Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
vhost: catch overflow causing mmap of size 0
[ upstream commit c6420a3 ]

This patch catches an overflow that could happen if an
invalid region size or page alignment is provided by the
guest via the VHOST_USER_SET_MEM_TABLE request.

If the sum of the size to mmap and the alignment overflows
uint64_t, then RTE_ALIGN_CEIL(mmap_size, alignment) macro
will return 0. This value was passed as is as size argument
to mmap().

While kernel handling of mmap() syscall returns an error
if size is 0, it is better to catch it earlier and provide
a meaningful error log.

Fixes: ec09c28 ("vhost: fix mmap not aligned with hugepage size")

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Reviewed-by: Tiwei Bie <tiwei.bie@intel.com>
  • Loading branch information
mcoquelin authored and kevintraynor committed Feb 14, 2020
1 parent b4cb395 commit 6b3e0aa
Showing 1 changed file with 15 additions and 0 deletions.
15 changes: 15 additions & 0 deletions lib/librte_vhost/vhost_user.c
Expand Up @@ -1117,6 +1117,21 @@ vhost_user_set_mem_table(struct virtio_net **pdev, struct VhostUserMsg *msg,
goto err_mmap;
}
mmap_size = RTE_ALIGN_CEIL(mmap_size, alignment);
if (mmap_size == 0) {
/*
* It could happen if initial mmap_size + alignment
* overflows the sizeof uint64, which could happen if
* either mmap_size or alignment value is wrong.
*
* mmap() kernel implementation would return an error,
* but better catch it before and provide useful info
* in the logs.
*/
RTE_LOG(ERR, VHOST_CONFIG, "mmap size (0x%" PRIx64 ") "
"or alignment (0x%" PRIx64 ") is invalid\n",
reg->size + mmap_offset, alignment);
goto err_mmap;
}

populate = (dev->dequeue_zero_copy) ? MAP_POPULATE : 0;
mmap_addr = mmap(NULL, mmap_size, PROT_READ | PROT_WRITE,
Expand Down

0 comments on commit 6b3e0aa

Please sign in to comment.