dpdk/0005-vhost-crypto-fix-data-length-check.patch

From 2fca489d58acfee297d0b9a7dc14e7fa119e8867 Mon Sep 17 00:00:00 2001
From: Fan Zhang <roy.fan.zhang@intel.com>
Date: Thu, 16 Apr 2020 11:29:06 +0100
Subject: [PATCH 5/6] vhost/crypto: fix data length check

This patch fixes the incorrect data length check to vhost crypto.
Instead of blindly accepting the descriptor length as data length, the
change compare the request provided data length and descriptor length
first. The security issue CVE-2020-14374 is not fixed alone by this
patch, part of the fix is done through:
"vhost/crypto: fix missed request check for copy mode".

CVE-2020-14374
Fixes: 3c79609fda7c ("vhost/crypto: handle virtually non-contiguous buffers")
Cc: stable@dpdk.org

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Chenbo Xia <chenbo.xia@intel.com>
---
 lib/librte_vhost/vhost_crypto.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/librte_vhost/vhost_crypto.c b/lib/librte_vhost/vhost_crypto.c
index f1cc32a9b..cf9aa2566 100644
--- a/lib/librte_vhost/vhost_crypto.c
+++ b/lib/librte_vhost/vhost_crypto.c
@@ -624,7 +624,7 @@ copy_data(void *dst_data, struct vhost_crypto_data_req *vc_req,
 		desc = &vc_req->head[desc->next];
 		rte_prefetch0(&vc_req->head[desc->next]);
 		to_copy = RTE_MIN(desc->len, (uint32_t)left);
-		dlen = desc->len;
+		dlen = to_copy;
 		src = IOVA_TO_VVA(uint8_t *, vc_req, desc->addr, &dlen,
 				VHOST_ACCESS_RO);
 		if (unlikely(!src || !dlen)) {
-- 
2.26.2
Accepting request 838479 from home:jaicaa:branches:network - Add patches to fix vulnerability where malicious guest can harm the host using vhost crypto, this includes executing code in host (VM Escape), reading host application memory space to guest and causing partially denial of service in the host (bsc#1176590). * 0001-vhost-crypto-fix-pool-allocation.patch * 0002-vhost-crypto-fix-incorrect-descriptor-deduction.patch * 0003-vhost-crypto-fix-missed-request-check-for-copy-mode.patch * 0004-vhost-crypto-fix-incorrect-write-back-source.patch * 0005-vhost-crypto-fix-data-length-check.patch * 0006-vhost-crypto-fix-possible-TOCTOU-attack.patch OBS-URL: https://build.opensuse.org/request/show/838479 OBS-URL: https://build.opensuse.org/package/show/network/dpdk?expand=0&rev=121 2020-09-29 16:50:59 +02:00			`From 2fca489d58acfee297d0b9a7dc14e7fa119e8867 Mon Sep 17 00:00:00 2001`
			`From: Fan Zhang <roy.fan.zhang@intel.com>`
			`Date: Thu, 16 Apr 2020 11:29:06 +0100`
			`Subject: [PATCH 5/6] vhost/crypto: fix data length check`

			`This patch fixes the incorrect data length check to vhost crypto.`
			`Instead of blindly accepting the descriptor length as data length, the`
			`change compare the request provided data length and descriptor length`
			`first. The security issue CVE-2020-14374 is not fixed alone by this`
			`patch, part of the fix is done through:`
			`"vhost/crypto: fix missed request check for copy mode".`

			`CVE-2020-14374`
			`Fixes: 3c79609fda7c ("vhost/crypto: handle virtually non-contiguous buffers")`
			`Cc: stable@dpdk.org`

			`Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>`
			`Acked-by: Chenbo Xia <chenbo.xia@intel.com>`
			`---`
			`lib/librte_vhost/vhost_crypto.c \| 2 +-`
			`1 file changed, 1 insertion(+), 1 deletion(-)`

			`diff --git a/lib/librte_vhost/vhost_crypto.c b/lib/librte_vhost/vhost_crypto.c`
			`index f1cc32a9b..cf9aa2566 100644`
			`--- a/lib/librte_vhost/vhost_crypto.c`
			`+++ b/lib/librte_vhost/vhost_crypto.c`
			`@@ -624,7 +624,7 @@ copy_data(void dst_data, struct vhost_crypto_data_req vc_req,`
			`desc = &vc_req->head[desc->next];`
			`rte_prefetch0(&vc_req->head[desc->next]);`
			`to_copy = RTE_MIN(desc->len, (uint32_t)left);`
			`- dlen = desc->len;`
			`+ dlen = to_copy;`
			`src = IOVA_TO_VVA(uint8_t *, vc_req, desc->addr, &dlen,`
			`VHOST_ACCESS_RO);`
			`if (unlikely(!src \|\| !dlen)) {`
			`--`
			`2.26.2`