[0/9,SRU,X] CVE-2019-3900: vhost DoS
mbox series

Message ID 1565239512-11188-1-git-send-email-tyhicks@canonical.com
Headers show
Series
  • CVE-2019-3900: vhost DoS
Related show

Message

Tyler Hicks Aug. 8, 2019, 4:45 a.m. UTC
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-3900.html

 An infinite loop issue was found in the vhost_net kernel module in
 Linux Kernel up to and including v5.1-rc6, while handling incoming
 packets in handle_rx(). It could occur if one end sends packets faster
 than the other end can process them. A guest user, maybe remote one,
 could use this flaw to stall the vhost_net kernel thread, resulting in
 a DoS scenario.

Fairly involved backports. Build logs are clean. I tested with
netperf's TCP_RR, TCP_SENDFILE, TCP_STREAM, UDP_RR, and UDP_STREAM
tests. The tests were initiated from both the host and the guest to
ensure that the vhost-net connection was stable and that performance was
similar before and after the patches were applied.

Tyler

Jason Wang (6):
  vhost: introduce vhost_vq_avail_empty()
  vhost_net: tx batching
  vhost_net: introduce vhost_exceeds_weight()
  vhost: introduce vhost_exceeds_weight()
  vhost_net: fix possible infinite loop
  vhost: scsi: add weight support

Paolo Abeni (1):
  vhost_net: use packet weight for rx handler, too

Willem de Bruijn (1):
  vhost_net: do not stall on zerocopy depletion

haibinzhang(张海斌) (1):
  vhost-net: set packet weight of tx polling to 2 * vq size

 drivers/vhost/net.c   | 60 ++++++++++++++++++++++++++++++++-------------------
 drivers/vhost/scsi.c  | 14 ++++++++----
 drivers/vhost/vhost.c | 34 ++++++++++++++++++++++++++++-
 drivers/vhost/vhost.h |  7 +++++-
 4 files changed, 87 insertions(+), 28 deletions(-)

Comments

Connor Kuehl Aug. 8, 2019, 8:53 p.m. UTC | #1
On 8/7/19 9:45 PM, Tyler Hicks wrote:
> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-3900.html
> 
>  An infinite loop issue was found in the vhost_net kernel module in
>  Linux Kernel up to and including v5.1-rc6, while handling incoming
>  packets in handle_rx(). It could occur if one end sends packets faster
>  than the other end can process them. A guest user, maybe remote one,
>  could use this flaw to stall the vhost_net kernel thread, resulting in
>  a DoS scenario.
> 
> Fairly involved backports. Build logs are clean. I tested with
> netperf's TCP_RR, TCP_SENDFILE, TCP_STREAM, UDP_RR, and UDP_STREAM
> tests. The tests were initiated from both the host and the guest to
> ensure that the vhost-net connection was stable and that performance was
> similar before and after the patches were applied.
> 
> Tyler
> 
> Jason Wang (6):
>   vhost: introduce vhost_vq_avail_empty()
>   vhost_net: tx batching
>   vhost_net: introduce vhost_exceeds_weight()
>   vhost: introduce vhost_exceeds_weight()
>   vhost_net: fix possible infinite loop
>   vhost: scsi: add weight support
> 
> Paolo Abeni (1):
>   vhost_net: use packet weight for rx handler, too
> 
> Willem de Bruijn (1):
>   vhost_net: do not stall on zerocopy depletion
> 
> haibinzhang(张海斌) (1):
>   vhost-net: set packet weight of tx polling to 2 * vq size
> 
>  drivers/vhost/net.c   | 60 ++++++++++++++++++++++++++++++++-------------------
>  drivers/vhost/scsi.c  | 14 ++++++++----
>  drivers/vhost/vhost.c | 34 ++++++++++++++++++++++++++++-
>  drivers/vhost/vhost.h |  7 +++++-
>  4 files changed, 87 insertions(+), 28 deletions(-)
> 

Acked-by: Connor Kuehl <connor.kuehl@canonical.com>
Stefan Bader Aug. 12, 2019, 2:37 p.m. UTC | #2
On 08.08.19 06:45, Tyler Hicks wrote:
> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-3900.html
> 
>  An infinite loop issue was found in the vhost_net kernel module in
>  Linux Kernel up to and including v5.1-rc6, while handling incoming
>  packets in handle_rx(). It could occur if one end sends packets faster
>  than the other end can process them. A guest user, maybe remote one,
>  could use this flaw to stall the vhost_net kernel thread, resulting in
>  a DoS scenario.
> 
> Fairly involved backports. Build logs are clean. I tested with
> netperf's TCP_RR, TCP_SENDFILE, TCP_STREAM, UDP_RR, and UDP_STREAM
> tests. The tests were initiated from both the host and the guest to
> ensure that the vhost-net connection was stable and that performance was
> similar before and after the patches were applied.
> 
> Tyler
> 
> Jason Wang (6):
>   vhost: introduce vhost_vq_avail_empty()
>   vhost_net: tx batching
>   vhost_net: introduce vhost_exceeds_weight()
>   vhost: introduce vhost_exceeds_weight()
>   vhost_net: fix possible infinite loop
>   vhost: scsi: add weight support
> 
> Paolo Abeni (1):
>   vhost_net: use packet weight for rx handler, too
> 
> Willem de Bruijn (1):
>   vhost_net: do not stall on zerocopy depletion
> 
> haibinzhang(张海斌) (1):
>   vhost-net: set packet weight of tx polling to 2 * vq size
> 
>  drivers/vhost/net.c   | 60 ++++++++++++++++++++++++++++++++-------------------
>  drivers/vhost/scsi.c  | 14 ++++++++----
>  drivers/vhost/vhost.c | 34 ++++++++++++++++++++++++++++-
>  drivers/vhost/vhost.h |  7 +++++-
>  4 files changed, 87 insertions(+), 28 deletions(-)
> 
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Khalid Elmously Aug. 12, 2019, 5:22 p.m. UTC | #3
On 2019-08-08 04:45:03 , Tyler Hicks wrote:
> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-3900.html
> 
>  An infinite loop issue was found in the vhost_net kernel module in
>  Linux Kernel up to and including v5.1-rc6, while handling incoming
>  packets in handle_rx(). It could occur if one end sends packets faster
>  than the other end can process them. A guest user, maybe remote one,
>  could use this flaw to stall the vhost_net kernel thread, resulting in
>  a DoS scenario.
> 
> Fairly involved backports. Build logs are clean. I tested with
> netperf's TCP_RR, TCP_SENDFILE, TCP_STREAM, UDP_RR, and UDP_STREAM
> tests. The tests were initiated from both the host and the guest to
> ensure that the vhost-net connection was stable and that performance was
> similar before and after the patches were applied.
> 
> Tyler
> 
> Jason Wang (6):
>   vhost: introduce vhost_vq_avail_empty()
>   vhost_net: tx batching
>   vhost_net: introduce vhost_exceeds_weight()
>   vhost: introduce vhost_exceeds_weight()
>   vhost_net: fix possible infinite loop
>   vhost: scsi: add weight support
> 
> Paolo Abeni (1):
>   vhost_net: use packet weight for rx handler, too
> 
> Willem de Bruijn (1):
>   vhost_net: do not stall on zerocopy depletion
> 
> haibinzhang(张海斌) (1):
>   vhost-net: set packet weight of tx polling to 2 * vq size
> 
>  drivers/vhost/net.c   | 60 ++++++++++++++++++++++++++++++++-------------------
>  drivers/vhost/scsi.c  | 14 ++++++++----
>  drivers/vhost/vhost.c | 34 ++++++++++++++++++++++++++++-
>  drivers/vhost/vhost.h |  7 +++++-
>  4 files changed, 87 insertions(+), 28 deletions(-)
> 
> -- 
> 2.7.4
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team