[Zesty][SRU][PATCH 0/1] Fix for CVE-2017-14497

Po-Hsu Lin (Sam)
From our tracker, only Zesty needs this patch and it can be cherry-picked.

It looks like this issue will be triggered when tp_reserve is too big, causing
mac_off to be greater than the rx_ring.frame_size.
This will be fixed in this patch.

Benjamin Poirier (1):
  packet: Don't write vnet header beyond end of buffer

 net/packet/af_packet.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

--
2.7.4


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[CVE-2017-14497][Zesty][SRU][PATCH 1/1] packet: Don't write vnet header beyond end of buffer

Po-Hsu Lin (Sam)
From: Benjamin Poirier <[hidden email]>

CVE-2017-14497

... which may happen with certain values of tp_reserve and maclen.

Fixes: 58d19b19cd99 ("packet: vnet_hdr support for tpacket_rcv")
Signed-off-by: Benjamin Poirier <[hidden email]>
Cc: Willem de Bruijn <[hidden email]>
Acked-by: Willem de Bruijn <[hidden email]>
Signed-off-by: David S. Miller <[hidden email]>
(cherry picked from commit edbd58be15a957f6a760c4a514cd475217eb97fd)
Signed-off-by: Po-Hsu Lin <[hidden email]>
---
 net/packet/af_packet.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index ede751d..9651ff2 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2140,6 +2140,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
  struct timespec ts;
  __u32 ts_status;
  bool is_drop_n_account = false;
+ bool do_vnet = false;
 
  /* struct tpacket{2,3}_hdr is aligned to a multiple of TPACKET_ALIGNMENT.
  * We may add members to them until current aligned size without forcing
@@ -2190,8 +2191,10 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
  netoff = TPACKET_ALIGN(po->tp_hdrlen +
        (maclen < 16 ? 16 : maclen)) +
        po->tp_reserve;
- if (po->has_vnet_hdr)
+ if (po->has_vnet_hdr) {
  netoff += sizeof(struct virtio_net_hdr);
+ do_vnet = true;
+ }
  macoff = netoff - maclen;
  }
  if (po->tp_version <= TPACKET_V2) {
@@ -2208,8 +2211,10 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
  skb_set_owner_r(copy_skb, sk);
  }
  snaplen = po->rx_ring.frame_size - macoff;
- if ((int)snaplen < 0)
+ if ((int)snaplen < 0) {
  snaplen = 0;
+ do_vnet = false;
+ }
  }
  } else if (unlikely(macoff + snaplen >
     GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len)) {
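Review bot: the guard at `if ((int)snaplen < 0)` detects macoff running past the frame only through the sign of a cast difference, and do_vnet now depends on that same test. Comparing `macoff > po->rx_ring.frame_size` before the subtraction would state the bound directly and would not rely on the widths of snaplen and macoff, which are declared outside this hunk.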
@@ -2222,6 +2227,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
  if (unlikely((int)snaplen < 0)) {
  snaplen = 0;
  macoff = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len;
+ do_vnet = false;
  }
  }
  spin_lock(&sk->sk_receive_queue.lock);
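Review bot: `do_vnet = false;` comes right after `macoff = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len;`, so with the clamped macoff the header write at `h.raw + macoff - sizeof(struct virtio_net_hdr)` in the last hunk would end at max_frame_len and the reset can look redundant to a later reader. A one-line comment saying the vnet header is skipped whenever snaplen has been forced to 0 would keep a future cleanup from dropping it.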
@@ -2247,7 +2253,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
  }
  spin_unlock(&sk->sk_receive_queue.lock);
 
- if (po->has_vnet_hdr) {
+ if (do_vnet) {
  if (virtio_net_hdr_from_skb(skb, h.raw + macoff -
     sizeof(struct virtio_net_hdr),
     vio_le(), true)) {
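Review bot: the condition `if (do_vnet)` is narrower than the `po->has_vnet_hdr` it replaces, and that is not documented. Per the second hunk, do_vnet becomes true only in the block that adds `sizeof(struct virtio_net_hdr)` to netoff, so any path that does not go through that block no longer gets a header written even when has_vnet_hdr is set. The commit message only says "which may happen with certain values of tp_reserve and maclen"; stating this second behavioural change there, or in a comment at the declaration of do_vnet, would make the backport easier to review.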
--
2.7.4

