* [PATCH] net/packet: fix overflow in tpacket_rcv
[not found] <CAM6JnLf_8nwzq+UGO+amXpeApCDarJjwzOEHQd5qBhU7YKm3DQ@mail.gmail.com>
@ 2020-09-04 13:30 ` Stefan Nuernberger
2020-09-04 14:16 ` Greg Kroah-Hartman
0 siblings, 1 reply; 6+ messages in thread
From: Stefan Nuernberger @ 2020-09-04 13:30 UTC (permalink / raw)
To: orcohen
Cc: netdev, Greg Kroah-Hartman, Eric Dumazet, Stefan Nuernberger,
David Woodhouse, Amit Shah, stable
From: Or Cohen <orcohen@paloaltonetworks.com>
Using tp_reserve to calculate netoff can overflow as
tp_reserve is unsigned int and netoff is unsigned short.
This may lead to macoff receving a smaller value then
sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
is set, an out-of-bounds write will occur when
calling virtio_net_hdr_from_skb.
The bug is fixed by converting netoff to unsigned int
and checking if it exceeds USHRT_MAX.
This addresses CVE-2020-14386
Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
Signed-off-by: Or Cohen <orcohen@paloaltonetworks.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
[ snu: backported to 4.9, changed tp_drops counting/locking ]
Signed-off-by: Stefan Nuernberger <snu@amazon.com>
CC: David Woodhouse <dwmw@amazon.co.uk>
CC: Amit Shah <aams@amazon.com>
CC: stable@vger.kernel.org
---
net/packet/af_packet.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index fb643945e424..b5b79f501541 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2161,7 +2161,8 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
int skb_len = skb->len;
unsigned int snaplen, res;
unsigned long status = TP_STATUS_USER;
- unsigned short macoff, netoff, hdrlen;
+ unsigned short macoff, hdrlen;
+ unsigned int netoff;
struct sk_buff *copy_skb = NULL;
struct timespec ts;
__u32 ts_status;
@@ -2223,6 +2224,12 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
}
macoff = netoff - maclen;
}
+ if (netoff > USHRT_MAX) {
+ spin_lock(&sk->sk_receive_queue.lock);
+ po->stats.stats1.tp_drops++;
+ spin_unlock(&sk->sk_receive_queue.lock);
+ goto drop_n_restore;
+ }
if (po->tp_version <= TPACKET_V2) {
if (macoff + snaplen > po->rx_ring.frame_size) {
if (po->copy_thresh &&
--
2.28.0
Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss
Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B
Sitz: Berlin
Ust-ID: DE 289 237 879
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] net/packet: fix overflow in tpacket_rcv
2020-09-04 13:30 ` [PATCH] net/packet: fix overflow in tpacket_rcv Stefan Nuernberger
@ 2020-09-04 14:16 ` Greg Kroah-Hartman
2020-09-04 14:22 ` Nuernberger, Stefan
0 siblings, 1 reply; 6+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-04 14:16 UTC (permalink / raw)
To: Stefan Nuernberger
Cc: orcohen, netdev, Eric Dumazet, David Woodhouse, Amit Shah, stable
On Fri, Sep 04, 2020 at 03:30:52PM +0200, Stefan Nuernberger wrote:
> From: Or Cohen <orcohen@paloaltonetworks.com>
>
> Using tp_reserve to calculate netoff can overflow as
> tp_reserve is unsigned int and netoff is unsigned short.
>
> This may lead to macoff receving a smaller value then
> sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
> is set, an out-of-bounds write will occur when
> calling virtio_net_hdr_from_skb.
>
> The bug is fixed by converting netoff to unsigned int
> and checking if it exceeds USHRT_MAX.
>
> This addresses CVE-2020-14386
>
> Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
> Signed-off-by: Or Cohen <orcohen@paloaltonetworks.com>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
>
> [ snu: backported to 4.9, changed tp_drops counting/locking ]
>
> Signed-off-by: Stefan Nuernberger <snu@amazon.com>
> CC: David Woodhouse <dwmw@amazon.co.uk>
> CC: Amit Shah <aams@amazon.com>
> CC: stable@vger.kernel.org
> ---
> net/packet/af_packet.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
What is the git commit id of this patch in Linus's tree?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] net/packet: fix overflow in tpacket_rcv
2020-09-04 14:16 ` Greg Kroah-Hartman
@ 2020-09-04 14:22 ` Nuernberger, Stefan
2020-09-04 14:36 ` gregkh
0 siblings, 1 reply; 6+ messages in thread
From: Nuernberger, Stefan @ 2020-09-04 14:22 UTC (permalink / raw)
To: Nuernberger, Stefan, gregkh@linuxfoundation.org
Cc: netdev@vger.kernel.org, orcohen@paloaltonetworks.com,
Woodhouse, David, stable@vger.kernel.org, edumazet@google.com,
Shah, Amit
On Fri, 2020-09-04 at 16:16 +0200, Greg Kroah-Hartman wrote:
> On Fri, Sep 04, 2020 at 03:30:52PM +0200, Stefan Nuernberger wrote:
> >
> > From: Or Cohen <orcohen@paloaltonetworks.com>
> >
> > Using tp_reserve to calculate netoff can overflow as
> > tp_reserve is unsigned int and netoff is unsigned short.
> >
> > This may lead to macoff receving a smaller value then
> > sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
> > is set, an out-of-bounds write will occur when
> > calling virtio_net_hdr_from_skb.
> >
> > The bug is fixed by converting netoff to unsigned int
> > and checking if it exceeds USHRT_MAX.
> >
> > This addresses CVE-2020-14386
> >
> > Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
> > Signed-off-by: Or Cohen <orcohen@paloaltonetworks.com>
> > Signed-off-by: Eric Dumazet <edumazet@google.com>
> >
> > [ snu: backported to 4.9, changed tp_drops counting/locking ]
> >
> > Signed-off-by: Stefan Nuernberger <snu@amazon.com>
> > CC: David Woodhouse <dwmw@amazon.co.uk>
> > CC: Amit Shah <aams@amazon.com>
> > CC: stable@vger.kernel.org
> > ---
> > net/packet/af_packet.c | 9 ++++++++-
> > 1 file changed, 8 insertions(+), 1 deletion(-)
> What is the git commit id of this patch in Linus's tree?
>
Sorry, this isn't merged on Linus' tree yet. It's a heads up that the
backport isn't straightforward.
Best,
Stefan
> thanks,
>
> greg k-h
Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss
Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B
Sitz: Berlin
Ust-ID: DE 289 237 879
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] net/packet: fix overflow in tpacket_rcv
2020-09-04 14:22 ` Nuernberger, Stefan
@ 2020-09-04 14:36 ` gregkh
2020-09-05 6:54 ` Salvatore Bonaccorso
0 siblings, 1 reply; 6+ messages in thread
From: gregkh @ 2020-09-04 14:36 UTC (permalink / raw)
To: Nuernberger, Stefan
Cc: netdev@vger.kernel.org, orcohen@paloaltonetworks.com,
Woodhouse, David, stable@vger.kernel.org, edumazet@google.com,
Shah, Amit
On Fri, Sep 04, 2020 at 02:22:46PM +0000, Nuernberger, Stefan wrote:
> On Fri, 2020-09-04 at 16:16 +0200, Greg Kroah-Hartman wrote:
> > On Fri, Sep 04, 2020 at 03:30:52PM +0200, Stefan Nuernberger wrote:
> > >
> > > From: Or Cohen <orcohen@paloaltonetworks.com>
> > >
> > > Using tp_reserve to calculate netoff can overflow as
> > > tp_reserve is unsigned int and netoff is unsigned short.
> > >
> > > This may lead to macoff receving a smaller value then
> > > sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
> > > is set, an out-of-bounds write will occur when
> > > calling virtio_net_hdr_from_skb.
> > >
> > > The bug is fixed by converting netoff to unsigned int
> > > and checking if it exceeds USHRT_MAX.
> > >
> > > This addresses CVE-2020-14386
> > >
> > > Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
> > > Signed-off-by: Or Cohen <orcohen@paloaltonetworks.com>
> > > Signed-off-by: Eric Dumazet <edumazet@google.com>
> > >
> > > [ snu: backported to 4.9, changed tp_drops counting/locking ]
> > >
> > > Signed-off-by: Stefan Nuernberger <snu@amazon.com>
> > > CC: David Woodhouse <dwmw@amazon.co.uk>
> > > CC: Amit Shah <aams@amazon.com>
> > > CC: stable@vger.kernel.org
> > > ---
> > > net/packet/af_packet.c | 9 ++++++++-
> > > 1 file changed, 8 insertions(+), 1 deletion(-)
> > What is the git commit id of this patch in Linus's tree?
> >
>
> Sorry, this isn't merged on Linus' tree yet. It's a heads up that the
> backport isn't straightforward.
Ok, please be more specific about this when sending patches out...
greg k-h
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] net/packet: fix overflow in tpacket_rcv
2020-09-04 14:36 ` gregkh
@ 2020-09-05 6:54 ` Salvatore Bonaccorso
2020-09-21 17:02 ` Stefan Nuernberger
0 siblings, 1 reply; 6+ messages in thread
From: Salvatore Bonaccorso @ 2020-09-05 6:54 UTC (permalink / raw)
To: gregkh@linuxfoundation.org
Cc: Nuernberger, Stefan, netdev@vger.kernel.org,
orcohen@paloaltonetworks.com, Woodhouse, David,
stable@vger.kernel.org, edumazet@google.com, Shah, Amit
Hi,
On Fri, Sep 04, 2020 at 04:36:48PM +0200, gregkh@linuxfoundation.org wrote:
> On Fri, Sep 04, 2020 at 02:22:46PM +0000, Nuernberger, Stefan wrote:
> > On Fri, 2020-09-04 at 16:16 +0200, Greg Kroah-Hartman wrote:
> > > On Fri, Sep 04, 2020 at 03:30:52PM +0200, Stefan Nuernberger wrote:
> > > >
> > > > From: Or Cohen <orcohen@paloaltonetworks.com>
> > > >
> > > > Using tp_reserve to calculate netoff can overflow as
> > > > tp_reserve is unsigned int and netoff is unsigned short.
> > > >
> > > > This may lead to macoff receving a smaller value then
> > > > sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
> > > > is set, an out-of-bounds write will occur when
> > > > calling virtio_net_hdr_from_skb.
> > > >
> > > > The bug is fixed by converting netoff to unsigned int
> > > > and checking if it exceeds USHRT_MAX.
> > > >
> > > > This addresses CVE-2020-14386
> > > >
> > > > Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
> > > > Signed-off-by: Or Cohen <orcohen@paloaltonetworks.com>
> > > > Signed-off-by: Eric Dumazet <edumazet@google.com>
> > > >
> > > > [ snu: backported to 4.9, changed tp_drops counting/locking ]
> > > >
> > > > Signed-off-by: Stefan Nuernberger <snu@amazon.com>
> > > > CC: David Woodhouse <dwmw@amazon.co.uk>
> > > > CC: Amit Shah <aams@amazon.com>
> > > > CC: stable@vger.kernel.org
> > > > ---
> > > > net/packet/af_packet.c | 9 ++++++++-
> > > > 1 file changed, 8 insertions(+), 1 deletion(-)
> > > What is the git commit id of this patch in Linus's tree?
> > >
> >
> > Sorry, this isn't merged on Linus' tree yet. It's a heads up that the
> > backport isn't straightforward.
>
> Ok, please be more specific about this when sending patches out...
The commit is in Linux' tree now as
acf69c946233259ab4d64f8869d4037a198c7f06 .
Older stable series, which do not have 8e8e2951e309 ("net/packet: make
tp_drops atomic") will though need a backport as per above AFICS.
Regards,
Salvatore
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH] net/packet: fix overflow in tpacket_rcv
2020-09-05 6:54 ` Salvatore Bonaccorso
@ 2020-09-21 17:02 ` Stefan Nuernberger
0 siblings, 0 replies; 6+ messages in thread
From: Stefan Nuernberger @ 2020-09-21 17:02 UTC (permalink / raw)
To: carnil
Cc: aams, dwmw, edumazet, gregkh, netdev, orcohen, snu, stable,
Stefan Nuernberger, Amit Shah
From: Or Cohen <orcohen@paloaltonetworks.com>
commit acf69c946233259ab4d64f8869d4037a198c7f06 upstream.
Using tp_reserve to calculate netoff can overflow as
tp_reserve is unsigned int and netoff is unsigned short.
This may lead to macoff receving a smaller value then
sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
is set, an out-of-bounds write will occur when
calling virtio_net_hdr_from_skb.
The bug is fixed by converting netoff to unsigned int
and checking if it exceeds USHRT_MAX.
This addresses CVE-2020-14386
Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
Signed-off-by: Or Cohen <orcohen@paloaltonetworks.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
[ snu: backported to pre-5.3, changed tp_drops counting/locking ]
Signed-off-by: Stefan Nuernberger <snu@amazon.com>
CC: David Woodhouse <dwmw@amazon.co.uk>
CC: Amit Shah <aams@amazon.com>
CC: stable@vger.kernel.org
---
net/packet/af_packet.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index fb643945e424..b5b79f501541 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2161,7 +2161,8 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
int skb_len = skb->len;
unsigned int snaplen, res;
unsigned long status = TP_STATUS_USER;
- unsigned short macoff, netoff, hdrlen;
+ unsigned short macoff, hdrlen;
+ unsigned int netoff;
struct sk_buff *copy_skb = NULL;
struct timespec ts;
__u32 ts_status;
@@ -2223,6 +2224,12 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
}
macoff = netoff - maclen;
}
+ if (netoff > USHRT_MAX) {
+ spin_lock(&sk->sk_receive_queue.lock);
+ po->stats.stats1.tp_drops++;
+ spin_unlock(&sk->sk_receive_queue.lock);
+ goto drop_n_restore;
+ }
if (po->tp_version <= TPACKET_V2) {
if (macoff + snaplen > po->rx_ring.frame_size) {
if (po->copy_thresh &&
--
2.28.0
Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss
Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B
Sitz: Berlin
Ust-ID: DE 289 237 879
^ permalink raw reply related [flat|nested] 6+ messages in thread
end of thread, other threads:[~2020-09-21 17:05 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <CAM6JnLf_8nwzq+UGO+amXpeApCDarJjwzOEHQd5qBhU7YKm3DQ@mail.gmail.com>
2020-09-04 13:30 ` [PATCH] net/packet: fix overflow in tpacket_rcv Stefan Nuernberger
2020-09-04 14:16 ` Greg Kroah-Hartman
2020-09-04 14:22 ` Nuernberger, Stefan
2020-09-04 14:36 ` gregkh
2020-09-05 6:54 ` Salvatore Bonaccorso
2020-09-21 17:02 ` Stefan Nuernberger
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox