From 3ae4beb079ce242240c34376a066bbccd0c0b23e Mon Sep 17 00:00:00 2001 From: Maxime Coquelin Date: Mon, 18 May 2020 14:16:59 +0100 Subject: [PATCH] vhost: check log mmap offset and size overflow vhost_user_set_log_base() is a message handler that is called to handle the VHOST_USER_SET_LOG_BASE message. Its payload contains a 64 bit size and offset. Both are added up and used as a size when calling mmap(). There is no integer overflow check. If an integer overflow occurs a smaller memory map would be created than requested. Since the returned mapping is mapped as writable and used for logging, a memory corruption could occur. CVE-2020-10722 Fixes: fbc4d248b198 ("vhost: fix offset while mmaping log base address") Cc: stable@dpdk.org Reported-by: Ilja Van Sprundel Signed-off-by: Maxime Coquelin Reviewed-by: Xiaolong Ye Reviewed-by: Ilja Van Sprundel --- lib/librte_vhost/vhost_user.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c index 9c891d4c01..ff5b13169f 100644 --- a/lib/librte_vhost/vhost_user.c +++ b/lib/librte_vhost/vhost_user.c @@ -2068,10 +2068,10 @@ vhost_user_set_log_base(struct virtio_net **pdev, struct VhostUserMsg *msg, size = msg->payload.log.mmap_size; off = msg->payload.log.mmap_offset; - /* Don't allow mmap_offset to point outside the mmap region */ - if (off > size) { + /* Check for mmap size and offset overflow. */ + if (off >= -size) { VHOST_LOG_CONFIG(ERR, - "log offset %#"PRIx64" exceeds log size %#"PRIx64"\n", + "log offset %#"PRIx64" and log size %#"PRIx64" overflow\n", off, size); return RTE_VHOST_MSG_RESULT_ERR; } -- 2.20.1