]> git.ipfire.org Git - thirdparty/linux.git/commitdiff
virtio-net: fix len check in receive_big()
authorXiang Mei <xmei5@asu.edu>
Tue, 16 Jun 2026 04:28:37 +0000 (21:28 -0700)
committerJakub Kicinski <kuba@kernel.org>
Fri, 19 Jun 2026 00:41:34 +0000 (17:41 -0700)
receive_big() bounds the device-announced length by
(big_packets_num_skbfrags + 1) * PAGE_SIZE.  That is still too loose:
add_recvbuf_big() sets sg[1] to start at offset
sizeof(struct padded_vnet_hdr) into the first page, so the chain
actually carries hdr_len + (PAGE_SIZE - sizeof(padded_vnet_hdr)) +
big_packets_num_skbfrags * PAGE_SIZE bytes -- 20 bytes less than the
check allows for the common hdr_len == 12 case.

A malicious virtio backend can announce a len in that gap.  page_to_skb()
then walks one frag past the page chain, storing a NULL page->private
into skb_shinfo()->frags[MAX_SKB_FRAGS], which is both an out-of-bounds
write past the static frag array and a NULL frag handed up the rx path.

Bound len by the size add_recvbuf_big() actually advertised.

Fixes: 0c716703965f ("virtio-net: fix received length check in big packets")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Reviewed-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Bui Quang Minh <minhquangbui99@gmail.com>
Link: https://patch.msgid.link/20260616042837.2249468-1-xmei5@asu.edu
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
drivers/net/virtio_net.c

index 7d2eeb9b12266735d5e4cbdb25540506add6ac21..26afa6341d16118885b2364fb66638e7ea88f3ed 100644 (file)
@@ -1999,15 +1999,18 @@ static struct sk_buff *receive_big(struct net_device *dev,
                                   struct virtnet_rq_stats *stats)
 {
        struct page *page = buf;
+       unsigned long max_len;
        struct sk_buff *skb;
 
+       max_len = (vi->big_packets_num_skbfrags + 1) * PAGE_SIZE -
+                 sizeof(struct padded_vnet_hdr) + vi->hdr_len;
+
        /* Make sure that len does not exceed the size allocated in
         * add_recvbuf_big.
         */
-       if (unlikely(len > (vi->big_packets_num_skbfrags + 1) * PAGE_SIZE)) {
+       if (unlikely(len > max_len)) {
                pr_debug("%s: rx error: len %u exceeds allocated size %lu\n",
-                        dev->name, len,
-                        (vi->big_packets_num_skbfrags + 1) * PAGE_SIZE);
+                        dev->name, len, max_len);
                goto err;
        }