From: bugzilla@dpdk.org
To: dev@dpdk.org
Date: Tue, 01 Jun 2021 11:17:20 +0000
Subject: [dpdk-dev] [Bug 724] Guest causes DPDK to read out of bounds

https://bugs.dpdk.org/show_bug.cgi?id=724

            Bug ID: 724
           Summary: Guest causes DPDK to read out of bounds
           Product: DPDK
           Version: 20.11
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: Normal
         Component: vhost/virtio
          Assignee: dev@dpdk.org
          Reporter: cheng1.jiang@intel.com
  Target Milestone: ---

Report From: dsfasd daf
Report Date: Thu, 11 Mar 2021 10:24:24 +0000
Report:

Hi,

I am clark, a security researcher of Tencent Blade Team. I recently
discovered several security vulnerabilities in DPDK, as follows.

1.

Code:
examples/vhost/virtio_net.c

vs_enqueue_pkts()
	desc_indexes[i] = vr->avail->ring[used_idx];
	...
	uint16_t desc_idx = desc_indexes[i];
	err = enqueue_pkt(dev, vr, pkts[i], desc_idx);

enqueue_pkt(struct vhost_dev *dev, struct rte_vhost_vring *vr,
	    struct rte_mbuf *m, uint16_t desc_idx)
{
	...
	desc = &vr->desc[desc_idx];
}

description:
desc_indexes[i] = vr->avail->ring[used_idx]
Its value can be fully controlled by the guest, which will cause
out-of-bounds writing in the enqueue_pkt function.

harm:
Guest causes DPDK to write out of bounds

patch suggestions:
vs_enqueue_pkts()
{
	...
+	if (vr->avail->ring[used_idx] >= vr->size)
+		return 0;
	desc_indexes[i] = vr->avail->ring[used_idx];
	...
}

2.

Code:
examples/vhost/virtio_net.c

vs_dequeue_pkts()
	desc_indexes[i] = vr->avail->ring[avail_idx];
	dequeue_pkt(dev, vr, pkts[i], desc_indexes[i], mbuf_pool);

dequeue_pkt(struct vhost_dev *dev, struct rte_vhost_vring *vr,
	    struct rte_mbuf *m, uint16_t desc_idx,
	    struct rte_mempool *mbuf_pool)
{
	desc = &vr->desc[desc_idx];
}

description:
desc_indexes[i] = vr->avail->ring[avail_idx];
Its value can be fully controlled by the guest, which will cause
out-of-bounds reading in the dequeue_pkt function.

harm:
Guest causes DPDK to read out of bounds

patch suggestions:
vs_dequeue_pkts()
{
	...
+	if (vr->avail->ring[used_idx] >= vr->size)
+		return 0;
	desc_indexes[i] = vr->avail->ring[avail_idx];
	...
}

3.

Code:
examples/vhost_blk/vhost_blk.c

vq_get_desc_idx()
	desc_idx = vq->vring.avail->ring[last_avail_idx];

process_vq()
	desc_idx = vq_get_desc_idx(vq);
	task = &vq->tasks[desc_idx];
	...
	process_blk_task(task);

description:
desc_idx = vq->vring.avail->ring[last_avail_idx];
Its value can be fully controlled by the guest; process_blk_task(task);
will further cause out-of-bounds read and write.

harm:
Guest causes DPDK to read and write out of bounds

patch suggestions:
process_vq()
{
	desc_idx = vq_get_desc_idx(vq);
+	if (desc_idx >= vq->vring.size) return;
	task = &vq->tasks[desc_idx];

4.

Code:
lib/librte_vhost/vhost_user.c

vhost_user_postcopy_register()
	if (read_vhost_message(main_fd, &ack_msg) <= 0) {}

description:
vhost_user_postcopy_register is called in the vhost_user_set_mem_table
function. When dev->postcopy_listening was set to 1,
vhost_user_postcopy_register will call read_vhost_message and wait for
qemu to respond to this message. If a malicious qemu process does not
reply to this message, DPDK will wait for the response indefinitely, and
other legitimate qemu processes will not be able to communicate with DPDK
normally. This will result in a DoS attack.

harm:
qemu causes DPDK denial of service

patch suggestions:
Add a timeout mechanism

5.

Code:
lib/librte_vhost/vhost_crypto.c

rte_vhost_crypto_fetch_requests()
	uint16_t desc_idx = vq->avail->ring[used_idx];
	struct vring_desc *head = &vq->desc[desc_idx];
	if (unlikely(vhost_crypto_process_one_req(vcrypto, vq, op, head,
			descs, used_idx) < 0))

description:
uint16_t desc_idx = vq->avail->ring[used_idx];
Its value can be fully controlled by the guest;
vhost_crypto_process_one_req(task); will further cause out-of-bounds
reading.
harm:
Guest causes DPDK to read out of bounds

patch suggestions:
rte_vhost_crypto_fetch_requests()
	uint16_t desc_idx = vq->avail->ring[used_idx];
+	if (desc_idx >= vq->size)
+		return0;
	struct vring_desc *head = &vq->desc[desc_idx];

summary:
Vulnerability 1: The guest causes DPDK to write out of bounds, or it can
cause the virtual machine to escape
Vulnerability 2: Guest causes DPDK to read out of bounds, or causes DPDK DoS
Vulnerability 3: The guest causes DPDK to read and write out of bounds, or
it can cause the virtual machine to escape
Vulnerability 4: qemu causes DPDK denial of service
Vulnerability 5: guest causes DPDK to read out of bounds, or causes DPDK DoS

The above vulnerabilities 1, 2, and 3 are in the example code, but I think
it is still a serious threat, because these example codes may be used in
formal occasions.
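Review bot: the added check in the vs_enqueue_pkts() suggestion reads vr->avail->ring[used_idx] from guest-shared memory and the assignment that follows reads it again, so the value that was validated is not necessarily the value that ends up in desc_indexes[i]. Read the entry once into a local (`uint16_t idx = vr->avail->ring[used_idx];`), compare that local against vr->size, and assign desc_indexes[i] from the local.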
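Review bot: the check in the vs_dequeue_pkts() suggestion tests vr->avail->ring[used_idx] while the assignment it guards uses vr->avail->ring[avail_idx], so a different ring slot is validated from the one that is used and the out-of-range value still reaches dequeue_pkt(). The condition should be `if (vr->avail->ring[avail_idx] >= vr->size)`, and as in the enqueue case the slot should be read once into a local and validated from that copy.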
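Review bot: the process_vq() suggestion compares desc_idx against vq->vring.size but the index is used on vq->tasks, so the bound is only sufficient if vq->tasks holds at least vq->vring.size entries, which the excerpt does not show and the patch should state. Style: `return;` belongs on its own line under the if rather than on the same line.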
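Review bot: `return0;` in the rte_vhost_crypto_fetch_requests() suggestion is missing a space and will not compile; it should read `return 0;`. The excerpt also does not show what the function's return value means to its callers or how used_idx is advanced, so the patch should say whether an early `return 0;` leaves the queue state consistent for the next call.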
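The pattern shared by items 1, 2, 3 and 5, as an added C example that is not part of the bug report or of DPDK: the guest-written avail-ring entry is copied out of shared memory once, the copy is validated against the queue size before it indexes the descriptor table, and the chain walk that follows also bounds its `next` links and hop count, which goes beyond the head-index check the report asks for. All struct, field and function names here are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* Minimal split-virtqueue pieces, constructed for this example; the layout
 * follows the virtio spec, not DPDK's private vring structs. */
#define VRING_DESC_F_NEXT 1
struct vring_desc { uint64_t addr; uint32_t len; uint16_t flags; uint16_t next; };
struct vq {
    uint16_t size;                  /* descriptor count, a power of two */
    const struct vring_desc *desc;  /* guest-shared descriptor table */
    const uint16_t *avail_ring;     /* guest-shared available ring */
};

/* Head fetch with the check the report asks for: the guest-written index is
 * copied out of shared memory once and that copy is validated and returned. */
static int fetch_head(const struct vq *vq, uint16_t slot)
{
    uint16_t head = vq->avail_ring[slot & (vq->size - 1)];
    return head < vq->size ? head : -1;   /* -1: index past the table */
}

/* Chain walk that also bounds every `next` link and the hop count, so an
 * out-of-range or cyclic chain can neither index past the table nor spin.
 * Returns the chain length, or -1 if the chain is malformed. */
static int walk_chain(const struct vq *vq, uint16_t head)
{
    uint16_t idx = head; int hops = 0;
    if (idx >= vq->size) return -1;
    for (;;) {
        struct vring_desc d;
        memcpy(&d, &vq->desc[idx], sizeof d);   /* one read per entry */
        hops++;
        if (!(d.flags & VRING_DESC_F_NEXT))
            return hops;
        if (d.next >= vq->size || hops >= vq->size)
            return -1;
        idx = d.next;
    }
}

/* Constructed sample: 4 descriptors and an avail ring whose slot 1 holds an
 * index (9) past the table, i.e. the shape described in the report. */
enum { Q = 4 };
static const struct vring_desc g_desc[Q] = {
    {0, 16, VRING_DESC_F_NEXT, 1}, {0, 16, 0, 0},              /* 0 -> 1, end */
    {0, 16, VRING_DESC_F_NEXT, 2}, {0, 16, VRING_DESC_F_NEXT, 7} /* cycle; dangling */
};
static const uint16_t g_avail_ring[Q] = {0, 9, 2, 3};
static const struct vq g_vq = {Q, g_desc, g_avail_ring};
```

Slot 1 is rejected by fetch_head() before it can index g_desc; slots 2 and 3 pass the head check but are rejected by walk_chain() for a self-loop and a dangling link respectively.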