lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 4 Sep 2020 16:16:17 +0200
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     Stefan Nuernberger <snu@...zon.com>
Cc:     orcohen@...oaltonetworks.com, netdev@...r.kernel.org,
        Eric Dumazet <edumazet@...gle.com>,
        David Woodhouse <dwmw@...zon.co.uk>,
        Amit Shah <aams@...zon.com>, stable@...r.kernel.org
Subject: Re: [PATCH] net/packet: fix overflow in tpacket_rcv

On Fri, Sep 04, 2020 at 03:30:52PM +0200, Stefan Nuernberger wrote:
> From: Or Cohen <orcohen@...oaltonetworks.com>
> 
> Using tp_reserve to calculate netoff can overflow as
> tp_reserve is unsigned int and netoff is unsigned short.
> 
> This may lead to macoff receving a smaller value then
> sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
> is set, an out-of-bounds write will occur when
> calling virtio_net_hdr_from_skb.
> 
> The bug is fixed by converting netoff to unsigned int
> and checking if it exceeds USHRT_MAX.
> 
> This addresses CVE-2020-14386
> 
> Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
> Signed-off-by: Or Cohen <orcohen@...oaltonetworks.com>
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> 
> [ snu: backported to 4.9, changed tp_drops counting/locking ]
> 
> Signed-off-by: Stefan Nuernberger <snu@...zon.com>
> CC: David Woodhouse <dwmw@...zon.co.uk>
> CC: Amit Shah <aams@...zon.com>
> CC: stable@...r.kernel.org
> ---
>  net/packet/af_packet.c | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)

What is the git commit id of this patch in Linus's tree?

thanks,

greg k-h

Powered by blists - more mailing lists