Michael S. Tsirkin
2014-Mar-27 10:00 UTC
[PATCHv2 net] vhost: fix total length when packets are too short
When mergeable buffers are disabled, and the incoming packet is too large for the rx buffer, get_rx_bufs returns success. This was intentional in order for make recvmsg truncate the packet and then handle_rx would detect err != sock_len and drop it. Unfortunately we pass the original sock_len to recvmsg - which means we use parts of iov not fully validated. Fix this up by detecting this overrun and doing packet drop immediately. CVE-2014-0077 Signed-off-by: Michael S. Tsirkin <mst at redhat.com> --- Changes from v1: Fix CVE# in the commit log. Patch is unchanged. Note: this is needed for -stable. I wonder if this can still make the release. drivers/vhost/net.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c index a0fa5de..026be58 100644 --- a/drivers/vhost/net.c +++ b/drivers/vhost/net.c @@ -532,6 +532,12 @@ static int get_rx_bufs(struct vhost_virtqueue *vq, *iovcount = seg; if (unlikely(log)) *log_num = nlogs; + + /* Detect overrun */ + if (unlikely(datalen > 0)) { + r = UIO_MAXIOV + 1; + goto err; + } return headcount; err: vhost_discard_vq_desc(vq, headcount); @@ -587,6 +593,14 @@ static void handle_rx(struct vhost_net *net) /* On error, stop handling until the next kick. */ if (unlikely(headcount < 0)) break; + /* On overrun, truncate and discard */ + if (unlikely(headcount > UIO_MAXIOV)) { + msg.msg_iovlen = 1; + err = sock->ops->recvmsg(NULL, sock, &msg, + 1, MSG_DONTWAIT | MSG_TRUNC); + pr_debug("Discarded rx packet: len %zd\n", sock_len); + continue; + } /* OK, now we need to know about added descriptors. */ if (!headcount) { if (unlikely(vhost_enable_notify(&net->dev, vq))) { -- MST
David Miller
2014-Mar-28 20:09 UTC
[PATCHv2 net] vhost: fix total length when packets are too short
From: "Michael S. Tsirkin" <mst at redhat.com> Date: Thu, 27 Mar 2014 12:00:26 +0200> When mergeable buffers are disabled, and the > incoming packet is too large for the rx buffer, > get_rx_bufs returns success. > > This was intentional in order for make recvmsg > truncate the packet and then handle_rx would > detect err != sock_len and drop it. > > Unfortunately we pass the original sock_len to > recvmsg - which means we use parts of iov not fully > validated. > > Fix this up by detecting this overrun and doing packet drop > immediately. > > CVE-2014-0077 > > Signed-off-by: Michael S. Tsirkin <mst at redhat.com> > --- > > Changes from v1: > Fix CVE# in the commit log. > Patch is unchanged. > > Note: this is needed for -stable.Applied and queued up for -stable.> I wonder if this can still make the release.I will try but no promises.
Maybe Matching Threads
- [PATCHv2 net] vhost: fix total length when packets are too short
- [PATCH net] vhost: fix total length when packets are too short
- [PATCH net] vhost: fix total length when packets are too short
- [PATCH net,stable v2] vhost: fix skb leak in handle_rx()
- [PATCH net,stable v2] vhost: fix skb leak in handle_rx()