Bug 1828884 (CVE-2020-10724)

Summary: CVE-2020-10724 dpdk: librte_vhost Missing inputs validation in Vhost-crypto
Product: [Other] Security Response Reporter: Michael Kaplan <mkaplan>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aconole, apevec, chrisw, ctrautma, dbecker, dblechte, dfediuck, eedri, fhallal, fleitner, hvyas, jhsiao, jjoyce, jschluet, kbasil, lhh, linville, lpeer, maxime.coquelin, mburns, mcascell, mgoldboi, michal.skrivanek, mmirecki, nhorman, ovs-qe, ovs-team, ralongi, rhos-maint, rkhan, sbonazzo, sclewis, security-response-team, sherold, slinaber, tredaelli, yturgema
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: dpdk 20.02.1, dpdk 19.11.2, dkdk 18.11.8 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in DPDK versions 18.11 and above. The vhost-crypto library code is missing validations for user-supplied values, potentially allowing an information leak through an out-of-bounds memory read.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-05-18 21:15:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1831388, 1831389, 1831390, 1831391, 1831392, 1831393, 1831394, 1831395, 1831396, 1835014, 1835015, 1837057    
Bug Blocks: 1828925    

Description Michael Kaplan 2020-04-28 14:11:01 UTC 
A vulnerability was found in DPDK through version 18.11, The vhost crypto library code contains a post message handler (vhost_crypto_msg_post_handler) which calls vhost_crypto_create_sess() which in turn calls transform_cipher_param() depending on the operation type. It is transform_cipher_param() that handles the payload data. The payload contains a cipher key length and a static VHOST_USER_CRYPTO_MAX_CIPHER_KEY_LENGTH (64) byte key buffer. When transform_cipher_param() handles the payload data it does not check to see if the buffer length doesn't exceed VHOST_USER_CRYPTO_MAX_CIPHER_KEY_LENGTH. This missing check can cause out of bound reads which could trigger a crash or a potential information leak. Also, the vhost crypto library code contains a post message handler (vhost_crypto_msg_post_handler) which calls vhost_crypto_create_sess() which in turn calls transform_chain_param() depending on the operation type. It is transform_chain_param() that handles the payload data. The payload contains a cipher key length and a static VHOST_USER_CRYPTO_MAX_CIPHER_KEY_LENGTH (64) byte key buffer, it also contains a digest length and a static authentication key buffer (size: VHOST_USER_CRYPTO_MAX_HMAC_KEY_LENGTH(512)) and authentication key buffer length. None of these length values are validated. Which can lead to reading out of bound.
Comment 1 Michael Kaplan 2020-04-28 14:11:05 UTC 
Acknowledgments:

Name: Ferruh Yigit (Reporter)
Comment 4 Anten Skrabec 2020-05-05 03:42:56 UTC 
Removed OpenStack 7 affects and added missing affects for OpenStack and Fast Datapath.
Comment 11 Anten Skrabec 2020-05-13 01:15:52 UTC 
Marked all openvswitch affects as notaffected as vhost-crypto backend is compiled out of the packages we ship. Thanks to maxime.coquelin.
Comment 14 Nick Tait 2020-05-18 18:05:35 UTC 
External References:

https://www.openwall.com/lists/oss-security/2020/05/18/2
https://bugs.dpdk.org/show_bug.cgi?id=269
Comment 15 Nick Tait 2020-05-18 18:37:28 UTC 
Created dpdk tracking bugs for this issue:

Affects: fedora-all [bug 1837057]
Comment 16 Product Security DevOps Team 2020-05-18 21:15:21 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10724
Comment 17 Mauro Matteo Cascella 2020-05-19 13:23:18 UTC 
Upstream fix:
https://git.dpdk.org/dpdk/commit/?id=acd4c92fa693bbea695f2bb42bb93fb8567c3ca5
Comment 18 errata-xmlrpc 2020-05-26 11:20:50 UTC 
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2020:2297 https://access.redhat.com/errata/RHSA-2020:2297
Comment 19 errata-xmlrpc 2020-05-26 11:23:37 UTC 
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2020:2295 https://access.redhat.com/errata/RHSA-2020:2295
Comment 20 errata-xmlrpc 2020-05-26 11:25:12 UTC 
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 7

Via RHSA-2020:2296 https://access.redhat.com/errata/RHSA-2020:2296
Comment 21 Mauro Matteo Cascella 2020-05-26 12:56:10 UTC 
Statement:

This issue did not affect the versions of Ceph as shipped with Red Hat Ceph Storage 3 and 4, as they did not include support for DPDK. Red Hat Enterprise Linux 7 and 8 are not affected by this flaw, as vhost-crypto backend is not built and shipped in DPDK packages.
Comment 22 errata-xmlrpc 2021-03-18 13:07:50 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2021:0931 https://access.redhat.com/errata/RHSA-2021:0931