From patchwork Mon Sep 25 22:07:50 2023
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1839395
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F/J/L linux][PATCH 1/1] xen/netback: Fix buffer overrun triggered by unusual packet
Date: Mon, 25 Sep 2023 18:07:50 -0400
Message-Id: <20230925220750.35791-2-yuxuan.luo@canonical.com>
In-Reply-To: <20230925220750.35791-1-yuxuan.luo@canonical.com>
References: <20230925220750.35791-1-yuxuan.luo@canonical.com>

From: Ross Lagerwall

It is possible that a guest can send a packet that contains a head + 18
slots and yet has a len <= XEN_NETBACK_TX_COPY_LEN. This causes nr_slots
to underflow in xenvif_get_requests() which then causes the subsequent
loop's termination condition to be wrong, causing a buffer overrun of
queue->tx_map_ops.

Rework the code to account for the extra frag_overflow slots.

This is CVE-2023-34319 / XSA-432.

Fixes: ad7f402ae4f4 ("xen/netback: Ensure protocol headers don't fall in the non-linear area")
Signed-off-by: Ross Lagerwall
Reviewed-by: Paul Durrant
Reviewed-by: Wei Liu
Signed-off-by: Juergen Gross
(cherry picked from commit 534fc31d09b706a16d83533e16b5dc855caf7576)
CVE-2023-34319
Signed-off-by: Yuxuan Luo
---
 drivers/net/xen-netback/netback.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
index c35c085dbc877..c3a8d78a41a7b 100644
--- a/drivers/net/xen-netback/netback.c
+++ b/drivers/net/xen-netback/netback.c
@@ -396,7 +396,7 @@ static void xenvif_get_requests(struct xenvif_queue *queue, struct gnttab_map_grant_ref *gop = queue->tx_map_ops + *map_ops; struct xen_netif_tx_request *txp = first; - nr_slots = shinfo->nr_frags + 1; + nr_slots = shinfo->nr_frags + frag_overflow + 1; copy_count(skb) = 0; XENVIF_TX_CB(skb)->split_mask = 0; @@ -462,8 +462,8 @@ static void xenvif_get_requests(struct xenvif_queue *queue, } } - for (shinfo->nr_frags = 0; shinfo->nr_frags < nr_slots; - shinfo->nr_frags++, gop++) { + for (shinfo->nr_frags = 0; nr_slots > 0 && shinfo->nr_frags < MAX_SKB_FRAGS; + shinfo->nr_frags++, gop++, nr_slots--) { index = pending_index(queue->pending_cons++); pending_idx = queue->pending_ring[index]; xenvif_tx_create_map_op(queue, pending_idx, txp, @@ -476,12 +476,12 @@ static void xenvif_get_requests(struct xenvif_queue *queue, txp++; } - if (frag_overflow) { + if (nr_slots > 0) { shinfo = skb_shinfo(nskb); frags = shinfo->frags; - for (shinfo->nr_frags = 0; shinfo->nr_frags < frag_overflow; + for (shinfo->nr_frags = 0; shinfo->nr_frags < nr_slots; shinfo->nr_frags++, txp++, gop++) { index = pending_index(queue->pending_cons++); pending_idx = queue->pending_ring[index]; @@ -492,6 +492,11 @@ static void xenvif_get_requests(struct xenvif_queue *queue, } skb_shinfo(skb)->frag_list = nskb; + } else if (nskb) { + /* A frag_list skb was allocated but it is no longer needed + * because enough slots were converted to copy ops above. + */ + kfree_skb(nskb); } (*copy_ops) = cop - queue->tx_copy_ops;
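Review bot: in the first hunk (@@ -396), the new initial value `nr_slots = shinfo->nr_frags + frag_overflow + 1;` is the heart of the fix for the underflow the commit message describes, yet nothing at this point says what nr_slots now means; a one-line comment stating that it counts every slot the guest submitted (the head, the frags that fit in the first skb, and the overflow frags) would help, because the subtraction that turns leading slots into copy ops happens outside this hunk and a reader cannot otherwise see why frag_overflow belongs in the count.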
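Review bot: in the second hunk (@@ -462), the rewritten loop header `for (shinfo->nr_frags = 0; nr_slots > 0 && shinfo->nr_frags < MAX_SKB_FRAGS;` runs past 80 columns once the tab indent is counted, which checkpatch will flag; splitting the condition over two lines keeps it readable. On the logic, bounding the loop on both nr_slots and MAX_SKB_FRAGS is the right shape: the old condition `shinfo->nr_frags < nr_slots` is what walked gop past the end of queue->tx_map_ops once nr_slots had wrapped, while the new one can emit at most MAX_SKB_FRAGS map ops for the first skb whatever nr_slots holds, and decrementing nr_slots in the increment clause leaves it holding exactly the slots still owed to the frag_list skb.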
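Review bot: in the third hunk (@@ -476), the second loop `for (shinfo->nr_frags = 0; shinfo->nr_frags < nr_slots;` carries no MAX_SKB_FRAGS guard of its own, so it relies on nr_slots, after the first loop has consumed up to MAX_SKB_FRAGS slots, being no larger than the number of frags nskb was allocated for; that holds only because nr_slots started at nr_frags + frag_overflow + 1 and the relationship between nr_frags and frag_overflow is established outside this hunk, so please state the invariant in a comment (a WARN_ON_ONCE would also make a future regression visible). The switch from `if (frag_overflow)` to `if (nr_slots > 0)` is otherwise correct: once the copy-op conversion can consume overflow slots too, frag_overflow no longer tells you whether any slots remain for the frag_list skb.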
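Review bot: in the fourth hunk (@@ -492), the new `} else if (nskb) {` branch closes a leak that the new gating would otherwise introduce: nskb exists whenever frag_overflow is non-zero (the old code dereferenced it unconditionally under `if (frag_overflow)`), and with the condition now `nr_slots > 0` there is a path where nskb is allocated but never attached to skb->frag_list. The in-code comment explains this well, but the commit message does not mention the leak-avoidance, and a sentence there would help anyone backporting. The branch also depends on nskb being initialised to NULL on the no-overflow path, which is outside this hunk but must hold for `if (nskb)` to be safe; worth confirming in the tree this is applied to.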