4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 2 Mar 2020 19:20:14 +0000 (20:20 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 2 Mar 2020 19:20:14 +0000 (20:20 +0100)
added patches:
vhost-check-docket-sk_family-instead-of-call-getname.patch

queue-4.19/series
queue-4.19/vhost-check-docket-sk_family-instead-of-call-getname.patch [new file with mode: 0644]

index 722c2e2e28ad00dd00e44c0c9d95448d91604c5f..45b4b796d65e57784bea3f90c45d9b8a6ca7d0c7 100644 (file)
@@ -48,3 +48,4 @@ macintosh-therm_windtunnel-fix-regression-when-instantiating-devices.patch
 tracing-disable-trace_printk-on-post-poned-tests.patch
 revert-pm-devfreq-modify-the-device-name-as-devfreq-x-for-sysfs.patch
 amdgpu-gmc_v9-save-restore-sdpif-regs-during-s3.patch
+vhost-check-docket-sk_family-instead-of-call-getname.patch
diff --git a/queue-4.19/vhost-check-docket-sk_family-instead-of-call-getname.patch b/queue-4.19/vhost-check-docket-sk_family-instead-of-call-getname.patch
new file mode 100644 (file)
index 0000000..5b6863b
--- /dev/null
@@ -0,0 +1,57 @@
+From 42d84c8490f9f0931786f1623191fcab397c3d64 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Eugenio=20P=C3=A9rez?= <eperezma@redhat.com>
+Date: Fri, 21 Feb 2020 12:06:56 +0100
+Subject: vhost: Check docket sk_family instead of call getname
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eugenio Pérez <eperezma@redhat.com>
+
+commit 42d84c8490f9f0931786f1623191fcab397c3d64 upstream.
+
+Doing so, we save one call to get data we already have in the struct.
+
+Also, since there is no guarantee that getname use sockaddr_ll
+parameter beyond its size, we add a little bit of security here.
+It should do not do beyond MAX_ADDR_LEN, but syzbot found that
+ax25_getname writes more (72 bytes, the size of full_sockaddr_ax25,
+versus 20 + 32 bytes of sockaddr_ll + MAX_ADDR_LEN in syzbot repro).
+
+Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server")
+Reported-by: syzbot+f2a62d07a5198c819c7b@syzkaller.appspotmail.com
+Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/vhost/net.c |   10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -1187,10 +1187,6 @@ static int vhost_net_release(struct inod
+ static struct socket *get_raw_socket(int fd)
+ {
+-      struct {
+-              struct sockaddr_ll sa;
+-              char  buf[MAX_ADDR_LEN];
+-      } uaddr;
+       int r;
+       struct socket *sock = sockfd_lookup(fd, &r);
+@@ -1203,11 +1199,7 @@ static struct socket *get_raw_socket(int
+               goto err;
+       }
+-      r = sock->ops->getname(sock, (struct sockaddr *)&uaddr.sa, 0);
+-      if (r < 0)
+-              goto err;
+-
+-      if (uaddr.sa.sll_family != AF_PACKET) {
++      if (sock->sk->sk_family != AF_PACKET) {
+               r = -EPFNOSUPPORT;
+               goto err;
+       }
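Review bot: The replacement check `if (sock->sk->sk_family != AF_PACKET)` in get_raw_socket() has no comment recording why the family is read from the sock instead of through `->getname()`, which the commit message ties to ax25_getname writing 72 bytes into a 52-byte on-stack buffer. A short comment above it, e.g. `/* Read sk_family directly: ->getname() may write past a sockaddr_ll-sized buffer. */`, would keep a later cleanup from reintroducing the on-stack call. The fix is local to this call site, so any other in-kernel caller that hands `->getname()` a buffer smaller than `struct sockaddr_storage` would presumably have the same exposure and is worth auditing separately. The check also relies on `sock->sk` being valid at this point, which depends on code between the two hunks that is not visible here.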