From: Marvin Liu Date: Wed, 31 Mar 2021 06:49:37 +0000 (+0800) Subject: vhost: fix split ring potential buffer overflow X-Git-Url: http://git.droids-corp.org/?a=commitdiff_plain;h=134228ca39ef0cfe325bc5f1d0df38c733ec9752;p=dpdk.git vhost: fix split ring potential buffer overflow In vhost datapath, descriptor's length are mostly used in two coherent operations. First step is used for address translation, second step is used for memory transaction from guest to host. But the interval between two steps will give a window for malicious guest, in which can change descriptor length after vhost calculated buffer size. Thus may lead to buffer overflow in vhost side. This potential risk can be eliminated by accessing the descriptor length once. Fixes: 1be4ebb1c464 ("vhost: support indirect descriptor in mergeable Rx") Cc: stable@dpdk.org Signed-off-by: Marvin Liu Reviewed-by: Maxime Coquelin --- diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c index 3d8e29df09..852b4ec9f5 100644 --- a/lib/librte_vhost/virtio_net.c +++ b/lib/librte_vhost/virtio_net.c @@ -548,10 +548,11 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq, return -1; } - len += descs[idx].len; + dlen = descs[idx].len; + len += dlen; if (unlikely(map_one_desc(dev, vq, buf_vec, &vec_id, - descs[idx].addr, descs[idx].len, + descs[idx].addr, dlen, perm))) { free_ind_table(idesc); return -1;