• Jason Wang's avatar
    vhost: fix OOB in get_rx_bufs() · b46a0bf7
    Jason Wang authored
    After batched used ring updating was introduced in commit e2b3b35e
    ("vhost_net: batch used ring update in rx"). We tend to batch heads in
    vq->heads for more than one packet. But the quota passed to
    get_rx_bufs() was not correctly limited, which can result a OOB write
    in vq->heads.
    
            headcount = get_rx_bufs(vq, vq->heads + nvq->done_idx,
                        vhost_len, &in, vq_log, &log,
                        likely(mergeable) ? UIO_MAXIOV : 1);
    
    UIO_MAXIOV was still used which is wrong since we could have batched
    used in vq->heads, this will cause OOB if the next buffer needs more
    than 960 (1024 (UIO_MAXIOV) - 64 (VHOST_NET_BATCH)) heads after we've
    batched 64 (VHOST_NET_BATCH) heads:
    Acked-by: default avatarStefan Hajnoczi <stefanha@redhat.com>
    
    =============================================================================
    BUG kmalloc-8k (Tainted: G    B            ): Redzone overwritten
    -----------------------------------------------------------------------------
    
    INFO: 0x00000000fd93b7a2-0x00000000f0713384. First byte 0xa9 instead of 0xcc
    INFO: Allocated in alloc_pd+0x22/0x60 age=3933677 cpu=2 pid=2674
        kmem_cache_alloc_trace+0xbb/0x140
        alloc_pd+0x22/0x60
        gen8_ppgtt_create+0x11d/0x5f0
        i915_ppgtt_create+0x16/0x80
        i915_gem_create_context+0x248/0x390
        i915_gem_context_create_ioctl+0x4b/0xe0
        drm_ioctl_kernel+0xa5/0xf0
        drm_ioctl+0x2ed/0x3a0
        do_vfs_ioctl+0x9f/0x620
        ksys_ioctl+0x6b/0x80
        __x64_sys_ioctl+0x11/0x20
        do_syscall_64+0x43/0xf0
        entry_SYSCALL_64_after_hwframe+0x44/0xa9
    INFO: Slab 0x00000000d13e87af objects=3 used=3 fp=0x          (null) flags=0x200000000010201
    INFO: Object 0x0000000003278802 @offset=17064 fp=0x00000000e2e6652b
    
    Fixing this by allocating UIO_MAXIOV + VHOST_NET_BATCH iovs for
    vhost-net. This is done through set the limitation through
    vhost_dev_init(), then set_owner can allocate the number of iov in a
    per device manner.
    
    This fixes CVE-2018-16880.
    
    Fixes: e2b3b35e ("vhost_net: batch used ring update in rx")
    Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    b46a0bf7
vhost.h 8.49 KB