From f5798feb9e960f2e05b49d9dceda71ae227e1a22 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Thu, 28 Jan 2016 11:19:36 +0100
Subject: virtio-net: CVE-2015-5156 Fixes a buffer overflow flaw in the Linux kernel's virtio-net subsystem. Upstream patch: http://marc.info/?l=linux-netdev&m=143868216724068&w=2 References: http://www.openwall.com/lists/oss-security/2015/08/06/1 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5156
Signed-off-by: Sona Sarmadi
Signed-off-by: Paul Vaduva
---
 .../virtio-net-CVE-2015-5156.patch | 48 ++++++++++++++++++++++
 recipes-kernel/linux/linux-qoriq-common.inc | 1 +
 .../virtio-net-CVE-2015-5156.patch | 48 ++++++++++++++++++++++
 recipes-kernel/linux/linux-yocto_3.14.bbappend | 1 +
 4 files changed, 98 insertions(+)
 create mode 100644 recipes-kernel/linux/linux-qoriq-3.12/virtio-net-CVE-2015-5156.patch
 create mode 100644 recipes-kernel/linux/linux-yocto-3.14/virtio-net-CVE-2015-5156.patch
diff --git a/recipes-kernel/linux/linux-qoriq-3.12/virtio-net-CVE-2015-5156.patch b/recipes-kernel/linux/linux-qoriq-3.12/virtio-net-CVE-2015-5156.patch
new file mode 100644
index 0000000..f74bd9a
--- /dev/null
+++ b/recipes-kernel/linux/linux-qoriq-3.12/virtio-net-CVE-2015-5156.patch
@@ -0,0 +1,48 @@
+From 7c11e86ec40e52468fe65acf89c6da7a6d833a44 Mon Sep 17 00:00:00 2001
+From: Jason Wang
+Date: Wed, 5 Aug 2015 10:34:04 +0800
+Subject: virtio-net: drop NETIF_F_FRAGLIST
+
+[ Upstream commit 48900cb6af4282fa0fb6ff4d72a81aa3dadb5c39 ]
+
+virtio declares support for NETIF_F_FRAGLIST, but assumes
+that there are at most MAX_SKB_FRAGS + 2 fragments which isn't
+always true with a fraglist.
+
+A longer fraglist in the skb will make the call to skb_to_sgvec overflow
+the sg array, leading to memory corruption.
+
+Drop NETIF_F_FRAGLIST so we only get what we can handle.
+
+Fixes CVE-2015-5156.
+Upstream-Status: Backport
+
+Cc: Michael S. Tsirkin
+Signed-off-by: Jason Wang
+Acked-by: Michael S. Tsirkin
+Signed-off-by: David S. Miller
+Signed-off-by: Jiri Slaby
+Signed-off-by: Sona Sarmadi
+---
+ drivers/net/virtio_net.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 0232156..5d08051 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -1567,9 +1567,9 @@ static int virtnet_probe(struct virtio_device *vdev)
+ /* Do we support "hardware" checksums? */
+ if (virtio_has_feature(vdev, VIRTIO_NET_F_CSUM)) {
+ /* This opens up the world of extra features. */
+- dev->hw_features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST;
++ dev->hw_features |= NETIF_F_HW_CSUM | NETIF_F_SG;
+ if (csum)
+- dev->features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST;
++ dev->features |= NETIF_F_HW_CSUM | NETIF_F_SG;
+
+ if (virtio_has_feature(vdev, VIRTIO_NET_F_GSO)) {
+ dev->hw_features |= NETIF_F_TSO | NETIF_F_UFO
+--
+cgit v0.12
+
diff --git a/recipes-kernel/linux/linux-qoriq-common.inc b/recipes-kernel/linux/linux-qoriq-common.inc
index 4b3d483..3abe78d 100644
--- a/recipes-kernel/linux/linux-qoriq-common.inc
+++ b/recipes-kernel/linux/linux-qoriq-common.inc
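Review bot: The two rewritten assignments in the virtnet_probe hunk carried by linux-qoriq-3.12/virtio-net-CVE-2015-5156.patch leave no trace in the code of why NETIF_F_FRAGLIST is absent; the reason exists only in the patch header. Because the commit message says the driver assumes at most MAX_SKB_FRAGS + 2 fragments, I would record that beside the first assignment, e.g. `/* NETIF_F_FRAGLIST deliberately not advertised: sg array holds at most MAX_SKB_FRAGS + 2 entries (CVE-2015-5156) */`, so the flag is not reinstated in a later rebase. The fix works by no longer advertising the feature, and the transmit path that calls skb_to_sgvec is outside this hunk, so whether it also bounds the entry count cannot be confirmed from here and is worth checking on both kernel trees. The identical hunk in linux-yocto-3.14/virtio-net-CVE-2015-5156.patch has the same gap, and virtnet_probe's body starts and ends outside the hunk.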
@@ -18,6 +18,7 @@ SRC_URI += "file://b4860-hard_irq_disable-bug.patch \
 file://security-keys-CVE-2016-0728.patch \
 file://vfs-CVE-2015-2925.patch \
 file://dcache-CVE-2015-2925.patch \
+ file://virtio-net-CVE-2015-5156.patch \
 "

 SRC_URI += "file://cfg/00013-localversion.cfg \
diff --git a/recipes-kernel/linux/linux-yocto-3.14/virtio-net-CVE-2015-5156.patch b/recipes-kernel/linux/linux-yocto-3.14/virtio-net-CVE-2015-5156.patch
new file mode 100644
index 0000000..1c68842
--- /dev/null
+++ b/recipes-kernel/linux/linux-yocto-3.14/virtio-net-CVE-2015-5156.patch
@@ -0,0 +1,48 @@
+From 6d419a0b5bcdfe5b2cc8821d11b102dba01b28f6 Mon Sep 17 00:00:00 2001
+From: Jason Wang
+Date: Wed, 5 Aug 2015 10:34:04 +0800
+Subject: virtio-net: drop NETIF_F_FRAGLIST
+
+[ Upstream commit 48900cb6af4282fa0fb6ff4d72a81aa3dadb5c39 ]
+
+virtio declares support for NETIF_F_FRAGLIST, but assumes
+that there are at most MAX_SKB_FRAGS + 2 fragments which isn't
+always true with a fraglist.
+
+A longer fraglist in the skb will make the call to skb_to_sgvec overflow
+the sg array, leading to memory corruption.
+
+Drop NETIF_F_FRAGLIST so we only get what we can handle.
+
+Fixes CVE-2015-5156.
+Upstream-Status: Backport
+
+Cc: Michael S. Tsirkin
+Signed-off-by: Jason Wang
+Acked-by: Michael S. Tsirkin
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sona Sarmadi
+---
+ drivers/net/virtio_net.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 841b608..5c150a0 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -1652,9 +1652,9 @@ static int virtnet_probe(struct virtio_device *vdev)
+ /* Do we support "hardware" checksums? */
+ if (virtio_has_feature(vdev, VIRTIO_NET_F_CSUM)) {
+ /* This opens up the world of extra features. */
+- dev->hw_features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST;
++ dev->hw_features |= NETIF_F_HW_CSUM | NETIF_F_SG;
+ if (csum)
+- dev->features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST;
++ dev->features |= NETIF_F_HW_CSUM | NETIF_F_SG;
+
+ if (virtio_has_feature(vdev, VIRTIO_NET_F_GSO)) {
+ dev->hw_features |= NETIF_F_TSO | NETIF_F_UFO
+--
+cgit v0.12
+
diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend
index fab7fc4..2f32b56 100644
--- a/recipes-kernel/linux/linux-yocto_3.14.bbappend
+++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -23,4 +23,5 @@ SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-d
 file://usb-whiteheat-CVE-2015-5257.patch \
 file://vfs-CVE-2015-2925.patch \
 file://dcache-CVE-2015-2925.patch \
+ file://virtio-net-CVE-2015-5156.patch \
 "
--
cgit v1.2.3-54-g00ecf