Merge branch 'tap-tun-harden-by-dropping-short-frame'

Dongli Zhang says:

====================
tap/tun: harden by dropping short frame

This hardens all of tap/tun by dropping any frame shorter than the
Ethernet header (ETH_HLEN).

While the xen-netback already rejects short frame smaller than ETH_HLEN ...

 914 static void xenvif_tx_build_gops(struct xenvif_queue *queue,
 915                                      int budget,
 916                                      unsigned *copy_ops,
 917                                      unsigned *map_ops)
 918 {
... ...
1007                 if (unlikely(txreq.size < ETH_HLEN)) {
1008                         netdev_dbg(queue->vif->dev,
1009                                    "Bad packet size: %d\n", txreq.size);
1010                         xenvif_tx_err(queue, &txreq, extra_count, idx);
1011                         break;
1012                 }

... the short frame may not be dropped by vhost-net/tap/tun.

This fixes CVE-2024-41090 and CVE-2024-41091.
====================

Link: https://patch.msgid.link/20240724170452.16837-1-dongli.zhang@oracle.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Jakub Kicinski 2024-07-25 08:07:06 -07:00
commit af65ea42bd
2 changed files with 8 additions and 0 deletions


@ -1177,6 +1177,11 @@ static int tap_get_user_xdp(struct tap_queue *q, struct xdp_buff *xdp)
struct sk_buff *skb; struct sk_buff *skb;
int err, depth; int err, depth;
if (unlikely(xdp->data_end - xdp->data < ETH_HLEN)) {
err = -EINVAL;
goto err;
}
if (q->flags & IFF_VNET_HDR) if (q->flags & IFF_VNET_HDR)
vnet_hdr_len = READ_ONCE(q->vnet_hdr_sz); vnet_hdr_len = READ_ONCE(q->vnet_hdr_sz);
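Review bot: The new guard in tap_get_user_xdp has no comment saying why ETH_HLEN is the floor, so a reader who sees only `xdp->data_end - xdp->data < ETH_HLEN` cannot tell which later access it protects. I would add above it `/* A frame shorter than ETH_HLEN cannot hold an Ethernet header; reject it before the skb is built. */`, with the wording confirmed against the code after the hunk. Assuming both fields are pointers, the comparison is on a signed difference, so an inverted data/data_end pair is rejected as well. That property is worth preserving if the length is ever moved into an unsigned local. The function body and the `err` label lie outside the hunk, so what the error path does for a dropped frame cannot be checked from here.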


@ -2455,6 +2455,9 @@ static int tun_xdp_one(struct tun_struct *tun,
bool skb_xdp = false; bool skb_xdp = false;
struct page *page; struct page *page;
if (unlikely(datasize < ETH_HLEN))
return -EINVAL;
xdp_prog = rcu_dereference(tun->xdp_prog); xdp_prog = rcu_dereference(tun->xdp_prog);
if (xdp_prog) { if (xdp_prog) {
if (gso->gso_type) { if (gso->gso_type) {
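Review bot: `datasize` is declared outside this hunk, so the check `if (unlikely(datasize < ETH_HLEN))` in tun_xdp_one is only as strong as that variable's type and origin. If it is an unsigned value computed as data_end minus data, a buffer whose end precedes its start would wrap to a large number and pass. The guard added to tap_get_user_xdp in this same commit compares the pointer difference directly and would reject that case. Please confirm the declaration, and consider a comment such as `/* datasize is the frame length without the vnet header; it must cover at least an Ethernet header. */`, adjusted to what the declaration actually shows. The bare `return -EINVAL` also differs from the `goto err` used in the tap path; whether a short frame should be counted as a drop here cannot be judged from the visible lines.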