dpdk/0003-vhost-crypto-validate-keys-lengths.patch

From 5216718e4837d4dcc6020cd5f6d5d629222bad8c Mon Sep 17 00:00:00 2001
From: Maxime Coquelin <maxime.coquelin@redhat.com>
Date: Tue, 21 Apr 2020 19:10:09 +0200
Subject: [PATCH 3/6] vhost/crypto: validate keys lengths

transform_cipher_param() and transform_chain_param() handle
the payload data for the VHOST_USER_CRYPTO_CREATE_SESS
message. These payloads have to be validated, since it
could come from untrusted sources.

Two buffers and their lenghts are defined in this payload,
one the the auth key and one for the cipher key. But above
functions do not validate the key length inputs, which could
lead to read out of bounds, as buffers have static sizes of
64 bytes for the cipher key and 512 bytes for the auth key.

This patch adds necessary checks on the key length field
before being used.

Fixes: e80a98708166 ("vhost/crypto: add session message handler")
Cc: stable@dpdk.org

This issue has been assigned CVE-2020-10724

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Reviewed-by: Xiaolong Ye <xiaolong.ye@intel.com>
Reviewed-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
---
 lib/librte_vhost/vhost_crypto.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/lib/librte_vhost/vhost_crypto.c b/lib/librte_vhost/vhost_crypto.c
index 68911972b6..07a4115482 100644
--- a/lib/librte_vhost/vhost_crypto.c
+++ b/lib/librte_vhost/vhost_crypto.c
@@ -237,6 +237,11 @@ transform_cipher_param(struct rte_crypto_sym_xform *xform,
 	if (unlikely(ret < 0))
 		return ret;
 
+	if (param->cipher_key_len > VHOST_USER_CRYPTO_MAX_CIPHER_KEY_LENGTH) {
+		VC_LOG_DBG("Invalid cipher key length\n");
+		return -VIRTIO_CRYPTO_BADMSG;
+	}
+
 	xform->type = RTE_CRYPTO_SYM_XFORM_CIPHER;
 	xform->cipher.key.length = param->cipher_key_len;
 	if (xform->cipher.key.length > 0)
@@ -287,6 +292,12 @@ transform_chain_param(struct rte_crypto_sym_xform *xforms,
 			&xform_cipher->cipher.algo);
 	if (unlikely(ret < 0))
 		return ret;
+
+	if (param->cipher_key_len > VHOST_USER_CRYPTO_MAX_CIPHER_KEY_LENGTH) {
+		VC_LOG_DBG("Invalid cipher key length\n");
+		return -VIRTIO_CRYPTO_BADMSG;
+	}
+
 	xform_cipher->type = RTE_CRYPTO_SYM_XFORM_CIPHER;
 	xform_cipher->cipher.key.length = param->cipher_key_len;
 	xform_cipher->cipher.key.data = param->cipher_key_buf;
@@ -301,6 +312,12 @@ transform_chain_param(struct rte_crypto_sym_xform *xforms,
 	ret = auth_algo_transform(param->hash_algo, &xform_auth->auth.algo);
 	if (unlikely(ret < 0))
 		return ret;
+
+	if (param->auth_key_len > VHOST_USER_CRYPTO_MAX_HMAC_KEY_LENGTH) {
+		VC_LOG_DBG("Invalid auth key length\n");
+		return -VIRTIO_CRYPTO_BADMSG;
+	}
+
 	xform_auth->auth.digest_length = param->digest_len;
 	xform_auth->auth.key.length = param->auth_key_len;
 	xform_auth->auth.key.data = param->auth_key_buf;
-- 
2.25.2
Accepting request 807340 from home:jaicaa:branches:network - Update to v19.11.1. For a list of changes, check: * https://doc.dpdk.org/guides/rel_notes/release_19_11.html#new-features - Removed patches no longer applying to the code base: * 0001-vhost-fix-possible-denial-of-service-on-SET_VRING_NU.patch * 0002-vhost-fix-possible-denial-of-service-by-leaking-FDs.patch * 0002-fix-cpu-compatibility.patch - Rebased patches: * 0001-fix-cpu-compatibility.patch - Add patches to fix vulnerability where malicious guest/container can cause resource leak resulting a Denial-of-Service, or memory corruption and crash, or information leak in vhost-user backend application (bsc#1171477, CVE-2020-10722, CVE-2020-10723, CVE-2020-10724, CVE-2020-10725, CVE-2020-10726). * 0001-vhost-check-log-mmap-offset-and-size-overflow.patch * 0002-vhost-fix-vring-index-check.patch * 0003-vhost-crypto-validate-keys-lengths.patch * 0004-vhost-fix-translated-address-not-checked.patch * 0005-vhost-fix-potential-memory-space-leak.patch * 0006-vhost-fix-potential-fd-leak.patch OBS-URL: https://build.opensuse.org/request/show/807340 OBS-URL: https://build.opensuse.org/package/show/network/dpdk?expand=0&rev=115 2020-05-20 11:15:07 +02:00			`From 5216718e4837d4dcc6020cd5f6d5d629222bad8c Mon Sep 17 00:00:00 2001`
			`From: Maxime Coquelin <maxime.coquelin@redhat.com>`
			`Date: Tue, 21 Apr 2020 19:10:09 +0200`
			`Subject: [PATCH 3/6] vhost/crypto: validate keys lengths`

			`transform_cipher_param() and transform_chain_param() handle`
			`the payload data for the VHOST_USER_CRYPTO_CREATE_SESS`
			`message. These payloads have to be validated, since it`
			`could come from untrusted sources.`

			`Two buffers and their lenghts are defined in this payload,`
			`one the the auth key and one for the cipher key. But above`
			`functions do not validate the key length inputs, which could`
			`lead to read out of bounds, as buffers have static sizes of`
			`64 bytes for the cipher key and 512 bytes for the auth key.`

			`This patch adds necessary checks on the key length field`
			`before being used.`

			`Fixes: e80a98708166 ("vhost/crypto: add session message handler")`
			`Cc: stable@dpdk.org`

			`This issue has been assigned CVE-2020-10724`

			`Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>`
			`Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>`
			`Reviewed-by: Xiaolong Ye <xiaolong.ye@intel.com>`
			`Reviewed-by: Ilja Van Sprundel <ivansprundel@ioactive.com>`
			`---`
			`lib/librte_vhost/vhost_crypto.c \| 17 +++++++++++++++++`
			`1 file changed, 17 insertions(+)`

			`diff --git a/lib/librte_vhost/vhost_crypto.c b/lib/librte_vhost/vhost_crypto.c`
			`index 68911972b6..07a4115482 100644`
			`--- a/lib/librte_vhost/vhost_crypto.c`
			`+++ b/lib/librte_vhost/vhost_crypto.c`
			`@@ -237,6 +237,11 @@ transform_cipher_param(struct rte_crypto_sym_xform *xform,`
			`if (unlikely(ret < 0))`
			`return ret;`

			`+ if (param->cipher_key_len > VHOST_USER_CRYPTO_MAX_CIPHER_KEY_LENGTH) {`
			`+ VC_LOG_DBG("Invalid cipher key length\n");`
			`+ return -VIRTIO_CRYPTO_BADMSG;`
			`+ }`
			`+`
			`xform->type = RTE_CRYPTO_SYM_XFORM_CIPHER;`
			`xform->cipher.key.length = param->cipher_key_len;`
			`if (xform->cipher.key.length > 0)`
			`@@ -287,6 +292,12 @@ transform_chain_param(struct rte_crypto_sym_xform *xforms,`
			`&xform_cipher->cipher.algo);`
			`if (unlikely(ret < 0))`
			`return ret;`
			`+`
			`+ if (param->cipher_key_len > VHOST_USER_CRYPTO_MAX_CIPHER_KEY_LENGTH) {`
			`+ VC_LOG_DBG("Invalid cipher key length\n");`
			`+ return -VIRTIO_CRYPTO_BADMSG;`
			`+ }`
			`+`
			`xform_cipher->type = RTE_CRYPTO_SYM_XFORM_CIPHER;`
			`xform_cipher->cipher.key.length = param->cipher_key_len;`
			`xform_cipher->cipher.key.data = param->cipher_key_buf;`
			`@@ -301,6 +312,12 @@ transform_chain_param(struct rte_crypto_sym_xform *xforms,`
			`ret = auth_algo_transform(param->hash_algo, &xform_auth->auth.algo);`
			`if (unlikely(ret < 0))`
			`return ret;`
			`+`
			`+ if (param->auth_key_len > VHOST_USER_CRYPTO_MAX_HMAC_KEY_LENGTH) {`
			`+ VC_LOG_DBG("Invalid auth key length\n");`
			`+ return -VIRTIO_CRYPTO_BADMSG;`
			`+ }`
			`+`
			`xform_auth->auth.digest_length = param->digest_len;`
			`xform_auth->auth.key.length = param->auth_key_len;`
			`xform_auth->auth.key.data = param->auth_key_buf;`
			`--`
			`2.25.2`