[8/9] vhost_net: fix possible infinite loop

Message ID	1565239512-11188-9-git-send-email-tyhicks@canonical.com
State	New
Headers	show Return-Path: <kernel-team-bounces@lists.ubuntu.com> From: Tyler Hicks <tyhicks@canonical.com> To: kernel-team@lists.ubuntu.com Subject: [PATCH 8/9] vhost_net: fix possible infinite loop Date: Thu, 8 Aug 2019 04:45:11 +0000 Message-Id: <1565239512-11188-9-git-send-email-tyhicks@canonical.com> In-Reply-To: <1565239512-11188-1-git-send-email-tyhicks@canonical.com> References: <1565239512-11188-1-git-send-email-tyhicks@canonical.com> Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>
Series	CVE-2019-3900: vhost DoS \| expand [0/9,SRU,X] CVE-2019-3900: vhost DoS [1/9] vhost: introduce vhost_vq_avail_empty() [2/9] vhost_net: tx batching [3/9] vhost_net: do not stall on zerocopy depletion [4/9] vhost-net: set packet weight of tx polling to 2 * vq size [5/9] vhost_net: use packet weight for rx handler, too [6/9] vhost_net: introduce vhost_exceeds_weight() [7/9] vhost: introduce vhost_exceeds_weight() [8/9] vhost_net: fix possible infinite loop [9/9] vhost: scsi: add weight support

Message ID

1565239512-11188-9-git-send-email-tyhicks@canonical.com

State

New

Headers

From: Tyler Hicks <tyhicks@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 8/9] vhost_net: fix possible infinite loop
Date: Thu,  8 Aug 2019 04:45:11 +0000
Message-Id: <1565239512-11188-9-git-send-email-tyhicks@canonical.com>
In-Reply-To: <1565239512-11188-1-git-send-email-tyhicks@canonical.com>
References: <1565239512-11188-1-git-send-email-tyhicks@canonical.com>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

Series

CVE-2019-3900: vhost DoS | expand

Commit Message

Tyler Hicks Aug. 8, 2019, 4:45 a.m. UTC

From: Jason Wang <jasowang@redhat.com>

When the rx buffer is too small for a packet, we will discard the vq
descriptor and retry it for the next packet:

while ((sock_len = vhost_net_rx_peek_head_len(net, sock->sk,
					      &busyloop_intr))) {
...
	/* On overrun, truncate and discard */
	if (unlikely(headcount > UIO_MAXIOV)) {
		iov_iter_init(&msg.msg_iter, READ, vq->iov, 1, 1);
		err = sock->ops->recvmsg(sock, &msg,
					 1, MSG_DONTWAIT | MSG_TRUNC);
		pr_debug("Discarded rx packet: len %zd\n", sock_len);
		continue;
	}
...
}

This makes it possible to trigger a infinite while..continue loop
through the co-opreation of two VMs like:

1) Malicious VM1 allocate 1 byte rx buffer and try to slow down the
   vhost process as much as possible e.g using indirect descriptors or
   other.
2) Malicious VM2 generate packets to VM1 as fast as possible

Fixing this by checking against weight at the end of RX and TX
loop. This also eliminate other similar cases when:

- userspace is consuming the packets in the meanwhile
- theoretical TOCTOU attack if guest moving avail index back and forth
  to hit the continue after vhost find guest just add new buffers

This addresses CVE-2019-3900.

Fixes: d8316f3991d20 ("vhost: fix total length when packets are too short")
Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server")
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

CVE-2019-3900

(backported from commit e2412c07f8f3040593dfb88207865a3cd58680c0)
[tyhicks: Backport to Xenial:
 - Adjust handle_tx() instead of handle_tx_{copy,zerocopy}() due to
   missing commit 0d20bdf34dc7 ("vhost_net: split out datacopy logic")
 - Minor context adjustments due to a lack of missing the iov_limit
   member of the vhost_dev struct which was added later in commit
   b46a0bf78ad7 ("vhost: fix OOB in get_rx_bufs()")
 - handle_rx() still uses peek_head_len() due to missing and unneeded commit
   030881372460 ("vhost_net: basic polling support")
 - Context adjustment in call to vhost_log_write() in hunk #3 of net.c due to
   missing and unneeded commit cc5e71075947 ("vhost: log dirty page correctly")
 - Context adjustment in hunk #4 due to using break instead of goto out
 - Context adjustment in hunk #5 due to missing and unneeded commit
   c67df11f6e48 ("vhost_net: try batch dequing from skb array")]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
---
 drivers/vhost/net.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index 2b73e1d0776b..1ba2c21f0fcb 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -335,7 +335,7 @@  static void handle_tx(struct vhost_net *net)
 	hdr_size = nvq->vhost_hlen;
 	zcopy = nvq->ubufs;
 
-	for (;;) {
+	do {
 		/* Release DMAs done buffers first */
 		if (zcopy)
 			vhost_zerocopy_signal_used(net, vq);
@@ -425,10 +425,7 @@  static void handle_tx(struct vhost_net *net)
 		else
 			vhost_zerocopy_signal_used(net, vq);
 		vhost_net_tx_packet(net);
-		if (unlikely(vhost_exceeds_weight(vq, ++sent_pkts,
-						  total_len)))
-			break;
-	}
+	} while (likely(!vhost_exceeds_weight(vq, ++sent_pkts, total_len)));
 out:
 	mutex_unlock(&vq->mutex);
 }
@@ -570,7 +567,11 @@  static void handle_rx(struct vhost_net *net)
 		vq->log : NULL;
 	mergeable = vhost_has_feature(vq, VIRTIO_NET_F_MRG_RXBUF);
 
-	while ((sock_len = peek_head_len(sock->sk))) {
+	do {
+		sock_len = peek_head_len(sock->sk);
+
+		if (!sock_len)
+			break;
 		sock_len += sock_hlen;
 		vhost_len = sock_len + vhost_hlen;
 		headcount = get_rx_bufs(vq, vq->heads, vhost_len,
@@ -648,9 +649,8 @@  static void handle_rx(struct vhost_net *net)
 		if (unlikely(vq_log))
 			vhost_log_write(vq, vq_log, log, vhost_len);
 		total_len += vhost_len;
-		if (unlikely(vhost_exceeds_weight(vq, ++recv_pkts, total_len)))
-			break;
-	}
+	} while (likely(!vhost_exceeds_weight(vq, ++recv_pkts, total_len)));
+
 out:
 	mutex_unlock(&vq->mutex);
 }
@@ -720,7 +720,7 @@  static int vhost_net_open(struct inode *inode, struct file *f)
 		n->vqs[i].sock_hlen = 0;
 	}
 	vhost_dev_init(dev, vqs, VHOST_NET_VQ_MAX,
-		       VHOST_NET_WEIGHT, VHOST_NET_PKT_WEIGHT);
+		       VHOST_NET_PKT_WEIGHT, VHOST_NET_WEIGHT);
 
 	vhost_poll_init(n->poll + VHOST_NET_VQ_TX, handle_tx_net, POLLOUT, dev);
 	vhost_poll_init(n->poll + VHOST_NET_VQ_RX, handle_rx_net, POLLIN, dev);

[8/9] vhost_net: fix possible infinite loop

Commit Message

Patch