In vhost_crypto_process_one_req(), we have: /** * Process on descriptor */ static __rte_always_inline int vhost_crypto_process_one_req(struct vhost_crypto *vcrypto, struct vhost_virtqueue *vq, struct rte_crypto_op *op, struct vring_desc *head, struct vhost_crypto_desc *descs, uint16_t desc_idx) { <\snip> nb_descs = max_n_descs = dlen / sizeof(struct vring_desc); <\snip> if (unlikely(copy_data(&req, vc_req, descs, &desc, sizeof(req), max_n_descs) < 0)) { err = VIRTIO_CRYPTO_BADMSG; VC_LOG_ERR("Invalid descriptor"); goto error_exit; } /* desc is advanced by 1 now */ max_n_descs -= 1; max_n_descs is decremented by one, but copy_data can process more than a single descriptors. Since &desc is also incremented in copy_data by the number of descriptors parsed, max_n_descs should be decremented by the same amount, otherwise out of bounds accesses to desc array could happen.
Hi Maxime, I will do a proper refactor to the code. Please expect the change done before 23.01 Regards, Fan