Patch "macvtap: zerocopy: validate vectors before building skb" has been added to the 3.0-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This is a note to let you know that I've just added the patch titled

    macvtap: zerocopy: validate vectors before building skb

to the 3.0-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     macvtap-zerocopy-validate-vectors-before-building-skb.patch
and it can be found in the queue-3.0 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From jslaby@xxxxxxx  Mon Apr  1 16:37:28 2013
From: Jiri Slaby <jslaby@xxxxxxx>
Date: Tue, 19 Mar 2013 12:36:56 +0100
Subject: macvtap: zerocopy: validate vectors before building skb
To: gregkh@xxxxxxxxxxxxxxxxxxx
Cc: jirislaby@xxxxxxxxx, stable@xxxxxxxxxxxxxxx, Jason Wang <jasowang@xxxxxxxxxx>, "Michael S. Tsirkin" <mst@xxxxxxxxxx>, Benjamin Poirier <bpoirier@xxxxxxx>, Jiri Slaby <jslaby@xxxxxxx>
Message-ID: <1363693019-14812-11-git-send-email-jslaby@xxxxxxx>


From: Jason Wang <jasowang@xxxxxxxxxx>

commit b92946e2919134ebe2a4083e4302236295ea2a73 upstream.

There're several reasons that the vectors need to be validated:

- Return error when caller provides vectors whose num is greater than UIO_MAXIOV.
- Linearize part of skb when userspace provides vectors grater than MAX_SKB_FRAGS.
- Return error when userspace provides vectors whose total length may exceed
- MAX_SKB_FRAGS * PAGE_SIZE.

Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
Signed-off-by: Benjamin Poirier <bpoirier@xxxxxxx> [patch reduced to
					the 3rd reason only for 3.0]
Signed-off-by: Jiri Slaby <jslaby@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/net/macvtap.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/net/macvtap.c
+++ b/drivers/net/macvtap.c
@@ -552,6 +552,10 @@ static ssize_t macvtap_get_user(struct m
 	if (unlikely(len < ETH_HLEN))
 		goto err;
 
+	err = -EMSGSIZE;
+	if (unlikely(count > UIO_MAXIOV))
+		goto err;
+
 	skb = macvtap_alloc_skb(&q->sk, NET_IP_ALIGN, len, vnet_hdr.hdr_len,
 				noblock, &err);
 	if (!skb)


Patches currently in stable-queue which might be from jslaby@xxxxxxx are

queue-3.0/kvm-x86-prevent-starting-pit-timers-in-the-absence-of-irqchip-support.patch
queue-3.0/kvm-x86-invalid-opcode-oops-on-set_sregs-with-osxsave-bit-set-cve-2012-4461.patch
queue-3.0/mm-hotplug-correctly-add-new-zone-to-all-other-nodes-zone-lists.patch
queue-3.0/macvtap-zerocopy-validate-vectors-before-building-skb.patch
queue-3.0/x25-validate-incoming-call-user-data-lengths.patch
queue-3.0/batman-adv-bat_socket_read-missing-checks.patch
queue-3.0/kvm-fix-buffer-overflow-in-kvm_set_irq.patch
queue-3.0/x25-handle-undersized-fragmented-skbs.patch
queue-3.0/nfsv4-include-bitmap-in-nfsv4-get-acl-data.patch
queue-3.0/nfs-nfs_getaclargs.acl_len-is-a-size_t.patch
queue-3.0/nfsv4-fix-an-oops-in-the-nfsv4-getacl-code.patch
queue-3.0/kvm-clean-up-error-handling-during-vcpu-creation.patch
queue-3.0/kvm-ensure-all-vcpus-are-consistent-with-in-kernel-irqchip-settings.patch
queue-3.0/batman-adv-only-write-requested-number-of-byte-to-user-buffer.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]