Re: [PATCH net] vhost: fix OOB in get_rx_bufs()

2019-01-30 Thread David Miller
From: "Michael S. Tsirkin" Date: Tue, 29 Jan 2019 20:36:31 -0500 > If it helps I can include most virtio stuff in my pull requests instead. > Or if that can't work since there's too often a dependency on net-next, > maybe Jason wants to create a tree and send pull requests to you. Let > us know

Re: [PATCH net] vhost: fix OOB in get_rx_bufs()

2019-01-29 Thread Michael S. Tsirkin
On Tue, Jan 29, 2019 at 03:38:10PM -0800, David Miller wrote: > From: David Miller > Date: Tue, 29 Jan 2019 15:10:26 -0800 (PST) > > > Yeah the CVE pushed my hand a little bit, and I knew I was going to > > send Linus a pull request today because David Watson needs some TLS > > changes in net-nex

Re: [PATCH net] vhost: fix OOB in get_rx_bufs()

2019-01-29 Thread David Miller
From: David Miller Date: Tue, 29 Jan 2019 15:10:26 -0800 (PST) > Yeah the CVE pushed my hand a little bit, and I knew I was going to > send Linus a pull request today because David Watson needs some TLS > changes in net-next. I also want to make a general comment for the record. If I let pa

Re: [PATCH net] vhost: fix OOB in get_rx_bufs()

2019-01-29 Thread David Miller
From: "Michael S. Tsirkin" Date: Tue, 29 Jan 2019 17:54:44 -0500 > On Mon, Jan 28, 2019 at 10:54:44PM -0800, David Miller wrote: >> From: Jason Wang >> Date: Mon, 28 Jan 2019 15:05:05 +0800 >> >> > After batched used ring updating was introduced in commit e2b3b35eb989 >> > ("vhost_net: batch us

Re: [PATCH net] vhost: fix OOB in get_rx_bufs()

2019-01-29 Thread Michael S. Tsirkin
On Mon, Jan 28, 2019 at 10:54:44PM -0800, David Miller wrote: > From: Jason Wang > Date: Mon, 28 Jan 2019 15:05:05 +0800 > > > After batched used ring updating was introduced in commit e2b3b35eb989 > > ("vhost_net: batch used ring update in rx"). We tend to batch heads in > > vq->heads for more t

Re: [PATCH net] vhost: fix OOB in get_rx_bufs()

2019-01-28 Thread David Miller
From: Jason Wang Date: Mon, 28 Jan 2019 15:05:05 +0800 > After batched used ring updating was introduced in commit e2b3b35eb989 > ("vhost_net: batch used ring update in rx"). We tend to batch heads in > vq->heads for more than one packet. But the quota passed to > get_rx_bufs() was not correctly

Re: [PATCH net] vhost: fix OOB in get_rx_bufs()

2019-01-28 Thread Stefan Hajnoczi
On Mon, Jan 28, 2019 at 03:05:05PM +0800, Jason Wang wrote: > After batched used ring updating was introduced in commit e2b3b35eb989 > ("vhost_net: batch used ring update in rx"). We tend to batch heads in > vq->heads for more than one packet. But the quota passed to > get_rx_bufs() was not correct

[PATCH net] vhost: fix OOB in get_rx_bufs()

2019-01-27 Thread Jason Wang
After batched used ring updating was introduced in commit e2b3b35eb989 ("vhost_net: batch used ring update in rx"). We tend to batch heads in vq->heads for more than one packet. But the quota passed to get_rx_bufs() was not correctly limited, which can result a OOB write in vq->heads. head