From: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
Date: Thu, 27 Mar 2014 12:00:26 +0200

> When mergeable buffers are disabled, and the
> incoming packet is too large for the rx buffer,
> get_rx_bufs returns success.
>
> This was intentional in order to make recvmsg
> truncate the packet and then handle_rx would
> detect err != sock_len and drop it.
>
> Unfortunately we pass the original sock_len to
> recvmsg - which means we use parts of iov not fully
> validated.
>
> Fix this up by detecting this overrun and doing packet drop
> immediately.
>
> CVE-2014-0077
>
> Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
> ---
>
> Changes from v1:
> Fix CVE# in the commit log.
> Patch is unchanged.
>
> Note: this is needed for -stable.

Applied and queued up for -stable.

> I wonder if this can still make the release.

I will try but no promises.
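
A simplified userspace model of the condition the quoted commit message describes, as an added example that is not part of this thread or of the kernel patch. The struct, the function names and the sizes are hypothetical; a quota of 1 stands in for "mergeable buffers disabled".

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model, not the vhost-net source. */
struct rx_buf { size_t len; };      /* one validated receive buffer */

/*
 * Collect validated buffers until pkt_len is covered, using at most
 * `quota` buffers. Returns the number of buffers used and stores the
 * validated capacity in *cap. Models the old behaviour: the call
 * succeeds even when the packet does not fit.
 */
static int gather_legacy(const struct rx_buf *b, int avail, int quota,
                         size_t pkt_len, size_t *cap)
{
    int n = 0;
    *cap = 0;
    while (*cap < pkt_len && n < quota && n < avail)
        *cap += b[n++].len;
    return n;                       /* success even if *cap < pkt_len */
}

/* Same walk, but an overrun is reported so the caller drops at once. */
static int gather_checked(const struct rx_buf *b, int avail, int quota,
                          size_t pkt_len, size_t *cap)
{
    int n = gather_legacy(b, avail, quota, pkt_len, cap);
    return (*cap < pkt_len) ? -1 : n;
}

/* Part of a receive sized by the original length that was never validated. */
static size_t uncovered_bytes(size_t pkt_len, size_t cap)
{
    return pkt_len > cap ? pkt_len - cap : 0;
}

int main(void)
{
    struct rx_buf bufs[] = { {1500}, {1500} };  /* constructed sample */
    size_t cap, pkt_len = 4000;                 /* constructed sample */

    int n = gather_legacy(bufs, 2, 1, pkt_len, &cap);
    printf("legacy: %d buffer(s), %zu validated, %zu uncovered\n",
           n, cap, uncovered_bytes(pkt_len, cap));
    if (gather_checked(bufs, 2, 1, pkt_len, &cap) < 0)
        printf("checked: overrun detected, packet dropped\n");
    return 0;
}
```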