patches for DPDK stable branches
 help / color / mirror / Atom feed
From: Ferruh Yigit <ferruh.yigit@intel.com>
To: stable@dpdk.org
Cc: Ferruh Yigit <ferruh.yigit@intel.com>,
	Maxime Coquelin <maxime.coquelin@redhat.com>,
	Ilja Van Sprundel <ivansprundel@ioactive.com>,
	Xiaolong Ye <xiaolong.ye@intel.com>
Subject: [dpdk-stable] [PATCH v18.11 2/3] vhost: fix vring index check
Date: Mon, 18 May 2020 14:18:49 +0100	[thread overview]
Message-ID: <20200518131850.716165-3-ferruh.yigit@intel.com> (raw)
In-Reply-To: <20200518131850.716165-1-ferruh.yigit@intel.com>

From: Maxime Coquelin <maxime.coquelin@redhat.com>

vhost_user_check_and_alloc_queue_pair() is used to extract
a vring index from a payload. This function validates the
index and is called early on in when performing message
handling. Most message handlers depend on it correctly
validating the vring index.

Depending on the message type the vring index is in
different parts of the payload. The function contains a
switch/case for each type and copies the index. This is
stored in a uint16. This index is then validated. Depending
on the message, the source index is an unsigned int. If
integer truncation occurs (uint->uint16) the top 16 bits
of the index are never validated.

When they are used later on  (e.g. in
vhost_user_set_vring_num() or vhost_user_set_vring_addr())
it can lead to out of bound indexing. The out of bound
indexed data gets written to, and hence this can cause
memory corruption.

This patch fixes this vulnerability by declaring vring
index as an unsigned int in
vhost_user_check_and_alloc_queue_pair().

Fixes: 160cbc815b41 ("vhost: remove a hack on queue allocation")
Cc: stable@dpdk.org

This issue has been assigned CVE-2020-10723

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Reviewed-by: Xiaolong Ye <xiaolong.ye@intel.com>
Reviewed-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
---
 lib/librte_vhost/vhost_user.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
index 8d78c11b9b..e4f72ba876 100644
--- a/lib/librte_vhost/vhost_user.c
+++ b/lib/librte_vhost/vhost_user.c
@@ -2062,7 +2062,7 @@ static int
 vhost_user_check_and_alloc_queue_pair(struct virtio_net *dev,
 			struct VhostUserMsg *msg)
 {
-	uint16_t vring_idx;
+	uint32_t vring_idx;
 
 	switch (msg->request.master) {
 	case VHOST_USER_SET_VRING_KICK:
-- 
2.25.2


  parent reply	other threads:[~2020-05-18 13:19 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-05-18 13:18 [dpdk-stable] [PATCH v18.11 0/3] Fix vhost security issues Ferruh Yigit
2020-05-18 13:18 ` [dpdk-stable] [PATCH v18.11 1/3] vhost: check log mmap offset and size overflow Ferruh Yigit
2020-05-18 13:18 ` Ferruh Yigit [this message]
2020-05-18 13:18 ` [dpdk-stable] [PATCH v18.11 3/3] vhost/crypto: validate keys lengths Ferruh Yigit

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200518131850.716165-3-ferruh.yigit@intel.com \
    --to=ferruh.yigit@intel.com \
    --cc=ivansprundel@ioactive.com \
    --cc=maxime.coquelin@redhat.com \
    --cc=stable@dpdk.org \
    --cc=xiaolong.ye@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).