[dpdk-dev] [dpdk-stable] [PATCH 6/6] vhost/crypto: fix possible TOCTOU attack

Thomas Monjalon thomas at monjalon.net
Mon Sep 28 17:19:14 CEST 2020


> From: Fan Zhang <roy.fan.zhang at intel.com>
> 
> This patch fixes the possible time-of-check to time-of-use (TOCTOU)
> attack problem by copying request data and descriptor index to a local
> variable prior to processing.
> 
> Also the original sequential read of descriptors may lead to TOCTOU
> attack. This patch fixes the problem by loading all descriptors of a
> request to a local buffer before processing.
> 
> CVE-2020-14375
> Fixes: 3bb595ecd682 ("vhost/crypto: add request handler")
> Cc: stable at dpdk.org
> 
> Signed-off-by: Fan Zhang <roy.fan.zhang at intel.com>
> Acked-by: Chenbo Xia <chenbo.xia at intel.com>

Series applied in the main repository, thanks.
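
The approach the quoted commit message describes (copy the descriptor index and every descriptor of a request into local storage, then validate and use only the copies), as an added C illustration that is not the patch itself or DPDK code. The descriptor layout is simplified, and `struct desc`, `snapshot_chain`, `gather_request`, `MAX_CHAIN` and `F_NEXT` are hypothetical names.

```c
/* Added illustration; names and layout are hypothetical, not DPDK's. */
#include <stdint.h>
#include <string.h>

#define MAX_CHAIN 8      /* assumed upper bound on descriptors per request */
#define F_NEXT    0x1    /* descriptor is followed by another one */

struct desc { uint32_t off; uint32_t len; uint16_t flags; uint16_t next; };

/* Copy the whole chain out of guest-writable memory exactly once.
 * Returns the number of descriptors copied, or -1 on a malformed chain. */
int snapshot_chain(const volatile struct desc *ring, uint16_t ring_sz,
                   uint16_t head, struct desc *local)
{
    int n = 0;
    uint16_t idx = head;                  /* the index is a local copy too */
    for (;;) {
        if (idx >= ring_sz || n == MAX_CHAIN)
            return -1;                    /* out of range, loop, or too long */
        local[n].off   = ring[idx].off;   /* each field is read one time */
        local[n].len   = ring[idx].len;
        local[n].flags = ring[idx].flags;
        local[n].next  = ring[idx].next;
        if (!(local[n++].flags & F_NEXT))
            return n;
        idx = local[n - 1].next;          /* follow the copy, not the ring */
    }
}

/* Validate and use only the snapshot: the length checked is the length used.
 * Returns bytes copied into out, or -1 if any descriptor fails validation. */
long gather_request(const volatile struct desc *ring, uint16_t ring_sz,
                    uint16_t head, const uint8_t *mem, size_t mem_sz,
                    uint8_t *out, size_t out_sz)
{
    struct desc local[MAX_CHAIN];
    size_t total = 0;
    int n = snapshot_chain(ring, ring_sz, head, local);
    if (n < 0)
        return -1;
    for (int i = 0; i < n; i++) {
        if (local[i].off > mem_sz || local[i].len > mem_sz - local[i].off ||
            local[i].len > out_sz - total)
            return -1;
        memcpy(out + total, mem + local[i].off, local[i].len);
        total += local[i].len;
    }
    return (long)total;
}
```

Once `snapshot_chain` returns, later writes to the shared ring cannot change the lengths or links that were validated.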



