From 4ec9a79d56ffc14d9dc42cf9065f01b277a9b11b Mon Sep 17 00:00:00 2001
From: chxssg
Date: Mon, 24 Aug 2020 16:43:29 +0800
Subject: [PATCH] fix CVE-2020-10722 CVE-2020-10723 CVE-2020-10724 CVE-2020-10725 CVE-2020-10726
---
 CVE-2020-10722.patch | 48 ++++++++++++++++++++++++++++
 CVE-2020-10723.patch | 57 +++++++++++++++++++++++++++++++++
 CVE-2020-10724.patch | 76 ++++++++++++++++++++++++++++++++++++++++++++
 CVE-2020-10725.patch | 44 +++++++++++++++++++++++++
 CVE-2020-10726.patch | 51 +++++++++++++++++++++++++++++
 dpdk.spec | 18 +++++++++--
 6 files changed, 292 insertions(+), 2 deletions(-)
 create mode 100644 CVE-2020-10722.patch
 create mode 100644 CVE-2020-10723.patch
 create mode 100644 CVE-2020-10724.patch
 create mode 100644 CVE-2020-10725.patch
 create mode 100644 CVE-2020-10726.patch
diff --git a/CVE-2020-10722.patch b/CVE-2020-10722.patch
new file mode 100644
index 0000000..15c19d9
--- /dev/null
+++ b/CVE-2020-10722.patch
@@ -0,0 +1,48 @@
+From 2cf9c470ebff0091e41af85f16ab906fd98cf9af Mon Sep 17 00:00:00 2001
+From: Maxime Coquelin
+Date: Tue, 21 Apr 2020 11:16:56 +0200
+Subject: vhost: check log mmap offset and size overflow
+
+vhost_user_set_log_base() is a message handler that is
+called to handle the VHOST_USER_SET_LOG_BASE message.
+Its payload contains a 64 bit size and offset. Both are
+added up and used as a size when calling mmap().
+
+There is no integer overflow check. If an integer overflow
+occurs a smaller memory map would be created than
+requested. Since the returned mapping is mapped as writable
+and used for logging, a memory corruption could occur.
+
+Fixes: fbc4d248b198 ("vhost: fix offset while mmaping log base address")
+
+This issue has been assigned CVE-2020-10722
+
+Reported-by: Ilja Van Sprundel
+Signed-off-by: Maxime Coquelin
+Reviewed-by: Xiaolong Ye
+Reviewed-by: Ilja Van Sprundel
+---
+ lib/librte_vhost/vhost_user.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
+index 40c4520..02962fc 100644
+--- a/lib/librte_vhost/vhost_user.c
++++ b/lib/librte_vhost/vhost_user.c
+@@ -2060,10 +2060,10 @@ vhost_user_set_log_base(struct virtio_net **pdev, struct VhostUserMsg *msg,
+ size = msg->payload.log.mmap_size;
+ off = msg->payload.log.mmap_offset;
+ 
+- /* Don't allow mmap_offset to point outside the mmap region */
+- if (off > size) {
++ /* Check for mmap size and offset overflow. */
++ if (off >= -size) {
+ RTE_LOG(ERR, VHOST_CONFIG,
+- "log offset %#"PRIx64" exceeds log size %#"PRIx64"\n",
++ "log offset %#"PRIx64" and log size %#"PRIx64" overflow\n",
+ off, size);
+ return RTE_VHOST_MSG_RESULT_ERR;
+ }
+--
+cgit v1.0
+
diff --git a/CVE-2020-10723.patch b/CVE-2020-10723.patch
new file mode 100644
index 0000000..045a330
--- /dev/null
+++ b/CVE-2020-10723.patch
@@ -0,0 +1,57 @@
+From 8e9652b0b616a3704b5cb5a3dccb2c239e16ab9c Mon Sep 17 00:00:00 2001
+From: Maxime Coquelin
+Date: Tue, 21 Apr 2020 18:17:43 +0200
+Subject: vhost: fix vring index check
+
+vhost_user_check_and_alloc_queue_pair() is used to extract
+a vring index from a payload. This function validates the
+index and is called early on in when performing message
+handling. Most message handlers depend on it correctly
+validating the vring index.
+
+Depending on the message type the vring index is in
+different parts of the payload. The function contains a
+switch/case for each type and copies the index. This is
+stored in a uint16. This index is then validated. Depending
+on the message, the source index is an unsigned int. If
+integer truncation occurs (uint->uint16) the top 16 bits
+of the index are never validated.
+
+When they are used later on (e.g. in
+vhost_user_set_vring_num() or vhost_user_set_vring_addr())
+it can lead to out of bound indexing. The out of bound
+indexed data gets written to, and hence this can cause
+memory corruption.
+
+This patch fixes this vulnerability by declaring vring
+index as an unsigned int in
+vhost_user_check_and_alloc_queue_pair().
+
+Fixes: 160cbc815b41 ("vhost: remove a hack on queue allocation")
+
+This issue has been assigned CVE-2020-10723
+
+Reported-by: Ilja Van Sprundel
+Signed-off-by: Maxime Coquelin
+Reviewed-by: Xiaolong Ye
+Reviewed-by: Ilja Van Sprundel
+---
+ lib/librte_vhost/vhost_user.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
+index 02962fc..d196142 100644
+--- a/lib/librte_vhost/vhost_user.c
++++ b/lib/librte_vhost/vhost_user.c
+@@ -2508,7 +2508,7 @@ static int
+ vhost_user_check_and_alloc_queue_pair(struct virtio_net *dev,
+ struct VhostUserMsg *msg)
+ {
+- uint16_t vring_idx;
++ uint32_t vring_idx;
+ 
+ switch (msg->request.master) {
+ case VHOST_USER_SET_VRING_KICK:
+--
+cgit v1.0
+
diff --git a/CVE-2020-10724.patch b/CVE-2020-10724.patch
new file mode 100644
index 0000000..729d4db
--- /dev/null
+++ b/CVE-2020-10724.patch
@@ -0,0 +1,76 @@
+From 963b6eea05f3ee720fcfecd110e20f61b92205d6 Mon Sep 17 00:00:00 2001
+From: Maxime Coquelin
+Date: Tue, 21 Apr 2020 19:10:09 +0200
+Subject: vhost/crypto: validate keys lengths
+
+transform_cipher_param() and transform_chain_param() handle
+the payload data for the VHOST_USER_CRYPTO_CREATE_SESS
+message. These payloads have to be validated, since it
+could come from untrusted sources.
+
+Two buffers and their lenghts are defined in this payload,
+one the the auth key and one for the cipher key. But above
+functions do not validate the key length inputs, which could
+lead to read out of bounds, as buffers have static sizes of
+64 bytes for the cipher key and 512 bytes for the auth key.
+
+This patch adds necessary checks on the key length field
+before being used.
+
+Fixes: e80a98708166 ("vhost/crypto: add session message handler")
+
+This issue has been assigned CVE-2020-10724
+
+Reported-by: Ilja Van Sprundel
+Signed-off-by: Maxime Coquelin
+Reviewed-by: Xiaolong Ye
+Reviewed-by: Ilja Van Sprundel
+---
+ lib/librte_vhost/vhost_crypto.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/lib/librte_vhost/vhost_crypto.c b/lib/librte_vhost/vhost_crypto.c
+index 6891197..07a4115 100644
+--- a/lib/librte_vhost/vhost_crypto.c
++++ b/lib/librte_vhost/vhost_crypto.c
+@@ -237,6 +237,11 @@ transform_cipher_param(struct rte_crypto_sym_xform *xform,
+ if (unlikely(ret < 0))
+ return ret;
+ 
++ if (param->cipher_key_len > VHOST_USER_CRYPTO_MAX_CIPHER_KEY_LENGTH) {
++ VC_LOG_DBG("Invalid cipher key length\n");
++ return -VIRTIO_CRYPTO_BADMSG;
++ }
++
+ xform->type = RTE_CRYPTO_SYM_XFORM_CIPHER;
+ xform->cipher.key.length = param->cipher_key_len;
+ if (xform->cipher.key.length > 0)
+@@ -287,6 +292,12 @@ transform_chain_param(struct rte_crypto_sym_xform *xforms,
+ &xform_cipher->cipher.algo);
+ if (unlikely(ret < 0))
+ return ret;
++
++ if (param->cipher_key_len > VHOST_USER_CRYPTO_MAX_CIPHER_KEY_LENGTH) {
++ VC_LOG_DBG("Invalid cipher key length\n");
++ return -VIRTIO_CRYPTO_BADMSG;
++ }
++
+ xform_cipher->type = RTE_CRYPTO_SYM_XFORM_CIPHER;
+ xform_cipher->cipher.key.length = param->cipher_key_len;
+ xform_cipher->cipher.key.data = param->cipher_key_buf;
+@@ -301,6 +312,12 @@ transform_chain_param(struct rte_crypto_sym_xform *xforms,
+ ret = auth_algo_transform(param->hash_algo, &xform_auth->auth.algo);
+ if (unlikely(ret < 0))
+ return ret;
++
++ if (param->auth_key_len > VHOST_USER_CRYPTO_MAX_HMAC_KEY_LENGTH) {
++ VC_LOG_DBG("Invalid auth key length\n");
++ return -VIRTIO_CRYPTO_BADMSG;
++ }
++
+ xform_auth->auth.digest_length = param->digest_len;
+ xform_auth->auth.key.length = param->auth_key_len;
+ xform_auth->auth.key.data = param->auth_key_buf;
+--
+cgit v1.0
+
diff --git a/CVE-2020-10725.patch b/CVE-2020-10725.patch
new file mode 100644
index 0000000..a6eba33
--- /dev/null
+++ b/CVE-2020-10725.patch
@@ -0,0 +1,44 @@
+From cd0ea71bb6a7d1c503bf2f6f1e3c455cf246d9a1 Mon Sep 17 00:00:00 2001
+From: Marvin Liu
+Date: Wed, 8 Apr 2020 17:13:55 +0800
+Subject: vhost: fix translated address not checked
+
+Malicious guest can construct desc with invalid address and zero buffer
+length. That will request vhost to check both translated address and
+translated data length. This patch will add missed address check.
+
+Fixes: 75ed51697820 ("vhost: add packed ring batch dequeue")
+Fixes: ef861692c398 ("vhost: add packed ring batch enqueue")
+
+This issue has been assigned CVE-2020-10725
+
+Signed-off-by: Marvin Liu
+Reviewed-by: Maxime Coquelin
+---
+ lib/librte_vhost/virtio_net.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
+index ac2842b..33f1025 100644
+--- a/lib/librte_vhost/virtio_net.c
++++ b/lib/librte_vhost/virtio_net.c
+@@ -1086,6 +1086,8 @@ virtio_dev_rx_batch_packed(struct virtio_net *dev,
+ VHOST_ACCESS_RW);
+ 
+ vhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {
++ if (unlikely(!desc_addrs[i]))
++ return -1;
+ if (unlikely(lens[i] != descs[avail_idx + i].len))
+ return -1;
+ }
+@@ -1841,6 +1843,8 @@ vhost_reserve_avail_batch_packed(struct virtio_net *dev,
+ }
+ 
+ vhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {
++ if (unlikely(!desc_addrs[i]))
++ return -1;
+ if (unlikely((lens[i] != descs[avail_idx + i].len)))
+ return -1;
+ }
+--
+cgit v1.0
\ No newline at end of file
diff --git a/CVE-2020-10726.patch b/CVE-2020-10726.patch
new file mode 100644
index 0000000..853ef90
--- /dev/null
+++ b/CVE-2020-10726.patch
@@ -0,0 +1,51 @@
+From 95e1f29c26777ee36456e340ed9c2b07472add28 Mon Sep 17 00:00:00 2001
+From: Xiaolong Ye
+Date: Wed, 8 Apr 2020 15:31:35 +0800
+Subject: vhost: fix potential memory space leak
+
+A malicious container which has direct access to the vhost-user socket
+can keep sending VHOST_USER_GET_INFLIGHT_FD messages which may cause
+leaking resources until resulting a DOS. Fix it by unmapping the
+dev->inflight_info->addr before assigning new mapped addr to it.
+
+Fixes: d87f1a1cb7b6 ("vhost: support inflight info sharing")
+
+This issue has been assigned CVE-2020-10726
+
+Signed-off-by: Xiaolong Ye
+Reviewed-by: Maxime Coquelin
+---
+ lib/librte_vhost/vhost_user.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
+index d196142..2a4ba20 100644
+--- a/lib/librte_vhost/vhost_user.c
++++ b/lib/librte_vhost/vhost_user.c
+@@ -1440,6 +1440,11 @@ vhost_user_get_inflight_fd(struct virtio_net **pdev,
+ }
+ memset(addr, 0, mmap_size);
+ 
++ if (dev->inflight_info->addr) {
++ munmap(dev->inflight_info->addr, dev->inflight_info->size);
++ dev->inflight_info->addr = NULL;
++ }
++
+ dev->inflight_info->addr = addr;
+ dev->inflight_info->size = msg->payload.inflight.mmap_size = mmap_size;
+ dev->inflight_info->fd = msg->fds[0] = fd;
+@@ -1524,8 +1529,10 @@ vhost_user_set_inflight_fd(struct virtio_net **pdev, VhostUserMsg *msg,
+ }
+ }
+ 
+- if (dev->inflight_info->addr)
++ if (dev->inflight_info->addr) {
+ munmap(dev->inflight_info->addr, dev->inflight_info->size);
++ dev->inflight_info->addr = NULL;
++ }
+ 
+ addr = mmap(0, mmap_size, PROT_READ | PROT_WRITE, MAP_SHARED,
+ fd, mmap_offset);
+--
+cgit v1.0
+
diff --git a/dpdk.spec b/dpdk.spec
index a820624..a18fff4 100644
--- a/dpdk.spec
+++ b/dpdk.spec
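Review bot: The new munmap() block in vhost_user_get_inflight_fd() releases the stale mapping, but the context line right after it, `dev->inflight_info->fd = msg->fds[0] = fd;`, still overwrites the previously stored descriptor without closing it, so a peer repeating VHOST_USER_GET_INFLIGHT_FD may still leak one fd per message unless that descriptor is closed somewhere outside the hunk. The second hunk in vhost_user_set_inflight_fd() has the same shape: only the mapping is released before the new mmap(), and the old fd is presumably replaced further down the function. Pairing each unmap with `if (dev->inflight_info->fd >= 0) { close(dev->inflight_info->fd); dev->inflight_info->fd = -1; }` would close the gap, assuming the field is initialised to -1 where inflight_info is allocated, which is not visible here. Both enclosing functions begin and end outside the hunk, and since this file is a verbatim upstream backport the follow-up belongs in a separate patch rather than an edit to this one.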
@@ -1,11 +1,17 @@
 Name: dpdk
 Version: 19.11
-Release: 0
+Release: 1
 Packager: packaging@6wind.com
 URL: http://dpdk.org
 %global source_version 19.11
 Source: %{name}-%{version}.tar.xz
+Patch0: CVE-2020-10725.patch
+Patch1: CVE-2020-10722.patch
+Patch2: CVE-2020-10723.patch
+Patch3: CVE-2020-10724.patch
+Patch4: CVE-2020-10726.patch
+
 
 Summary: Data Plane Development Kit core
 Group: System Environment/Libraries
 License: BSD and LGPLv2 and GPLv2
@@ -57,7 +63,12 @@ Requires: dpdk = %{version}
 This package contains the pdump tool for capture the dpdk network packets.
 
 %prep
-%setup -q
+%setup -q -n %{name}-%{version}
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
 
 %build
 namer=%{kern_devel_ver}
@@ -159,5 +170,8 @@ strip -g $RPM_BUILD_ROOT/lib/modules/${namer}/extra/dpdk/rte_kni.ko
 /usr/sbin/depmod
 
 %changelog
+* Wed May 27 2020 chenxiang - 19.11-1
+-fix CVE-2020-10722 CVE-2020-10723 CVE-2020-10724 CVE-2020-10725
+
 * Wed May 27 2020 openEuler dpdk version-release
 -first package
-- Gitee
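Review bot: The %changelog entry added in the last hunk names CVE-2020-10722 through CVE-2020-10725 but omits CVE-2020-10726, which Patch4 applies and the commit subject lists; the line should read `-fix CVE-2020-10722 CVE-2020-10723 CVE-2020-10724 CVE-2020-10725 CVE-2020-10726`. The entry is also dated Wed May 27 2020, the same day as the initial package entry, while the commit itself is from 24 Aug 2020; rpmbuild accepts equal dates, but the changelog date is normally the day the change was made. As a point of style, the Patch0..Patch4 list in the first hunk is not in CVE-number order (Patch0 is CVE-2020-10725 while Patch1 is CVE-2020-10722), which makes it harder to check the list against the subject line; the vhost_user.c patches do chain correctly in the order given, so only the numbering would change.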