From patchwork Fri Oct 19 09:46:04 2018
X-Patchwork-Submitter: Kleber Sacilotto de Souza
X-Patchwork-Id: 986643
From: Kleber Sacilotto de Souza
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Bionic][Cosmic][PATCH 1/1] xen-netback: fix input validation in xenvif_set_hash_mapping()
Date: Fri, 19 Oct 2018 11:46:04 +0200
Message-Id: <20181019094604.14422-2-kleber.souza@canonical.com>
In-Reply-To: <20181019094604.14422-1-kleber.souza@canonical.com>
References: <20181019094604.14422-1-kleber.souza@canonical.com>
List-Id: Kernel team discussions
From: Jan Beulich

Both len and off are frontend-specified values, so we need to make sure
there's no overflow when adding the two for the bounds check. We also
want to avoid undefined behavior and hence use off to index into
->hash.mapping[] only after bounds checking. This at the same time
allows taking care of not applying off twice for the bounds checking
against vif->num_queues.

It is also insufficient to bounds check copy_op.len, as this is len
truncated to 16 bits.

This is XSA-270 / CVE-2018-15471.

Reported-by: Felix Wilhelm
Signed-off-by: Jan Beulich
Reviewed-by: Paul Durrant
Tested-by: Paul Durrant
Cc: stable@vger.kernel.org [4.7 onwards]
Signed-off-by: David S. Miller

CVE-2018-15471

(cherry picked from commit 780e83c259fc33e8959fed8dfdad17e378d72b62)
Signed-off-by: Kleber Sacilotto de Souza
Acked-by: Stefan Bader
Acked-by: Colin Ian King
---
 drivers/net/xen-netback/hash.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/drivers/net/xen-netback/hash.c b/drivers/net/xen-netback/hash.c
index 3c4c58b9fe76..3b6fb5b3bdb2 100644
--- a/drivers/net/xen-netback/hash.c
+++ b/drivers/net/xen-netback/hash.c
@@ -332,20 +332,22 @@ u32 xenvif_set_hash_mapping_size(struct xenvif *vif, u32 size) u32 xenvif_set_hash_mapping(struct xenvif *vif, u32 gref, u32 len, u32 off) { - u32 *mapping = &vif->hash.mapping[off]; + u32 *mapping = vif->hash.mapping; struct gnttab_copy copy_op = { .source.u.ref = gref, .source.domid = vif->domid, - .dest.u.gmfn = virt_to_gfn(mapping), .dest.domid = DOMID_SELF, - .dest.offset = xen_offset_in_page(mapping), - .len = len * sizeof(u32), + .len = len * sizeof(*mapping), .flags = GNTCOPY_source_gref }; - if ((off + len > vif->hash.size) || copy_op.len > XEN_PAGE_SIZE) + if ((off + len < off) || (off + len > vif->hash.size) || + len > XEN_PAGE_SIZE / sizeof(*mapping)) return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER; + copy_op.dest.u.gmfn = virt_to_gfn(mapping + off); + copy_op.dest.offset = xen_offset_in_page(mapping + off); + while (len-- != 0) if (mapping[off++] >= vif->num_queues) return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER;
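Review bot: the `.len = len * sizeof(*mapping)` initializer in this hunk is still computed from the unchecked frontend value before the new `if`, while `dest.u.gmfn` and `dest.offset` were deliberately moved below the check; since `copy_op` is only handed to the grant copy after the check passes this is harmless, but moving `.len` next to the two `copy_op.dest` assignments would make the validate-then-use ordering uniform and easier to audit. Separately, `len > XEN_PAGE_SIZE / sizeof(*mapping)` bounds the copy length against a whole page but not against the page remainder starting at `xen_offset_in_page(mapping + off)`, so `dest.offset + copy_op.len` can still exceed XEN_PAGE_SIZE; that case is not rejected by this check and is left to the grant-copy status handling, which is not visible in this hunk, so a one-line comment at the check saying so would help the next reader.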
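As an added illustration of the two failure modes the commit message describes (32-bit wrap of `off + len` and 16-bit truncation of `copy_op.len`), the following user-space C model reproduces the pre-fix and post-fix checks from the hunk above and feeds them a frontend-chosen `off`/`len` pair. This is example code written for this page, not code from the xen-netback driver or the patch: `struct hash_state`, `struct copy_op`, the `STATUS_*` constants, `MAX_MAPPING`, and the values `EVIL_LEN`/`EVIL_OFF` are constructed stand-ins, and the grant copy is simulated with `memcpy`.

```c
#include <assert.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins (assumptions, not the driver's definitions). */
#define XEN_PAGE_SIZE 4096u
#define MAX_MAPPING   128u                 /* assumed capacity of hash.mapping[] */
enum { STATUS_SUCCESS = 0, STATUS_INVALID_PARAMETER = 2 };

struct hash_state {
    uint32_t size;                         /* models vif->hash.size */
    uint32_t num_queues;                   /* models vif->num_queues */
    uint32_t mapping[MAX_MAPPING];         /* models vif->hash.mapping[] */
};

/* gnttab_copy.len is a 16-bit field; only the truncation matters here. */
struct copy_op { uint16_t len; };

/* Pre-fix check, reconstructed from the '-' lines of the hunk. */
static int old_check(const struct hash_state *h, uint32_t len, uint32_t off)
{
    struct copy_op op = { .len = (uint16_t)(len * sizeof(uint32_t)) };
    /* off + len can wrap (u32), and op.len has already lost the high bits. */
    if ((off + len > h->size) || op.len > XEN_PAGE_SIZE)
        return STATUS_INVALID_PARAMETER;
    return STATUS_SUCCESS;
}

/* Post-fix check, from the '+' lines of the hunk. */
static int new_check(const struct hash_state *h, uint32_t len, uint32_t off)
{
    if ((off + len < off) ||                       /* wrap-around */
        (off + len > h->size) ||                   /* range fits the table */
        len > XEN_PAGE_SIZE / sizeof(uint32_t))    /* bound len, not its truncation */
        return STATUS_INVALID_PARAMETER;
    return STATUS_SUCCESS;
}

/* Post-fix flow: validate, then copy, then check each entry against num_queues. */
static int apply_mapping(struct hash_state *h, const uint32_t *src,
                         uint32_t len, uint32_t off)
{
    uint32_t *mapping = h->mapping;

    if (new_check(h, len, off) != STATUS_SUCCESS)
        return STATUS_INVALID_PARAMETER;

    memcpy(mapping + off, src, len * sizeof(*mapping));   /* stands in for gnttab_copy */

    while (len-- != 0)
        if (mapping[off++] >= h->num_queues)
            return STATUS_INVALID_PARAMETER;
    return STATUS_SUCCESS;
}

/* Constructed attacker input: len*4 == 0x40000 truncates to 0 in 16 bits, and
 * off + len == 0x100000000 wraps to 0 in 32 bits, so the old check sees
 * "0 entries, starting at 0" while off really points 4 GiB past the table. */
#define EVIL_LEN 0x10000u
#define EVIL_OFF 0xFFFF0000u

static struct hash_state make_state(void)
{
    struct hash_state h = { .size = 16, .num_queues = 4 };   /* mapping[] zeroed */
    return h;
}

int demo_old_check_accepts_evil(void)
{
    struct hash_state h = make_state();
    return old_check(&h, EVIL_LEN, EVIL_OFF);      /* STATUS_SUCCESS: the bug */
}

int demo_new_check_rejects_evil(void)
{
    struct hash_state h = make_state();
    return new_check(&h, EVIL_LEN, EVIL_OFF);      /* STATUS_INVALID_PARAMETER */
}

int demo_apply_valid(void)
{
    struct hash_state h = make_state();
    const uint32_t src[8] = { 0, 1, 2, 3, 0, 1, 2, 3 };   /* all < num_queues */
    return apply_mapping(&h, src, 8, 4);           /* STATUS_SUCCESS */
}

int demo_apply_bad_queue(void)
{
    struct hash_state h = make_state();
    const uint32_t src[4] = { 0, 1, 4, 3 };        /* 4 >= num_queues */
    return apply_mapping(&h, src, 4, 0);           /* STATUS_INVALID_PARAMETER */
}

int main(void)
{
    printf("old check on evil input: %d\n", demo_old_check_accepts_evil());
    printf("new check on evil input: %d\n", demo_new_check_rejects_evil());
    printf("apply valid: %d, apply bad queue: %d\n",
           demo_apply_valid(), demo_apply_bad_queue());
    return 0;
}
```

The point the model makes concrete is that the truncated `copy_op.len` is not a usable bound at all: any `len` that is a multiple of 0x4000 entries produces a 16-bit length of zero, so the old second clause never fires, and once `off + len` also wraps the first clause passes and the unchecked `off` is used as an index. Checking `len` itself against `XEN_PAGE_SIZE / sizeof(*mapping)` and testing for wrap before using `off` closes both holes.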