From: Si-Wei Liu si-wei.liu@oracle.com
stable inclusion from stable-v6.6.43 commit aa6a5704cab861c9b2ae9f475076e1881e87f5aa category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAG8ZG CVE: CVE-2024-41090
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
---------------------------
commit ed7f2afdd0e043a397677e597ced0830b83ba0b3 upstream.
The cited commit missed to check against the validity of the frame length in the tap_get_user_xdp() path, which could cause a corrupted skb to be sent downstack. Even before the skb is transmitted, the tap_get_user_xdp()-->skb_set_network_header() may assume the size is more than ETH_HLEN. Once transmitted, this could either cause out-of-bound access beyond the actual length, or confuse the underlayer with incorrect or inconsistent header length in the skb metadata.
In the alternative path, tap_get_user() already prohibits short frame which has the length less than Ethernet header size from being transmitted.
This is to drop any frame shorter than the Ethernet header size just like how tap_get_user() does.
CVE: CVE-2024-41090 Link: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@... Fixes: 0efac27791ee ("tap: accept an array of XDP buffs through sendmsg()") Cc: stable@vger.kernel.org Signed-off-by: Si-Wei Liu si-wei.liu@oracle.com Signed-off-by: Dongli Zhang dongli.zhang@oracle.com Reviewed-by: Willem de Bruijn willemb@google.com Reviewed-by: Paolo Abeni pabeni@redhat.com Reviewed-by: Jason Wang jasowang@redhat.com Link: https://patch.msgid.link/20240724170452.16837-2-dongli.zhang@oracle.com Signed-off-by: Jakub Kicinski kuba@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Liu Jian liujian56@huawei.com --- drivers/net/tap.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/drivers/net/tap.c b/drivers/net/tap.c index 5c01cc7b9949..e7212a64a591 100644 --- a/drivers/net/tap.c +++ b/drivers/net/tap.c @@ -1177,6 +1177,11 @@ static int tap_get_user_xdp(struct tap_queue *q, struct xdp_buff *xdp) struct sk_buff *skb; int err, depth;
+ if (unlikely(xdp->data_end - xdp->data < ETH_HLEN)) { + err = -EINVAL; + goto err; + } + if (q->flags & IFF_VNET_HDR) vnet_hdr_len = READ_ONCE(q->vnet_hdr_sz);
From: Dongli Zhang dongli.zhang@oracle.com
stable inclusion from stable-v6.6.43 commit d5ad89b7d01ed4e66fd04734fc63d6e78536692a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAG8V2 CVE: CVE-2024-41091
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
---------------------------
commit 049584807f1d797fc3078b68035450a9769eb5c3 upstream.
The cited commit missed to check against the validity of the frame length in the tun_xdp_one() path, which could cause a corrupted skb to be sent downstack. Even before the skb is transmitted, the tun_xdp_one-->eth_type_trans() may access the Ethernet header although it can be less than ETH_HLEN. Once transmitted, this could either cause out-of-bound access beyond the actual length, or confuse the underlayer with incorrect or inconsistent header length in the skb metadata.
In the alternative path, tun_get_user() already prohibits short frame which has the length less than Ethernet header size from being transmitted for IFF_TAP.
This is to drop any frame shorter than the Ethernet header size just like how tun_get_user() does.
CVE: CVE-2024-41091 Inspired-by: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@... Fixes: 043d222f93ab ("tuntap: accept an array of XDP buffs through sendmsg()") Cc: stable@vger.kernel.org Signed-off-by: Dongli Zhang dongli.zhang@oracle.com Reviewed-by: Si-Wei Liu si-wei.liu@oracle.com Reviewed-by: Willem de Bruijn willemb@google.com Reviewed-by: Paolo Abeni pabeni@redhat.com Reviewed-by: Jason Wang jasowang@redhat.com Link: https://patch.msgid.link/20240724170452.16837-3-dongli.zhang@oracle.com Signed-off-by: Jakub Kicinski kuba@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Liu Jian liujian56@huawei.com --- drivers/net/tun.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/drivers/net/tun.c b/drivers/net/tun.c index 86515f0c2b6c..e9cd3b810e2c 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -2459,6 +2459,9 @@ static int tun_xdp_one(struct tun_struct *tun, bool skb_xdp = false; struct page *page;
+ if (unlikely(datasize < ETH_HLEN)) + return -EINVAL; + xdp_prog = rcu_dereference(tun->xdp_prog); if (xdp_prog) { if (gso->gso_type) {
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/10539 邮件列表地址:https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/H...
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/10539 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/H...
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/10538 邮件列表地址:https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/S...
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/10538 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/S...