DPDK patches and discussions
* [dpdk-dev] [Bug 724] Guest causes DPDK to read out of bounds
@ 2021-06-01 11:17 bugzilla
  0 siblings, 0 replies; only message in thread
From: bugzilla @ 2021-06-01 11:17 UTC (permalink / raw)
  To: dev

https://bugs.dpdk.org/show_bug.cgi?id=724

            Bug ID: 724
           Summary: Guest causes DPDK to read out of bounds
           Product: DPDK
           Version: 20.11
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: Normal
         Component: vhost/virtio
          Assignee: dev@dpdk.org
          Reporter: cheng1.jiang@intel.com
  Target Milestone: ---

Report From: dsfasd daf <coolboy43433@gmail.com>
Report Date: Thu, 11 Mar 2021 10:24:24 +0000

Report:


Hi,
I am Clark, a security researcher on the Tencent Blade Team. I recently discovered
several security vulnerabilities in DPDK, as follows:

1. 
Code:
        examples/vhost/virtio_net.c 
                vs_enqueue_pkts()
                        desc_indexes[i] = vr->avail->ring[used_idx];
                        ...
                        uint16_t desc_idx = desc_indexes[i];
                        err = enqueue_pkt(dev, vr, pkts[i], desc_idx);

                enqueue_pkt(struct vhost_dev *dev, struct rte_vhost_vring *vr,
                            struct rte_mbuf *m, uint16_t desc_idx) {
                        ...
                        desc = &vr->desc[desc_idx];
                }
description:
        The value of desc_indexes[i] = vr->avail->ring[used_idx] can be fully
controlled by the guest, which causes an out-of-bounds write in the
enqueue_pkt function.
harm:
        Guest causes DPDK to write out of bounds
patch suggestions:
        vs_enqueue_pkts() {
                ...
        +       if (vr->avail->ring[used_idx] >= vr->size)
        +               return 0;
                desc_indexes[i] = vr->avail->ring[used_idx];
                ...
        }
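Review bot: the check and the assignment each read vr->avail->ring[used_idx] from guest-shared memory, so a guest that rewrites the slot between the two reads passes the check and still supplies an out-of-range index to enqueue_pkt(). Read the slot once into a local (`uint16_t desc_idx = vr->avail->ring[used_idx];`), compare that local against vr->size, and assign the same local to desc_indexes[i]. Also, `return 0;` from inside the loop abandons the whole batch, including packets already prepared in this pass; say whether that is intended or whether the loop should break and return the count processed so far.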

2. 
Code:
        examples/vhost/virtio_net.c 
                vs_dequeue_pkts()
                        desc_indexes[i] = vr->avail->ring[avail_idx];
                        dequeue_pkt(dev, vr, pkts[i], desc_indexes[i], mbuf_pool);
                dequeue_pkt(struct vhost_dev *dev, struct rte_vhost_vring *vr,
                            struct rte_mbuf *m, uint16_t desc_idx,
                            struct rte_mempool *mbuf_pool) {
                        desc = &vr->desc[desc_idx];
                }
description:
        The value of desc_indexes[i] = vr->avail->ring[avail_idx] can be fully
controlled by the guest, which causes an out-of-bounds read in the
dequeue_pkt function.
harm:
        Guest causes DPDK to read out of bounds
patch suggestions:
        vs_dequeue_pkts() {
                ...
        +       if (vr->avail->ring[used_idx] >= vr->size)
        +               return 0;
                desc_indexes[i] = vr->avail->ring[avail_idx];
                ...
        }
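Review bot: the added check indexes the ring with used_idx, but the assignment it guards reads ring[avail_idx], so it validates a different slot than the one consumed; the check must use avail_idx. The same single-read point as in the enqueue fix applies: read ring[avail_idx] once into a local, validate the local, and store it into desc_indexes[i], otherwise a guest can change the slot between the check and the assignment.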

3. 
Code:
        examples/vhost_blk/vhost_blk.c
                vq_get_desc_idx()
                        desc_idx = vq->vring.avail->ring[last_avail_idx];
                process_vq()
                        desc_idx = vq_get_desc_idx(vq);
                        task = &vq->tasks[desc_idx];
                        ...
                        process_blk_task(task);
description:
        The value of desc_idx = vq->vring.avail->ring[last_avail_idx] can be
fully controlled by the guest; process_blk_task(task) then causes an
out-of-bounds read and write.
harm:
        Guest causes DPDK to read and write out of bounds
patch suggestions:
        process_vq() {
                desc_idx = vq_get_desc_idx(vq);
        +       if (desc_idx >= vq->vring.size)
                        return;
                task = &vq->tasks[desc_idx];
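Review bot: only the `if` line carries a `+` marker while `return;` is shown as existing context, which as written would make process_vq() return unconditionally; mark the `return;` line as added too. The bound vq->vring.size is correct only if vq->tasks is allocated with exactly that many entries; the snippet does not show the allocation, so confirm it before relying on it. Since vq_get_desc_idx() returns the index by value, the guest-shared ring is read once here, which is the right shape for the check.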


4. 
Code:
        lib/librte_vhost/vhost_user.c  
                vhost_user_postcopy_register() 
                        if (read_vhost_message(main_fd, &ack_msg) <= 0) {}
description:
        vhost_user_postcopy_register is called from the vhost_user_set_mem_table
function. When dev->postcopy_listening is set to 1, vhost_user_postcopy_register
calls read_vhost_message and waits for QEMU to respond to this message. If a
malicious QEMU process does not reply to this message, DPDK waits for the
response indefinitely, and other legitimate QEMU processes can no longer
communicate with DPDK normally. This results in a DoS attack.
harm:
        qemu causes DPDK denial of service
patch suggestions:
        Add a timeout mechanism

5. 
Code:
        lib/librte_vhost/vhost_crypto.c
                rte_vhost_crypto_fetch_requests()
                        uint16_t desc_idx = vq->avail->ring[used_idx];
                        struct vring_desc *head = &vq->desc[desc_idx];
                        if (unlikely(vhost_crypto_process_one_req(vcrypto, vq,
                                        op, head, descs, used_idx) < 0))
description:
        The value of uint16_t desc_idx = vq->avail->ring[used_idx] can be fully
controlled by the guest; vhost_crypto_process_one_req(task) then causes an
out-of-bounds read.
harm:
        Guest causes DPDK to read out of bounds
patch suggestions:
        rte_vhost_crypto_fetch_requests()
                uint16_t desc_idx = vq->avail->ring[used_idx];
        +       if (desc_idx >= vq->size)
        +               return0;
                struct vring_desc *head = &vq->desc[desc_idx];
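Review bot: `return0;` is missing a space and will not compile. The check also sits inside the per-request loop (the call at the bottom of the quoted code passes used_idx for each request), so returning 0 on the first bad head abandons requests already fetched in this call; breaking out and returning what was processed so far, or completing the bad request with an error status, would be the usual choice. The descriptor chain that vhost_crypto_process_one_req() walks from `head` via `descs` is equally guest-controlled, so each `next` index needs the same bound against vq->size.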

summary:
Vulnerability 1: The guest causes DPDK to write out of bounds, which may lead to
a virtual machine escape
Vulnerability 2: The guest causes DPDK to read out of bounds, or causes a DPDK DoS
Vulnerability 3: The guest causes DPDK to read and write out of bounds, which
may lead to a virtual machine escape
Vulnerability 4: QEMU causes a DPDK denial of service
Vulnerability 5: The guest causes DPDK to read out of bounds, or causes a DPDK DoS
The above vulnerabilities 1, 2, and 3 are in the example code, but I think they
are still a serious threat, because this example code may be used in production
environments.

-- 
You are receiving this mail because:
You are the assignee for the bug.
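The common defect in items 1, 2, 3 and 5 of the report is a descriptor head index read from the guest-shared avail ring and used to index the descriptor table without a bounds check. The following is an added example, not DPDK code and not the reporter's suggested patch: a toy split-virtqueue model (`toy_vring`, `toy_desc`, `toy_avail`, the `guest_hook_t` race simulator and the `fetch_head_*` helpers are all hypothetical names) that contrasts the "check, then re-read" shape of the suggested fixes, which a racing guest can defeat, with a single read into a local that is validated before the descriptor table is touched. It also generalises one step beyond the report by bounding the `next` field of each chained descriptor and capping the number of hops, since those fields come from the guest as well.

```c
/*
 * Added example (hypothetical names, not DPDK code): validating a
 * guest-controlled descriptor head index in a split virtqueue.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TOY_VQ_SIZE     4
#define TOY_DESC_F_NEXT 1

struct toy_desc  { uint64_t addr; uint32_t len; uint16_t flags; uint16_t next; };
struct toy_avail { uint16_t flags; uint16_t idx; uint16_t ring[TOY_VQ_SIZE]; };

/* The avail ring is in guest memory: the guest may rewrite it at any moment. */
struct toy_vring {
    uint16_t size;
    struct toy_desc *desc;
    volatile struct toy_avail *avail;
};

/* Simulates a guest that races the host between two reads of one slot. */
typedef void (*guest_hook_t)(struct toy_vring *vr, uint16_t slot);

/*
 * Shape of the report's suggested fixes: compare the ring slot against size,
 * then read the slot again when using it. Returns the head index the caller
 * would go on to use (never dereferenced here), or -1 if the check failed.
 */
static int fetch_head_double_read(struct toy_vring *vr, uint16_t slot, guest_hook_t guest)
{
    if (vr->avail->ring[slot] >= vr->size)
        return -1;
    if (guest)
        guest(vr, slot);            /* guest flips the slot after the check */
    return vr->avail->ring[slot];   /* second read: may now be >= size */
}

/*
 * Hardened: read the shared slot exactly once into a local, validate that
 * local, and only then index the descriptor table. The guest's later write
 * cannot affect the value already held.
 */
static int fetch_head_checked(struct toy_vring *vr, uint16_t slot, guest_hook_t guest,
                              struct toy_desc *out)
{
    uint16_t desc_idx = vr->avail->ring[slot];  /* single read */
    if (guest)
        guest(vr, slot);            /* too late: we hold our own copy */
    if (desc_idx >= vr->size)
        return -1;                  /* drop the request, do not touch desc[] */
    if (out)
        *out = vr->desc[desc_idx];
    return desc_idx;
}

/*
 * Beyond the report: every `next` in a chain is guest-controlled too, so each
 * hop gets the same bound, and a hop cap stops a self-looping chain.
 * Returns the number of descriptors in the chain, or -1 on a bad chain.
 */
static int walk_chain_checked(struct toy_vring *vr, uint16_t head)
{
    int hops = 0;
    uint16_t idx = head;
    for (;;) {
        if (idx >= vr->size || hops >= vr->size)
            return -1;
        struct toy_desc d = vr->desc[idx];
        hops++;
        if (!(d.flags & TOY_DESC_F_NEXT))
            return hops;
        idx = d.next;
    }
}

/* Racing guest: overwrite the slot with an out-of-range head. */
static void toy_evil_guest(struct toy_vring *vr, uint16_t slot)
{
    vr->avail->ring[slot] = 0xFFFF;
}

static struct toy_desc  t_desc[TOY_VQ_SIZE];
static struct toy_avail t_avail;
static struct toy_vring t_vr;

/* Constructed state: slot 0 -> head 2 (valid, 2-descriptor chain), slot 1 -> head 7 (bad). */
static struct toy_vring *toy_fixture(void)
{
    memset(t_desc, 0, sizeof t_desc);
    memset(&t_avail, 0, sizeof t_avail);
    t_desc[2] = (struct toy_desc){ .addr = 0x1000, .len = 64, .flags = TOY_DESC_F_NEXT, .next = 0 };
    t_desc[0] = (struct toy_desc){ .addr = 0x2000, .len = 32 };
    t_desc[3] = (struct toy_desc){ .addr = 0x3000, .len = 16, .flags = TOY_DESC_F_NEXT, .next = 3 };
    t_avail.ring[0] = 2;
    t_avail.ring[1] = 7;
    t_avail.idx = 2;
    t_vr = (struct toy_vring){ .size = TOY_VQ_SIZE, .desc = t_desc, .avail = &t_avail };
    return &t_vr;
}

int main(void)
{
    printf("double read, racing guest: head %d\n", fetch_head_double_read(toy_fixture(), 0, toy_evil_guest));
    printf("single read, racing guest: head %d\n", fetch_head_checked(toy_fixture(), 0, toy_evil_guest, NULL));
    printf("slot holding bad head:     %d\n", fetch_head_checked(toy_fixture(), 1, NULL, NULL));
    printf("self-looping chain:        %d\n", walk_chain_checked(toy_fixture(), 3));
    return 0;
}
```

In the real code the same rule applies to `vr->avail->ring[...]` in the two example applications and to `vq->avail->ring[used_idx]` in vhost_crypto: one load into a local, one comparison against the ring size, and only then `&vr->desc[desc_idx]`.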

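Item 4 of the report asks for "a timeout mechanism" around the blocking wait for the QEMU acknowledgement. As an added example (not DPDK code; `read_with_timeout` and the `demo_*` helpers are hypothetical), the following shows the usual shape of such a bound: wait on the descriptor with poll() against a monotonic deadline so that EINTR does not stretch the wait, then perform the read only once data is known to be available. It models only the bounded wait, not vhost-user message framing, and the `demo_*` functions use a pipe as a stand-in for the control socket.

```c
/*
 * Added example (hypothetical helper, not DPDK code): a bounded read for a
 * control-channel descriptor, so a silent peer cannot stall the caller forever.
 */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>

enum { RT_TIMEOUT = -2 };   /* distinct from -1 (errno set) and 0 (EOF) */

static int64_t now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (int64_t)ts.tv_sec * 1000 + ts.tv_nsec / 1000000;
}

/*
 * Returns bytes read (> 0), 0 on EOF, -1 on error (errno set), or RT_TIMEOUT
 * if nothing became readable within timeout_ms. The deadline is absolute, so
 * a signal interrupting poll() does not restart the full wait.
 */
static ssize_t read_with_timeout(int fd, void *buf, size_t len, int timeout_ms)
{
    int64_t deadline = now_ms() + timeout_ms;
    struct pollfd pfd = { .fd = fd, .events = POLLIN };

    for (;;) {
        int64_t remaining = deadline - now_ms();
        if (remaining <= 0)
            return RT_TIMEOUT;
        int rc = poll(&pfd, 1, (int)remaining);
        if (rc > 0)
            break;
        if (rc == 0)
            return RT_TIMEOUT;
        if (errno != EINTR)
            return -1;
    }
    if (pfd.revents & (POLLERR | POLLNVAL)) {
        errno = EIO;
        return -1;
    }
    return read(fd, buf, len);   /* POLLHUP with no pending data reads 0 */
}

/* Constructed peers: a pipe stands in for the control socket. */
static ssize_t demo_timeout(void)          /* peer never answers */
{
    int fds[2]; char buf[8];
    if (pipe(fds) < 0) return -1;
    ssize_t r = read_with_timeout(fds[0], buf, sizeof buf, 50);
    close(fds[0]); close(fds[1]);
    return r;
}

static ssize_t demo_delivery(void)         /* peer answers in time */
{
    int fds[2]; char buf[8];
    if (pipe(fds) < 0) return -1;
    if (write(fds[1], "ok", 2) != 2) return -1;
    ssize_t r = read_with_timeout(fds[0], buf, sizeof buf, 50);
    close(fds[0]); close(fds[1]);
    return r;
}

static ssize_t demo_eof(void)              /* peer hangs up */
{
    int fds[2]; char buf[8];
    if (pipe(fds) < 0) return -1;
    close(fds[1]);
    ssize_t r = read_with_timeout(fds[0], buf, sizeof buf, 50);
    close(fds[0]);
    return r;
}

int main(void)
{
    printf("silent peer:  %zd\n", demo_timeout());
    printf("answering:    %zd\n", demo_delivery());
    printf("hung up:      %zd\n", demo_eof());
    return 0;
}
```

On RT_TIMEOUT the caller can fail the request from that one peer and return to serving the others, which is the property the report says is lost when the wait is unbounded.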