import dpdk-21.11-2.el8_7

2023-01-16 04:02:20 -05:00 · 2023-01-16 04:02:20 -05:00 · b3fb893773
commit b3fb893773
parent 1cde36c233
3 changed files with 191 additions and 3 deletions
--- a/SOURCES/0001-vhost-discard-too-small-descriptor-chains.patch
+++ b/SOURCES/0001-vhost-discard-too-small-descriptor-chains.patch
@ -0,0 +1,78 @@
+From f167022606b5ccca27a627ae599538ce2348ef67 Mon Sep 17 00:00:00 2001
+Message-Id: <f167022606b5ccca27a627ae599538ce2348ef67.1666780268.git.tredaelli@redhat.com>
+From: Maxime Coquelin <maxime.coquelin@redhat.com>
+Date: Thu, 16 Jun 2022 11:35:56 +0200
+Subject: [PATCH 1/2] vhost: discard too small descriptor chains
+
+[ upstream commit 71bd0cc536ad6d84188d947d6f24c17400d8f623 ]
+
+This patch discards descriptor chains which are smaller
+than the Virtio-net header size, and ones that are equal.
+
+Indeed, such descriptor chains sizes mean there is no
+packet data.
+
+This patch also has the advantage of requesting the exact
+packets sizes for the mbufs.
+
+CVE-2022-2132
+Fixes: 62250c1d0978 ("vhost: extract split ring handling from Rx and Tx functions")
+Fixes: c3ff0ac70acb ("vhost: improve performance by supporting large buffer")
+Fixes: 84d5204310d7 ("vhost: support async dequeue for split ring")
+
+Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
+Acked-by: Chenbo Xia <chenbo.xia@intel.com>
+Reviewed-by: David Marchand <david.marchand@redhat.com>
+---
+ lib/vhost/virtio_net.c | 21 +++++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c
+index 858187d1b0..991a7a2bd4 100644
+--- a/lib/vhost/virtio_net.c
+++ b/lib/vhost/virtio_net.c
+@@ -2334,10 +2334,10 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
+ 	buf_addr = buf_vec[vec_idx].buf_addr;
+ 	buf_len = buf_vec[vec_idx].buf_len;
+ 
+-	if (unlikely(buf_len < dev->vhost_hlen && nr_vec <= 1)) {
+-		error = -1;
+-		goto out;
+-	}
+	/*
+	 * The caller has checked the descriptors chain is larger than the
+	 * header size.
+	 */
+ 
+ 	if (virtio_net_with_host_offload(dev)) {
+ 		if (unlikely(buf_len < sizeof(struct virtio_net_hdr))) {
+@@ -2568,6 +2568,14 @@ virtio_dev_tx_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
+ 
+ 		update_shadow_used_ring_split(vq, head_idx, 0);
+ 
+		if (unlikely(buf_len <= dev->vhost_hlen)) {
+			dropped += 1;
+			i++;
+			break;
+		}
+
+		buf_len -= dev->vhost_hlen;
+
+ 		err = virtio_dev_pktmbuf_prep(dev, pkts[i], buf_len);
+ 		if (unlikely(err)) {
+ 			/*
+@@ -2771,6 +2779,11 @@ vhost_dequeue_single_packed(struct virtio_net *dev,
+ 					 VHOST_ACCESS_RO) < 0))
+ 		return -1;
+ 
+	if (unlikely(buf_len <= dev->vhost_hlen))
+		return -1;
+
+	buf_len -= dev->vhost_hlen;
+
+ 	if (unlikely(virtio_dev_pktmbuf_prep(dev, pkts, buf_len))) {
+ 		if (!allocerr_warned) {
+ 			VHOST_LOG_DATA(ERR,
+-- 
+2.37.3
+
--- a/SOURCES/0002-vhost-fix-header-spanned-across-more-than-two-descri.patch
+++ b/SOURCES/0002-vhost-fix-header-spanned-across-more-than-two-descri.patch
@ -0,0 +1,106 @@
+From e12d415556994d0901c317f6338ed2961185465f Mon Sep 17 00:00:00 2001
+Message-Id: <e12d415556994d0901c317f6338ed2961185465f.1666780268.git.tredaelli@redhat.com>
+In-Reply-To: <f167022606b5ccca27a627ae599538ce2348ef67.1666780268.git.tredaelli@redhat.com>
+References: <f167022606b5ccca27a627ae599538ce2348ef67.1666780268.git.tredaelli@redhat.com>
+From: Maxime Coquelin <maxime.coquelin@redhat.com>
+Date: Thu, 16 Jun 2022 14:25:07 +0200
+Subject: [PATCH 2/2] vhost: fix header spanned across more than two
+ descriptors
+
+[ upstream commit dc1516e260a0df272b218392faf6db3cbf45e717 ]
+
+This patch aims at supporting the unlikely case where a
+Virtio-net header is spanned across more than two
+descriptors.
+
+CVE-2022-2132
+Fixes: fd68b4739d2c ("vhost: use buffer vectors in dequeue path")
+
+Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
+Acked-by: Chenbo Xia <chenbo.xia@intel.com>
+Reviewed-by: David Marchand <david.marchand@redhat.com>
+---
+ lib/vhost/virtio_net.c | 41 +++++++++++++----------------------------
+ 1 file changed, 13 insertions(+), 28 deletions(-)
+
+diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c
+index 991a7a2bd4..bf4d75b4bd 100644
+--- a/lib/vhost/virtio_net.c
+++ b/lib/vhost/virtio_net.c
+@@ -2322,25 +2322,22 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
+ 	uint32_t buf_avail, buf_offset;
+ 	uint64_t buf_addr, buf_len;
+ 	uint32_t mbuf_avail, mbuf_offset;
+	uint32_t hdr_remain = dev->vhost_hlen;
+ 	uint32_t cpy_len;
+ 	struct rte_mbuf *cur = m, *prev = m;
+ 	struct virtio_net_hdr tmp_hdr;
+ 	struct virtio_net_hdr *hdr = NULL;
+-	/* A counter to avoid desc dead loop chain */
+-	uint16_t vec_idx = 0;
+	uint16_t vec_idx;
+ 	struct batch_copy_elem *batch_copy = vq->batch_copy_elems;
+ 	int error = 0;
+ 
+-	buf_addr = buf_vec[vec_idx].buf_addr;
+-	buf_len = buf_vec[vec_idx].buf_len;
+-
+ 	/*
+ 	 * The caller has checked the descriptors chain is larger than the
+ 	 * header size.
+ 	 */
+ 
+ 	if (virtio_net_with_host_offload(dev)) {
+-		if (unlikely(buf_len < sizeof(struct virtio_net_hdr))) {
+		if (unlikely(buf_vec[0].buf_len < sizeof(struct virtio_net_hdr))) {
+ 			/*
+ 			 * No luck, the virtio-net header doesn't fit
+ 			 * in a contiguous virtual area.
+@@ -2348,34 +2345,22 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
+ 			copy_vnet_hdr_from_desc(&tmp_hdr, buf_vec);
+ 			hdr = &tmp_hdr;
+ 		} else {
+-			hdr = (struct virtio_net_hdr *)((uintptr_t)buf_addr);
+			hdr = (struct virtio_net_hdr *)((uintptr_t)buf_vec[0].buf_addr);
+ 		}
+ 	}
+ 
+-	/*
+-	 * A virtio driver normally uses at least 2 desc buffers
+-	 * for Tx: the first for storing the header, and others
+-	 * for storing the data.
+-	 */
+-	if (unlikely(buf_len < dev->vhost_hlen)) {
+-		buf_offset = dev->vhost_hlen - buf_len;
+-		vec_idx++;
+-		buf_addr = buf_vec[vec_idx].buf_addr;
+-		buf_len = buf_vec[vec_idx].buf_len;
+-		buf_avail  = buf_len - buf_offset;
+-	} else if (buf_len == dev->vhost_hlen) {
+-		if (unlikely(++vec_idx >= nr_vec))
+-			goto out;
+-		buf_addr = buf_vec[vec_idx].buf_addr;
+-		buf_len = buf_vec[vec_idx].buf_len;
+	for (vec_idx = 0; vec_idx < nr_vec; vec_idx++) {
+		if (buf_vec[vec_idx].buf_len > hdr_remain)
+			break;
+ 
+-		buf_offset = 0;
+-		buf_avail = buf_len;
+-	} else {
+-		buf_offset = dev->vhost_hlen;
+-		buf_avail = buf_vec[vec_idx].buf_len - dev->vhost_hlen;
+		hdr_remain -= buf_vec[vec_idx].buf_len;
+ 	}
+ 
+	buf_addr = buf_vec[vec_idx].buf_addr;
+	buf_len = buf_vec[vec_idx].buf_len;
+	buf_offset = hdr_remain;
+	buf_avail = buf_vec[vec_idx].buf_len - hdr_remain;
+
+ 	PRINT_PACKET(dev,
+ 			(uintptr_t)(buf_addr + buf_offset),
+ 			(uint32_t)buf_avail, 0);
+-- 
+2.37.3
+
--- a/SPECS/dpdk.spec
+++ b/SPECS/dpdk.spec
@ -9,7 +9,7 @@
 #% define shortcommit0 %(c=%{commit0}; echo ${c:0:7})

 %define ver 21.11
-%define rel 1
+%define rel 2

 %define srcname dpdk

@ -26,8 +26,9 @@ Source: http://fast.dpdk.org/rel/dpdk-%{ver}.tar.xz
 # Only needed for creating snapshot tarballs, not used in build itself
 Source100: dpdk-snapshot.sh

-# Patches only in dpdk package
-
+# CVE-2022-2132
+Patch1: 0001-vhost-discard-too-small-descriptor-chains.patch
+Patch2: 0002-vhost-fix-header-spanned-across-more-than-two-descri.patch

 Summary: Set of libraries and drivers for fast packet processing

@ -340,6 +341,9 @@ rm -rf %{docdir}/html/.doctrees
 %endif

 %changelog
+* Wed Oct 26 2022 Timothy Redaelli <tredaelli@redhat.com> - 21.11-2
+- Backport fixes for CVE-2022-2132 (#2107171)
+
 * Tue Nov 23 2021 David Marchand <david.marchand@redhat.com> - 21.11-1
 - Rebase to 21.11 (#2029497)