vhost: Check docket sk_family instead of call getname (CVE-2020-10942)
This commit is contained in:
parent
241912ed84
commit
2c376b16e6
|
@ -4,6 +4,7 @@ linux (4.19.98-1+deb10u1) UNRELEASED; urgency=medium
|
|||
* do_last(): fetch directory ->i_mode and ->i_uid before it's too late
|
||||
(CVE-2020-8428)
|
||||
* vfs: fix do_last() regression
|
||||
* vhost: Check docket sk_family instead of call getname (CVE-2020-10942)
|
||||
|
||||
-- Salvatore Bonaccorso <carnil@debian.org> Sun, 26 Apr 2020 20:32:58 +0200
|
||||
|
||||
|
|
57
debian/patches/bugfix/all/vhost-Check-docket-sk_family-instead-of-call-getname.patch
vendored
Normal file
57
debian/patches/bugfix/all/vhost-Check-docket-sk_family-instead-of-call-getname.patch
vendored
Normal file
|
@ -0,0 +1,57 @@
|
|||
From: =?UTF-8?q?Eugenio=20P=C3=A9rez?= <eperezma@redhat.com>
|
||||
Date: Fri, 21 Feb 2020 12:06:56 +0100
|
||||
Subject: vhost: Check docket sk_family instead of call getname
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
Origin: https://git.kernel.org/linus/42d84c8490f9f0931786f1623191fcab397c3d64
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-10942
|
||||
|
||||
Doing so, we save one call to get data we already have in the struct.
|
||||
|
||||
Also, since there is no guarantee that getname use sockaddr_ll
|
||||
parameter beyond its size, we add a little bit of security here.
|
||||
It should do not do beyond MAX_ADDR_LEN, but syzbot found that
|
||||
ax25_getname writes more (72 bytes, the size of full_sockaddr_ax25,
|
||||
versus 20 + 32 bytes of sockaddr_ll + MAX_ADDR_LEN in syzbot repro).
|
||||
|
||||
Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server")
|
||||
Reported-by: syzbot+f2a62d07a5198c819c7b@syzkaller.appspotmail.com
|
||||
Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
|
||||
Acked-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
drivers/vhost/net.c | 10 +---------
|
||||
1 file changed, 1 insertion(+), 9 deletions(-)
|
||||
|
||||
diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
|
||||
index e158159671fa..18e205eeb9af 100644
|
||||
--- a/drivers/vhost/net.c
|
||||
+++ b/drivers/vhost/net.c
|
||||
@@ -1414,10 +1414,6 @@ static int vhost_net_release(struct inode *inode, struct file *f)
|
||||
|
||||
static struct socket *get_raw_socket(int fd)
|
||||
{
|
||||
- struct {
|
||||
- struct sockaddr_ll sa;
|
||||
- char buf[MAX_ADDR_LEN];
|
||||
- } uaddr;
|
||||
int r;
|
||||
struct socket *sock = sockfd_lookup(fd, &r);
|
||||
|
||||
@@ -1430,11 +1426,7 @@ static struct socket *get_raw_socket(int fd)
|
||||
goto err;
|
||||
}
|
||||
|
||||
- r = sock->ops->getname(sock, (struct sockaddr *)&uaddr.sa, 0);
|
||||
- if (r < 0)
|
||||
- goto err;
|
||||
-
|
||||
- if (uaddr.sa.sll_family != AF_PACKET) {
|
||||
+ if (sock->sk->sk_family != AF_PACKET) {
|
||||
r = -EPFNOSUPPORT;
|
||||
goto err;
|
||||
}
|
||||
--
|
||||
2.26.2
|
||||
|
|
@ -307,6 +307,7 @@ bugfix/all/wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch
|
|||
bugfix/x86/KVM-nVMX-Don-t-emulate-instructions-in-guest-mode.patch
|
||||
bugfix/all/do_last-fetch-directory-i_mode-and-i_uid-before-it-s.patch
|
||||
bugfix/all/vfs-fix-do_last-regression.patch
|
||||
bugfix/all/vhost-Check-docket-sk_family-instead-of-call-getname.patch
|
||||
|
||||
# Backported change to provide boot-time entropy
|
||||
bugfix/all/random-try-to-actively-add-entropy-rather-than-passi.patch
|
||||
|
|
Loading…
Reference in New Issue