| commit | 4d64e87ddd30cd19fb16caaae5cc3fc81a135e16 | [log] [tgz] |
|---|---|---|
| author | Or Cohen <[email protected]> | Sun Aug 30 20:04:51 2020 +0300 |
| committer | Vaibhav Rustagi <[email protected]> | Fri Sep 04 01:02:11 2020 +0000 |
| tree | b29ee163a4cbdf4aecfc3b52cfb1a31ba5bf27f3 | |
| parent | e4e286e9fa35f3e52882d3acbc010c51acb1c3be [diff] |
net/packet: fix overflow in tpacket_rcv Using tp_reserve to calculate netoff can overflow as tp_reserve is unsigned int and netoff is unsigned short. This may lead to macoff receving a smaller value then sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr is set, an out-of-bounds write will occur when calling virtio_net_hdr_from_skb. The bug is fixed by converting netoff to unsigned int and checking if it exceeds USHRT_MAX. BUG=b/167730744 TEST=Manually tried the reproducer before and after this fix. RELEASE_NOTE=Fixed overflow in tpacket_rcv, which caused CVE-2020-14386. SOURCE=FROMLIST(https://www.openwall.com/lists/oss-security/2020/09/03/3) Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt") Signed-off-by: Or Cohen <[email protected]> Signed-off-by: Roy Yang <[email protected]> Change-Id: I119b9e950f948259bbf0e3afeda5f33c0fb40e51 Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/4981 Reviewed-by: Vaibhav Rustagi <[email protected]> Reviewed-by: Robert Kolchmeyer <[email protected]> Tested-by: Robert Kolchmeyer <[email protected]>