fix CVE-2021-3839 CVE-2022-0669

CVE-2021-3839.patch

@@ -0,0 +1,39 @@
+From 4c40d30d2bc8a35b81d1d386e6674acee49acded Mon Sep 17 00:00:00 2001
+From: Chenbo Xia <chenbo.xia@intel.com>
+Date: Mon, 14 Feb 2022 16:32:37 +0800
+Subject: vhost: fix queue number check when setting inflight FD
+
+[ upstream commit 6442c329b9d2ded0f44b27d2016aaba8ba5844c5 ]
+
+In function vhost_user_set_inflight_fd, queue number in inflight
+message is used to access virtqueue. However, queue number could
+be larger than VHOST_MAX_VRING and cause write OOB as this number
+will be used to write inflight info in virtqueue structure. This
+patch checks the queue number to avoid the issue and also make
+sure virtqueues are allocated before setting inflight information.
+
+Fixes: ad0a4ae491fe ("vhost: checkout resubmit inflight information")
+
+Reported-by: Wenxiang Qian <leonwxqian@gmail.com>
+Signed-off-by: Chenbo Xia <chenbo.xia@intel.com>
+Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
+---
+ lib/vhost/vhost_user.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/vhost/vhost_user.c b/lib/vhost/vhost_user.c
+index 850ac49169..d4b0ec7358 100644
+--- a/lib/vhost/vhost_user.c
++++ b/lib/vhost/vhost_user.c
+@@ -2876,6 +2876,9 @@ vhost_user_check_and_alloc_queue_pair(struct virtio_net *dev,
+ 	case VHOST_USER_SET_VRING_ADDR:
+ 		vring_idx = msg->payload.addr.index;
+ 		break;
++	case VHOST_USER_SET_INFLIGHT_FD:
++		vring_idx = msg->payload.inflight.num_queues - 1;
++		break;
+ 	default:
+ 		return 0;
+ 	}
+-- 
+cgit v1.2.1

CVE-2022-0669.patch

@@ -0,0 +1,44 @@
+From 6cb68162e4b598b7c0747372fa3fcec9cddd19b8 Mon Sep 17 00:00:00 2001
+From: David Marchand <david.marchand@redhat.com>
+Date: Tue, 18 Jan 2022 15:53:30 +0100
+Subject: vhost: fix FD leak with inflight messages
+
+[ upstream commit af74f7db384ed149fe42b21dbd7975f8a54ef227 ]
+
+Even if unlikely, a buggy vhost-user master might attach fds to inflight
+messages. Add checks like for other types of vhost-user messages.
+
+Fixes: d87f1a1cb7b6 ("vhost: support inflight info sharing")
+
+Signed-off-by: David Marchand <david.marchand@redhat.com>
+Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
+---
+ lib/vhost/vhost_user.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/vhost/vhost_user.c b/lib/vhost/vhost_user.c
+index d4b0ec7358..9a266b5d42 100644
+--- a/lib/vhost/vhost_user.c
++++ b/lib/vhost/vhost_user.c
+@@ -1600,6 +1600,9 @@ vhost_user_get_inflight_fd(struct virtio_net **pdev,
+ 	int numa_node = SOCKET_ID_ANY;
+ 	void *addr;
+ 
++	if (validate_msg_fds(msg, 0) != 0)
++		return RTE_VHOST_MSG_RESULT_ERR;
++
+ 	if (msg->size != sizeof(msg->payload.inflight)) {
+ 		VHOST_LOG_CONFIG(ERR,
+ 			"invalid get_inflight_fd message size is %d\n",
+@@ -1701,6 +1704,9 @@ vhost_user_set_inflight_fd(struct virtio_net **pdev, VhostUserMsg *msg,
+ 	int fd, i;
+ 	int numa_node = SOCKET_ID_ANY;
+ 
++	if (validate_msg_fds(msg, 1) != 0)
++		return RTE_VHOST_MSG_RESULT_ERR;
++
+ 	fd = msg->fds[0];
+ 	if (msg->size != sizeof(msg->payload.inflight) || fd < 0) {
+ 		VHOST_LOG_CONFIG(ERR,
+-- 
+cgit v1.2.1

dpdk.spec

@@ -1,6 +1,6 @@
 Name: dpdk
 Version: 21.11
-Release: 10
+Release: 11
 Packager: packaging@6wind.com
 URL: http://dpdk.org
 %global source_version  21.11
@@ -92,6 +92,10 @@ Patch9083:    0083-net-hns3-remove-unnecessary-RSS-switch.patch
 Patch9084:    0084-app-testpmd-check-statistics-query-before-printing.patch
 Patch9085:    0085-app-testpmd-fix-MTU-verification.patch
 
+Patch6001:    CVE-2021-3839.patch
+Patch6002:    CVE-2022-0669.patch
+
+
 Summary: Data Plane Development Kit core
 Group: System Environment/Libraries
 License: BSD and LGPLv2 and GPLv2
@@ -209,6 +213,9 @@ strip -g $RPM_BUILD_ROOT/lib/modules/%{kern_devel_ver}/extra/dpdk/igb_uio.ko
 /usr/sbin/depmod
 
 %changelog
+* Fri Jun 10 2022 xiusailong <xiusailong@huawei.com> - 21.11-11
+- fix CVE-2021-3839 CVE-2022-0669
+
 * Tue May 17 2022 Min Hu(Connor) <humin29@huawei.com> - 21.11-10
 - sync patches from 22.03.