Hi,
On Wed, Jul 24, 2024 at 05:23:47PM +0000, John Haxby wrote:
> Hello,
>
> We recently have discovered a Denial-of-Service (DoS) attack issue that
> a KVM guest VM using virtio-net can crash the Linux host by sending a
> short packet (i.e. size < ETH_HLEN). The packet may traverse through
> vhost-net, macvtap and vlan without any validation/drop. When this
> packet is presented to mlx5 driver on the host side, the host panic
> happens, since mlx5_core assumes the frame size is always >= ETH_HLEN.
>
> Patches have been posted to netdev with the following cover letter.
> I'll post the commit IDs when I have them.
>
> jch
>
> ~~~
>
> Message-Id: <20240724170452.16837-1-dongli.zh...@oracle.com>
> Date: Wed, 24 Jul 2024 10:04:50 -0700
> From: Dongli Zhang <dongli.zh...@oracle.com>
> To: <net...@vger.kernel.org>
> Subject: [PATCH net 0/2] tap/tun: harden by dropping short frame
>
> This is to harden all of tap/tun to avoid any short frame smaller than the
> Ethernet header (ETH_HLEN).
>
> While the xen-netback already rejects short frame smaller than ETH_HLEN ...
>
> 914 static void xenvif_tx_build_gops(struct xenvif_queue *queue,
> 915 int budget,
> 916 unsigned *copy_ops,
> 917 unsigned *map_ops)
> 918 {
> ... ...
> 1007 if (unlikely(txreq.size < ETH_HLEN)) {
> 1008 netdev_dbg(queue->vif->dev,
> 1009 "Bad packet size: %d\n", txreq.size);
> 1010 xenvif_tx_err(queue, &txreq, extra_count, idx);
> 1011 break;
> 1012 }
>
> ... the short frame may not be dropped by vhost-net/tap/tun.
>
> This fixes CVE-2024-41090 and CVE-2024-41091.
The respective upstream commits are:
CVE-2024-41090:
https://git.kernel.org/linus/ed7f2afdd0e043a397677e597ced0830b83ba0b3
CVE-2024-41091:
https://git.kernel.org/linus/049584807f1d797fc3078b68035450a9769eb5c3
FWIW, they were as well backported to current stable series: 6.10.2,
6.9.12, 6.6.43, 6.1.102, 5.15.164, 5.10.223 and 5.4.281.
Regards,
Salvatore
