Daniel Mrzyglod 7b3249c56e net/virtio: fix untrusted scalar value
The unscrutinized value may be incorrectly assumed to be within a certain
range by later operations.

In vhost_user_read: An unscrutinized value from an untrusted source is used
in a trusted context - the value of sz_payload may be harmful and we need
to limit it to the max value of payload.

Coverity issue: 139601
Fixes: 6a84c37e3975 ("net/virtio-user: add vhost-user adapter layer")
Cc: stable@dpdk.org

Signed-off-by: Daniel Mrzyglod <danielx.t.mrzyglod@intel.com>
Acked-by: Jianfeng Tan <jianfeng.tan@intel.com>
Acked-by: Yuanhan Liu <yliu@fridaylinux.org>
2017-10-10 15:52:27 +02:00


/*-
* BSD LICENSE
*
* Copyright(c) 2010-2016 Intel Corporation. All rights reserved.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
* * Neither the name of Intel Corporation nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/un.h>
#include <string.h>
#include <errno.h>
#include "vhost.h"
#include "virtio_user_dev.h"
/* The version of the protocol we support */
#define VHOST_USER_VERSION 0x1
/* Capacity of the region table below; it also sizes the fds[] member of
 * struct vhost_user_msg and the descriptor arrays used by the senders in
 * this file.
 */
#define VHOST_MEMORY_MAX_NREGIONS 8
/* Memory-table payload: a region count, explicit padding, and a
 * fixed-capacity array of regions. Only the first nregions entries are
 * filled in by prepare_vhost_memory_user().
 */
struct vhost_memory {
uint32_t nregions;
uint32_t padding;
struct vhost_memory_region regions[VHOST_MEMORY_MAX_NREGIONS];
};
/* One vhost-user message: a fixed header (request, flags, size) followed by
 * a request-specific payload union. The struct is declared packed, so the
 * compiler inserts no padding between members.
 */
struct vhost_user_msg {
enum vhost_user_request request;
#define VHOST_USER_VERSION_MASK 0x3
#define VHOST_USER_REPLY_MASK (0x1 << 2)
uint32_t flags;
/* Length of the payload that follows the header. In a received message this
 * field is supplied by the peer, so it has to be bounded against
 * sizeof(payload) before it is used as a read length (vhost_user_read()
 * does this).
 */
uint32_t size; /* the following payload size */
union {
#define VHOST_USER_VRING_IDX_MASK 0xff
#define VHOST_USER_VRING_NOFD_MASK (0x1 << 8)
uint64_t u64;
struct vhost_vring_state state;
struct vhost_vring_addr addr;
struct vhost_memory memory;
} payload;
/* NOTE(review): not referenced by the functions visible here, which pass
 * descriptors as a separate argument to vhost_user_write() - confirm
 * whether anything else relies on this member.
 */
int fds[VHOST_MEMORY_MAX_NREGIONS];
} __attribute((packed));
/* Number of bytes that precede the payload union. */
#define VHOST_USER_HDR_SIZE offsetof(struct vhost_user_msg, payload.u64)
/* Everything after the header: the payload union plus the trailing fds[]
 * array. This is larger than sizeof(payload), so it is not the bound to
 * apply to a peer-supplied size; vhost_user_read() compares against
 * sizeof(msg->payload) instead.
 */
#define VHOST_USER_PAYLOAD_SIZE \
(sizeof(struct vhost_user_msg) - VHOST_USER_HDR_SIZE)
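/**
 * Send one message on the vhost-user socket and attach file descriptors to
 * it as SCM_RIGHTS ancillary data.
 *
 * @param fd
 *   Connected socket to send on.
 * @param buf
 *   Start of the message bytes.
 * @param len
 *   Number of bytes of buf to send; a negative value is rejected.
 * @param fds
 *   Descriptors to attach; only read when fd_num is greater than zero.
 * @param fd_num
 *   Number of entries in fds; a negative value is rejected.
 * @return
 *   - the sendmsg() result (bytes sent) on success;
 *   - (-1) on failure, with errno set.
 */
static int
vhost_user_write(int fd, void *buf, int len, int *fds, int fd_num)
{
	int r;
	struct msghdr msgh;
	struct iovec iov;
	struct cmsghdr *cmsg;

	/* Both counts are converted to size_t below. A negative value would
	 * wrap to a huge length and size the on-stack control buffer with it,
	 * so refuse it before anything is allocated.
	 */
	if (len < 0 || fd_num < 0) {
		errno = EINVAL;
		return -1;
	}

	size_t fd_size = fd_num * sizeof(int);
	char control[CMSG_SPACE(fd_size)];

	memset(&msgh, 0, sizeof(msgh));
	memset(control, 0, sizeof(control));

	iov.iov_base = (uint8_t *)buf;
	iov.iov_len = len;

	msgh.msg_iov = &iov;
	msgh.msg_iovlen = 1;
	msgh.msg_control = control;
	msgh.msg_controllen = sizeof(control);

	cmsg = CMSG_FIRSTHDR(&msgh);
	if (cmsg == NULL) {
		errno = EINVAL;
		return -1;
	}
	/* The control header is attached even when fd_num is zero, exactly
	 * as before; only the copy is skipped when there is nothing to copy.
	 */
	cmsg->cmsg_len = CMSG_LEN(fd_size);
	cmsg->cmsg_level = SOL_SOCKET;
	cmsg->cmsg_type = SCM_RIGHTS;
	if (fd_size > 0)
		memcpy(CMSG_DATA(cmsg), fds, fd_size);

	/* Retry when the call is interrupted by a signal. */
	do {
		r = sendmsg(fd, &msgh, 0);
	} while (r < 0 && errno == EINTR);

	return r;
}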
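/**
 * Receive one reply from the vhost-user backend into msg.
 *
 * The header is read first and validated; the payload is read only after the
 * peer-supplied size has been checked against the payload union, so an
 * oversized value cannot make recv() write past it.
 *
 * @param fd
 *   Connected vhost-user socket.
 * @param msg
 *   Buffer that receives the header and, if any, the payload.
 * @return
 *   - (0) if a complete, well-formed message was received;
 *   - (-1) on a short read, unexpected flags or an oversized payload.
 */
static int
vhost_user_read(int fd, struct vhost_user_msg *msg)
{
	uint32_t valid_flags = VHOST_USER_REPLY_MASK | VHOST_USER_VERSION;
	int ret, sz_hdr = VHOST_USER_HDR_SIZE, sz_payload;

	/* recv() is issued once per part; a short read is reported as a
	 * failure rather than retried.
	 */
	ret = recv(fd, (void *)msg, sz_hdr, 0);
	if (ret < sz_hdr) {
		PMD_DRV_LOG(ERR, "Failed to recv msg hdr: %d instead of %d.",
			    ret, sz_hdr);
		return -1;
	}

	/* validate msg flags */
	if (msg->flags != valid_flags) {
		PMD_DRV_LOG(ERR, "Failed to recv msg: flags %x instead of %x.",
			    msg->flags, valid_flags);
		return -1;
	}

	/* msg->size was written by the peer. Compare it while it is still
	 * unsigned, and say why the message is dropped instead of failing
	 * silently.
	 */
	if (msg->size > sizeof(msg->payload)) {
		PMD_DRV_LOG(ERR, "Failed to recv msg: payload size %u exceeds %zu.",
			    (unsigned int)msg->size, sizeof(msg->payload));
		return -1;
	}
	sz_payload = msg->size;

	if (sz_payload) {
		ret = recv(fd, (void *)((char *)msg + sz_hdr), sz_payload, 0);
		if (ret < sz_payload) {
			PMD_DRV_LOG(ERR,
				    "Failed to recv msg payload: %d instead of %d.",
				    ret, sz_payload);
			return -1;
		}
	}

	return 0;
}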
/* One mapping found in /proc/self/maps by get_hugepage_file_info(): where it
 * is mapped, how long the mapping is, and the path printed for it.
 */
struct hugepage_file_info {
uint64_t addr; /**< virtual addr */
size_t size; /**< the file size */
char path[PATH_MAX]; /**< path to backing file */
};
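/* Two possible options:
 * 1. Match HUGEPAGE_INFO_FMT to find the file storing struct hugepage_file
 * array. This is simple but cannot be used in secondary process because
 * secondary process will close and munmap that file.
 * 2. Match HUGEFILE_FMT to find hugepage files directly.
 *
 * We choose option 2.
 */
/**
 * Scan /proc/self/maps and record every mapping whose path ends in
 * "map_<number>".
 *
 * @param huges
 *   Output array; entry i receives the start address, length and path of the
 *   i-th matching mapping.
 * @param max
 *   Capacity of huges.
 * @return
 *   - the number of entries written;
 *   - (-1) if the file cannot be opened, a line cannot be parsed, or more
 *     than max mappings match.
 */
static int
get_hugepage_file_info(struct hugepage_file_info huges[], int max)
{
	int idx, field;
	FILE *f;
	char buf[BUFSIZ], *tmp, *tail;
	char *str_underline;
	int huge_index;
	uint64_t v_start, v_end;

	f = fopen("/proc/self/maps", "r");
	if (!f) {
		PMD_DRV_LOG(ERR, "cannot open /proc/self/maps");
		return -1;
	}

	idx = 0;
	while (fgets(buf, sizeof(buf), f) != NULL) {
		if (sscanf(buf, "%" PRIx64 "-%" PRIx64, &v_start, &v_end) < 2) {
			PMD_DRV_LOG(ERR, "Failed to parse address");
			goto error;
		}

		/* Skip the address, perm, offset, dev and inode columns. Each
		 * strchr() result is checked: a line with fewer columns used
		 * to turn a NULL result into a bogus pointer.
		 */
		tmp = buf;
		for (field = 0; field < 5; field++) {
			tmp = strchr(tmp, ' ');
			if (tmp == NULL)
				break;
			tmp++;
		}
		if (tmp == NULL) {
			PMD_DRV_LOG(ERR, "Failed to parse mapping fields");
			goto error;
		}

		while (*tmp == ' ') /* skip spaces */
			tmp++;

		tail = strrchr(tmp, '\n'); /* remove newline if exists */
		if (tail)
			*tail = '\0';

		/* Match HUGEFILE_FMT, aka "%s/%smap_%d",
		 * which is defined in eal_filesystem.h
		 *
		 * NOTE(review): only the "map_<number>" tail of the path is
		 * checked, not its directory, so any mapped file named that
		 * way is accepted - confirm that is acceptable, since the
		 * caller opens these paths and hands the descriptors to the
		 * backend.
		 */
		str_underline = strrchr(tmp, '_');
		if (!str_underline)
			continue;

		/* Need room for "map" in front of the underscore; measured as
		 * a distance so no pointer before tmp is formed.
		 */
		if ((size_t)(str_underline - tmp) < strlen("map"))
			continue;

		if (sscanf(str_underline - strlen("map"), "map_%d",
			   &huge_index) != 1)
			continue;

		if (idx >= max) {
			PMD_DRV_LOG(ERR, "Exceed maximum of %d", max);
			goto error;
		}
		huges[idx].addr = v_start;
		huges[idx].size = v_end - v_start;
		snprintf(huges[idx].path, PATH_MAX, "%s", tmp);
		idx++;
	}

	fclose(f);
	return idx;

error:
	fclose(f);
	return -1;
}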
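/**
 * Fill the memory-table payload of msg from the hugepage mappings of this
 * process and open one descriptor per region.
 *
 * @param msg
 *   Message whose payload.memory is filled in.
 * @param fds
 *   Output array with room for VHOST_MEMORY_MAX_NREGIONS descriptors; entry i
 *   is the open file backing region i. The caller closes them.
 * @return
 *   - (0) on success;
 *   - (-1) if the mappings cannot be listed or a backing file cannot be
 *     opened; in that case no descriptor is left open.
 */
static int
prepare_vhost_memory_user(struct vhost_user_msg *msg, int fds[])
{
	int i, num;
	struct hugepage_file_info huges[VHOST_MEMORY_MAX_NREGIONS];
	struct vhost_memory_region *mr;

	num = get_hugepage_file_info(huges, VHOST_MEMORY_MAX_NREGIONS);
	if (num < 0) {
		PMD_INIT_LOG(ERR, "Failed to prepare memory for vhost-user");
		return -1;
	}

	for (i = 0; i < num; ++i) {
		/* A failed open() used to leave -1 in fds[], which was then
		 * handed to sendmsg() as a descriptor. Stop here instead and
		 * release what was opened so far. The error is logged before
		 * close() can overwrite errno.
		 */
		fds[i] = open(huges[i].path, O_RDWR);
		if (fds[i] < 0) {
			PMD_INIT_LOG(ERR, "Failed to open %s: %s",
				     huges[i].path, strerror(errno));
			while (--i >= 0)
				close(fds[i]);
			return -1;
		}

		mr = &msg->payload.memory.regions[i];
		mr->guest_phys_addr = huges[i].addr; /* use vaddr! */
		mr->userspace_addr = huges[i].addr;
		mr->memory_size = huges[i].size;
		mr->mmap_offset = 0;
	}

	msg->payload.memory.nregions = num;
	msg->payload.memory.padding = 0;

	return 0;
}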
/* In the code visible here this object appears only inside sizeof
 * expressions (sizeof(m.payload.<member>)) and in RTE_SET_USED(m); it is not
 * used to hold a message.
 */
static struct vhost_user_msg m;
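/* Printable name of each request, indexed by enum vhost_user_request.
 * vhost_user_sock() logs with "%s" through this table, so every request it
 * handles needs an entry: the SET_LOG_BASE, SET_LOG_FD and SET_VRING_ERR
 * requests had none and were logged through a NULL pointer.
 */
const char * const vhost_msg_strings[] = {
	[VHOST_USER_SET_OWNER] = "VHOST_SET_OWNER",
	[VHOST_USER_RESET_OWNER] = "VHOST_RESET_OWNER",
	[VHOST_USER_SET_FEATURES] = "VHOST_SET_FEATURES",
	[VHOST_USER_GET_FEATURES] = "VHOST_GET_FEATURES",
	[VHOST_USER_SET_VRING_CALL] = "VHOST_SET_VRING_CALL",
	[VHOST_USER_SET_VRING_NUM] = "VHOST_SET_VRING_NUM",
	[VHOST_USER_SET_VRING_BASE] = "VHOST_SET_VRING_BASE",
	[VHOST_USER_GET_VRING_BASE] = "VHOST_GET_VRING_BASE",
	[VHOST_USER_SET_VRING_ADDR] = "VHOST_SET_VRING_ADDR",
	[VHOST_USER_SET_VRING_KICK] = "VHOST_SET_VRING_KICK",
	[VHOST_USER_SET_MEM_TABLE] = "VHOST_SET_MEM_TABLE",
	[VHOST_USER_SET_VRING_ENABLE] = "VHOST_SET_VRING_ENABLE",
	[VHOST_USER_SET_LOG_BASE] = "VHOST_SET_LOG_BASE",
	[VHOST_USER_SET_LOG_FD] = "VHOST_SET_LOG_FD",
	[VHOST_USER_SET_VRING_ERR] = "VHOST_SET_VRING_ERR",
};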
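/**
 * Build a vhost-user request, send it to the backend and, for the two GET
 * requests, read and validate the reply.
 *
 * @param dev
 *   Device whose vhostfd is the connected backend socket.
 * @param req
 *   Request to send.
 * @param arg
 *   Request-specific argument, as dereferenced below: a __u64 for the
 *   FEATURES and SET_LOG_BASE requests (written back for GET_FEATURES), an
 *   int for SET_LOG_FD, a struct vhost_vring_state for the VRING_NUM, BASE
 *   and ENABLE requests (written back for GET_VRING_BASE), a struct
 *   vhost_vring_addr for SET_VRING_ADDR, a struct vhost_vring_file for the
 *   KICK, CALL and ERR requests; not read for the OWNER and SET_MEM_TABLE
 *   requests.
 * @return
 *   - (0) if the request was sent and any expected reply was valid;
 *   - (-1) otherwise.
 */
static int
vhost_user_sock(struct virtio_user_dev *dev,
		enum vhost_user_request req,
		void *arg)
{
	struct vhost_user_msg msg;
	struct vhost_vring_file *file = NULL;
	const char *req_name = "unknown request";
	int need_reply = 0;
	int fds[VHOST_MEMORY_MAX_NREGIONS];
	int fd_num = 0;
	int i, len;
	int ret = 0;
	int vhostfd = dev->vhostfd;

	RTE_SET_USED(m);

	/* The name table is indexed before req has been validated by the
	 * switch below, so look it up defensively: stay inside the array
	 * and never pass a NULL entry to "%s".
	 */
	if ((size_t)req < sizeof(vhost_msg_strings) /
			  sizeof(vhost_msg_strings[0]) &&
	    vhost_msg_strings[req] != NULL)
		req_name = vhost_msg_strings[req];

	PMD_DRV_LOG(INFO, "%s", req_name);

	/* msg is not zeroed; only the header plus msg.size payload bytes are
	 * sent, and every case below writes the bytes it accounts for.
	 */
	msg.request = req;
	msg.flags = VHOST_USER_VERSION;
	msg.size = 0;

	switch (req) {
	case VHOST_USER_GET_FEATURES:
		need_reply = 1;
		break;

	case VHOST_USER_SET_FEATURES:
	case VHOST_USER_SET_LOG_BASE:
		msg.payload.u64 = *((__u64 *)arg);
		msg.size = sizeof(m.payload.u64);
		break;

	case VHOST_USER_SET_OWNER:
	case VHOST_USER_RESET_OWNER:
		break;

	case VHOST_USER_SET_MEM_TABLE:
		if (prepare_vhost_memory_user(&msg, fds) < 0)
			return -1;
		fd_num = msg.payload.memory.nregions;
		msg.size = sizeof(m.payload.memory.nregions);
		msg.size += sizeof(m.payload.memory.padding);
		msg.size += fd_num * sizeof(struct vhost_memory_region);
		break;

	case VHOST_USER_SET_LOG_FD:
		fds[fd_num++] = *((int *)arg);
		break;

	case VHOST_USER_SET_VRING_NUM:
	case VHOST_USER_SET_VRING_BASE:
	case VHOST_USER_SET_VRING_ENABLE:
		memcpy(&msg.payload.state, arg, sizeof(msg.payload.state));
		msg.size = sizeof(m.payload.state);
		break;

	case VHOST_USER_GET_VRING_BASE:
		memcpy(&msg.payload.state, arg, sizeof(msg.payload.state));
		msg.size = sizeof(m.payload.state);
		need_reply = 1;
		break;

	case VHOST_USER_SET_VRING_ADDR:
		memcpy(&msg.payload.addr, arg, sizeof(msg.payload.addr));
		msg.size = sizeof(m.payload.addr);
		break;

	case VHOST_USER_SET_VRING_KICK:
	case VHOST_USER_SET_VRING_CALL:
	case VHOST_USER_SET_VRING_ERR:
		file = arg;
		msg.payload.u64 = file->index & VHOST_USER_VRING_IDX_MASK;
		msg.size = sizeof(m.payload.u64);
		/* NOTE(review): descriptor 0 is treated as "no fd" here -
		 * confirm that callers never pass 0 as a real descriptor.
		 */
		if (file->fd > 0)
			fds[fd_num++] = file->fd;
		else
			msg.payload.u64 |= VHOST_USER_VRING_NOFD_MASK;
		break;

	default:
		PMD_DRV_LOG(ERR, "trying to send unhandled msg type");
		return -1;
	}

	len = VHOST_USER_HDR_SIZE + msg.size;
	if (vhost_user_write(vhostfd, &msg, len, fds, fd_num) < 0) {
		/* Log first: close() below may overwrite errno. */
		PMD_DRV_LOG(ERR, "%s failed: %s",
			    req_name, strerror(errno));
		ret = -1;
	}

	/* The region descriptors were opened for this message only. Close
	 * them whether or not the send worked; the failure path used to
	 * return with all of them still open.
	 */
	if (req == VHOST_USER_SET_MEM_TABLE)
		for (i = 0; i < fd_num; ++i)
			close(fds[i]);

	if (ret < 0)
		return -1;

	if (need_reply) {
		/* NOTE(review): vhost_user_read() also fails on validation
		 * errors that do not set errno, so the text logged here can
		 * be stale.
		 */
		if (vhost_user_read(vhostfd, &msg) < 0) {
			PMD_DRV_LOG(ERR, "Received msg failed: %s",
				    strerror(errno));
			return -1;
		}

		if (req != msg.request) {
			PMD_DRV_LOG(ERR, "Received unexpected msg type");
			return -1;
		}

		/* The reply size is chosen by the backend: require exactly
		 * the size of the member that is about to be copied out.
		 */
		switch (req) {
		case VHOST_USER_GET_FEATURES:
			if (msg.size != sizeof(m.payload.u64)) {
				PMD_DRV_LOG(ERR, "Received bad msg size");
				return -1;
			}
			*((__u64 *)arg) = msg.payload.u64;
			break;
		case VHOST_USER_GET_VRING_BASE:
			if (msg.size != sizeof(m.payload.state)) {
				PMD_DRV_LOG(ERR, "Received bad msg size");
				return -1;
			}
			memcpy(arg, &msg.payload.state,
			       sizeof(struct vhost_vring_state));
			break;
		default:
			PMD_DRV_LOG(ERR, "Received unexpected msg type");
			return -1;
		}
	}

	return 0;
}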
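/**
 * Set up environment to talk with a vhost user backend.
 *
 * Connects a close-on-exec UNIX stream socket to dev->path and stores the
 * descriptor in dev->vhostfd.
 *
 * @param dev
 *   Device providing the socket path and receiving the descriptor.
 * @return
 *   - (-1) if fail, including a path that does not fit in sun_path;
 *   - (0) if succeed.
 */
static int
vhost_user_setup(struct virtio_user_dev *dev)
{
	int fd;
	int flag;
	int n;
	struct sockaddr_un un;

	memset(&un, 0, sizeof(un));
	un.sun_family = AF_UNIX;
	/* Refuse a path that would be truncated: connecting to the shortened
	 * name could reach a different socket than the one configured.
	 */
	n = snprintf(un.sun_path, sizeof(un.sun_path), "%s", dev->path);
	if (n < 0 || (size_t)n >= sizeof(un.sun_path)) {
		PMD_DRV_LOG(ERR, "vhost-user socket path is too long");
		return -1;
	}

	fd = socket(AF_UNIX, SOCK_STREAM, 0);
	if (fd < 0) {
		PMD_DRV_LOG(ERR, "socket() error, %s", strerror(errno));
		return -1;
	}

	/* Keep the descriptor out of exec'ed children. A failure is only
	 * warned about, as before; a failed F_GETFD is no longer OR-ed into
	 * the flags.
	 */
	flag = fcntl(fd, F_GETFD);
	if (flag < 0 || fcntl(fd, F_SETFD, flag | FD_CLOEXEC) < 0)
		PMD_DRV_LOG(WARNING, "fcntl failed, %s", strerror(errno));

	if (connect(fd, (struct sockaddr *)&un, sizeof(un)) < 0) {
		PMD_DRV_LOG(ERR, "connect error, %s", strerror(errno));
		close(fd);
		return -1;
	}

	dev->vhostfd = fd;
	return 0;
}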
/**
 * Send VHOST_USER_SET_VRING_ENABLE for both vrings of one queue pair.
 *
 * @param dev
 *   Device to send the requests on.
 * @param pair_idx
 *   Queue pair number; its vrings are numbered pair_idx * 2 and
 *   pair_idx * 2 + 1.
 * @param enable
 *   Value placed in the num field of each request.
 * @return
 *   - (0) if both requests succeeded;
 *   - (-1) as soon as one of them fails.
 */
static int
vhost_user_enable_queue_pair(struct virtio_user_dev *dev,
			     uint16_t pair_idx,
			     int enable)
{
	int offset = 0;

	while (offset < 2) {
		struct vhost_vring_state vring = {
			.index = pair_idx * 2 + offset,
			.num = enable,
		};

		/* Stop at the first vring the backend rejects. */
		if (vhost_user_sock(dev, VHOST_USER_SET_VRING_ENABLE,
				    &vring) != 0)
			return -1;

		++offset;
	}

	return 0;
}
/* Operations table for the vhost-user backend. It has external linkage and
 * points at the three static entry points defined in this file.
 */
struct virtio_user_backend_ops ops_user = {
.setup = vhost_user_setup,
.send_request = vhost_user_sock,
.enable_qp = vhost_user_enable_queue_pair
};