diff --git a/kernel.spec b/kernel.spec index b9b5232..16f2d3b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -648,6 +648,10 @@ Patch25049: core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-err #CVE-2014-0055 rhbz 1062577 1081503 Patch25050: net-vhost-validate-vhost_get_vq_desc-return-value.patch +#CVE-2014-0077 rhbz 1064440 1081504 +Patch25051: net-vhost-fix-total-length-when-packets-are-too-short.patch + + # END OF PATCH DEFINITIONS %endif @@ -1301,6 +1305,9 @@ ApplyPatch core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-erro #CVE-2014-0055 rhbz 1062577 1081503 ApplyPatch net-vhost-validate-vhost_get_vq_desc-return-value.patch +#CVE-2014-0077 rhbz 1064440 1081504 +ApplyPatch net-vhost-fix-total-length-when-packets-are-too-short.patch + # END OF PATCH APPLICATIONS %endif @@ -2081,6 +2088,7 @@ fi # || || %changelog * Fri Mar 28 2014 Josh Boyer +- CVE-2014-0077 vhost-net: insufficent big packet handling in handle_rx (rhbz 1064440 1081504) - CVE-2014-0055 vhost-net: insufficent error handling in get_rx_bufs (rhbz 1062577 1081503) - CVE-2014-2568 net: potential info leak when ubuf backed skbs are zero copied (rhbz 1079012 1079013) diff --git a/net-vhost-fix-total-length-when-packets-are-too-short.patch b/net-vhost-fix-total-length-when-packets-are-too-short.patch new file mode 100644 index 0000000..a867794 --- /dev/null +++ b/net-vhost-fix-total-length-when-packets-are-too-short.patch @@ -0,0 +1,80 @@ +Bugzilla: 1081504 +Upstream-status: Sent to netdev list + +From patchwork Thu Mar 27 10:00:26 2014 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Subject: [PATCHv2,net] vhost: fix total length when packets are too short +From: "Michael S. Tsirkin" +X-Patchwork-Id: 334283 +Message-Id: <20140327100026.GA30715@redhat.com> +To: linux-kernel@vger.kernel.org +Cc: kvm@vger.kernel.org, virtio-dev@lists.oasis-open.org, + virtualization@lists.linux-foundation.org, netdev@vger.kernel.org, + Jason Wang , David Miller +Date: Thu, 27 Mar 2014 12:00:26 +0200 + +When mergeable buffers are disabled, and the +incoming packet is too large for the rx buffer, +get_rx_bufs returns success. + +This was intentional in order for make recvmsg +truncate the packet and then handle_rx would +detect err != sock_len and drop it. + +Unfortunately we pass the original sock_len to +recvmsg - which means we use parts of iov not fully +validated. + +Fix this up by detecting this overrun and doing packet drop +immediately. + +CVE-2014-0077 + +Signed-off-by: Michael S. Tsirkin + +--- +Changes from v1: + Fix CVE# in the commit log. + Patch is unchanged. + +Note: this is needed for -stable. + +I wonder if this can still make the release. + + drivers/vhost/net.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c +index a0fa5de..026be58 100644 +--- a/drivers/vhost/net.c ++++ b/drivers/vhost/net.c +@@ -532,6 +532,12 @@ static int get_rx_bufs(struct vhost_virtqueue *vq, + *iovcount = seg; + if (unlikely(log)) + *log_num = nlogs; ++ ++ /* Detect overrun */ ++ if (unlikely(datalen > 0)) { ++ r = UIO_MAXIOV + 1; ++ goto err; ++ } + return headcount; + err: + vhost_discard_vq_desc(vq, headcount); +@@ -587,6 +593,14 @@ static void handle_rx(struct vhost_net *net) + /* On error, stop handling until the next kick. */ + if (unlikely(headcount < 0)) + break; ++ /* On overrun, truncate and discard */ ++ if (unlikely(headcount > UIO_MAXIOV)) { ++ msg.msg_iovlen = 1; ++ err = sock->ops->recvmsg(NULL, sock, &msg, ++ 1, MSG_DONTWAIT | MSG_TRUNC); ++ pr_debug("Discarded rx packet: len %zd\n", sock_len); ++ continue; ++ } + /* OK, now we need to know about added descriptors. */ + if (!headcount) { + if (unlikely(vhost_enable_notify(&net->dev, vq))) {