author | Justin M. Forbes <jforbes@redhat.com> | 2012-04-19 16:03:21 -0500 |
---|---|---|
committer | Justin M. Forbes <jforbes@redhat.com> | 2012-04-19 16:03:21 -0500 |
commit | 1174973de19bbac7f7d9a035f7dd7aeb07f75af4 (patch) | |
tree | 94ea39c75bfeb59db83de0d8dcbbdbad95429d7d /macvtap-zerocopy-validate-vector-length.patch | |
parent | 7d3a78564ab43271375c063fe37bd9bdd0296d37 (diff) | |
Linux v3.4-rc3-65-g9b7f43a
Diffstat (limited to 'macvtap-zerocopy-validate-vector-length.patch')
-rw-r--r-- | macvtap-zerocopy-validate-vector-length.patch | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/macvtap-zerocopy-validate-vector-length.patch b/macvtap-zerocopy-validate-vector-length.patch
new file mode 100644
index 000000000..3ac31e4b6
--- /dev/null
+++ b/macvtap-zerocopy-validate-vector-length.patch
@@ -0,0 +1,25 @@
+Currently we do not validate the vector length before calling
+get_user_pages_fast(), host stack would be easily overflowed by
+malicious guest driver who give us a descriptor with length greater
+than MAX_SKB_FRAGS. Solve this problem by checking the free entries
+before trying to pin user pages.
+
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ drivers/net/macvtap.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
+index 7cb2684..d197a78 100644
+--- a/drivers/net/macvtap.c
++++ b/drivers/net/macvtap.c
+@@ -527,6 +527,8 @@ static int zerocopy_sg_from_iovec(struct sk_buff *skb, const struct iovec *from,
+ }
+ base = (unsigned long)from->iov_base + offset1;
+ size = ((base & ~PAGE_MASK) + len + ~PAGE_MASK) >> PAGE_SHIFT;
++ if (i + size >= MAX_SKB_FRAGS)
++ return -EFAULT;
+ num_pages = get_user_pages_fast(base, size, 0, &page[i]);
+ if ((num_pages != size) ||
+ (num_pages > MAX_SKB_FRAGS - skb_shinfo(skb)->nr_frags))
+ |
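Review bot: The added guard `if (i + size >= MAX_SKB_FRAGS)` in the carried macvtap.c hunk also rejects the case where `i + size` equals MAX_SKB_FRAGS. That case would still fit if `page[]` holds MAX_SKB_FRAGS entries; its declaration is outside the hunk, so confirm. If it does, `if (i + size > MAX_SKB_FRAGS)` keeps the bound without refusing a full but valid vector. `size` is computed from the guest-supplied `len`, and the types of `size` and `i` are not visible here, so check that a wrapped or negative `size` cannot pass the comparison and reach get_user_pages_fast(). The guard also deserves a one-line comment, for example `/* bound the guest-supplied vector before pinning into page[] */`, because it is the only thing between a guest descriptor and the stack array named in the commit message. Returning `-EFAULT` makes an over-long vector look like a pinning failure to the caller; `-EMSGSIZE` would describe the rejection more precisely.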