From 6a3a414698e45cf01bb1489ef81f4d663a88047b Mon Sep 17 00:00:00 2001 From: Fan Zhang Date: Thu, 16 Apr 2020 11:29:06 +0100 Subject: vhost/crypto: fix data length check This patch fixes the incorrect data length check to vhost crypto. Instead of blindly accepting the descriptor length as data length, the change compare the request provided data length and descriptor length first. The security issue CVE-2020-14374 is not fixed alone by this patch, part of the fix is done through: "vhost/crypto: fix missed request check for copy mode". CVE-2020-14374 Fixes: 3c79609fda7c ("vhost/crypto: handle virtually non-contiguous buffers") Cc: stable@dpdk.org Signed-off-by: Fan Zhang Acked-by: Chenbo Xia reference:https://git.dpdk.org/dpdk-stable/commit/?h=19.11&id=6a3a414698e4 Signed-off-by: gaoxingwang --- lib/librte_vhost/vhost_crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/librte_vhost/vhost_crypto.c b/lib/librte_vhost/vhost_crypto.c index f1cc32a..cf9aa25 100644 --- a/lib/librte_vhost/vhost_crypto.c +++ b/lib/librte_vhost/vhost_crypto.c @@ -624,7 +624,7 @@ copy_data(void *dst_data, struct vhost_crypto_data_req *vc_req, desc = &vc_req->head[desc->next]; rte_prefetch0(&vc_req->head[desc->next]); to_copy = RTE_MIN(desc->len, (uint32_t)left); - dlen = desc->len; + dlen = to_copy; src = IOVA_TO_VVA(uint8_t *, vc_req, desc->addr, &dlen, VHOST_ACCESS_RO); if (unlikely(!src || !dlen)) { -- cgit v1.0