From: Willy Tarreau
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org, linux@roeck-us.net
Cc: Willem de Bruijn, Eric Dumazet, "David S . Miller", Willy Tarreau
Subject: [PATCH 3.10 263/268] tun: read vnet_hdr_sz once
Date: Mon, 19 Jun 2017 20:32:42 +0200
Message-Id: <1497897167-14556-264-git-send-email-w@1wt.eu>
In-Reply-To: <1497897167-14556-1-git-send-email-w@1wt.eu>
References: <1497897167-14556-1-git-send-email-w@1wt.eu>

From: Willem de Bruijn

commit e1edab87faf6ca30cd137e0795bc73aa9a9a22ec upstream.

When IFF_VNET_HDR is enabled, a virtio_net header must precede data.
Data length is verified to be greater than or equal to expected header
length tun->vnet_hdr_sz before copying.

Read this value once and cache locally, as it can be updated between
the test and use (TOCTOU).

[js] we have TUN_VNET_HDR in 3.12

Signed-off-by: Willem de Bruijn
Reported-by: Dmitry Vyukov
CC: Eric Dumazet
Acked-by: Eric Dumazet
Signed-off-by: David S. Miller
[wt: s/READ_ONCE/ACCESS_ONCE]
Signed-off-by: Willy Tarreau
--- drivers/net/tun.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/drivers/net/tun.c b/drivers/net/tun.c index ea6ada3..7bbc43f 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c
@@ -1087,9 +1087,11 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, } if (tun->flags & TUN_VNET_HDR) { - if (len < tun->vnet_hdr_sz) + int vnet_hdr_sz = ACCESS_ONCE(tun->vnet_hdr_sz); + + if (len < vnet_hdr_sz) return -EINVAL; - len -= tun->vnet_hdr_sz; + len -= vnet_hdr_sz; if (memcpy_fromiovecend((void *)&gso, iv, offset, sizeof(gso))) return -EFAULT; @@ -1100,7 +1102,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, if (gso.hdr_len > len) return -EINVAL; - offset += tun->vnet_hdr_sz; + offset += vnet_hdr_sz; } if ((tun->flags & TUN_TYPE_MASK) == TUN_TAP_DEV) { @@ -1275,7 +1277,7 @@ static ssize_t tun_put_user(struct tun_struct *tun, int vnet_hdr_sz = 0; if (tun->flags & TUN_VNET_HDR) - vnet_hdr_sz = tun->vnet_hdr_sz; + vnet_hdr_sz = ACCESS_ONCE(tun->vnet_hdr_sz); if (!(tun->flags & TUN_NO_PI)) { if ((len -= sizeof(pi)) < 0) -- 2.8.0.rc2.1.gbe9624a
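
Review bot: In the first tun_get_user hunk, the new `int vnet_hdr_sz = ACCESS_ONCE(tun->vnet_hdr_sz);` has no comment saying why a single load is required, so a later cleanup could fold it back into direct `tun->vnet_hdr_sz` reads and reopen the race. A one-line comment above the declaration, noting that the field can change between the `len < vnet_hdr_sz` test and the `len -=` / `offset +=` uses, would keep the intent visible in the code rather than only in the changelog. The same hunk bounds `len` only by `vnet_hdr_sz` while the copy that follows reads `sizeof(gso)` bytes; nothing in the visible lines shows that `vnet_hdr_sz` is at least `sizeof(gso)`, so it is worth confirming where that lower bound is enforced and saying so in the comment.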
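
Review bot: The changelog does not explain the tun_put_user change in the last hunk: that function already copied the field into a local `vnet_hdr_sz`, so the test-and-use window described in the commit message is not apparent at `vnet_hdr_sz = ACCESS_ONCE(tun->vnet_hdr_sz);`. If the aim is to keep the compiler from re-reading the field in place of the local, one sentence saying so would tell readers of this backport why the output path was touched. It would also help to note that `tun->flags` is still read directly on the line above, so the snapshot covers the header size only.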