virtio-net: drop NETIF_F_FRAGLIST (CVE-2015-5156)

2015-08-11 22:54:01 +02:00 · 2015-08-11 22:54:01 +02:00 · 21364b6286
parent 279bfdad45
commit 21364b6286
3 changed files with 43 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -344,6 +344,7 @@ linux (4.1.5-1) UNRELEASED; urgency=medium
    - debian/control: Update Vcs-* fields
    - README.Debian, README.source: Update references to svn
  * Bump ABI to 2
+  * virtio-net: drop NETIF_F_FRAGLIST (CVE-2015-5156)

 -- Ian Campbell <ijc@debian.org>  Tue, 04 Aug 2015 19:31:45 +0100

--- a/debian/patches/bugfix/all/virtio-net-drop-netif_f_fraglist.patch
+++ b/debian/patches/bugfix/all/virtio-net-drop-netif_f_fraglist.patch
@ -0,0 +1,41 @@
+From: Jason Wang <jasowang@redhat.com>
+Subject: [PATCH net] virtio-net: drop NETIF_F_FRAGLIST
+Date: Tue,  4 Aug 2015 17:55:45 +0800
+Origin: http://permalink.gmane.org/gmane.linux.kernel/2012169
+
+virtio declares support for NETIF_F_FRAGLIST, but assumes
+that there are at most MAX_SKB_FRAGS + 2 fragments which isn't
+always true with a fraglist.
+
+A longer fraglist in the skb will make the call to skb_to_sgvec overflow
+the sg array, leading to memory corruption.
+
+Drop NETIF_F_FRAGLIST so we only get what we can handle.
+
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+The patch is needed for stable.
+---
+ drivers/net/virtio_net.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 7fbca37..2347a73 100644
+--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
+@@ -1756,9 +1756,9 @@ static int virtnet_probe(struct virtio_device *vdev)
+ 	/* Do we support "hardware" checksums? */
+ 	if (virtio_has_feature(vdev, VIRTIO_NET_F_CSUM)) {
+ 		/* This opens up the world of extra features. */
+-		dev->hw_features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST;
+		dev->hw_features |= NETIF_F_HW_CSUM|NETIF_F_SG;
+ 		if (csum)
+-			dev->features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST;
+			dev->features |= NETIF_F_HW_CSUM|NETIF_F_SG;
+ 
+ 		if (virtio_has_feature(vdev, VIRTIO_NET_F_GSO)) {
+ 			dev->hw_features |= NETIF_F_TSO | NETIF_F_UFO
+-- 
+2.1.4
+
--- a/debian/patches/series
+++ b/debian/patches/series
@ -96,3 +96,4 @@ features/all/grsecurity/grsecurity-kconfig.patch
 # Disabled until we add code into the grsecurity/ directory
 #features/all/grsecurity/grsecurity-kbuild.patch
 features/all/grsecurity/grkernsec_perf_harden.patch
+bugfix/all/virtio-net-drop-netif_f_fraglist.patch