virtio-net: CVE-2015-5156

Fixes a buffer overflow flaw in the Linux kernel's virtio-net subsystem.

Upstream patch:
http://marc.info/?l=linux-netdev&m=143868216724068&w=2

References:
http://www.openwall.com/lists/oss-security/2015/08/06/1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5156

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Paul Vaduva <Paul.Vaduva@enea.com>

4 files changed, 98 insertions, 0 deletions

diff --git a/recipes-kernel/linux/linux-qoriq-3.12/virtio-net-CVE-2015-5156.patch b/recipes-kernel/linux/linux-qoriq-3.12/virtio-net-CVE-2015-5156.patch
new file mode 100644
index 0000000..f74bd9a
--- /dev/null
+++ b/recipes-kernel/linux/linux-qoriq-3.12/virtio-net-CVE-2015-5156.patch
@@ -0,0 +1,48 @@
+From 7c11e86ec40e52468fe65acf89c6da7a6d833a44 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 5 Aug 2015 10:34:04 +0800
+Subject: virtio-net: drop NETIF_F_FRAGLIST
+
+[ Upstream commit 48900cb6af4282fa0fb6ff4d72a81aa3dadb5c39 ]
+
+virtio declares support for NETIF_F_FRAGLIST, but assumes
+that there are at most MAX_SKB_FRAGS + 2 fragments which isn't
+always true with a fraglist.
+
+A longer fraglist in the skb will make the call to skb_to_sgvec overflow
+the sg array, leading to memory corruption.
+
+Drop NETIF_F_FRAGLIST so we only get what we can handle.
+
+Fixes CVE-2015-5156.
+Upstream-Status: Backport
+
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/net/virtio_net.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 0232156..5d08051 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -1567,9 +1567,9 @@ static int virtnet_probe(struct virtio_device *vdev)
+        /* Do we support "hardware" checksums? */
+        if (virtio_has_feature(vdev, VIRTIO_NET_F_CSUM)) {
+                /* This opens up the world of extra features. */
+-               dev->hw_features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST;
++               dev->hw_features |= NETIF_F_HW_CSUM | NETIF_F_SG;
+                if (csum)
+-                       dev->features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST;
++                       dev->features |= NETIF_F_HW_CSUM | NETIF_F_SG;
+ 
+                if (virtio_has_feature(vdev, VIRTIO_NET_F_GSO)) {
+                        dev->hw_features |= NETIF_F_TSO | NETIF_F_UFO
+-- 
+cgit v0.12
+
diff --git a/recipes-kernel/linux/linux-qoriq-common.inc b/recipes-kernel/linux/linux-qoriq-common.inc
index 4b3d483..3abe78d 100644
--- a/recipes-kernel/linux/linux-qoriq-common.inc
+++ b/recipes-kernel/linux/linux-qoriq-common.inc
@@ -18,6 +18,7 @@ SRC_URI += "file://b4860-hard_irq_disable-bug.patch \
     file://security-keys-CVE-2016-0728.patch \
     file://vfs-CVE-2015-2925.patch \
     file://dcache-CVE-2015-2925.patch \
+    file://virtio-net-CVE-2015-5156.patch \
     "
 
 SRC_URI += "file://cfg/00013-localversion.cfg \
diff --git a/recipes-kernel/linux/linux-yocto-3.14/virtio-net-CVE-2015-5156.patch b/recipes-kernel/linux/linux-yocto-3.14/virtio-net-CVE-2015-5156.patch
new file mode 100644
index 0000000..1c68842
--- /dev/null
+++ b/recipes-kernel/linux/linux-yocto-3.14/virtio-net-CVE-2015-5156.patch
@@ -0,0 +1,48 @@
+From 6d419a0b5bcdfe5b2cc8821d11b102dba01b28f6 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 5 Aug 2015 10:34:04 +0800
+Subject: virtio-net: drop NETIF_F_FRAGLIST
+
+[ Upstream commit 48900cb6af4282fa0fb6ff4d72a81aa3dadb5c39 ]
+
+virtio declares support for NETIF_F_FRAGLIST, but assumes
+that there are at most MAX_SKB_FRAGS + 2 fragments which isn't
+always true with a fraglist.
+
+A longer fraglist in the skb will make the call to skb_to_sgvec overflow
+the sg array, leading to memory corruption.
+
+Drop NETIF_F_FRAGLIST so we only get what we can handle.
+
+Fixes CVE-2015-5156.
+Upstream-Status: Backport
+
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/net/virtio_net.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 841b608..5c150a0 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -1652,9 +1652,9 @@ static int virtnet_probe(struct virtio_device *vdev)
+        /* Do we support "hardware" checksums? */
+        if (virtio_has_feature(vdev, VIRTIO_NET_F_CSUM)) {
+                /* This opens up the world of extra features. */
+-               dev->hw_features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST;
++               dev->hw_features |= NETIF_F_HW_CSUM | NETIF_F_SG;
+                if (csum)
+-                       dev->features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST;
++                       dev->features |= NETIF_F_HW_CSUM | NETIF_F_SG;
+ 
+                if (virtio_has_feature(vdev, VIRTIO_NET_F_GSO)) {
+                        dev->hw_features |= NETIF_F_TSO | NETIF_F_UFO
+-- 
+cgit v0.12
+
diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend
index fab7fc4..2f32b56 100644
--- a/recipes-kernel/linux/linux-yocto_3.14.bbappend
+++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -23,4 +23,5 @@ SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-d
             file://usb-whiteheat-CVE-2015-5257.patch \
             file://vfs-CVE-2015-2925.patch \
             file://dcache-CVE-2015-2925.patch \
+            file://virtio-net-CVE-2015-5156.patch \
            "