Hello community, here is the log from the commit of package dpdk for openSUSE:Leap:15.2 checked in at 2020-05-23 16:07:32 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/dpdk (Old) and /work/SRC/openSUSE:Leap:15.2/.dpdk.new.2738 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dpdk" Sat May 23 16:07:32 2020 rev:41 rq:808208 version:18.11.3 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/dpdk/dpdk.changes 2020-03-02 17:21:54.382128012 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.dpdk.new.2738/dpdk.changes 2020-05-23 16:07:35.381074880 +0200 @@ -1,0 +2,12 @@ +Tue May 19 12:00:28 UTC 2020 - Jaime CaamaƱo Ruiz <[email protected]> + +- Add patches to fix vulnerability where malicious guest/container can + cause resource leak resulting a Denial-of-Service, or memory corruption + and crash, or information leak in vhost-user backend application + (bsc#1171477, CVE-2020-10722, CVE-2020-10723, CVE-2020-10724, + CVE-2020-10725, CVE-2020-10726). + * 0001-vhost-check-log-mmap-offset-and-size-overflow.patch + * 0002-vhost-fix-vring-index-check.patch + * 0003-vhost-crypto-validate-keys-lengths.patch + +------------------------------------------------------------------- New: ---- 0001-vhost-check-log-mmap-offset-and-size-overflow.patch 0002-vhost-fix-vring-index-check.patch 0003-vhost-crypto-validate-keys-lengths.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dpdk.spec ++++++ --- /var/tmp/diff_new_pack.N1EP39/_old 2020-05-23 16:07:35.809075798 +0200 +++ /var/tmp/diff_new_pack.N1EP39/_new 2020-05-23 16:07:35.813075806 +0200 @@ -73,6 +73,9 @@ Patch1: 0002-fix-cpu-compatibility.patch Patch2: 0001-vhost-fix-possible-denial-of-service-on-SET_VRING_NU.patch Patch3: 0002-vhost-fix-possible-denial-of-service-by-leaking-FDs.patch +Patch4: 0001-vhost-check-log-mmap-offset-and-size-overflow.patch +Patch5: 0002-vhost-fix-vring-index-check.patch +Patch6: 0003-vhost-crypto-validate-keys-lengths.patch BuildRequires: doxygen BuildRequires: fdupes BuildRequires: libelf-devel @@ -174,6 +177,9 @@ %patch1 -p1 -z .init %patch2 -p1 -z .init %patch3 -p1 -z .init +%patch4 -p1 -z .init +%patch5 -p1 -z .init +%patch6 -p1 -z .init # This fixes CROSS compilation (broken) in the mk file for ThunderX ++++++ 0001-vhost-check-log-mmap-offset-and-size-overflow.patch ++++++ >From 16b2a3114b0a70050f360c60b968ce867b43295a Mon Sep 17 00:00:00 2001 From: Maxime Coquelin <[email protected]> Date: Tue, 21 Apr 2020 11:16:56 +0200 Subject: [PATCH 1/3] vhost: check log mmap offset and size overflow vhost_user_set_log_base() is a message handler that is called to handle the VHOST_USER_SET_LOG_BASE message. Its payload contains a 64 bit size and offset. Both are added up and used as a size when calling mmap(). There is no integer overflow check. If an integer overflow occurs a smaller memory map would be created than requested. Since the returned mapping is mapped as writable and used for logging, a memory corruption could occur. Fixes: fbc4d248b198 ("vhost: fix offset while mmaping log base address") Cc: [email protected] This issue has been assigned CVE-2020-10722 Reported-by: Ilja Van Sprundel <[email protected]> Signed-off-by: Maxime Coquelin <[email protected]> Reviewed-by: Xiaolong Ye <[email protected]> Reviewed-by: Ilja Van Sprundel <[email protected]> --- lib/librte_vhost/vhost_user.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c index 2f4bbb342d..8d78c11b9b 100644 --- a/lib/librte_vhost/vhost_user.c +++ b/lib/librte_vhost/vhost_user.c @@ -1595,10 +1595,10 @@ vhost_user_set_log_base(struct virtio_net **pdev, struct VhostUserMsg *msg, size = msg->payload.log.mmap_size; off = msg->payload.log.mmap_offset; - /* Don't allow mmap_offset to point outside the mmap region */ - if (off > size) { + /* Check for mmap size and offset overflow. */ + if (off >= -size) { RTE_LOG(ERR, VHOST_CONFIG, - "log offset %#"PRIx64" exceeds log size %#"PRIx64"\n", + "log offset %#"PRIx64" and log size %#"PRIx64" overflow\n", off, size); return VH_RESULT_ERR; } -- 2.25.2 ++++++ 0002-vhost-fix-vring-index-check.patch ++++++ >From 54afbd7b8b0c03928b8aef95ec95c1e9baeecb79 Mon Sep 17 00:00:00 2001 From: Maxime Coquelin <[email protected]> Date: Tue, 21 Apr 2020 18:17:43 +0200 Subject: [PATCH 2/3] vhost: fix vring index check vhost_user_check_and_alloc_queue_pair() is used to extract a vring index from a payload. This function validates the index and is called early on in when performing message handling. Most message handlers depend on it correctly validating the vring index. Depending on the message type the vring index is in different parts of the payload. The function contains a switch/case for each type and copies the index. This is stored in a uint16. This index is then validated. Depending on the message, the source index is an unsigned int. If integer truncation occurs (uint->uint16) the top 16 bits of the index are never validated. When they are used later on (e.g. in vhost_user_set_vring_num() or vhost_user_set_vring_addr()) it can lead to out of bound indexing. The out of bound indexed data gets written to, and hence this can cause memory corruption. This patch fixes this vulnerability by declaring vring index as an unsigned int in vhost_user_check_and_alloc_queue_pair(). Fixes: 160cbc815b41 ("vhost: remove a hack on queue allocation") Cc: [email protected] This issue has been assigned CVE-2020-10723 Reported-by: Ilja Van Sprundel <[email protected]> Signed-off-by: Maxime Coquelin <[email protected]> Reviewed-by: Xiaolong Ye <[email protected]> Reviewed-by: Ilja Van Sprundel <[email protected]> --- lib/librte_vhost/vhost_user.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c index 8d78c11b9b..e4f72ba876 100644 --- a/lib/librte_vhost/vhost_user.c +++ b/lib/librte_vhost/vhost_user.c @@ -2062,7 +2062,7 @@ static int vhost_user_check_and_alloc_queue_pair(struct virtio_net *dev, struct VhostUserMsg *msg) { - uint16_t vring_idx; + uint32_t vring_idx; switch (msg->request.master) { case VHOST_USER_SET_VRING_KICK: -- 2.25.2 ++++++ 0003-vhost-crypto-validate-keys-lengths.patch ++++++ >From 9b4b29435b74b3e7c3230faef8fcd23e8b5fc93b Mon Sep 17 00:00:00 2001 From: Maxime Coquelin <[email protected]> Date: Tue, 21 Apr 2020 19:10:09 +0200 Subject: [PATCH 3/3] vhost/crypto: validate keys lengths transform_cipher_param() and transform_chain_param() handle the payload data for the VHOST_USER_CRYPTO_CREATE_SESS message. These payloads have to be validated, since it could come from untrusted sources. Two buffers and their lenghts are defined in this payload, one the the auth key and one for the cipher key. But above functions do not validate the key length inputs, which could lead to read out of bounds, as buffers have static sizes of 64 bytes for the cipher key and 512 bytes for the auth key. This patch adds necessary checks on the key length field before being used. Fixes: e80a98708166 ("vhost/crypto: add session message handler") Cc: [email protected] This issue has been assigned CVE-2020-10724 Reported-by: Ilja Van Sprundel <[email protected]> Signed-off-by: Maxime Coquelin <[email protected]> Reviewed-by: Xiaolong Ye <[email protected]> Reviewed-by: Ilja Van Sprundel <[email protected]> --- lib/librte_vhost/vhost_crypto.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/lib/librte_vhost/vhost_crypto.c b/lib/librte_vhost/vhost_crypto.c index cf01c7ebe3..8934365f2f 100644 --- a/lib/librte_vhost/vhost_crypto.c +++ b/lib/librte_vhost/vhost_crypto.c @@ -236,6 +236,11 @@ transform_cipher_param(struct rte_crypto_sym_xform *xform, if (unlikely(ret < 0)) return ret; + if (param->cipher_key_len > VHOST_USER_CRYPTO_MAX_CIPHER_KEY_LENGTH) { + VC_LOG_DBG("Invalid cipher key length\n"); + return -VIRTIO_CRYPTO_BADMSG; + } + xform->type = RTE_CRYPTO_SYM_XFORM_CIPHER; xform->cipher.key.length = param->cipher_key_len; if (xform->cipher.key.length > 0) @@ -286,6 +291,12 @@ transform_chain_param(struct rte_crypto_sym_xform *xforms, &xform_cipher->cipher.algo); if (unlikely(ret < 0)) return ret; + + if (param->cipher_key_len > VHOST_USER_CRYPTO_MAX_CIPHER_KEY_LENGTH) { + VC_LOG_DBG("Invalid cipher key length\n"); + return -VIRTIO_CRYPTO_BADMSG; + } + xform_cipher->type = RTE_CRYPTO_SYM_XFORM_CIPHER; xform_cipher->cipher.key.length = param->cipher_key_len; xform_cipher->cipher.key.data = param->cipher_key_buf; @@ -300,6 +311,12 @@ transform_chain_param(struct rte_crypto_sym_xform *xforms, ret = auth_algo_transform(param->hash_algo, &xform_auth->auth.algo); if (unlikely(ret < 0)) return ret; + + if (param->auth_key_len > VHOST_USER_CRYPTO_MAX_HMAC_KEY_LENGTH) { + VC_LOG_DBG("Invalid auth key length\n"); + return -VIRTIO_CRYPTO_BADMSG; + } + xform_auth->auth.digest_length = param->digest_len; xform_auth->auth.key.length = param->auth_key_len; xform_auth->auth.key.data = param->auth_key_buf; -- 2.25.2
