From b3a3711d07804954a9466a21d7cb7ac28c0004ef Mon Sep 17 00:00:00 2001
From: Michal Kubecek
Date: Sep 03 2020 22:48:37 +0000
Subject: net/packet: fix overflow in tpacket_rcv (CVE-2020-14386 bsc#1176069).
---
diff --git a/patches.suse/net-packet-fix-overflow-in-tpacket_rcv.patch b/patches.suse/net-packet-fix-overflow-in-tpacket_rcv.patch
new file mode 100644
index 0000000..35b7534
--- /dev/null
+++ b/patches.suse/net-packet-fix-overflow-in-tpacket_rcv.patch 
@@ -0,0 +1,46 @@
+From: Or Cohen
+Subject: net/packet: fix overflow in tpacket_rcv
+Patch-mainline: Submitted - 2020-09-03 - CAM6JnLf_8nwzq+UGO+amXpeApCDarJjwzOEHQd5qBhU7YKm3DQ@mail.gmail.com (improperly)
+References: CVE-2020-14386 bsc#1176069
+
+Using tp_reserve to calculate netoff can overflow as
+tp_reserve is unsigned int and netoff is unsigned short.
+
+This may lead to macoff receving a smaller value then
+sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
+is set, an out-of-bounds write will occur when
+calling virtio_net_hdr_from_skb.
+
+The bug is fixed by converting netoff to unsigned int
+and checking if it exceeds USHRT_MAX.
+
+Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
+Signed-off-by: Or Cohen
+Acked-by: Michal Kubecek
+---
+ net/packet/af_packet.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2167,7 +2167,8 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
+ int skb_len = skb->len;
+ unsigned int snaplen, res;
+ unsigned long status = TP_STATUS_USER;
+- unsigned short macoff, netoff, hdrlen;
++ unsigned short macoff, hdrlen;
++ unsigned int netoff;
+ struct sk_buff *copy_skb = NULL;
+ struct timespec ts;
+ __u32 ts_status;
+@@ -2236,6 +2237,10 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
+ }
+ macoff = netoff - maclen;
+ }
++ if (netoff > USHRT_MAX) {
++ atomic_inc(&po->tp_drops);
++ goto drop_n_restore;
++ }
+ if (po->tp_version <= TPACKET_V2) {
+ if (macoff + snaplen > po->rx_ring.frame_size) {
+ if (po->copy_thresh &&
diff --git a/series.conf b/series.conf
index 29ca94a..1ba10c8 100644
--- a/series.conf
+++ b/series.conf 
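Review bot: The added `if (netoff > USHRT_MAX)` guard in the second inner hunk is only sound if the `unsigned int` sum that produces `netoff` cannot itself wrap, and nothing visible here bounds `tp_reserve`. For this backport, confirm that the target branch already rejects oversized PACKET_RESERVE values when the option is set; otherwise a wrapped `netoff` could fall below the limit and pass the guard. `macoff` stays `unsigned short` and is assigned from `netoff - maclen` just before the guard, so I would add `/* macoff is unsigned short: drop frames whose offsets would truncate */` above the check to record why it sits there. tpacket_rcv begins and ends outside both inner hunks, so the computation of `netoff` was not reviewed.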
@@ -14466,6 +14466,7 @@ patches.suse/vgacon-fix-out-of-bounds-write-to-the-scrollback-buf.patch patches.suse/firmware_loader-fix-memory-leak-for-paged-buffer.patch patches.suse/ibmveth-Fix-use-of-ibmveth-in-a-bridge.patch + patches.suse/net-packet-fix-overflow-in-tpacket_rcv.patch ######################################################## # kbuild/module infrastructure fixes