Date: Fri, 4 Sep 2020 16:36:48 +0200
From: "gregkh@linuxfoundation.org"
To: "Nuernberger, Stefan"
Cc: "netdev@vger.kernel.org", "orcohen@paloaltonetworks.com",
    "Woodhouse, David", "stable@vger.kernel.org",
    "edumazet@google.com", "Shah, Amit"
Subject: Re: [PATCH] net/packet: fix overflow in tpacket_rcv
Message-ID: <20200904143648.GA3212511@kroah.com>
References: <20200904133052.20299-1-snu@amazon.com> <20200904141617.GA3185752@kroah.com> <1599229365.17829.3.camel@amazon.de>
In-Reply-To: <1599229365.17829.3.camel@amazon.de>

On Fri, Sep 04, 2020 at 02:22:46PM +0000, Nuernberger, Stefan wrote:
> On Fri, 2020-09-04 at 16:16 +0200, Greg Kroah-Hartman wrote:
> > On Fri, Sep 04, 2020 at 03:30:52PM +0200, Stefan Nuernberger wrote:
> > >
> > > From: Or Cohen
> > >
> > > Using tp_reserve to calculate netoff can overflow as
> > > tp_reserve is unsigned int and netoff is unsigned short.
> > >
> > > This may lead to macoff receiving a smaller value than
> > > sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
> > > is set, an out-of-bounds write will occur when
> > > calling virtio_net_hdr_from_skb.
> > >
> > > The bug is fixed by converting netoff to unsigned int
> > > and checking if it exceeds USHRT_MAX.
> > >
> > > This addresses CVE-2020-14386
> > >
> > > Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
> > > Signed-off-by: Or Cohen
> > > Signed-off-by: Eric Dumazet
> > >
> > > [ snu: backported to 4.9, changed tp_drops counting/locking ]
> > >
> > > Signed-off-by: Stefan Nuernberger
> > > CC: David Woodhouse
> > > CC: Amit Shah
> > > CC: stable@vger.kernel.org
> > > ---
> > >  net/packet/af_packet.c | 9 ++++++++-
> > >  1 file changed, 8 insertions(+), 1 deletion(-)
> > What is the git commit id of this patch in Linus's tree?
> >
>
> Sorry, this isn't merged on Linus' tree yet. It's a heads up that the
> backport isn't straightforward.

Ok, please be more specific about this when sending patches out...

greg k-h
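
The truncation that the quoted commit message describes, as an added userspace model (not code from this thread or from net/packet/af_packet.c). `MODEL_HDRLEN`, `MODEL_VNET_LEN`, `MODEL_ALIGN`, the function names, the offset formula and the sample `tp_reserve` value are assumptions made for the illustration.

```c
#include <limits.h>
#include <stdio.h>

/* Assumed sample sizes for this model; not read from kernel headers. */
#define MODEL_HDRLEN   32u  /* stand-in for po->tp_hdrlen */
#define MODEL_VNET_LEN 10u  /* stand-in for sizeof(struct virtio_net_hdr) */
#define MODEL_ALIGN(x) (((x) + 15u) & ~15u)  /* assumed 16-byte alignment */

/* Offset sum shared by both variants, computed without truncation. */
static unsigned int model_netoff(unsigned int tp_reserve, unsigned int maclen,
                                 int has_vnet_hdr)
{
    unsigned int netoff = MODEL_ALIGN(MODEL_HDRLEN + (maclen < 16 ? 16 : maclen))
                          + tp_reserve;
    if (has_vnet_hdr)
        netoff += MODEL_VNET_LEN;
    return netoff;
}

/* Before: netoff is an unsigned short, so bits above 16 are silently lost. */
static unsigned short macoff_before(unsigned int tp_reserve, unsigned int maclen,
                                    int has_vnet_hdr)
{
    unsigned short netoff =
        (unsigned short)model_netoff(tp_reserve, maclen, has_vnet_hdr);
    return (unsigned short)(netoff - maclen);
}

/* After: netoff stays unsigned int and anything above USHRT_MAX is refused.
 * Returns 0 and stores *macoff, or -1 when the packet has to be dropped. */
static int macoff_after(unsigned int tp_reserve, unsigned int maclen,
                        int has_vnet_hdr, unsigned short *macoff)
{
    unsigned int netoff = model_netoff(tp_reserve, maclen, has_vnet_hdr);
    if (netoff > USHRT_MAX)
        return -1;
    *macoff = (unsigned short)(netoff - maclen);
    return 0;
}

int main(void)
{
    unsigned int reserve = 65492;  /* constructed value, chosen to wrap the model */
    unsigned short m = 0;
    printf("before: macoff=%u\n", (unsigned)macoff_before(reserve, 14, 1));
    printf("after:  %s\n", macoff_after(reserve, 14, 1, &m) ? "dropped" : "accepted");
    return 0;
}
```

In the model the 16-bit variant yields a macoff of 0, less than the 10 bytes the virtio header needs in front of the MAC header, while the widened variant rejects the same input.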