vhost: fix translated address not checked

Malicious guest can construct desc with invalid address and zero buffer
length. That will request vhost to check both translated address and
translated data length. This patch will add missed address check.

CVE-2020-10725
Fixes: 75ed51697820 ("vhost: add packed ring batch dequeue")
Fixes: ef861692c398 ("vhost: add packed ring batch enqueue")
Cc: stable@dpdk.org
Signed-off-by: Marvin Liu <yong.liu@intel.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>

diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
index fe5cac0bdce3c9b23e6d3d3a719c08e2770d3817..5e8c6b99c0bd738a385ecec86f1145afc0dc8039 100644 (file)
--- a/lib/librte_vhost/virtio_net.c
+++ b/lib/librte_vhost/virtio_net.c
@@ -1069,6 +1069,8 @@ virtio_dev_rx_batch_packed(struct virtio_net *dev,
                                                  VHOST_ACCESS_RW);
 
        vhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {
+               if (unlikely(!desc_addrs[i]))
+                       return -1;
                if (unlikely(lens[i] != descs[avail_idx + i].len))
                        return -1;
        }
@@ -1822,6 +1824,8 @@ vhost_reserve_avail_batch_packed(struct virtio_net *dev,
        }
 
        vhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {
+               if (unlikely(!desc_addrs[i]))
+                       return -1;
                if (unlikely((lens[i] != descs[avail_idx + i].len)))
                        return -1;
        }