From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-bounces@dpdk.org>
Received: from dpdk.org (dpdk.org [92.243.14.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 2BB66A0093
	for <public@inbox.dpdk.org>; Mon, 18 May 2020 15:18:20 +0200 (CEST)
Received: from [92.243.14.124] (localhost [127.0.0.1])
	by dpdk.org (Postfix) with ESMTP id 806D11D51D;
	Mon, 18 May 2020 15:18:17 +0200 (CEST)
Received: from mga05.intel.com (mga05.intel.com [192.55.52.43])
 by dpdk.org (Postfix) with ESMTP id 8E9911D55C
 for <stable@dpdk.org>; Mon, 18 May 2020 15:18:15 +0200 (CEST)
IronPort-SDR: /ehY6F/s0QnLvhl6pzeyu0S7k0EcpeUODcMofQHSu+HaMOUPSgqg2L/F8S+ERLm7vXri2SwOzR
 5eITUrxGDQiA==
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga002.jf.intel.com ([10.7.209.21])
 by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 18 May 2020 06:18:15 -0700
IronPort-SDR: fHx5x1QzbcXwLHRAVSxYweA6p+q10P9NTcxdX4+tzE1bQ0DiCrI2b1FBYHL7uUWWiOLIK4EcHn
 p4Xph1M2uKmw==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.73,407,1583222400"; d="scan'208";a="281970131"
Received: from silpixa00399752.ir.intel.com (HELO
 silpixa00399752.ger.corp.intel.com) ([10.237.222.180])
 by orsmga002.jf.intel.com with ESMTP; 18 May 2020 06:18:13 -0700
From: Ferruh Yigit <ferruh.yigit@intel.com>
To: stable@dpdk.org
Cc: Ferruh Yigit <ferruh.yigit@intel.com>,
 Maxime Coquelin <maxime.coquelin@redhat.com>,
 Ilja Van Sprundel <ivansprundel@ioactive.com>,
 Xiaolong Ye <xiaolong.ye@intel.com>
Date: Mon, 18 May 2020 14:18:02 +0100
Message-Id: <20200518131805.716052-4-ferruh.yigit@intel.com>
X-Mailer: git-send-email 2.25.4
In-Reply-To: <20200518131805.716052-1-ferruh.yigit@intel.com>
References: <20200518131805.716052-1-ferruh.yigit@intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [dpdk-stable] [PATCH v20.02 3/6] vhost/crypto: validate keys lengths
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: patches for DPDK stable branches <stable.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/stable>,
 <mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/stable>,
 <mailto:stable-request@dpdk.org?subject=subscribe>
Errors-To: stable-bounces@dpdk.org
Sender: "stable" <stable-bounces@dpdk.org>

From: Maxime Coquelin <maxime.coquelin@redhat.com>

transform_cipher_param() and transform_chain_param() handle
the payload data for the VHOST_USER_CRYPTO_CREATE_SESS
message. These payloads have to be validated, since it
could come from untrusted sources.

Two buffers and their lenghts are defined in this payload,
one the the auth key and one for the cipher key. But above
functions do not validate the key length inputs, which could
lead to read out of bounds, as buffers have static sizes of
64 bytes for the cipher key and 512 bytes for the auth key.

This patch adds necessary checks on the key length field
before being used.

Fixes: e80a98708166 ("vhost/crypto: add session message handler")
Cc: stable@dpdk.org

This issue has been assigned CVE-2020-10724

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Reviewed-by: Xiaolong Ye <xiaolong.ye@intel.com>
Reviewed-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
---
 lib/librte_vhost/vhost_crypto.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/lib/librte_vhost/vhost_crypto.c b/lib/librte_vhost/vhost_crypto.c
index 68911972b6..07a4115482 100644
--- a/lib/librte_vhost/vhost_crypto.c
+++ b/lib/librte_vhost/vhost_crypto.c
@@ -237,6 +237,11 @@ transform_cipher_param(struct rte_crypto_sym_xform *xform,
 	if (unlikely(ret < 0))
 		return ret;
 
+	if (param->cipher_key_len > VHOST_USER_CRYPTO_MAX_CIPHER_KEY_LENGTH) {
+		VC_LOG_DBG("Invalid cipher key length\n");
+		return -VIRTIO_CRYPTO_BADMSG;
+	}
+
 	xform->type = RTE_CRYPTO_SYM_XFORM_CIPHER;
 	xform->cipher.key.length = param->cipher_key_len;
 	if (xform->cipher.key.length > 0)
@@ -287,6 +292,12 @@ transform_chain_param(struct rte_crypto_sym_xform *xforms,
 			&xform_cipher->cipher.algo);
 	if (unlikely(ret < 0))
 		return ret;
+
+	if (param->cipher_key_len > VHOST_USER_CRYPTO_MAX_CIPHER_KEY_LENGTH) {
+		VC_LOG_DBG("Invalid cipher key length\n");
+		return -VIRTIO_CRYPTO_BADMSG;
+	}
+
 	xform_cipher->type = RTE_CRYPTO_SYM_XFORM_CIPHER;
 	xform_cipher->cipher.key.length = param->cipher_key_len;
 	xform_cipher->cipher.key.data = param->cipher_key_buf;
@@ -301,6 +312,12 @@ transform_chain_param(struct rte_crypto_sym_xform *xforms,
 	ret = auth_algo_transform(param->hash_algo, &xform_auth->auth.algo);
 	if (unlikely(ret < 0))
 		return ret;
+
+	if (param->auth_key_len > VHOST_USER_CRYPTO_MAX_HMAC_KEY_LENGTH) {
+		VC_LOG_DBG("Invalid auth key length\n");
+		return -VIRTIO_CRYPTO_BADMSG;
+	}
+
 	xform_auth->auth.digest_length = param->digest_len;
 	xform_auth->auth.key.length = param->auth_key_len;
 	xform_auth->auth.key.data = param->auth_key_buf;
-- 
2.25.2