Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp4003870pxu; Mon, 12 Oct 2020 07:08:29 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzbsZ5uUVLA7p44mwcLk5N2a8+SYPPLBGWsqFHgCE/v8ywBqiTA6efBem9f8q8QOytAmX2h X-Received: by 2002:a50:abc3:: with SMTP id u61mr14354033edc.253.1602511709752; Mon, 12 Oct 2020 07:08:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1602511709; cv=none; d=google.com; s=arc-20160816; b=NwVC9pcbpYypTT6/GqKUzUrFuSNnJdNYrgIMHyRWCVejeP+9GetKa05EQz5pbbHCD8 pL9usQtcXE8oRJR8tf9bVB+aGsZowBlvCDV4nKf0v2VhEhXf27OTDJzwy/DfD7/6UwN4 zFMPrMHxZv47PaH5ANs+3t0RsYneuBjprYW23vupk4b7mwKSK99nKwrkOwxFrtnSbQ25 CyJtq5aI72b2K6Z+6eQZ50kHnz/8reOG9aMr0rBV5JXWbay/osdJOPpNjqkhg4gjV/wm l/ihaa74jwS/8cTrQAYeMgeXJ9lnboK7Yk+flTT34qR4IeIBAo3kB2vFDb1LYyJYzcNU OTxA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=DnqxDwr4dxpkrEoybhEsSWC4kPdg3BbrEKY91IYiEng=; b=IXSxiPyye3bgsV12Ia9DbJr0bAXkOwU0Gvdlo7CfW7DJItN7hI5W7ccjF4lfcWDJ/F 75aHg80B+1q6dA44vAG0ooz8wEjMYSbkk/T1sf855TsMJ48ossymzEniM3B04JyTe90v SIp2n87gNsQ7/kIpZ3zMt1ev7hOAQaP/Q2LJJSFmoTItUTrQoDbFUzTWfQSJnk3EKThz tXnNIH+XtZ7WB3JRahsYeB9C2lNhznnpGuOMWUObMyGRhiBjFIj3UM5T+ATt7yPkjwiu KNO9WZLXC1guOYUdB6W4mo4sMqvm/z66EXRfxzs0wEpIQmDijmPKbZkfSyd+89TnJHp7 JFmg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Bc1h5QbS; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g19si7254961ejd.105.2020.10.12.07.08.05; Mon, 12 Oct 2020 07:08:29 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Bc1h5QbS; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390892AbgJLOEI (ORCPT + 99 others); Mon, 12 Oct 2020 10:04:08 -0400 Received: from mail.kernel.org ([198.145.29.99]:38966 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388668AbgJLNgQ (ORCPT ); Mon, 12 Oct 2020 09:36:16 -0400 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C33D72076E; Mon, 12 Oct 2020 13:36:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1602509776; bh=cAc9SVIjfg6BCU3+Mi+hwrdDWDsKxVFO2cw2CcXk7YE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Bc1h5QbSC7fQBhf1yaZpdLwASMlGDl88G52yY4Vl1ej2ky+0V/Vlv1SXVKUnGH6gt jnrmPwSROAi7eJ8FaJvRhuBpjpPiY+qDH4HGAfoJLDqF1lRwZfEGDVLgJGkFQ10Ccj P4BSpBmS450m/+rp8Fiz4DZ5GvbAy7LcqtxEZkaw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Or Cohen , Eric Dumazet , Linus Torvalds , Stefan Nuernberger , David Woodhouse , Amit Shah Subject: [PATCH 4.14 25/70] net/packet: fix overflow in tpacket_rcv Date: Mon, 12 Oct 2020 15:26:41 +0200 Message-Id: <20201012132631.426074555@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20201012132630.201442517@linuxfoundation.org> References: <20201012132630.201442517@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Or Cohen commit acf69c946233259ab4d64f8869d4037a198c7f06 upstream. Using tp_reserve to calculate netoff can overflow as tp_reserve is unsigned int and netoff is unsigned short. This may lead to macoff receving a smaller value then sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr is set, an out-of-bounds write will occur when calling virtio_net_hdr_from_skb. The bug is fixed by converting netoff to unsigned int and checking if it exceeds USHRT_MAX. This addresses CVE-2020-14386 Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt") Signed-off-by: Or Cohen Signed-off-by: Eric Dumazet Signed-off-by: Linus Torvalds [ snu: backported to pre-5.3, changed tp_drops counting/locking ] Signed-off-by: Stefan Nuernberger CC: David Woodhouse CC: Amit Shah CC: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman --- net/packet/af_packet.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -2201,7 +2201,8 @@ static int tpacket_rcv(struct sk_buff *s int skb_len = skb->len; unsigned int snaplen, res; unsigned long status = TP_STATUS_USER; - unsigned short macoff, netoff, hdrlen; + unsigned short macoff, hdrlen; + unsigned int netoff; struct sk_buff *copy_skb = NULL; struct timespec ts; __u32 ts_status; @@ -2264,6 +2265,12 @@ static int tpacket_rcv(struct sk_buff *s } macoff = netoff - maclen; } + if (netoff > USHRT_MAX) { + spin_lock(&sk->sk_receive_queue.lock); + po->stats.stats1.tp_drops++; + spin_unlock(&sk->sk_receive_queue.lock); + goto drop_n_restore; + } if (po->tp_version <= TPACKET_V2) { if (macoff + snaplen > po->rx_ring.frame_size) { if (po->copy_thresh &&