APPLIED: [bionic:linux,bionic:linux-hwe-5.0][PATCH] UBUNTU: SAUCE: net/packet: fix overflow in tpacket_rcv
Marcelo Henrique Cerri
marcelo.cerri at canonical.com
Sat Sep 5 19:30:53 UTC 2020
Applied. Thanks!
On Fri, Sep 04, 2020 at 03:33:31PM -0300, Marcelo Henrique Cerri wrote:
> From: Or Cohen <orcohen at paloaltonetworks.com>
>
> CVE-2020-14386
>
> Using tp_reserve to calculate netoff can overflow as
> tp_reserve is unsigned int and netoff is unsigned short.
>
> This may lead to macoff receving a smaller value then
> sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
> is set, an out-of-bounds write will occur when
> calling virtio_net_hdr_from_skb.
>
> The bug is fixed by converting netoff to unsigned int
> and checking if it exceeds USHRT_MAX.
>
> This addresses CVE-2020-14386
>
> Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
> Signed-off-by: Or Cohen <orcohen at paloaltonetworks.com>
> Signed-off-by: Eric Dumazet <edumazet at google.com>
>
> [ snu: backported to 4.9, changed tp_drops counting/locking ]
>
> Signed-off-by: Stefan Nuernberger <snu at amazon.com>
> CC: David Woodhouse <dwmw at amazon.co.uk>
> CC: Amit Shah <aams at amazon.com>
> CC: stable at vger.kernel.org
>
> [ mhcerri: from the netdev mailing list:
> https://lore.kernel.org/netdev/CAM6JnLf_8nwzq+UGO+amXpeApCDarJjwzOEHQd5qBhU7YKm3DQ@mail.gmail.com/
> This is the fixed proposed on the mailing list for 4.9, this fix
> should be intended to any kernel that doesn't have commit id 8e8e2951e309
> ("net/packet: make tp_drops atomic"). For us, that means any kernel
> before 5.3.
> Tested with the reproducer proposed by the author.]
> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri at canonical.com>
> ---
> net/packet/af_packet.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
> index 89d6b0957d07..cd5fbec69de8 100644
> --- a/net/packet/af_packet.c
> +++ b/net/packet/af_packet.c
> @@ -2160,7 +2160,8 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
> int skb_len = skb->len;
> unsigned int snaplen, res;
> unsigned long status = TP_STATUS_USER;
> - unsigned short macoff, netoff, hdrlen;
> + unsigned short macoff, hdrlen;
> + unsigned int netoff;
> struct sk_buff *copy_skb = NULL;
> struct timespec ts;
> __u32 ts_status;
> @@ -2223,6 +2224,12 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
> }
> macoff = netoff - maclen;
> }
> + if (netoff > USHRT_MAX) {
> + spin_lock(&sk->sk_receive_queue.lock);
> + po->stats.stats1.tp_drops++;
> + spin_unlock(&sk->sk_receive_queue.lock);
> + goto drop_n_restore;
> + }
> if (po->tp_version <= TPACKET_V2) {
> if (macoff + snaplen > po->rx_ring.frame_size) {
> if (po->copy_thresh &&
> --
> 2.25.1
>
--
Regards,
Marcelo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20200905/e851fc41/attachment.sig>
More information about the kernel-team
mailing list