From b3fb893773ccf067b2c3e09d6e2a27767fb7ff3c Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mon, 16 Jan 2023 04:02:20 -0500 Subject: [PATCH] import dpdk-21.11-2.el8_7 --- ...-discard-too-small-descriptor-chains.patch | 78 +++++++++++++ ...-spanned-across-more-than-two-descri.patch | 106 ++++++++++++++++++ SPECS/dpdk.spec | 10 +- 3 files changed, 191 insertions(+), 3 deletions(-) create mode 100644 SOURCES/0001-vhost-discard-too-small-descriptor-chains.patch create mode 100644 SOURCES/0002-vhost-fix-header-spanned-across-more-than-two-descri.patch diff --git a/SOURCES/0001-vhost-discard-too-small-descriptor-chains.patch b/SOURCES/0001-vhost-discard-too-small-descriptor-chains.patch new file mode 100644 index 0000000..34594b6 --- /dev/null +++ b/SOURCES/0001-vhost-discard-too-small-descriptor-chains.patch @@ -0,0 +1,78 @@ +From f167022606b5ccca27a627ae599538ce2348ef67 Mon Sep 17 00:00:00 2001 +Message-Id: +From: Maxime Coquelin +Date: Thu, 16 Jun 2022 11:35:56 +0200 +Subject: [PATCH 1/2] vhost: discard too small descriptor chains + +[ upstream commit 71bd0cc536ad6d84188d947d6f24c17400d8f623 ] + +This patch discards descriptor chains which are smaller +than the Virtio-net header size, and ones that are equal. + +Indeed, such descriptor chains sizes mean there is no +packet data. + +This patch also has the advantage of requesting the exact +packets sizes for the mbufs. + +CVE-2022-2132 +Fixes: 62250c1d0978 ("vhost: extract split ring handling from Rx and Tx functions") +Fixes: c3ff0ac70acb ("vhost: improve performance by supporting large buffer") +Fixes: 84d5204310d7 ("vhost: support async dequeue for split ring") + +Signed-off-by: Maxime Coquelin +Acked-by: Chenbo Xia +Reviewed-by: David Marchand +--- + lib/vhost/virtio_net.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c +index 858187d1b0..991a7a2bd4 100644 +--- a/lib/vhost/virtio_net.c ++++ b/lib/vhost/virtio_net.c +@@ -2334,10 +2334,10 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq, + buf_addr = buf_vec[vec_idx].buf_addr; + buf_len = buf_vec[vec_idx].buf_len; + +- if (unlikely(buf_len < dev->vhost_hlen && nr_vec <= 1)) { +- error = -1; +- goto out; +- } ++ /* ++ * The caller has checked the descriptors chain is larger than the ++ * header size. ++ */ + + if (virtio_net_with_host_offload(dev)) { + if (unlikely(buf_len < sizeof(struct virtio_net_hdr))) { +@@ -2568,6 +2568,14 @@ virtio_dev_tx_split(struct virtio_net *dev, struct vhost_virtqueue *vq, + + update_shadow_used_ring_split(vq, head_idx, 0); + ++ if (unlikely(buf_len <= dev->vhost_hlen)) { ++ dropped += 1; ++ i++; ++ break; ++ } ++ ++ buf_len -= dev->vhost_hlen; ++ + err = virtio_dev_pktmbuf_prep(dev, pkts[i], buf_len); + if (unlikely(err)) { + /* +@@ -2771,6 +2779,11 @@ vhost_dequeue_single_packed(struct virtio_net *dev, + VHOST_ACCESS_RO) < 0)) + return -1; + ++ if (unlikely(buf_len <= dev->vhost_hlen)) ++ return -1; ++ ++ buf_len -= dev->vhost_hlen; ++ + if (unlikely(virtio_dev_pktmbuf_prep(dev, pkts, buf_len))) { + if (!allocerr_warned) { + VHOST_LOG_DATA(ERR, +-- +2.37.3 + diff --git a/SOURCES/0002-vhost-fix-header-spanned-across-more-than-two-descri.patch b/SOURCES/0002-vhost-fix-header-spanned-across-more-than-two-descri.patch new file mode 100644 index 0000000..f6f5535 --- /dev/null +++ b/SOURCES/0002-vhost-fix-header-spanned-across-more-than-two-descri.patch @@ -0,0 +1,106 @@ +From e12d415556994d0901c317f6338ed2961185465f Mon Sep 17 00:00:00 2001 +Message-Id: +In-Reply-To: +References: +From: Maxime Coquelin +Date: Thu, 16 Jun 2022 14:25:07 +0200 +Subject: [PATCH 2/2] vhost: fix header spanned across more than two + descriptors + +[ upstream commit dc1516e260a0df272b218392faf6db3cbf45e717 ] + +This patch aims at supporting the unlikely case where a +Virtio-net header is spanned across more than two +descriptors. + +CVE-2022-2132 +Fixes: fd68b4739d2c ("vhost: use buffer vectors in dequeue path") + +Signed-off-by: Maxime Coquelin +Acked-by: Chenbo Xia +Reviewed-by: David Marchand +--- + lib/vhost/virtio_net.c | 41 +++++++++++++---------------------------- + 1 file changed, 13 insertions(+), 28 deletions(-) + +diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c +index 991a7a2bd4..bf4d75b4bd 100644 +--- a/lib/vhost/virtio_net.c ++++ b/lib/vhost/virtio_net.c +@@ -2322,25 +2322,22 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq, + uint32_t buf_avail, buf_offset; + uint64_t buf_addr, buf_len; + uint32_t mbuf_avail, mbuf_offset; ++ uint32_t hdr_remain = dev->vhost_hlen; + uint32_t cpy_len; + struct rte_mbuf *cur = m, *prev = m; + struct virtio_net_hdr tmp_hdr; + struct virtio_net_hdr *hdr = NULL; +- /* A counter to avoid desc dead loop chain */ +- uint16_t vec_idx = 0; ++ uint16_t vec_idx; + struct batch_copy_elem *batch_copy = vq->batch_copy_elems; + int error = 0; + +- buf_addr = buf_vec[vec_idx].buf_addr; +- buf_len = buf_vec[vec_idx].buf_len; +- + /* + * The caller has checked the descriptors chain is larger than the + * header size. + */ + + if (virtio_net_with_host_offload(dev)) { +- if (unlikely(buf_len < sizeof(struct virtio_net_hdr))) { ++ if (unlikely(buf_vec[0].buf_len < sizeof(struct virtio_net_hdr))) { + /* + * No luck, the virtio-net header doesn't fit + * in a contiguous virtual area. +@@ -2348,34 +2345,22 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq, + copy_vnet_hdr_from_desc(&tmp_hdr, buf_vec); + hdr = &tmp_hdr; + } else { +- hdr = (struct virtio_net_hdr *)((uintptr_t)buf_addr); ++ hdr = (struct virtio_net_hdr *)((uintptr_t)buf_vec[0].buf_addr); + } + } + +- /* +- * A virtio driver normally uses at least 2 desc buffers +- * for Tx: the first for storing the header, and others +- * for storing the data. +- */ +- if (unlikely(buf_len < dev->vhost_hlen)) { +- buf_offset = dev->vhost_hlen - buf_len; +- vec_idx++; +- buf_addr = buf_vec[vec_idx].buf_addr; +- buf_len = buf_vec[vec_idx].buf_len; +- buf_avail = buf_len - buf_offset; +- } else if (buf_len == dev->vhost_hlen) { +- if (unlikely(++vec_idx >= nr_vec)) +- goto out; +- buf_addr = buf_vec[vec_idx].buf_addr; +- buf_len = buf_vec[vec_idx].buf_len; ++ for (vec_idx = 0; vec_idx < nr_vec; vec_idx++) { ++ if (buf_vec[vec_idx].buf_len > hdr_remain) ++ break; + +- buf_offset = 0; +- buf_avail = buf_len; +- } else { +- buf_offset = dev->vhost_hlen; +- buf_avail = buf_vec[vec_idx].buf_len - dev->vhost_hlen; ++ hdr_remain -= buf_vec[vec_idx].buf_len; + } + ++ buf_addr = buf_vec[vec_idx].buf_addr; ++ buf_len = buf_vec[vec_idx].buf_len; ++ buf_offset = hdr_remain; ++ buf_avail = buf_vec[vec_idx].buf_len - hdr_remain; ++ + PRINT_PACKET(dev, + (uintptr_t)(buf_addr + buf_offset), + (uint32_t)buf_avail, 0); +-- +2.37.3 + diff --git a/SPECS/dpdk.spec b/SPECS/dpdk.spec index 2a38ee2..b7567d1 100644 --- a/SPECS/dpdk.spec +++ b/SPECS/dpdk.spec @@ -9,7 +9,7 @@ #% define shortcommit0 %(c=%{commit0}; echo ${c:0:7}) %define ver 21.11 -%define rel 1 +%define rel 2 %define srcname dpdk @@ -26,8 +26,9 @@ Source: http://fast.dpdk.org/rel/dpdk-%{ver}.tar.xz # Only needed for creating snapshot tarballs, not used in build itself Source100: dpdk-snapshot.sh -# Patches only in dpdk package - +# CVE-2022-2132 +Patch1: 0001-vhost-discard-too-small-descriptor-chains.patch +Patch2: 0002-vhost-fix-header-spanned-across-more-than-two-descri.patch Summary: Set of libraries and drivers for fast packet processing @@ -340,6 +341,9 @@ rm -rf %{docdir}/html/.doctrees %endif %changelog +* Wed Oct 26 2022 Timothy Redaelli - 21.11-2 +- Backport fixes for CVE-2022-2132 (#2107171) + * Tue Nov 23 2021 David Marchand - 21.11-1 - Rebase to 21.11 (#2029497)