From patchwork Thu Oct 26 19:54:51 2023
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1855971
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][J/L/M][PATCH 1/1] vringh: don't use vringh_kiov_advance() in vringh_iov_xfer()
Date: Thu, 26 Oct 2023 15:54:51 -0400
Message-Id: <20231026195451.32587-2-yuxuan.luo@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20231026195451.32587-1-yuxuan.luo@canonical.com>
References: <20231026195451.32587-1-yuxuan.luo@canonical.com>
List-Id: Kernel team discussions
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team"

From: Stefano Garzarella

In the while loop of vringh_iov_xfer(), `partlen` could be 0 if one of
the `iov` has 0 length. In this case, we should skip the iov and go to
the next one. But calling vringh_kiov_advance() with 0 length does not
cause the advancement, since it returns immediately if asked to advance
by 0 bytes.

Let's restore the code that was there before commit b8c06ad4d67d
("vringh: implement vringh_kiov_advance()"), avoiding using
vringh_kiov_advance().

Fixes: b8c06ad4d67d ("vringh: implement vringh_kiov_advance()")
Cc: stable@vger.kernel.org
Reported-by: Jason Wang
Signed-off-by: Stefano Garzarella
Acked-by: Jason Wang
Signed-off-by: David S. Miller
(cherry picked from commit 7aed44babc7f97e82b38e9a68515e699692cc100)
CVE-2023-5158
Signed-off-by: Yuxuan Luo
---
 drivers/vhost/vringh.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/drivers/vhost/vringh.c b/drivers/vhost/vringh.c
index 786876af0a73a..13b75213ebaae 100644
--- a/drivers/vhost/vringh.c
+++ b/drivers/vhost/vringh.c
@@ -123,8 +123,18 @@ static inline ssize_t vringh_iov_xfer(struct vringh *vrh, done += partlen; len -= partlen; ptr += partlen; + iov->consumed += partlen; + iov->iov[iov->i].iov_len -= partlen; + iov->iov[iov->i].iov_base += partlen; - vringh_kiov_advance(iov, partlen); + if (!iov->iov[iov->i].iov_len) { + /* Fix up old iov element then increment. */ + iov->iov[iov->i].iov_len = iov->consumed; + iov->iov[iov->i].iov_base -= iov->consumed; + + iov->consumed = 0; + iov->i++; + } } return done; }
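Review bot: the inlined block starting at `+		iov->consumed += partlen;` is a verbatim copy of the per-element body of vringh_kiov_advance(), and nothing in the hunk records why the helper is deliberately not called; a later cleanup that "deduplicates" this back into `vringh_kiov_advance(iov, partlen)` would silently reintroduce CVE-2023-5158. Suggest a one-line comment above the added block, e.g. `/* Not vringh_kiov_advance(): it returns early for 0 bytes, but a 0-length iov element still has to be consumed. */`, so the intent survives the cherry-pick into the J/L/M trees. Secondly, `+			iov->i++;` is unguarded within the hunk: it is only safe if the enclosing loop condition (outside the shown context) re-checks `iov->i` against `iov->used` before the next `iov->iov[iov->i]` dereference, which is worth confirming when reviewing the backport rather than assuming from the upstream diff.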
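As an added example, not part of this patch or of the kernel sources: a userspace C model of the vringh_iov_xfer() loop that pushes the same descriptor chain through the pre-fix path (calling a model of vringh_kiov_advance()) and through the fixed inline path from the hunk. The loop header `while (len && iov->i < iov->used)` and the helper body are reproduced from upstream drivers/vhost/vringh.c and are not visible on this page; the `_m`-suffixed struct names, the `MAX_STEPS` guard (so the stalled loop returns instead of spinning) and the "ab" / empty / "cd" chain are constructed for the demonstration. The point it makes concrete is that a zero-length element is enough to stop the pre-fix loop from making progress, and that element lengths come from the ring's producer, not from the host.

```c
/* Userspace model of the vringh_iov_xfer() loop with and without the fix.
 * Constructed example, not kernel code. The loop header
 * "while (len && iov->i < iov->used)" follows upstream vringh.c and is
 * not shown in the hunk above. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_STEPS 1000 /* guard so the unfixed loop stops instead of spinning */

struct kvec_m { char *iov_base; size_t iov_len; }; /* char * instead of the kernel's void * */
struct kiov_m { struct kvec_m *iov; size_t consumed; size_t i, used; };

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/* Model of vringh_kiov_advance() from b8c06ad4d67d: the "while (len && ...)"
 * header means a request to advance by 0 bytes does nothing at all. */
static void kiov_advance(struct kiov_m *iov, size_t len)
{
	while (len && iov->i < iov->used) {
		size_t partlen = min_sz(iov->iov[iov->i].iov_len, len);

		iov->consumed += partlen;
		iov->iov[iov->i].iov_len -= partlen;
		iov->iov[iov->i].iov_base += partlen;
		if (!iov->iov[iov->i].iov_len) {
			iov->iov[iov->i].iov_len = iov->consumed;
			iov->iov[iov->i].iov_base -= iov->consumed;
			iov->consumed = 0;
			iov->i++;
		}
		len -= partlen;
	}
}

/* The xfer loop. fixed == 0 calls the helper (pre-fix); fixed != 0 inlines
 * the advance exactly as the hunk does. Returns bytes copied, or -1 if the
 * step guard tripped, i.e. the loop made no progress. */
static long iov_xfer_model(struct kiov_m *iov, char *dst, size_t len, int fixed)
{
	long done = 0;
	int steps = 0;

	while (len && iov->i < iov->used) {
		size_t partlen = min_sz(iov->iov[iov->i].iov_len, len);

		if (++steps > MAX_STEPS)
			return -1;
		memcpy(dst, iov->iov[iov->i].iov_base, partlen);
		done += (long)partlen;
		len -= partlen;
		dst += partlen;

		if (!fixed) {
			kiov_advance(iov, partlen); /* no-op when partlen == 0 */
			continue;
		}
		iov->consumed += partlen;
		iov->iov[iov->i].iov_len -= partlen;
		iov->iov[iov->i].iov_base += partlen;
		if (!iov->iov[iov->i].iov_len) {
			/* Fix up old iov element then increment. */
			iov->iov[iov->i].iov_len = iov->consumed;
			iov->iov[iov->i].iov_base -= iov->consumed;
			iov->consumed = 0;
			iov->i++;
		}
	}
	return done;
}

/* Constructed chain: "ab", a zero-length element, "cd". */
static long run_model(int fixed, char *out, size_t outlen)
{
	static char a[] = "ab", b[] = "", c[] = "cd";
	struct kvec_m vec[3] = { { a, 2 }, { b, 0 }, { c, 2 } };
	struct kiov_m iov = { vec, 0, 0, 3 };

	memset(out, 0, outlen);
	return iov_xfer_model(&iov, out, outlen - 1, fixed);
}

/* Pre-fix: the loop stalls on the empty element; the guard returns -1. */
long demo_before(void)
{
	char out[8];
	return run_model(0, out, sizeof out);
}

/* Post-fix: all 4 bytes cross the empty element; returns 1 on success. */
int demo_after(void)
{
	char out[8];
	long n = run_model(1, out, sizeof out);
	return n == 4 && strcmp(out, "abcd") == 0;
}

int main(void)
{
	printf("before fix: %ld (-1 = stalled on zero-length iov)\n", demo_before());
	printf("after fix:  %s\n", demo_after() ? "copied \"abcd\"" : "FAILED");
	return 0;
}
```

Without the guard the pre-fix path is an unbounded loop: `partlen` is 0 on the empty element, so `len` never shrinks and `iov->i` never moves. The fixed path reaches the `if (!iov->iov[iov->i].iov_len)` branch with `consumed == 0`, restores the element unchanged and steps past it, which is the behaviour the commit message asks for.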