From patchwork Wed Jul 24 17:04:51 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Dongli Zhang
X-Patchwork-Id: 13741198
X-Patchwork-Delegate: kuba@kernel.org
From: Dongli Zhang
To: netdev@vger.kernel.org
Cc: willemdebruijn.kernel@gmail.com, jasowang@redhat.com, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, ast@kernel.org, daniel@iogearbox.net, hawk@kernel.org, john.fastabend@gmail.com, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, si-wei.liu@oracle.com
Subject: [PATCH net 1/2] tap: add missing verification for short frame
Date: Wed, 24 Jul 2024 10:04:51 -0700
Message-Id: <20240724170452.16837-2-dongli.zhang@oracle.com>
In-Reply-To: <20240724170452.16837-1-dongli.zhang@oracle.com>
References: <20240724170452.16837-1-dongli.zhang@oracle.com>

From: Si-Wei Liu

The cited commit missed to check against the validity of the frame length in the tap_get_user_xdp() path, which could cause a corrupted skb to be sent downstack. Even before the skb is transmitted, the tap_get_user_xdp()-->skb_set_network_header() may assume the size is more than ETH_HLEN. Once transmitted, this could either cause out-of-bound access beyond the actual length, or confuse the underlayer with incorrect or inconsistent header length in the skb metadata.

In the alternative path, tap_get_user() already prohibits short frame which has the length less than Ethernet header size from being transmitted.

This is to drop any frame shorter than the Ethernet header size just like how tap_get_user() does.

CVE: CVE-2024-41090
Link: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@oracle.com/
Fixes: 0efac27791ee ("tap: accept an array of XDP buffs through sendmsg()")
Cc: stable@vger.kernel.org
Signed-off-by: Si-Wei Liu
Signed-off-by: Dongli Zhang
Reviewed-by: Willem de Bruijn
Reviewed-by: Paolo Abeni
Reviewed-by: Jason Wang
--- drivers/net/tap.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/net/tap.c b/drivers/net/tap.c index bfdd3875fe86..77574f7a3bd4 100644 --- a/drivers/net/tap.c +++ b/drivers/net/tap.c
@@ -1177,6 +1177,11 @@ static int tap_get_user_xdp(struct tap_queue *q, struct xdp_buff *xdp) struct sk_buff *skb; int err, depth; + if (unlikely(xdp->data_end - xdp->data < ETH_HLEN)) { + err = -EINVAL; + goto err; + } + if (q->flags & IFF_VNET_HDR) vnet_hdr_len = READ_ONCE(q->vnet_hdr_sz);
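
Review bot: The new early exit at the top of tap_get_user_xdp() does `goto err` while `skb` is still unassigned (the context line declares `struct sk_buff *skb;` with no initializer), and the `err` label is outside this hunk, so please confirm that label neither frees nor dereferences skb. A one-line comment above the check saying it mirrors the short-frame rejection in tap_get_user(), as the commit message explains, would also help, because `xdp->data_end - xdp->data < ETH_HLEN` on its own does not say why ETH_HLEN is the floor or that the length is meant to exclude any vnet header read just below.
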
From: Dongli Zhang
To: netdev@vger.kernel.org
Cc: willemdebruijn.kernel@gmail.com, jasowang@redhat.com, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, ast@kernel.org, daniel@iogearbox.net, hawk@kernel.org, john.fastabend@gmail.com, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, si-wei.liu@oracle.com
Subject: [PATCH net 2/2] tun: add missing verification for short frame
Date: Wed, 24 Jul 2024 10:04:52 -0700
Message-Id: <20240724170452.16837-3-dongli.zhang@oracle.com>
In-Reply-To: <20240724170452.16837-1-dongli.zhang@oracle.com>
References: <20240724170452.16837-1-dongli.zhang@oracle.com>

The cited commit missed to check against the validity of the frame length in the tun_xdp_one() path, which could cause a corrupted skb to be sent downstack. Even before the skb is transmitted, the tun_xdp_one-->eth_type_trans() may access the Ethernet header although it can be less than ETH_HLEN. Once transmitted, this could either cause out-of-bound access beyond the actual length, or confuse the underlayer with incorrect or inconsistent header length in the skb metadata.

In the alternative path, tun_get_user() already prohibits short frame which has the length less than Ethernet header size from being transmitted for IFF_TAP.

This is to drop any frame shorter than the Ethernet header size just like how tun_get_user() does.

CVE: CVE-2024-41091
Inspired-by: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@oracle.com/
Fixes: 043d222f93ab ("tuntap: accept an array of XDP buffs through sendmsg()")
Cc: Si-Wei Liu
Cc: stable@vger.kernel.org
Signed-off-by: Dongli Zhang
Reviewed-by: Si-Wei Liu
Reviewed-by: Willem de Bruijn
Reviewed-by: Paolo Abeni
Reviewed-by: Jason Wang
--- drivers/net/tun.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/tun.c b/drivers/net/tun.c index 9b24861464bc..1d06c560c5e6 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -2455,6 +2455,9 @@ static int tun_xdp_one(struct tun_struct *tun, bool skb_xdp = false; struct page *page; + if (unlikely(datasize < ETH_HLEN)) + return -EINVAL; + xdp_prog = rcu_dereference(tun->xdp_prog); if (xdp_prog) { if (gso->gso_type) {
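
Review bot: The `datasize < ETH_HLEN` check at the top of tun_xdp_one() is unconditional, while the commit message describes the existing tun_get_user() check as applying to IFF_TAP; please state in a comment or in the changelog whether tun_xdp_one() can be reached for a non-IFF_TAP device and, if so, whether rejecting frames shorter than ETH_HLEN is intended there as well. The bare `return -EINVAL` also differs from the `goto err` used in the tap patch of this series, so if other error paths in this function account for dropped frames, the short-frame drop should be counted the same way.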