Bug 267 - librte_vhost: Integer overflow in vhost_user_set_log_base()
Summary: librte_vhost: Integer overflow in vhost_user_set_log_base()
Status: RESOLVED FIXED
Alias: None
Product: DPDK
Classification: Unclassified
Component: other
Version: unspecified
Hardware: All All
Importance: Normal normal
Target Milestone: future
Assignee: Security Team
Reported: 2019-05-06 14:35 CEST by Thomas Monjalon
Modified: 2020-05-18 16:34 CEST
Attachments
vhost: check log mmap offset and size overflow (1.82 KB, application/mbox)
2020-05-18 13:51 CEST, Ferruh YIGIT

Description Thomas Monjalon 2019-05-06 14:35:08 CEST

    
Comment 1 Ferruh YIGIT 2020-04-28 18:46:04 CEST
CVE-2020-10722
Comment 2 Ferruh YIGIT 2020-05-18 13:28:29 CEST
DPDK librte_vhost: Integer overflow in vhost_user_set_log_base()
[PRODUCT]: DPDK (https://dpdk.org)
[VERSION]: v18.11+
[SEVERITY]: 5.1 (Medium) - CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H
[REFERENCES]: https://bugs.dpdk.org/show_bug.cgi?id=267
[DESCRIPTION]:
  vhost_user_set_log_base() is a message handler that is called to
handle the VHOST_USER_SET_LOG_BASE message. Its payload contains a 64-bit
size and offset. Both are added up and used as a size when calling
mmap(). There is no integer overflow check. If an integer overflow
occurs, a smaller memory map would be created than requested. Since the
returned mapping is mapped as writable and used for logging, it seems
highly likely that memory corruption can occur.
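
The missing check described in comment 2, as an added example that is not part of the bug report or of the DPDK patch. The helper names, the 8 KiB temporary file and the request values are constructed, and the comparison against the backing file's size goes beyond what the report describes.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unchecked sum as described in the report: wraps silently modulo 2^64. */
static uint64_t unchecked_map_len(uint64_t size, uint64_t off) { return size + off; }

/* Checked sum: returns 0 and sets *len, or -1 if size is 0 or size + off wraps. */
static int checked_map_len(uint64_t size, uint64_t off, uint64_t *len)
{
    if (size == 0 || off > UINT64_MAX - size)
        return -1;
    *len = size + off;
    return 0;
}

/* Hypothetical helper (not a DPDK function): map size + off bytes of fd only
 * when the sum is overflow-free and fits inside the file backing fd. */
static void *map_log_region(int fd, uint64_t size, uint64_t off, uint64_t *len)
{
    struct stat st;
    if (checked_map_len(size, off, len) != 0)
        return NULL;                      /* integer overflow or empty request */
    if (fstat(fd, &st) != 0 || st.st_size < 0 || *len > (uint64_t)st.st_size)
        return NULL;                      /* larger than the backing object */
    void *p = mmap(NULL, (size_t)*len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* Constructed fixture: an 8 KiB temporary file standing in for the log fd. */
static int make_log_fd(void)
{
    FILE *f = tmpfile();
    if (f == NULL || ftruncate(fileno(f), 8192) != 0)
        return -1;
    return fileno(f);
}

int main(void)
{
    uint64_t len = 0, size = UINT64_MAX - 4095, off = 8192;  /* constructed values */
    int fd = make_log_fd();
    printf("unchecked length: %llu\n", (unsigned long long)unchecked_map_len(size, off));
    printf("checked mapping:  %p\n", fd < 0 ? NULL : map_log_region(fd, size, off, &len));
    return 0;
}
```

With the constructed values the unchecked sum wraps to 4096, so a 4 KiB mapping would stand in for a region the caller believes is close to 2^64 bytes; the checked path rejects the request before mmap() is reached.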
Comment 3 Ferruh YIGIT 2020-05-18 13:31:24 CEST
Reporter: Ilja Van Sprundel <ivansprundel@ioactive.com>
Comment 4 Ferruh YIGIT 2020-05-18 13:51:46 CEST
Created attachment 99
vhost: check log mmap offset and size overflow
