git.droids-corp.org - dpdk.git/commit

author	Maxime Coquelin <maxime.coquelin@redhat.com>
	Mon, 18 May 2020 13:16:59 +0000 (14:16 +0100)
committer	David Marchand <david.marchand@redhat.com>
	Mon, 18 May 2020 13:18:58 +0000 (15:18 +0200)
commit	3ae4beb079ce242240c34376a066bbccd0c0b23e
tree	33c0954813de3f73d4a94a2bb0749eadc1f24a51	tree \| snapshot
parent	cfacbcb5a23bc26cb913528c372adddabbb33ca1	commit \| diff

vhost: check log mmap offset and size overflow

vhost_user_set_log_base() is a message handler that is
called to handle the VHOST_USER_SET_LOG_BASE message.
Its payload contains a 64 bit size and offset. Both are
added up and used as a size when calling mmap().

There is no integer overflow check. If an integer overflow
occurs a smaller memory map would be created than
requested. Since the returned mapping is mapped as writable
and used for logging, a memory corruption could occur.

CVE-2020-10722
Fixes: fbc4d248b198 ("vhost: fix offset while mmaping log base address")
Cc: stable@dpdk.org
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Reviewed-by: Xiaolong Ye <xiaolong.ye@intel.com>
Reviewed-by: Ilja Van Sprundel <ivansprundel@ioactive.com>