author | Andrea Parri (Microsoft) <parri.andrea@gmail.com> | 2021-01-14 21:26:28 +0100 |
---|---|---|
committer | Jakub Kicinski <kuba@kernel.org> | 2021-01-18 19:47:47 -0800 |
commit | 505e3f00c3f3648cb6260deb35e87fae1f64f5d8 (patch) | |
tree | 7dd0f2939b234775da7bc5973fc633ba6a6ae757 /drivers/net/hyperv/netvsc_bpf.c | |
parent | a98c0c47420412ef94d6f45f9ae607258929aa10 (diff) |
hv_netvsc: Add (more) validation for untrusted Hyper-V values

For additional robustness in the face of Hyper-V errors or malicious
behavior, validate all values that originate from packets that Hyper-V
has sent to the guest. Ensure that invalid values cannot cause indexing
off the end of an array, or subvert an existing validation via integer
overflow. Ensure that outgoing packets do not have any leftover guest
memory that has not been zeroed out.

Reported-by: Juan Vazquez <juvazq@microsoft.com>
Signed-off-by: Andrea Parri (Microsoft) <parri.andrea@gmail.com>
Link: https://lore.kernel.org/r/20210114202628.119541-1-parri.andrea@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'drivers/net/hyperv/netvsc_bpf.c')
-rw-r--r-- | drivers/net/hyperv/netvsc_bpf.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/net/hyperv/netvsc_bpf.c b/drivers/net/hyperv/netvsc_bpf.c index d60dcf6c9829e..aa877da113f8e 100644 --- a/drivers/net/hyperv/netvsc_bpf.c +++ b/drivers/net/hyperv/netvsc_bpf.c @@ -37,6 +37,12 @@ u32 netvsc_run_xdp(struct net_device *ndev, struct netvsc_channel *nvchan, if (!prog) goto out; + /* Ensure that the below memcpy() won't overflow the page buffer. */ + if (len > ndev->mtu + ETH_HLEN) { + act = XDP_DROP; + goto out; + } + /* allocate page buffer for data */ page = alloc_page(GFP_ATOMIC); if (!page) { |
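Review bot: The new bound in netvsc_run_xdp(), `if (len > ndev->mtu + ETH_HLEN)`, is expressed in MTU terms, while the comment above it says the goal is to keep the later memcpy() inside the single page obtained from alloc_page(GFP_ATOMIC). The check is only sufficient if mtu + ETH_HLEN, together with any headroom reserved in front of the data, always fits in one page, and nothing in this hunk shows that invariant. Either compare len against the page-derived limit directly, or extend the comment to name where the MTU is constrained while an XDP program is attached. The out-of-range host-supplied length is also dropped silently with `act = XDP_DROP`; a rate-limited message or a drop counter on this path would make a misbehaving host visible to the guest administrator.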