[dpdk-dev] thoughts on DPDK after a few days of reading sources

Stephen Hemminger stephen at networkplumber.org
Thu Feb 11 23:48:28 CET 2016


On Wed, 10 Feb 2016 19:05:40 -0800
Seth Arnold <seth.arnold at canonical.com> wrote:

> - ./drivers/net/virtio/virtio_ethdev.c virtio_set_multiple_queues() calls
>   virtio_send_command(), which performs:
>   memcpy(vq->virtio_net_hdr_mz->addr, ctrl, sizeof(struct virtio_pmd_ctrl));
>   This copies a potentially huge amount of uninitialized data into ->addr
>   because the struct virtio_pmd_ctrl ctrl was not zeroed before being
>   passed. How much of this data leaves the system? Does this require a
>   CVE?

This is not really a security issue.
The guest (virtio) has to trust the host to follow the protocol.
If the host is malicious there are far worse things it can do.

In this case, the on-stack variable ctrl is only partially initialized
but only partially used. The hdr part (virtio_net_ctrl_hdr) is fully
initialized, and status is set to 0 in virtio_send_command.

Although partially uninitialized data is copied into a region shared with the host,
only the first part is actually referenced by the ring element:

	vq->vq_ring.desc[head].flags = VRING_DESC_F_NEXT;
	vq->vq_ring.desc[head].addr = vq->virtio_net_hdr_mz->phys_addr;
	vq->vq_ring.desc[head].len = sizeof(struct virtio_net_ctrl_hdr);

Therefore it is not a real problem.
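The distinction the reply draws, between what is copied into the shared region and what the ring descriptor actually exposes to a protocol-following peer, can be modelled in a few lines. The following is an added, self-contained illustration, not DPDK code: the struct layout, the field names, the `send_command` helper and the `STALE` sentinel (which stands in for whatever happened to be on the stack) are all hypothetical. It also shows the defense-in-depth variant, zero-initializing the struct before the copy, so that a peer which ignores the descriptor length sees nothing stale either.

```c
/* Model of a control-queue send: a partially initialised on-stack struct is
 * copied whole into a host-shared region, but the descriptor published to
 * the peer covers only the header. Added example, not DPDK code; all names
 * are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CTRL_DATA_MAX 256
#define STALE 0xAA   /* constructed sentinel standing in for stale stack bytes */

struct ctrl_hdr { uint8_t cls; uint8_t cmd; };   /* analogue of virtio_net_ctrl_hdr */

struct pmd_ctrl {                                 /* analogue of virtio_pmd_ctrl */
    struct ctrl_hdr hdr;
    uint8_t status;
    uint8_t data[CTRL_DATA_MAX];                  /* never written by the sender */
};

struct ring_desc {                                /* analogue of vq_ring.desc[head] */
    const uint8_t *addr;
    uint32_t len;
};

/* The shared memzone the peer can read (analogue of virtio_net_hdr_mz->addr). */
static uint8_t shared_region[sizeof(struct pmd_ctrl)];

/* Fill the struct as the original code does: header and status set, data
 * untouched. zero_first selects the hardened variant (full zeroing first). */
static void prepare_ctrl(struct pmd_ctrl *ctrl, int zero_first) {
    memset(ctrl, STALE, sizeof *ctrl);            /* simulate stale stack contents */
    if (zero_first)
        memset(ctrl, 0, sizeof *ctrl);            /* hardened: nothing stale survives */
    ctrl->hdr.cls = 4;
    ctrl->hdr.cmd = 0;
    ctrl->status = 0;
}

/* Copy the whole struct into shared memory, but publish a descriptor that
 * covers only the header, exactly as the quoted ring setup does. */
static struct ring_desc send_command(const struct pmd_ctrl *ctrl) {
    memcpy(shared_region, ctrl, sizeof *ctrl);
    struct ring_desc d = { shared_region, (uint32_t)sizeof(struct ctrl_hdr) };
    return d;
}

/* Count sentinel bytes visible to a peer. A protocol-following peer reads
 * only desc.len bytes; a peer that ignores the descriptor could read the
 * whole region. */
size_t stale_bytes_exposed(int zero_first, int peer_reads_whole_region) {
    struct pmd_ctrl ctrl;
    prepare_ctrl(&ctrl, zero_first);
    struct ring_desc d = send_command(&ctrl);

    size_t limit = peer_reads_whole_region ? sizeof shared_region : d.len;
    size_t n = 0;
    for (size_t i = 0; i < limit; i++)
        if (d.addr[i] == STALE)
            n++;
    return n;
}

int main(void) {
    printf("stale bytes within descriptor, unzeroed struct: %zu\n", stale_bytes_exposed(0, 0));
    printf("stale bytes in whole region, unzeroed struct:  %zu\n", stale_bytes_exposed(0, 1));
    printf("stale bytes in whole region, zeroed struct:    %zu\n", stale_bytes_exposed(1, 1));
    return 0;
}
```

The first case is the reply's argument: within the bytes the descriptor references there is nothing uninitialized. The second case quantifies what the original question was about, the `data` tail that does reach shared memory even though no descriptor points at it. The third case is the cheap hardening (`struct virtio_pmd_ctrl ctrl = {0};` or an equivalent memset) that removes the tail without changing the protocol.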

