diff options
| author | Dongli Zhang <dongli.zhang@oracle.com> | 2024-07-24 19:04:52 +0200 |
|---|---|---|
| committer | Jakub Kicinski <kuba@kernel.org> | 2024-07-25 17:07:05 +0200 |
| commit | 049584807f1d797fc3078b68035450a9769eb5c3 (patch) | |
| tree | 0e2b808ca37e42419f7ef7ed1ca78e61a21fef9c /MAINTAINERS | |
| parent | tap: add missing verification for short frame (diff) | |
| download | linux-049584807f1d797fc3078b68035450a9769eb5c3.tar.xz linux-049584807f1d797fc3078b68035450a9769eb5c3.zip | |
tun: add missing verification for short frame
The cited commit missed to check against the validity of the frame length
in the tun_xdp_one() path, which could cause a corrupted skb to be sent
downstack. Even before the skb is transmitted, the
tun_xdp_one-->eth_type_trans() may access the Ethernet header although it
can be less than ETH_HLEN. Once transmitted, this could either cause
out-of-bound access beyond the actual length, or confuse the underlayer
with incorrect or inconsistent header length in the skb metadata.
In the alternative path, tun_get_user() already prohibits short frame which
has the length less than Ethernet header size from being transmitted for
IFF_TAP.
This is to drop any frame shorter than the Ethernet header size just like
how tun_get_user() does.
CVE: CVE-2024-41091
Inspired-by: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@oracle.com/
Fixes: 043d222f93ab ("tuntap: accept an array of XDP buffs through sendmsg()")
Cc: stable@vger.kernel.org
Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
Reviewed-by: Si-Wei Liu <si-wei.liu@oracle.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Link: https://patch.msgid.link/20240724170452.16837-3-dongli.zhang@oracle.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'MAINTAINERS')
0 files changed, 0 insertions, 0 deletions