[4.9,17/54] net/packet: fix overflow in tpacket_rcv

Message ID	20201012132630.392196471@linuxfoundation.org
State	Superseded
Headers	show Return-Path: <SRS0=uWP8=DT=vger.kernel.org=stable-owner@kernel.org> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Or Cohen <orcohen@paloaltonetworks.com>, Eric Dumazet <edumazet@google.com>, Linus Torvalds <torvalds@linux-foundation.org>, Stefan Nuernberger <snu@amazon.com>, David Woodhouse <dwmw@amazon.co.uk>, Amit Shah <aams@amazon.com> Subject: [PATCH 4.9 17/54] net/packet: fix overflow in tpacket_rcv Date: Mon, 12 Oct 2020 15:26:39 +0200 Message-Id: <20201012132630.392196471@linuxfoundation.org> In-Reply-To: <20201012132629.585664421@linuxfoundation.org> References: <20201012132629.585664421@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	None \| expand [4.9,02/54] vsock/virtio: stop workers during the .remove() [4.9,03/54] USB: gadget: f_ncm: Fix NDP16 datagram validation [4.9,07/54] net: dec: de2104x: Increase receive ring size for Tulip [4.9,08/54] rndis_host: increase sleep time in the query-response loop [4.9,11/54] mac80211: do not allow bigger VHT MPDUs than the hardware supports [4.9,13/54] clk: samsung: exynos4: mark chipid clock as CLK_IGNORE_UNUSED [4.9,15/54] i2c: cpm: Fix i2c_ram structure [4.9,16/54] random32: Restore __latent_entropy attribute on net_rand_state [4.9,17/54] net/packet: fix overflow in tpacket_rcv [4.9,19/54] epoll: replace ->visited/visited_list with generation count [4.9,21/54] ep_create_wakeup_source(): dentry name can change under you... [4.9,24/54] Fonts: Support FONT_EXTRA_WORDS macros for built-in fonts [4.9,25/54] Revert "ravb: Fixed to be able to unload modules" [4.9,26/54] fbcon: Fix global-out-of-bounds read in fbcon_get_font() [4.9,29/54] platform/x86: thinkpad_acpi: initialize tp_nvram_state variable [4.9,33/54] mtd: rawnand: sunxi: Fix the probe error path [4.9,35/54] macsec: avoid use-after-free in macsec_handle_frame() [4.9,38/54] team: set dev->needed_headroom in team_setup_by_port() [4.9,39/54] net: team: fix memory leak in __team_options_register [4.9,40/54] openvswitch: handle DNAT tuple collision [4.9,42/54] xfrm: clone XFRMA_REPLAY_ESN_VAL in xfrm_do_migrate [4.9,46/54] bonding: set dev->needed_headroom in bond_setup_by_slave() [4.9,47/54] mdio: fix mdio-thunder.c dependency & build error [4.9,50/54] rxrpc: Fix some missing _bh annotations on locking conn->state_lock [4.9,52/54] perf: Fix task_function_call() error handling [4.9,53/54] mm: khugepaged: recalculate min_free_kbytes after memory hotplug as expected by khuge... [4.9,54/54] net: usb: rtl8150: set random MAC address when set_ethernet_addr() fails

Message ID

20201012132630.392196471@linuxfoundation.org

State

Superseded

Headers

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Or Cohen <orcohen@paloaltonetworks.com>,
	Eric Dumazet <edumazet@google.com>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Stefan Nuernberger <snu@amazon.com>, David Woodhouse <dwmw@amazon.co.uk>,
	Amit Shah <aams@amazon.com>
Subject: [PATCH 4.9 17/54] net/packet: fix overflow in tpacket_rcv
Date: Mon, 12 Oct 2020 15:26:39 +0200
Message-Id: <20201012132630.392196471@linuxfoundation.org>
In-Reply-To: <20201012132629.585664421@linuxfoundation.org>
References: <20201012132629.585664421@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

None | expand

Commit Message

Greg Kroah-Hartman Oct. 12, 2020, 1:26 p.m. UTC

From: Or Cohen <orcohen@paloaltonetworks.com>

commit acf69c946233259ab4d64f8869d4037a198c7f06 upstream.

Using tp_reserve to calculate netoff can overflow as
tp_reserve is unsigned int and netoff is unsigned short.

This may lead to macoff receving a smaller value then
sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
is set, an out-of-bounds write will occur when
calling virtio_net_hdr_from_skb.

The bug is fixed by converting netoff to unsigned int
and checking if it exceeds USHRT_MAX.

This addresses CVE-2020-14386

Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
Signed-off-by: Or Cohen <orcohen@paloaltonetworks.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[ snu: backported to pre-5.3, changed tp_drops counting/locking ]
Signed-off-by: Stefan Nuernberger <snu@amazon.com>
CC: David Woodhouse <dwmw@amazon.co.uk>
CC: Amit Shah <aams@amazon.com>
CC: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/packet/af_packet.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2161,7 +2161,8 @@  static int tpacket_rcv(struct sk_buff *s
 	int skb_len = skb->len;
 	unsigned int snaplen, res;
 	unsigned long status = TP_STATUS_USER;
-	unsigned short macoff, netoff, hdrlen;
+	unsigned short macoff, hdrlen;
+	unsigned int netoff;
 	struct sk_buff *copy_skb = NULL;
 	struct timespec ts;
 	__u32 ts_status;
@@ -2223,6 +2224,12 @@  static int tpacket_rcv(struct sk_buff *s
 		}
 		macoff = netoff - maclen;
 	}
+	if (netoff > USHRT_MAX) {
+		spin_lock(&sk->sk_receive_queue.lock);
+		po->stats.stats1.tp_drops++;
+		spin_unlock(&sk->sk_receive_queue.lock);
+		goto drop_n_restore;
+	}
 	if (po->tp_version <= TPACKET_V2) {
 		if (macoff + snaplen > po->rx_ring.frame_size) {
 			if (po->copy_thresh &&

[4.9,17/54] net/packet: fix overflow in tpacket_rcv

Commit Message

Patch