59 lines
1.7 KiB
Diff
59 lines
1.7 KiB
Diff
From: "Michael S. Tsirkin" <mst@redhat.com>
|
|
Date: Thu, 27 Mar 2014 12:00:26 +0200
|
|
Subject: [1/2] vhost: fix total length when packets are too short
|
|
Origin: https://git.kernel.org/linus/d8316f3991d207fe32881a9ac20241be8fa2bad0
|
|
|
|
When mergeable buffers are disabled, and the
|
|
incoming packet is too large for the rx buffer,
|
|
get_rx_bufs returns success.
|
|
|
|
This was intentional in order for make recvmsg
|
|
truncate the packet and then handle_rx would
|
|
detect err != sock_len and drop it.
|
|
|
|
Unfortunately we pass the original sock_len to
|
|
recvmsg - which means we use parts of iov not fully
|
|
validated.
|
|
|
|
Fix this up by detecting this overrun and doing packet drop
|
|
immediately.
|
|
|
|
CVE-2014-0077
|
|
|
|
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
|
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
---
|
|
drivers/vhost/net.c | 14 ++++++++++++++
|
|
1 file changed, 14 insertions(+)
|
|
|
|
--- a/drivers/vhost/net.c
|
|
+++ b/drivers/vhost/net.c
|
|
@@ -528,6 +528,12 @@ static int get_rx_bufs(struct vhost_virt
|
|
*iovcount = seg;
|
|
if (unlikely(log))
|
|
*log_num = nlogs;
|
|
+
|
|
+ /* Detect overrun */
|
|
+ if (unlikely(datalen > 0)) {
|
|
+ r = UIO_MAXIOV + 1;
|
|
+ goto err;
|
|
+ }
|
|
return headcount;
|
|
err:
|
|
vhost_discard_vq_desc(vq, headcount);
|
|
@@ -583,6 +589,14 @@ static void handle_rx(struct vhost_net *
|
|
/* On error, stop handling until the next kick. */
|
|
if (unlikely(headcount < 0))
|
|
break;
|
|
+ /* On overrun, truncate and discard */
|
|
+ if (unlikely(headcount > UIO_MAXIOV)) {
|
|
+ msg.msg_iovlen = 1;
|
|
+ err = sock->ops->recvmsg(NULL, sock, &msg,
|
|
+ 1, MSG_DONTWAIT | MSG_TRUNC);
|
|
+ pr_debug("Discarded rx packet: len %zd\n", sock_len);
|
|
+ continue;
|
|
+ }
|
|
/* OK, now we need to know about added descriptors. */
|
|
if (!headcount) {
|
|
if (unlikely(vhost_enable_notify(&net->dev, vq))) {
|