Commit e06d5733 authored by Sean Anderson's avatar Sean Anderson Committed by Wang Liang
Browse files

net: dpaa: Pad packets to ETH_ZLEN 

stable inclusion
from stable-v6.6.52
commit 34fcac26216ce17886af3eb392355b459367af1a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAU9O1
CVE: CVE-2024-46854

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=34fcac26216ce17886af3eb392355b459367af1a



--------------------------------

[ Upstream commit cbd7ec083413c6a2e0c326d49e24ec7d12c7a9e0 ]

When sending packets under 60 bytes, up to three bytes of the buffer
following the data may be leaked. Avoid this by extending all packets to
ETH_ZLEN, ensuring nothing is leaked in the padding. This bug can be
reproduced by running

	$ ping -s 11 destination

Fixes: 9ad1a374 ("dpaa_eth: add support for DPAA Ethernet")
Suggested-by: default avatarEric Dumazet <edumazet@google.com>
Signed-off-by: default avatarSean Anderson <sean.anderson@linux.dev>
Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20240910143144.1439910-1-sean.anderson@linux.dev


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarWang Liang <wangliang74@huawei.com>
parent e4bfde20

drivers/net/ethernet/freescale/dpaa/dpaa_eth.c

+8 −1
Original line number Diff line number Diff line
@@ -2277,12 +2277,12 @@ static netdev_tx_t 
dpaa_start_xmit(struct sk_buff *skb, struct net_device *net_dev)

{

	const int queue_mapping = skb_get_queue_mapping(skb);

	bool nonlinear = skb_is_nonlinear(skb);

	struct rtnl_link_stats64 *percpu_stats;

	struct dpaa_percpu_priv *percpu_priv;

	struct netdev_queue *txq;

	struct dpaa_priv *priv;

	struct qm_fd fd;

	bool nonlinear;

	int offset = 0;

	int err = 0;
@@ -2292,6 +2292,13 @@ dpaa_start_xmit(struct sk_buff *skb, struct net_device *net_dev) 


	qm_fd_clear_fd(&fd);



	/* Packet data is always read as 32-bit words, so zero out any part of

	 * the skb which might be sent if we have to pad the packet

	 */

	if (__skb_put_padto(skb, ETH_ZLEN, false))

		goto enomem;



	nonlinear = skb_is_nonlinear(skb);

	if (!nonlinear) {

		/* We're going to store the skb backpointer at the beginning

		 * of the data buffer, so we need a privately owned skb