Hello,

We recently discovered a Denial-of-Service (DoS) attack issue in which 
a KVM guest VM using virtio-net can crash the Linux host by sending a 
short packet (i.e. size < ETH_HLEN). The packet may traverse through 
vhost-net, macvtap and vlan without any validation/drop. When this 
packet is presented to the mlx5 driver on the host side, a host panic 
happens, since mlx5_core assumes the frame size is always >= ETH_HLEN.

Patches have been posted to netdev with the following cover letter.
I'll post the commit IDs when I have them.

jch

~~~

Message-Id: <20240724170452.16837-1-dongli.zh...@oracle.com>
Date: Wed, 24 Jul 2024 10:04:50 -0700
From: Dongli Zhang <dongli.zh...@oracle.com>
To: <net...@vger.kernel.org>
Subject: [PATCH net 0/2] tap/tun: harden by dropping short frame

This is to harden all of tap/tun to avoid any short frame smaller than the
Ethernet header (ETH_HLEN).

While xen-netback already rejects short frames smaller than ETH_HLEN ...

static void xenvif_tx_build_gops(struct xenvif_queue *queue,
                                     int budget,
                                     unsigned *copy_ops,
                                     unsigned *map_ops)
{
... ...
                if (unlikely(txreq.size < ETH_HLEN)) {
                        netdev_dbg(queue->vif->dev,
                                   "Bad packet size: %d\n", txreq.size);
                        xenvif_tx_err(queue, &txreq, extra_count, idx);
                        break;
                }

... the short frame may not be dropped by vhost-net/tap/tun.

This fixes CVE-2024-41090 and CVE-2024-41091.

Thank you very much!

Dongli Zhang
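
Added example, not part of the original post or the posted patches: a userspace C sketch of the length check described above, applied before any Ethernet header field is read. It goes one step beyond the post by also rejecting a frame that claims an 802.1Q tag but is too short to hold it; check_frame, struct frame_info, be16_at and the sample frames are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HLEN    14      /* dst MAC + src MAC + EtherType */
#define VLAN_HLEN   4       /* 802.1Q tag: TCI + inner EtherType */
#define ETH_P_8021Q 0x8100

enum verdict { FRAME_OK, DROP_SHORT, DROP_SHORT_VLAN };

struct frame_info {
    uint16_t ethertype;     /* innermost EtherType, host byte order */
    size_t   payload_off;   /* offset of the first payload byte */
};

static uint16_t be16_at(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Length is checked before any header byte is read. */
enum verdict check_frame(const uint8_t *buf, size_t len, struct frame_info *out)
{
    if (len < ETH_HLEN)
        return DROP_SHORT;              /* same condition as the netback check */
    uint16_t type = be16_at(buf + 12);
    size_t off = ETH_HLEN;
    if (type == ETH_P_8021Q) {          /* a tag needs 4 more bytes */
        if (len < ETH_HLEN + VLAN_HLEN)
            return DROP_SHORT_VLAN;
        type = be16_at(buf + 16);
        off += VLAN_HLEN;
    }
    out->ethertype = type;
    out->payload_off = off;
    return FRAME_OK;
}

/* Constructed sample frames (MAC addresses left as zero). */
static const uint8_t short_frame[10] = { 0 };
static const uint8_t ipv4_frame[14]  = { [12] = 0x08, [13] = 0x00 };
static const uint8_t vlan_trunc[14]  = { [12] = 0x81, [13] = 0x00 };
static const uint8_t vlan_ok[18]     = { [12] = 0x81, [13] = 0x00, [15] = 0x64,
                                         [16] = 0x86, [17] = 0xDD };

int main(void)
{
    struct frame_info fi = { 0 };
    printf("short frame verdict: %d\n", check_frame(short_frame, sizeof short_frame, &fi));
    return check_frame(vlan_ok, sizeof vlan_ok, &fi) == FRAME_OK ? 0 : 1;
}
```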


