git.droids-corp.org / dpdk.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 97ecc1c)
vhost: fix potential memory space leak
authorXiaolong Ye <xiaolong.ye@intel.com>
Mon, 18 May 2020 13:17:03 +0000 (14:17 +0100)
committerDavid Marchand <david.marchand@redhat.com>
Mon, 18 May 2020 13:22:42 +0000 (15:22 +0200)
A malicious container which has direct access to the vhost-user socket
can keep sending VHOST_USER_GET_INFLIGHT_FD messages which may cause
leaking resources until resulting a DOS. Fix it by unmapping the
dev->inflight_info->addr before assigning new mapped addr to it.

CVE-2020-10726
Fixes: d87f1a1cb7b6 ("vhost: support inflight info sharing")
Cc: stable@dpdk.org
Signed-off-by: Xiaolong Ye <xiaolong.ye@intel.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
lib/librte_vhost/vhost_user.c patch | blob | history

diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
index 6dbba04..9d25490 100644 (file)
--- a/lib/librte_vhost/vhost_user.c
+++ b/lib/librte_vhost/vhost_user.c
@@ -1442,6 +1442,11 @@ vhost_user_get_inflight_fd(struct virtio_net **pdev,
        }
        memset(addr, 0, mmap_size);
 
+       if (dev->inflight_info->addr) {
+               munmap(dev->inflight_info->addr, dev->inflight_info->size);
+               dev->inflight_info->addr = NULL;
+       }
+
        dev->inflight_info->addr = addr;
        dev->inflight_info->size = msg->payload.inflight.mmap_size = mmap_size;
        dev->inflight_info->fd = msg->fds[0] = fd;
@@ -1526,8 +1531,10 @@ vhost_user_set_inflight_fd(struct virtio_net **pdev, VhostUserMsg *msg,
                }
        }
 
-       if (dev->inflight_info->addr)
+       if (dev->inflight_info->addr) {
                munmap(dev->inflight_info->addr, dev->inflight_info->size);
+               dev->inflight_info->addr = NULL;
+       }
 
        addr = mmap(0, mmap_size, PROT_READ | PROT_WRITE, MAP_SHARED,
                    fd, mmap_offset);
DPDK repo used for reviews