| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20140328.160940.1707102420095481862.davem@davemloft.net> Date: Fri, 28 Mar 2014 16:09:40 -0400 (EDT) From: David Miller <davem@...emloft.net> To: mst@...hat.com Cc: linux-kernel@...r.kernel.org, kvm@...r.kernel.org, virtio-dev@...ts.oasis-open.org, virtualization@...ts.linux-foundation.org, netdev@...r.kernel.org, jasowang@...hat.com Subject: Re: [PATCHv2 net] vhost: fix total length when packets are too short From: "Michael S. Tsirkin" <mst@...hat.com> Date: Thu, 27 Mar 2014 12:00:26 +0200 > When mergeable buffers are disabled, and the > incoming packet is too large for the rx buffer, > get_rx_bufs returns success. > > This was intentional in order for make recvmsg > truncate the packet and then handle_rx would > detect err != sock_len and drop it. > > Unfortunately we pass the original sock_len to > recvmsg - which means we use parts of iov not fully > validated. > > Fix this up by detecting this overrun and doing packet drop > immediately. > > CVE-2014-0077 > > Signed-off-by: Michael S. Tsirkin <mst@...hat.com> > --- > > Changes from v1: > Fix CVE# in the commit log. > Patch is unchanged. > > Note: this is needed for -stable. Applied and queued up for -stable. > I wonder if this can still make the release. I will try but no promises. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists