2023-11-03 09:16:16 +08:00
|
|
|
From 5b3c25e6ee2c68887aae166aed57d0b4af91fa60 Mon Sep 17 00:00:00 2001
|
2022-09-08 15:28:35 +08:00
|
|
|
From: Maxime Coquelin <maxime.coquelin@redhat.com>
|
2023-11-03 09:16:16 +08:00
|
|
|
Date: Thu, 16 Jun 2022 11:35:56 +0200
|
|
|
|
|
Subject: [PATCH] vhost: discard too small descriptor chains
|
2022-09-08 15:28:35 +08:00
|
|
|
|
2023-11-03 09:16:16 +08:00
|
|
|
This patch discards descriptor chains which are smaller
|
|
|
|
|
than the Virtio-net header size, and ones that are equal.
|
2022-09-08 15:28:35 +08:00
|
|
|
|
2023-11-03 09:16:16 +08:00
|
|
|
Indeed, such descriptor chains sizes mean there is no
|
|
|
|
|
packet data.
|
|
|
|
|
|
|
|
|
|
This patch also has the advantage of requesting the exact
|
|
|
|
|
packets sizes for the mbufs.
|
2022-09-08 15:28:35 +08:00
|
|
|
|
|
|
|
|
CVE-2022-2132
|
2023-11-03 09:16:16 +08:00
|
|
|
Fixes: 62250c1d0978 ("vhost: extract split ring handling from Rx and Tx functions")
|
|
|
|
|
Fixes: c3ff0ac70acb ("vhost: improve performance by supporting large buffer")
|
|
|
|
|
Cc: stable@dpdk.org
|
2022-09-08 15:28:35 +08:00
|
|
|
|
|
|
|
|
Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
|
2022-09-09 17:24:50 +08:00
|
|
|
Conflict: NA
|
2023-11-03 09:16:16 +08:00
|
|
|
Reference: https://git.dpdk.org/dpdk-stable/commit/?id=5b3c25e6ee
|
2022-09-08 15:28:35 +08:00
|
|
|
---
|
2023-11-03 09:16:16 +08:00
|
|
|
lib/librte_vhost/virtio_net.c | 21 +++++++++++++++++----
|
|
|
|
|
1 file changed, 17 insertions(+), 4 deletions(-)
|
2022-09-08 15:28:35 +08:00
|
|
|
|
2023-11-03 09:16:16 +08:00
|
|
|
diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
|
|
|
|
|
index ae4e54a442..1fcbc1aca9 100644
|
|
|
|
|
--- a/lib/librte_vhost/virtio_net.c
|
|
|
|
|
+++ b/lib/librte_vhost/virtio_net.c
|
|
|
|
|
@@ -1412,10 +1412,10 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
|
|
|
|
|
buf_iova = buf_vec[vec_idx].buf_iova;
|
|
|
|
|
buf_len = buf_vec[vec_idx].buf_len;
|
2022-09-08 15:28:35 +08:00
|
|
|
|
2023-11-03 09:16:16 +08:00
|
|
|
- if (unlikely(buf_len < dev->vhost_hlen && nr_vec <= 1)) {
|
|
|
|
|
- error = -1;
|
|
|
|
|
- goto out;
|
|
|
|
|
- }
|
|
|
|
|
+ /*
|
|
|
|
|
+ * The caller has checked the descriptors chain is larger than the
|
|
|
|
|
+ * header size.
|
|
|
|
|
+ */
|
2022-09-08 15:28:35 +08:00
|
|
|
|
|
|
|
|
if (virtio_net_with_host_offload(dev)) {
|
2023-11-03 09:16:16 +08:00
|
|
|
if (unlikely(buf_len < sizeof(struct virtio_net_hdr))) {
|
|
|
|
|
@@ -1742,6 +1742,14 @@ virtio_dev_tx_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
|
|
|
|
|
if (likely(dev->dequeue_zero_copy == 0))
|
|
|
|
|
update_shadow_used_ring_split(vq, head_idx, 0);
|
2022-09-08 15:28:35 +08:00
|
|
|
|
2023-11-03 09:16:16 +08:00
|
|
|
+ if (unlikely(buf_len <= dev->vhost_hlen)) {
|
|
|
|
|
+ dropped += 1;
|
|
|
|
|
+ i++;
|
2022-09-08 15:28:35 +08:00
|
|
|
+ break;
|
2023-11-03 09:16:16 +08:00
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ buf_len -= dev->vhost_hlen;
|
|
|
|
|
+
|
|
|
|
|
pkts[i] = virtio_dev_pktmbuf_alloc(dev, mbuf_pool, buf_len);
|
|
|
|
|
if (unlikely(pkts[i] == NULL)) {
|
|
|
|
|
/*
|
|
|
|
|
@@ -1955,6 +1963,11 @@ vhost_dequeue_single_packed(struct virtio_net *dev,
|
|
|
|
|
VHOST_ACCESS_RO) < 0))
|
|
|
|
|
return -1;
|
2022-09-08 15:28:35 +08:00
|
|
|
|
2023-11-03 09:16:16 +08:00
|
|
|
+ if (unlikely(buf_len <= dev->vhost_hlen))
|
|
|
|
|
+ return -1;
|
|
|
|
|
+
|
|
|
|
|
+ buf_len -= dev->vhost_hlen;
|
2022-09-08 15:28:35 +08:00
|
|
|
+
|
2023-11-03 09:16:16 +08:00
|
|
|
*pkts = virtio_dev_pktmbuf_alloc(dev, mbuf_pool, buf_len);
|
|
|
|
|
if (unlikely(*pkts == NULL)) {
|
|
|
|
|
if (!allocerr_warned) {
|
2022-09-08 15:28:35 +08:00
|
|
|
--
|
|
|
|
|
2.23.0
|
|
|
|
|
|
