Bug 1828874 (CVE-2020-10723) - CVE-2020-10723 dpdk: librte_vhost Integer truncation in vhost_user_check_and_alloc_queue_pair()
Summary: CVE-2020-10723 dpdk: librte_vhost Integer truncation in vhost_user_check_and_...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10723
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1831390 1831397 1836842 1837024 1831388 1831391 1831392 1831393 1831394 1831395 1831396 1835014 1835015 1835044 1835045 1837025 1837056
Blocks: 1828925
Reported: 2020-04-28 13:59 UTC by Michael Kaplan
Modified: 2020-09-07 10:26 UTC (History)

Fixed In Version: dpdk 20.02.1, dpdk 19.11.2, dpdk 18.11.8
Doc Type: If docs needed, set a value
Doc Text:
A memory corruption issue was found in DPDK versions 17.05 and above. This flaw is caused by an integer truncation on the index of a payload. Under certain circumstances, the index (an unsigned int) is copied and truncated into a uint16, which can lead to out-of-bounds indexing and possible memory corruption.
Clone Of:
Environment:
Last Closed: 2020-05-26 15:15:26 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:2295 None None None 2020-05-26 11:23:44 UTC
Red Hat Product Errata RHSA-2020:2296 None None None 2020-05-26 11:25:14 UTC
Red Hat Product Errata RHSA-2020:2297 None None None 2020-05-26 11:20:54 UTC
Red Hat Product Errata RHSA-2020:2298 None None None 2020-05-26 11:29:06 UTC
Red Hat Product Errata RHSA-2020:2683 None None None 2020-06-23 14:26:38 UTC

Description Michael Kaplan 2020-04-28 13:59:43 UTC
A vulnerability was found in DPDK through version 18.11. vhost_user_check_and_alloc_queue_pair() is used to extract a vring index from a payload. This function validates the index and is called early on when performing message handling. Most message handlers depend on it correctly validating the vring index. Depending on the message type, the vring index is in different parts of the payload. The function contains a switch/case for each type and copies the index. This is stored in a uint16. This index is then validated. Depending on the message, the source index is an unsigned int. If integer truncation occurs (uint->uint16) the top 16 bits of the index are never validated. When they are used later on (e.g. in vhost_user_set_vring_num() or vhost_user_set_vring_addr()) it can lead to out-of-bounds indexing. The out-of-bounds indexed data gets written to, and hence this can cause memory corruption.
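To make the truncation failure mode described above concrete, the following is an added illustrative example; it is not DPDK's code and not from the reporter. The `vring_state_payload` struct, the `MAX_VRING` bound of 256, and the function names are assumptions chosen to mirror the pattern in the description: a 32-bit index from the wire is checked through a 16-bit local, so the check passes for indexes whose low 16 bits are small while the later consumer still sees the full value. The hardened variant validates at the wire width.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed bound on the number of vrings (stand-in for the real limit). */
#define MAX_VRING 256u

/* Minimal stand-in for the vring part of a vhost-user message payload:
 * the index arrives as a full 32-bit unsigned value. */
struct vring_state_payload {
    uint32_t index;
    uint32_t num;
};

/* Vulnerable pattern (mirrors the description): the index is copied into a
 * uint16_t before the bounds check, so bits 16..31 are silently dropped and
 * never validated. Returns 0 when accepted, -1 when rejected. */
int check_vring_index_truncating(const struct vring_state_payload *p)
{
    uint16_t vring_idx = (uint16_t)p->index; /* implicit truncation */
    if (vring_idx >= MAX_VRING)
        return -1;
    return 0;
}

/* Hardened pattern: keep the index at its wire width for the check. */
int check_vring_index_fixed(const struct vring_state_payload *p)
{
    uint32_t vring_idx = p->index;
    if (vring_idx >= MAX_VRING)
        return -1;
    return 0;
}

/* Model of the consumer that runs after the check and uses the untruncated
 * index to select a vring. It only reports whether that index would land
 * inside a MAX_VRING-entry array rather than touching any memory. */
bool consumer_index_in_bounds(const struct vring_state_payload *p)
{
    return p->index < MAX_VRING;
}

/* True when the truncating check accepts an index that the consumer would
 * then use out of bounds: the exact gap the CVE describes. */
bool truncation_bypasses_check(uint32_t index)
{
    struct vring_state_payload p = { .index = index, .num = 0 };
    return check_vring_index_truncating(&p) == 0 && !consumer_index_in_bounds(&p);
}

int main(void)
{
    /* Constructed sample inputs: one benign index, one with bits above 15 set. */
    const uint32_t samples[] = { 3u, 255u, 256u, 0x00010003u, 0xFFFF0000u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct vring_state_payload p = { .index = samples[i], .num = 256 };
        printf("index=0x%08x truncating=%s fixed=%s bypass=%s\n", p.index,
               check_vring_index_truncating(&p) == 0 ? "accept" : "reject",
               check_vring_index_fixed(&p) == 0 ? "accept" : "reject",
               truncation_bypasses_check(p.index) ? "yes" : "no");
    }
    return 0;
}
```

The fixed check is the whole mitigation: widening the local to the source type means the comparison against `MAX_VRING` sees every bit the consumer will later use. Compiling with `-Wconversion` flags the narrowing assignment in the vulnerable variant, which is a cheap way to audit similar index-copy sites.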

Comment 1 Michael Kaplan 2020-04-28 13:59:47 UTC
Acknowledgments:

Name: Ferruh Yigit (Reporter)

Comment 4 Anten Skrabec 2020-05-05 03:39:17 UTC
Removed OpenStack 7 affects and added missing affects for OpenStack and Fast Datapath.

Comment 11 RaTasha Tillery-Smith 2020-05-18 15:15:50 UTC
Statement:

This issue did not affect the versions of Ceph as shipped with Red Hat Ceph Storage 3 and 4, as they did not include support for DPDK.

Comment 12 Mauro Matteo Cascella 2020-05-18 15:51:00 UTC
Commit that first introduced the affected `uint16_t vring_idx` variable in DPDK upstream version 17.05:
  -> http://git.dpdk.org/dpdk/commit/?id=160cbc815b41f45af826136785806c887a7851a1

I've altered the DocText to include that version.

Comment 15 Nick Tait 2020-05-18 18:36:58 UTC
Created dpdk tracking bugs for this issue:

Affects: fedora-all [bug 1837056]

Comment 16 Mauro Matteo Cascella 2020-05-19 13:21:27 UTC
Upstream fix:
https://git.dpdk.org/dpdk/commit/?id=c78d94189dced04def987a17f16097fcb197a186

Comment 18 errata-xmlrpc 2020-05-26 11:20:49 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2020:2297 https://access.redhat.com/errata/RHSA-2020:2297

Comment 19 errata-xmlrpc 2020-05-26 11:23:37 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2020:2295 https://access.redhat.com/errata/RHSA-2020:2295

Comment 20 errata-xmlrpc 2020-05-26 11:25:10 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 7

Via RHSA-2020:2296 https://access.redhat.com/errata/RHSA-2020:2296

Comment 21 errata-xmlrpc 2020-05-26 11:29:00 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 7

Via RHSA-2020:2298 https://access.redhat.com/errata/RHSA-2020:2298

Comment 22 Product Security DevOps Team 2020-05-26 15:15:26 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10723

Comment 24 errata-xmlrpc 2020-06-23 14:26:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2020:2683 https://access.redhat.com/errata/RHSA-2020:2683

