diff mbox series

[3/6] vhost/crypto: validate keys lengths

Message ID	20200518131704.715877-4-ferruh.yigit@intel.com (mailing list archive)
State	Accepted, archived
Delegated to:	David Marchand
Headers	IronPort-SDR: t77w/I/+OLMdQdSTvIbmwpZt+NtEERfJRRdNfWSNl7c49EEXzOPgXQgn3+kvfANYpCSkUXX754 6KZYXb+lHMUQ== IronPort-SDR: x0GrdGgg16cnDfaj21MH0GwLihlVDbZwBN2kCaanWHklquPmOt1kfF0DY1Gf9YNU/D3TPi0WmF Ly2W2JPdnikA== From: Ferruh Yigit <ferruh.yigit@intel.com> To: dev@dpdk.org Cc: Ferruh Yigit <ferruh.yigit@intel.com>, Maxime Coquelin <maxime.coquelin@redhat.com>, stable@dpdk.org, Ilja Van Sprundel <ivansprundel@ioactive.com>, Xiaolong Ye <xiaolong.ye@intel.com> Date: Mon, 18 May 2020 14:17:01 +0100 Message-Id: <20200518131704.715877-4-ferruh.yigit@intel.com> In-Reply-To: <20200518131704.715877-1-ferruh.yigit@intel.com> References: <20200518131704.715877-1-ferruh.yigit@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: [dpdk-dev] [PATCH 3/6] vhost/crypto: validate keys lengths Precedence: list Errors-To: dev-bounces@dpdk.org Sender: "dev" <dev-bounces@dpdk.org>
Series	Fix vhost security issues \| [0/6] Fix vhost security issues [1/6] vhost: check log mmap offset and size overflow [2/6] vhost: fix vring index check [3/6] vhost/crypto: validate keys lengths [4/6] vhost: fix translated address not checked [5/6] vhost: fix potential memory space leak [6/6] vhost: fix potential fd leak

Checks

Context	Check	Description
ci/checkpatch	success	coding style OK
ci/Intel-compilation	success	Compilation OK

Commit Message

Ferruh Yigit May 18, 2020, 1:17 p.m. UTC

  From: Maxime Coquelin <maxime.coquelin@redhat.com>

transform_cipher_param() and transform_chain_param() handle
the payload data for the VHOST_USER_CRYPTO_CREATE_SESS
message. These payloads have to be validated, since it
could come from untrusted sources.

Two buffers and their lenghts are defined in this payload,
one the the auth key and one for the cipher key. But above
functions do not validate the key length inputs, which could
lead to read out of bounds, as buffers have static sizes of
64 bytes for the cipher key and 512 bytes for the auth key.

This patch adds necessary checks on the key length field
before being used.

CVE-2020-10724
Fixes: e80a98708166 ("vhost/crypto: add session message handler")
Cc: stable@dpdk.org

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Reviewed-by: Xiaolong Ye <xiaolong.ye@intel.com>
Reviewed-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
---
 lib/librte_vhost/vhost_crypto.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff mbox series

Patch

diff --git a/lib/librte_vhost/vhost_crypto.c b/lib/librte_vhost/vhost_crypto.c
index 2e52ecae87..0f9df4059d 100644
--- a/lib/librte_vhost/vhost_crypto.c
+++ b/lib/librte_vhost/vhost_crypto.c
@@ -238,6 +238,11 @@  transform_cipher_param(struct rte_crypto_sym_xform *xform,
 	if (unlikely(ret < 0))
 		return ret;
 
+	if (param->cipher_key_len > VHOST_USER_CRYPTO_MAX_CIPHER_KEY_LENGTH) {
+		VC_LOG_DBG("Invalid cipher key length\n");
+		return -VIRTIO_CRYPTO_BADMSG;
+	}
+
 	xform->type = RTE_CRYPTO_SYM_XFORM_CIPHER;
 	xform->cipher.key.length = param->cipher_key_len;
 	if (xform->cipher.key.length > 0)
@@ -288,6 +293,12 @@  transform_chain_param(struct rte_crypto_sym_xform *xforms,
 			&xform_cipher->cipher.algo);
 	if (unlikely(ret < 0))
 		return ret;
+
+	if (param->cipher_key_len > VHOST_USER_CRYPTO_MAX_CIPHER_KEY_LENGTH) {
+		VC_LOG_DBG("Invalid cipher key length\n");
+		return -VIRTIO_CRYPTO_BADMSG;
+	}
+
 	xform_cipher->type = RTE_CRYPTO_SYM_XFORM_CIPHER;
 	xform_cipher->cipher.key.length = param->cipher_key_len;
 	xform_cipher->cipher.key.data = param->cipher_key_buf;
@@ -302,6 +313,12 @@  transform_chain_param(struct rte_crypto_sym_xform *xforms,
 	ret = auth_algo_transform(param->hash_algo, &xform_auth->auth.algo);
 	if (unlikely(ret < 0))
 		return ret;
+
+	if (param->auth_key_len > VHOST_USER_CRYPTO_MAX_HMAC_KEY_LENGTH) {
+		VC_LOG_DBG("Invalid auth key length\n");
+		return -VIRTIO_CRYPTO_BADMSG;
+	}
+
 	xform_auth->auth.digest_length = param->digest_len;
 	xform_auth->auth.key.length = param->auth_key_len;
 	xform_auth->auth.key.data = param->auth_key_buf;