commit dpdk for openSUSE:Factory

29 Sep 2020

Hello community,

here is the log from the commit of package dpdk for openSUSE:Factory checked in at 2020-09-29 19:05:32
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dpdk (Old)
 and      /work/SRC/openSUSE:Factory/.dpdk.new.4249 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "dpdk"

Tue Sep 29 19:05:32 2020 rev:46 rq:838580 version:19.11.4

Changes:
--------
--- /work/SRC/openSUSE:Factory/dpdk/dpdk.changes	2020-09-22 21:17:17.420250101 +0200
+++ /work/SRC/openSUSE:Factory/.dpdk.new.4249/dpdk.changes	2020-09-29 19:05:46.002051611 +0200
@@ -1,0 +2,14 @@
+Tue Sep 29 09:13:17 UTC 2020 - Jaime Caamaño Ruiz <jcaamano@suse.com>
+
+- Add patches to fix vulnerability where malicious guest can harm the host
+  using vhost crypto, this includes executing code in host (VM Escape),
+  reading host application memory space to guest and causing partially
+  denial of service in the host (bsc#1176590).
+  * 0001-vhost-crypto-fix-pool-allocation.patch
+  * 0002-vhost-crypto-fix-incorrect-descriptor-deduction.patch
+  * 0003-vhost-crypto-fix-missed-request-check-for-copy-mode.patch
+  * 0004-vhost-crypto-fix-incorrect-write-back-source.patch
+  * 0005-vhost-crypto-fix-data-length-check.patch
+  * 0006-vhost-crypto-fix-possible-TOCTOU-attack.patch
+
+-------------------------------------------------------------------

New:
----
  0001-vhost-crypto-fix-pool-allocation.patch
  0002-vhost-crypto-fix-incorrect-descriptor-deduction.patch
  0003-vhost-crypto-fix-missed-request-check-for-copy-mode.patch
  0004-vhost-crypto-fix-incorrect-write-back-source.patch
  0005-vhost-crypto-fix-data-length-check.patch
  0006-vhost-crypto-fix-possible-TOCTOU-attack.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ dpdk.spec ++++++
--- /var/tmp/diff_new_pack.jMaBue/_old	2020-09-29 19:05:46.666052282 +0200
+++ /var/tmp/diff_new_pack.jMaBue/_new	2020-09-29 19:05:46.674052290 +0200
@@ -63,6 +63,12 @@
 Source1:        preamble
 Patch1:         0001-fix-cpu-compatibility.patch
 Patch2:         0001-SLE15-SP3-compatibility-patch-for-kni.patch
+Patch3:         0001-vhost-crypto-fix-pool-allocation.patch
+Patch4:         0002-vhost-crypto-fix-incorrect-descriptor-deduction.patch
+Patch5:         0003-vhost-crypto-fix-missed-request-check-for-copy-mode.patch
+Patch6:         0004-vhost-crypto-fix-incorrect-write-back-source.patch
+Patch7:         0005-vhost-crypto-fix-data-length-check.patch
+Patch8:         0006-vhost-crypto-fix-possible-TOCTOU-attack.patch
 BuildRequires:  doxygen
 BuildRequires:  fdupes
 BuildRequires:  libelf-devel
@@ -161,6 +167,12 @@
 %setup -q -n dpdk-stable-%{version}
 %patch1 -p1 -z .init
 %patch2 -p1 -z .init
+%patch3 -p1 -z .init
+%patch4 -p1 -z .init
+%patch5 -p1 -z .init
+%patch6 -p1 -z .init
+%patch7 -p1 -z .init
+%patch8 -p1 -z .init
 
 # This fixes CROSS compilation (broken) in the mk file for ThunderX
 sed -i '/^CROSS /s/^/#/'  mk/machine/thunderx/rte.vars.mk

++++++ 0001-vhost-crypto-fix-pool-allocation.patch ++++++
...
From b04635713247368935040234d11d33914312096c Mon Sep 17 00:00:00 2001
From: Fan Zhang <roy.fan.zhang@intel.com>
Date: Tue, 14 Apr 2020 16:19:51 +0100
Subject: [PATCH 1/6] vhost/crypto: fix pool allocation
This patch fixes the missing iv space allocation in crypto
operation mempool.

Fixes: 709521f4c2cd ("examples/vhost_crypto: support multi-core")
Cc: stable@dpdk.org

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Chenbo Xia <chenbo.xia@intel.com>
---
 examples/vhost_crypto/main.c        | 2 +-
 lib/librte_vhost/rte_vhost_crypto.h | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/examples/vhost_crypto/main.c b/examples/vhost_crypto/main.c
index 1d7ba9419..11b022e81 100644
--- a/examples/vhost_crypto/main.c
+++ b/examples/vhost_crypto/main.c
@@ -544,7 +544,7 @@ main(int argc, char *argv[])
 		snprintf(name, 127, "COPPOOL_%u", lo->lcore_id);
 		info->cop_pool = rte_crypto_op_pool_create(name,
 				RTE_CRYPTO_OP_TYPE_SYMMETRIC, NB_MEMPOOL_OBJS,
-				NB_CACHE_OBJS, 0,
+				NB_CACHE_OBJS, VHOST_CRYPTO_MAX_IV_LEN,
 				rte_lcore_to_socket_id(lo->lcore_id));
 
 		if (!info->cop_pool) {
diff --git a/lib/librte_vhost/rte_vhost_crypto.h b/lib/librte_vhost/rte_vhost_crypto.h
index d29871c7e..866a592a5 100644
--- a/lib/librte_vhost/rte_vhost_crypto.h
+++ b/lib/librte_vhost/rte_vhost_crypto.h
@@ -10,6 +10,7 @@
 #define VHOST_CRYPTO_SESSION_MAP_ENTRIES	(1024) /**< Max nb sessions */
 /** max nb virtual queues in a burst for finalizing*/
 #define VIRTIO_CRYPTO_MAX_NUM_BURST_VQS		(64)
+#define VHOST_CRYPTO_MAX_IV_LEN			(32)
 
 enum rte_vhost_crypto_zero_copy {
 	RTE_VHOST_CRYPTO_ZERO_COPY_DISABLE = 0,
-- 
2.26.2

++++++ 0002-vhost-crypto-fix-incorrect-descriptor-deduction.patch ++++++
...
From b485f950c85374f4969c5fa380b574b34622df91 Mon Sep 17 00:00:00 2001
From: Fan Zhang <roy.fan.zhang@intel.com>
Date: Tue, 14 Apr 2020 16:52:47 +0100
Subject: [PATCH 2/6] vhost/crypto: fix incorrect descriptor deduction
This patch fixes the incorrect descriptor deduction for vhost crypto.

CVE-2020-14378
Fixes: 16d2e718b8ce ("vhost/crypto: fix possible out of bound access")
Cc: stable@dpdk.org

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Chenbo Xia <chenbo.xia@intel.com>
---
 lib/librte_vhost/vhost_crypto.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/librte_vhost/vhost_crypto.c b/lib/librte_vhost/vhost_crypto.c
index 0f9df4059..86747dd5f 100644
--- a/lib/librte_vhost/vhost_crypto.c
+++ b/lib/librte_vhost/vhost_crypto.c
@@ -530,13 +530,14 @@ move_desc(struct vring_desc *head, struct vring_desc **cur_desc,
 	int left = size - desc->len;
 
 	while ((desc->flags & VRING_DESC_F_NEXT) && left > 0) {
-		(*nb_descs)--;
 		if (unlikely(*nb_descs == 0 || desc->next >= vq_size))
 			return -1;
 
 		desc = &head[desc->next];
 		rte_prefetch0(&head[desc->next]);
 		left -= desc->len;
+		if (left > 0)
+			(*nb_descs)--;
 	}
 
 	if (unlikely(left > 0))
-- 
2.26.2

++++++ 0003-vhost-crypto-fix-missed-request-check-for-copy-mode.patch ++++++
...
From 50d3b2ef804fed4c46515dc67ec51d4b08c4165b Mon Sep 17 00:00:00 2001
From: Fan Zhang <roy.fan.zhang@intel.com>
Date: Tue, 14 Apr 2020 17:26:48 +0100
Subject: [PATCH 3/6] vhost/crypto: fix missed request check for copy mode
This patch fixes the missed request check to vhost crypto
copy mode.

CVE-2020-14376
CVE-2020-14377
Fixes: 3bb595ecd682 ("vhost/crypto: add request handler")
Cc: stable@dpdk.org

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Chenbo Xia <chenbo.xia@intel.com>
---
 lib/librte_vhost/vhost_crypto.c | 68 +++++++++++++++++++++++----------
 1 file changed, 47 insertions(+), 21 deletions(-)

diff --git a/lib/librte_vhost/vhost_crypto.c b/lib/librte_vhost/vhost_crypto.c
index 86747dd5f..494f49084 100644
--- a/lib/librte_vhost/vhost_crypto.c
+++ b/lib/librte_vhost/vhost_crypto.c
@@ -756,7 +756,7 @@ prepare_write_back_data(struct vhost_crypto_data_req *vc_req,
 		}
 
 		wb_data->dst = dst;
-		wb_data->len = desc->len - offset;
+		wb_data->len = RTE_MIN(desc->len - offset, write_back_len);
 		write_back_len -= wb_data->len;
 		src += offset + wb_data->len;
 		offset = 0;
@@ -840,6 +840,17 @@ prepare_write_back_data(struct vhost_crypto_data_req *vc_req,
 	return NULL;
 }
 
+static __rte_always_inline uint8_t
+vhost_crypto_check_cipher_request(struct virtio_crypto_cipher_data_req *req)
+{
+	if (likely((req->para.iv_len <= VHOST_CRYPTO_MAX_IV_LEN) &&
+		(req->para.src_data_len <= RTE_MBUF_DEFAULT_BUF_SIZE) &&
+		(req->para.dst_data_len >= req->para.src_data_len) &&
+		(req->para.dst_data_len <= RTE_MBUF_DEFAULT_BUF_SIZE)))
+		return VIRTIO_CRYPTO_OK;
+	return VIRTIO_CRYPTO_BADMSG;
+}
+
 static uint8_t
 prepare_sym_cipher_op(struct vhost_crypto *vcrypto, struct rte_crypto_op *op,
 		struct vhost_crypto_data_req *vc_req,
@@ -851,7 +862,10 @@ prepare_sym_cipher_op(struct vhost_crypto *vcrypto, struct rte_crypto_op *op,
 	struct vhost_crypto_writeback_data *ewb = NULL;
 	struct rte_mbuf *m_src = op->sym->m_src, *m_dst = op->sym->m_dst;
 	uint8_t *iv_data = rte_crypto_op_ctod_offset(op, uint8_t *, IV_OFFSET);
-	uint8_t ret = 0;
+	uint8_t ret = vhost_crypto_check_cipher_request(cipher);
+
+	if (unlikely(ret != VIRTIO_CRYPTO_OK))
+		goto error_exit;
 
 	/* prepare */
 	/* iv */
@@ -861,10 +875,9 @@ prepare_sym_cipher_op(struct vhost_crypto *vcrypto, struct rte_crypto_op *op,
 		goto error_exit;
 	}
 
-	m_src->data_len = cipher->para.src_data_len;
-
 	switch (vcrypto->option) {
 	case RTE_VHOST_CRYPTO_ZERO_COPY_ENABLE:
+		m_src->data_len = cipher->para.src_data_len;
 		m_src->buf_iova = gpa_to_hpa(vcrypto->dev, desc->addr,
 				cipher->para.src_data_len);
 		m_src->buf_addr = get_data_ptr(vc_req, desc, VHOST_ACCESS_RO);
@@ -886,13 +899,7 @@ prepare_sym_cipher_op(struct vhost_crypto *vcrypto, struct rte_crypto_op *op,
 		break;
 	case RTE_VHOST_CRYPTO_ZERO_COPY_DISABLE:
 		vc_req->wb_pool = vcrypto->wb_pool;
-
-		if (unlikely(cipher->para.src_data_len >
-				RTE_MBUF_DEFAULT_BUF_SIZE)) {
-			VC_LOG_ERR("Not enough space to do data copy");
-			ret = VIRTIO_CRYPTO_ERR;
-			goto error_exit;
-		}
+		m_src->data_len = cipher->para.src_data_len;
 		if (unlikely(copy_data(rte_pktmbuf_mtod(m_src, uint8_t *),
 				vc_req, &desc, cipher->para.src_data_len,
 				nb_descs, vq_size) < 0)) {
@@ -975,6 +982,29 @@ prepare_sym_cipher_op(struct vhost_crypto *vcrypto, struct rte_crypto_op *op,
 	return ret;
 }
 
+static __rte_always_inline uint8_t
+vhost_crypto_check_chain_request(struct virtio_crypto_alg_chain_data_req *req)
+{
+	if (likely((req->para.iv_len <= VHOST_CRYPTO_MAX_IV_LEN) &&
+		(req->para.src_data_len <= RTE_MBUF_DEFAULT_DATAROOM) &&
+		(req->para.dst_data_len >= req->para.src_data_len) &&
+		(req->para.dst_data_len <= RTE_MBUF_DEFAULT_DATAROOM) &&
+		(req->para.cipher_start_src_offset <
+			RTE_MBUF_DEFAULT_DATAROOM) &&
+		(req->para.len_to_cipher < RTE_MBUF_DEFAULT_DATAROOM) &&
+		(req->para.hash_start_src_offset <
+			RTE_MBUF_DEFAULT_DATAROOM) &&
+		(req->para.len_to_hash < RTE_MBUF_DEFAULT_DATAROOM) &&
+		(req->para.cipher_start_src_offset + req->para.len_to_cipher <=
+			req->para.src_data_len) &&
+		(req->para.hash_start_src_offset + req->para.len_to_hash <=
+			req->para.src_data_len) &&
+		(req->para.dst_data_len + req->para.hash_result_len <=
+			RTE_MBUF_DEFAULT_DATAROOM)))
+		return VIRTIO_CRYPTO_OK;
+	return VIRTIO_CRYPTO_BADMSG;
+}
+
 static uint8_t
 prepare_sym_chain_op(struct vhost_crypto *vcrypto, struct rte_crypto_op *op,
 		struct vhost_crypto_data_req *vc_req,
@@ -988,7 +1018,10 @@ prepare_sym_chain_op(struct vhost_crypto *vcrypto, struct rte_crypto_op *op,
 	uint8_t *iv_data = rte_crypto_op_ctod_offset(op, uint8_t *, IV_OFFSET);
 	uint32_t digest_offset;
 	void *digest_addr;
-	uint8_t ret = 0;
+	uint8_t ret = vhost_crypto_check_chain_request(chain);
+
+	if (unlikely(ret != VIRTIO_CRYPTO_OK))
+		goto error_exit;
 
 	/* prepare */
 	/* iv */
@@ -998,10 +1031,9 @@ prepare_sym_chain_op(struct vhost_crypto *vcrypto, struct rte_crypto_op *op,
 		goto error_exit;
 	}
 
-	m_src->data_len = chain->para.src_data_len;
-
 	switch (vcrypto->option) {
 	case RTE_VHOST_CRYPTO_ZERO_COPY_ENABLE:
+		m_src->data_len = chain->para.src_data_len;
 		m_dst->data_len = chain->para.dst_data_len;
 
 		m_src->buf_iova = gpa_to_hpa(vcrypto->dev, desc->addr,
@@ -1023,13 +1055,7 @@ prepare_sym_chain_op(struct vhost_crypto *vcrypto, struct rte_crypto_op *op,
 		break;
 	case RTE_VHOST_CRYPTO_ZERO_COPY_DISABLE:
 		vc_req->wb_pool = vcrypto->wb_pool;
-
-		if (unlikely(chain->para.src_data_len >
-				RTE_MBUF_DEFAULT_BUF_SIZE)) {
-			VC_LOG_ERR("Not enough space to do data copy");
-			ret = VIRTIO_CRYPTO_ERR;
-			goto error_exit;
-		}
+		m_src->data_len = chain->para.src_data_len;
 		if (unlikely(copy_data(rte_pktmbuf_mtod(m_src, uint8_t *),
 				vc_req, &desc, chain->para.src_data_len,
 				nb_descs, vq_size) < 0)) {
-- 
2.26.2

++++++ 0004-vhost-crypto-fix-incorrect-write-back-source.patch ++++++
...
From 03aa702205544346d11ed7ca5693f9382ef51922 Mon Sep 17 00:00:00 2001
From: Fan Zhang <roy.fan.zhang@intel.com>
Date: Wed, 15 Apr 2020 11:48:52 +0100
Subject: [PATCH 4/6] vhost/crypto: fix incorrect write back source
This patch fixes vhost crypto library for the incorrect source and
destination buffer calculation in the copy mode.

Fixes: cd1e8f03abf0 ("vhost/crypto: fix packet copy in chaining mode")
Cc: stable@dpdk.org

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Chenbo Xia <chenbo.xia@intel.com>
---
 lib/librte_vhost/vhost_crypto.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/librte_vhost/vhost_crypto.c b/lib/librte_vhost/vhost_crypto.c
index 494f49084..f1cc32a9b 100644
--- a/lib/librte_vhost/vhost_crypto.c
+++ b/lib/librte_vhost/vhost_crypto.c
@@ -749,14 +749,14 @@ prepare_write_back_data(struct vhost_crypto_data_req *vc_req,
 		wb_data->src = src + offset;
 		dlen = desc->len;
 		dst = IOVA_TO_VVA(uint8_t *, vc_req, desc->addr,
-			&dlen, VHOST_ACCESS_RW) + offset;
+			&dlen, VHOST_ACCESS_RW);
 		if (unlikely(!dst || dlen != desc->len)) {
 			VC_LOG_ERR("Failed to map descriptor");
 			goto error_exit;
 		}
 
-		wb_data->dst = dst;
-		wb_data->len = RTE_MIN(desc->len - offset, write_back_len);
+		wb_data->dst = dst + offset;
+		wb_data->len = RTE_MIN(dlen - offset, write_back_len);
 		write_back_len -= wb_data->len;
 		src += offset + wb_data->len;
 		offset = 0;
@@ -801,7 +801,7 @@ prepare_write_back_data(struct vhost_crypto_data_req *vc_req,
 			goto error_exit;
 		}
 
-		wb_data->src = src;
+		wb_data->src = src + offset;
 		wb_data->dst = dst;
 		wb_data->len = RTE_MIN(desc->len - offset, write_back_len);
 		write_back_len -= wb_data->len;
-- 
2.26.2

++++++ 0005-vhost-crypto-fix-data-length-check.patch ++++++
...
From 2fca489d58acfee297d0b9a7dc14e7fa119e8867 Mon Sep 17 00:00:00 2001
From: Fan Zhang <roy.fan.zhang@intel.com>
Date: Thu, 16 Apr 2020 11:29:06 +0100
Subject: [PATCH 5/6] vhost/crypto: fix data length check
This patch fixes the incorrect data length check to vhost crypto.
Instead of blindly accepting the descriptor length as data length, the
change compare the request provided data length and descriptor length
first. The security issue CVE-2020-14374 is not fixed alone by this
patch, part of the fix is done through:
"vhost/crypto: fix missed request check for copy mode".

CVE-2020-14374
Fixes: 3c79609fda7c ("vhost/crypto: handle virtually non-contiguous buffers")
Cc: stable@dpdk.org

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Chenbo Xia <chenbo.xia@intel.com>
---
 lib/librte_vhost/vhost_crypto.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/librte_vhost/vhost_crypto.c b/lib/librte_vhost/vhost_crypto.c
index f1cc32a9b..cf9aa2566 100644
--- a/lib/librte_vhost/vhost_crypto.c
+++ b/lib/librte_vhost/vhost_crypto.c
@@ -624,7 +624,7 @@ copy_data(void *dst_data, struct vhost_crypto_data_req *vc_req,
 		desc = &vc_req->head[desc->next];
 		rte_prefetch0(&vc_req->head[desc->next]);
 		to_copy = RTE_MIN(desc->len, (uint32_t)left);
-		dlen = desc->len;
+		dlen = to_copy;
 		src = IOVA_TO_VVA(uint8_t *, vc_req, desc->addr, &dlen,
 				VHOST_ACCESS_RO);
 		if (unlikely(!src || !dlen)) {
-- 
2.26.2

++++++ 0006-vhost-crypto-fix-possible-TOCTOU-attack.patch ++++++
++++ 801 lines (skipped)

    

root

tags

participants (1)