net/packet: fix overflow in tpacket_rcv (acf69c94) · Commits · Mirrors / git.yoctoproject.org / linux-yocto · GitLab

Commit acf69c94 authored Sep 03, 2020 by

Or Cohen Committed by Linus Torvalds Sep 04, 2020

net/packet: fix overflow in tpacket_rcv

Using tp_reserve to calculate netoff can overflow as
tp_reserve is unsigned int and netoff is unsigned short.

This may lead to macoff receving a smaller value then
sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
is set, an out-of-bounds write will occur when
calling virtio_net_hdr_from_skb.

The bug is fixed by converting netoff to unsigned int
and checking if it exceeds USHRT_MAX.

This addresses CVE-2020-14386

Fixes: 8913336a

 ("packet: add PACKET_RESERVE sockopt")
Signed-off-by: Or Cohen <orcohen@paloaltonetworks.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent b25d1dc9

Hide whitespace changes

Inline Side-by-side

mirror @mirror
mentioned in commit 5b08356f
· Jan 27, 2021

mentioned in commit 5b08356f

mentioned in commit 5b08356f184a0314d87f9a889be2ed9fef087691

Toggle commit list
mirror @mirror
mentioned in commit 1c3886dc
· Jan 27, 2021

mentioned in commit 1c3886dc

mentioned in commit 1c3886dc302329f199cc04f8a56ba44d17a0df16

Toggle commit list
mirror @mirror
mentioned in commit f87361be
· Jan 27, 2021

mentioned in commit f87361be

mentioned in commit f87361bef9ca2efe55c7e18ce0339c7a76d1135e

Toggle commit list

Please register or to comment