Bug 1040
| Summary: | Vhost-crypto: possible out of bounds access of vhost_crypto_desc array | ||
|---|---|---|---|
| Product: | DPDK | Reporter: | Maxime Coquelin (maxime.coquelin) |
| Component: | vhost/virtio | Assignee: | Fan Zhang (roy.fan.zhang) |
| Status: | UNCONFIRMED --- | ||
| Severity: | normal | ||
| Priority: | Normal | ||
| Version: | 22.03 | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | All | ||
Hi Maxime, I will do a proper refactor to the code. Please expect the change done before 23.01 Regards, Fan |
In vhost_crypto_process_one_req(), we have: /** * Process on descriptor */ static __rte_always_inline int vhost_crypto_process_one_req(struct vhost_crypto *vcrypto, struct vhost_virtqueue *vq, struct rte_crypto_op *op, struct vring_desc *head, struct vhost_crypto_desc *descs, uint16_t desc_idx) { <\snip> nb_descs = max_n_descs = dlen / sizeof(struct vring_desc); <\snip> if (unlikely(copy_data(&req, vc_req, descs, &desc, sizeof(req), max_n_descs) < 0)) { err = VIRTIO_CRYPTO_BADMSG; VC_LOG_ERR("Invalid descriptor"); goto error_exit; } /* desc is advanced by 1 now */ max_n_descs -= 1; max_n_descs is decremented by one, but copy_data can process more than a single descriptors. Since &desc is also incremented in copy_data by the number of descriptors parsed, max_n_descs should be decremented by the same amount, otherwise out of bounds accesses to desc array could happen.