patches for DPDK stable branches
From: Ferruh Yigit <ferruh.yigit@intel.com>
To: stable@dpdk.org
Cc: Ferruh Yigit <ferruh.yigit@intel.com>,
	Maxime Coquelin <maxime.coquelin@redhat.com>,
	Ilja Van Sprundel <ivansprundel@ioactive.com>,
	Xiaolong Ye <xiaolong.ye@intel.com>
Subject: [dpdk-stable] [PATCH v19.11 2/6] vhost: fix vring index check
Date: Mon, 18 May 2020 14:19:09 +0100
Message-ID: <20200518131913.716252-3-ferruh.yigit@intel.com>
In-Reply-To: <20200518131913.716252-1-ferruh.yigit@intel.com>

From: Maxime Coquelin <maxime.coquelin@redhat.com>

vhost_user_check_and_alloc_queue_pair() is used to extract
a vring index from a payload. This function validates the
index and is called early on when performing message
handling. Most message handlers depend on it correctly
validating the vring index.

Depending on the message type the vring index is in
different parts of the payload. The function contains a
switch/case for each type and copies the index. This is
stored in a uint16. This index is then validated. Depending
on the message, the source index is an unsigned int. If
integer truncation occurs (uint->uint16) the top 16 bits
of the index are never validated.

When they are used later on (e.g. in
vhost_user_set_vring_num() or vhost_user_set_vring_addr())
it can lead to out of bound indexing. The out of bound
indexed data gets written to, and hence this can cause
memory corruption.

This patch fixes this vulnerability by declaring vring
index as an unsigned int in
vhost_user_check_and_alloc_queue_pair().

Fixes: 160cbc815b41 ("vhost: remove a hack on queue allocation")
Cc: stable@dpdk.org

This issue has been assigned CVE-2020-10723

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Reviewed-by: Xiaolong Ye <xiaolong.ye@intel.com>
Reviewed-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
---
 lib/librte_vhost/vhost_user.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
index 02962fcdbc..d19614265b 100644
--- a/lib/librte_vhost/vhost_user.c
+++ b/lib/librte_vhost/vhost_user.c
@@ -2526,7 +2526,7 @@ static int
 vhost_user_check_and_alloc_queue_pair(struct virtio_net *dev,
 			struct VhostUserMsg *msg)
 {
-	uint16_t vring_idx;
+	uint32_t vring_idx;
 
 	switch (msg->request.master) {
 	case VHOST_USER_SET_VRING_KICK:
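Review bot: the hunk only widens the local `vring_idx` declaration; the comparison against the device's queue count and the remaining `case` arms that assign into it are outside the visible context, so please confirm that every assignment in the switch now flows from its source field into this `uint32_t` without an intermediate narrowing cast, and that the bound check itself is an unsigned comparison, otherwise the same truncation can survive in one arm. A regression test that sends an index with a bit above 15 set (low 16 bits in range, e.g. `0x10001`) and expects rejection would pin the fix for both `vhost_user_set_vring_num()` and `vhost_user_set_vring_addr()`.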
-- 
2.25.2
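The truncation the commit message describes, shown as an added C example that is not DPDK code: a reduced model of the check-then-use pattern. A message carries a 32-bit vring index; the pre-fix validator copies it into a `uint16_t` before comparing it with the queue count, so bits 16 and above are never validated, while the handler that runs afterwards indexes with the full 32-bit value. The names `NR_VRING`, `struct dev`, `struct msg`, `set_vring_num` and `run_message` are hypothetical stand-ins for the DPDK structures, and the handler returns a marker instead of performing the out-of-bounds write.

```c
/*
 * Added example (not DPDK code): a reduced model of the integer-truncation
 * bug described in the commit message. A vhost-user style message carries a
 * 32-bit vring index; the pre-fix validator copies it into a uint16_t before
 * the bounds check, so bits 16..31 are never examined, while the handler
 * that runs afterwards indexes with the full 32-bit value.
 *
 * All names (NR_VRING, struct dev, struct msg, set_vring_num, run_message)
 * are hypothetical stand-ins for the DPDK structures.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NR_VRING 8  /* hypothetical number of vrings the device has allocated */

struct vring { uint32_t size; };

struct dev {
    struct vring *vq[NR_VRING];   /* table the handler indexes into */
    uint32_t nr_vring;            /* bound the validator checks against */
};

/* Index field as received from the (untrusted) frontend. */
struct msg {
    uint32_t index;   /* "unsigned int" source width, as in the commit message */
    uint32_t num;
};

typedef bool (*idx_check_fn)(const struct dev *, const struct msg *);

/* Pre-fix shape: local is uint16_t, so the comparison sees only the low 16 bits. */
static bool check_idx_truncating(const struct dev *d, const struct msg *m)
{
    uint16_t vring_idx = m->index;      /* implicit uint32 -> uint16 truncation */
    return vring_idx < d->nr_vring;
}

/* Post-fix shape: local is as wide as the source field. */
static bool check_idx_fixed(const struct dev *d, const struct msg *m)
{
    uint32_t vring_idx = m->index;
    return vring_idx < d->nr_vring;
}

/*
 * Handler stand-in modelled on the role of vhost_user_set_vring_num(): it
 * trusts the earlier check and indexes with the untruncated value.
 * Return values:
 *   >= 0 : index written
 *   -1   : rejected by the check
 *   -2   : check passed but the index is outside vq[]; a real handler would
 *          write out of bounds here, the demo stops instead of corrupting memory
 */
static long set_vring_num(struct dev *d, const struct msg *m, idx_check_fn check)
{
    if (!check(d, m))
        return -1;
    if (m->index >= NR_VRING)
        return -2;
    d->vq[m->index]->size = m->num;
    return (long)m->index;
}

/* Build a device with NR_VRING vrings and feed it one message. */
static long run_message(uint32_t index, bool use_fixed_check)
{
    static struct vring rings[NR_VRING];
    struct dev d = { .nr_vring = NR_VRING };
    for (uint32_t i = 0; i < NR_VRING; i++)
        d.vq[i] = &rings[i];

    struct msg m = { .index = index, .num = 256 };
    return set_vring_num(&d, &m, use_fixed_check ? check_idx_fixed
                                                  : check_idx_truncating);
}

int main(void)
{
    /* Constructed input: low 16 bits are a valid index (1), bit 16 is set. */
    uint32_t evil = (1u << 16) | 1u;
    printf("index 0x%x, truncating check: %ld\n", evil, run_message(evil, false));
    printf("index 0x%x, fixed check:      %ld\n", evil, run_message(evil, true));
    printf("index 3, either check:        %ld\n", run_message(3, true));
    return 0;
}
```

With the truncating check, `0x10001` is reduced to `1`, passes the `< nr_vring` comparison and reaches the handler, which would index `vq[0x10001]`; with the widened local the same message is rejected before any handler runs. The compiler emits no diagnostic for the `uint32_t` to `uint16_t` conversion by default, which is why a check like this is easy to miss in review; `-Wconversion` (GCC/Clang) flags the narrowing assignment.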


2020-05-18 13:19 [dpdk-stable] [PATCH v19.11 0/6] Fix vhost security issues Ferruh Yigit
2020-05-18 13:19 ` [dpdk-stable] [PATCH v19.11 1/6] vhost: check log mmap offset and size overflow Ferruh Yigit
2020-05-18 13:19 ` Ferruh Yigit [this message]
2020-05-18 13:19 ` [dpdk-stable] [PATCH v19.11 3/6] vhost/crypto: validate keys lengths Ferruh Yigit
2020-05-18 13:19 ` [dpdk-stable] [PATCH v19.11 4/6] vhost: fix translated address not checked Ferruh Yigit
2020-05-18 13:19 ` [dpdk-stable] [PATCH v19.11 5/6] vhost: fix potential memory space leak Ferruh Yigit
2020-05-18 13:19 ` [dpdk-stable] [PATCH v19.11 6/6] vhost: fix potential fd leak Ferruh Yigit
