6.9-stable patches

added patches:
	tap-add-missing-verification-for-short-frame.patch
	tun-add-missing-verification-for-short-frame.patch

diff --git a/queue-6.9/series b/queue-6.9/series
index c5443e499b3dab35ea13ae141977c2331a80d341..692e2f5ee9fa9e059650f36fb1032696acd66ddc 100644 (file)
--- a/queue-6.9/series
+++ b/queue-6.9/series
@@ -27,3 +27,5 @@ arm64-dts-qcom-sm6115-disable-ss-instance-in-parkmode-for-usb.patch
 alsa-pcm_dmaengine-don-t-synchronize-dma-channel-when-dma-is-paused.patch
 alsa-seq-ump-skip-useless-ports-for-static-blocks.patch
 filelock-fix-fcntl-close-race-recovery-compat-path.patch
+tun-add-missing-verification-for-short-frame.patch
+tap-add-missing-verification-for-short-frame.patch

diff --git a/queue-6.9/tap-add-missing-verification-for-short-frame.patch b/queue-6.9/tap-add-missing-verification-for-short-frame.patch
new file mode 100644 (file)
index 0000000..feadcc8
--- /dev/null
+++ b/queue-6.9/tap-add-missing-verification-for-short-frame.patch
@@ -0,0 +1,53 @@
+From ed7f2afdd0e043a397677e597ced0830b83ba0b3 Mon Sep 17 00:00:00 2001
+From: Si-Wei Liu <si-wei.liu@oracle.com>
+Date: Wed, 24 Jul 2024 10:04:51 -0700
+Subject: tap: add missing verification for short frame
+
+From: Si-Wei Liu <si-wei.liu@oracle.com>
+
+commit ed7f2afdd0e043a397677e597ced0830b83ba0b3 upstream.
+
+The cited commit missed to check against the validity of the frame length
+in the tap_get_user_xdp() path, which could cause a corrupted skb to be
+sent downstack. Even before the skb is transmitted, the
+tap_get_user_xdp()-->skb_set_network_header() may assume the size is more
+than ETH_HLEN. Once transmitted, this could either cause out-of-bound
+access beyond the actual length, or confuse the underlayer with incorrect
+or inconsistent header length in the skb metadata.
+
+In the alternative path, tap_get_user() already prohibits short frame which
+has the length less than Ethernet header size from being transmitted.
+
+This is to drop any frame shorter than the Ethernet header size just like
+how tap_get_user() does.
+
+CVE: CVE-2024-41090
+Link: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@oracle.com/
+Fixes: 0efac27791ee ("tap: accept an array of XDP buffs through sendmsg()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Si-Wei Liu <si-wei.liu@oracle.com>
+Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Jason Wang <jasowang@redhat.com>
+Link: https://patch.msgid.link/20240724170452.16837-2-dongli.zhang@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/tap.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/tap.c
++++ b/drivers/net/tap.c
+@@ -1177,6 +1177,11 @@ static int tap_get_user_xdp(struct tap_q
+       struct sk_buff *skb;
+       int err, depth;
+ 
++      if (unlikely(xdp->data_end - xdp->data < ETH_HLEN)) {
++              err = -EINVAL;
++              goto err;
++      }
++
+       if (q->flags & IFF_VNET_HDR)
+               vnet_hdr_len = READ_ONCE(q->vnet_hdr_sz);
+ 

diff --git a/queue-6.9/tun-add-missing-verification-for-short-frame.patch b/queue-6.9/tun-add-missing-verification-for-short-frame.patch
new file mode 100644 (file)
index 0000000..342cd50
--- /dev/null
+++ b/queue-6.9/tun-add-missing-verification-for-short-frame.patch
@@ -0,0 +1,52 @@
+From 049584807f1d797fc3078b68035450a9769eb5c3 Mon Sep 17 00:00:00 2001
+From: Dongli Zhang <dongli.zhang@oracle.com>
+Date: Wed, 24 Jul 2024 10:04:52 -0700
+Subject: tun: add missing verification for short frame
+
+From: Dongli Zhang <dongli.zhang@oracle.com>
+
+commit 049584807f1d797fc3078b68035450a9769eb5c3 upstream.
+
+The cited commit missed to check against the validity of the frame length
+in the tun_xdp_one() path, which could cause a corrupted skb to be sent
+downstack. Even before the skb is transmitted, the
+tun_xdp_one-->eth_type_trans() may access the Ethernet header although it
+can be less than ETH_HLEN. Once transmitted, this could either cause
+out-of-bound access beyond the actual length, or confuse the underlayer
+with incorrect or inconsistent header length in the skb metadata.
+
+In the alternative path, tun_get_user() already prohibits short frame which
+has the length less than Ethernet header size from being transmitted for
+IFF_TAP.
+
+This is to drop any frame shorter than the Ethernet header size just like
+how tun_get_user() does.
+
+CVE: CVE-2024-41091
+Inspired-by: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@oracle.com/
+Fixes: 043d222f93ab ("tuntap: accept an array of XDP buffs through sendmsg()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
+Reviewed-by: Si-Wei Liu <si-wei.liu@oracle.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Jason Wang <jasowang@redhat.com>
+Link: https://patch.msgid.link/20240724170452.16837-3-dongli.zhang@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/tun.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -2451,6 +2451,9 @@ static int tun_xdp_one(struct tun_struct
+       bool skb_xdp = false;
+       struct page *page;
+ 
++      if (unlikely(datasize < ETH_HLEN))
++              return -EINVAL;
++
+       xdp_prog = rcu_dereference(tun->xdp_prog);
+       if (xdp_prog) {
+               if (gso->gso_type) {