Bug 1828874 (CVE-2020-10723)

Summary: CVE-2020-10723 dpdk: librte_vhost Integer truncation in vhost_user_check_and_alloc_queue_pair()
Product: [Other] Security Response
Reporter: Michael Kaplan <mkaplan>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aconole, apevec, chrisw, ctrautma, dbecker, dblechte, dfediuck, eedri, fhallal, fleitner, hvyas, jhsiao, jjoyce, jschluet, kbasil, kfida, lhh, linville, lpeer, maxime.coquelin, mburns, mgoldboi, michal.skrivanek, mmirecki, nhorman, ovs-qe, ovs-team, ralongi, rhos-maint, rkhan, sbonazzo, sclewis, security-response-team, sherold, slinaber, tredaelli, yturgema
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: dpdk 20.02.1, dpdk 19.11.2, dpdk 18.11.8
Doc Type: If docs needed, set a value
Doc Text:
A memory corruption issue was found in DPDK versions 17.05 and above. This flaw is caused by an integer truncation on the index of a payload. Under certain circumstances, the index (a UInt) is copied and truncated into a uint16, which can lead to out of bound indexing and possible memory corruption.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-05-26 15:15:26 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1831388, 1831390, 1831391, 1831392, 1831393, 1831394, 1831395, 1831396, 1831397, 1835014, 1835015, 1835044, 1835045, 1836842, 1837024, 1837025, 1837056    
Bug Blocks: 1828925    

Description Michael Kaplan 2020-04-28 13:59:43 UTC
A vulnerability was found in DPDK through version 18.11. vhost_user_check_and_alloc_queue_pair() is used to extract a vring index from a payload. This function validates the index and is called early on when performing message handling. Most message handlers depend on it correctly validating the vring index. Depending on the message type, the vring index is in different parts of the payload. The function contains a switch/case for each type and copies the index. This is stored in a uint16. This index is then validated. Depending on the message, the source index is an unsigned int. If integer truncation occurs (uint->uint16), the top 16 bits of the index are never validated. When they are used later on (e.g. in vhost_user_set_vring_num() or vhost_user_set_vring_addr()) it can lead to out-of-bounds indexing. The out-of-bounds indexed data gets written to, and hence this can cause memory corruption.
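The truncation pattern the description refers to, as an added illustration that is not part of the bug report and is not DPDK's code: a toy checker that copies a 32-bit message index into a uint16_t before validating it, beside one that validates at the value's full width, and a stand-in for the later handler that indexes with the untruncated value. NR_VRING, struct toy_msg and all function names are assumptions made for this example.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed illustration of the flaw class described in the bug; it is not
 * DPDK code. NR_VRING, struct toy_msg and the functions below are assumptions
 * made for this example.
 */

#define NR_VRING 4u   /* assumed: the device owns four vrings */

/* Assumed message layout: the vring index arrives as a 32-bit unsigned field. */
struct toy_msg {
    uint32_t index;
};

/* Vulnerable pattern: the index is copied into a uint16_t before the bounds
 * check, so bits 16..31 are dropped by the check but survive in the message. */
static bool check_idx_truncated(const struct toy_msg *msg)
{
    uint16_t vring_idx = (uint16_t)msg->index;   /* uint32 -> uint16 truncation */
    return vring_idx < NR_VRING;
}

/* Fixed pattern: the check uses the same width as the value used afterwards. */
static bool check_idx_full(const struct toy_msg *msg)
{
    uint32_t vring_idx = msg->index;
    return vring_idx < NR_VRING;
}

/*
 * Models a handler that runs after the check and indexes the vring table with
 * the full-width value from the message. Returns -1 if the check rejects the
 * message, 1 if the check accepts it but the later access would be out of
 * bounds, and 0 if the access is in bounds.
 */
static int classify_access(const struct toy_msg *msg,
                           bool (*check)(const struct toy_msg *))
{
    if (!check(msg))
        return -1;
    return msg->index >= NR_VRING ? 1 : 0;
}

int main(void)
{
    /* Constructed inputs: in range, out of range, and out of range only in
     * the bits a uint16_t cannot hold (low 16 bits are 2, high bits set). */
    const struct toy_msg msgs[] = { { 2u }, { 5u }, { 0x10002u } };

    for (size_t i = 0; i < sizeof msgs / sizeof msgs[0]; i++) {
        printf("index 0x%" PRIx32 ": truncated check -> %d, full-width check -> %d\n",
               msgs[i].index,
               classify_access(&msgs[i], check_idx_truncated),
               classify_access(&msgs[i], check_idx_full));
    }
    return 0;
}
```

The third input is the interesting one: its low 16 bits are a valid index, so the truncated check accepts it, while the value the handler actually uses is far past the table. Validating at the source width (the approach of the upstream fix referenced later in this bug, which widens the `vring_idx` variable) rejects it before any handler runs; a compiler warning for implicit narrowing conversions (e.g. `-Wconversion` with GCC or Clang) flags this kind of copy at build time.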

Comment 1 Michael Kaplan 2020-04-28 13:59:47 UTC
Acknowledgments:

Name: Ferruh Yigit (Reporter)

Comment 4 Anten Skrabec 2020-05-05 03:39:17 UTC
Removed OpenStack 7 affects and added missing affects for OpenStack and Fast Datapath.

Comment 11 RaTasha Tillery-Smith 2020-05-18 15:15:50 UTC
Statement:

This issue did not affect the versions of Ceph as shipped with Red Hat Ceph Storage 3 and 4, as they did not include support for DPDK.

Comment 12 Mauro Matteo Cascella 2020-05-18 15:51:00 UTC
Commit that first introduced the affected `uint16_t vring_idx` variable in DPDK upstream version 17.05:
  -> http://git.dpdk.org/dpdk/commit/?id=160cbc815b41f45af826136785806c887a7851a1

I've altered the DocText to include that version.

Comment 15 Nick Tait 2020-05-18 18:36:58 UTC
Created dpdk tracking bugs for this issue:

Affects: fedora-all [bug 1837056]

Comment 16 Mauro Matteo Cascella 2020-05-19 13:21:27 UTC
Upstream fix:
https://git.dpdk.org/dpdk/commit/?id=c78d94189dced04def987a17f16097fcb197a186

Comment 18 errata-xmlrpc 2020-05-26 11:20:49 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2020:2297 https://access.redhat.com/errata/RHSA-2020:2297

Comment 19 errata-xmlrpc 2020-05-26 11:23:37 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2020:2295 https://access.redhat.com/errata/RHSA-2020:2295

Comment 20 errata-xmlrpc 2020-05-26 11:25:10 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 7

Via RHSA-2020:2296 https://access.redhat.com/errata/RHSA-2020:2296

Comment 21 errata-xmlrpc 2020-05-26 11:29:00 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 7

Via RHSA-2020:2298 https://access.redhat.com/errata/RHSA-2020:2298

Comment 22 Product Security DevOps Team 2020-05-26 15:15:26 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10723

Comment 24 errata-xmlrpc 2020-06-23 14:26:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2020:2683 https://access.redhat.com/errata/RHSA-2020:2683

Comment 27 errata-xmlrpc 2020-09-30 10:10:31 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7
  Red Hat Virtualization Engine 4.3

Via RHSA-2020:4114 https://access.redhat.com/errata/RHSA-2020:4114

Comment 28 errata-xmlrpc 2020-11-04 04:02:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4806 https://access.redhat.com/errata/RHSA-2020:4806

Comment 29 errata-xmlrpc 2021-03-18 13:07:48 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2021:0931 https://access.redhat.com/errata/RHSA-2021:0931