dpdk: fix CVE-2024-11614kirkstone

An out-of-bounds read vulnerability was found in DPDK's Vhost library checksum offload feature. This issue enables an untrusted or compromised guest to crash the hypervisor's vSwitch by forging Virtio descriptors to cause out-of-bounds reads. This flaw allows an attacker with a malicious VM using a virtio driver to cause the vhost-user side to crash by sending a packet with a Tx checksum offload request and an invalid csum_start offset. References: https://nvd.nist.gov/vuln/detail/CVE-2024-11614 https://security-tracker.debian.org/tracker/CVE-2024-11614 Upstream-patch: https://git.dpdk.org/dpdk/commit/?id=4dc4e33ffa108e945fc8a1e2bbc7819791faa61e Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
author: Divya Chellam <divya.chellam@windriver.com> 2025-05-16 13:20:17 +0530
committer: Anuj Mittal <anuj.mittal@intel.com> 2025-05-19 11:56:49 +0800
commit: 68dec754fd9f56dcd50d3f8ddfb96651f86d0a4a (patch)
tree: 6360a777f3b3b47455861eb1a022e728bd01cdbf
parent: 2dbfc6edce775344526a1080a127491747515d88 (diff)
download: meta-dpdk-kirkstone.tar.gz
2 files changed, 44 insertions, 0 deletions
diff --git a/recipes-extended/dpdk/dpdk/CVE-2024-11614.patch b/recipes-extended/dpdk/dpdk/CVE-2024-11614.patch
new file mode 100644
index 0000000..ea80403
--- /dev/null
+++ b/recipes-extended/dpdk/dpdk/CVE-2024-11614.patch
@@ -0,0 +1,43 @@
+From 4dc4e33ffa108e945fc8a1e2bbc7819791faa61e Mon Sep 17 00:00:00 2001
+From: Olivier Matz <olivier.matz@6wind.com>
+Date: Thu, 28 Nov 2024 12:09:56 +0100
+Subject: [PATCH] net/virtio: fix Rx checksum calculation
+If hdr->csum_start is larger than packet length, the len argument passed
+to rte_raw_cksum_mbuf() overflows and causes a segmentation fault.
+Ignore checksum computation in this case.
+CVE-2024-11614
+Fixes: ca7036b4af3a ("vhost: fix offload flags in Rx path")
+Signed-off-by: Maxime Gouin <maxime.gouin@6wind.com>
+Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
+Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
+CVE: CVE-2024-11614
+Upstream-Status: Backport [https://git.dpdk.org/dpdk/commit/?id=4dc4e33ffa108e945fc8a1e2bbc7819791faa61e]
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ lib/vhost/virtio_net.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c
+index fa0779d03d..038ac6a774 100644
+--- a/lib/vhost/virtio_net.c
+++ b/lib/vhost/virtio_net.c
+@@ -2261,6 +2261,9 @@ vhost_dequeue_offload(struct virtio_net_hdr *hdr, struct rte_mbuf *m,
+                         */
+                        uint16_t csum = 0, off;
+                       if (hdr->csum_start >= rte_pktmbuf_pkt_len(m))
+                               return;
+
+                        if (rte_raw_cksum_mbuf(m, hdr->csum_start,
+                                        rte_pktmbuf_pkt_len(m) - hdr->csum_start, &csum) < 0)
+                                return;
+--
+2.40.0
diff --git a/recipes-extended/dpdk/dpdk_21.11.7.bb b/recipes-extended/dpdk/dpdk_21.11.7.bb
index 848a4b2..1e20e39 100644
--- a/recipes-extended/dpdk/dpdk_21.11.7.bb
+++ b/recipes-extended/dpdk/dpdk_21.11.7.bb
@@ -2,6 +2,7 @@ include dpdk.inc
 SRC_URI += " \
            file://0001-meson.build-march-and-mcpu-already-passed-by-Yocto-21.11.patch \
+            file://CVE-2024-11614.patch \
 "
 STABLE = "-stable"
author	Divya Chellam <divya.chellam@windriver.com>	2025-05-16 13:20:17 +0530
committer	Anuj Mittal <anuj.mittal@intel.com>	2025-05-19 11:56:49 +0800
commit	68dec754fd9f56dcd50d3f8ddfb96651f86d0a4a (patch)
tree	6360a777f3b3b47455861eb1a022e728bd01cdbf
parent	2dbfc6edce775344526a1080a127491747515d88 (diff)
download	meta-dpdk-kirkstone.tar.gz

diff --git a/recipes-extended/dpdk/dpdk/CVE-2024-11614.patch b/recipes-extended/dpdk/dpdk/CVE-2024-11614.patch new file mode 100644 index 0000000..ea80403 --- /dev/null +++ b/recipes-extended/dpdk/dpdk/CVE-2024-11614.patch
@@ -0,0 +1,43 @@
		1	From 4dc4e33ffa108e945fc8a1e2bbc7819791faa61e Mon Sep 17 00:00:00 2001
		2	From: Olivier Matz <olivier.matz@6wind.com>
		3	Date: Thu, 28 Nov 2024 12:09:56 +0100
		4	Subject: [PATCH] net/virtio: fix Rx checksum calculation
		5
		6	If hdr->csum_start is larger than packet length, the len argument passed
		7	to rte_raw_cksum_mbuf() overflows and causes a segmentation fault.
		8
		9	Ignore checksum computation in this case.
		10
		11	CVE-2024-11614
		12
		13	Fixes: ca7036b4af3a ("vhost: fix offload flags in Rx path")
		14
		15	Signed-off-by: Maxime Gouin <maxime.gouin@6wind.com>
		16	Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
		17	Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
		18
		19	CVE: CVE-2024-11614
		20
		21	Upstream-Status: Backport [https://git.dpdk.org/dpdk/commit/?id=4dc4e33ffa108e945fc8a1e2bbc7819791faa61e]
		22
		23	Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
		24	---
		25	lib/vhost/virtio_net.c \| 3 +++
		26	1 file changed, 3 insertions(+)
		27
		28	diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c
		29	index fa0779d03d..038ac6a774 100644
		30	--- a/lib/vhost/virtio_net.c
		31	+++ b/lib/vhost/virtio_net.c
		32	@@ -2261,6 +2261,9 @@ vhost_dequeue_offload(struct virtio_net_hdr hdr, struct rte_mbuf m,
		33	*/
		34	uint16_t csum = 0, off;
		35
		36	+ if (hdr->csum_start >= rte_pktmbuf_pkt_len(m))
		37	+ return;
		38	+
		39	if (rte_raw_cksum_mbuf(m, hdr->csum_start,
		40	rte_pktmbuf_pkt_len(m) - hdr->csum_start, &csum) < 0)
		41	return;
		42	--
		43	2.40.0


diff --git a/recipes-extended/dpdk/dpdk_21.11.7.bb b/recipes-extended/dpdk/dpdk_21.11.7.bb index 848a4b2..1e20e39 100644 --- a/recipes-extended/dpdk/dpdk_21.11.7.bb +++ b/recipes-extended/dpdk/dpdk_21.11.7.bb
@@ -2,6 +2,7 @@ include dpdk.inc
2		2
3	SRC_URI += " \	3	SRC_URI += " \
4	file://0001-meson.build-march-and-mcpu-already-passed-by-Yocto-21.11.patch \	4	file://0001-meson.build-march-and-mcpu-already-passed-by-Yocto-21.11.patch \
		5	file://CVE-2024-11614.patch \
5	"	6	"
6		7
7	STABLE = "-stable"	8	STABLE = "-stable"