diff options
| author | Ross Lagerwall <ross.lagerwall@citrix.com> | 2023-08-03 08:41:22 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2023-08-08 19:49:19 +0200 |
| commit | 11e6919ae028b5de1fc48007354ea07069561b31 (patch) | |
| tree | f95441bb2bbd762e55131636d3a854ac4094a43f /arch/x86/kernel/cpu/common.c | |
| parent | b8d22bdfef99923c3727950ae4158ee07ecc8740 (diff) | |
xen/netback: Fix buffer overrun triggered by unusual packet
commit 534fc31d09b706a16d83533e16b5dc855caf7576 upstream.
It is possible that a guest can send a packet that contains a head + 18
slots and yet has a len <= XEN_NETBACK_TX_COPY_LEN. This causes nr_slots
to underflow in xenvif_get_requests() which then causes the subsequent
loop's termination condition to be wrong, causing a buffer overrun of
queue->tx_map_ops.
Rework the code to account for the extra frag_overflow slots.
This is CVE-2023-34319 / XSA-432.
Fixes: ad7f402ae4f4 ("xen/netback: Ensure protocol headers don't fall in the non-linear area")
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Reviewed-by: Paul Durrant <paul@xen.org>
Reviewed-by: Wei Liu <wei.liu@kernel.org>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'arch/x86/kernel/cpu/common.c')
0 files changed, 0 insertions, 0 deletions