CVE-2020-10722
DPDK librte_vhost: Integer overflow in vhost_user_set_log_base()

[PRODUCT]: DPDK (https://dpdk.org)
[VERSION]: v18.11+
[SEVERITY]: 5.1 (Medium) - CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H
[REFERENCES]: https://bugs.dpdk.org/show_bug.cgi?id=267
[DESCRIPTION]: vhost_user_set_log_base() is the message handler for the VHOST_USER_SET_LOG_BASE message. Its payload contains a 64-bit size and a 64-bit offset. The two are added together and the sum is used as the length passed to mmap(). There is no integer overflow check, so if the addition wraps, a smaller memory map is created than was requested. Since the returned mapping is writable and is used for logging, it seems highly likely that memory corruption can occur.
Reporter: Ilja Van Sprundel <ivansprundel@ioactive.com>
Created attachment 99: vhost: check log mmap offset and size overflow
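The failure mode described above is a wrapped 64-bit addition of two attacker-supplied payload fields being used as an mmap() length. The following is an added illustration, not DPDK's code or the attached patch: a simplified model of the unchecked sum next to a hardened variant that rejects a payload whose offset + size would overflow, in the spirit of the "check log mmap offset and size overflow" fix. Function names, the payload fields and the sample values are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of what the unchecked handler computes: the 64-bit
 * size and offset from the VHOST_USER_SET_LOG_BASE payload are added in
 * uint64_t arithmetic, which wraps silently on overflow. The wrapped value
 * is what would be handed to mmap() as the mapping length. */
uint64_t unchecked_log_mmap_len(uint64_t mmap_size, uint64_t mmap_offset)
{
    return mmap_size + mmap_offset;
}

/* Hardened variant (constructed for this example, not DPDK's own code):
 * refuse the request if offset + size cannot be represented in 64 bits.
 * Returns 0 on success and stores the length in *out (if out != NULL);
 * returns -1 on overflow, in which case the handler should reject the
 * message instead of mapping and logging into a too-small region. */
int checked_log_mmap_len(uint64_t mmap_size, uint64_t mmap_offset, uint64_t *out)
{
    /* Overflow iff mmap_offset > UINT64_MAX - mmap_size; this form cannot
     * itself wrap, because mmap_size <= UINT64_MAX. */
    if (mmap_offset > UINT64_MAX - mmap_size)
        return -1;
    if (out != NULL)
        *out = mmap_size + mmap_offset;
    return 0;
}

int main(void)
{
    /* Constructed sample payloads: one benign, one that wraps. */
    const uint64_t benign_size = 1ULL << 20, benign_off = 4096;
    const uint64_t wrap_size = 1ULL << 20, wrap_off = UINT64_MAX - 4095;
    uint64_t len;

    printf("benign: unchecked=%llu checked=%s\n",
           (unsigned long long)unchecked_log_mmap_len(benign_size, benign_off),
           checked_log_mmap_len(benign_size, benign_off, &len) == 0 ? "ok" : "rejected");

    /* Unchecked: (2^20) + (2^64 - 4096) wraps to 2^20 - 4096 = 1044480 bytes,
     * far smaller than the caller asked for. Checked: rejected. */
    printf("wrap:   unchecked=%llu checked=%s\n",
           (unsigned long long)unchecked_log_mmap_len(wrap_size, wrap_off),
           checked_log_mmap_len(wrap_size, wrap_off, &len) == 0 ? "ok" : "rejected");
    return 0;
}
```

The comparison against UINT64_MAX - mmap_size is the standard wrap-free overflow test for unsigned addition; compilers also offer __builtin_add_overflow() for the same purpose. Whichever form is used, the important property is that the check happens before the sum reaches mmap(), so an overflowing request is refused rather than producing a writable mapping shorter than the logging code believes it to be.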
Commits:

main repo
https://git.dpdk.org/dpdk/commit/?id=3ae4beb079ce
https://git.dpdk.org/dpdk/commit/?id=c78d94189dce
https://git.dpdk.org/dpdk/commit/?id=acd4c92fa693
https://git.dpdk.org/dpdk/commit/?id=97ecc1c85c95
https://git.dpdk.org/dpdk/commit/?id=549de54c4f9f
https://git.dpdk.org/dpdk/commit/?id=e7debf602633

DPDK 20.02.1
https://git.dpdk.org/dpdk-stable/commit/?h=20.02&id=0545a19f5b99
https://git.dpdk.org/dpdk-stable/commit/?h=20.02&id=dca5d97491b4
https://git.dpdk.org/dpdk-stable/commit/?h=20.02&id=64a4d90c673e
https://git.dpdk.org/dpdk-stable/commit/?h=20.02&id=47791d99afe4
https://git.dpdk.org/dpdk-stable/commit/?h=20.02&id=74b0c5db0f1e
https://git.dpdk.org/dpdk-stable/commit/?h=20.02&id=a827e27d81cc

DPDK 18.11.8 (LTS)
https://git.dpdk.org/dpdk-stable/commit/?h=18.11&id=338f5eae5de73
https://git.dpdk.org/dpdk-stable/commit/?h=18.11&id=d87b67f57ef93
https://git.dpdk.org/dpdk-stable/commit/?h=18.11&id=5e4bc0f0e1e48

DPDK 19.11.2 (LTS)
https://git.dpdk.org/dpdk-stable/commit/?h=19.11&id=2cf9c470ebff
https://git.dpdk.org/dpdk-stable/commit/?h=19.11&id=8e9652b0b616
https://git.dpdk.org/dpdk-stable/commit/?h=19.11&id=963b6eea05f3
https://git.dpdk.org/dpdk-stable/commit/?h=19.11&id=cd0ea71bb6a7
https://git.dpdk.org/dpdk-stable/commit/?h=19.11&id=95e1f29c2677
https://git.dpdk.org/dpdk-stable/commit/?h=19.11&id=c9c630a117cf
To be more accurate:

Commits:

main repo
https://git.dpdk.org/dpdk/commit/?id=3ae4beb079ce

DPDK 20.02.1
https://git.dpdk.org/dpdk-stable/commit/?h=20.02&id=0545a19f5b99

DPDK 18.11.8 (LTS)
https://git.dpdk.org/dpdk-stable/commit/?h=18.11&id=338f5eae5de73

DPDK 19.11.2 (LTS)
https://git.dpdk.org/dpdk-stable/commit/?h=19.11&id=2cf9c470ebff