From ade017397c83e99dd222e95c7bf44266a7ea474f Mon Sep 17 00:00:00 2001 From: Fiona Ebner Date: Fri, 26 Jul 2024 13:10:44 +0200 Subject: [PATCH] backport fixes for missing verification for short frames in network tap/tun devices MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A malicious guest with virtio-net device could apparently crash the host [0]. Fixes CVE-2024-41090 and CVE-2024-41091. Reported in the community forum [1]. [0]: https://seclists.org/oss-sec/2024/q3/110 [1]: https://forum.proxmox.com/threads/151813/ Signed-off-by: Fiona Ebner (cherry picked from commit a791b86e0a851967b699eaec132b977284cf55a8) FG: renumbered patches Signed-off-by: Fabian Grünbichler --- ...missing-verification-for-short-frame.patch | 52 +++++++++++++++++++ ...missing-verification-for-short-frame.patch | 51 ++++++++++++++++++ 2 files changed, 103 insertions(+) create mode 100644 patches/kernel/0025-tap-add-missing-verification-for-short-frame.patch create mode 100644 patches/kernel/0026-tun-add-missing-verification-for-short-frame.patch diff --git a/patches/kernel/0025-tap-add-missing-verification-for-short-frame.patch b/patches/kernel/0025-tap-add-missing-verification-for-short-frame.patch new file mode 100644 index 0000000..7607163 --- /dev/null +++ b/patches/kernel/0025-tap-add-missing-verification-for-short-frame.patch @@ -0,0 +1,52 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Si-Wei Liu +Date: Wed, 24 Jul 2024 10:04:51 -0700 +Subject: [PATCH] tap: add missing verification for short frame + +The cited commit missed to check against the validity of the frame length +in the tap_get_user_xdp() path, which could cause a corrupted skb to be +sent downstack. Even before the skb is transmitted, the +tap_get_user_xdp()-->skb_set_network_header() may assume the size is more +than ETH_HLEN. Once transmitted, this could either cause out-of-bound +access beyond the actual length, or confuse the underlayer with incorrect +or inconsistent header length in the skb metadata. + +In the alternative path, tap_get_user() already prohibits short frame which +has the length less than Ethernet header size from being transmitted. + +This is to drop any frame shorter than the Ethernet header size just like +how tap_get_user() does. + +CVE: CVE-2024-41090 +Link: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@oracle.com/ +Fixes: 0efac27791ee ("tap: accept an array of XDP buffs through sendmsg()") +Cc: stable@vger.kernel.org +Signed-off-by: Si-Wei Liu +Signed-off-by: Dongli Zhang +Reviewed-by: Willem de Bruijn +Reviewed-by: Paolo Abeni +Reviewed-by: Jason Wang +Link: https://patch.msgid.link/20240724170452.16837-2-dongli.zhang@oracle.com +Signed-off-by: Jakub Kicinski +(cherry picked from commit ed7f2afdd0e043a397677e597ced0830b83ba0b3) +Signed-off-by: Fiona Ebner +--- + drivers/net/tap.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/tap.c b/drivers/net/tap.c +index 9f0495e8df4d..feeeac715c18 100644 +--- a/drivers/net/tap.c ++++ b/drivers/net/tap.c +@@ -1177,6 +1177,11 @@ static int tap_get_user_xdp(struct tap_queue *q, struct xdp_buff *xdp) + struct sk_buff *skb; + int err, depth; + ++ if (unlikely(xdp->data_end - xdp->data < ETH_HLEN)) { ++ err = -EINVAL; ++ goto err; ++ } ++ + if (q->flags & IFF_VNET_HDR) + vnet_hdr_len = READ_ONCE(q->vnet_hdr_sz); + diff --git a/patches/kernel/0026-tun-add-missing-verification-for-short-frame.patch b/patches/kernel/0026-tun-add-missing-verification-for-short-frame.patch new file mode 100644 index 0000000..4b07b09 --- /dev/null +++ b/patches/kernel/0026-tun-add-missing-verification-for-short-frame.patch @@ -0,0 +1,51 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Dongli Zhang +Date: Wed, 24 Jul 2024 10:04:52 -0700 +Subject: [PATCH] tun: add missing verification for short frame + +The cited commit missed to check against the validity of the frame length +in the tun_xdp_one() path, which could cause a corrupted skb to be sent +downstack. Even before the skb is transmitted, the +tun_xdp_one-->eth_type_trans() may access the Ethernet header although it +can be less than ETH_HLEN. Once transmitted, this could either cause +out-of-bound access beyond the actual length, or confuse the underlayer +with incorrect or inconsistent header length in the skb metadata. + +In the alternative path, tun_get_user() already prohibits short frame which +has the length less than Ethernet header size from being transmitted for +IFF_TAP. + +This is to drop any frame shorter than the Ethernet header size just like +how tun_get_user() does. + +CVE: CVE-2024-41091 +Inspired-by: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@oracle.com/ +Fixes: 043d222f93ab ("tuntap: accept an array of XDP buffs through sendmsg()") +Cc: stable@vger.kernel.org +Signed-off-by: Dongli Zhang +Reviewed-by: Si-Wei Liu +Reviewed-by: Willem de Bruijn +Reviewed-by: Paolo Abeni +Reviewed-by: Jason Wang +Link: https://patch.msgid.link/20240724170452.16837-3-dongli.zhang@oracle.com +Signed-off-by: Jakub Kicinski +(cherry picked from commit 049584807f1d797fc3078b68035450a9769eb5c3) +Signed-off-by: Fiona Ebner +--- + drivers/net/tun.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index 86515f0c2b6c..e9cd3b810e2c 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -2459,6 +2459,9 @@ static int tun_xdp_one(struct tun_struct *tun, + bool skb_xdp = false; + struct page *page; + ++ if (unlikely(datasize < ETH_HLEN)) ++ return -EINVAL; ++ + xdp_prog = rcu_dereference(tun->xdp_prog); + if (xdp_prog) { + if (gso->gso_type) {