From: Si-Wei Liu si-wei.liu@oracle.com
stable inclusion from stable-v5.10.223 commit 7431144b406ae82807eb87d8c98e518475b0450f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAG8ZG CVE: CVE-2024-41090
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
---------------------------
commit ed7f2afdd0e043a397677e597ced0830b83ba0b3 upstream.
The cited commit missed to check against the validity of the frame length in the tap_get_user_xdp() path, which could cause a corrupted skb to be sent downstack. Even before the skb is transmitted, the tap_get_user_xdp()-->skb_set_network_header() may assume the size is more than ETH_HLEN. Once transmitted, this could either cause out-of-bound access beyond the actual length, or confuse the underlayer with incorrect or inconsistent header length in the skb metadata.
In the alternative path, tap_get_user() already prohibits short frame which has the length less than Ethernet header size from being transmitted.
This is to drop any frame shorter than the Ethernet header size just like how tap_get_user() does.
CVE: CVE-2024-41090 Link: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@... Fixes: 0efac27791ee ("tap: accept an array of XDP buffs through sendmsg()") Cc: stable@vger.kernel.org Signed-off-by: Si-Wei Liu si-wei.liu@oracle.com Signed-off-by: Dongli Zhang dongli.zhang@oracle.com Reviewed-by: Willem de Bruijn willemb@google.com Reviewed-by: Paolo Abeni pabeni@redhat.com Reviewed-by: Jason Wang jasowang@redhat.com Link: https://patch.msgid.link/20240724170452.16837-2-dongli.zhang@oracle.com Signed-off-by: Jakub Kicinski kuba@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Liu Jian liujian56@huawei.com --- drivers/net/tap.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/drivers/net/tap.c b/drivers/net/tap.c index 41ee56015a45..16fa0e3e752a 100644 --- a/drivers/net/tap.c +++ b/drivers/net/tap.c @@ -1141,6 +1141,11 @@ static int tap_get_user_xdp(struct tap_queue *q, struct xdp_buff *xdp) struct sk_buff *skb; int err, depth;
+ if (unlikely(xdp->data_end - xdp->data < ETH_HLEN)) { + err = -EINVAL; + goto err; + } + if (q->flags & IFF_VNET_HDR) vnet_hdr_len = READ_ONCE(q->vnet_hdr_sz);
From: Dongli Zhang dongli.zhang@oracle.com
stable inclusion from stable-v5.10.223 commit 6100e0237204890269e3f934acfc50d35fd6f319 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAG8V2 CVE: CVE-2024-41091
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
---------------------------
commit 049584807f1d797fc3078b68035450a9769eb5c3 upstream.
The cited commit missed to check against the validity of the frame length in the tun_xdp_one() path, which could cause a corrupted skb to be sent downstack. Even before the skb is transmitted, the tun_xdp_one-->eth_type_trans() may access the Ethernet header although it can be less than ETH_HLEN. Once transmitted, this could either cause out-of-bound access beyond the actual length, or confuse the underlayer with incorrect or inconsistent header length in the skb metadata.
In the alternative path, tun_get_user() already prohibits short frame which has the length less than Ethernet header size from being transmitted for IFF_TAP.
This is to drop any frame shorter than the Ethernet header size just like how tun_get_user() does.
CVE: CVE-2024-41091 Inspired-by: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@... Fixes: 043d222f93ab ("tuntap: accept an array of XDP buffs through sendmsg()") Cc: stable@vger.kernel.org Signed-off-by: Dongli Zhang dongli.zhang@oracle.com Reviewed-by: Si-Wei Liu si-wei.liu@oracle.com Reviewed-by: Willem de Bruijn willemb@google.com Reviewed-by: Paolo Abeni pabeni@redhat.com Reviewed-by: Jason Wang jasowang@redhat.com Link: https://patch.msgid.link/20240724170452.16837-3-dongli.zhang@oracle.com Signed-off-by: Jakub Kicinski kuba@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Liu Jian liujian56@huawei.com --- drivers/net/tun.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/drivers/net/tun.c b/drivers/net/tun.c index d4a22983be19..de9da902ecc0 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -2471,6 +2471,9 @@ static int tun_xdp_one(struct tun_struct *tun, bool skb_xdp = false; struct page *page;
+ if (unlikely(datasize < ETH_HLEN)) + return -EINVAL; + xdp_prog = rcu_dereference(tun->xdp_prog); if (xdp_prog) { if (gso->gso_type) {
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/10540 邮件列表地址:https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/W...
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/10540 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/W...
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/10541 邮件列表地址:https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/Y...
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/10541 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/Y...