DPDK patches and discussions
 help / color / mirror / Atom feed
From: Ferruh Yigit <ferruh.yigit@intel.com>
To: Maxime Coquelin <maxime.coquelin@redhat.com>,
	Chenbo Xia <chenbo.xia@intel.com>,
	Zhihong Wang <zhihong.wang@intel.com>,
	Fan Zhang <roy.fan.zhang@intel.com>
Cc: dev@dpdk.org, Ferruh Yigit <ferruh.yigit@intel.com>, stable@dpdk.org
Subject: [dpdk-dev] [PATCH 5/6] vhost/crypto: fix data length check
Date: Mon, 28 Sep 2020 11:59:17 +0100
Message-ID: <20200928105918.740807-5-ferruh.yigit@intel.com> (raw)
In-Reply-To: <20200928105918.740807-1-ferruh.yigit@intel.com>

From: Fan Zhang <roy.fan.zhang@intel.com>

This patch fixes the incorrect data length check to vhost crypto.
Instead of blindly accepting the descriptor length as data length, the
change compare the request provided data length and descriptor length
first. The security issue CVE-2020-14374 is not fixed alone by this
patch, part of the fix is done through:
"vhost/crypto: fix missed request check for copy mode".

CVE-2020-14374
Fixes: 3c79609fda7c ("vhost/crypto: handle virtually non-contiguous buffers")
Cc: stable@dpdk.org

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Chenbo Xia <chenbo.xia@intel.com>
---
 lib/librte_vhost/vhost_crypto.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/librte_vhost/vhost_crypto.c b/lib/librte_vhost/vhost_crypto.c
index f1cc32a9b2..cf9aa2566b 100644
--- a/lib/librte_vhost/vhost_crypto.c
+++ b/lib/librte_vhost/vhost_crypto.c
@@ -624,7 +624,7 @@ copy_data(void *dst_data, struct vhost_crypto_data_req *vc_req,
 		desc = &vc_req->head[desc->next];
 		rte_prefetch0(&vc_req->head[desc->next]);
 		to_copy = RTE_MIN(desc->len, (uint32_t)left);
-		dlen = desc->len;
+		dlen = to_copy;
 		src = IOVA_TO_VVA(uint8_t *, vc_req, desc->addr, &dlen,
 				VHOST_ACCESS_RO);
 		if (unlikely(!src || !dlen)) {
-- 
2.26.2


  parent reply	other threads:[~2020-09-28 11:00 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-09-28 10:59 [dpdk-dev] [PATCH 1/6] vhost/crypto: fix pool allocation Ferruh Yigit
2020-09-28 10:59 ` [dpdk-dev] [PATCH 2/6] vhost/crypto: fix incorrect descriptor deduction Ferruh Yigit
2020-09-28 10:59 ` [dpdk-dev] [PATCH 3/6] vhost/crypto: fix missed request check for copy mode Ferruh Yigit
2020-09-28 10:59 ` [dpdk-dev] [PATCH 4/6] vhost/crypto: fix incorrect write back source Ferruh Yigit
2020-09-28 10:59 ` Ferruh Yigit [this message]
2020-09-28 10:59 ` [dpdk-dev] [PATCH 6/6] vhost/crypto: fix possible TOCTOU attack Ferruh Yigit
2020-09-28 15:19   ` [dpdk-dev] [dpdk-stable] " Thomas Monjalon

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200928105918.740807-5-ferruh.yigit@intel.com \
    --to=ferruh.yigit@intel.com \
    --cc=chenbo.xia@intel.com \
    --cc=dev@dpdk.org \
    --cc=maxime.coquelin@redhat.com \
    --cc=roy.fan.zhang@intel.com \
    --cc=stable@dpdk.org \
    --cc=zhihong.wang@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

DPDK patches and discussions

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://inbox.dpdk.org/dev/0 dev/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 dev dev/ https://inbox.dpdk.org/dev \
		dev@dpdk.org
	public-inbox-index dev

Example config snippet for mirrors.
Newsgroup available over NNTP:
	nntp://inbox.dpdk.org/inbox.dpdk.dev


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git