Date: Tue, 29 Jan 2019 14:30:08 +0800
From: Stefan Hajnoczi
To: Jason Wang
Cc: mst@redhat.com, kvm@vger.kernel.org, virtualization@lists.linux-foundation.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH net] vhost: fix OOB in get_rx_bufs()
Message-ID: <20190129063008.GJ3264@stefanha-x1.localdomain>
References: <20190128070505.18335-1-jasowang@redhat.com>
In-Reply-To: <20190128070505.18335-1-jasowang@redhat.com>

On Mon, Jan 28, 2019 at 03:05:05PM +0800, Jason Wang wrote:
> After batched used ring updating was introduced in commit e2b3b35eb989
> ("vhost_net: batch used ring update in rx"), we tend to batch heads in
> vq->heads for more than one packet. But the quota passed to
> get_rx_bufs() was not correctly limited, which can result in an OOB write
> in vq->heads.
>
>         headcount = get_rx_bufs(vq, vq->heads + nvq->done_idx,
>                     vhost_len, &in, vq_log, &log,
>                     likely(mergeable) ? UIO_MAXIOV : 1);
>
> UIO_MAXIOV was still used, which is wrong since we could have batched
> used heads in vq->heads. This will cause an OOB if the next buffer needs more
> than 960 (1024 (UIO_MAXIOV) - 64 (VHOST_NET_BATCH)) heads after we've
> batched 64 (VHOST_NET_BATCH) heads:
>
> =============================================================================
> BUG kmalloc-8k (Tainted: G    B            ): Redzone overwritten
> -----------------------------------------------------------------------------
>
> INFO: 0x00000000fd93b7a2-0x00000000f0713384. First byte 0xa9 instead of 0xcc
> INFO: Allocated in alloc_pd+0x22/0x60 age=3933677 cpu=2 pid=2674
>     kmem_cache_alloc_trace+0xbb/0x140
>     alloc_pd+0x22/0x60
>     gen8_ppgtt_create+0x11d/0x5f0
>     i915_ppgtt_create+0x16/0x80
>     i915_gem_create_context+0x248/0x390
>     i915_gem_context_create_ioctl+0x4b/0xe0
>     drm_ioctl_kernel+0xa5/0xf0
>     drm_ioctl+0x2ed/0x3a0
>     do_vfs_ioctl+0x9f/0x620
>     ksys_ioctl+0x6b/0x80
>     __x64_sys_ioctl+0x11/0x20
>     do_syscall_64+0x43/0xf0
>     entry_SYSCALL_64_after_hwframe+0x44/0xa9
> INFO: Slab 0x00000000d13e87af objects=3 used=3 fp=0x (null) flags=0x200000000010201
> INFO: Object 0x0000000003278802 @offset=17064 fp=0x00000000e2e6652b
>
> Fix this by allocating UIO_MAXIOV + VHOST_NET_BATCH iovs for
> vhost-net. This is done by setting the limit through
> vhost_dev_init(), so that set_owner can allocate the number of iovs in a
> per-device manner.
>
> This fixes CVE-2018-16880.
>
> Fixes: e2b3b35eb989 ("vhost_net: batch used ring update in rx")
> Signed-off-by: Jason Wang
> ---
>  drivers/vhost/net.c   | 3 ++-
>  drivers/vhost/scsi.c  | 2 +-
>  drivers/vhost/vhost.c | 7 ++++---
>  drivers/vhost/vhost.h | 4 +++-
>  drivers/vhost/vsock.c | 2 +-
>  5 files changed, 11 insertions(+), 7 deletions(-)

No change in the scsi and vsock cases. I haven't reviewed the net case.

Acked-by: Stefan Hajnoczi
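The arithmetic behind the quoted commit message, as an added model that is not part of this thread or of the kernel: a bounds-checked stand-in for vq->heads shows why a buffer needing more than 960 heads overruns an array of UIO_MAXIOV entries once 64 heads are already batched, and why sizing the allocation to UIO_MAXIOV + VHOST_NET_BATCH (the per-device limit the fix passes through vhost_dev_init()) closes the gap while the quota stays UIO_MAXIOV. The struct, get_rx_bufs_model() and rx_fits() are simplifications assumed here; the real get_rx_bufs() walks descriptor chains and returns an error when a buffer exceeds the quota.

```c
#include <stdio.h>
#include <stdlib.h>
/* Constants as named in the vhost code quoted in the commit message. */
#define UIO_MAXIOV      1024
#define VHOST_NET_BATCH 64

/* Minimal model of a vq (added illustration, not kernel code). */
struct vq_model {
    unsigned int *heads;  /* models vq->heads */
    size_t iov_limit;     /* models the per-device limit set via vhost_dev_init() */
};

/* Models get_rx_bufs(): record one buffer's heads at heads[base..]. Returns the
 * head count, -2 if the buffer needs more than quota heads (the function's own
 * error path), or -1 where the real code would write past the allocation; the
 * model refuses to write rather than corrupt memory. */
static int get_rx_bufs_model(struct vq_model *vq, size_t base, size_t needed,
                             size_t quota)
{
    if (needed > quota)
        return -2;
    if (base + needed > vq->iov_limit)
        return -1;                               /* the OOB write in the report */
    for (size_t i = 0; i < needed; i++)
        vq->heads[base + i] = (unsigned int)i;   /* stand-in for descriptor heads */
    return (int)needed;
}

/* One handle_rx() iteration with `batched` heads already pending in vq->heads
 * (nvq->done_idx). vq->heads is sized by iov_limit, as vhost_dev_set_owner()
 * does after the fix; the quota stays UIO_MAXIOV, as in the quoted call. */
static int rx_fits(size_t iov_limit, size_t batched, size_t needed)
{
    struct vq_model vq = { calloc(iov_limit, sizeof(unsigned int)), iov_limit };
    if (!vq.heads)
        return -1;
    int r = get_rx_bufs_model(&vq, batched, needed, UIO_MAXIOV);
    free(vq.heads);
    return r;
}

int main(void)
{
    printf("UIO_MAXIOV heads, 64 batched, 961 needed: %d\n",
           rx_fits(UIO_MAXIOV, VHOST_NET_BATCH, 961));
    printf("UIO_MAXIOV + VHOST_NET_BATCH heads, same buffer: %d\n",
           rx_fits(UIO_MAXIOV + VHOST_NET_BATCH, VHOST_NET_BATCH, 961));
    return 0;
}
```

Running it prints -1 for the old allocation and 961 for the fixed one; 960 heads still fit the old array, which is the threshold the commit message states.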