From febcbabc2e4d859a3caf7808ceda68c956da652f Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Thu, 28 Jan 2016 14:32:11 +0100 Subject: virtio-net: CVE-2015-5156 Fixes a buffer overflow flaw in the Linux kernel's virtio-net subsystem. Reference to the upstream patch: http://marc.info/?l=linux-netdev&m=143868216724068&w=2 Other external references: http://www.openwall.com/lists/oss-security/2015/08/06/1 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5156 Signed-off-by: Sona Sarmadi Signed-off-by: Paul Vaduva
---
 .../virtio-net-CVE-2015-5156.patch | 48 ++++++++++++++++++++++
 .../virtio-net-CVE-2015-5156.patch | 48 ++++++++++++++++++++++
 recipes-kernel/linux/linux-hierofalcon_3.19.bb | 1 +
 recipes-kernel/linux/linux-hierofalcon_4.1.bb | 1 +
 4 files changed, 98 insertions(+)
 create mode 100644 recipes-kernel/linux/linux-hierofalcon-3.19/virtio-net-CVE-2015-5156.patch
 create mode 100644 recipes-kernel/linux/linux-hierofalcon-4.1/virtio-net-CVE-2015-5156.patch
diff --git a/recipes-kernel/linux/linux-hierofalcon-3.19/virtio-net-CVE-2015-5156.patch b/recipes-kernel/linux/linux-hierofalcon-3.19/virtio-net-CVE-2015-5156.patch
new file mode 100644
index 0000000..2c6c7d1
--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon-3.19/virtio-net-CVE-2015-5156.patch
@@ -0,0 +1,48 @@
+From feeb0406f75ae3488ff6573903533000125b2faf Mon Sep 17 00:00:00 2001
+From: Jason Wang
+Date: Wed, 5 Aug 2015 10:34:04 +0800
+Subject: virtio-net: drop NETIF_F_FRAGLIST
+
+[ Upstream commit 48900cb6af4282fa0fb6ff4d72a81aa3dadb5c39 ]
+
+virtio declares support for NETIF_F_FRAGLIST, but assumes
+that there are at most MAX_SKB_FRAGS + 2 fragments which isn't
+always true with a fraglist.
+
+A longer fraglist in the skb will make the call to skb_to_sgvec overflow
+the sg array, leading to memory corruption.
+
+Drop NETIF_F_FRAGLIST so we only get what we can handle.
+
+Fixes CVE-2015-5156.
+Upstream-Status: Backport
+
+Cc: Michael S. Tsirkin
+Signed-off-by: Jason Wang
+Acked-by: Michael S. Tsirkin
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Sona Sarmadi
+---
+ drivers/net/virtio_net.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 484ecce..ce2a299 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -1746,9 +1746,9 @@ static int virtnet_probe(struct virtio_device *vdev)
+ /* Do we support "hardware" checksums? */
+ if (virtio_has_feature(vdev, VIRTIO_NET_F_CSUM)) {
+ /* This opens up the world of extra features. */
+- dev->hw_features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST;
++ dev->hw_features |= NETIF_F_HW_CSUM | NETIF_F_SG;
+ if (csum)
+- dev->features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST;
++ dev->features |= NETIF_F_HW_CSUM | NETIF_F_SG;
+
+ if (virtio_has_feature(vdev, VIRTIO_NET_F_GSO)) {
+ dev->hw_features |= NETIF_F_TSO
+--
+cgit v0.12
+
diff --git a/recipes-kernel/linux/linux-hierofalcon-4.1/virtio-net-CVE-2015-5156.patch b/recipes-kernel/linux/linux-hierofalcon-4.1/virtio-net-CVE-2015-5156.patch
new file mode 100644
index 0000000..772de2e
--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon-4.1/virtio-net-CVE-2015-5156.patch
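Review bot: Nothing at the changed site in virtnet_probe() records why NETIF_F_FRAGLIST is left out of `dev->hw_features` and `dev->features`, so a later rebase or feature clean-up could restore the flag and bring back the sg-array overflow described in the patch header. If carrying a small delta against upstream is acceptable, add a comment above the `hw_features` assignment such as `/* No NETIF_F_FRAGLIST: the sg array holds at most MAX_SKB_FRAGS + 2 entries (CVE-2015-5156). */`. The fix works only by no longer advertising the feature; the `skb_to_sgvec` call and the rest of virtnet_probe() lie outside this hunk, so whether any feature mask set later in the function still carries the flag cannot be checked from here. The same point applies to the identical patch added under linux-hierofalcon-4.1.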
@@ -0,0 +1,48 @@
+From 152964690b41b91049d00eb8aea1d25880cd13f0 Mon Sep 17 00:00:00 2001
+From: Jason Wang
+Date: Wed, 5 Aug 2015 10:34:04 +0800
+Subject: virtio-net: drop NETIF_F_FRAGLIST
+
+[ Upstream commit 48900cb6af4282fa0fb6ff4d72a81aa3dadb5c39 ]
+
+virtio declares support for NETIF_F_FRAGLIST, but assumes
+that there are at most MAX_SKB_FRAGS + 2 fragments which isn't
+always true with a fraglist.
+
+A longer fraglist in the skb will make the call to skb_to_sgvec overflow
+the sg array, leading to memory corruption.
+
+Drop NETIF_F_FRAGLIST so we only get what we can handle.
+
+Fixes CVE-2015-5156.
+Upstream-Status: Backport
+
+Cc: Michael S. Tsirkin
+Signed-off-by: Jason Wang
+Acked-by: Michael S. Tsirkin
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sona Sarmadi
+---
+ drivers/net/virtio_net.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 7fbca37..237f8e5 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -1756,9 +1756,9 @@ static int virtnet_probe(struct virtio_device *vdev)
+ /* Do we support "hardware" checksums? */
+ if (virtio_has_feature(vdev, VIRTIO_NET_F_CSUM)) {
+ /* This opens up the world of extra features. */
+- dev->hw_features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST;
++ dev->hw_features |= NETIF_F_HW_CSUM | NETIF_F_SG;
+ if (csum)
+- dev->features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST;
++ dev->features |= NETIF_F_HW_CSUM | NETIF_F_SG;
+
+ if (virtio_has_feature(vdev, VIRTIO_NET_F_GSO)) {
+ dev->hw_features |= NETIF_F_TSO | NETIF_F_UFO
+--
+cgit v0.12
+
diff --git a/recipes-kernel/linux/linux-hierofalcon_3.19.bb b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
index 7f4720a..eceb03c 100644
--- a/recipes-kernel/linux/linux-hierofalcon_3.19.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
@@ -31,6 +31,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.19;branch="standard/qemuarm6
 file://security-keys-CVE-2016-0728.patch \
 file://vfs-CVE-2015-2925.patch \
 file://dcache-CVE-2015-2925.patch \
+ file://virtio-net-CVE-2015-5156.patch \
 "
 S = "${WORKDIR}/git"
diff --git a/recipes-kernel/linux/linux-hierofalcon_4.1.bb b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
index 4fafe34..c67b8a6 100644
--- a/recipes-kernel/linux/linux-hierofalcon_4.1.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
@@ -30,6 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.1;branch="standard/qemuarm64
 file://security-keys-CVE-2016-0728.patch \
 file://vfs-CVE-2015-2925.patch \
 file://dcache-CVE-2015-2925.patch \
+ file://virtio-net-CVE-2015-5156.patch \
 "
 S = "${WORKDIR}/git"
--
cgit v1.2.3-54-g00ecf