diff options
author | Paul Gortmaker <paul.gortmaker@windriver.com> | 2020-09-16 12:16:05 -0400 |
---|---|---|
committer | Paul Gortmaker <paul.gortmaker@windriver.com> | 2020-09-16 12:16:05 -0400 |
commit | cc75c5863889c3f1db4521455ca4d0bd3f7d5fcd (patch) | |
tree | 9dd007857bd9940d56787d2bbe7ccd42e6c549a9 | |
parent | 631b9befe483852e1da29e8677c76c2489a4522d (diff) | |
download | longterm-queue-5.2-cc75c5863889c3f1db4521455ca4d0bd3f7d5fcd.tar.gz |
net: add overflow CVE fix
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
-rw-r--r-- | queue/net-packet-fix-overflow-in-tpacket_rcv.patch | 53 | ||||
-rw-r--r-- | queue/series | 1 |
2 files changed, 54 insertions, 0 deletions
diff --git a/queue/net-packet-fix-overflow-in-tpacket_rcv.patch b/queue/net-packet-fix-overflow-in-tpacket_rcv.patch new file mode 100644 index 00000000..8390fbcd --- /dev/null +++ b/queue/net-packet-fix-overflow-in-tpacket_rcv.patch @@ -0,0 +1,53 @@ +From acf69c946233259ab4d64f8869d4037a198c7f06 Mon Sep 17 00:00:00 2001 +From: Or Cohen <orcohen@paloaltonetworks.com> +Date: Thu, 3 Sep 2020 21:05:28 -0700 +Subject: [PATCH] net/packet: fix overflow in tpacket_rcv + +commit acf69c946233259ab4d64f8869d4037a198c7f06 upstream. + +Using tp_reserve to calculate netoff can overflow as +tp_reserve is unsigned int and netoff is unsigned short. + +This may lead to macoff receving a smaller value then +sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr +is set, an out-of-bounds write will occur when +calling virtio_net_hdr_from_skb. + +The bug is fixed by converting netoff to unsigned int +and checking if it exceeds USHRT_MAX. + +This addresses CVE-2020-14386 + +Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt") +Signed-off-by: Or Cohen <orcohen@paloaltonetworks.com> +Signed-off-by: Eric Dumazet <edumazet@google.com> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index da8254e680f9..2b33e977a905 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2170,7 +2170,8 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, + int skb_len = skb->len; + unsigned int snaplen, res; + unsigned long status = TP_STATUS_USER; +- unsigned short macoff, netoff, hdrlen; ++ unsigned short macoff, hdrlen; ++ unsigned int netoff; + struct sk_buff *copy_skb = NULL; + struct timespec64 ts; + __u32 ts_status; +@@ -2239,6 +2240,10 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, + } + macoff = netoff - maclen; + } ++ if (netoff > USHRT_MAX) { ++ atomic_inc(&po->tp_drops); ++ goto drop_n_restore; ++ } + if (po->tp_version <= TPACKET_V2) { + if (macoff + snaplen > po->rx_ring.frame_size) { + if (po->copy_thresh && +-- +2.27.0 + diff --git a/queue/series b/queue/series index d5db781a..88cbe562 100644 --- a/queue/series +++ b/queue/series @@ -148,3 +148,4 @@ drm-Added-orientation-quirk-for-ASUS-tablet-model-T1.patch drm-fix-drm_dp_mst_port-refcount-leaks-in-drm_dp_mst.patch drm-amdgpu-Fix-bug-where-DPM-is-not-enabled-after-hi.patch drm-amd-display-dchubbub-p-state-warning-during-surf.patch +net-packet-fix-overflow-in-tpacket_rcv.patch |