git.droids-corp.org - dpdk.git/commit

author	Maxime Coquelin <maxime.coquelin@redhat.com>
	Mon, 18 May 2020 13:17:00 +0000 (14:17 +0100)
committer	David Marchand <david.marchand@redhat.com>
	Mon, 18 May 2020 13:18:58 +0000 (15:18 +0200)
commit	c78d94189dced04def987a17f16097fcb197a186
tree	1e1f073dced12c9b240fbb96dd526042d5ddea8b	tree \| snapshot
parent	3ae4beb079ce242240c34376a066bbccd0c0b23e	commit \| diff

vhost: fix vring index check

vhost_user_check_and_alloc_queue_pair() is used to extract
a vring index from a payload. This function validates the
index and is called early on in when performing message
handling. Most message handlers depend on it correctly
validating the vring index.

Depending on the message type the vring index is in
different parts of the payload. The function contains a
switch/case for each type and copies the index. This is
stored in a uint16. This index is then validated. Depending
on the message, the source index is an unsigned int. If
integer truncation occurs (uint->uint16) the top 16 bits
of the index are never validated.

When they are used later on (e.g. in
vhost_user_set_vring_num() or vhost_user_set_vring_addr())
it can lead to out of bound indexing. The out of bound
indexed data gets written to, and hence this can cause
memory corruption.

This patch fixes this vulnerability by declaring vring
index as an unsigned int in
vhost_user_check_and_alloc_queue_pair().

CVE-2020-10723
Fixes: 160cbc815b41 ("vhost: remove a hack on queue allocation")
Cc: stable@dpdk.org
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Reviewed-by: Xiaolong Ye <xiaolong.ye@intel.com>
Reviewed-by: Ilja Van Sprundel <ivansprundel@ioactive.com>