From ad72e888ee47432a98990f88ec3ec7b1890dd0cd Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Sat, 5 Sep 2020 00:13:19 +0200 Subject: [PATCH] net/packet: fix overflow in tpacket_rcv (CVE-2020-14386) --- debian/changelog | 1 + ...t-packet-fix-overflow-in-tpacket_rcv.patch | 57 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 59 insertions(+) create mode 100644 debian/patches/bugfix/all/net-packet-fix-overflow-in-tpacket_rcv.patch diff --git a/debian/changelog b/debian/changelog index 2342673f3..9557df4ed 100644 --- a/debian/changelog +++ b/debian/changelog @@ -732,6 +732,7 @@ linux (4.19.143-1) UNRELEASED; urgency=medium * ACPI: configfs: Disallow loading ACPI tables when locked down (CVE-2020-15780) * [rt] Update to 4.19.142-rt63 + * net/packet: fix overflow in tpacket_rcv (CVE-2020-14386) -- Salvatore Bonaccorso Tue, 04 Aug 2020 16:33:40 +0200 diff --git a/debian/patches/bugfix/all/net-packet-fix-overflow-in-tpacket_rcv.patch b/debian/patches/bugfix/all/net-packet-fix-overflow-in-tpacket_rcv.patch new file mode 100644 index 000000000..b54fe3ec5 --- /dev/null +++ b/debian/patches/bugfix/all/net-packet-fix-overflow-in-tpacket_rcv.patch @@ -0,0 +1,57 @@ +From: Or Cohen +Date: Thu, 3 Sep 2020 21:05:28 -0700 +Subject: net/packet: fix overflow in tpacket_rcv +Origin: https://git.kernel.org/linus/acf69c946233259ab4d64f8869d4037a198c7f06 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-14386 + +Using tp_reserve to calculate netoff can overflow as +tp_reserve is unsigned int and netoff is unsigned short. + +This may lead to macoff receving a smaller value then +sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr +is set, an out-of-bounds write will occur when +calling virtio_net_hdr_from_skb. + +The bug is fixed by converting netoff to unsigned int +and checking if it exceeds USHRT_MAX. + +This addresses CVE-2020-14386 + +Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt") +Signed-off-by: Or Cohen +Signed-off-by: Eric Dumazet +Signed-off-by: Linus Torvalds +[Salvatore Bonaccorso: Backport to v4.19.y: + - Adjust for context changes + - Revert change to use atomic_inc as v4.19.y does not contain 8e8e2951e309 + ("net/packet: make tp_drops atomic") introduced in v5.3-rc1 +] +--- + net/packet/af_packet.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2162,7 +2162,8 @@ static int tpacket_rcv(struct sk_buff *s + int skb_len = skb->len; + unsigned int snaplen, res; + unsigned long status = TP_STATUS_USER; +- unsigned short macoff, netoff, hdrlen; ++ unsigned short macoff, hdrlen; ++ unsigned int netoff; + struct sk_buff *copy_skb = NULL; + struct timespec ts; + __u32 ts_status; +@@ -2225,6 +2226,12 @@ static int tpacket_rcv(struct sk_buff *s + } + macoff = netoff - maclen; + } ++ if (netoff > USHRT_MAX) { ++ spin_lock(&sk->sk_receive_queue.lock); ++ po->stats.stats1.tp_drops++; ++ spin_unlock(&sk->sk_receive_queue.lock); ++ goto drop_n_restore; ++ } + if (po->tp_version <= TPACKET_V2) { + if (macoff + snaplen > po->rx_ring.frame_size) { + if (po->copy_thresh && diff --git a/debian/patches/series b/debian/patches/series index 99578b307..6b00380a4 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -297,5 +297,6 @@ features/arm/staging-vc04_services-Use-correct-cache-line-size.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch debian/ntfs-mark-it-as-broken.patch +bugfix/all/net-packet-fix-overflow-in-tpacket_rcv.patch # ABI maintenance