Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Apply patch for CVE-2020-14386 #1108

Merged
merged 2 commits into from
Sep 3, 2020
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion Release.toml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
version = "1.0.0"
version = "1.0.1"

[migrations]
"(0.3.1, 0.3.2)" = ["migrate_v0.3.2_admin-container-v0-5-0.lz4"]
Expand All @@ -8,3 +8,4 @@ version = "1.0.0"
"(0.4.0, 0.4.1)" = ["migrate_v0.4.1_add-version-lock-ignore-waves.lz4", "migrate_v0.4.1_pivot-repo-2020-07-07.lz4"]
"(0.4.1, 0.5.0)" = ["migrate_v0.5.0_add-cluster-domain.lz4", "migrate_v0.5.0_admin-container-v0-5-2.lz4", "migrate_v0.5.0_control-container-v0-4-1.lz4"]
"(0.5.0, 1.0.0)" = ["migrate_v1.0.0_ecr-helper-admin.lz4", "migrate_v1.0.0_ecr-helper-control.lz4"]
"(1.0.0, 1.0.1)" = []
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
From b85e7195a25319afb421a6a3ee2065fc8d225a8b Mon Sep 17 00:00:00 2001
From a5f6b26082e0022d3c3e70e0718e4787939778d8 Mon Sep 17 00:00:00 2001
From: iliana destroyer of worlds <[email protected]>
Date: Tue, 30 Jul 2019 12:59:09 -0700
Subject: [PATCH] lustrefsx: Disable -Werror=stringop-overflow=
Subject: [PATCH 1/2] lustrefsx: Disable -Werror=stringop-overflow=

Signed-off-by: iliana destroyer of worlds <[email protected]>
---
Expand Down
47 changes: 47 additions & 0 deletions packages/kernel/0002-net-packet-fix-overflow-in-tpacket_rcv.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
From eea7a6a08ef3acf437c6ce8a28694c3659542569 Mon Sep 17 00:00:00 2001
From: Or Cohen <[email protected]>
Date: Sun, 30 Aug 2020 20:04:51 +0300
Subject: [PATCH 2/2] net/packet: fix overflow in tpacket_rcv

Using tp_reserve to calculate netoff can overflow as
tp_reserve is unsigned int and netoff is unsigned short.

This may lead to macoff receving a smaller value then
sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
is set, an out-of-bounds write will occur when
calling virtio_net_hdr_from_skb.

The bug is fixed by converting netoff to unsigned int
and checking if it exceeds USHRT_MAX.

Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
Signed-off-by: Or Cohen <[email protected]>
---
net/packet/af_packet.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 1d63ab3a878a..56084a16d0f9 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2167,7 +2167,8 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
int skb_len = skb->len;
unsigned int snaplen, res;
unsigned long status = TP_STATUS_USER;
- unsigned short macoff, netoff, hdrlen;
+ unsigned short macoff, hdrlen;
+ unsigned int netoff;
struct sk_buff *copy_skb = NULL;
struct timespec ts;
__u32 ts_status;
@@ -2236,6 +2237,10 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
}
macoff = netoff - maclen;
}
+ if (netoff > USHRT_MAX) {
+ atomic_inc(&po->tp_drops);
+ goto drop_n_restore;
+ }
if (po->tp_version <= TPACKET_V2) {
if (macoff + snaplen > po->rx_ring.frame_size) {
if (po->copy_thresh &&
1 change: 1 addition & 0 deletions packages/kernel/kernel.spec
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ URL: https://www.kernel.org/
Source0: https://cdn.amazonlinux.com/blobstore/9e3beaecef0b030d83fb215be7ca67c01009cfec52fe9b12eb4b24fdb46eebce/kernel-5.4.50-25.83.amzn2.src.rpm
Source100: config-bottlerocket
Patch0001: 0001-lustrefsx-Disable-Werror-stringop-overflow.patch
Patch0002: 0002-net-packet-fix-overflow-in-tpacket_rcv.patch
BuildRequires: bc
BuildRequires: elfutils-devel
BuildRequires: hostname
Expand Down