vhost: fix translated address not checked

A malicious guest can construct a descriptor with an invalid address and a
zero buffer length. That requires vhost to check both the translated address
and the translated data length. This patch adds the missing address check.

CVE-2020-10725
Fixes: 75ed516978 ("vhost: add packed ring batch dequeue")
Fixes: ef861692c3 ("vhost: add packed ring batch enqueue")
Cc: stable@dpdk.org

Signed-off-by: Marvin Liu <yong.liu@intel.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Marvin Liu 2020-05-18 14:17:02 +01:00 committed by David Marchand
parent acd4c92fa6
commit 97ecc1c85c


@ -1069,6 +1069,8 @@ virtio_dev_rx_batch_packed(struct virtio_net *dev,
VHOST_ACCESS_RW);
vhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {
if (unlikely(!desc_addrs[i]))
return -1;
if (unlikely(lens[i] != descs[avail_idx + i].len))
return -1;
}
@ -1822,6 +1824,8 @@ vhost_reserve_avail_batch_packed(struct virtio_net *dev,
}
vhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {
if (unlikely(!desc_addrs[i]))
return -1;
if (unlikely((lens[i] != descs[avail_idx + i].len)))
return -1;
}
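Review bot: The check that appears to be added in each loop, `if (unlikely(!desc_addrs[i])) return -1;`, carries no comment saying why the length comparison that follows it is not sufficient on its own, and that reason is the whole fix. Per the commit message, a descriptor with a zero length lets `lens[i] != descs[avail_idx + i].len` pass even when the address did not translate, so I would put `/* a zero-length desc passes the length check even if translation failed */` above the check in virtio_dev_rx_batch_packed and again in vhost_reserve_avail_batch_packed. The two loops are now identical apart from a redundant pair of parentheses in the second, so a small static inline helper shared by both would keep the enqueue and dequeue paths from drifting apart again. Both function bodies start and end outside the visible hunks, so how a `-1` return is handled by the callers cannot be confirmed from here.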