From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 2 Mar 2020 19:20:14 +0000 (+0100)
Subject: 4.19-stable patches
X-Git-Tag: v4.19.108~62
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e71b202240c697ee3cbffb98bb355d0e5ededa9d;p=thirdparty%2Fkernel%2Fstable-queue.git

4.19-stable patches

added patches:
	vhost-check-docket-sk_family-instead-of-call-getname.patch
---

diff --git a/queue-4.19/series b/queue-4.19/series
index 722c2e2e28a..45b4b796d65 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -48,3 +48,4 @@ macintosh-therm_windtunnel-fix-regression-when-instantiating-devices.patch
 tracing-disable-trace_printk-on-post-poned-tests.patch
 revert-pm-devfreq-modify-the-device-name-as-devfreq-x-for-sysfs.patch
 amdgpu-gmc_v9-save-restore-sdpif-regs-during-s3.patch
+vhost-check-docket-sk_family-instead-of-call-getname.patch
diff --git a/queue-4.19/vhost-check-docket-sk_family-instead-of-call-getname.patch b/queue-4.19/vhost-check-docket-sk_family-instead-of-call-getname.patch
new file mode 100644
index 00000000000..5b6863b33ec
--- /dev/null
+++ b/queue-4.19/vhost-check-docket-sk_family-instead-of-call-getname.patch
@@ -0,0 +1,57 @@
+From 42d84c8490f9f0931786f1623191fcab397c3d64 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Eugenio=20P=C3=A9rez?= <eperezma@redhat.com>
+Date: Fri, 21 Feb 2020 12:06:56 +0100
+Subject: vhost: Check docket sk_family instead of call getname
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eugenio Pérez <eperezma@redhat.com>
+
+commit 42d84c8490f9f0931786f1623191fcab397c3d64 upstream.
+
+Doing so, we save one call to get data we already have in the struct.
+
+Also, since there is no guarantee that getname use sockaddr_ll
+parameter beyond its size, we add a little bit of security here.
+It should do not do beyond MAX_ADDR_LEN, but syzbot found that
+ax25_getname writes more (72 bytes, the size of full_sockaddr_ax25,
+versus 20 + 32 bytes of sockaddr_ll + MAX_ADDR_LEN in syzbot repro).
+
+Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server")
+Reported-by: syzbot+f2a62d07a5198c819c7b@syzkaller.appspotmail.com
+Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/vhost/net.c |   10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -1187,10 +1187,6 @@ static int vhost_net_release(struct inod
+ 
+ static struct socket *get_raw_socket(int fd)
+ {
+-	struct {
+-		struct sockaddr_ll sa;
+-		char  buf[MAX_ADDR_LEN];
+-	} uaddr;
+ 	int r;
+ 	struct socket *sock = sockfd_lookup(fd, &r);
+ 
+@@ -1203,11 +1199,7 @@ static struct socket *get_raw_socket(int
+ 		goto err;
+ 	}
+ 
+-	r = sock->ops->getname(sock, (struct sockaddr *)&uaddr.sa, 0);
+-	if (r < 0)
+-		goto err;
+-
+-	if (uaddr.sa.sll_family != AF_PACKET) {
++	if (sock->sk->sk_family != AF_PACKET) {
+ 		r = -EPFNOSUPPORT;
+ 		goto err;
+ 	}