Patch "net/packet: fix overflow in tpacket_rcv" has been added to the 5.8-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 06 Sep 2020 23:05:22 -0400

This is a note to let you know that I've just added the patch titled

    net/packet: fix overflow in tpacket_rcv

to the 5.8-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-packet-fix-overflow-in-tpacket_rcv.patch
and it can be found in the queue-5.8 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 00c393ea14d12a4ef490a6aedf0fa6bfc2bfe8c3
Author: Or Cohen <orcohen@xxxxxxxxxxxxxxxxxxxx>
Date:   Thu Sep 3 21:05:28 2020 -0700

    net/packet: fix overflow in tpacket_rcv
    
    [ Upstream commit acf69c946233259ab4d64f8869d4037a198c7f06 ]
    
    Using tp_reserve to calculate netoff can overflow as
    tp_reserve is unsigned int and netoff is unsigned short.
    
    This may lead to macoff receving a smaller value then
    sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
    is set, an out-of-bounds write will occur when
    calling virtio_net_hdr_from_skb.
    
    The bug is fixed by converting netoff to unsigned int
    and checking if it exceeds USHRT_MAX.
    
    This addresses CVE-2020-14386
    
    Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
    Signed-off-by: Or Cohen <orcohen@xxxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx>
    Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 301f41d4929bd..82f7802983797 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2170,7 +2170,8 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
 	int skb_len = skb->len;
 	unsigned int snaplen, res;
 	unsigned long status = TP_STATUS_USER;
-	unsigned short macoff, netoff, hdrlen;
+	unsigned short macoff, hdrlen;
+	unsigned int netoff;
 	struct sk_buff *copy_skb = NULL;
 	struct timespec64 ts;
 	__u32 ts_status;
@@ -2239,6 +2240,10 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
 		}
 		macoff = netoff - maclen;
 	}
+	if (netoff > USHRT_MAX) {
+		atomic_inc(&po->tp_drops);
+		goto drop_n_restore;
+	}
 	if (po->tp_version <= TPACKET_V2) {
 		if (macoff + snaplen > po->rx_ring.frame_size) {
 			if (po->copy_thresh &&






