Michael S. Tsirkin
2014-Mar-27 09:38 UTC
[PATCH net] vhost: fix total length when packets are too short
When mergeable buffers are disabled, and the
incoming packet is too large for the rx buffer,
get_rx_bufs returns success.
This was intentional in order for make recvmsg
truncate the packet and then handle_rx would
detect err != sock_len and drop it.
Unfortunately we pass the original sock_len to
recvmsg - which means we use parts of iov not fully
validated.
Fix this up by detecting this overrun and doing packet drop
immediately.
CVE-2014-0055
Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
---
Note: this is needed for -stable.
I wonder if this can still make the release.
drivers/vhost/net.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index a0fa5de..026be58 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -532,6 +532,12 @@ static int get_rx_bufs(struct vhost_virtqueue *vq,
*iovcount = seg;
if (unlikely(log))
*log_num = nlogs;
+
+ /* Detect overrun */
+ if (unlikely(datalen > 0)) {
+ r = UIO_MAXIOV + 1;
+ goto err;
+ }
return headcount;
err:
vhost_discard_vq_desc(vq, headcount);
@@ -587,6 +593,14 @@ static void handle_rx(struct vhost_net *net)
/* On error, stop handling until the next kick. */
if (unlikely(headcount < 0))
break;
+ /* On overrun, truncate and discard */
+ if (unlikely(headcount > UIO_MAXIOV)) {
+ msg.msg_iovlen = 1;
+ err = sock->ops->recvmsg(NULL, sock, &msg,
+ 1, MSG_DONTWAIT | MSG_TRUNC);
+ pr_debug("Discarded rx packet: len %zd\n", sock_len);
+ continue;
+ }
/* OK, now we need to know about added descriptors. */
if (!headcount) {
if (unlikely(vhost_enable_notify(&net->dev, vq))) {
--
MST
Michael S. Tsirkin
2014-Mar-27 09:58 UTC
[PATCH net] vhost: fix total length when packets are too short
On Thu, Mar 27, 2014 at 11:38:41AM +0200, Michael S. Tsirkin wrote:> When mergeable buffers are disabled, and the > incoming packet is too large for the rx buffer, > get_rx_bufs returns success. > > This was intentional in order for make recvmsg > truncate the packet and then handle_rx would > detect err != sock_len and drop it. > > Unfortunately we pass the original sock_len to > recvmsg - which means we use parts of iov not fully > validated. > > Fix this up by detecting this overrun and doing packet drop > immediately. > > CVE-2014-0055Ouch wrong CVE#. It's CVE-2014-0077 actually. Will resend V2 with the corrected commit log now.> Signed-off-by: Michael S. Tsirkin <mst at redhat.com> > --- > > Note: this is needed for -stable. > > I wonder if this can still make the release. > > drivers/vhost/net.c | 14 ++++++++++++++ > 1 file changed, 14 insertions(+) > > diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c > index a0fa5de..026be58 100644 > --- a/drivers/vhost/net.c > +++ b/drivers/vhost/net.c > @@ -532,6 +532,12 @@ static int get_rx_bufs(struct vhost_virtqueue *vq, > *iovcount = seg; > if (unlikely(log)) > *log_num = nlogs; > + > + /* Detect overrun */ > + if (unlikely(datalen > 0)) { > + r = UIO_MAXIOV + 1; > + goto err; > + } > return headcount; > err: > vhost_discard_vq_desc(vq, headcount); > @@ -587,6 +593,14 @@ static void handle_rx(struct vhost_net *net) > /* On error, stop handling until the next kick. */ > if (unlikely(headcount < 0)) > break; > + /* On overrun, truncate and discard */ > + if (unlikely(headcount > UIO_MAXIOV)) { > + msg.msg_iovlen = 1; > + err = sock->ops->recvmsg(NULL, sock, &msg, > + 1, MSG_DONTWAIT | MSG_TRUNC); > + pr_debug("Discarded rx packet: len %zd\n", sock_len); > + continue; > + } > /* OK, now we need to know about added descriptors. */ > if (!headcount) { > if (unlikely(vhost_enable_notify(&net->dev, vq))) { > -- > MST
Apparently Analagous Threads
- [PATCH net] vhost: fix total length when packets are too short
- [PATCHv2 net] vhost: fix total length when packets are too short
- [PATCHv2 net] vhost: fix total length when packets are too short
- [PATCH net,stable v2] vhost: fix skb leak in handle_rx()
- [PATCH net,stable v2] vhost: fix skb leak in handle_rx()