[PATCH] net/virtio: fix Rx checksum calculation
Maxime Coquelin
maxime.coquelin at redhat.com
Wed Dec 18 09:59:05 CET 2024
Hi,
On 12/18/24 08:34, Wangyunjian(wangyunjian,TongTu) wrote:
>> -----Original Message-----
>> From: Maxime Coquelin [mailto:maxime.coquelin at redhat.com]
>> Sent: Tuesday, December 17, 2024 11:33 PM
>> To: dev at dpdk.org
>> Cc: Olivier Matz <olivier.matz at 6wind.com>; Maxime Gouin
>> <maxime.gouin at 6wind.com>; Maxime Coquelin
>> <maxime.coquelin at redhat.com>
>> Subject: [PATCH] net/virtio: fix Rx checksum calculation
>>
>> From: Olivier Matz <olivier.matz at 6wind.com>
>>
>> If hdr->csum_start is larger than packet length, the len argument passed
>> to rte_raw_cksum_mbuf() overflows and causes a segmentation fault.
>>
>> Ignore checksum computation in this case.
>>
>> CVE-2024-11614
>>
>> Fixes: ca7036b4af3a ("vhost: fix offload flags in Rx path")
>>
>> Signed-off-by: Maxime Gouin <maxime.gouin at 6wind.com>
>> Signed-off-by: Olivier Matz <olivier.matz at 6wind.com>
>> Reviewed-by: Maxime Coquelin <maxime.coquelin at redhat.com>
>> ---
>> lib/vhost/virtio_net.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c
>> index d764d4bc6a..69901ab3b5 100644
>> --- a/lib/vhost/virtio_net.c
>> +++ b/lib/vhost/virtio_net.c
>> @@ -2823,6 +2823,9 @@ vhost_dequeue_offload(struct virtio_net *dev,
>> struct virtio_net_hdr *hdr,
>> */
>> uint16_t csum = 0, off;
>>
>> + if (hdr->csum_start >= rte_pktmbuf_pkt_len(m))
>> + return;
>> +
>
> The hdr->csum_start does two successive reads from user space to read
> a variable-length data structure. The result overflows if the data structure
> changes between the two reads.
>
> We can prevent double fetch issue by using the temporary variable csum_start.
Right, that's a good catch! The exploitation of this issue seems
difficult though.
We may systematically copy the full header, as we only do it for ones
not contiguous in host VA space.
What do you think? Are you willing to contribute a fix?
Thanks,
Maxime
>
> Thanks,
> Yunjian
>
>> if (rte_raw_cksum_mbuf(m, hdr->csum_start,
>> rte_pktmbuf_pkt_len(m) - hdr->csum_start, &csum) <
>> 0)
>> return;
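Review bot: the guard added at the top of this hunk reads hdr->csum_start, and the rte_raw_cksum_mbuf() call in the trailing context reads it again twice (once for the offset, once in `rte_pktmbuf_pkt_len(m) - hdr->csum_start`), so when hdr points into memory the guest can still write, a value changed between the reads passes the check and the length argument still wraps; this is the double fetch raised in the reply. Read the field once into a local (`uint16_t csum_start = hdr->csum_start;`) and use that local both in the comparison and in the rte_raw_cksum_mbuf() arguments, or copy the whole header before validating it, as the reply suggests.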
>> --
>> 2.47.0
>
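The double fetch discussed above, shown as an added example in C that is not DPDK code and not from this thread: the shape of the patch as posted (guard and use each re-read the shared field) is placed beside the single-fetch variant suggested in the reply. The mbuf and header structs, the racing-guest model and the 60-byte packet are constructed stand-ins, and `raw_cksum_mbuf()` only mimics the role of rte_raw_cksum_mbuf(), with a wrap-safe range check that reports rather than reads out of bounds.

```c
#include <stdint.h>
#include <string.h>
/* Constructed stand-ins for the page's types; not DPDK's own definitions. */
struct mbuf_sim { const uint8_t *data; uint32_t pkt_len; };

/* Model of a guest racing the host: the first read of csum_start from shared
 * memory returns 'first', every later read returns 'later' (equal = no race). */
struct racing_hdr { uint16_t first, later; int reads; };
static uint16_t fetch_csum_start(struct racing_hdr *h) { return h->reads++ ? h->later : h->first; }

/* Stand-in for rte_raw_cksum_mbuf(): a wrap-safe range check returns -2 to flag that an
 * out-of-range (off, len) pair reached the code that touches memory; else stores the cksum. */
static int raw_cksum_mbuf(const struct mbuf_sim *m, uint32_t off, uint32_t len, uint16_t *csum)
{
    if (off > m->pkt_len || len > m->pkt_len - off) return -2;
    uint32_t sum = 0;                      /* 16-bit ones'-complement sum of pkt[off, off+len) */
    for (uint32_t i = 0; i < len; i += 2)
        sum += ((uint32_t)m->data[off + i] << 8) | (i + 1 < len ? m->data[off + i + 1] : 0);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    *csum = (uint16_t)~sum;
    return 0;
}

/* Shape of the patch as posted: guard and use each re-read the shared field, so a
 * value changed between the reads passes the guard and 'pkt_len - start' wraps. */
static int offload_double_fetch(struct racing_hdr *h, const struct mbuf_sim *m, uint16_t *csum)
{
    if (fetch_csum_start(h) >= m->pkt_len) return -1;   /* read #1: checked */
    uint16_t start = fetch_csum_start(h);                 /* read #2: used   */
    return raw_cksum_mbuf(m, start, m->pkt_len - start, csum);
}

/* Single-fetch variant suggested in the thread: one read into a local, used for both. */
static int offload_single_fetch(struct racing_hdr *h, const struct mbuf_sim *m, uint16_t *csum)
{
    uint16_t start = fetch_csum_start(h);
    if (start >= m->pkt_len) return -1;
    return raw_cksum_mbuf(m, start, m->pkt_len - start, csum);
}

/* One scenario on a constructed 60-byte packet of 0x01 bytes: returns the checksum
 * (0xE8E8 from offset 14) on success, else -1 (guard skipped) or -2 (bad range). */
long run_case(uint16_t first, uint16_t later, int single_fetch)
{
    uint8_t pkt[60]; memset(pkt, 0x01, sizeof pkt); uint16_t csum = 0;
    struct mbuf_sim m = { pkt, sizeof pkt }; struct racing_hdr h = { first, later, 0 };
    int rc = single_fetch ? offload_single_fetch(&h, &m, &csum) : offload_double_fetch(&h, &m, &csum);
    return rc < 0 ? rc : csum;
}
```

With a racing guest (14 on the first read, 0xFFFF afterwards) the double-fetch path hands a wrapped length to the checksum routine, while the single-fetch path checksums from offset 14 as intended.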