From 134228ca39ef0cfe325bc5f1d0df38c733ec9752 Mon Sep 17 00:00:00 2001 From: Marvin Liu Date: Wed, 31 Mar 2021 14:49:37 +0800 Subject: [PATCH] vhost: fix split ring potential buffer overflow In vhost datapath, descriptor's length are mostly used in two coherent operations. First step is used for address translation, second step is used for memory transaction from guest to host. But the interval between two steps will give a window for malicious guest, in which can change descriptor length after vhost calculated buffer size. Thus may lead to buffer overflow in vhost side. This potential risk can be eliminated by accessing the descriptor length once. Fixes: 1be4ebb1c464 ("vhost: support indirect descriptor in mergeable Rx") Cc: stable@dpdk.org Signed-off-by: Marvin Liu Reviewed-by: Maxime Coquelin --- lib/librte_vhost/virtio_net.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c index 3d8e29df09..852b4ec9f5 100644 --- a/lib/librte_vhost/virtio_net.c +++ b/lib/librte_vhost/virtio_net.c @@ -548,10 +548,11 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq, return -1; } - len += descs[idx].len; + dlen = descs[idx].len; + len += dlen; if (unlikely(map_one_desc(dev, vq, buf_vec, &vec_id, - descs[idx].addr, descs[idx].len, + descs[idx].addr, dlen, perm))) { free_ind_table(idesc); return -1; -- 2.20.1