backport fixes for missing verification for short frames in network tap/tun devices

A malicious guest with virtio-net device could apparently crash the host [0]. Fixes CVE-2024-41090 and CVE-2024-41091. Reported in the community forum [1]. [0]: https://seclists.org/oss-sec/2024/q3/110 [1]: https://forum.proxmox.com/threads/151813/ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com> (cherry picked from commit a791b86e0a) FG: renumbered patches Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2025-04-29 12:24:16 +00:00 · 2024-07-26 13:10:44 +02:00 · 2024-07-26 13:10:44 +02:00 · ade017397c
commit ade017397c
parent 3d4f3c6a24
2 changed files with 103 additions and 0 deletions
--- a/patches/kernel/0025-tap-add-missing-verification-for-short-frame.patch
+++ b/patches/kernel/0025-tap-add-missing-verification-for-short-frame.patch
@ -0,0 +1,52 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Si-Wei Liu <si-wei.liu@oracle.com>
 Date: Wed, 24 Jul 2024 10:04:51 -0700
 Subject: [PATCH] tap: add missing verification for short frame
 The cited commit missed to check against the validity of the frame length
 in the tap_get_user_xdp() path, which could cause a corrupted skb to be
 sent downstack. Even before the skb is transmitted, the
 tap_get_user_xdp()-->skb_set_network_header() may assume the size is more
 than ETH_HLEN. Once transmitted, this could either cause out-of-bound
 access beyond the actual length, or confuse the underlayer with incorrect
 or inconsistent header length in the skb metadata.
 In the alternative path, tap_get_user() already prohibits short frame which
 has the length less than Ethernet header size from being transmitted.
 This is to drop any frame shorter than the Ethernet header size just like
 how tap_get_user() does.
 CVE: CVE-2024-41090
 Link: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@oracle.com/
 Fixes: 0efac27791ee ("tap: accept an array of XDP buffs through sendmsg()")
 Cc: stable@vger.kernel.org
 Signed-off-by: Si-Wei Liu <si-wei.liu@oracle.com>
 Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
 Reviewed-by: Willem de Bruijn <willemb@google.com>
 Reviewed-by: Paolo Abeni <pabeni@redhat.com>
 Reviewed-by: Jason Wang <jasowang@redhat.com>
 Link: https://patch.msgid.link/20240724170452.16837-2-dongli.zhang@oracle.com
 Signed-off-by: Jakub Kicinski <kuba@kernel.org>
 (cherry picked from commit ed7f2afdd0e043a397677e597ced0830b83ba0b3)
 Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
 drivers/net/tap.c | 5 +++++
 1 file changed, 5 insertions(+)
 diff --git a/drivers/net/tap.c b/drivers/net/tap.c
 index 9f0495e8df4d..feeeac715c18 100644
 --- a/drivers/net/tap.c
 +++ b/drivers/net/tap.c
@@ -1177,6 +1177,11 @@ static int tap_get_user_xdp(struct tap_queue *q, struct xdp_buff *xdp)
 	struct sk_buff *skb;
 	int err, depth;
 +	if (unlikely(xdp->data_end - xdp->data < ETH_HLEN)) {
 +		err = -EINVAL;
 +		goto err;
 +	}
 +
 	if (q->flags & IFF_VNET_HDR)
 		vnet_hdr_len = READ_ONCE(q->vnet_hdr_sz);
--- a/patches/kernel/0026-tun-add-missing-verification-for-short-frame.patch
+++ b/patches/kernel/0026-tun-add-missing-verification-for-short-frame.patch
@ -0,0 +1,51 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Dongli Zhang <dongli.zhang@oracle.com>
 Date: Wed, 24 Jul 2024 10:04:52 -0700
 Subject: [PATCH] tun: add missing verification for short frame
 The cited commit missed to check against the validity of the frame length
 in the tun_xdp_one() path, which could cause a corrupted skb to be sent
 downstack. Even before the skb is transmitted, the
 tun_xdp_one-->eth_type_trans() may access the Ethernet header although it
 can be less than ETH_HLEN. Once transmitted, this could either cause
 out-of-bound access beyond the actual length, or confuse the underlayer
 with incorrect or inconsistent header length in the skb metadata.
 In the alternative path, tun_get_user() already prohibits short frame which
 has the length less than Ethernet header size from being transmitted for
 IFF_TAP.
 This is to drop any frame shorter than the Ethernet header size just like
 how tun_get_user() does.
 CVE: CVE-2024-41091
 Inspired-by: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@oracle.com/
 Fixes: 043d222f93ab ("tuntap: accept an array of XDP buffs through sendmsg()")
 Cc: stable@vger.kernel.org
 Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
 Reviewed-by: Si-Wei Liu <si-wei.liu@oracle.com>
 Reviewed-by: Willem de Bruijn <willemb@google.com>
 Reviewed-by: Paolo Abeni <pabeni@redhat.com>
 Reviewed-by: Jason Wang <jasowang@redhat.com>
 Link: https://patch.msgid.link/20240724170452.16837-3-dongli.zhang@oracle.com
 Signed-off-by: Jakub Kicinski <kuba@kernel.org>
 (cherry picked from commit 049584807f1d797fc3078b68035450a9769eb5c3)
 Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
 drivers/net/tun.c | 3 +++
 1 file changed, 3 insertions(+)
 diff --git a/drivers/net/tun.c b/drivers/net/tun.c
 index 86515f0c2b6c..e9cd3b810e2c 100644
 --- a/drivers/net/tun.c
 +++ b/drivers/net/tun.c
@@ -2459,6 +2459,9 @@ static int tun_xdp_one(struct tun_struct *tun,
 	bool skb_xdp = false;
 	struct page *page;
 +	if (unlikely(datasize < ETH_HLEN))
 +		return -EINVAL;
 +
 	xdp_prog = rcu_dereference(tun->xdp_prog);
 	if (xdp_prog) {
 		if (gso->gso_type) {