lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <20230104200642.4071622-1-bobby.eshleman@bytedance.com>
Date:   Wed,  4 Jan 2023 20:06:41 +0000
From:   Bobby Eshleman <bobby.eshleman@...edance.com>
To:     unlisted-recipients:; (no To-header on input)
Cc:     Bobby Eshleman <bobbyeshleman@...il.com>,
        Bobby Eshleman <bobby.eshleman@...edance.com>,
        Cong Wang <cong.wang@...edance.com>,
        Jiang Wang <jiang.wang@...edance.com>,
        Krasnov Arseniy <oxffffaa@...il.com>,
        syzbot+30b72abaa17c07fe39dd@...kaller.appspotmail.com,
        Stefan Hajnoczi <stefanha@...hat.com>,
        Stefano Garzarella <sgarzare@...hat.com>,
        "Michael S. Tsirkin" <mst@...hat.com>,
        Jason Wang <jasowang@...hat.com>,
        Paolo Abeni <pabeni@...hat.com>, kvm@...r.kernel.org,
        virtualization@...ts.linux-foundation.org, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: [PATCH] vhost/vsock: check length in rx header

Check that the rx packet length indicated by the header does not exceed
the iov length.

Fixes: b68396fad17f ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")
Reported-by: syzbot+30b72abaa17c07fe39dd@...kaller.appspotmail.com
Signed-off-by: Bobby Eshleman <bobby.eshleman@...edance.com>
---
 drivers/vhost/vsock.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c
index 982ca479c659..84dec9ac62c1 100644
--- a/drivers/vhost/vsock.c
+++ b/drivers/vhost/vsock.c
@@ -365,8 +365,9 @@ vhost_vsock_alloc_skb(struct vhost_virtqueue *vq,
 	if (!payload_len)
 		return skb;
 
-	/* The pkt is too big */
-	if (payload_len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE) {
+	/* The pkt is too big or the length in the header is invalid */
+	if (payload_len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE ||
+	    payload_len > len) {
 		kfree_skb(skb);
 		return NULL;
 	}
-- 
2.20.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ