Commit aa3ee896 authored by Ross Lagerwall, committed by Zhengchao Shao

xen/netback: Fix buffer overrun triggered by unusual packet

stable inclusion
from stable-v5.10.189
commit f9167a2d6b943f30743de6ff8163d1981c34f9a9
category: bugfix
bugzilla: 189119
CVE: CVE-2023-34319

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=f9167a2d6b943f30743de6ff8163d1981c34f9a9



--------------------------------

commit 534fc31d upstream.

It is possible that a guest can send a packet that contains a head + 18
slots and yet has a len <= XEN_NETBACK_TX_COPY_LEN. This causes nr_slots
to underflow in xenvif_get_requests() which then causes the subsequent
loop's termination condition to be wrong, causing a buffer overrun of
queue->tx_map_ops.

Rework the code to account for the extra frag_overflow slots.

This is CVE-2023-34319 / XSA-432.

Fixes: ad7f402a ("xen/netback: Ensure protocol headers don't fall in the non-linear area")
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Reviewed-by: Paul Durrant <paul@xen.org>
Reviewed-by: Wei Liu <wei.liu@kernel.org>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Conflicts:
	drivers/net/xen-netback/netback.c

Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
parent b3ae81a3
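
A simplified user-space model of the slot accounting error described in the commit message, added here as an illustration; it is not code from the patch or from netback.c. The function name, the constants (17 frags, 32 map ops) and the hardened variant are assumptions chosen for the model.

```c
#include <stdio.h>

/* Simplified user-space model. Names and constants are assumptions made
 * for this example; none of this is drivers/net/xen-netback/netback.c. */
#define MODEL_MAX_FRAGS 17u /* assumed frag capacity of one skb */
#define MODEL_MAP_OPS   32u /* assumed capacity of the map-op array */

/*
 * total:    slots in the packet, head included (constructed input)
 * consumed: slots fully used up by the header-copy phase
 * hardened: 0 = overflow slots left out of the counter,
 *           1 = overflow slots counted and the decrement guarded
 * Returns the number of map-op entries the second loop would fill,
 * capped at MODEL_MAP_OPS + 1 so the model never writes out of bounds.
 * A result above MODEL_MAP_OPS stands for an overrun.
 */
static unsigned int map_ops_attempted(unsigned int total,
                                      unsigned int consumed, int hardened)
{
    unsigned int frags = total - 1;
    unsigned int overflow =
        frags > MODEL_MAX_FRAGS ? frags - MODEL_MAX_FRAGS : 0;
    unsigned int nr_slots = (frags - overflow) + 1; /* head + counted frags */
    unsigned int attempted = 0;

    if (hardened)
        nr_slots += overflow; /* account for the extra slots */

    for (unsigned int i = 0; i < consumed; i++) {
        if (hardened && nr_slots == 0)
            break;            /* never step below zero */
        nr_slots--;           /* unsigned: 0 - 1 wraps to UINT_MAX */
    }

    while (attempted < nr_slots && attempted <= MODEL_MAP_OPS)
        attempted++;          /* one map op per remaining slot */
    return attempted;
}

int main(void)
{
    /* head + 18 slots, all consumed by the copy phase */
    printf("unhardened: %u\n", map_ops_attempted(19, 19, 0));
    printf("hardened:   %u\n", map_ops_attempted(19, 19, 1));
    return 0;
}
```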