From 9fc3d1245bec49e29013b8120340e87adeaaf11a Mon Sep 17 00:00:00 2001

From: Maxime Coquelin <maxime.coquelin@redhat.com>

Date: Mon, 23 Apr 2018 11:33:42 +0200

Subject: [PATCH 05/11] vhost: add support for non-contiguous indirect descs

 tables

This patch adds support for non-contiguous indirect descriptor

tables in VA space.

When it happens, which is unlikely, a table is allocated and the

non-contiguous content is copied into it.

This issue has been assigned CVE-2018-1059.

Reported-by: Yongji Xie <xieyongji@baidu.com>

Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>

---

 lib/librte_vhost/virtio_net.c | 108 +++++++++++++++++++++++++++++++++++++++---

 1 file changed, 101 insertions(+), 7 deletions(-)

diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c

index 79bac59..13252e6 100644

--- a/lib/librte_vhost/virtio_net.c

+++ b/lib/librte_vhost/virtio_net.c

@@ -46,4 +46,5 @@

 #include <rte_arp.h>

 #include <rte_spinlock.h>

+#include <rte_malloc.h>

 #include "iotlb.h"

@@ -60,4 +61,44 @@

 }

+static __rte_always_inline struct vring_desc *

+alloc_copy_ind_table(struct virtio_net *dev, struct vhost_virtqueue *vq,

+					 struct vring_desc *desc)

+{

+	struct vring_desc *idesc;

+	uint64_t src, dst;

+	uint64_t len, remain = desc->len;

+	uint64_t desc_addr = desc->addr;

+

+	idesc = rte_malloc(__func__, desc->len, 0);

+	if (unlikely(!idesc))

+		return 0;

+

+	dst = (uint64_t)(uintptr_t)idesc;

+

+	while (remain) {

+		len = remain;

+		src = vhost_iova_to_vva(dev, vq, desc_addr, &len,

+				VHOST_ACCESS_RO);

+		if (unlikely(!src || !len)) {

+			rte_free(idesc);

+			return 0;

+		}

+

+		rte_memcpy((void *)(uintptr_t)dst, (void *)(uintptr_t)src, len);

+

+		remain -= len;

+		dst += len;

+		desc_addr += len;

+	}

+

+	return idesc;

+}

+

+static __rte_always_inline void

+free_ind_table(struct vring_desc *idesc)

+{

+	rte_free(idesc);

+}

+

 static __rte_always_inline void

 do_flush_shadow_used_ring(struct virtio_net *dev, struct vhost_virtqueue *vq,

@@ -376,4 +417,5 @@

 	rte_prefetch0(&vq->desc[desc_indexes[0]]);

 	for (i = 0; i < count; i++) {

+		struct vring_desc *idesc = NULL;

 		uint16_t desc_idx = desc_indexes[i];

 		int err;

@@ -385,10 +427,22 @@

 						vq, vq->desc[desc_idx].addr,

 						&dlen, VHOST_ACCESS_RO);

-			if (unlikely(!descs ||

-					dlen != vq->desc[desc_idx].len)) {

+			if (unlikely(!descs)) {

 				count = i;

 				break;

 			}

+			if (unlikely(dlen < vq->desc[desc_idx].len)) {

+				/*

+				 * The indirect desc table is not contiguous

+				 * in process VA space, we have to copy it.

+				 */

+				idesc = alloc_copy_ind_table(dev, vq,

+							&vq->desc[desc_idx]);

+				if (unlikely(!idesc))

+					break;

+

+				descs = idesc;

+			}

+

 			desc_idx = 0;

 			sz = vq->desc[desc_idx].len / sizeof(*descs);

@@ -401,4 +455,5 @@

 		if (unlikely(err)) {

 			count = i;

+			free_ind_table(idesc);

 			break;

 		}

@@ -406,4 +461,7 @@

 		if (i + 1 < count)

 			rte_prefetch0(&vq->desc[desc_indexes[i+1]]);

+

+		if (unlikely(!!idesc))

+			free_ind_table(idesc);

 	}

@@ -446,4 +504,5 @@

 	uint64_t dlen;

 	struct vring_desc *descs = vq->desc;

+	struct vring_desc *idesc = NULL;

 	*desc_chain_head = idx;

@@ -455,13 +514,27 @@

 						&dlen,

 						VHOST_ACCESS_RO);

-		if (unlikely(!descs || dlen != vq->desc[idx].len))

+		if (unlikely(!descs))

 			return -1;

+		if (unlikely(dlen < vq->desc[idx].len)) {

+			/*

+			 * The indirect desc table is not contiguous

+			 * in process VA space, we have to copy it.

+			 */

+			idesc = alloc_copy_ind_table(dev, vq, &vq->desc[idx]);

+			if (unlikely(!idesc))

+				return -1;

+

+			descs = idesc;

+		}

+

 		idx = 0;

 	}

 	while (1) {

-		if (unlikely(vec_id >= BUF_VECTOR_MAX || idx >= vq->size))

+		if (unlikely(vec_id >= BUF_VECTOR_MAX || idx >= vq->size)) {

+			free_ind_table(idesc);

 			return -1;

+		}

 		len += descs[idx].len;

@@ -480,4 +553,7 @@

 	*vec_idx = vec_id;

+	if (unlikely(!!idesc))

+		free_ind_table(idesc);

+

 	return 0;

 }

@@ -1333,5 +1409,5 @@

 	rte_prefetch0(&vq->desc[desc_indexes[0]]);

 	for (i = 0; i < count; i++) {

-		struct vring_desc *desc;

+		struct vring_desc *desc, *idesc = NULL;

 		uint16_t sz, idx;

 		uint64_t dlen;

@@ -1348,8 +1424,20 @@

 						&dlen,

 						VHOST_ACCESS_RO);

-			if (unlikely(!desc ||

-					dlen != vq->desc[desc_indexes[i]].len))

+			if (unlikely(!desc))

 				break;

+			if (unlikely(dlen < vq->desc[desc_indexes[i]].len)) {

+				/*

+				 * The indirect desc table is not contiguous

+				 * in process VA space, we have to copy it.

+				 */

+				idesc = alloc_copy_ind_table(dev, vq,

+						&vq->desc[desc_indexes[i]]);

+				if (unlikely(!idesc))

+					break;

+

+				desc = idesc;

+			}

+

 			rte_prefetch0(desc);

 			sz = vq->desc[desc_indexes[i]].len / sizeof(*desc);

@@ -1365,4 +1453,5 @@

 			RTE_LOG(ERR, VHOST_DATA,

 				"Failed to allocate memory for mbuf.\n");

+			free_ind_table(idesc);

 			break;

 		}

@@ -1372,4 +1461,5 @@

 		if (unlikely(err)) {

 			rte_pktmbuf_free(pkts[i]);

+			free_ind_table(idesc);

 			break;

 		}

@@ -1381,4 +1471,5 @@

 			if (!zmbuf) {

 				rte_pktmbuf_free(pkts[i]);

+				free_ind_table(idesc);

 				break;

 			}

@@ -1397,4 +1488,7 @@

 			TAILQ_INSERT_TAIL(&vq->zmbuf_list, zmbuf, next);

 		}

+

+		if (unlikely(!!idesc))

+			free_ind_table(idesc);

 	}

 	vq->last_avail_idx += i;

-- 

1.8.3.1