diff mbox series

[5.8,115/186] net/packet: fix overflow in tpacket_rcv

Message ID	20200908152247.210099253@linuxfoundation.org
State	Superseded
Headers	show Return-Path: <SRS0=jcEg=CR=vger.kernel.org=stable-owner@kernel.org> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Or Cohen <orcohen@paloaltonetworks.com>, Eric Dumazet <edumazet@google.com>, Linus Torvalds <torvalds@linux-foundation.org>, Sasha Levin <sashal@kernel.org> Subject: [PATCH 5.8 115/186] net/packet: fix overflow in tpacket_rcv Date: Tue, 8 Sep 2020 17:24:17 +0200 Message-Id: <20200908152247.210099253@linuxfoundation.org> In-Reply-To: <20200908152241.646390211@linuxfoundation.org> References: <20200908152241.646390211@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org Precedence: bulk
Series	None \| expand [5.8,002/186] HID: quirks: Always poll three more Lenovo PixArt mice [5.8,003/186] drm/msm/dpu: Fix reservation failures in modeset [5.8,004/186] drm/msm/dpu: Fix scale params in plane validation [5.8,005/186] drm/msm/dpu: fix unitialized variable error [5.8,006/186] tty: serial: qcom_geni_serial: Drop __init from qcom_geni_console_setup [5.8,007/186] drm/msm: add shutdown support for display platform_driver [5.8,008/186] hwmon: (applesmc) check status earlier. [5.8,009/186] nvmet: Disable keep-alive timer when kato is cleared to 0h [5.8,010/186] drm/msm: enable vblank during atomic commits [5.8,011/186] habanalabs: unmap PCI bars upon iATU failure [5.8,012/186] habanalabs: validate packet id during CB parse [5.8,013/186] habanalabs: set clock gating according to mask [5.8,014/186] habanalabs: proper handling of alloc size in coresight [5.8,015/186] habanalabs: set max power according to card type [5.8,016/186] habanalabs: validate FW file size [5.8,017/186] habanalabs: check correct vmalloc return code [5.8,018/186] drm/msm/a6xx: fix gmu start on newer firmware [5.8,019/186] gfs2: add some much needed cleanup for log flushes that fail [5.8,020/186] hv_utils: return error if host timesysnc update is stale [5.8,021/186] hv_utils: drain the timesync packets on onchannelcallback [5.8,022/186] ceph: dont allow setlease on cephfs [5.8,023/186] i2c: iproc: Fix shifting 31 bits [5.8,024/186] drm/omap: fix incorrect lock state [5.8,025/186] irqchip/ingenic: Leave parent IRQ unmasked on suspend [5.8,026/186] cpuidle: Fixup IRQ state [5.8,027/186] nbd: restore default timeout when setting it to zero [5.8,028/186] s390: dont trace preemption in percpu macros [5.8,029/186] drm/amd/display: should check error using DC_OK [5.8,030/186] drm/amd/display: Reject overlay plane configurations in multi-display scenarios [5.8,031/186] drivers: gpu: amd: Initialize amdgpu_dm_backlight_caps object to 0 in amdgpu_dm_upd... [5.8,032/186] drm/amd/display: Revert HDCP disable sequence change [5.8,033/186] drm/amd/display: Fix passive dongle mistaken as active dongle in EDID emulation [5.8,034/186] drm/amd/display: Keep current gain when ABM disable immediately [5.8,035/186] drm/amd/display: Retry AUX write when fail occurs [5.8,036/186] drm/amd/display: Fix memleak in amdgpu_dm_mode_config_init [5.8,037/186] xen/xenbus: Fix granting of vmallocd memory [5.8,038/186] fsldma: fix very broken 32-bit ppc ioread64 functionality [5.8,039/186] dmaengine: of-dma: Fix of_dma_router_xlates of_dma_xlate handling [5.8,040/186] batman-adv: Avoid uninitialized chaddr when handling DHCP [5.8,041/186] batman-adv: Fix own OGM check in aggregated OGMs [5.8,042/186] batman-adv: bla: use netif_rx_ni when not in interrupt context [5.8,043/186] dmaengine: at_hdmac: check return value of of_find_device_by_node() in at_dma_xlate() [5.8,044/186] dmaengine: at_hdmac: add missing put_device() call in at_dma_xlate() [5.8,045/186] dmaengine: at_hdmac: add missing kfree() call in at_dma_xlate() [5.8,046/186] rxrpc: Keep the ACK serial in a var in rxrpc_input_ack() [5.8,047/186] rxrpc: Fix loss of RTT samples due to interposed ACK [5.8,048/186] rxrpc: Make rxrpc_kernel_get_srtt() indicate validity [5.8,049/186] MIPS: mm: BMIPS5000 has inclusive physical caches [5.8,050/186] MIPS: BMIPS: Also call bmips_cpu_setup() for secondary cores [5.8,051/186] mmc: sdhci-acpi: Fix HS400 tuning for AMDI0040 [5.8,052/186] perf sched timehist: Fix use of CPU list with summary option [5.8,053/186] perf top: Skip side-band event setup if HAVE_LIBBPF_SUPPORT is not set [5.8,054/186] netfilter: nf_tables: add NFTA_SET_USERDATA if not null [5.8,055/186] netfilter: nf_tables: incorrect enum nft_list_attributes definition [5.8,056/186] netfilter: nf_tables: fix destination register zeroing [5.8,057/186] net: hns: Fix memleak in hns_nic_dev_probe [5.8,058/186] net: systemport: Fix memleak in bcm_sysport_probe [5.8,059/186] ravb: Fixed to be able to unload modules [5.8,060/186] net: arc_emac: Fix memleak in arc_mdio_probe [5.8,061/186] bpf: Fix a buffer out-of-bound access when filling raw_tp link_info [5.8,062/186] dmaengine: pl330: Fix burst length if burst size is smaller than bus width [5.8,063/186] dmaengine: ti: k3-udma: Fix the TR initialization for prep_slave_sg [5.8,064/186] gtp: add GTPA_LINK info to msg sent to userspace [5.8,065/186] net: ethernet: ti: cpsw: fix clean up of vlan mc entries for host port [5.8,066/186] net: ethernet: ti: cpsw_new: fix clean up of vlan mc entries for host port [5.8,067/186] bnxt_en: Dont query FW when netif_running() is false. [5.8,068/186] bnxt_en: Check for zero dir entries in NVRAM. [5.8,069/186] bnxt_en: Fix ethtool -S statitics with XDP or TCs enabled. [5.8,070/186] bnxt_en: Fix PCI AER error recovery flow [5.8,071/186] bnxt_en: Fix possible crash in bnxt_fw_reset_task(). [5.8,072/186] bnxt_en: fix HWRM error when querying VF temperature [5.8,073/186] xfs: finish dfops on every insert range shift iteration [5.8,074/186] xfs: fix boundary test in xfs_attr_shortform_verify [5.8,075/186] bnxt: dont enable NAPI until rings are ready [5.8,076/186] media: vicodec: add missing v4l2_ctrl_request_hdl_put() [5.8,077/186] media: cedrus: Add missing v4l2_ctrl_request_hdl_put() [5.8,078/186] net: ethernet: ti: cpsw_new: fix error handling in cpsw_ndo_vlan_rx_kill_vid() [5.8,079/186] media: i2c: imx214: select V4L2_FWNODE [5.8,080/186] selftests/bpf: Fix massive output from test_maps [5.8,081/186] net: dsa: mt7530: fix advertising unsupported 1000baseT_Half [5.8,082/186] netfilter: nfnetlink: nfnetlink_unicast() reports EAGAIN instead of ENOBUFS [5.8,083/186] nvmet-fc: Fix a missed _irqsave version of spin_lock in nvmet_fc_fod_op_done() [5.8,084/186] nvme: fix controller instance leak [5.8,085/186] netfilter: conntrack: do not auto-delete clash entries on reply [5.8,086/186] opp: Dont drop reference for an OPP table that was never parsed [5.8,087/186] cxgb4: fix thermal zone device registration [5.8,088/186] net: ethernet: ti: am65-cpsw: fix rmii 100Mbit link mode [5.8,089/186] MIPS: perf: Fix wrong check condition of Loongson event IDs [5.8,090/186] block: fix locking in bdev_del_partition [5.8,091/186] perf top/report: Fix infinite loop in the TUI for grouped events [5.8,092/186] perf cs-etm: Fix corrupt data after perf inject from [5.8,093/186] perf intel-pt: Fix corrupt data after perf inject from [5.8,094/186] perf tools: Correct SNOOPX field offset [5.8,095/186] net: ethernet: mlx4: Fix memory allocation in mlx4_buddy_init() [5.8,096/186] fix regression in "epoll: Keep a reference on files added to the check list" [5.8,097/186] net: bcmgenet: fix mask check in bcmgenet_validate_flow() [5.8,098/186] net: gemini: Fix another missing clk_disable_unprepare() in probe [5.8,099/186] nfp: flower: fix ABI mismatch between driver and firmware [5.8,100/186] net: dp83867: Fix WoL SecureOn password [5.8,101/186] drm/radeon: Prefer lower feedback dividers [5.8,102/186] MIPS: add missing MSACSR and upper MSA initialization [5.8,103/186] MIPS: SNI: Fix SCSI interrupt [5.8,104/186] xfs: fix xfs_bmap_validate_extent_raw when checking attr fork of rt files [5.8,105/186] perf jevents: Fix suspicious code in fixregex() [5.8,106/186] perf stat: Turn off summary for interval mode by default [5.8,107/186] perf bench: The do_run_multi_threaded() function must use IS_ERR(perf_session__new()) [5.8,108/186] tg3: Fix soft lockup when tg3_reset_task() fails. [5.8,109/186] x86, fakenuma: Fix invalid starting node ID [5.8,110/186] iommu/vt-d: Serialize IOMMU GCMD register modifications [5.8,111/186] thermal: ti-soc-thermal: Fix bogus thermal shutdowns for omap4430 [5.8,112/186] thermal: qcom-spmi-temp-alarm: Dont suppress negative temp [5.8,113/186] iommu/amd: Restore IRTE.RemapEn bit after programming IRTE [5.8,114/186] iommu/amd: Use cmpxchg_double() when updating 128-bit IRTE [5.8,115/186] net/packet: fix overflow in tpacket_rcv [5.8,116/186] include/linux/log2.h: add missing () around n in roundup_pow_of_two() [5.8,117/186] iommu/vt-d: Handle 36bit addressing for x86-32 [5.8,118/186] tracing/kprobes, x86/ptrace: Fix regs argument order for i386 [5.8,119/186] x86/entry: Fix AC assertion [5.8,120/186] x86/debug: Allow a single level of #DB recursion [5.8,121/186] ext2: dont update mtime on COW faults [5.8,122/186] xfs: dont update mtime on COW faults [5.8,123/186] ARC: perf: dont bail setup if pct irq missing in device-tree [5.8,124/186] arc: fix memory initialization for systems with two memory banks [5.8,125/186] btrfs: drop path before adding new uuid tree entry [5.8,126/186] btrfs: fix potential deadlock in the search ioctl [5.8,127/186] btrfs: allocate scrub workqueues outside of locks [5.8,128/186] btrfs: set the correct lockdep class for new nodes [5.8,129/186] btrfs: set the lockdep class for log tree extent buffers [5.8,130/186] btrfs: block-group: fix free-space bitmap threshold [5.8,131/186] btrfs: tree-checker: fix the error message for transid error [5.8,132/186] Bluetooth: Return NOTIFY_DONE for hci_suspend_notifier [5.8,133/186] x86/mm/32: Bring back vmalloc faulting on x86_32 [5.8,134/186] Revert "ALSA: hda: Add support for Loongson 7A1000 controller" [5.8,135/186] ALSA: ca0106: fix error code handling [5.8,136/186] ALSA: usb-audio: Add basic capture support for Pioneer DJ DJM-250MK2 [5.8,137/186] ALSA: usb-audio: Add implicit feedback quirk for UR22C [5.8,138/186] ALSA: pcm: oss: Remove superfluous WARN_ON() for mulaw sanity check [5.8,139/186] ALSA: hda/hdmi: always check pin power status in i915 pin fixup [5.8,140/186] ALSA: firewire-digi00x: exclude Avid Adrenaline from detection [5.8,141/186] ALSA: hda - Fix silent audio output and corrupted input on MSI X570-A PRO [5.8,142/186] ALSA; firewire-tascam: exclude Tascam FE-8 from detection [5.8,143/186] ALSA: hda/realtek: Add quirk for Samsung Galaxy Book Ion NT950XCJ-X716A [5.8,144/186] ALSA: hda/realtek - Improved routing for Thinkpad X1 7th/8th Gen [5.8,145/186] arm64: dts: mt7622: add reset node for mmc device [5.8,146/186] mmc: mediatek: add optional module reset property [5.8,147/186] mmc: dt-bindings: Add resets/reset-names for Mediatek MMC bindings [5.8,148/186] mmc: sdhci-pci: Fix SDHCI_RESET_ALL for CQHCI for Intel GLK-based controllers [5.8,149/186] media: rc: do not access device via sysfs after rc_unregister_device() [5.8,150/186] media: rc: uevent sysfs file races with rc_unregister_device() [5.8,151/186] affs: fix basic permission bits to actually work [5.8,152/186] block: allow for_each_bvec to support zero len bvec [5.8,153/186] block: ensure bdi->io_pages is always initialized [5.8,154/186] io_uring: set table->files[i] to NULL when io_sqe_file_register failed [5.8,155/186] io_uring: fix removing the wrong file in __io_sqe_files_update() [5.8,156/186] s390: fix GENERIC_LOCKBREAK dependency typo in Kconfig [5.8,157/186] libata: implement ATA_HORKAGE_MAX_TRIM_128M and apply to Sandisks [5.8,158/186] mips/oprofile: Fix fallthrough placement [5.8,159/186] blk-iocost: ioc_pd_free() shouldnt assume irq disabled [5.8,160/186] blk-stat: make q->stats->lock irqsafe [5.8,161/186] dmaengine: dw-edma: Fix scatter-gather address calculation [5.8,162/186] drm/i915: Fix sha_text population code [5.8,163/186] drm/amd/pm: avoid false alarm due to confusing softwareshutdowntemp setting [5.8,164/186] drm/amdgpu: Specify get_argument function for ci_smu_funcs [5.8,165/186] dm writecache: handle DAX to partitions on persistent memory correctly [5.8,166/186] dm mpath: fix racey management of PG initialization [5.8,167/186] dm integrity: fix error reporting in bitmap mode after creation [5.8,168/186] dm crypt: Initialize crypto wait structures [5.8,169/186] dm cache metadata: Avoid returning cmd->bm wild pointer on error [5.8,170/186] dm thin metadata: Avoid returning cmd->bm wild pointer on error [5.8,171/186] dm thin metadata: Fix use-after-free in dm_bm_set_read_only [5.8,172/186] mm: slub: fix conversion of freelist_corrupted() [5.8,173/186] mm: track page table modifications in __apply_to_page_range() [5.8,174/186] mm: madvise: fix vma user-after-free [5.8,175/186] mm/rmap: fixup copying of soft dirty and uffd ptes [5.8,176/186] io_uring: no read/write-retry on -EAGAIN error and O_NONBLOCK marked file [5.8,177/186] perf record: Correct the help info of option "--no-bpf-event" [5.8,178/186] kconfig: streamline_config.pl: check defined(ENV variable) before using it [5.8,179/186] sdhci: tegra: Add missing TMCLK for data timeout [5.8,180/186] checkpatch: fix the usage of capture group ( ... ) [5.8,181/186] mm/migrate: fixup setting UFFD_WP flag [5.8,182/186] mm/hugetlb: try preferred node first when alloc gigantic page from cma [5.8,183/186] mm/hugetlb: fix a race between hugetlb sysctl handlers [5.8,184/186] mm/khugepaged.c: fix khugepageds request size in collapse_file [5.8,185/186] cfg80211: regulatory: reject invalid hints [5.8,186/186] net: usb: Fix uninit-was-stored issue in asix_read_phy_addr()

Commit Message

Greg Kroah-Hartman Sept. 8, 2020, 3:24 p.m. UTC

From: Or Cohen <orcohen@paloaltonetworks.com>

[ Upstream commit acf69c946233259ab4d64f8869d4037a198c7f06 ]

Using tp_reserve to calculate netoff can overflow as
tp_reserve is unsigned int and netoff is unsigned short.

This may lead to macoff receving a smaller value then
sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
is set, an out-of-bounds write will occur when
calling virtio_net_hdr_from_skb.

The bug is fixed by converting netoff to unsigned int
and checking if it exceeds USHRT_MAX.

This addresses CVE-2020-14386

Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
Signed-off-by: Or Cohen <orcohen@paloaltonetworks.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/packet/af_packet.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff mbox series

Patch

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 301f41d4929bd..82f7802983797 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2170,7 +2170,8 @@  static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
 	int skb_len = skb->len;
 	unsigned int snaplen, res;
 	unsigned long status = TP_STATUS_USER;
-	unsigned short macoff, netoff, hdrlen;
+	unsigned short macoff, hdrlen;
+	unsigned int netoff;
 	struct sk_buff *copy_skb = NULL;
 	struct timespec64 ts;
 	__u32 ts_status;
@@ -2239,6 +2240,10 @@  static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
 		}
 		macoff = netoff - maclen;
 	}
+	if (netoff > USHRT_MAX) {
+		atomic_inc(&po->tp_drops);
+		goto drop_n_restore;
+	}
 	if (po->tp_version <= TPACKET_V2) {
 		if (macoff + snaplen > po->rx_ring.frame_size) {
 			if (po->copy_thresh &&