CVE-2014-0077 vhost-net: insufficent big packet handling in handle_rx (rhbz 1064440 1081504)
This commit is contained in:
parent
6676648289
commit
db8999a3dc
@ -648,6 +648,10 @@ Patch25049: core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-err
|
|||||||
#CVE-2014-0055 rhbz 1062577 1081503
|
#CVE-2014-0055 rhbz 1062577 1081503
|
||||||
Patch25050: net-vhost-validate-vhost_get_vq_desc-return-value.patch
|
Patch25050: net-vhost-validate-vhost_get_vq_desc-return-value.patch
|
||||||
|
|
||||||
|
#CVE-2014-0077 rhbz 1064440 1081504
|
||||||
|
Patch25051: net-vhost-fix-total-length-when-packets-are-too-short.patch
|
||||||
|
|
||||||
|
|
||||||
# END OF PATCH DEFINITIONS
|
# END OF PATCH DEFINITIONS
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
@ -1301,6 +1305,9 @@ ApplyPatch core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-erro
|
|||||||
#CVE-2014-0055 rhbz 1062577 1081503
|
#CVE-2014-0055 rhbz 1062577 1081503
|
||||||
ApplyPatch net-vhost-validate-vhost_get_vq_desc-return-value.patch
|
ApplyPatch net-vhost-validate-vhost_get_vq_desc-return-value.patch
|
||||||
|
|
||||||
|
#CVE-2014-0077 rhbz 1064440 1081504
|
||||||
|
ApplyPatch net-vhost-fix-total-length-when-packets-are-too-short.patch
|
||||||
|
|
||||||
# END OF PATCH APPLICATIONS
|
# END OF PATCH APPLICATIONS
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
@ -2081,6 +2088,7 @@ fi
|
|||||||
# || ||
|
# || ||
|
||||||
%changelog
|
%changelog
|
||||||
* Fri Mar 28 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
* Fri Mar 28 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||||
|
- CVE-2014-0077 vhost-net: insufficent big packet handling in handle_rx (rhbz 1064440 1081504)
|
||||||
- CVE-2014-0055 vhost-net: insufficent error handling in get_rx_bufs (rhbz 1062577 1081503)
|
- CVE-2014-0055 vhost-net: insufficent error handling in get_rx_bufs (rhbz 1062577 1081503)
|
||||||
- CVE-2014-2568 net: potential info leak when ubuf backed skbs are zero copied (rhbz 1079012 1079013)
|
- CVE-2014-2568 net: potential info leak when ubuf backed skbs are zero copied (rhbz 1079012 1079013)
|
||||||
|
|
||||||
|
80
net-vhost-fix-total-length-when-packets-are-too-short.patch
Normal file
80
net-vhost-fix-total-length-when-packets-are-too-short.patch
Normal file
@ -0,0 +1,80 @@
|
|||||||
|
Bugzilla: 1081504
|
||||||
|
Upstream-status: Sent to netdev list
|
||||||
|
|
||||||
|
From patchwork Thu Mar 27 10:00:26 2014
|
||||||
|
Content-Type: text/plain; charset="utf-8"
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Transfer-Encoding: 7bit
|
||||||
|
Subject: [PATCHv2,net] vhost: fix total length when packets are too short
|
||||||
|
From: "Michael S. Tsirkin" <mst@redhat.com>
|
||||||
|
X-Patchwork-Id: 334283
|
||||||
|
Message-Id: <20140327100026.GA30715@redhat.com>
|
||||||
|
To: linux-kernel@vger.kernel.org
|
||||||
|
Cc: kvm@vger.kernel.org, virtio-dev@lists.oasis-open.org,
|
||||||
|
virtualization@lists.linux-foundation.org, netdev@vger.kernel.org,
|
||||||
|
Jason Wang <jasowang@redhat.com>, David Miller <davem@davemloft.net>
|
||||||
|
Date: Thu, 27 Mar 2014 12:00:26 +0200
|
||||||
|
|
||||||
|
When mergeable buffers are disabled, and the
|
||||||
|
incoming packet is too large for the rx buffer,
|
||||||
|
get_rx_bufs returns success.
|
||||||
|
|
||||||
|
This was intentional in order for make recvmsg
|
||||||
|
truncate the packet and then handle_rx would
|
||||||
|
detect err != sock_len and drop it.
|
||||||
|
|
||||||
|
Unfortunately we pass the original sock_len to
|
||||||
|
recvmsg - which means we use parts of iov not fully
|
||||||
|
validated.
|
||||||
|
|
||||||
|
Fix this up by detecting this overrun and doing packet drop
|
||||||
|
immediately.
|
||||||
|
|
||||||
|
CVE-2014-0077
|
||||||
|
|
||||||
|
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
||||||
|
|
||||||
|
---
|
||||||
|
Changes from v1:
|
||||||
|
Fix CVE# in the commit log.
|
||||||
|
Patch is unchanged.
|
||||||
|
|
||||||
|
Note: this is needed for -stable.
|
||||||
|
|
||||||
|
I wonder if this can still make the release.
|
||||||
|
|
||||||
|
drivers/vhost/net.c | 14 ++++++++++++++
|
||||||
|
1 file changed, 14 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
|
||||||
|
index a0fa5de..026be58 100644
|
||||||
|
--- a/drivers/vhost/net.c
|
||||||
|
+++ b/drivers/vhost/net.c
|
||||||
|
@@ -532,6 +532,12 @@ static int get_rx_bufs(struct vhost_virtqueue *vq,
|
||||||
|
*iovcount = seg;
|
||||||
|
if (unlikely(log))
|
||||||
|
*log_num = nlogs;
|
||||||
|
+
|
||||||
|
+ /* Detect overrun */
|
||||||
|
+ if (unlikely(datalen > 0)) {
|
||||||
|
+ r = UIO_MAXIOV + 1;
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
return headcount;
|
||||||
|
err:
|
||||||
|
vhost_discard_vq_desc(vq, headcount);
|
||||||
|
@@ -587,6 +593,14 @@ static void handle_rx(struct vhost_net *net)
|
||||||
|
/* On error, stop handling until the next kick. */
|
||||||
|
if (unlikely(headcount < 0))
|
||||||
|
break;
|
||||||
|
+ /* On overrun, truncate and discard */
|
||||||
|
+ if (unlikely(headcount > UIO_MAXIOV)) {
|
||||||
|
+ msg.msg_iovlen = 1;
|
||||||
|
+ err = sock->ops->recvmsg(NULL, sock, &msg,
|
||||||
|
+ 1, MSG_DONTWAIT | MSG_TRUNC);
|
||||||
|
+ pr_debug("Discarded rx packet: len %zd\n", sock_len);
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
/* OK, now we need to know about added descriptors. */
|
||||||
|
if (!headcount) {
|
||||||
|
if (unlikely(vhost_enable_notify(&net->dev, vq))) {
|
Loading…
Reference in New Issue
Block a user