From: "Nuernberger, Stefan" <snu@amazon.de>
To: "Nuernberger, Stefan" <snu@amazon.de>,
"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
Cc: "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"orcohen@paloaltonetworks.com" <orcohen@paloaltonetworks.com>,
"Woodhouse, David" <dwmw@amazon.co.uk>,
"stable@vger.kernel.org" <stable@vger.kernel.org>,
"edumazet@google.com" <edumazet@google.com>,
"Shah, Amit" <aams@amazon.de>
Subject: Re: [PATCH] net/packet: fix overflow in tpacket_rcv
Date: Fri, 4 Sep 2020 14:22:46 +0000 [thread overview]
Message-ID: <1599229365.17829.3.camel@amazon.de> (raw)
In-Reply-To: <20200904141617.GA3185752@kroah.com>
On Fri, 2020-09-04 at 16:16 +0200, Greg Kroah-Hartman wrote:
> On Fri, Sep 04, 2020 at 03:30:52PM +0200, Stefan Nuernberger wrote:
> >
> > From: Or Cohen <orcohen@paloaltonetworks.com>
> >
> > Using tp_reserve to calculate netoff can overflow as
> > tp_reserve is unsigned int and netoff is unsigned short.
> >
> > This may lead to macoff receving a smaller value then
> > sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
> > is set, an out-of-bounds write will occur when
> > calling virtio_net_hdr_from_skb.
> >
> > The bug is fixed by converting netoff to unsigned int
> > and checking if it exceeds USHRT_MAX.
> >
> > This addresses CVE-2020-14386
> >
> > Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
> > Signed-off-by: Or Cohen <orcohen@paloaltonetworks.com>
> > Signed-off-by: Eric Dumazet <edumazet@google.com>
> >
> > [ snu: backported to 4.9, changed tp_drops counting/locking ]
> >
> > Signed-off-by: Stefan Nuernberger <snu@amazon.com>
> > CC: David Woodhouse <dwmw@amazon.co.uk>
> > CC: Amit Shah <aams@amazon.com>
> > CC: stable@vger.kernel.org
> > ---
> > net/packet/af_packet.c | 9 ++++++++-
> > 1 file changed, 8 insertions(+), 1 deletion(-)
> What is the git commit id of this patch in Linus's tree?
>
Sorry, this isn't merged on Linus' tree yet. It's a heads up that the
backport isn't straightforward.
Best,
Stefan
> thanks,
>
> greg k-h
Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss
Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B
Sitz: Berlin
Ust-ID: DE 289 237 879
next prev parent reply other threads:[~2020-09-04 14:23 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-03 17:07 Vulnerability report - af_packet.c - CVE-2020-14386 Or Cohen
2020-09-04 13:30 ` [PATCH] net/packet: fix overflow in tpacket_rcv Stefan Nuernberger
2020-09-04 14:16 ` Greg Kroah-Hartman
2020-09-04 14:22 ` Nuernberger, Stefan [this message]
2020-09-04 14:36 ` gregkh
2020-09-05 6:54 ` Salvatore Bonaccorso
2020-09-21 17:02 ` Stefan Nuernberger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1599229365.17829.3.camel@amazon.de \
--to=snu@amazon.de \
--cc=aams@amazon.de \
--cc=dwmw@amazon.co.uk \
--cc=edumazet@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=netdev@vger.kernel.org \
--cc=orcohen@paloaltonetworks.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.