A vulnerability was found in DPDK through version 18.11. vhost_user_check_and_alloc_queue_pair() is used to extract a vring index from a payload. This function validates the index and is called early on when performing message handling. Most message handlers depend on it correctly validating the vring index. Depending on the message type, the vring index is in different parts of the payload. The function contains a switch/case for each type and copies the index, which is stored in a uint16. This index is then validated. Depending on the message, the source index is an unsigned int. If integer truncation occurs (uint->uint16), the top 16 bits of the index are never validated. When they are used later on (e.g. in vhost_user_set_vring_num() or vhost_user_set_vring_addr()) this can lead to out-of-bounds indexing. The out-of-bounds indexed data gets written to, and hence this can cause memory corruption.
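The following is an added, self-contained model of the truncation pattern described above; it is not DPDK's code and does not reproduce the upstream commit. MAX_VRING, the message layout, and every function name in it are assumptions for the example. It places the vulnerable check (index copied into a uint16_t before the bound test) beside a full-width check, and the handler model reports whether the index it would use stays inside the array instead of performing the write, so the defect is visible without corrupting memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: MAX_VRING, the message layout and all function names are
 * assumptions for this example, not DPDK's own definitions. */
#define MAX_VRING 8u

enum msg_kind { MSG_SET_VRING_NUM, MSG_SET_VRING_ADDR };

/* The 32-bit vring index sits in a different sub-struct for each message. */
struct msg {
    enum msg_kind kind;
    union {
        struct { uint32_t index; uint32_t num; } state;      /* SET_VRING_NUM  */
        struct { uint32_t index; uint64_t desc_addr; } addr; /* SET_VRING_ADDR */
    } payload;
};

enum outcome { REJECTED = 0, IN_BOUNDS = 1, OUT_OF_BOUNDS = 2 };

/* Original 32-bit field, as a later handler would read it. */
static uint32_t index_of(const struct msg *m)
{
    return m->kind == MSG_SET_VRING_NUM ? m->payload.state.index
                                        : m->payload.addr.index;
}

/* Vulnerable pattern: the index is copied into a uint16_t before the bound
 * test, so bits 16..31 of the 32-bit source never reach the comparison. */
static int check_index_truncated(const struct msg *m)
{
    uint16_t vring_idx;
    switch (m->kind) {
    case MSG_SET_VRING_NUM:  vring_idx = (uint16_t)m->payload.state.index; break;
    case MSG_SET_VRING_ADDR: vring_idx = (uint16_t)m->payload.addr.index;  break;
    default: return -1;
    }
    return vring_idx < MAX_VRING ? 0 : -1;
}

/* Hardened pattern: keep the full width of the source field until after the
 * bound test, so every bit of the index is covered by the comparison. */
static int check_index_full_width(const struct msg *m)
{
    uint32_t vring_idx;
    switch (m->kind) {
    case MSG_SET_VRING_NUM:  vring_idx = m->payload.state.index; break;
    case MSG_SET_VRING_ADDR: vring_idx = m->payload.addr.index;  break;
    default: return -1;
    }
    return vring_idx < MAX_VRING ? 0 : -1;
}

/* Handler model: once the check passes, the handler indexes with the original
 * 32-bit field, as the description says vhost_user_set_vring_num() and
 * vhost_user_set_vring_addr() do. Instead of writing to a vring array it
 * reports whether that access would stay inside a MAX_VRING-sized array. */
static enum outcome handle(const struct msg *m, int (*check)(const struct msg *))
{
    if (check(m) != 0)
        return REJECTED;
    return index_of(m) < MAX_VRING ? IN_BOUNDS : OUT_OF_BOUNDS;
}

/* Builds a constructed message carrying the given index. */
static struct msg make_msg(enum msg_kind kind, uint32_t index)
{
    struct msg m = { .kind = kind };
    if (kind == MSG_SET_VRING_NUM) {
        m.payload.state.index = index;
        m.payload.state.num = 256;          /* constructed queue size */
    } else {
        m.payload.addr.index = index;
        m.payload.addr.desc_addr = 0x1000;  /* constructed address */
    }
    return m;
}

int main(void)
{
    static const char *names[] = { "rejected", "in bounds", "OUT OF BOUNDS" };
    const uint32_t probes[] = { 3u, 0xFFFFu, 0x00010001u };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        struct msg m = make_msg(MSG_SET_VRING_NUM, probes[i]);
        printf("index 0x%08x: truncated check -> %-13s  full-width check -> %s\n",
               probes[i], names[handle(&m, check_index_truncated)],
               names[handle(&m, check_index_full_width)]);
    }
    return 0;
}
```

The index 0x00010001 is the instructive case: its low 16 bits equal 1, so the truncated check accepts it, while the handler then uses 65537 as the array index. The full-width check rejects the same message, which is the property a reviewer should look for wherever a value is narrowed before being validated and used at its original width afterwards.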
Acknowledgments: Name: Ferruh Yigit (Reporter)
Removed OpenStack 7 affects and added missing affects for OpenStack and Fast Datapath.
Statement: This issue did not affect the versions of Ceph as shipped with Red Hat Ceph Storage 3 and 4, as they did not include support for DPDK.
Commit that first introduced the affected `uint16_t vring_idx` variable in DPDK upstream version 17.05: -> http://git.dpdk.org/dpdk/commit/?id=160cbc815b41f45af826136785806c887a7851a1 I've altered the DocText to include that version.
External References: https://www.openwall.com/lists/oss-security/2020/05/18/2 https://bugs.dpdk.org/show_bug.cgi?id=268
Created dpdk tracking bugs for this issue: Affects: fedora-all [bug 1837056]
Upstream fix: https://git.dpdk.org/dpdk/commit/?id=c78d94189dced04def987a17f16097fcb197a186
This issue has been addressed in the following products: Fast Datapath for Red Hat Enterprise Linux 8 Via RHSA-2020:2297 https://access.redhat.com/errata/RHSA-2020:2297
This issue has been addressed in the following products: Fast Datapath for Red Hat Enterprise Linux 8 Via RHSA-2020:2295 https://access.redhat.com/errata/RHSA-2020:2295
This issue has been addressed in the following products: Fast Datapath for Red Hat Enterprise Linux 7 Via RHSA-2020:2296 https://access.redhat.com/errata/RHSA-2020:2296
This issue has been addressed in the following products: Fast Datapath for Red Hat Enterprise Linux 7 Via RHSA-2020:2298 https://access.redhat.com/errata/RHSA-2020:2298
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10723
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2020:2683 https://access.redhat.com/errata/RHSA-2020:2683
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Red Hat Virtualization Engine 4.3 Via RHSA-2020:4114 https://access.redhat.com/errata/RHSA-2020:4114
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4806 https://access.redhat.com/errata/RHSA-2020:4806
This issue has been addressed in the following products: Red Hat OpenStack Platform 13.0 (Queens) Via RHSA-2021:0931 https://access.redhat.com/errata/RHSA-2021:0931