From: Sasha Levin Date: Fri, 6 Mar 2020 14:20:54 +0000 (-0500) Subject: fixes for 4.9 X-Git-Tag: v4.4.216~67 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e5185e60fd1ce5c6003b2603ef6e05e38ccb7edc;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.9 Signed-off-by: Sasha Levin --- diff --git a/queue-4.9/series b/queue-4.9/series index 135292d2def..d7910d89131 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -47,3 +47,4 @@ drivers-net-xgene-fix-the-order-of-the-arguments-of-alloc_etherdev_mqs.patch perf-hists-browser-restore-esc-as-zoom-out-of-dso-thread-etc.patch mm-huge_memory.c-use-head-to-check-huge-zero-page.patch audit-always-check-the-netlink-payload-length-in-aud.patch +vhost-check-docket-sk_family-instead-of-call-getname.patch diff --git a/queue-4.9/vhost-check-docket-sk_family-instead-of-call-getname.patch b/queue-4.9/vhost-check-docket-sk_family-instead-of-call-getname.patch new file mode 100644 index 00000000000..f07c10aa66a --- /dev/null +++ b/queue-4.9/vhost-check-docket-sk_family-instead-of-call-getname.patch 
@@ -0,0 +1,64 @@ +From 9c5b0a9949748179c6f6e2d3b1c13cadfa2f64ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2020 17:30:05 +0100 +Subject: vhost: Check docket sk_family instead of call getname +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Eugenio Pérez + +[ Upstream commit 42d84c8490f9f0931786f1623191fcab397c3d64 ] + +Doing so, we save one call to get data we already have in the struct. + +Also, since there is no guarantee that getname use sockaddr_ll +parameter beyond its size, we add a little bit of security here. +It should do not do beyond MAX_ADDR_LEN, but syzbot found that +ax25_getname writes more (72 bytes, the size of full_sockaddr_ax25, +versus 20 + 32 bytes of sockaddr_ll + MAX_ADDR_LEN in syzbot repro). + +Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server") +Reported-by: syzbot+f2a62d07a5198c819c7b@syzkaller.appspotmail.com +Signed-off-by: Eugenio Pérez +Acked-by: Michael S. Tsirkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/vhost/net.c | 13 ++----------- + 1 file changed, 2 insertions(+), 11 deletions(-) + +diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c +index dd8798bf88e7c..861f43f8f9cea 100644 +--- a/drivers/vhost/net.c ++++ b/drivers/vhost/net.c +@@ -914,11 +914,7 @@ static int vhost_net_release(struct inode *inode, struct file *f) + + static struct socket *get_raw_socket(int fd) + { +- struct { +- struct sockaddr_ll sa; +- char buf[MAX_ADDR_LEN]; +- } uaddr; +- int uaddr_len = sizeof uaddr, r; ++ int r; + struct socket *sock = sockfd_lookup(fd, &r); + + if (!sock) +@@ -930,12 +926,7 @@ static struct socket *get_raw_socket(int fd) + goto err; + } + +- r = sock->ops->getname(sock, (struct sockaddr *)&uaddr.sa, +- &uaddr_len, 0); +- if (r) +- goto err; +- +- if (uaddr.sa.sll_family != AF_PACKET) { ++ if (sock->sk->sk_family != AF_PACKET) { + r = -EPFNOSUPPORT; + goto err; + } +-- +2.20.1 +
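Review bot: the name added to queue-4.9/series, `vhost-check-docket-sk_family-instead-of-call-getname.patch`, carries the "docket" typo from the upstream Subject ("Check docket sk_family"); "socket" is meant. Stable-queue derives the file name from the Subject line, so correcting it means renaming the series entry and the `Subject:` inside the patch together; leaving both as they are is harmless to the tooling but worth a note in the backport commit.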
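Review bot: the removed on-stack `uaddr` in the first net.c hunk is `sizeof(struct sockaddr_ll) + MAX_ADDR_LEN` bytes, which the commit message puts at 20 + 32 = 52, while the `full_sockaddr_ax25` that `ax25_getname` writes is 72 bytes, so the old code let a non-packet socket's getname overrun the caller's stack frame by 20 bytes. Deleting the buffer rather than enlarging it is the right call, since no fixed size covers every protocol's getname, and the surviving `int r;` is still written by `sockfd_lookup(fd, &r)` on failure and by each `goto err` branch below, so nothing reads it uninitialised in the visible paths.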
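Review bot: in the second net.c hunk the check on `sock->sk->sk_family` now runs before any protocol callback is entered, so a non-AF_PACKET socket (the AX.25 one in the syzbot report) never gets its `getname` invoked at all, and `-EPFNOSUPPORT` is preserved for the mismatch. The removed call used the `getname(sock, addr, &uaddr_len, 0)` form with an `int *` length parameter, which is the prototype 4.9 still has, so this backport is correctly adapted rather than lifted verbatim from upstream. One point to confirm in the changelog: for AF_PACKET sockets `sk_family` equals the `sll_family` that `packet_getname` reported, so valid backends see no behaviour change.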
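As an added illustration, not code from the kernel or from this patch, the following constructed user-space C model reproduces the overwrite the commit message describes and shows why the fix removes the buffer instead of resizing it. The struct sizes come from the commit message (20-byte sockaddr_ll, MAX_ADDR_LEN of 32, 72-byte full_sockaddr_ax25); the types and functions with trailing underscores, the `struct frame` with its canary, and the two getname callbacks are stand-ins for the kernel's, and the 0xAA/0xBB fill patterns are constructed sample data. The old caller hands its whole frame to the callback so the model stays within one C object; the bug being modelled is that `ax25_getname` writes its full 72-byte address regardless of the 52 bytes the caller sized for.

```c
#include <assert.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef EPFNOSUPPORT
#define EPFNOSUPPORT 96          /* Linux value; fallback if the libc lacks it */
#endif

/* Stand-ins for the kernel types (assumed layouts, sizes per the commit message). */
#define AF_AX25_      3
#define AF_PACKET_    17
#define MAX_ADDR_LEN_ 32
#define CANARY        0x5A

struct sockaddr_ll_        { uint16_t sll_family; uint8_t rest[18]; }; /* 20 bytes */
struct full_sockaddr_ax25_ { uint16_t family;     uint8_t rest[70]; }; /* 72 bytes */

struct sock_   { int sk_family; };
struct socket_ {
    struct sock_ *sk;
    int (*getname)(struct socket_ *sock, void *uaddr, int *len);
};

/* The old caller's stack: the 52-byte uaddr slot followed by whatever came
 * next on the stack, modelled here as a canary region. */
struct frame {
    struct { struct sockaddr_ll_ sa; char buf[MAX_ADDR_LEN_]; } uaddr; /* 52 bytes */
    uint8_t canary[32];
};

/* AF_PACKET getname: sockaddr_ll plus at most MAX_ADDR_LEN of hardware
 * address, exactly what the old buffer was sized for. */
static int packet_getname(struct socket_ *sock, void *uaddr, int *len)
{
    struct { struct sockaddr_ll_ sa; uint8_t addr[MAX_ADDR_LEN_]; } out;
    (void)sock;
    memset(&out, 0xAA, sizeof out);            /* constructed sample address */
    out.sa.sll_family = AF_PACKET_;
    memcpy(uaddr, &out, sizeof out);           /* 52 bytes, fits */
    *len = (int)sizeof out;
    return 0;
}

/* AX.25 getname: writes its own full_sockaddr_ax25 with no regard to the
 * caller's buffer size, the behaviour the syzbot report describes. */
static int ax25_getname(struct socket_ *sock, void *uaddr, int *len)
{
    struct full_sockaddr_ax25_ out;
    (void)sock;
    memset(&out, 0xBB, sizeof out);            /* constructed sample address */
    out.family = AF_AX25_;
    memcpy(uaddr, &out, sizeof out);           /* 72 bytes into a 52-byte slot */
    *len = (int)sizeof out;
    return 0;
}

static int count_clobbered(const struct frame *fr)
{
    int n = 0;
    for (size_t i = 0; i < sizeof fr->canary; i++)
        if (fr->canary[i] != CANARY)
            n++;
    return n;
}

/* How far the largest getname writer overshoots the old buffer: 72 - 52. */
int overflow_bytes(void)
{
    return (int)(sizeof(struct full_sockaddr_ax25_) - sizeof(((struct frame *)0)->uaddr));
}

/* Pre-fix logic: ask the protocol for its address, then check the family it
 * reported. Returns 0 or -EPFNOSUPPORT; *clobbered (may be NULL) receives the
 * number of canary bytes the callback overwrote. */
int old_get_raw_socket(struct socket_ *sock, int *clobbered)
{
    struct frame fr;
    int len = (int)sizeof fr.uaddr, r;

    memset(&fr, 0, sizeof fr);
    memset(fr.canary, CANARY, sizeof fr.canary);
    r = sock->getname(sock, &fr, &len);        /* caller sized for 52 bytes */
    if (clobbered)
        *clobbered = count_clobbered(&fr);
    if (r)
        return r;
    if (fr.uaddr.sa.sll_family != AF_PACKET_)
        return -EPFNOSUPPORT;
    return 0;
}

int old_clobbered_bytes(struct socket_ *sock)
{
    int c = 0;
    old_get_raw_socket(sock, &c);
    return c;
}

/* Post-fix logic: read the family the socket already carries. No buffer,
 * and no protocol callback runs before the family is validated. */
int new_get_raw_socket(struct socket_ *sock)
{
    if (sock->sk->sk_family != AF_PACKET_)
        return -EPFNOSUPPORT;
    return 0;
}

/* Constructed sockets: one AF_PACKET, one AX.25 (the family in the repro). */
static struct sock_ packet_sk = { AF_PACKET_ };
static struct sock_ ax25_sk   = { AF_AX25_ };
struct socket_ packet_sock = { &packet_sk, packet_getname };
struct socket_ ax25_sock   = { &ax25_sk,   ax25_getname };

int main(void)
{
    int r, c;
    printf("overshoot of ax25_getname past the old buffer: %d bytes\n", overflow_bytes());
    r = old_get_raw_socket(&ax25_sock, &c);
    printf("old, AX.25    : r=%d, canary bytes clobbered=%d\n", r, c);
    r = old_get_raw_socket(&packet_sock, &c);
    printf("old, AF_PACKET: r=%d, canary bytes clobbered=%d\n", r, c);
    printf("new, AX.25    : r=%d\n", new_get_raw_socket(&ax25_sock));
    printf("new, AF_PACKET: r=%d\n", new_get_raw_socket(&packet_sock));
    return 0;
}
```

The old path still rejects the AX.25 socket with -EPFNOSUPPORT, but only after the callback has already written 20 bytes past the slot the caller allocated, which is why the error return alone was never a defence; the new path never gives the protocol a chance to write anything.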