From c9999095cf2b36107200aa64db46f17e3c30dd1a Mon Sep 17 00:00:00 2001
From: shirely
Date: Fri, 10 Jun 2022 17:31:55 +0800
Subject: [PATCH] fix CVE-2021-3839 CVE-2022-0669
(cherry picked from commit 0613aa55c208d165b89303d58b1eab1f67ea2f62)
---
 CVE-2021-3839.patch | 39 +++++++++++++++++++++++++++++++++++++++
 CVE-2022-0669.patch | 44 ++++++++++++++++++++++++++++++++++++++++++++
 dpdk.spec | 9 ++++++++-
 3 files changed, 91 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2021-3839.patch
 create mode 100644 CVE-2022-0669.patch
diff --git a/CVE-2021-3839.patch b/CVE-2021-3839.patch
new file mode 100644
index 0000000..9d8e1b7
--- /dev/null
+++ b/CVE-2021-3839.patch
@@ -0,0 +1,39 @@
+From 4c40d30d2bc8a35b81d1d386e6674acee49acded Mon Sep 17 00:00:00 2001
+From: Chenbo Xia
+Date: Mon, 14 Feb 2022 16:32:37 +0800
+Subject: vhost: fix queue number check when setting inflight FD
+
+[ upstream commit 6442c329b9d2ded0f44b27d2016aaba8ba5844c5 ]
+
+In function vhost_user_set_inflight_fd, queue number in inflight
+message is used to access virtqueue. However, queue number could
+be larger than VHOST_MAX_VRING and cause write OOB as this number
+will be used to write inflight info in virtqueue structure. This
+patch checks the queue number to avoid the issue and also make
+sure virtqueues are allocated before setting inflight information.
+
+Fixes: ad0a4ae491fe ("vhost: checkout resubmit inflight information")
+
+Reported-by: Wenxiang Qian
+Signed-off-by: Chenbo Xia
+Reviewed-by: Maxime Coquelin
+---
+ lib/vhost/vhost_user.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/vhost/vhost_user.c b/lib/vhost/vhost_user.c
+index 850ac49169..d4b0ec7358 100644
+--- a/lib/vhost/vhost_user.c
++++ b/lib/vhost/vhost_user.c
+@@ -2876,6 +2876,9 @@ vhost_user_check_and_alloc_queue_pair(struct virtio_net *dev,
+ case VHOST_USER_SET_VRING_ADDR:
+ vring_idx = msg->payload.addr.index;
+ break;
++ case VHOST_USER_SET_INFLIGHT_FD:
++ vring_idx = msg->payload.inflight.num_queues - 1;
++ break;
+ default:
+ return 0;
+ }
+--
+cgit v1.2.1
diff --git a/CVE-2022-0669.patch b/CVE-2022-0669.patch
new file mode 100644
index 0000000..9b86bc6
--- /dev/null
+++ b/CVE-2022-0669.patch
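Review bot: The added case derives the vring index from the message's num_queues with no explicit zero check, so a message carrying num_queues == 0 makes `vring_idx = msg->payload.inflight.num_queues - 1;` evaluate to -1; whether that value is rejected depends on the type of vring_idx and on the range check that follows the switch, neither of which is visible in this hunk. A guard placed before the subtraction, `if (msg->payload.inflight.num_queues == 0) return -1;` (using whatever value the out-of-range path returns), would make the rejection explicit instead of relying on unsigned wraparound. The case also requests allocation of only index num_queues - 1; that covers the lower queues written by the inflight loop only if the allocator fills the holes below the requested index, which is worth recording in a comment such as `/* allocates every vring up to num_queues - 1, holes included */` if it holds. vhost_user_check_and_alloc_queue_pair starts and ends outside the hunk.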
@@ -0,0 +1,44 @@
+From 6cb68162e4b598b7c0747372fa3fcec9cddd19b8 Mon Sep 17 00:00:00 2001
+From: David Marchand
+Date: Tue, 18 Jan 2022 15:53:30 +0100
+Subject: vhost: fix FD leak with inflight messages
+
+[ upstream commit af74f7db384ed149fe42b21dbd7975f8a54ef227 ]
+
+Even if unlikely, a buggy vhost-user master might attach fds to inflight
+messages. Add checks like for other types of vhost-user messages.
+
+Fixes: d87f1a1cb7b6 ("vhost: support inflight info sharing")
+
+Signed-off-by: David Marchand
+Reviewed-by: Maxime Coquelin
+---
+ lib/vhost/vhost_user.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/vhost/vhost_user.c b/lib/vhost/vhost_user.c
+index d4b0ec7358..9a266b5d42 100644
+--- a/lib/vhost/vhost_user.c
++++ b/lib/vhost/vhost_user.c
+@@ -1600,6 +1600,9 @@ vhost_user_get_inflight_fd(struct virtio_net **pdev,
+ int numa_node = SOCKET_ID_ANY;
+ void *addr;
+
++ if (validate_msg_fds(msg, 0) != 0)
++ return RTE_VHOST_MSG_RESULT_ERR;
++
+ if (msg->size != sizeof(msg->payload.inflight)) {
+ VHOST_LOG_CONFIG(ERR,
+ "invalid get_inflight_fd message size is %d\n",
+@@ -1701,6 +1704,9 @@ vhost_user_set_inflight_fd(struct virtio_net **pdev, VhostUserMsg *msg,
+ int fd, i;
+ int numa_node = SOCKET_ID_ANY;
+
++ if (validate_msg_fds(msg, 1) != 0)
++ return RTE_VHOST_MSG_RESULT_ERR;
++
+ fd = msg->fds[0];
+ if (msg->size != sizeof(msg->payload.inflight) || fd < 0) {
+ VHOST_LOG_CONFIG(ERR,
+--
+cgit v1.2.1
diff --git a/dpdk.spec b/dpdk.spec
index d4d6f5c..46ff9cf 100644
--- a/dpdk.spec
+++ b/dpdk.spec
@@ -1,6 +1,6 @@
 Name: dpdk
 Version: 21.11
-Release: 10
+Release: 11
 Packager: packaging@6wind.com
 URL: http://dpdk.org
 %global source_version 21.11
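Review bot: Once the new `validate_msg_fds(msg, 1)` check in vhost_user_set_inflight_fd passes, the descriptor taken on the following line `fd = msg->fds[0];` is owned by this function, yet the size/fd error branch right after it (`if (msg->size != sizeof(msg->payload.inflight) || fd < 0)`) is cut off by the hunk, so it cannot be seen whether that branch closes the fd before returning; if it only logs and returns, a valid fd attached to a malformed message still leaks despite this fix. Adding `if (fd >= 0) close(fd);` ahead of that return would close the remaining gap. The get_inflight_fd side looks correct as far as the hunk shows, on the assumption that validate_msg_fds itself closes any unexpected fds when it reports a mismatch, which cannot be confirmed from here. Both vhost_user_get_inflight_fd and vhost_user_set_inflight_fd continue outside the hunk.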
@@ -92,6 +92,10 @@ Patch9083: 0083-net-hns3-remove-unnecessary-RSS-switch.patch
 Patch9084: 0084-app-testpmd-check-statistics-query-before-printing.patch
 Patch9085: 0085-app-testpmd-fix-MTU-verification.patch
+Patch6001: CVE-2021-3839.patch
+Patch6002: CVE-2022-0669.patch
+
+
 Summary: Data Plane Development Kit core
 Group: System Environment/Libraries
 License: BSD and LGPLv2 and GPLv2
@@ -209,6 +213,9 @@ strip -g $RPM_BUILD_ROOT/lib/modules/%{kern_devel_ver}/extra/dpdk/igb_uio.ko
 /usr/sbin/depmod
 %changelog
+* Fri Jun 10 2022 xiusailong - 21.11-11
+- fix CVE-2021-3839 CVE-2022-0669
+
 * Tue May 17 2022 Min Hu(Connor) - 21.11-10
 - sync patches from 22.03.
--
Gitee
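Review bot: The new `Patch6001:` and `Patch6002:` tags only register the CVE patches with the source package; unless the %prep section, which lies outside this diff, applies patches via %autosetup or %autopatch, matching `%patch6001 -p1` and `%patch6002 -p1` lines are required or the two fixes are never compiled into the build. Their numbers sort below the existing Patch9083–Patch9085 series, so under automatic numeric ordering they would apply before those patches; that is harmless only if none of the 9xxx series touches lib/vhost/vhost_user.c, which cannot be verified here. The nested index line of CVE-2022-0669.patch (d4b0ec7358, the blob produced by CVE-2021-3839) confirms 6001 must precede 6002, which the chosen numbering preserves.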