[dpdk-stable] patch 'vhost: fix split ring potential buffer overflow' has been queued to stable release 19.11.9

[Christian Ehrhardt]

Hi,

FYI, your patch has been queued to stable release 19.11.9

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 05/19/21. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/cpaelzer/dpdk-stable-queue

This queued commit can be viewed at:
https://github.com/cpaelzer/dpdk-stable-queue/commit/a6eda732ae0d400cd910b7eaeb4fbcdb07d2abb0

Thanks.

Christian Ehrhardt <christian.ehrhardt at canonical.com>

---
>From a6eda732ae0d400cd910b7eaeb4fbcdb07d2abb0 Mon Sep 17 00:00:00 2001
From: Marvin Liu <yong.liu at intel.com>
Date: Wed, 31 Mar 2021 14:49:37 +0800
Subject: [PATCH] vhost: fix split ring potential buffer overflow

[ upstream commit 134228ca39ef0cfe325bc5f1d0df38c733ec9752 ]

In vhost datapath, descriptor's length are mostly used in two coherent
operations. First step is used for address translation, second step is
used for memory transaction from guest to host. But the interval between
two steps will give a window for malicious guest, in which can change
descriptor length after vhost calculated buffer size. Thus may lead to
buffer overflow in vhost side. This potential risk can be eliminated by
accessing the descriptor length once.

Fixes: 1be4ebb1c464 ("vhost: support indirect descriptor in mergeable Rx")

Signed-off-by: Marvin Liu <yong.liu at intel.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin at redhat.com>
---
 lib/librte_vhost/virtio_net.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
index f397e9a13a..32d341fb70 100644
--- a/lib/librte_vhost/virtio_net.c
+++ b/lib/librte_vhost/virtio_net.c
@@ -546,10 +546,11 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
 			return -1;
 		}
 
-		len += descs[idx].len;
+		dlen = descs[idx].len;
+		len += dlen;
 
 		if (unlikely(map_one_desc(dev, vq, buf_vec, &vec_id,
-						descs[idx].addr, descs[idx].len,
+						descs[idx].addr, dlen,
 						perm))) {
 			free_ind_table(idesc);
 			return -1;
-- 
2.31.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2021-05-17 17:40:32.376875073 +0200
+++ 0073-vhost-fix-split-ring-potential-buffer-overflow.patch	2021-05-17 17:40:29.239810012 +0200
@@ -1 +1 @@
-From 134228ca39ef0cfe325bc5f1d0df38c733ec9752 Mon Sep 17 00:00:00 2001
+From a6eda732ae0d400cd910b7eaeb4fbcdb07d2abb0 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 134228ca39ef0cfe325bc5f1d0df38c733ec9752 ]
+
@@ -15 +16,0 @@
-Cc: stable at dpdk.org
@@ -24 +25 @@
-index 3d8e29df09..852b4ec9f5 100644
+index f397e9a13a..32d341fb70 100644
@@ -27 +28 @@
-@@ -548,10 +548,11 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
+@@ -546,10 +546,11 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,