From: Greg Kroah-Hartman Date: Fri, 26 Jul 2024 06:35:51 +0000 (+0200) Subject: 6.10-stable patches X-Git-Tag: v4.19.319~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=85947020a2969389bdd27e2b18c133ac009db2b7;p=thirdparty%2Fkernel%2Fstable-queue.git 6.10-stable patches added patches: tap-add-missing-verification-for-short-frame.patch tun-add-missing-verification-for-short-frame.patch --- diff --git a/queue-6.10/series b/queue-6.10/series index c5443e499b3..692e2f5ee9f 100644 --- a/queue-6.10/series +++ b/queue-6.10/series @@ -27,3 +27,5 @@ arm64-dts-qcom-sm6115-disable-ss-instance-in-parkmode-for-usb.patch alsa-pcm_dmaengine-don-t-synchronize-dma-channel-when-dma-is-paused.patch alsa-seq-ump-skip-useless-ports-for-static-blocks.patch filelock-fix-fcntl-close-race-recovery-compat-path.patch +tun-add-missing-verification-for-short-frame.patch +tap-add-missing-verification-for-short-frame.patch diff --git a/queue-6.10/tap-add-missing-verification-for-short-frame.patch b/queue-6.10/tap-add-missing-verification-for-short-frame.patch new file mode 100644 index 00000000000..feadcc8ea9a --- /dev/null +++ b/queue-6.10/tap-add-missing-verification-for-short-frame.patch @@ -0,0 +1,53 @@ +From ed7f2afdd0e043a397677e597ced0830b83ba0b3 Mon Sep 17 00:00:00 2001 +From: Si-Wei Liu +Date: Wed, 24 Jul 2024 10:04:51 -0700 +Subject: tap: add missing verification for short frame + +From: Si-Wei Liu + +commit ed7f2afdd0e043a397677e597ced0830b83ba0b3 upstream. + +The cited commit missed to check against the validity of the frame length +in the tap_get_user_xdp() path, which could cause a corrupted skb to be +sent downstack. Even before the skb is transmitted, the +tap_get_user_xdp()-->skb_set_network_header() may assume the size is more +than ETH_HLEN. Once transmitted, this could either cause out-of-bound +access beyond the actual length, or confuse the underlayer with incorrect +or inconsistent header length in the skb metadata. + +In the alternative path, tap_get_user() already prohibits short frame which +has the length less than Ethernet header size from being transmitted. + +This is to drop any frame shorter than the Ethernet header size just like +how tap_get_user() does. + +CVE: CVE-2024-41090 +Link: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@oracle.com/ +Fixes: 0efac27791ee ("tap: accept an array of XDP buffs through sendmsg()") +Cc: stable@vger.kernel.org +Signed-off-by: Si-Wei Liu +Signed-off-by: Dongli Zhang +Reviewed-by: Willem de Bruijn +Reviewed-by: Paolo Abeni +Reviewed-by: Jason Wang +Link: https://patch.msgid.link/20240724170452.16837-2-dongli.zhang@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/tap.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/tap.c ++++ b/drivers/net/tap.c +@@ -1177,6 +1177,11 @@ static int tap_get_user_xdp(struct tap_q + struct sk_buff *skb; + int err, depth; + ++ if (unlikely(xdp->data_end - xdp->data < ETH_HLEN)) { ++ err = -EINVAL; ++ goto err; ++ } ++ + if (q->flags & IFF_VNET_HDR) + vnet_hdr_len = READ_ONCE(q->vnet_hdr_sz); + diff --git a/queue-6.10/tun-add-missing-verification-for-short-frame.patch b/queue-6.10/tun-add-missing-verification-for-short-frame.patch new file mode 100644 index 00000000000..342cd508fc2 --- /dev/null +++ b/queue-6.10/tun-add-missing-verification-for-short-frame.patch @@ -0,0 +1,52 @@ +From 049584807f1d797fc3078b68035450a9769eb5c3 Mon Sep 17 00:00:00 2001 +From: Dongli Zhang +Date: Wed, 24 Jul 2024 10:04:52 -0700 +Subject: tun: add missing verification for short frame + +From: Dongli Zhang + +commit 049584807f1d797fc3078b68035450a9769eb5c3 upstream. + +The cited commit missed to check against the validity of the frame length +in the tun_xdp_one() path, which could cause a corrupted skb to be sent +downstack. Even before the skb is transmitted, the +tun_xdp_one-->eth_type_trans() may access the Ethernet header although it +can be less than ETH_HLEN. Once transmitted, this could either cause +out-of-bound access beyond the actual length, or confuse the underlayer +with incorrect or inconsistent header length in the skb metadata. + +In the alternative path, tun_get_user() already prohibits short frame which +has the length less than Ethernet header size from being transmitted for +IFF_TAP. + +This is to drop any frame shorter than the Ethernet header size just like +how tun_get_user() does. + +CVE: CVE-2024-41091 +Inspired-by: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@oracle.com/ +Fixes: 043d222f93ab ("tuntap: accept an array of XDP buffs through sendmsg()") +Cc: stable@vger.kernel.org +Signed-off-by: Dongli Zhang +Reviewed-by: Si-Wei Liu +Reviewed-by: Willem de Bruijn +Reviewed-by: Paolo Abeni +Reviewed-by: Jason Wang +Link: https://patch.msgid.link/20240724170452.16837-3-dongli.zhang@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/tun.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -2451,6 +2451,9 @@ static int tun_xdp_one(struct tun_struct + bool skb_xdp = false; + struct page *page; + ++ if (unlikely(datasize < ETH_HLEN)) ++ return -EINVAL; ++ + xdp_prog = rcu_dereference(tun->xdp_prog); + if (xdp_prog) { + if (gso->gso_type) {