Bug 1828884 (CVE-2020-10724) - CVE-2020-10724 dpdk: librte_vhost Missing inputs validation in Vhost-crypto [NEEDINFO]
Summary: CVE-2020-10724 dpdk: librte_vhost Missing inputs validation in Vhost-crypto
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2020-10724
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1831389 1831390 1831388 1831391 1831392 1831393 1831394 1831395 1831396 1835014 1835015 1837057
Blocks: 1828925
TreeView+ depends on / blocked
 
Reported: 2020-04-28 14:11 UTC by Michael Kaplan
Modified: 2020-05-26 12:56 UTC (History)
36 users (show)

Fixed In Version: dpdk 20.02.1, dpdk 19.11.2, dkdk 18.11.8
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in DPDK versions 18.11 and above. The vhost-crypto library code is missing validations for user-supplied values, potentially allowing an information leak through an out-of-bounds memory read.
Clone Of:
Environment:
Last Closed: 2020-05-18 21:15:21 UTC
mcascell: needinfo? (maxime.coquelin)


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:2295 None None None 2020-05-26 11:23:44 UTC
Red Hat Product Errata RHSA-2020:2296 None None None 2020-05-26 11:25:16 UTC
Red Hat Product Errata RHSA-2020:2297 None None None 2020-05-26 11:20:54 UTC

Description Michael Kaplan 2020-04-28 14:11:01 UTC
A vulnerability was found in DPDK through version 18.11, The vhost crypto library code contains a post message handler (vhost_crypto_msg_post_handler) which calls vhost_crypto_create_sess() which in turn calls transform_cipher_param() depending on the operation type. It is transform_cipher_param() that handles the payload data. The payload contains a cipher key length and a static VHOST_USER_CRYPTO_MAX_CIPHER_KEY_LENGTH (64) byte key buffer. When transform_cipher_param() handles the payload data it does not check to see if the buffer length doesn't exceed VHOST_USER_CRYPTO_MAX_CIPHER_KEY_LENGTH. This missing check can cause out of bound reads which could trigger a crash or a potential information leak. Also, the vhost crypto library code contains a post message handler (vhost_crypto_msg_post_handler) which calls vhost_crypto_create_sess() which in turn calls transform_chain_param() depending on the operation type. It is transform_chain_param() that handles the payload data. The payload contains a cipher key length and a static VHOST_USER_CRYPTO_MAX_CIPHER_KEY_LENGTH (64) byte key buffer, it also contains a digest length and a static authentication key buffer (size: VHOST_USER_CRYPTO_MAX_HMAC_KEY_LENGTH(512)) and authentication key buffer length. None of these length values are validated. Which can lead to reading out of bound.

Comment 1 Michael Kaplan 2020-04-28 14:11:05 UTC
Acknowledgments:

Name: Ferruh Yigit (Reporter)

Comment 4 Anten Skrabec 2020-05-05 03:42:56 UTC
Removed OpenStack 7 affects and added missing affects for OpenStack and Fast Datapath.

Comment 11 Anten Skrabec 2020-05-13 01:15:52 UTC
Marked all openvswitch affects as notaffected as vhost-crypto backend is compiled out of the packages we ship. Thanks to maxime.coquelin@redhat.com.

Comment 15 Nick Tait 2020-05-18 18:37:28 UTC
Created dpdk tracking bugs for this issue:

Affects: fedora-all [bug 1837057]

Comment 16 Product Security DevOps Team 2020-05-18 21:15:21 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10724

Comment 17 Mauro Matteo Cascella 2020-05-19 13:23:18 UTC
Upstream fix:
https://git.dpdk.org/dpdk/commit/?id=acd4c92fa693bbea695f2bb42bb93fb8567c3ca5

Comment 18 errata-xmlrpc 2020-05-26 11:20:50 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2020:2297 https://access.redhat.com/errata/RHSA-2020:2297

Comment 19 errata-xmlrpc 2020-05-26 11:23:37 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2020:2295 https://access.redhat.com/errata/RHSA-2020:2295

Comment 20 errata-xmlrpc 2020-05-26 11:25:12 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 7

Via RHSA-2020:2296 https://access.redhat.com/errata/RHSA-2020:2296

Comment 21 Mauro Matteo Cascella 2020-05-26 12:56:10 UTC
Statement:

This issue did not affect the versions of Ceph as shipped with Red Hat Ceph Storage 3 and 4, as they did not include support for DPDK. Red Hat Enterprise Linux 7 and 8 are not affected by this flaw, as vhost-crypto backend is not built and shipped in DPDK packages.


Note You need to log in before you can comment on or make changes to this bug.