[kernel/f19] CVE-2014-0077 vhost-net: insufficent big packet handling in handle_rx (rhbz 1064440 1081504)

Josh Boyer jwboyer at fedoraproject.org
Fri Mar 28 16:30:09 UTC 2014 

commit e7c38eeb664653b20d1ac415277fb6846e5bacf1
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Fri Mar 28 11:22:42 2014 -0400

    CVE-2014-0077 vhost-net: insufficent big packet handling in handle_rx (rhbz 1064440 1081504)

 kernel.spec                                        |    8 ++
 ...x-total-length-when-packets-are-too-short.patch |   80 ++++++++++++++++++++
 2 files changed, 88 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 1107065..fad3da2 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -799,6 +799,10 @@ Patch25049: nfqueue-Orphan-frags-in-nfqnl_zcopy-and-handle-error.patch
 #CVE-2014-0055 rhbz 1062577 1081503
 Patch25050: net-vhost-validate-vhost_get_vq_desc-return-value.patch
 
+#CVE-2014-0077 rhbz 1064440 1081504
+Patch25051: net-vhost-fix-total-length-when-packets-are-too-short.patch
+
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1544,6 +1548,9 @@ ApplyPatch nfqueue-Orphan-frags-in-nfqnl_zcopy-and-handle-error.patch
 #CVE-2014-0055 rhbz 1062577 1081503
 ApplyPatch net-vhost-validate-vhost_get_vq_desc-return-value.patch
 
+#CVE-2014-0077 rhbz 1064440 1081504
+ApplyPatch net-vhost-fix-total-length-when-packets-are-too-short.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2357,6 +2364,7 @@ fi
 
 %changelog
 * Fri Mar 28 2014 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2014-0077 vhost-net: insufficent big packet handling in handle_rx (rhbz 1064440 1081504)
 - CVE-2014-0055 vhost-net: insufficent error handling in get_rx_bufs (rhbz 1062577 1081503)
 - CVE-2014-2568 net: potential info leak when ubuf backed skbs are zero copied (rhbz 1079012 1079013)
 
diff --git a/net-vhost-fix-total-length-when-packets-are-too-short.patch b/net-vhost-fix-total-length-when-packets-are-too-short.patch
new file mode 100644
index 0000000..a867794
--- /dev/null
+++ b/net-vhost-fix-total-length-when-packets-are-too-short.patch
@@ -0,0 +1,80 @@
+Bugzilla: 1081504
+Upstream-status: Sent to netdev list
+
+From patchwork Thu Mar 27 10:00:26 2014
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [PATCHv2,net] vhost: fix total length when packets are too short
+From: "Michael S. Tsirkin" <mst at redhat.com>
+X-Patchwork-Id: 334283
+Message-Id: <20140327100026.GA30715 at redhat.com>
+To: linux-kernel at vger.kernel.org
+Cc: kvm at vger.kernel.org, virtio-dev at lists.oasis-open.org,
+ virtualization at lists.linux-foundation.org, netdev at vger.kernel.org,
+ Jason Wang <jasowang at redhat.com>, David Miller <davem at davemloft.net>
+Date: Thu, 27 Mar 2014 12:00:26 +0200
+
+When mergeable buffers are disabled, and the
+incoming packet is too large for the rx buffer,
+get_rx_bufs returns success.
+
+This was intentional in order for make recvmsg
+truncate the packet and then handle_rx would
+detect err != sock_len and drop it.
+
+Unfortunately we pass the original sock_len to
+recvmsg - which means we use parts of iov not fully
+validated.
+
+Fix this up by detecting this overrun and doing packet drop
+immediately.
+
+CVE-2014-0077
+
+Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
+
+---
+Changes from v1:
+	Fix CVE# in the commit log.
+	Patch is unchanged.
+
+Note: this is needed for -stable.
+
+I wonder if this can still make the release.
+
+ drivers/vhost/net.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
+index a0fa5de..026be58 100644
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -532,6 +532,12 @@ static int get_rx_bufs(struct vhost_virtqueue *vq,
+ 	*iovcount = seg;
+ 	if (unlikely(log))
+ 		*log_num = nlogs;
++
++	/* Detect overrun */
++	if (unlikely(datalen > 0)) {
++		r = UIO_MAXIOV + 1;
++		goto err;
++	}
+ 	return headcount;
+ err:
+ 	vhost_discard_vq_desc(vq, headcount);
+@@ -587,6 +593,14 @@ static void handle_rx(struct vhost_net *net)
+ 		/* On error, stop handling until the next kick. */
+ 		if (unlikely(headcount < 0))
+ 			break;
++		/* On overrun, truncate and discard */
++		if (unlikely(headcount > UIO_MAXIOV)) {
++			msg.msg_iovlen = 1;
++			err = sock->ops->recvmsg(NULL, sock, &msg,
++						 1, MSG_DONTWAIT | MSG_TRUNC);
++			pr_debug("Discarded rx packet: len %zd\n", sock_len);
++			continue;
++		}
+ 		/* OK, now we need to know about added descriptors. */
+ 		if (!headcount) {
+ 			if (unlikely(vhost_enable_notify(&net->dev, vq))) {

More information about the scm-commits mailing list