commit 727183c8a94d36d9dfbc7cd6e158776e93a4066d
Author: Chenbo Xia <chenbo.xia>
Date:   Mon Feb 14 16:32:37 2022 +0800

    vhost: fix queue number check when setting inflight FD

    [ upstream commit 6442c329b9d2ded0f44b27d2016aaba8ba5844c5 ]

    In function vhost_user_set_inflight_fd, queue number in inflight
    message is used to access virtqueue. However, queue number could
    be larger than VHOST_MAX_VRING and cause write OOB as this number
    will be used to write inflight info in virtqueue structure. This
    patch checks the queue number to avoid the issue and also make
    sure virtqueues are allocated before setting inflight information.

    Fixes: ad0a4ae491fe ("vhost: checkout resubmit inflight information")
    Cc: stable

    Reported-by: Wenxiang Qian <leonwxqian>
    Signed-off-by: Chenbo Xia <chenbo.xia>
    Reviewed-by: Maxime Coquelin <maxime.coquelin>

commit b953f26898313eefa596bc76213006034237abae
Author: David Marchand <david.marchand>
Date:   Tue Jan 18 15:53:30 2022 +0100

    vhost: fix FD leak with inflight messages

    [ upstream commit af74f7db384ed149fe42b21dbd7975f8a54ef227 ]

    Even if unlikely, a buggy vhost-user master might attach fds to
    inflight messages. Add checks like for other types of vhost-user
    messages.

    Fixes: d87f1a1cb7b6 ("vhost: support inflight info sharing")
    Cc: stable

commit f370310000ba7516fd54811df60a250df745d7ae
Merge: a22f82dd3 f771ef680
Author: Open vSwitch CI <ovs-ci>
Date:   Wed Apr 27 17:59:46 2022 -0400

    Merging upstream branch-2.13

    Commit list:
    f771ef6803 ofproto-dpif-xlate: Clear out vlan flow fields while processing native tunnel. (#393566 2060552)

commit a22f82dd3de9edee25a7208ae735742a6abd2998
Merge: 7093aaf1b 123f0f834
Author: Open vSwitch CI <ovs-ci>
Date:   Tue Apr 26 18:45:36 2022 -0400

    Merging upstream branch-2.13

    Commit list:
    123f0f8346 ofproto-xlate: Fix crash when forwarding packet between legacy_l3 tunnels.
    1011545b5a system-traffic: Fix fragment reassembly with L3 L4 protocol information.

commit 7093aaf1b683ade1151716600d53b1b28481e06b
Merge: a1e511ab9 fdca6491a
Author: Open vSwitch CI <ovs-ci>
Date:   Mon Apr 18 13:50:42 2022 -0400

    Merging upstream branch-2.13

    Commit list:
    fdca6491ae cirrus: Update FreeBSD versions.

commit a1e511ab9fb76440fab03b41920a0312a8a0c852
Merge: 2dcca0604 7c7e87464
Author: Open vSwitch CI <ovs-ci>
Date:   Fri Apr 8 12:14:36 2022 -0400

    Merging upstream branch-2.13

    Commit list:
    7c7e874649 Prepare for 2.13.8.
    3512f8f56a Set release date for 2.13.7.

commit 2dcca06045f5ac26ad7bdb62009620029d499d54
Merge: 25feb8508 6f351968d
Author: Open vSwitch CI <ovs-ci>
Date:   Fri Apr 8 10:00:53 2022 -0400

    Merging upstream branch-2.13

    Commit list:
    6f351968df NEWS: Highlight libopenvswitch API change caused by UB fixes.

commit 25feb85087c7ce16515443ef40913095ce41650e
Merge: c9fd039a8 3f6beb3d5
Author: Open vSwitch CI <ovs-ci>
Date:   Wed Apr 6 10:15:46 2022 -0400

    Merging upstream branch-2.13

    Commit list:
    3f6beb3d50 netdev-offload-tc: Check for ct_state flag combinations that are not offloadable.

commit c9fd039a8d320f664238e368163c1d1258f337eb
Merge: 776326629 6919581c4
Author: Open vSwitch CI <ovs-ci>
Date:   Tue Apr 5 13:22:44 2022 -0400

    Merging upstream branch-2.13

    Commit list:
    6919581c46 dpif-netdev: Fix dp_netdev_get_pmd() function getting correct core_id.
    9746203388 ofproto-dpif-xlate: Fix NULL pointer dereference in xlate_normal().

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: openvswitch2.13 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:4786