!5 fix CVE-2020-10722 CVE-2020-10723 CVE-2020-10724 CVE-2020-10725 CVE-2020-10726

Merge pull request !5 from chxssg/master
2020-08-24 19:11:47 +08:00 · 2020-08-24 19:11:47 +08:00 · 1b81ab3c19
commit 1b81ab3c19
parent 4a7c22a281 4ec9a79d56
6 changed files with 292 additions and 2 deletions
--- a/CVE-2020-10722.patch
+++ b/CVE-2020-10722.patch
@ -0,0 +1,48 @@
+From 2cf9c470ebff0091e41af85f16ab906fd98cf9af Mon Sep 17 00:00:00 2001
+From: Maxime Coquelin <maxime.coquelin@redhat.com>
+Date: Tue, 21 Apr 2020 11:16:56 +0200
+Subject: vhost: check log mmap offset and size overflow
+
+vhost_user_set_log_base() is a message handler that is
+called to handle the VHOST_USER_SET_LOG_BASE message.
+Its payload contains a 64 bit size and offset. Both are
+added up and used as a size when calling mmap().
+
+There is no integer overflow check. If an integer overflow
+occurs a smaller memory map would be created than
+requested. Since the returned mapping is mapped as writable
+and used for logging, a memory corruption could occur.
+
+Fixes: fbc4d248b198 ("vhost: fix offset while mmaping log base address")
+
+This issue has been assigned CVE-2020-10722
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
+Reviewed-by: Xiaolong Ye <xiaolong.ye@intel.com>
+Reviewed-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+---
+ lib/librte_vhost/vhost_user.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
+index 40c4520..02962fc 100644
+--- a/lib/librte_vhost/vhost_user.c
+++ b/lib/librte_vhost/vhost_user.c
+@@ -2060,10 +2060,10 @@ vhost_user_set_log_base(struct virtio_net **pdev, struct VhostUserMsg *msg,
+ 	size = msg->payload.log.mmap_size;
+ 	off  = msg->payload.log.mmap_offset;
+ 
+-	/* Don't allow mmap_offset to point outside the mmap region */
+-	if (off > size) {
+	/* Check for mmap size and offset overflow. */
+	if (off >= -size) {
+ 		RTE_LOG(ERR, VHOST_CONFIG,
+-			"log offset %#"PRIx64" exceeds log size %#"PRIx64"\n",
+			"log offset %#"PRIx64" and log size %#"PRIx64" overflow\n",
+ 			off, size);
+ 		return RTE_VHOST_MSG_RESULT_ERR;
+ 	}
+-- 
+cgit v1.0
+
--- a/CVE-2020-10723.patch
+++ b/CVE-2020-10723.patch
@ -0,0 +1,57 @@
+From 8e9652b0b616a3704b5cb5a3dccb2c239e16ab9c Mon Sep 17 00:00:00 2001
+From: Maxime Coquelin <maxime.coquelin@redhat.com>
+Date: Tue, 21 Apr 2020 18:17:43 +0200
+Subject: vhost: fix vring index check
+
+vhost_user_check_and_alloc_queue_pair() is used to extract
+a vring index from a payload. This function validates the
+index and is called early on in when performing message
+handling. Most message handlers depend on it correctly
+validating the vring index.
+
+Depending on the message type the vring index is in
+different parts of the payload. The function contains a
+switch/case for each type and copies the index. This is
+stored in a uint16. This index is then validated. Depending
+on the message, the source index is an unsigned int. If
+integer truncation occurs (uint->uint16) the top 16 bits
+of the index are never validated.
+
+When they are used later on  (e.g. in
+vhost_user_set_vring_num() or vhost_user_set_vring_addr())
+it can lead to out of bound indexing. The out of bound
+indexed data gets written to, and hence this can cause
+memory corruption.
+
+This patch fixes this vulnerability by declaring vring
+index as an unsigned int in
+vhost_user_check_and_alloc_queue_pair().
+
+Fixes: 160cbc815b41 ("vhost: remove a hack on queue allocation")
+
+This issue has been assigned CVE-2020-10723
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
+Reviewed-by: Xiaolong Ye <xiaolong.ye@intel.com>
+Reviewed-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+---
+ lib/librte_vhost/vhost_user.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
+index 02962fc..d196142 100644
+--- a/lib/librte_vhost/vhost_user.c
+++ b/lib/librte_vhost/vhost_user.c
+@@ -2508,7 +2508,7 @@ static int
+ vhost_user_check_and_alloc_queue_pair(struct virtio_net *dev,
+ 			struct VhostUserMsg *msg)
+ {
+-	uint16_t vring_idx;
+	uint32_t vring_idx;
+ 
+ 	switch (msg->request.master) {
+ 	case VHOST_USER_SET_VRING_KICK:
+-- 
+cgit v1.0
+
--- a/CVE-2020-10724.patch
+++ b/CVE-2020-10724.patch
@ -0,0 +1,76 @@
+From 963b6eea05f3ee720fcfecd110e20f61b92205d6 Mon Sep 17 00:00:00 2001
+From: Maxime Coquelin <maxime.coquelin@redhat.com>
+Date: Tue, 21 Apr 2020 19:10:09 +0200
+Subject: vhost/crypto: validate keys lengths
+
+transform_cipher_param() and transform_chain_param() handle
+the payload data for the VHOST_USER_CRYPTO_CREATE_SESS
+message. These payloads have to be validated, since it
+could come from untrusted sources.
+
+Two buffers and their lenghts are defined in this payload,
+one the the auth key and one for the cipher key. But above
+functions do not validate the key length inputs, which could
+lead to read out of bounds, as buffers have static sizes of
+64 bytes for the cipher key and 512 bytes for the auth key.
+
+This patch adds necessary checks on the key length field
+before being used.
+
+Fixes: e80a98708166 ("vhost/crypto: add session message handler")
+
+This issue has been assigned CVE-2020-10724
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
+Reviewed-by: Xiaolong Ye <xiaolong.ye@intel.com>
+Reviewed-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+---
+ lib/librte_vhost/vhost_crypto.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/lib/librte_vhost/vhost_crypto.c b/lib/librte_vhost/vhost_crypto.c
+index 6891197..07a4115 100644
+--- a/lib/librte_vhost/vhost_crypto.c
+++ b/lib/librte_vhost/vhost_crypto.c
+@@ -237,6 +237,11 @@ transform_cipher_param(struct rte_crypto_sym_xform *xform,
+ 	if (unlikely(ret < 0))
+ 		return ret;
+ 
+	if (param->cipher_key_len > VHOST_USER_CRYPTO_MAX_CIPHER_KEY_LENGTH) {
+		VC_LOG_DBG("Invalid cipher key length\n");
+		return -VIRTIO_CRYPTO_BADMSG;
+	}
+
+ 	xform->type = RTE_CRYPTO_SYM_XFORM_CIPHER;
+ 	xform->cipher.key.length = param->cipher_key_len;
+ 	if (xform->cipher.key.length > 0)
+@@ -287,6 +292,12 @@ transform_chain_param(struct rte_crypto_sym_xform *xforms,
+ 			&xform_cipher->cipher.algo);
+ 	if (unlikely(ret < 0))
+ 		return ret;
+
+	if (param->cipher_key_len > VHOST_USER_CRYPTO_MAX_CIPHER_KEY_LENGTH) {
+		VC_LOG_DBG("Invalid cipher key length\n");
+		return -VIRTIO_CRYPTO_BADMSG;
+	}
+
+ 	xform_cipher->type = RTE_CRYPTO_SYM_XFORM_CIPHER;
+ 	xform_cipher->cipher.key.length = param->cipher_key_len;
+ 	xform_cipher->cipher.key.data = param->cipher_key_buf;
+@@ -301,6 +312,12 @@ transform_chain_param(struct rte_crypto_sym_xform *xforms,
+ 	ret = auth_algo_transform(param->hash_algo, &xform_auth->auth.algo);
+ 	if (unlikely(ret < 0))
+ 		return ret;
+
+	if (param->auth_key_len > VHOST_USER_CRYPTO_MAX_HMAC_KEY_LENGTH) {
+		VC_LOG_DBG("Invalid auth key length\n");
+		return -VIRTIO_CRYPTO_BADMSG;
+	}
+
+ 	xform_auth->auth.digest_length = param->digest_len;
+ 	xform_auth->auth.key.length = param->auth_key_len;
+ 	xform_auth->auth.key.data = param->auth_key_buf;
+-- 
+cgit v1.0
+
--- a/CVE-2020-10725.patch
+++ b/CVE-2020-10725.patch
@ -0,0 +1,44 @@
+From cd0ea71bb6a7d1c503bf2f6f1e3c455cf246d9a1 Mon Sep 17 00:00:00 2001
+From: Marvin Liu <yong.liu@intel.com>
+Date: Wed, 8 Apr 2020 17:13:55 +0800
+Subject: vhost: fix translated address not checked
+
+Malicious guest can construct desc with invalid address and zero buffer
+length. That will request vhost to check both translated address and
+translated data length. This patch will add missed address check.
+
+Fixes: 75ed51697820 ("vhost: add packed ring batch dequeue")
+Fixes: ef861692c398 ("vhost: add packed ring batch enqueue")
+
+This issue has been assigned CVE-2020-10725
+
+Signed-off-by: Marvin Liu <yong.liu@intel.com>
+Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
+---
+ lib/librte_vhost/virtio_net.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
+index ac2842b..33f1025 100644
+--- a/lib/librte_vhost/virtio_net.c
+++ b/lib/librte_vhost/virtio_net.c
+@@ -1086,6 +1086,8 @@ virtio_dev_rx_batch_packed(struct virtio_net *dev,
+ 						  VHOST_ACCESS_RW);
+ 
+ 	vhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {
+		if (unlikely(!desc_addrs[i]))
+			return -1;
+ 		if (unlikely(lens[i] != descs[avail_idx + i].len))
+ 			return -1;
+ 	}
+@@ -1841,6 +1843,8 @@ vhost_reserve_avail_batch_packed(struct virtio_net *dev,
+ 	}
+ 
+ 	vhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {
+		if (unlikely(!desc_addrs[i]))
+			return -1;
+ 		if (unlikely((lens[i] != descs[avail_idx + i].len)))
+ 			return -1;
+ 	}
+-- 
+cgit v1.0
--- a/CVE-2020-10726.patch
+++ b/CVE-2020-10726.patch
@ -0,0 +1,51 @@
+From 95e1f29c26777ee36456e340ed9c2b07472add28 Mon Sep 17 00:00:00 2001
+From: Xiaolong Ye <xiaolong.ye@intel.com>
+Date: Wed, 8 Apr 2020 15:31:35 +0800
+Subject: vhost: fix potential memory space leak
+
+A malicious container which has direct access to the vhost-user socket
+can keep sending VHOST_USER_GET_INFLIGHT_FD messages which may cause
+leaking resources until resulting a DOS. Fix it by unmapping the
+dev->inflight_info->addr before assigning new mapped addr to it.
+
+Fixes: d87f1a1cb7b6 ("vhost: support inflight info sharing")
+
+This issue has been assigned CVE-2020-10726
+
+Signed-off-by: Xiaolong Ye <xiaolong.ye@intel.com>
+Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
+---
+ lib/librte_vhost/vhost_user.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
+index d196142..2a4ba20 100644
+--- a/lib/librte_vhost/vhost_user.c
+++ b/lib/librte_vhost/vhost_user.c
+@@ -1440,6 +1440,11 @@ vhost_user_get_inflight_fd(struct virtio_net **pdev,
+ 	}
+ 	memset(addr, 0, mmap_size);
+ 
+	if (dev->inflight_info->addr) {
+		munmap(dev->inflight_info->addr, dev->inflight_info->size);
+		dev->inflight_info->addr = NULL;
+	}
+
+ 	dev->inflight_info->addr = addr;
+ 	dev->inflight_info->size = msg->payload.inflight.mmap_size = mmap_size;
+ 	dev->inflight_info->fd = msg->fds[0] = fd;
+@@ -1524,8 +1529,10 @@ vhost_user_set_inflight_fd(struct virtio_net **pdev, VhostUserMsg *msg,
+ 		}
+ 	}
+ 
+-	if (dev->inflight_info->addr)
+	if (dev->inflight_info->addr) {
+ 		munmap(dev->inflight_info->addr, dev->inflight_info->size);
+		dev->inflight_info->addr = NULL;
+	}
+ 
+ 	addr = mmap(0, mmap_size, PROT_READ | PROT_WRITE, MAP_SHARED,
+ 		    fd, mmap_offset);
+-- 
+cgit v1.0
+
--- a/dpdk.spec
+++ b/dpdk.spec
@ -1,11 +1,17 @@
 Name: dpdk
 Version: 19.11
-Release: 0
+Release: 1
 Packager: packaging@6wind.com
 URL: http://dpdk.org
 %global source_version  19.11
 Source: %{name}-%{version}.tar.xz

+Patch0: CVE-2020-10725.patch
+Patch1: CVE-2020-10722.patch
+Patch2: CVE-2020-10723.patch
+Patch3: CVE-2020-10724.patch
+Patch4: CVE-2020-10726.patch
+
 Summary: Data Plane Development Kit core
 Group: System Environment/Libraries
 License: BSD and LGPLv2 and GPLv2
@ -57,7 +63,12 @@ Requires:       dpdk = %{version}
 This package contains the pdump tool for capture the dpdk network packets.

 %prep
-%setup -q
+%setup -q -n %{name}-%{version}
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1

 %build
 namer=%{kern_devel_ver}
@ -159,5 +170,8 @@ strip -g $RPM_BUILD_ROOT/lib/modules/${namer}/extra/dpdk/rte_kni.ko
 /usr/sbin/depmod

 %changelog
+* Wed May 27 2020 chenxiang<rose.chen@huawei.com> - 19.11-1
+-fix CVE-2020-10722 CVE-2020-10723 CVE-2020-10724 CVE-2020-10725
+
 * Wed May 27 2020 openEuler dpdk version-release
 -first package