From patchwork Mon Sep 28 10:59:17 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ferruh Yigit X-Patchwork-Id: 79010 X-Patchwork-Delegate: thomas@monjalon.net
From: Ferruh Yigit To: Maxime Coquelin , Chenbo Xia , Zhihong Wang , Fan Zhang Cc: dev@dpdk.org, Ferruh Yigit , stable@dpdk.org Date: Mon, 28 Sep 2020 11:59:17 +0100 Message-Id: <20200928105918.740807-5-ferruh.yigit@intel.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200928105918.740807-1-ferruh.yigit@intel.com> References: <20200928105918.740807-1-ferruh.yigit@intel.com> MIME-Version: 1.0 Subject: [dpdk-dev] [PATCH 5/6] vhost/crypto: fix data length check X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" From: Fan Zhang This patch fixes the incorrect data length check to vhost crypto. Instead of blindly accepting the descriptor length as data length, the change compare the request provided data length and descriptor length first. The security issue CVE-2020-14374 is not fixed alone by this patch, part of the fix is done through: "vhost/crypto: fix missed request check for copy mode". CVE-2020-14374 Fixes: 3c79609fda7c ("vhost/crypto: handle virtually non-contiguous buffers") Cc: stable@dpdk.org Signed-off-by: Fan Zhang Acked-by: Chenbo Xia --- lib/librte_vhost/vhost_crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/librte_vhost/vhost_crypto.c b/lib/librte_vhost/vhost_crypto.c index f1cc32a9b2..cf9aa2566b 100644 --- a/lib/librte_vhost/vhost_crypto.c +++ b/lib/librte_vhost/vhost_crypto.c @@ -624,7 +624,7 @@ copy_data(void *dst_data, struct vhost_crypto_data_req *vc_req, desc = &vc_req->head[desc->next]; rte_prefetch0(&vc_req->head[desc->next]); to_copy = RTE_MIN(desc->len, (uint32_t)left); - dlen = desc->len; + dlen = to_copy; src = IOVA_TO_VVA(uint8_t *, vc_req, desc->addr, &dlen, VHOST_ACCESS_RO); if (unlikely(!src || !dlen)) {
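Review bot: In the copy_data() hunk, dlen is passed by address to IOVA_TO_VVA and the only visible check afterwards is "if (unlikely(!src || !dlen))", so a translation that comes back shorter than to_copy is not rejected at this point. Setting "dlen = to_copy" correctly stops the mapping request from covering the whole descriptor when the request needs less, but please confirm that the code following this check copies no more than the returned dlen per translation and handles the dlen < to_copy case explicitly. The clamp itself comes from "to_copy = RTE_MIN(desc->len, (uint32_t)left)" on the line above; the type of left is not visible in this hunk, so it is worth checking that the cast to uint32_t cannot turn a negative or oversized left into a large value, which would let desc->len win the minimum. Since the commit message says CVE-2020-14374 is only fully addressed together with "vhost/crypto: fix missed request check for copy mode", a short comment above the assignment explaining why dlen must be bounded by the remaining request length would help keep the two changes together in later refactoring and stable backports.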