oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: linux kernel: virtio-net host dos

From: Salvatore Bonaccorso <carnil () debian org>
Date: Sat, 27 Jul 2024 21:59:38 +0200
Hi,

On Wed, Jul 24, 2024 at 05:23:47PM +0000, John Haxby wrote:

Hello,

We recently have discovered a Denial-of-Service (DoS) attack issue that 
a KVM guest VM using virtio-net can crash the Linux host by sending a 
short packet (i.e.  size < ETH_HLEN). The packet may traverse through 
vhost-net, macvtap and vlan without any validation/drop. When this 
packet is presented to mlx5 driver on the host side, the host panic 
happens, since mlx5_core assumes the frame size is always >= ETH_HLEN.

Patches have been posted to netdev with the following cover letter.
I'll post the commit IDs when I have them.

jch

~~~

Message-Id: <20240724170452.16837-1-dongli.zhang () oracle com>
Date: Wed, 24 Jul 2024 10:04:50 -0700
From: Dongli Zhang <dongli.zhang () oracle com>
To: <netdev () vger kernel org>
Subject: [PATCH net 0/2] tap/tun: harden by dropping short frame

This is to harden all of tap/tun to avoid any short frame smaller than the
Ethernet header (ETH_HLEN).

While the xen-netback already rejects short frame smaller than ETH_HLEN ...

 914 static void xenvif_tx_build_gops(struct xenvif_queue *queue,
 915                                      int budget,
 916                                      unsigned *copy_ops,
 917                                      unsigned *map_ops)
 918 {
... ...
1007                 if (unlikely(txreq.size < ETH_HLEN)) {
1008                         netdev_dbg(queue->vif->dev,
1009                                    "Bad packet size: %d\n", txreq.size);
1010                         xenvif_tx_err(queue, &txreq, extra_count, idx);
1011                         break;
1012                 }

... the short frame may not be dropped by vhost-net/tap/tun.

This fixes CVE-2024-41090 and CVE-2024-41091.


The respective upstream commits are:

CVE-2024-41090:
https://git.kernel.org/linus/ed7f2afdd0e043a397677e597ced0830b83ba0b3

CVE-2024-41091:
https://git.kernel.org/linus/049584807f1d797fc3078b68035450a9769eb5c3

FWIW, they were as well backported to current stable series: 6.10.2,
6.9.12, 6.6.43, 6.1.102, 5.15.164, 5.10.223 and 5.4.281.

Regards,
Salvatore
Previous By Date Next
Previous By Thread Next

Current thread: