Hi, On Wed, Jul 24, 2024 at 05:23:47PM +0000, John Haxby wrote: > Hello, > > We recently have discovered a Denial-of-Service (DoS) attack issue that > a KVM guest VM using virtio-net can crash the Linux host by sending a > short packet (i.e. size < ETH_HLEN). The packet may traverse through > vhost-net, macvtap and vlan without any validation/drop. When this > packet is presented to mlx5 driver on the host side, the host panic > happens, since mlx5_core assumes the frame size is always >= ETH_HLEN. > > Patches have been posted to netdev with the following cover letter. > I'll post the commit IDs when I have them. > > jch > > ~~~ > > Message-Id: <[email protected]> > Date: Wed, 24 Jul 2024 10:04:50 -0700 > From: Dongli Zhang <[email protected]> > To: <[email protected]> > Subject: [PATCH net 0/2] tap/tun: harden by dropping short frame > > This is to harden all of tap/tun to avoid any short frame smaller than the > Ethernet header (ETH_HLEN). > > While the xen-netback already rejects short frame smaller than ETH_HLEN ... > > 914 static void xenvif_tx_build_gops(struct xenvif_queue *queue, > 915 int budget, > 916 unsigned *copy_ops, > 917 unsigned *map_ops) > 918 { > ... ... > 1007 if (unlikely(txreq.size < ETH_HLEN)) { > 1008 netdev_dbg(queue->vif->dev, > 1009 "Bad packet size: %d\n", txreq.size); > 1010 xenvif_tx_err(queue, &txreq, extra_count, idx); > 1011 break; > 1012 } > > ... the short frame may not be dropped by vhost-net/tap/tun. > > This fixes CVE-2024-41090 and CVE-2024-41091.
The respective upstream commits are: CVE-2024-41090: https://git.kernel.org/linus/ed7f2afdd0e043a397677e597ced0830b83ba0b3 CVE-2024-41091: https://git.kernel.org/linus/049584807f1d797fc3078b68035450a9769eb5c3 FWIW, they were as well backported to current stable series: 6.10.2, 6.9.12, 6.6.43, 6.1.102, 5.15.164, 5.10.223 and 5.4.281. Regards, Salvatore
