Bug 1828884 (CVE-2020-10724) - CVE-2020-10724 dpdk: librte_vhost Missing inputs validation in Vhost-crypto
Summary: CVE-2020-10724 dpdk: librte_vhost Missing inputs validation in Vhost-crypto
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2020-10724
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1831388 1831389 1831390 1831391 1831392 1831393 1831394 1831395 1831396 1835014 1835015 1837057
Blocks: 1828925
TreeView+ depends on / blocked
 
Reported: 2020-04-28 14:11 UTC by Michael Kaplan
Modified: 2021-03-18 13:08 UTC (History)
37 users (show)

Fixed In Version: dpdk 20.02.1, dpdk 19.11.2, dkdk 18.11.8
Clone Of:
Environment:
Last Closed: 2020-05-18 21:15:21 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:2295 0 None None None 2020-05-26 11:23:44 UTC
Red Hat Product Errata RHSA-2020:2296 0 None None None 2020-05-26 11:25:16 UTC
Red Hat Product Errata RHSA-2020:2297 0 None None None 2020-05-26 11:20:54 UTC
Red Hat Product Errata RHSA-2021:0931 0 None None None 2021-03-18 13:08:03 UTC

Description Michael Kaplan 2020-04-28 14:11:01 UTC 
A vulnerability was found in DPDK through version 18.11, The vhost crypto library code contains a post message handler (vhost_crypto_msg_post_handler) which calls vhost_crypto_create_sess() which in turn calls transform_cipher_param() depending on the operation type. It is transform_cipher_param() that handles the payload data. The payload contains a cipher key length and a static VHOST_USER_CRYPTO_MAX_CIPHER_KEY_LENGTH (64) byte key buffer. When transform_cipher_param() handles the payload data it does not check to see if the buffer length doesn't exceed VHOST_USER_CRYPTO_MAX_CIPHER_KEY_LENGTH. This missing check can cause out of bound reads which could trigger a crash or a potential information leak. Also, the vhost crypto library code contains a post message handler (vhost_crypto_msg_post_handler) which calls vhost_crypto_create_sess() which in turn calls transform_chain_param() depending on the operation type. It is transform_chain_param() that handles the payload data. The payload contains a cipher key length and a static VHOST_USER_CRYPTO_MAX_CIPHER_KEY_LENGTH (64) byte key buffer, it also contains a digest length and a static authentication key buffer (size: VHOST_USER_CRYPTO_MAX_HMAC_KEY_LENGTH(512)) and authentication key buffer length. None of these length values are validated. Which can lead to reading out of bound.
Comment 1 Michael Kaplan 2020-04-28 14:11:05 UTC 
Acknowledgments:

Name: Ferruh Yigit (Reporter)
Comment 4 Anten Skrabec 2020-05-05 03:42:56 UTC 
Removed OpenStack 7 affects and added missing affects for OpenStack and Fast Datapath.
Comment 11 Anten Skrabec 2020-05-13 01:15:52 UTC 
Marked all openvswitch affects as notaffected as vhost-crypto backend is compiled out of the packages we ship. Thanks to maxime.coquelin.
Comment 14 Nick Tait 2020-05-18 18:05:35 UTC 
External References:

https://www.openwall.com/lists/oss-security/2020/05/18/2
https://bugs.dpdk.org/show_bug.cgi?id=269
Comment 15 Nick Tait 2020-05-18 18:37:28 UTC 
Created dpdk tracking bugs for this issue:

Affects: fedora-all [bug 1837057]
Comment 16 Product Security DevOps Team 2020-05-18 21:15:21 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10724
Comment 17 Mauro Matteo Cascella 2020-05-19 13:23:18 UTC 
Upstream fix:
https://git.dpdk.org/dpdk/commit/?id=acd4c92fa693bbea695f2bb42bb93fb8567c3ca5
Comment 18 errata-xmlrpc 2020-05-26 11:20:50 UTC 
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2020:2297 https://access.redhat.com/errata/RHSA-2020:2297
Comment 19 errata-xmlrpc 2020-05-26 11:23:37 UTC 
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2020:2295 https://access.redhat.com/errata/RHSA-2020:2295
Comment 20 errata-xmlrpc 2020-05-26 11:25:12 UTC 
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 7

Via RHSA-2020:2296 https://access.redhat.com/errata/RHSA-2020:2296
Comment 21 Mauro Matteo Cascella 2020-05-26 12:56:10 UTC 
Statement:

This issue did not affect the versions of Ceph as shipped with Red Hat Ceph Storage 3 and 4, as they did not include support for DPDK. Red Hat Enterprise Linux 7 and 8 are not affected by this flaw, as vhost-crypto backend is not built and shipped in DPDK packages.
Comment 22 errata-xmlrpc 2021-03-18 13:07:50 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2021:0931 https://access.redhat.com/errata/RHSA-2021:0931
Note You need to log in before you can comment on or make changes to this bug.