Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp3447670pxk; Mon, 5 Oct 2020 09:52:20 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwWSGUim1YZIQ7JhqOBHIu6QqUysuts/BqXlbMU7t/vX+WMExZ8e+9GWkH4KEv0gJjr2B6r X-Received: by 2002:a05:6402:890:: with SMTP id e16mr590744edy.272.1601916740014; Mon, 05 Oct 2020 09:52:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1601916740; cv=none; d=google.com; s=arc-20160816; b=CtpxzL3/jrW8cObn3KLs9yGTRrit5SKZWDhIeYo7i8dLiVqtUSFJDzBv4NA7ATsC1W 1V7EiQP95Znq0aJh0/2L4qJcltf837UUHIQQL6SCad6zEfSfrGWhmD/BMfX4w1owpfTC gkwXXOuorclJUm5DGE9284FL8Np66iCyufSZsnkPgTJFQksErduGHxox5uAa7uRG/VI9 LYbQDTmpBpcIeqcQ6eILSCa+UFGKCqdmnotinIBVfA85KdbNL2E++5k2Lu6udGvMSuzC c+HG4441b4SVC1rYZ0lNykSogYWocSUDKF68WgtzOWhWUFTETu0QsArmlFIRHe4AjVO4 x6yg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=pD9BRLyuJgmDir3aIIGsj2kG9WCtUsE1P+4SpMEPE6s=; b=PA1C9bUIpYFWab17c4eVpYROBLL5Dhlery1fdpKA0aGI40VR80VrGDW4Y+vI0vAr5K 6MqzQl5LLutSNq65/oW87FFqHO+10slfKMR8dpa+tBhCftH8it8033Xkj6YPZYqrbjBJ qmeCqS0U0CpcndoQ/b7CgKbn+h+B4rdJ1+IyVJ7sQDenXlYGKrmqi4Wo4/pvK5bNju1q huDKuVQYINZoA7Tr/kv4v8i2jF+Zn8Ecz/jXzc4szEuapomcpt6fA3/h3wfPe8+rhqWr Y7S5BOnQjd81RW14yzgizn+DTBdg+ZGfYzr8sIcBA/088kczHkLqwDexZ5O381XtmfKe bzzQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=w+OFwt0b; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id rk14si138565ejb.56.2020.10.05.09.51.56; Mon, 05 Oct 2020 09:52:20 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=w+OFwt0b; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727352AbgJEP2M (ORCPT + 99 others); Mon, 5 Oct 2020 11:28:12 -0400 Received: from mail.kernel.org ([198.145.29.99]:52694 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727260AbgJEP15 (ORCPT ); Mon, 5 Oct 2020 11:27:57 -0400 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id AE97420B80; Mon, 5 Oct 2020 15:27:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1601911675; bh=j4oVaPjWeJ+MXFCZagiH8DF+SGIz1nEB5A0wWdeWGdI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=w+OFwt0bAJKG6FABs8JJ3F2XAERlZnsCiL/BXrZk95MHQ2Civ20uMxbCXCkJjUmKe ZgbKD1b4oqWxAfKO8YF6lsVtdzf/0zazqvxTWYlY8vItMx71mm7xaoAybIEKJjwQjd fPK0w58Rw1wg5wEbU2JEtHa9mVYaK/HRpkOqO0vk= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Or Cohen , Eric Dumazet , Linus Torvalds , Stefan Nuernberger , David Woodhouse , Amit Shah Subject: [PATCH 4.19 33/38] net/packet: fix overflow in tpacket_rcv Date: Mon, 5 Oct 2020 17:26:50 +0200 Message-Id: <20201005142110.273161307@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20201005142108.650363140@linuxfoundation.org> References: <20201005142108.650363140@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Or Cohen commit acf69c946233259ab4d64f8869d4037a198c7f06 upstream. Using tp_reserve to calculate netoff can overflow as tp_reserve is unsigned int and netoff is unsigned short. This may lead to macoff receving a smaller value then sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr is set, an out-of-bounds write will occur when calling virtio_net_hdr_from_skb. The bug is fixed by converting netoff to unsigned int and checking if it exceeds USHRT_MAX. This addresses CVE-2020-14386 Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt") Signed-off-by: Or Cohen Signed-off-by: Eric Dumazet Signed-off-by: Linus Torvalds [ snu: backported to pre-5.3, changed tp_drops counting/locking ] Signed-off-by: Stefan Nuernberger CC: David Woodhouse CC: Amit Shah CC: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman --- net/packet/af_packet.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -2162,7 +2162,8 @@ static int tpacket_rcv(struct sk_buff *s int skb_len = skb->len; unsigned int snaplen, res; unsigned long status = TP_STATUS_USER; - unsigned short macoff, netoff, hdrlen; + unsigned short macoff, hdrlen; + unsigned int netoff; struct sk_buff *copy_skb = NULL; struct timespec ts; __u32 ts_status; @@ -2225,6 +2226,12 @@ static int tpacket_rcv(struct sk_buff *s } macoff = netoff - maclen; } + if (netoff > USHRT_MAX) { + spin_lock(&sk->sk_receive_queue.lock); + po->stats.stats1.tp_drops++; + spin_unlock(&sk->sk_receive_queue.lock); + goto drop_n_restore; + } if (po->tp_version <= TPACKET_V2) { if (macoff + snaplen > po->rx_ring.frame_size) { if (po->copy_thresh &&