CVE-2014-0077 vhost-net: insufficent big packet handling in handle_rx (rhbz 1064440 1081504)

kernel.spec

@@ -648,6 +648,10 @@ Patch25049: core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-err
 #CVE-2014-0055 rhbz 1062577 1081503
 Patch25050: net-vhost-validate-vhost_get_vq_desc-return-value.patch
 
+#CVE-2014-0077 rhbz 1064440 1081504
+Patch25051: net-vhost-fix-total-length-when-packets-are-too-short.patch
+
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1301,6 +1305,9 @@ ApplyPatch core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-erro
 #CVE-2014-0055 rhbz 1062577 1081503
 ApplyPatch net-vhost-validate-vhost_get_vq_desc-return-value.patch
 
+#CVE-2014-0077 rhbz 1064440 1081504
+ApplyPatch net-vhost-fix-total-length-when-packets-are-too-short.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2081,6 +2088,7 @@ fi
 #                                    ||     ||
 %changelog
 * Fri Mar 28 2014 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2014-0077 vhost-net: insufficent big packet handling in handle_rx (rhbz 1064440 1081504)
 - CVE-2014-0055 vhost-net: insufficent error handling in get_rx_bufs (rhbz 1062577 1081503)
 - CVE-2014-2568 net: potential info leak when ubuf backed skbs are zero copied (rhbz 1079012 1079013)
 

net-vhost-fix-total-length-when-packets-are-too-short.patch

@@ -0,0 +1,80 @@
+Bugzilla: 1081504
+Upstream-status: Sent to netdev list
+
+From patchwork Thu Mar 27 10:00:26 2014
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [PATCHv2,net] vhost: fix total length when packets are too short
+From: "Michael S. Tsirkin" <mst@redhat.com>
+X-Patchwork-Id: 334283
+Message-Id: <20140327100026.GA30715@redhat.com>
+To: linux-kernel@vger.kernel.org
+Cc: kvm@vger.kernel.org, virtio-dev@lists.oasis-open.org,
+ virtualization@lists.linux-foundation.org, netdev@vger.kernel.org,
+ Jason Wang <jasowang@redhat.com>, David Miller <davem@davemloft.net>
+Date: Thu, 27 Mar 2014 12:00:26 +0200
+
+When mergeable buffers are disabled, and the
+incoming packet is too large for the rx buffer,
+get_rx_bufs returns success.
+
+This was intentional in order for make recvmsg
+truncate the packet and then handle_rx would
+detect err != sock_len and drop it.
+
+Unfortunately we pass the original sock_len to
+recvmsg - which means we use parts of iov not fully
+validated.
+
+Fix this up by detecting this overrun and doing packet drop
+immediately.
+
+CVE-2014-0077
+
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+---
+Changes from v1:
+	Fix CVE# in the commit log.
+	Patch is unchanged.
+
+Note: this is needed for -stable.
+
+I wonder if this can still make the release.
+
+ drivers/vhost/net.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
+index a0fa5de..026be58 100644
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -532,6 +532,12 @@ static int get_rx_bufs(struct vhost_virtqueue *vq,
+ 	*iovcount = seg;
+ 	if (unlikely(log))
+ 		*log_num = nlogs;
++
++	/* Detect overrun */
++	if (unlikely(datalen > 0)) {
++		r = UIO_MAXIOV + 1;
++		goto err;
++	}
+ 	return headcount;
+ err:
+ 	vhost_discard_vq_desc(vq, headcount);
+@@ -587,6 +593,14 @@ static void handle_rx(struct vhost_net *net)
+ 		/* On error, stop handling until the next kick. */
+ 		if (unlikely(headcount < 0))
+ 			break;
++		/* On overrun, truncate and discard */
++		if (unlikely(headcount > UIO_MAXIOV)) {
++			msg.msg_iovlen = 1;
++			err = sock->ops->recvmsg(NULL, sock, &msg,
++						 1, MSG_DONTWAIT | MSG_TRUNC);
++			pr_debug("Discarded rx packet: len %zd\n", sock_len);
++			continue;
++		}
+ 		/* OK, now we need to know about added descriptors. */
+ 		if (!headcount) {
+ 			if (unlikely(vhost_enable_notify(&net->dev, vq))) {