oss-sec mailing list archives

CVE request -- kernel: macvtap: zerocopy: vector length is not validated before pinning user pages


From: Petr Matousek <pmatouse () redhat com>
Date: Thu, 19 Apr 2012 16:28:20 +0200

Currently we do not validate the vector length before calling
get_user_pages_fast(); the host stack could easily be overflowed by a
malicious guest driver that gives us descriptors with a length greater
than MAX_SKB_FRAGS.

A privileged guest user could use this flaw to induce a stack overflow on
the host with data the attacker does not control (some bits can be guessed,
as they will be pointers to kernel memory) but with an attacker-controlled
length.

Proposed fix thread:
http://marc.info/?l=linux-netdev&m=133455718001608&w=2

References:
https://bugzilla.redhat.com/show_bug.cgi?id=814278

Thanks,
-- 
Petr Matousek / Red Hat Security Response Team
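
The pattern the report describes, as an added userland C model that is not the
macvtap driver's code: a scatter-gather routine pins guest-supplied pages into
a MAX_SKB_FRAGS-sized array on the stack and only checks the count afterwards,
next to a variant that totals the pages the whole vector needs before pinning
anything. The helper names (fake_get_user_pages, pages_in_range,
iov_pages_total), the 4 KiB page size, MAX_SKB_FRAGS = 17, the -EMSGSIZE
return of the hardened path, and the sample descriptors are all assumptions of
this example; get_user_pages_fast() is replaced by a stand-in that bounds its
writes and counts what would have spilled, so the model itself never corrupts
memory.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/uio.h>

/* Simulation parameters (assumed): 4 KiB pages and a common MAX_SKB_FRAGS. */
#define PAGE_SHIFT    12
#define PAGE_SIZE     (1UL << PAGE_SHIFT)
#define PAGE_MASK     (~(PAGE_SIZE - 1))
#define MAX_SKB_FRAGS 17

struct sg_result {
    int    rc;          /* pages pinned, or negative errno */
    size_t overflowed;  /* pointers the simulated pin would have written past page[] */
};

/* Pages touched by [base, base + len), computed the way the driver does it. */
static size_t pages_in_range(unsigned long base, size_t len)
{
    return ((base & ~PAGE_MASK) + len + ~PAGE_MASK) >> PAGE_SHIFT;
}

/* Stand-in for get_user_pages_fast(): "pins" nr_pages pages from base by
 * storing one fake struct page pointer per page into pages[]. The real call
 * trusts the caller's array; this model bounds writes by cap and counts the
 * entries that would have spilled past the end instead of writing them. */
static int fake_get_user_pages(unsigned long base, size_t nr_pages,
                               uintptr_t *pages, size_t cap, size_t *spilled)
{
    for (size_t i = 0; i < nr_pages; i++) {
        uintptr_t fake_page = (base & PAGE_MASK) + (i << PAGE_SHIFT);
        if (i < cap)
            pages[i] = fake_page;
        else
            (*spilled)++;
    }
    return (int)nr_pages;
}

/* Vulnerable shape: the page count is derived from the guest's descriptor,
 * pinned into a MAX_SKB_FRAGS-sized stack array, and compared against the
 * remaining room only after the pointers have already been written. */
static struct sg_result zerocopy_sg_vulnerable(const struct iovec *iov, size_t count)
{
    uintptr_t page[MAX_SKB_FRAGS];
    struct sg_result r = { 0, 0 };
    size_t nr_frags = 0;

    for (size_t v = 0; v < count; v++) {
        unsigned long base = (unsigned long)iov[v].iov_base;
        size_t size = pages_in_range(base, iov[v].iov_len);
        int num_pages = fake_get_user_pages(base, size, &page[nr_frags],
                                            MAX_SKB_FRAGS - nr_frags, &r.overflowed);
        if ((size_t)num_pages != size ||
            (size_t)num_pages > MAX_SKB_FRAGS - nr_frags) {
            r.rc = -EFAULT;   /* too late: page[] has already been overrun */
            return r;
        }
        nr_frags += size;
    }
    r.rc = (int)nr_frags;
    return r;
}

/* Pages the whole vector would need, computed before anything is pinned. */
static size_t iov_pages_total(const struct iovec *iov, size_t count)
{
    size_t total = 0;
    for (size_t v = 0; v < count; v++)
        total += pages_in_range((unsigned long)iov[v].iov_base, iov[v].iov_len);
    return total;
}

/* Hardened shape: validate the total up front and refuse an oversized vector;
 * the same pinning loop is then provably within bounds. (The -EMSGSIZE return
 * is this example's choice; a driver may instead fall back to a copying path.) */
static struct sg_result zerocopy_sg_hardened(const struct iovec *iov, size_t count)
{
    struct sg_result r = { -EMSGSIZE, 0 };
    if (iov_pages_total(iov, count) > MAX_SKB_FRAGS)
        return r;                              /* rejected before any pin */
    return zerocopy_sg_vulnerable(iov, count); /* loop can no longer overrun */
}

/* Constructed descriptors (not from the report). The addresses are fake
 * guest-supplied user pointers and are never dereferenced. */
static const struct iovec benign_iov[] = {
    { (void *)0x10001000UL, 4096 },
    { (void *)0x10005800UL, 4096 },   /* straddles a page boundary: 2 pages */
    { (void *)0x10009000UL, 100 },
};
/* One descriptor claiming 1 MiB: 256 pages against a 17-entry stack array. */
static const struct iovec hostile_iov[] = {
    { (void *)0x10100000UL, 1UL << 20 },
};

int main(void)
{
    struct sg_result v = zerocopy_sg_vulnerable(hostile_iov, 1);
    struct sg_result h = zerocopy_sg_hardened(hostile_iov, 1);
    printf("vulnerable: rc=%d, %zu pointers written past page[]\n", v.rc, v.overflowed);
    printf("hardened:   rc=%d, %zu pointers written past page[]\n", h.rc, h.overflowed);
    return 0;
}
```

The check that matters is the one that runs before the pin: once
get_user_pages_fast() has been handed a count larger than the room left in the
array, the comparison that follows can only report the damage, not prevent it.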
