From eca42c66092b9031711afe215fbc1891ee55f143 Mon Sep 17 00:00:00 2001
From: Jim Harris <james.r.harris@intel.com>
Date: Thu, 31 Jan 2019 20:11:19 -0700
Subject: [PATCH] CHANGELOG: add note on vhost vulnerability

Signed-off-by: Jim Harris <james.r.harris@intel.com>
Change-Id: Id47256ecfc5d774e7d8054423cda32a90f0c4f76

Reviewed-on: https://review.gerrithub.io/c/442929
Chandler-Test-Pool: SPDK Automated Test System <sys_sgsw@intel.com>
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
Reviewed-by: Darek Stojaczyk <dariusz.stojaczyk@intel.com>
Reviewed-by: Tomasz Zawadzki <tomasz.zawadzki@intel.com>
---
 CHANGELOG.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 79de470ba..1c8d8c6e6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -191,6 +191,13 @@ block devices. The module is split into the library (located in lib/ftl) and bde
 
 ### vhost
 
+A security vulnerability has been identified and fixed in the SPDK vhost target.  A malicious
+vhost client (i.e. virtual machine) could carefully construct a circular descriptor chain which
+would result in a partial denial of service in the SPDK vhost target.  These types of descriptor
+chains are now properly detected by the vhost target.  All SPDK vhost users serving untrusted
+vhost clients are strongly recommended to upgrade. (Reported by Dima Stepanov and Evgeny
+Yakovlev.)
+
 Vhost SCSI and Vhost Block devices can now accept multiple connections on the same socket file.
 Each connection (internally called a vhost session) will have access to the same storage, but
 will use different virtqueues, different features and possibly different memory.