From patchwork Fri Sep 4 18:33:31 2020
From: Marcelo Henrique Cerri
To: kernel-team@lists.ubuntu.com
Subject: [bionic:linux, bionic:linux-hwe-5.0][PATCH] UBUNTU: SAUCE: net/packet: fix overflow in tpacket_rcv
Date: Fri, 4 Sep 2020 15:33:31 -0300
Message-Id: <20200904183331.369621-1-marcelo.cerri@canonical.com>
From: Or Cohen

CVE-2020-14386

Using tp_reserve to calculate netoff can overflow as tp_reserve is unsigned int and netoff is unsigned short. This may lead to macoff receiving a smaller value than sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr is set, an out-of-bounds write will occur when calling virtio_net_hdr_from_skb.

The bug is fixed by converting netoff to unsigned int and checking if it exceeds USHRT_MAX.

This addresses CVE-2020-14386

Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
Signed-off-by: Or Cohen
Signed-off-by: Eric Dumazet
[ snu: backported to 4.9, changed tp_drops counting/locking ]
Signed-off-by: Stefan Nuernberger
CC: David Woodhouse
CC: Amit Shah
CC: stable@vger.kernel.org
[ mhcerri: from the netdev mailing list: https://lore.kernel.org/netdev/CAM6JnLf_8nwzq+UGO+amXpeApCDarJjwzOEHQd5qBhU7YKm3DQ@mail.gmail.com/ This is the fix proposed on the mailing list for 4.9; this fix is intended for any kernel that doesn't have commit id 8e8e2951e309 ("net/packet: make tp_drops atomic"). For us, that means any kernel before 5.3. Tested with the reproducer proposed by the author. ]
Signed-off-by: Marcelo Henrique Cerri
Acked-by: Thadeu Lima de Souza Cascardo
Acked-by: Khalid Elmously
---
 net/packet/af_packet.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index 89d6b0957d07..cd5fbec69de8 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -2160,7 +2160,8 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, int skb_len = skb->len; unsigned int snaplen, res; unsigned long status = TP_STATUS_USER; - unsigned short macoff, netoff, hdrlen; + unsigned short macoff, hdrlen; + unsigned int netoff; struct sk_buff *copy_skb = NULL; struct timespec ts; __u32 ts_status;
@@ -2223,6 +2224,12 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, } macoff = netoff - maclen; } + if (netoff > USHRT_MAX) { + spin_lock(&sk->sk_receive_queue.lock); + po->stats.stats1.tp_drops++; + spin_unlock(&sk->sk_receive_queue.lock); + goto drop_n_restore; + } if (po->tp_version <= TPACKET_V2) { if (macoff + snaplen > po->rx_ring.frame_size) { if (po->copy_thresh &&
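Review bot: in the declaration hunk (@@ -2160), `macoff` stays `unsigned short` while `netoff` is widened to `unsigned int`, so the later `macoff = netoff - maclen;` still narrows a 32-bit value into 16 bits; that is only harmless because the `netoff > USHRT_MAX` check drops the frame before `macoff` is used. A one-line comment at the declaration (or above the check) saying that the USHRT_MAX test is what keeps `macoff` in range would spare the next backporter from re-deriving it.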
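Review bot: the new block in the second hunk (@@ -2223) takes `sk->sk_receive_queue.lock` solely to increment `po->stats.stats1.tp_drops`; the commit message explains this is intentional for kernels without 8e8e2951e309 ("net/packet: make tp_drops atomic"), but nothing in the code says so. Consider a short comment such as `/* tp_drops is not atomic before 5.3; take the queue lock like the other drop paths */` so that a later forward-port to an atomic `tp_drops` knows to convert this site too. The placement itself is right: the check runs after `netoff` has been fully computed in both branches and before the `macoff + snaplen > po->rx_ring.frame_size` comparison, which would otherwise operate on the truncated `macoff`.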
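The arithmetic behind the commit message, as an added model that is not the kernel's code: `netoff` is computed once with the pre-patch `unsigned short` storage and once with the patched `unsigned int` plus the `USHRT_MAX` check, showing how a large `tp_reserve` leaves `macoff` smaller than the virtio header and how the check turns that into a drop. The header sizes, `TPACKET_ALIGN` and the 10-byte `virtio_net_hdr` length are assumptions made for the model.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed constants: the kernel's 16-byte TPACKET_ALIGN and the legacy
 * 10-byte virtio_net_hdr. Only the arithmetic, not the real code, is modelled. */
#define TPACKET_ALIGNMENT 16u
#define TPACKET_ALIGN(x)  (((x) + TPACKET_ALIGNMENT - 1) & ~(TPACKET_ALIGNMENT - 1))
#define VNET_HDR_LEN      10u

struct offsets {
    unsigned int   netoff;  /* where the network header lands in the ring frame */
    unsigned short macoff;  /* where the MAC header lands; stays unsigned short as in the patch */
    bool           dropped; /* true when the patched code takes drop_n_restore */
};

/* Offset computation for a SOCK_RAW socket with an rx ring.
 * fixed == false: pre-patch, the sum is stored in an unsigned short.
 * fixed == true : patched, netoff is unsigned int and checked against USHRT_MAX. */
struct offsets compute_offsets(unsigned int tp_hdrlen, unsigned int maclen,
                               unsigned int tp_reserve, bool has_vnet_hdr, bool fixed)
{
    struct offsets o = {0, 0, false};
    unsigned int netoff = TPACKET_ALIGN(tp_hdrlen + (maclen < 16 ? 16 : maclen)) + tp_reserve;
    if (has_vnet_hdr)
        netoff += VNET_HDR_LEN;           /* room for the header written in front of the MAC header */

    if (!fixed) {
        unsigned short short_netoff = (unsigned short)netoff;   /* high bits of tp_reserve are lost */
        o.netoff = short_netoff;
        o.macoff = (unsigned short)(short_netoff - maclen);
        return o;
    }
    o.netoff  = netoff;
    o.macoff  = (unsigned short)(netoff - maclen);
    o.dropped = netoff > USHRT_MAX;       /* the patch's check: count tp_drops, goto drop_n_restore */
    return o;
}

/* virtio_net_hdr_from_skb writes VNET_HDR_LEN bytes before macoff; a smaller
 * macoff means the write starts before the frame buffer. */
bool vnet_hdr_fits(const struct offsets *o) { return o->macoff >= VNET_HDR_LEN; }

int main(void)
{
    /* Constructed inputs: 32-byte tpacket header, 14-byte Ethernet header, oversized reserve. */
    struct offsets old = compute_offsets(32, 14, 65494, true, false);
    struct offsets now = compute_offsets(32, 14, 65494, true, true);
    printf("pre-patch : netoff=%u macoff=%u header fits=%d\n", old.netoff, old.macoff, vnet_hdr_fits(&old));
    printf("patched   : netoff=%u dropped=%d\n", now.netoff, now.dropped);
    return 0;
}
```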