Bug 268 - librte_vhost: Integer truncation in vhost_user_check_and_alloc_queue_pair()
Summary: librte_vhost: Integer truncation in vhost_user_check_and_alloc_queue_pair()
Status: RESOLVED FIXED
Alias: None
Product: DPDK
Classification: Unclassified
Component: other
Version: unspecified
Hardware: All
OS: All
Priority: Normal
Severity: normal
Target Milestone: future
Assignee: Security Team
URL:
Depends on:
Blocks:
Reported: 2019-05-06 14:35 CEST by Thomas Monjalon
Modified: 2020-05-18 16:35 CEST (History)

Attachments
vhost: fix vring index check (2.03 KB, application/mbox)
2020-05-18 13:53 CEST, Ferruh YIGIT

Description Thomas Monjalon 2019-05-06 14:35:19 CEST
Comment 1 Ferruh YIGIT 2020-04-28 18:46:56 CEST
CVE-2020-10723
Comment 2 Ferruh YIGIT 2020-05-18 13:52:40 CEST
DPDK librte_vhost: Integer truncation in vhost_user_check_and_alloc_queue_pair()
 * Reporter: Ilja Van Sprundel <ivansprundel@ioactive.com>
 * Severity: 5.1 (Medium) - CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H
 * Affected versions: v18.11+
 * Acknowledgement: Yes, Ilja Van Sprundel <ivansprundel@ioactive.com>
 * Description:
  vhost_user_check_and_alloc_queue_pair() is used to extract a vring
index from a payload. This function validates the index and is called
early on when performing message handling. Most message handlers
depend on it correctly validating the vring index. Depending on the
message type the vring index is in different parts of the payload. The
function contains a switch/case for each type and copies the index. This
is stored in a uint16. This index is then validated. Depending on the
message, the source index is an unsigned int. If integer truncation
occurs (uint->uint16) the top 16 bits of the index are never validated.
When they are used later on (e.g. in vhost_user_set_vring_num() or
vhost_user_set_vring_addr()) it can lead to out of bound indexing. The
out of bound indexed data gets written to, and hence this can cause
memory corruption.
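The truncation described in the advisory above, as an added example that is not DPDK's code and not part of the original report: a stripped-down model of the check-then-use pattern. The struct layouts, the MAX_VRING bound, the message type id and the handler are assumptions chosen to mirror the shape of the bug, not the project's definitions. The vulnerable variant narrows the payload's unsigned int index to uint16_t before comparing it against the bound, so any index whose low 16 bits are small passes; the handler then indexes with the full-width value. The hardened variant keeps the index at full width for the check. The simulated handler reports an out-of-bounds store instead of performing it, so the program is memory-safe to run.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed per-device vring bound for this example (illustrative value). */
#define MAX_VRING 256

/* Shape of a SET_VRING_NUM payload: the index is a full-width unsigned int. */
struct vring_state {
    unsigned int index;
    unsigned int num;
};

enum msg_type {
    MSG_SET_VRING_NUM = 8,   /* example id; not taken from the vhost-user spec */
};

struct vhost_msg {
    enum msg_type type;
    union {
        struct vring_state state;
    } payload;
};

struct device {
    struct vring_state vring[MAX_VRING];
};

/* Vulnerable shape: the index is narrowed to uint16_t before the range check,
 * so bits 16..31 are silently dropped and never validated. */
static bool check_index_truncated(const struct vhost_msg *m)
{
    uint16_t vring_idx;

    switch (m->type) {
    case MSG_SET_VRING_NUM:
        vring_idx = (uint16_t)m->payload.state.index;  /* uint -> uint16_t */
        break;
    default:
        return true;
    }
    return vring_idx < MAX_VRING;
}

/* Hardened shape: validate the index at the width the payload carries. */
static bool check_index_full(const struct vhost_msg *m)
{
    uint32_t vring_idx;

    switch (m->type) {
    case MSG_SET_VRING_NUM:
        vring_idx = m->payload.state.index;
        break;
    default:
        return true;
    }
    return vring_idx < MAX_VRING;
}

/* Outcomes of the simulated handler. */
enum { REJECTED = -1, WRITTEN = 0, OOB_WRITE = 1 };

/* Simulated SET_VRING_NUM handler. Like the real handlers, it trusts the
 * earlier check and indexes with the full-width index from the payload.
 * An out-of-bounds store is reported rather than executed. */
static int handle_set_vring_num(struct device *dev, const struct vhost_msg *m,
                                bool (*check)(const struct vhost_msg *))
{
    unsigned int idx = m->payload.state.index;

    if (!check(m))
        return REJECTED;
    if (idx >= MAX_VRING)
        return OOB_WRITE;   /* dev->vring[idx].num = ... would corrupt memory */
    dev->vring[idx].num = m->payload.state.num;
    return WRITTEN;
}

/* Build a constructed SET_VRING_NUM message with the given index and run it
 * through the handler under the chosen check. */
static int run(unsigned int index, bool (*check)(const struct vhost_msg *))
{
    static struct device dev;
    struct vhost_msg m = {
        .type = MSG_SET_VRING_NUM,
        .payload.state = { .index = index, .num = 256 },
    };
    return handle_set_vring_num(&dev, &m, check);
}

int main(void)
{
    /* 0x10003 and 0xFFFF0000 both have low 16 bits below MAX_VRING. */
    const unsigned int samples[] = { 5u, 300u, 0x10003u, 0xFFFF0000u };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("index 0x%08x: truncated check -> %2d, full-width check -> %2d\n",
               samples[i], run(samples[i], check_index_truncated),
               run(samples[i], check_index_full));
    return 0;
}
```

An index of 300 is caught by both checks because no truncation happens below 65536; 0x10003 and 0xFFFF0000 pass the truncated check (their low halves are 3 and 0) and reach the handler with the original value, which is the out-of-bounds write the advisory describes. The general lesson carries beyond vhost: validate a value at the width it arrives in, and only narrow it after the comparison.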
Comment 3 Ferruh YIGIT 2020-05-18 13:53:08 CEST
Created attachment 100
vhost: fix vring index check