* [PATCHv2 net] vhost: fix total length when packets are too short
@ 2014-03-27 10:00 Michael S. Tsirkin
2014-03-28 20:09 ` David Miller
0 siblings, 1 reply; 2+ messages in thread
From: Michael S. Tsirkin @ 2014-03-27 10:00 UTC (permalink / raw)
To: linux-kernel
Cc: kvm, virtio-dev, virtualization, netdev, Jason Wang, David Miller
When mergeable buffers are disabled, and the
incoming packet is too large for the rx buffer,
get_rx_bufs returns success.
This was intentional in order for make recvmsg
truncate the packet and then handle_rx would
detect err != sock_len and drop it.
Unfortunately we pass the original sock_len to
recvmsg - which means we use parts of iov not fully
validated.
Fix this up by detecting this overrun and doing packet drop
immediately.
CVE-2014-0077
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
Changes from v1:
Fix CVE# in the commit log.
Patch is unchanged.
Note: this is needed for -stable.
I wonder if this can still make the release.
drivers/vhost/net.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index a0fa5de..026be58 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -532,6 +532,12 @@ static int get_rx_bufs(struct vhost_virtqueue *vq,
*iovcount = seg;
if (unlikely(log))
*log_num = nlogs;
+
+ /* Detect overrun */
+ if (unlikely(datalen > 0)) {
+ r = UIO_MAXIOV + 1;
+ goto err;
+ }
return headcount;
err:
vhost_discard_vq_desc(vq, headcount);
@@ -587,6 +593,14 @@ static void handle_rx(struct vhost_net *net)
/* On error, stop handling until the next kick. */
if (unlikely(headcount < 0))
break;
+ /* On overrun, truncate and discard */
+ if (unlikely(headcount > UIO_MAXIOV)) {
+ msg.msg_iovlen = 1;
+ err = sock->ops->recvmsg(NULL, sock, &msg,
+ 1, MSG_DONTWAIT | MSG_TRUNC);
+ pr_debug("Discarded rx packet: len %zd\n", sock_len);
+ continue;
+ }
/* OK, now we need to know about added descriptors. */
if (!headcount) {
if (unlikely(vhost_enable_notify(&net->dev, vq))) {
--
MST
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCHv2 net] vhost: fix total length when packets are too short
2014-03-27 10:00 [PATCHv2 net] vhost: fix total length when packets are too short Michael S. Tsirkin
@ 2014-03-28 20:09 ` David Miller
0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2014-03-28 20:09 UTC (permalink / raw)
To: mst; +Cc: virtio-dev, kvm, netdev, linux-kernel, virtualization
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 27 Mar 2014 12:00:26 +0200
> When mergeable buffers are disabled, and the
> incoming packet is too large for the rx buffer,
> get_rx_bufs returns success.
>
> This was intentional in order for make recvmsg
> truncate the packet and then handle_rx would
> detect err != sock_len and drop it.
>
> Unfortunately we pass the original sock_len to
> recvmsg - which means we use parts of iov not fully
> validated.
>
> Fix this up by detecting this overrun and doing packet drop
> immediately.
>
> CVE-2014-0077
>
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> ---
>
> Changes from v1:
> Fix CVE# in the commit log.
> Patch is unchanged.
>
> Note: this is needed for -stable.
Applied and queued up for -stable.
> I wonder if this can still make the release.
I will try but no promises.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2014-03-28 20:09 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-03-27 10:00 [PATCHv2 net] vhost: fix total length when packets are too short Michael S. Tsirkin
2014-03-28 20:09 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).