[kernel/f19] CVE-2014-0077 vhost-net: insufficent big packet handling in handle_rx (rhbz 1064440 1081504)
Josh Boyer
jwboyer at fedoraproject.org
Fri Mar 28 16:30:09 UTC 2014
commit e7c38eeb664653b20d1ac415277fb6846e5bacf1
Author: Josh Boyer <jwboyer at redhat.com>
Date: Fri Mar 28 11:22:42 2014 -0400
CVE-2014-0077 vhost-net: insufficent big packet handling in handle_rx (rhbz 1064440 1081504)
kernel.spec | 8 ++
...x-total-length-when-packets-are-too-short.patch | 80 ++++++++++++++++++++
2 files changed, 88 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 1107065..fad3da2 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -799,6 +799,10 @@ Patch25049: nfqueue-Orphan-frags-in-nfqnl_zcopy-and-handle-error.patch
#CVE-2014-0055 rhbz 1062577 1081503
Patch25050: net-vhost-validate-vhost_get_vq_desc-return-value.patch
+#CVE-2014-0077 rhbz 1064440 1081504
+Patch25051: net-vhost-fix-total-length-when-packets-are-too-short.patch
+
+
# END OF PATCH DEFINITIONS
%endif
@@ -1544,6 +1548,9 @@ ApplyPatch nfqueue-Orphan-frags-in-nfqnl_zcopy-and-handle-error.patch
#CVE-2014-0055 rhbz 1062577 1081503
ApplyPatch net-vhost-validate-vhost_get_vq_desc-return-value.patch
+#CVE-2014-0077 rhbz 1064440 1081504
+ApplyPatch net-vhost-fix-total-length-when-packets-are-too-short.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2357,6 +2364,7 @@ fi
%changelog
* Fri Mar 28 2014 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2014-0077 vhost-net: insufficent big packet handling in handle_rx (rhbz 1064440 1081504)
- CVE-2014-0055 vhost-net: insufficent error handling in get_rx_bufs (rhbz 1062577 1081503)
- CVE-2014-2568 net: potential info leak when ubuf backed skbs are zero copied (rhbz 1079012 1079013)
diff --git a/net-vhost-fix-total-length-when-packets-are-too-short.patch b/net-vhost-fix-total-length-when-packets-are-too-short.patch
new file mode 100644
index 0000000..a867794
--- /dev/null
+++ b/net-vhost-fix-total-length-when-packets-are-too-short.patch
@@ -0,0 +1,80 @@
+Bugzilla: 1081504
+Upstream-status: Sent to netdev list
+
+From patchwork Thu Mar 27 10:00:26 2014
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [PATCHv2,net] vhost: fix total length when packets are too short
+From: "Michael S. Tsirkin" <mst at redhat.com>
+X-Patchwork-Id: 334283
+Message-Id: <20140327100026.GA30715 at redhat.com>
+To: linux-kernel at vger.kernel.org
+Cc: kvm at vger.kernel.org, virtio-dev at lists.oasis-open.org,
+ virtualization at lists.linux-foundation.org, netdev at vger.kernel.org,
+ Jason Wang <jasowang at redhat.com>, David Miller <davem at davemloft.net>
+Date: Thu, 27 Mar 2014 12:00:26 +0200
+
+When mergeable buffers are disabled, and the
+incoming packet is too large for the rx buffer,
+get_rx_bufs returns success.
+
+This was intentional in order for make recvmsg
+truncate the packet and then handle_rx would
+detect err != sock_len and drop it.
+
+Unfortunately we pass the original sock_len to
+recvmsg - which means we use parts of iov not fully
+validated.
+
+Fix this up by detecting this overrun and doing packet drop
+immediately.
+
+CVE-2014-0077
+
+Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
+
+---
+Changes from v1:
+ Fix CVE# in the commit log.
+ Patch is unchanged.
+
+Note: this is needed for -stable.
+
+I wonder if this can still make the release.
+
+ drivers/vhost/net.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
+index a0fa5de..026be58 100644
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -532,6 +532,12 @@ static int get_rx_bufs(struct vhost_virtqueue *vq,
+ *iovcount = seg;
+ if (unlikely(log))
+ *log_num = nlogs;
++
++ /* Detect overrun */
++ if (unlikely(datalen > 0)) {
++ r = UIO_MAXIOV + 1;
++ goto err;
++ }
+ return headcount;
+ err:
+ vhost_discard_vq_desc(vq, headcount);
+@@ -587,6 +593,14 @@ static void handle_rx(struct vhost_net *net)
+ /* On error, stop handling until the next kick. */
+ if (unlikely(headcount < 0))
+ break;
++ /* On overrun, truncate and discard */
++ if (unlikely(headcount > UIO_MAXIOV)) {
++ msg.msg_iovlen = 1;
++ err = sock->ops->recvmsg(NULL, sock, &msg,
++ 1, MSG_DONTWAIT | MSG_TRUNC);
++ pr_debug("Discarded rx packet: len %zd\n", sock_len);
++ continue;
++ }
+ /* OK, now we need to know about added descriptors. */
+ if (!headcount) {
+ if (unlikely(vhost_enable_notify(&net->dev, vq))) {
More information about the scm-commits
mailing list