Vhost will create a temporary file when receiving a VHOST_USER_GET_INFLIGHT_FD
message. A malicious guest can send this message endlessly to drain the
resources of the host.
When receiving the VHOST_USER_GET_INFLIGHT_FD message repeatedly, close the
file created during the last handling of this message.
CVE-2020-10726
Fixes: d87f1a1cb7 ("vhost: support inflight info sharing")
Cc: stable@dpdk.org
Signed-off-by: Xuan Ding <xuan.ding@intel.com>
Signed-off-by: Xiaolong Ye <xiaolong.ye@intel.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
A malicious container which has direct access to the vhost-user socket
can keep sending VHOST_USER_GET_INFLIGHT_FD messages, which may leak
resources until resulting in a DoS. Fix it by unmapping
dev->inflight_info->addr before assigning a new mapped addr to it.
CVE-2020-10726
Fixes: d87f1a1cb7 ("vhost: support inflight info sharing")
Cc: stable@dpdk.org
Signed-off-by: Xiaolong Ye <xiaolong.ye@intel.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
A malicious guest can construct a desc with an invalid address and zero buffer
length. That will require vhost to check both the translated address and the
translated data length. This patch adds the missing address check.
CVE-2020-10725
Fixes: 75ed516978 ("vhost: add packed ring batch dequeue")
Fixes: ef861692c3 ("vhost: add packed ring batch enqueue")
Cc: stable@dpdk.org
Signed-off-by: Marvin Liu <yong.liu@intel.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
transform_cipher_param() and transform_chain_param() handle
the payload data for the VHOST_USER_CRYPTO_CREATE_SESS
message. These payloads have to be validated, since they
could come from untrusted sources.
Two buffers and their lengths are defined in this payload,
one for the auth key and one for the cipher key. But the above
functions do not validate the key length inputs, which could
lead to read out of bounds, as buffers have static sizes of
64 bytes for the cipher key and 512 bytes for the auth key.
This patch adds necessary checks on the key length field
before being used.
CVE-2020-10724
Fixes: e80a987081 ("vhost/crypto: add session message handler")
Cc: stable@dpdk.org
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Reviewed-by: Xiaolong Ye <xiaolong.ye@intel.com>
Reviewed-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
vhost_user_check_and_alloc_queue_pair() is used to extract
a vring index from a payload. This function validates the
index and is called early on when performing message
handling. Most message handlers depend on it correctly
validating the vring index.
Depending on the message type the vring index is in
different parts of the payload. The function contains a
switch/case for each type and copies the index. This is
stored in a uint16. This index is then validated. Depending
on the message, the source index is an unsigned int. If
integer truncation occurs (uint->uint16) the top 16 bits
of the index are never validated.
When they are used later on (e.g. in
vhost_user_set_vring_num() or vhost_user_set_vring_addr())
it can lead to out of bound indexing. The out of bound
indexed data gets written to, and hence this can cause
memory corruption.
This patch fixes this vulnerability by declaring vring
index as an unsigned int in
vhost_user_check_and_alloc_queue_pair().
CVE-2020-10723
Fixes: 160cbc815b ("vhost: remove a hack on queue allocation")
Cc: stable@dpdk.org
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Reviewed-by: Xiaolong Ye <xiaolong.ye@intel.com>
Reviewed-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
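
The truncation described in the CVE-2020-10723 message above, as an added example that is not DPDK code: the struct, the MAX_VRINGS limit and the function names are assumptions made for this sketch. The handler returns -2 at the point where an unguarded handler would write out of bounds.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_VRINGS 256u /* assumed limit for this sketch */

/* Constructed payload: the ring index arrives as a 32-bit unsigned value. */
struct vring_state_msg {
    unsigned int index;
    unsigned int num;
};

typedef bool (*index_check_fn)(const struct vring_state_msg *);

/* Pattern described above: the index is narrowed to 16 bits before the
 * bounds check, so the top 16 bits are never validated. */
static bool check_index_truncating(const struct vring_state_msg *msg)
{
    uint16_t vring_idx = (uint16_t)msg->index;
    return vring_idx < MAX_VRINGS;
}

/* Pattern of the fix: validate the index at its full width. */
static bool check_index_full_width(const struct vring_state_msg *msg)
{
    unsigned int vring_idx = msg->index;
    return vring_idx < MAX_VRINGS;
}

/* Later handler that relies on the early check and then uses the
 * untruncated field. Returns 0 on success, -1 if the early check rejected
 * the message, -2 if the check passed but the index is still out of range
 * (the point where an unguarded handler would write out of bounds). */
static int handle_set_vring_num(unsigned int ring_size[MAX_VRINGS],
                                const struct vring_state_msg *msg,
                                index_check_fn check)
{
    if (!check(msg))
        return -1;
    if (msg->index >= MAX_VRINGS)
        return -2;
    ring_size[msg->index] = msg->num;
    return 0;
}

int main(void)
{
    static unsigned int ring_size[MAX_VRINGS];
    struct vring_state_msg bad = { .index = 0x10001u, .num = 512 };

    printf("truncating check: %d\n",
           handle_set_vring_num(ring_size, &bad, check_index_truncating));
    printf("full-width check: %d\n",
           handle_set_vring_num(ring_size, &bad, check_index_full_width));
    return 0;
}
```
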
vhost_user_set_log_base() is a message handler that is
called to handle the VHOST_USER_SET_LOG_BASE message.
Its payload contains a 64 bit size and offset. Both are
added up and used as a size when calling mmap().
There is no integer overflow check. If an integer overflow
occurs a smaller memory map would be created than
requested. Since the returned mapping is mapped as writable
and used for logging, a memory corruption could occur.
CVE-2020-10722
Fixes: fbc4d248b1 ("vhost: fix offset while mmaping log base address")
Cc: stable@dpdk.org
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Reviewed-by: Xiaolong Ye <xiaolong.ye@intel.com>
Reviewed-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
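
The size-plus-offset overflow described in the CVE-2020-10722 message above, as an added example that is not DPDK code: the struct and function names are assumptions, and the checked variant is one way to write the guard, not necessarily the form the patch uses.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the 64-bit size and offset in the payload. */
struct log_base_msg {
    uint64_t mmap_size;
    uint64_t mmap_offset;
};

/* Unchecked sum, as described above: wraps modulo 2^64, so the length
 * handed to mmap() can be far smaller than the region the log will use. */
static uint64_t map_len_unchecked(const struct log_base_msg *m)
{
    return m->mmap_size + m->mmap_offset;
}

/* Checked sum: rejects an empty log, a sum that wraps, and a sum that does
 * not fit in size_t (the type mmap() takes for its length). */
static bool map_len_checked(const struct log_base_msg *m, size_t *len)
{
    if (m->mmap_size == 0)
        return false;
    if (m->mmap_offset > UINT64_MAX - m->mmap_size)
        return false;
    if (m->mmap_size + m->mmap_offset > SIZE_MAX)
        return false;
    *len = (size_t)(m->mmap_size + m->mmap_offset);
    return true;
}

/* True when a mapping of map_len bytes covers offset + size bytes,
 * computed without forming the (possibly wrapping) sum. */
static bool map_covers_log(const struct log_base_msg *m, uint64_t map_len)
{
    return map_len >= m->mmap_size &&
           map_len - m->mmap_size >= m->mmap_offset;
}

int main(void)
{
    /* Constructed values chosen so that size + offset wraps to 0x1000. */
    struct log_base_msg bad = { 0xFFFFFFFFFFFFF000ull, 0x2000ull };
    size_t len = 0;
    uint64_t wrapped = map_len_unchecked(&bad);

    printf("unchecked length: %#llx, covers log: %d\n",
           (unsigned long long)wrapped, map_covers_log(&bad, wrapped));
    printf("checked accepts: %d\n", map_len_checked(&bad, &len));
    return 0;
}
```
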
gcc 10 issues warnings about the use of rearm_data marker
from struct rte_mbuf.
e.g.
../drivers/net/enic/enic_rxtx_vec_avx2.c: In function ‘rx_one’:
../drivers/net/enic/enic_rxtx_vec_avx2.c:21:2:
warning:
array subscript 0 is outside the bounds of an interior zero-length array
‘RTE_MARKER64’ {aka ‘long unsigned int[0]’} [-Wzero-length-bounds]
21 | *(uint64_t *)&mb->rearm_data = enic->mbuf_initializer;
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from ../lib/librte_mbuf/rte_mbuf.h:45,
from ../drivers/net/enic/enic_rxtx_vec_avx2.c:6:
../lib/librte_mbuf/rte_mbuf_core.h:484:15:
note: while referencing ‘rearm_data’
484 | RTE_MARKER64 rearm_data;
|
Disable this warning for gcc 10 in order to allow v20.05 to build
without changes to struct rte_mbuf.
Bugzilla ID: 396
Cc: stable@dpdk.org
Signed-off-by: Kevin Traynor <ktraynor@redhat.com>
Reviewed-by: David Marchand <david.marchand@redhat.com>
gcc 10.1.1 reports a warning for the ext_bkt_id variable:
../lib/librte_hash/rte_cuckoo_hash.c:
In function ‘__rte_hash_add_key_with_hash’:
../lib/librte_hash/rte_cuckoo_hash.c:1104:29:
warning: ‘ext_bkt_id’ may be used uninitialized in this function
[-Wmaybe-uninitialized]
1104 | (h->buckets_ext[ext_bkt_id - 1]).sig_current[0] = short_sig;
| ~~~~~~~~~~~^~~
The return value of rte_ring_sc_dequeue_elem() is already checked,
but also initialize ext_bkt_id to zero (invalid value) and check
that it is also overwritten.
Fixes: fbfe568103 ("hash: use 32-bit elements rings to save memory")
Cc: stable@dpdk.org
Signed-off-by: Kevin Traynor <ktraynor@redhat.com>
Acked-by: Yipeng Wang <yipeng1.wang@intel.com>
Since it will check the feature mask before running out-of-place
test cases and the virtio-crypto device supports OOP_LB_IN_LB_OUT mode.
Signed-off-by: Jay Zhou <jianjay.zhou@huawei.com>
Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
The OCTEON TX crypto PMD supports non-byte aligned data as
input for SNOW and ZUC algos. Adding the same to the feature list.
Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Session configure should return -ENOTSUP in case of unsupported xform
requests. Moving the validation of combinations out of cpt, as the
feature support will not be the same across OCTEON TX and OCTEON TX2.
Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
The OCTEON TX2 crypto PMD supports non-byte aligned data as
input for SNOW and ZUC algos. Adding the same to the feature list.
Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Update max packet length supported by Inline IPsec Rx to
NIX_MAX_FRS
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
The caam_jr_enable_irqs() and caam_jr_disable_irqs() methods may return a
negative error. So use int instead of uint32_t in the functions.
Fixes: e7a45f3cc2 ("crypto/caam_jr: add UIO specific operations")
Cc: stable@dpdk.org
Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
Acked-by: Gagandeep Singh <g.singh@nxp.com>
Zero is a valid fd. It will fail to check the fd if the fd is zero.
The "job_ring->uio_fd" is an fd, so define it as "int".
Fixes: e7a45f3cc2 ("crypto/caam_jr: add UIO specific operations")
Fixes: a5e1018d5e ("crypto/caam_jr: add routines to configure HW")
Cc: stable@dpdk.org
Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
Acked-by: Gagandeep Singh <g.singh@nxp.com>
The test case - test_stats is directly accessing the
cryptodev and its dev_ops which are internal to library
and should not be used directly by the application.
However, the test case is also missing a check for the
error ENOTSUP. It should skip the case if the API returns
ENOTSUP. This patch fixes these two issues.
Fixes: 202d375c60 ("app/test: add cryptodev unit and performance tests")
Cc: stable@dpdk.org
Signed-off-by: Apeksha Gupta <apeksha.gupta@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Add release notes update for QAT DOCSIS AES-256 support
Fixes: 2aab3ff3d8 ("crypto/qat: support DOCSIS AES-256")
Signed-off-by: Mairtin o Loingsigh <mairtin.oloingsigh@intel.com>
gcc 10 defaults to -fno-common and as a result when linking
with crypto drivers:
drivers/librte_pmd_dpaa_sec.a(crypto_dpaa_sec_dpaa_sec.c.o):
(.bss+0x4): multiple definition of `rta_sec_era';
drivers/librte_pmd_caam_jr.a(crypto_caam_jr_caam_jr.c.o):
(.bss+0x0): first defined here
drivers/librte_pmd_dpaa2_sec.a(crypto_dpaa2_sec_dpaa2_sec_dpseci.c.o):
(.data+0x0): multiple definition of `rta_sec_era';
drivers/librte_pmd_caam_jr.a(crypto_caam_jr_caam_jr.c.o):
(.bss+0x0): first defined here
This patch fixes the blunt workaround in the following commit.
Fixes: 50b03f3b8e ("drivers/crypto: disable gcc 10 no-common errors")
Bugzilla ID: 469
Cc: stable@dpdk.org
Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Tested-by: Kevin Traynor <ktraynor@redhat.com>
Reviewed-by: Ferruh Yigit <ferruh.yigit@intel.com>
Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Ray Kinsella <mdr@ashroe.eu>
Cryptodev doesn't limit the number of descriptors that can be supported
by the PMD.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Adam Dybkowski <adamx.dybkowski@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
The returned number from rte_event_enqueue_*()
wouldn't include events marked with RTE_EVENT_OP_RELEASE.
Fixes: 1c8e3caa3 ("event/dsw: add event scheduling and device start/stop")
Cc: stable@dpdk.org
Signed-off-by: Yuri Chipchev <yuric@marvell.com>
Reviewed-by: Liron Himi <lironh@marvell.com>
Acked-by: Mattias Rönnblom <mattias.ronnblom@ericsson.com>
Older GCC(~4) complains about uninitialized 'dip'
var though all the lanes of the vec register are set.
Hence this patch explicitly initializes vec register
to fix the issue.
In file included from ip4_lookup.c:34:0:
ip4_lookup_neon.h: In function ‘ip4_lookup_node_process’: \
ip4_lookup_neon.h:25:12: error: ‘dip’ may be used uninitialized in \
this function [-Werror=maybe-uninitialized]
int32x4_t dip;
^
Fixes: 16df6a2c66 ("node: add IPv4 lookup for arm64")
Reported-by: David Marchand <david.marchand@redhat.com>
Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
Reviewed-by: Ruifeng Wang <ruifeng.wang@arm.com>
Reviewed-by: Jerin Jacob <jerinj@marvell.com>
This is testpmd part of new line cleanup.
Fixes: 002ade70e9 ("app/test: measure cycles per packet in Rx/Tx")
Fixes: ce8d561418 ("app/testpmd: add port configuration settings")
Cc: stable@dpdk.org
Signed-off-by: Ivan Dyukov <i.dyukov@samsung.com>
Acked-by: Andrew Rybchenko <arybchenko@solarflare.com>
The AVX512 packed ring datapath selection was only done
at build time, but it should also be checked at runtime
that the CPU supports it.
This patch adds a CPU flags check so that the non-vectorized
path is selected at runtime if AVX512 is not supported.
Also, in the meson build, enable vectorization only for the relevant file,
not for the whole driver.
Fixes: ccb10995c2 ("net/virtio: add election for vectorized path")
Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Signed-off-by: Ferruh Yigit <ferruh.yigit@intel.com>
Acked-by: Maxime Coquelin <maxime.coquelin@redhat.com>
If the hardware mode for this card does not support nic,
the network features for this card will not be supported
and driver initialization will fail.
Signed-off-by: Xiaoyun Wang <cloud.wangxiaoyun@huawei.com>
This patch adds to MLX5 PMD the support of matching on
GTP header item v_pt_rsv_flags.
This item is contained in 1 byte of the format:
-------------------------------------------
| bit | 0 - 2 | 3 | 4 | 5 | 6 | 7 |
|-----------------------------------------|
| value | Version | PT | Res | E | S | PN |
-------------------------------------------
Matching is supported only for GTP flags E, S, PN.
Therefore values 0 to 7 are supported.
Mask must be set accordingly:
... gtp v_pt_rsv_flags is 1 v_pt_rsv_flags mask 0x07 ...
Signed-off-by: Dekel Peled <dekelp@mellanox.com>
Acked-by: Matan Azrad <matan@mellanox.com>
Program received signal SIGSEGV, Segmentation fault.
0x00000000008ef7c4 in mlx5_tx_queue_release (dpdk_txq=0x17ce01680) at
drivers/net/mlx5/mlx5_txq.c:302
301 mlx5_txq_release(ETH_DEV(priv), i);
302 DRV_LOG(DEBUG, "port %u removing Tx queue %u from list",
303 PORT_ID(priv), txq->idx);
The problem is txq is freed inside the mlx5_txq_release() function
and no longer valid in the debug log right after this invocation.
Move the debug log before the mlx5_txq_release() function to fix this.
Fixes: a6d83b6a92 ("net/mlx5: standardize on negative errno values")
Cc: stable@dpdk.org
Signed-off-by: Alexander Kozyrev <akozyrev@mellanox.com>
Acked-by: Matan Azrad <matan@mellanox.com>
The function mlx4_drop_get() creates a pointer to a struct mlx4_drop and
if needed allocates it with rte_malloc.
If the allocation fails, the function goes to the label “error”, and
there dereferences a null pointer.
Skip resource cleanup when the memory allocation fails.
Coverity issue: 146206
Coverity issue: 146146
Fixes: d3a7e09234 ("net/mlx4: allocate drop flow resources on demand")
Cc: stable@dpdk.org
Signed-off-by: Michael Baum <michaelba@mellanox.com>
Acked-by: Matan Azrad <matan@mellanox.com>
The mlx5_flow_get_reg_id() function translates tag ID to register
from the registers that are supported and available for use. The
user does not know which register is available at a time and therefore
there is an array that represents mapping to the available registers.
Usually the free registers are continuous in the flow_mreg_c array but
sometimes the mtr_color_reg register is between them and it must be
skipped and the next register returned, in which case the function
returns the mapping of the next entity in the array.
When the function reads from the next entity in the array, it does not
check whether such an entity exists, and in some situations an invalid
access to memory occurs beyond the array boundaries.
So, when all the registers are valid from HW perspective and the meter
color register is not the default, the tag id 5 causes an out of bound
access.
Validate registers availability when meter color register is not the
default.
Coverity issue: 146355
Fixes: 792e749e92 ("net/mlx5: fix register usage in meter")
Cc: stable@dpdk.org
Signed-off-by: Michael Baum <michaelba@mellanox.com>
Acked-by: Matan Azrad <matan@mellanox.com>
When creating a flow rule with zero specs, it will cause
matching of all UDP packets, like the following:
eth / ipv4 / udp / vxlan / end
Such a rule will match all UDP packets.
This changes the behavior to match the dv flow engine,
which will automatically set the match on the relative
outer UDP port if the user didn't specify any.
Fixes: 84c406e745 ("net/mlx5: add flow translate function")
Cc: stable@dpdk.org
Signed-off-by: Raslan Darawsheh <rasland@mellanox.com>
Acked-by: Matan Azrad <matan@mellanox.com>
In the existing implementation, using a wild card VLAN item is not allowed.
A VLAN item in a flow pattern must include a VLAN ID (vid) value.
This obligation contradicts the flow API specification [1].
This patch updates the VLAN item validation and translation, to allow
wild card VLAN item, without VLAN ID value.
User guide and release notes are updated accordingly.
[1]
commit 40513808b165 ("doc: refine ethernet and VLAN flow rule items")
Fixes: 00f75a4057 ("net/mlx5: fix VLAN match for DV mode")
Cc: stable@dpdk.org
Signed-off-by: Dekel Peled <dekelp@mellanox.com>
Acked-by: Viacheslav Ovsiienko <viacheslavo@mellanox.com>
Now this feature is no longer supported by kernel side, (i40e kernel
driver doesn't support it from v2.3.2 and ixgbe kernel driver isn't
guaranteed to support this feature as well in the future), so remove the
Intel PMD examples to avoid confusion.
Signed-off-by: Xiaolong Ye <xiaolong.ye@intel.com>
Acked-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Ferruh Yigit <ferruh.yigit@intel.com>
When a net_ring device is allocated, its device pointer is not set
before calling rte_eth_dev_probing_finish, which is incorrect.
The following:
commit 96cb195211 ("net/ring: use EAL APIs in PMD specific API")
commit a6992e9610 ("net/ring: set ethernet device field")
already fixed the same issue in 17.08, which was fine at the time.
Adding the hook rte_eth_dev_probing_finish() however created this bug,
as the eth_dev exposed when this hook is executed is expected to be
complete.
Remove the prior attempts to fix the issue in rte_pmd_ring_probe() and
write the pointer properly in do_eth_dev_ring_create().
Fixes: fbe90cdd77 ("ethdev: add probing finish function")
Cc: stable@dpdk.org
Signed-off-by: Gaetan Rivet <grive@u256.net>
Reviewed-by: Ferruh Yigit <ferruh.yigit@intel.com>
When trying to compile with glibc < 2.24 that doesn't
support SOL_NETLINK it will cause compilation failure:
drivers/net/tap/tap_netlink.c:70:17: error:
'SOL_NETLINK' undeclared (first use in this function)
setsockopt(fd, SOL_NETLINK, NETLINK_EXT_ACK, &one, sizeof(one));
The glibc commit adds the SOL_NETLINK support:
https://github.com/bminor/glibc/commit/f9b437d5efce93800b51ad2a437c8b1c9
Fixes: 647909bcf3 ("net/tap: use netlink extended ack support")
Signed-off-by: Raslan Darawsheh <rasland@mellanox.com>
Reviewed-by: Ferruh Yigit <ferruh.yigit@intel.com>
NIX exposes NIX_AF_SMQ(0..511)_CFG to configure minimum length
of the packet which is being used for zero padding if packet is
less than configured value.
Setting it to default minimum length i.e. 60 bytes.
Fixes: ec8ddd4fb1 ("net/octeontx2: restructure TM helper functions")
Signed-off-by: Sunil Kumar Kori <skori@marvell.com>
Acked-by: Jerin Jacob <jerinj@marvell.com>
Add Rx descriptor limit for number of segments per MTU.
PMD doesn't support Jumbo Rx scatter gather hence set 1 segment per
MTU. Some applications can adjust mbuf_size based on this value.
For others PMD detects the condition where Rx packet length cannot
be held by configured mbuf size and logs the message.
Signed-off-by: Rasesh Mody <rmody@marvell.com>
Signed-off-by: Igor Russkikh <irusskikh@marvell.com>
Some log will always be printed when the device is initialized
and shut down, which will mislead users and should be removed.
Fixes: 746664d546 ("net/igc: support flow API")
Signed-off-by: Alvin Zhang <alvinx.zhang@intel.com>
Acked-by: Xiaolong Ye <xiaolong.ye@intel.com>
The dummy packet for pppoe-ipv6 has an error; we should
use 0x3b for the next header in the ipv6 header in the dummy packet,
or some cases cannot be downloaded, such as:
"eth / pppoes seid is 3 / pppoe_proto_id is 0x0057 /
end actions vf id 1 / end"
Fixes: 55d61fb27a ("net/ice/base: add PPPoE IPv6 dummy packet")
Signed-off-by: Wei Zhao <wei.zhao1@intel.com>
Tested-by: Nannan Lu <nannan.lu@intel.com>
Acked-by: Qi Zhang <qi.z.zhang@intel.com>