From 6b3e0aa1624e47893c67e67900dcec586ebf0d99 Mon Sep 17 00:00:00 2001
From: Maxime Coquelin
Date: Thu, 16 Jan 2020 11:44:27 +0100
Subject: [PATCH] vhost: catch overflow causing mmap of size 0

[ upstream commit c6420a36328b9c6b71770aaa982abacd0e2440b8 ]

This patch catches an overflow that could happen if an invalid region size or page alignment is provided by the guest via the VHOST_USER_SET_MEM_TABLE request.

If the sum of the size to mmap and the alignment overflows uint64_t, then RTE_ALIGN_CEIL(mmap_size, alignment) macro will return 0. This value was passed as is as size argument to mmap().

While kernel handling of mmap() syscall returns an error if size is 0, it is better to catch it earlier and provide a meaningful error log.

Fixes: ec09c280b839 ("vhost: fix mmap not aligned with hugepage size")

Reported-by: Ilja Van Sprundel
Signed-off-by: Maxime Coquelin
Reviewed-by: Tiwei Bie
---
 lib/librte_vhost/vhost_user.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
index b9ecec5ba7..4c58880f8c 100644
--- a/lib/librte_vhost/vhost_user.c
+++ b/lib/librte_vhost/vhost_user.c
@@ -1117,6 +1117,21 @@ vhost_user_set_mem_table(struct virtio_net **pdev, struct VhostUserMsg *msg,
 goto err_mmap;
 }
 mmap_size = RTE_ALIGN_CEIL(mmap_size, alignment);
+ if (mmap_size == 0) {
+ /*
+ * It could happen if initial mmap_size + alignment
+ * overflows the sizeof uint64, which could happen if
+ * either mmap_size or alignment value is wrong.
+ *
+ * mmap() kernel implementation would return an error,
+ * but better catch it before and provide useful info
+ * in the logs.
+ */
+ RTE_LOG(ERR, VHOST_CONFIG, "mmap size (0x%" PRIx64 ") "
+ "or alignment (0x%" PRIx64 ") is invalid\n",
+ reg->size + mmap_offset, alignment);
+ goto err_mmap;
+ }
 populate = (dev->dequeue_zero_copy) ? MAP_POPULATE : 0;
 mmap_addr = mmap(NULL, mmap_size, PROT_READ | PROT_WRITE,