net/packet: fix overflow in tpacket_rcv (CVE-2020-14386)
This commit is contained in:
parent
78087d6f60
commit
ad72e888ee
|
@ -732,6 +732,7 @@ linux (4.19.143-1) UNRELEASED; urgency=medium
|
||||||
* ACPI: configfs: Disallow loading ACPI tables when locked down
|
* ACPI: configfs: Disallow loading ACPI tables when locked down
|
||||||
(CVE-2020-15780)
|
(CVE-2020-15780)
|
||||||
* [rt] Update to 4.19.142-rt63
|
* [rt] Update to 4.19.142-rt63
|
||||||
|
* net/packet: fix overflow in tpacket_rcv (CVE-2020-14386)
|
||||||
|
|
||||||
-- Salvatore Bonaccorso <carnil@debian.org> Tue, 04 Aug 2020 16:33:40 +0200
|
-- Salvatore Bonaccorso <carnil@debian.org> Tue, 04 Aug 2020 16:33:40 +0200
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,57 @@
|
||||||
|
From: Or Cohen <orcohen@paloaltonetworks.com>
|
||||||
|
Date: Thu, 3 Sep 2020 21:05:28 -0700
|
||||||
|
Subject: net/packet: fix overflow in tpacket_rcv
|
||||||
|
Origin: https://git.kernel.org/linus/acf69c946233259ab4d64f8869d4037a198c7f06
|
||||||
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-14386
|
||||||
|
|
||||||
|
Using tp_reserve to calculate netoff can overflow as
|
||||||
|
tp_reserve is unsigned int and netoff is unsigned short.
|
||||||
|
|
||||||
|
This may lead to macoff receving a smaller value then
|
||||||
|
sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
|
||||||
|
is set, an out-of-bounds write will occur when
|
||||||
|
calling virtio_net_hdr_from_skb.
|
||||||
|
|
||||||
|
The bug is fixed by converting netoff to unsigned int
|
||||||
|
and checking if it exceeds USHRT_MAX.
|
||||||
|
|
||||||
|
This addresses CVE-2020-14386
|
||||||
|
|
||||||
|
Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
|
||||||
|
Signed-off-by: Or Cohen <orcohen@paloaltonetworks.com>
|
||||||
|
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||||||
|
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||||
|
[Salvatore Bonaccorso: Backport to v4.19.y:
|
||||||
|
- Adjust for context changes
|
||||||
|
- Revert change to use atomic_inc as v4.19.y does not contain 8e8e2951e309
|
||||||
|
("net/packet: make tp_drops atomic") introduced in v5.3-rc1
|
||||||
|
]
|
||||||
|
---
|
||||||
|
net/packet/af_packet.c | 7 ++++++-
|
||||||
|
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
--- a/net/packet/af_packet.c
|
||||||
|
+++ b/net/packet/af_packet.c
|
||||||
|
@@ -2162,7 +2162,8 @@ static int tpacket_rcv(struct sk_buff *s
|
||||||
|
int skb_len = skb->len;
|
||||||
|
unsigned int snaplen, res;
|
||||||
|
unsigned long status = TP_STATUS_USER;
|
||||||
|
- unsigned short macoff, netoff, hdrlen;
|
||||||
|
+ unsigned short macoff, hdrlen;
|
||||||
|
+ unsigned int netoff;
|
||||||
|
struct sk_buff *copy_skb = NULL;
|
||||||
|
struct timespec ts;
|
||||||
|
__u32 ts_status;
|
||||||
|
@@ -2225,6 +2226,12 @@ static int tpacket_rcv(struct sk_buff *s
|
||||||
|
}
|
||||||
|
macoff = netoff - maclen;
|
||||||
|
}
|
||||||
|
+ if (netoff > USHRT_MAX) {
|
||||||
|
+ spin_lock(&sk->sk_receive_queue.lock);
|
||||||
|
+ po->stats.stats1.tp_drops++;
|
||||||
|
+ spin_unlock(&sk->sk_receive_queue.lock);
|
||||||
|
+ goto drop_n_restore;
|
||||||
|
+ }
|
||||||
|
if (po->tp_version <= TPACKET_V2) {
|
||||||
|
if (macoff + snaplen > po->rx_ring.frame_size) {
|
||||||
|
if (po->copy_thresh &&
|
|
@ -297,5 +297,6 @@ features/arm/staging-vc04_services-Use-correct-cache-line-size.patch
|
||||||
# Security fixes
|
# Security fixes
|
||||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||||
debian/ntfs-mark-it-as-broken.patch
|
debian/ntfs-mark-it-as-broken.patch
|
||||||
|
bugfix/all/net-packet-fix-overflow-in-tpacket_rcv.patch
|
||||||
|
|
||||||
# ABI maintenance
|
# ABI maintenance
|
||||||
|
|
Loading…
Reference in New Issue