On 01/22/2017 09:46 AM, Yuanhan Liu wrote:
If a malicious guest forges a dead loop desc chain (let desc->next point
to itself) and desc->len is zero, this could lead to a dead loop in
copy_mbuf_to_desc(following is a simplified code to show this issue
clearly):
while (mbuf_is_not_totally_consumed) {
if (desc_avail == 0) {
desc = &descs[desc->next];
desc_avail = desc->len;
}
COPY(desc, mbuf, desc_avail);
}
I have actually fixed a same issue before: a436f53ebfeb ("vhost: avoid
dead loop chain"); it fixes the dequeue path though, leaving the enqueue
path still vulnerable.
The fix is the same. Add a var nr_desc to avoid the dead loop.
Fixes: f1a519ad981c ("vhost: fix enqueue/dequeue to handle chained vring
descriptors")
Cc: [email protected]
Reported-by: Xieming Katty <[email protected]>
Signed-off-by: Yuanhan Liu <[email protected]>
---
lib/librte_vhost/virtio_net.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
Thanks for the fix:
Reviewed-by: Maxime Coquelin <[email protected]>
- Maxime
