Hello,

We recently discovered a Denial-of-Service (DoS) attack issue in which a KVM guest VM using virtio-net can crash the Linux host by sending a short packet (i.e. size < ETH_HLEN). The packet may traverse vhost-net, macvtap and vlan without any validation/drop. When this packet is presented to the mlx5 driver on the host side, a host panic happens, since mlx5_core assumes the frame size is always >= ETH_HLEN.

Patches have been posted to netdev with the following cover letter. I'll post the commit IDs when I have them.

jch

~~~

Message-Id: <20240724170452.16837-1-dongli.zh...@oracle.com>
Date: Wed, 24 Jul 2024 10:04:50 -0700
From: Dongli Zhang <dongli.zh...@oracle.com>
To: <net...@vger.kernel.org>
Subject: [PATCH net 0/2] tap/tun: harden by dropping short frame

This is to harden all of tap/tun to avoid any short frame smaller than the Ethernet header (ETH_HLEN).

While the xen-netback already rejects short frame smaller than ETH_HLEN ...

    static void xenvif_tx_build_gops(struct xenvif_queue *queue,
                                     int budget,
                                     unsigned *copy_ops,
                                     unsigned *map_ops)
    {
    ...
    ...
            if (unlikely(txreq.size < ETH_HLEN)) {
                    netdev_dbg(queue->vif->dev,
                               "Bad packet size: %d\n", txreq.size);
                    xenvif_tx_err(queue, &txreq, extra_count, idx);
                    break;
            }

... the short frame may not be dropped by vhost-net/tap/tun.

This fixes CVE-2024-41090 and CVE-2024-41091.

Thank you very much!

Dongli Zhang
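
The length validation described above, as an added user-space sketch that is not part of the original message or the posted kernel patches: every header read is preceded by a length check, including the extra 4 bytes needed when a VLAN tag is announced. The names `frame_info`, `classify_frame` and `rx_dropped` are hypothetical; the constants match the kernel's `ETH_HLEN`, `VLAN_HLEN` and `ETH_P_8021Q` values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HLEN    14      /* dst MAC (6) + src MAC (6) + EtherType (2) */
#define VLAN_HLEN   4       /* 802.1Q tag: TCI (2) + inner EtherType (2) */
#define ETH_P_8021Q 0x8100

/* Hypothetical result of classifying one frame (not a kernel type). */
struct frame_info {
    int      dropped;     /* 1 if the frame was rejected as too short */
    uint16_t ethertype;   /* EtherType after at most one VLAN tag */
    size_t   l3_offset;   /* offset at which the payload starts */
};

static unsigned long rx_dropped;  /* hypothetical drop counter */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Check the length before each header read; the sender controls the framing. */
struct frame_info classify_frame(const uint8_t *buf, size_t len)
{
    struct frame_info fi = { 0, 0, 0 };

    if (len < ETH_HLEN)                  /* no complete Ethernet header */
        goto drop;
    fi.ethertype = be16(buf + 12);
    fi.l3_offset = ETH_HLEN;

    if (fi.ethertype == ETH_P_8021Q) {
        if (len < ETH_HLEN + VLAN_HLEN)  /* tag announced but truncated */
            goto drop;
        fi.ethertype = be16(buf + 16);
        fi.l3_offset = ETH_HLEN + VLAN_HLEN;
    }
    return fi;
drop:
    rx_dropped++;
    return (struct frame_info){ .dropped = 1 };
}

int main(void)
{
    const uint8_t runt[6] = { 0 };  /* constructed sample: 6-byte frame */
    struct frame_info fi = classify_frame(runt, sizeof runt);
    printf("dropped=%d rx_dropped=%lu\n", fi.dropped, rx_dropped);
    return 0;
}
```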