1040 – Vhost-crypto: possible out of bounds access of vhost_crypto_desc array

Bug 1040 - Vhost-crypto: possible out of bounds access of vhost_crypto_desc array

Summary: Vhost-crypto: possible out of bounds access of vhost_crypto_desc array

Status:	UNCONFIRMED

Alias:	None

Product:	DPDK
Classification:	Unclassified
Component:	vhost/virtio (show other bugs)
Version:	22.03
Hardware:	All All

Importance:	Normal normal
Target Milestone:	---
Assignee:	Fan Zhang

URL:

Depends on:
Blocks:

Reported:	2022-06-22 14:12 CEST by Maxime Coquelin
Modified:	2022-06-22 16:58 CEST (History)
CC List:	0 users

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Maxime Coquelin 2022-06-22 14:12:49 CEST

In vhost_crypto_process_one_req(), we have:

/**
 * Process on descriptor
 */
static __rte_always_inline int
vhost_crypto_process_one_req(struct vhost_crypto *vcrypto,
		struct vhost_virtqueue *vq, struct rte_crypto_op *op,
		struct vring_desc *head, struct vhost_crypto_desc *descs,
		uint16_t desc_idx)
{

<\snip>

	nb_descs = max_n_descs = dlen / sizeof(struct vring_desc);

<\snip>

	if (unlikely(copy_data(&req, vc_req, descs, &desc, sizeof(req),
			max_n_descs) < 0)) {
		err = VIRTIO_CRYPTO_BADMSG;
		VC_LOG_ERR("Invalid descriptor");
		goto error_exit;
	}

	/* desc is advanced by 1 now */
	max_n_descs -= 1;

max_n_descs is decremented by one, but copy_data can process more than a single descriptors.
Since &desc is also incremented in copy_data by the number of descriptors parsed, 
max_n_descs should be decremented by the same amount, otherwise out of bounds 
accesses to desc array could happen.

Comment 1 Fan Zhang 2022-06-22 16:58:15 CEST

Hi Maxime,

I will do a proper refactor to the code.
Please expect the change done before 23.01

Regards,
Fan

Note You need to log in before you can comment on or make changes to this bug.