Dear users, All versions of DPDK's Vhost-user library are vulnerable to out-of-bound accesses initiated by a buggy or malicious guest.
This vulnerability has been assigned CVE-2018-1059. Users are strongly encouraged to upgrade to the latest releases: - v16.11.6 (LTS): https://fast.dpdk.org/rel/dpdk-16.11.6.tar.xz - v17.08.2: https://fast.dpdk.org/rel/dpdk-17.08.2.tar.xz - v17.11.2 (LTS): https://fast.dpdk.org/rel/dpdk-17.11.2.tar.xz - v18.02.1: https://fast.dpdk.org/rel/dpdk-18.02.1.tar.xz Starting DPDK v17.11, rte_vhost_gpa_to_vva() API was introduced for external Vhost backends to be able to translate guest's physical addresses to Vhost process's virtual addresses. This API is now marked as deprecated, and users must replace its use with the new rte_vhost_va_from_guest_pa() API. This new API takes an extra length parameter that must be checked properly. Patches fixing this vulnerability will soon be posted to the dev mailing-list for upstream master, and to the stable mailing-list for stable branches. Kind regards, Maxime
