xen/netback: Fix buffer overrun triggered by unusual packet - kernel

diff options

author	Ross Lagerwall <[email protected]>	2023-08-03 06:41:22 +0000
committer	Juergen Gross <[email protected]>	2023-08-03 07:04:08 +0000
commit	534fc31d09b706a16d83533e16b5dc855caf7576 (patch)
tree	78f0abcc04ca238f4b6598737ed79bf476d4832b /tools/perf/util/c++/clang.cpp
parent	Merge tag 'soc-fixes-6.5-2' of git://git.kernel.org/pub/scm/linux/kernel/git/... (diff)
download	kernel-534fc31d09b706a16d83533e16b5dc855caf7576.tar.gz kernel-534fc31d09b706a16d83533e16b5dc855caf7576.zip

xen/netback: Fix buffer overrun triggered by unusual packet

It is possible that a guest can send a packet that contains a head + 18 slots and yet has a len <= XEN_NETBACK_TX_COPY_LEN. This causes nr_slots to underflow in xenvif_get_requests() which then causes the subsequent loop's termination condition to be wrong, causing a buffer overrun of queue->tx_map_ops. Rework the code to account for the extra frag_overflow slots. This is CVE-2023-34319 / XSA-432. Fixes: ad7f402ae4f4 ("xen/netback: Ensure protocol headers don't fall in the non-linear area") Signed-off-by: Ross Lagerwall <[email protected]> Reviewed-by: Paul Durrant <[email protected]> Reviewed-by: Wei Liu <[email protected]> Signed-off-by: Juergen Gross <[email protected]>

Diffstat (limited to 'tools/perf/util/c++/clang.cpp')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: