From dec28482656898677760cb2937b5c112cd55c575 Mon Sep 17 00:00:00 2001
From: shirely
Date: Fri, 10 Jun 2022 16:53:59 +0800
Subject: [PATCH] fix CVE-2021-3839 CVE-2022-0669

(cherry picked from commit 75a45a00311d6d5a090f737f4684537785e39877)
---
 CVE-2021-3839.patch | 40 ++++++++++++++++++++++++++++++++++++++++
 CVE-2022-0669.patch | 42 ++++++++++++++++++++++++++++++++++++++++++
 dpdk.spec | 7 ++++++-
 3 files changed, 88 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2021-3839.patch
 create mode 100644 CVE-2022-0669.patch
diff --git a/CVE-2021-3839.patch b/CVE-2021-3839.patch
new file mode 100644
index 0000000..f390e24
--- /dev/null
+++ b/CVE-2021-3839.patch
@@ -0,0 +1,40 @@
+From aef547884b8a64c0754b4b7906ae9d7c912b8043 Mon Sep 17 00:00:00 2001
+From: Chenbo Xia
+Date: Mon, 14 Feb 2022 16:32:37 +0800
+Subject: vhost: fix queue number check when setting inflight FD
+
+[ upstream commit 6442c329b9d2ded0f44b27d2016aaba8ba5844c5 ]
+
+In function vhost_user_set_inflight_fd, queue number in inflight
+message is used to access virtqueue. However, queue number could
+be larger than VHOST_MAX_VRING and cause write OOB as this number
+will be used to write inflight info in virtqueue structure. This
+patch checks the queue number to avoid the issue and also make
+sure virtqueues are allocated before setting inflight information.
+
+Fixes: ad0a4ae491fe ("vhost: checkout resubmit inflight information")
+Cc: stable@dpdk.org
+
+Reported-by: Wenxiang Qian
+Signed-off-by: Chenbo Xia
+Reviewed-by: Maxime Coquelin
+---
+ lib/librte_vhost/vhost_user.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
+index 1ee6050ac0..79be132c43 100644
+--- a/lib/librte_vhost/vhost_user.c
++++ b/lib/librte_vhost/vhost_user.c
+@@ -2624,6 +2624,9 @@ vhost_user_check_and_alloc_queue_pair(struct virtio_net *dev,
+ case VHOST_USER_SET_VRING_ADDR:
+ vring_idx = msg->payload.addr.index;
+ break;
++ case VHOST_USER_SET_INFLIGHT_FD:
++ vring_idx = msg->payload.inflight.num_queues - 1;
++ break;
+ default:
+ return 0;
+ }
+--
+cgit v1.2.1
diff --git a/CVE-2022-0669.patch b/CVE-2022-0669.patch
new file mode 100644
index 0000000..26d5bad
--- /dev/null
+++ b/CVE-2022-0669.patch
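Review bot: The new `case VHOST_USER_SET_INFLIGHT_FD:` derives `vring_idx = msg->payload.inflight.num_queues - 1` with no explicit guard for `num_queues == 0`, so the safety of that input rests entirely on the range check against VHOST_MAX_VRING that the commit message describes and that sits after the switch, outside this hunk. If num_queues is an unsigned 16-bit field as upstream, zero yields a value that wraps out of range and should be rejected there, but since that single comparison is all that separates a zero-queue message from an unallocated-queue access it deserves a line at the case label: `/* num_queues == 0 wraps to an out-of-range index; rejected by the VHOST_MAX_VRING check below */`. It is also worth confirming on the 19.11 branch that vhost_user_check_and_alloc_queue_pair runs before the SET_INFLIGHT_FD handler, because the backport only adds the case label and depends on the existing call order for the fix to take effect. The enclosing function starts and ends outside the hunk.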
@@ -0,0 +1,42 @@
+From b7979d39ef4d6ad0d78bd66e07168401391c34fa Mon Sep 17 00:00:00 2001
+From: David Marchand
+Date: Tue, 18 Jan 2022 15:53:30 +0100
+Subject: vhost: fix FD leak with inflight messages
+
+[ upstream commit af74f7db384ed149fe42b21dbd7975f8a54ef227 ]
+
+Even if unlikely, a buggy vhost-user master might attach fds to inflight
+messages. Add checks like for other types of vhost-user messages.
+
+Fixes: d87f1a1cb7b6 ("vhost: support inflight info sharing")
+Cc: stable@dpdk.org
+---
+ lib/librte_vhost/vhost_user.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
+index 79be132c43..af44d1e69c 100644
+--- a/lib/librte_vhost/vhost_user.c
++++ b/lib/librte_vhost/vhost_user.c
+@@ -1441,6 +1441,9 @@ vhost_user_get_inflight_fd(struct virtio_net **pdev,
+ int fd, i, j;
+ void *addr;
+
++ if (validate_msg_fds(msg, 0) != 0)
++ return RTE_VHOST_MSG_RESULT_ERR;
++
+ if (msg->size != sizeof(msg->payload.inflight)) {
+ RTE_LOG(ERR, VHOST_CONFIG,
+ "invalid get_inflight_fd message size is %d\n",
+@@ -1534,6 +1537,9 @@ vhost_user_set_inflight_fd(struct virtio_net **pdev, VhostUserMsg *msg,
+ void *addr;
+ int fd, i;
+
++ if (validate_msg_fds(msg, 1) != 0)
++ return RTE_VHOST_MSG_RESULT_ERR;
++
+ fd = msg->fds[0];
+ if (msg->size != sizeof(msg->payload.inflight) || fd < 0) {
+ RTE_LOG(ERR, VHOST_CONFIG,
+--
+cgit v1.2.1
diff --git a/dpdk.spec b/dpdk.spec
index ef81d6d..6f62331 100644
--- a/dpdk.spec
+++ b/dpdk.spec
@@ -1,6 +1,6 @@
 Name: dpdk
 Version: 19.11
-Release: 16
+Release: 17
 Packager: packaging@6wind.com
 URL: http://dpdk.org
 %global source_version 19.11
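Review bot: In vhost_user_set_inflight_fd the new `validate_msg_fds(msg, 1)` guard only covers the fd-count mismatch; the existing `msg->size`/`fd < 0` check that follows it in the hunk's context logs an error and, from its shape, returns without closing `msg->fds[0]`, so a message carrying exactly one fd with a wrong payload size would still leak the descriptor this fix is about. The hunk cuts that branch off before its return, so confirm on the 19.11 tree whether anything later closes it, and if not add `close(fd);` ahead of the `return RTE_VHOST_MSG_RESULT_ERR;` in that branch. This assumes validate_msg_fds closes the attached fds itself when the count mismatches, as it does for the other message types in this version; the get_inflight_fd side expects zero fds and has nothing to close. Both functions start and end outside the hunk.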
@@ -41,6 +41,8 @@ Patch31: 0015-fix-rte-eal-memory-init-double-unlock.patch
 Patch32: 0016-fix-last-argv-pointer-change-to-first.patch
 Patch33: 0017-fix-internal-cfg-and-fbarray-attach-mememory-leak.patch
 Patch34: 0018-fix-error-that-the-secondary-attach-fails-due-to-detach.patch
+Patch35: CVE-2021-3839.patch
+Patch36: CVE-2022-0669.patch
 
 Summary: Data Plane Development Kit core
 Group: System Environment/Libraries
@@ -190,6 +192,9 @@ strip -g $RPM_BUILD_ROOT/lib/modules/${namer}/extra/dpdk/rte_kni.ko
 /usr/sbin/depmod
 
 %changelog
+* Fri Jun 10 2022 xiusailong - 19.11-17
+- fix CVE-2021-3839 CVE-2022-0669
+
 * Thu Jun 9 2022 xiusailong - 19.11-16
 - support gazelle feature
 
-- 
Gitee
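Review bot: `Patch35` and `Patch36` are declared in the first hunk but the commit touches no %prep line, so the two CVE fixes are only applied if the spec's %prep already uses %autosetup or %autopatch; if it applies patches with explicit `%patchN` lines the new patches would be declared and never applied, and the build would still succeed, which makes this easy to miss. Confirm the %prep section (outside this hunk) and, if it is explicit, add `%patch35` and `%patch36` lines after the last existing one with the same strip level. A smaller point of style: the earlier entries follow a numbered `00NN-description.patch` scheme while these two are named by CVE id only; either is workable, but the series reads more consistently if the CVE id is combined with the existing numbering.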