Patchwork [3.5.y.z,extended,stable] Patch "vhost/net: fix heads usage of ubuf_info" has been added to staging queue

login
register
mail settings
Submitter Luis Henriques
Date March 21, 2013, 12:51 p.m.
Message ID <1363870317-19582-1-git-send-email-luis.henriques@canonical.com>
Download mbox | patch
Permalink /patch/229665/
State New
Headers show

Comments

Luis Henriques - March 21, 2013, 12:51 p.m.
This is a note to let you know that I have just added a patch titled

    vhost/net: fix heads usage of ubuf_info

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Luis

------

From 103a1dfc6f64fa5929d9e0980334ecfbd3a4cf40 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Sun, 17 Mar 2013 02:46:09 +0000
Subject: [PATCH] vhost/net: fix heads usage of ubuf_info

commit 46aa92d1ba162b4b3d6b7102440e459d4e4ee255 upstream.

ubuf info allocator uses guest controlled head as an index,
so a malicious guest could put the same head entry in the ring twice,
and we will get two callbacks on the same value.
To fix use upend_idx which is guaranteed to be unique.

Reported-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Luis Henriques <luis.henriques@canonical.com>
---
 drivers/vhost/net.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--
1.8.1.2

Patch

diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index 3c4dcc3d9..f2e8236 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -235,7 +235,8 @@  static void handle_tx(struct vhost_net *net)
 				msg.msg_controllen = 0;
 				ubufs = NULL;
 			} else {
-				struct ubuf_info *ubuf = &vq->ubuf_info[head];
+				struct ubuf_info *ubuf;
+				ubuf = vq->ubuf_info + vq->upend_idx;

 				vq->heads[vq->upend_idx].len = len;
 				ubuf->callback = vhost_zerocopy_callback;