dpdk/CVE-2021-3839.patch

From 4c40d30d2bc8a35b81d1d386e6674acee49acded Mon Sep 17 00:00:00 2001
From: Chenbo Xia <chenbo.xia@intel.com>
Date: Mon, 14 Feb 2022 16:32:37 +0800
Subject: vhost: fix queue number check when setting inflight FD

[ upstream commit 6442c329b9d2ded0f44b27d2016aaba8ba5844c5 ]

In function vhost_user_set_inflight_fd, queue number in inflight
message is used to access virtqueue. However, queue number could
be larger than VHOST_MAX_VRING and cause write OOB as this number
will be used to write inflight info in virtqueue structure. This
patch checks the queue number to avoid the issue and also make
sure virtqueues are allocated before setting inflight information.

Fixes: ad0a4ae491fe ("vhost: checkout resubmit inflight information")

Reported-by: Wenxiang Qian <leonwxqian@gmail.com>
Signed-off-by: Chenbo Xia <chenbo.xia@intel.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
---
 lib/vhost/vhost_user.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/vhost/vhost_user.c b/lib/vhost/vhost_user.c
index 850ac49169..d4b0ec7358 100644
--- a/lib/vhost/vhost_user.c
+++ b/lib/vhost/vhost_user.c
@@ -2876,6 +2876,9 @@ vhost_user_check_and_alloc_queue_pair(struct virtio_net *dev,
 	case VHOST_USER_SET_VRING_ADDR:
 		vring_idx = msg->payload.addr.index;
 		break;
+	case VHOST_USER_SET_INFLIGHT_FD:
+		vring_idx = msg->payload.inflight.num_queues - 1;
+		break;
 	default:
 		return 0;
 	}
-- 
cgit v1.2.1