From 21364b62864c7f116a9ddbe4570422cc910b1695 Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Tue, 11 Aug 2015 22:54:01 +0200
Subject: [PATCH] virtio-net: drop NETIF_F_FRAGLIST (CVE-2015-5156)
---
 debian/changelog | 1 +
 .../virtio-net-drop-netif_f_fraglist.patch | 41 +++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 43 insertions(+)
 create mode 100644 debian/patches/bugfix/all/virtio-net-drop-netif_f_fraglist.patch
diff --git a/debian/changelog b/debian/changelog
index dd5614cc4..67bb99989 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -344,6 +344,7 @@ linux (4.1.5-1) UNRELEASED; urgency=medium
 - debian/control: Update Vcs-* fields
 - README.Debian, README.source: Update references to svn
 * Bump ABI to 2
+ * virtio-net: drop NETIF_F_FRAGLIST (CVE-2015-5156)
 -- Ian Campbell Tue, 04 Aug 2015 19:31:45 +0100
diff --git a/debian/patches/bugfix/all/virtio-net-drop-netif_f_fraglist.patch b/debian/patches/bugfix/all/virtio-net-drop-netif_f_fraglist.patch
new file mode 100644
index 000000000..6474d0c4e
--- /dev/null
+++ b/debian/patches/bugfix/all/virtio-net-drop-netif_f_fraglist.patch
@@ -0,0 +1,41 @@
+From: Jason Wang
+Subject: [PATCH net] virtio-net: drop NETIF_F_FRAGLIST
+Date: Tue, 4 Aug 2015 17:55:45 +0800
+Origin: http://permalink.gmane.org/gmane.linux.kernel/2012169
+
+virtio declares support for NETIF_F_FRAGLIST, but assumes
+that there are at most MAX_SKB_FRAGS + 2 fragments which isn't
+always true with a fraglist.
+
+A longer fraglist in the skb will make the call to skb_to_sgvec overflow
+the sg array, leading to memory corruption.
+
+Drop NETIF_F_FRAGLIST so we only get what we can handle.
+
+Cc: Michael S. Tsirkin
+Signed-off-by: Jason Wang
+---
+The patch is needed for stable.
+---
+ drivers/net/virtio_net.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 7fbca37..2347a73 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -1756,9 +1756,9 @@ static int virtnet_probe(struct virtio_device *vdev)
+ /* Do we support "hardware" checksums? */
+ if (virtio_has_feature(vdev, VIRTIO_NET_F_CSUM)) {
+ /* This opens up the world of extra features. */
+- dev->hw_features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST;
++ dev->hw_features |= NETIF_F_HW_CSUM|NETIF_F_SG;
+ if (csum)
+- dev->features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST;
++ dev->features |= NETIF_F_HW_CSUM|NETIF_F_SG;
+
+ if (virtio_has_feature(vdev, VIRTIO_NET_F_GSO)) {
+ dev->hw_features |= NETIF_F_TSO | NETIF_F_UFO
+--
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index ee3abd845..756d4fa37 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -96,3 +96,4 @@ features/all/grsecurity/grsecurity-kconfig.patch
 # Disabled until we add code into the grsecurity/ directory
 #features/all/grsecurity/grsecurity-kbuild.patch
 features/all/grsecurity/grkernsec_perf_harden.patch
+bugfix/all/virtio-net-drop-netif_f_fraglist.patch
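Review bot: In the virtio_net.c hunk carried by the new patch file, the two feature assignments under the VIRTIO_NET_F_CSUM check drop NETIF_F_FRAGLIST without any code comment saying why, so the only thing preventing the sg-array overflow described in the patch header is a flag that a later feature cleanup could re-add. I would add a comment above the first assignment, for example `/* No NETIF_F_FRAGLIST: the sg array holds at most MAX_SKB_FRAGS + 2 entries */`. The skb_to_sgvec call and the sizing of the sg array are outside this hunk, so it cannot be confirmed from here whether that path also bounds the number of entries it writes; if it does not, a length check there would be worth a follow-up as defence in depth. virtnet_probe starts and ends outside the hunk.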