On Fri, Sep 04, 2020 at 03:30:52PM +0200, Stefan Nuernberger wrote:
> From: Or Cohen <orco...@paloaltonetworks.com>
>
> Using tp_reserve to calculate netoff can overflow as
> tp_reserve is unsigned int and netoff is unsigned short.
>
> This may lead to macoff receving a smaller value then
> sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
> is set, an out-of-bounds write will occur when
> calling virtio_net_hdr_from_skb.
>
> The bug is fixed by converting netoff to unsigned int
> and checking if it exceeds USHRT_MAX.
>
> This addresses CVE-2020-14386
>
> Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
> Signed-off-by: Or Cohen <orco...@paloaltonetworks.com>
> Signed-off-by: Eric Dumazet <eduma...@google.com>
>
> [ snu: backported to 4.9, changed tp_drops counting/locking ]
>
> Signed-off-by: Stefan Nuernberger <s...@amazon.com>
> CC: David Woodhouse <d...@amazon.co.uk>
> CC: Amit Shah <a...@amazon.com>
> CC: sta...@vger.kernel.org
> ---
> net/packet/af_packet.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
What is the git commit id of this patch in Linus's tree?
thanks,
greg k-h
