From 6462e135a2b466af2545fbbbc069e8e40418bd36 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jan 16 2023 09:01:13 +0000 Subject: import dpdk-18.11.8-2.el7_9 --- diff --git a/SOURCES/0001-vhost-discard-too-small-descriptor-chains.patch b/SOURCES/0001-vhost-discard-too-small-descriptor-chains.patch new file mode 100644 index 0000000..4631ff2 --- /dev/null +++ b/SOURCES/0001-vhost-discard-too-small-descriptor-chains.patch @@ -0,0 +1,98 @@ +From bec1c5fe59fd82a1d932aece65c919cd46325d89 Mon Sep 17 00:00:00 2001 +From: Maxime Coquelin +Date: Thu, 16 Jun 2022 11:35:56 +0200 +Subject: [PATCH v2 1/2] vhost: discard too small descriptor chains + +This patch discards descriptor chains which are smaller +than the Virtio-net header size, and ones that are equal. + +Indeed, such descriptor chains sizes mean there is no +packet data. + +This patch also has the advantage of requesting the exact +packets sizes for the mbufs. + +CVE-2022-2132 +Fixes: 62250c1d0978 ("vhost: extract split ring handling from Rx and Tx functions") +Cc: stable@dpdk.org + +Signed-off-by: Maxime Coquelin +--- + lib/librte_vhost/virtio_net.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c +index ebeec8fd18..7da440de28 100644 +--- a/lib/librte_vhost/virtio_net.c ++++ b/lib/librte_vhost/virtio_net.c +@@ -1112,10 +1112,10 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq, + buf_iova = buf_vec[vec_idx].buf_iova; + buf_len = buf_vec[vec_idx].buf_len; + +- if (unlikely(buf_len < dev->vhost_hlen && nr_vec <= 1)) { +- error = -1; +- goto out; +- } ++ /* ++ * The caller has checked the descriptors chain is larger than the ++ * header size. ++ */ + + if (virtio_net_with_host_offload(dev)) { + if (unlikely(buf_len < sizeof(struct virtio_net_hdr))) { +@@ -1350,20 +1350,23 @@ virtio_dev_tx_split(struct virtio_net *dev, struct vhost_virtqueue *vq, + for (i = 0; i < count; i++) { + struct buf_vector buf_vec[BUF_VECTOR_MAX]; + uint16_t head_idx; +- uint32_t dummy_len; ++ uint32_t buf_len; + uint16_t nr_vec = 0; + int err; + + if (unlikely(fill_vec_buf_split(dev, vq, + vq->last_avail_idx + i, + &nr_vec, buf_vec, +- &head_idx, &dummy_len, ++ &head_idx, &buf_len, + VHOST_ACCESS_RO) < 0)) + break; + + if (likely(dev->dequeue_zero_copy == 0)) + update_shadow_used_ring_split(vq, head_idx, 0); + ++ if (unlikely(buf_len <= dev->vhost_hlen)) ++ break; ++ + pkts[i] = rte_pktmbuf_alloc(mbuf_pool); + if (unlikely(pkts[i] == NULL)) { + RTE_LOG(ERR, VHOST_DATA, +@@ -1460,14 +1463,14 @@ virtio_dev_tx_packed(struct virtio_net *dev, struct vhost_virtqueue *vq, + for (i = 0; i < count; i++) { + struct buf_vector buf_vec[BUF_VECTOR_MAX]; + uint16_t buf_id; +- uint32_t dummy_len; ++ uint32_t buf_len; + uint16_t desc_count, nr_vec = 0; + int err; + + if (unlikely(fill_vec_buf_packed(dev, vq, + vq->last_avail_idx, &desc_count, + buf_vec, &nr_vec, +- &buf_id, &dummy_len, ++ &buf_id, &buf_len, + VHOST_ACCESS_RO) < 0)) + break; + +@@ -1475,6 +1478,9 @@ virtio_dev_tx_packed(struct virtio_net *dev, struct vhost_virtqueue *vq, + update_shadow_used_ring_packed(vq, buf_id, 0, + desc_count); + ++ if (unlikely(buf_len <= dev->vhost_hlen)) ++ break; ++ + pkts[i] = rte_pktmbuf_alloc(mbuf_pool); + if (unlikely(pkts[i] == NULL)) { + RTE_LOG(ERR, VHOST_DATA, +-- +2.37.1 + diff --git a/SOURCES/0002-vhost-fix-header-spanned-across-more-than-two-descri.patch b/SOURCES/0002-vhost-fix-header-spanned-across-more-than-two-descri.patch new file mode 100644 index 0000000..fe2fea9 --- /dev/null +++ b/SOURCES/0002-vhost-fix-header-spanned-across-more-than-two-descri.patch @@ -0,0 +1,104 @@ +From 735c29eebe2a0757f19bf8b3ba67977e9320c24a Mon Sep 17 00:00:00 2001 +From: Maxime Coquelin +Date: Thu, 16 Jun 2022 14:25:07 +0200 +Subject: [PATCH v2 2/2] vhost: fix header spanned across more than two + descriptors + +This patch aims at supporting the unlikely case where a +Virtio-net header is spanned across more than two +descriptors. + +CVE-2022-2132 +Fixes: fd68b4739d2c ("vhost: use buffer vectors in dequeue path") +Cc: stable@dpdk.org + +Signed-off-by: Maxime Coquelin +--- + lib/librte_vhost/virtio_net.c | 45 +++++++++++------------------------ + 1 file changed, 14 insertions(+), 31 deletions(-) + +diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c +index 7da440de28..bd664c88c1 100644 +--- a/lib/librte_vhost/virtio_net.c ++++ b/lib/librte_vhost/virtio_net.c +@@ -1099,26 +1099,22 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq, + uint32_t buf_avail, buf_offset; + uint64_t buf_addr, buf_iova, buf_len; + uint32_t mbuf_avail, mbuf_offset; ++ uint32_t hdr_remain = dev->vhost_hlen; + uint32_t cpy_len; + struct rte_mbuf *cur = m, *prev = m; + struct virtio_net_hdr tmp_hdr; + struct virtio_net_hdr *hdr = NULL; +- /* A counter to avoid desc dead loop chain */ +- uint16_t vec_idx = 0; ++ uint16_t vec_idx; + struct batch_copy_elem *batch_copy = vq->batch_copy_elems; + int error = 0; + +- buf_addr = buf_vec[vec_idx].buf_addr; +- buf_iova = buf_vec[vec_idx].buf_iova; +- buf_len = buf_vec[vec_idx].buf_len; +- + /* + * The caller has checked the descriptors chain is larger than the + * header size. + */ + + if (virtio_net_with_host_offload(dev)) { +- if (unlikely(buf_len < sizeof(struct virtio_net_hdr))) { ++ if (unlikely(buf_vec[0].buf_len < sizeof(struct virtio_net_hdr))) { + /* + * No luck, the virtio-net header doesn't fit + * in a contiguous virtual area. +@@ -1126,36 +1122,23 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq, + copy_vnet_hdr_from_desc(&tmp_hdr, buf_vec); + hdr = &tmp_hdr; + } else { +- hdr = (struct virtio_net_hdr *)((uintptr_t)buf_addr); ++ hdr = (struct virtio_net_hdr *)((uintptr_t)buf_vec[0].buf_addr); + } + } + +- /* +- * A virtio driver normally uses at least 2 desc buffers +- * for Tx: the first for storing the header, and others +- * for storing the data. +- */ +- if (unlikely(buf_len < dev->vhost_hlen)) { +- buf_offset = dev->vhost_hlen - buf_len; +- vec_idx++; +- buf_addr = buf_vec[vec_idx].buf_addr; +- buf_iova = buf_vec[vec_idx].buf_iova; +- buf_len = buf_vec[vec_idx].buf_len; +- buf_avail = buf_len - buf_offset; +- } else if (buf_len == dev->vhost_hlen) { +- if (unlikely(++vec_idx >= nr_vec)) +- goto out; +- buf_addr = buf_vec[vec_idx].buf_addr; +- buf_iova = buf_vec[vec_idx].buf_iova; +- buf_len = buf_vec[vec_idx].buf_len; ++ for (vec_idx = 0; vec_idx < nr_vec; vec_idx++) { ++ if (buf_vec[vec_idx].buf_len > hdr_remain) ++ break; + +- buf_offset = 0; +- buf_avail = buf_len; +- } else { +- buf_offset = dev->vhost_hlen; +- buf_avail = buf_vec[vec_idx].buf_len - dev->vhost_hlen; ++ hdr_remain -= buf_vec[vec_idx].buf_len; + } + ++ buf_addr = buf_vec[vec_idx].buf_addr; ++ buf_iova = buf_vec[vec_idx].buf_iova; ++ buf_len = buf_vec[vec_idx].buf_len; ++ buf_offset = hdr_remain; ++ buf_avail = buf_vec[vec_idx].buf_len - hdr_remain; ++ + PRINT_PACKET(dev, + (uintptr_t)(buf_addr + buf_offset), + (uint32_t)buf_avail, 0); +-- +2.37.1 + diff --git a/SPECS/dpdk.spec b/SPECS/dpdk.spec index df2ebc9..7504a7a 100644 --- a/SPECS/dpdk.spec +++ b/SPECS/dpdk.spec @@ -9,7 +9,7 @@ #% define shortcommit0 %(c=%{commit0}; echo ${c:0:7}) %define ver 18.11.8 -%define rel 1 +%define rel 2 %define srcname dpdk-stable @@ -48,6 +48,10 @@ Patch1031: 0001-net-i40e-re-program-promiscuous-mode-on-VF-interface.patch # Bug #1726579 Patch1040: 0001-vhost-add-device-op-when-notification-to-guest-is-se.patch +# CVE-2022-2132 +Patch50: 0001-vhost-discard-too-small-descriptor-chains.patch +Patch51: 0002-vhost-fix-header-spanned-across-more-than-two-descri.patch + Summary: Set of libraries and drivers for fast packet processing # @@ -287,6 +291,9 @@ sed -i -e 's:-%{machine_tmpl}-:-%{machine}-:g' %{buildroot}/%{_sysconfdir}/profi %endif %changelog +* Wed Oct 26 2022 Timothy Redaelli - 18.11.8-2 +- Backport fixes for CVE-2022-2132 (#2107166) + * Wed May 20 2020 Timothy Redaelli - 18.11.8-1 - Updated to DPDK 18.11.8 (#1836829, #1837025)