fix CVE-2021-3839 CVE-2022-0669

(cherry picked from commit 75a45a00311d6d5a090f737f4684537785e39877)

CVE-2021-3839.patch

@@ -0,0 +1,40 @@
+From aef547884b8a64c0754b4b7906ae9d7c912b8043 Mon Sep 17 00:00:00 2001
+From: Chenbo Xia <chenbo.xia@intel.com>
+Date: Mon, 14 Feb 2022 16:32:37 +0800
+Subject: vhost: fix queue number check when setting inflight FD
+
+[ upstream commit 6442c329b9d2ded0f44b27d2016aaba8ba5844c5 ]
+
+In function vhost_user_set_inflight_fd, queue number in inflight
+message is used to access virtqueue. However, queue number could
+be larger than VHOST_MAX_VRING and cause write OOB as this number
+will be used to write inflight info in virtqueue structure. This
+patch checks the queue number to avoid the issue and also make
+sure virtqueues are allocated before setting inflight information.
+
+Fixes: ad0a4ae491fe ("vhost: checkout resubmit inflight information")
+Cc: stable@dpdk.org
+
+Reported-by: Wenxiang Qian <leonwxqian@gmail.com>
+Signed-off-by: Chenbo Xia <chenbo.xia@intel.com>
+Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
+---
+ lib/librte_vhost/vhost_user.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
+index 1ee6050ac0..79be132c43 100644
+--- a/lib/librte_vhost/vhost_user.c
++++ b/lib/librte_vhost/vhost_user.c
+@@ -2624,6 +2624,9 @@ vhost_user_check_and_alloc_queue_pair(struct virtio_net *dev,
+ 	case VHOST_USER_SET_VRING_ADDR:
+ 		vring_idx = msg->payload.addr.index;
+ 		break;
++	case VHOST_USER_SET_INFLIGHT_FD:
++		vring_idx = msg->payload.inflight.num_queues - 1;
++		break;
+ 	default:
+ 		return 0;
+ 	}
+-- 
+cgit v1.2.1

CVE-2022-0669.patch

@@ -0,0 +1,42 @@
+From b7979d39ef4d6ad0d78bd66e07168401391c34fa Mon Sep 17 00:00:00 2001
+From: David Marchand <david.marchand@redhat.com>
+Date: Tue, 18 Jan 2022 15:53:30 +0100
+Subject: vhost: fix FD leak with inflight messages
+
+[ upstream commit af74f7db384ed149fe42b21dbd7975f8a54ef227 ]
+
+Even if unlikely, a buggy vhost-user master might attach fds to inflight
+messages. Add checks like for other types of vhost-user messages.
+
+Fixes: d87f1a1cb7b6 ("vhost: support inflight info sharing")
+Cc: stable@dpdk.org
+---
+ lib/librte_vhost/vhost_user.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
+index 79be132c43..af44d1e69c 100644
+--- a/lib/librte_vhost/vhost_user.c
++++ b/lib/librte_vhost/vhost_user.c
+@@ -1441,6 +1441,9 @@ vhost_user_get_inflight_fd(struct virtio_net **pdev,
+ 	int fd, i, j;
+ 	void *addr;
+ 
++	if (validate_msg_fds(msg, 0) != 0)
++		return RTE_VHOST_MSG_RESULT_ERR;
++
+ 	if (msg->size != sizeof(msg->payload.inflight)) {
+ 		RTE_LOG(ERR, VHOST_CONFIG,
+ 			"invalid get_inflight_fd message size is %d\n",
+@@ -1534,6 +1537,9 @@ vhost_user_set_inflight_fd(struct virtio_net **pdev, VhostUserMsg *msg,
+ 	void *addr;
+ 	int fd, i;
+ 
++	if (validate_msg_fds(msg, 1) != 0)
++		return RTE_VHOST_MSG_RESULT_ERR;
++
+ 	fd = msg->fds[0];
+ 	if (msg->size != sizeof(msg->payload.inflight) || fd < 0) {
+ 		RTE_LOG(ERR, VHOST_CONFIG,
+-- 
+cgit v1.2.1

dpdk.spec

@@ -1,6 +1,6 @@
 Name: dpdk
 Version: 19.11
-Release: 16
+Release: 17
 Packager: packaging@6wind.com
 URL: http://dpdk.org
 %global source_version  19.11
@@ -41,6 +41,8 @@ Patch31: 0015-fix-rte-eal-memory-init-double-unlock.patch
 Patch32: 0016-fix-last-argv-pointer-change-to-first.patch
 Patch33: 0017-fix-internal-cfg-and-fbarray-attach-mememory-leak.patch
 Patch34: 0018-fix-error-that-the-secondary-attach-fails-due-to-detach.patch
+Patch35: CVE-2021-3839.patch
+Patch36: CVE-2022-0669.patch
 
 Summary: Data Plane Development Kit core
 Group: System Environment/Libraries
@@ -190,6 +192,9 @@ strip -g $RPM_BUILD_ROOT/lib/modules/${namer}/extra/dpdk/rte_kni.ko
 /usr/sbin/depmod
 
 %changelog
+* Fri Jun 10 2022 xiusailong <xiusailong@huawei.com> - 19.11-17
+- fix CVE-2021-3839 CVE-2022-0669
+
 * Thu Jun 9 2022 xiusailong <xiusailong@huawei.com> - 19.11-16
 - support gazelle feature