From: Ferruh Yigit <ferruh.yigit@intel.com>
To: Maxime Coquelin <maxime.coquelin@redhat.com>,
Chenbo Xia <chenbo.xia@intel.com>,
Zhihong Wang <zhihong.wang@intel.com>,
Fan Zhang <roy.fan.zhang@intel.com>
Cc: dev@dpdk.org, Ferruh Yigit <ferruh.yigit@intel.com>, stable@dpdk.org
Subject: [dpdk-dev] [PATCH 5/6] vhost/crypto: fix data length check
Date: Mon, 28 Sep 2020 11:59:17 +0100 [thread overview]
Message-ID: <20200928105918.740807-5-ferruh.yigit@intel.com> (raw)
In-Reply-To: <20200928105918.740807-1-ferruh.yigit@intel.com>
From: Fan Zhang <roy.fan.zhang@intel.com>
This patch fixes the incorrect data length check to vhost crypto.
Instead of blindly accepting the descriptor length as data length, the
change compare the request provided data length and descriptor length
first. The security issue CVE-2020-14374 is not fixed alone by this
patch, part of the fix is done through:
"vhost/crypto: fix missed request check for copy mode".
CVE-2020-14374
Fixes: 3c79609fda7c ("vhost/crypto: handle virtually non-contiguous buffers")
Cc: stable@dpdk.org
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Chenbo Xia <chenbo.xia@intel.com>
---
lib/librte_vhost/vhost_crypto.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/librte_vhost/vhost_crypto.c b/lib/librte_vhost/vhost_crypto.c
index f1cc32a9b2..cf9aa2566b 100644
--- a/lib/librte_vhost/vhost_crypto.c
+++ b/lib/librte_vhost/vhost_crypto.c
@@ -624,7 +624,7 @@ copy_data(void *dst_data, struct vhost_crypto_data_req *vc_req,
desc = &vc_req->head[desc->next];
rte_prefetch0(&vc_req->head[desc->next]);
to_copy = RTE_MIN(desc->len, (uint32_t)left);
- dlen = desc->len;
+ dlen = to_copy;
src = IOVA_TO_VVA(uint8_t *, vc_req, desc->addr, &dlen,
VHOST_ACCESS_RO);
if (unlikely(!src || !dlen)) {
--
2.26.2
next prev parent reply other threads:[~2020-09-28 11:00 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-28 10:59 [dpdk-dev] [PATCH 1/6] vhost/crypto: fix pool allocation Ferruh Yigit
2020-09-28 10:59 ` [dpdk-dev] [PATCH 2/6] vhost/crypto: fix incorrect descriptor deduction Ferruh Yigit
2020-09-28 10:59 ` [dpdk-dev] [PATCH 3/6] vhost/crypto: fix missed request check for copy mode Ferruh Yigit
2020-09-28 10:59 ` [dpdk-dev] [PATCH 4/6] vhost/crypto: fix incorrect write back source Ferruh Yigit
2020-09-28 10:59 ` Ferruh Yigit [this message]
2020-09-28 10:59 ` [dpdk-dev] [PATCH 6/6] vhost/crypto: fix possible TOCTOU attack Ferruh Yigit
2020-09-28 15:19 ` [dpdk-dev] [dpdk-stable] " Thomas Monjalon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200928105918.740807-5-ferruh.yigit@intel.com \
--to=ferruh.yigit@intel.com \
--cc=chenbo.xia@intel.com \
--cc=dev@dpdk.org \
--cc=maxime.coquelin@redhat.com \
--cc=roy.fan.zhang@intel.com \
--cc=stable@dpdk.org \
--cc=zhihong.wang@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).