git.baikalelectronics.ru Git - kernel.git/commit

author	Or Cohen <orcohen@paloaltonetworks.com>
	Fri, 4 Sep 2020 04:05:28 +0000 (21:05 -0700)
committer	Linus Torvalds <torvalds@linux-foundation.org>
	Fri, 4 Sep 2020 18:56:02 +0000 (11:56 -0700)
commit	3804b87e84a50ae989af98ed0dbf509d62dcf906
tree	45b5adb90a74f16effbdeb788c763e87c47bb84b	tree \| snapshot
parent	8cab0034762397fc7e0e9ce9436688b09e30f53a	commit \| diff

net/packet: fix overflow in tpacket_rcv

Using tp_reserve to calculate netoff can overflow as
tp_reserve is unsigned int and netoff is unsigned short.

This may lead to macoff receving a smaller value then
sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
is set, an out-of-bounds write will occur when
calling virtio_net_hdr_from_skb.

The bug is fixed by converting netoff to unsigned int
and checking if it exceeds USHRT_MAX.

This addresses CVE-2020-14386

Fixes: 81e9289b6da4 ("packet: add PACKET_RESERVE sockopt")
Signed-off-by: Or Cohen <orcohen@paloaltonetworks.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>