dpdk: fix CVE-2024-11614

An out-of-bounds read vulnerability was found in DPDK's Vhost
library checksum offload feature. This issue enables an
untrusted or compromised guest to crash the hypervisor's vSwitch
by forging Virtio descriptors to cause out-of-bounds reads. This
flaw allows an attacker with a malicious VM using a virtio driver
to cause the vhost-user side to crash by sending a packet with a
Tx checksum offload request and an invalid csum_start offset.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-11614
https://security-tracker.debian.org/tracker/CVE-2024-11614

Upstream-patch:
https://git.dpdk.org/dpdk/commit/?id=4dc4e33ffa108e945fc8a1e2bbc7819791faa61e

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
This commit is contained in:
Divya Chellam 2025-05-16 13:20:17 +05:30 committed by Anuj Mittal
parent 2dbfc6edce
commit 68dec754fd
No known key found for this signature in database
GPG Key ID: B749E1556041E1B2
2 changed files with 44 additions and 0 deletions

View File

@ -0,0 +1,43 @@
From 4dc4e33ffa108e945fc8a1e2bbc7819791faa61e Mon Sep 17 00:00:00 2001
From: Olivier Matz <olivier.matz@6wind.com>
Date: Thu, 28 Nov 2024 12:09:56 +0100
Subject: [PATCH] net/virtio: fix Rx checksum calculation
If hdr->csum_start is larger than packet length, the len argument passed
to rte_raw_cksum_mbuf() overflows and causes a segmentation fault.
Ignore checksum computation in this case.
CVE-2024-11614
Fixes: ca7036b4af3a ("vhost: fix offload flags in Rx path")
Signed-off-by: Maxime Gouin <maxime.gouin@6wind.com>
Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
CVE: CVE-2024-11614
Upstream-Status: Backport [https://git.dpdk.org/dpdk/commit/?id=4dc4e33ffa108e945fc8a1e2bbc7819791faa61e]
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
---
lib/vhost/virtio_net.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c
index fa0779d03d..038ac6a774 100644
--- a/lib/vhost/virtio_net.c
+++ b/lib/vhost/virtio_net.c
@@ -2261,6 +2261,9 @@ vhost_dequeue_offload(struct virtio_net_hdr *hdr, struct rte_mbuf *m,
*/
uint16_t csum = 0, off;
+ if (hdr->csum_start >= rte_pktmbuf_pkt_len(m))
+ return;
+
if (rte_raw_cksum_mbuf(m, hdr->csum_start,
rte_pktmbuf_pkt_len(m) - hdr->csum_start, &csum) < 0)
return;
--
2.40.0

View File

@ -2,6 +2,7 @@ include dpdk.inc
SRC_URI += " \
file://0001-meson.build-march-and-mcpu-already-passed-by-Yocto-21.11.patch \
file://CVE-2024-11614.patch \
"
STABLE = "-stable"