OpenCloudOS-Kernel/drivers/net/xen-netback
Ross Lagerwall 534fc31d09 xen/netback: Fix buffer overrun triggered by unusual packet
It is possible that a guest can send a packet that contains a head + 18
slots and yet has a len <= XEN_NETBACK_TX_COPY_LEN. This causes nr_slots
to underflow in xenvif_get_requests() which then causes the subsequent
loop's termination condition to be wrong, causing a buffer overrun of
queue->tx_map_ops.

Rework the code to account for the extra frag_overflow slots.

This is CVE-2023-34319 / XSA-432.

Fixes: ad7f402ae4 ("xen/netback: Ensure protocol headers don't fall in the non-linear area")
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Reviewed-by: Paul Durrant <paul@xen.org>
Reviewed-by: Wei Liu <wei.liu@kernel.org>
Signed-off-by: Juergen Gross <jgross@suse.com>
2023-08-03 09:04:08 +02:00
..
Makefile treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
common.h xen/netback: don't do grant copy across page boundary 2023-03-28 14:16:40 +02:00
hash.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
interface.c xen/netback: don't call kfree_skb() with interrupts disabled 2022-12-06 16:00:33 +01:00
netback.c xen/netback: Fix buffer overrun triggered by unusual packet 2023-08-03 09:04:08 +02:00
rx.c xen/netback: don't call kfree_skb() with interrupts disabled 2022-12-06 16:00:33 +01:00
xenbus.c driver core: make struct bus_type.uevent() take a const * 2023-01-27 13:45:52 +01:00