[PATCH v3 1/2] vhost: fix possible FDs leak

Maxime Coquelin maxime.coquelin at redhat.com
Tue Feb 7 17:22:39 CET 2023

Previous message (by thread): [PATCH] build: fix invalid characters in toolchain definitions
Next message (by thread): [PATCH v3 2/2] vhost: fix possible FD leaks on truncation
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On failure, read_vhost_message() only closed the message
FDs if the header size was unexpected, but there are other
cases where it is required. For exemple in the case the
payload size read from the header is greater than the
expected maximum payload size.

This patch fixes this by closing all messages FDs in all
error cases. It also improve error logging by displaying
the request name when failure happens if possible.

Fixes: bf472259dde6 ("vhost: fix possible denial of service by leaking FDs")
Cc: stable at dpdk.org

Signed-off-by: Maxime Coquelin <maxime.coquelin at redhat.com>
Signed-off-by: David Marchand <david.marchand at redhat.com>
Reviewed-by: Chenbo Xia <chenbo.xia at intel.com>
---
 lib/vhost/vhost_user.c | 40 ++++++++++++++++++++++++++--------------
 1 file changed, 26 insertions(+), 14 deletions(-)

diff --git a/lib/vhost/vhost_user.c b/lib/vhost/vhost_user.c
index 8f33d5f4d9..a6d8269d91 100644
--- a/lib/vhost/vhost_user.c
+++ b/lib/vhost/vhost_user.c
@@ -2827,29 +2827,36 @@ read_vhost_message(struct virtio_net *dev, int sockfd, struct  vhu_msg_context *
 
 	ret = read_fd_message(dev->ifname, sockfd, (char *)&ctx->msg, VHOST_USER_HDR_SIZE,
 		ctx->fds, VHOST_MEMORY_MAX_NREGIONS, &ctx->fd_num);
-	if (ret <= 0) {
-		return ret;
-	} else if (ret != VHOST_USER_HDR_SIZE) {
+	if (ret <= 0)
+		goto out;
+
+	if (ret != VHOST_USER_HDR_SIZE) {
 		VHOST_LOG_CONFIG(dev->ifname, ERR, "Unexpected header size read\n");
-		close_msg_fds(ctx);
-		return -1;
+		ret = -1;
+		goto out;
 	}
 
 	if (ctx->msg.size) {
 		if (ctx->msg.size > sizeof(ctx->msg.payload)) {
 			VHOST_LOG_CONFIG(dev->ifname, ERR, "invalid msg size: %d\n",
 				ctx->msg.size);
-			return -1;
+			ret = -1;
+			goto out;
 		}
 		ret = read(sockfd, &ctx->msg.payload, ctx->msg.size);
 		if (ret <= 0)
-			return ret;
+			goto out;
 		if (ret != (int)ctx->msg.size) {
 			VHOST_LOG_CONFIG(dev->ifname, ERR, "read control message failed\n");
-			return -1;
+			ret = -1;
+			goto out;
 		}
 	}
 
+out:
+	if (ret <= 0)
+		close_msg_fds(ctx);
+
 	return ret;
 }
 
@@ -2997,13 +3004,10 @@ vhost_user_msg_handler(int vid, int fd)
 		}
 	}
 
+	ctx.msg.request.master = VHOST_USER_NONE;
 	ret = read_vhost_message(dev, fd, &ctx);
-	if (ret <= 0) {
-		if (ret < 0)
-			VHOST_LOG_CONFIG(dev->ifname, ERR, "vhost read message failed\n");
-		else
-			VHOST_LOG_CONFIG(dev->ifname, INFO, "vhost peer closed\n");
-
+	if (ret == 0) {
+		VHOST_LOG_CONFIG(dev->ifname, INFO, "vhost peer closed\n");
 		return -1;
 	}
 
@@ -3013,6 +3017,14 @@ vhost_user_msg_handler(int vid, int fd)
 	else
 		msg_handler = NULL;
 
+	if (ret < 0) {
+		VHOST_LOG_CONFIG(dev->ifname, ERR, "vhost read message %s%s%sfailed\n",
+				msg_handler != NULL ? "for " : "",
+				msg_handler != NULL ? msg_handler->description : "",
+				msg_handler != NULL ? " " : "");
+		return -1;
+	}
+
 	if (msg_handler != NULL && msg_handler->description != NULL) {
 		if (request != VHOST_USER_IOTLB_MSG)
 			VHOST_LOG_CONFIG(dev->ifname, INFO,
-- 
2.39.1

Previous message (by thread): [PATCH] build: fix invalid characters in toolchain definitions
Next message (by thread): [PATCH v3 2/2] vhost: fix possible FD leaks on truncation
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the stable mailing list