49 lines
1.8 KiB
Diff
49 lines
1.8 KiB
Diff
From 1696616a3e6e9d5eef2c39723ddaafb78a9a6eeb Mon Sep 17 00:00:00 2001
|
|
From: Will Deacon <will@kernel.org>
|
|
Date: Thu, 17 Jul 2025 10:01:08 +0100
|
|
Subject: vhost/vsock: Avoid allocating arbitrarily-sized SKBs
|
|
|
|
vhost_vsock_alloc_skb() returns NULL for packets advertising a length
|
|
larger than VIRTIO_VSOCK_MAX_PKT_BUF_SIZE in the packet header. However,
|
|
this is only checked once the SKB has been allocated and, if the length
|
|
in the packet header is zero, the SKB may not be freed immediately.
|
|
|
|
Hoist the size check before the SKB allocation so that an iovec larger
|
|
than VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + the header size is rejected
|
|
outright. The subsequent check on the length field in the header can
|
|
then simply check that the allocated SKB is indeed large enough to hold
|
|
the packet.
|
|
|
|
Cc: <stable@vger.kernel.org>
|
|
Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")
|
|
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
|
|
Signed-off-by: Will Deacon <will@kernel.org>
|
|
Message-Id: <20250717090116.11987-2-will@kernel.org>
|
|
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
|
---
|
|
drivers/vhost/vsock.c | 6 ++++--
|
|
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
|
|
--- a/drivers/vhost/vsock.c
|
|
+++ b/drivers/vhost/vsock.c
|
|
@@ -344,6 +344,9 @@ vhost_vsock_alloc_skb(struct vhost_virtq
|
|
|
|
len = iov_length(vq->iov, out);
|
|
|
|
+ if (len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + VIRTIO_VSOCK_SKB_HEADROOM)
|
|
+ return NULL;
|
|
+
|
|
/* len contains both payload and hdr */
|
|
skb = virtio_vsock_alloc_skb(len, GFP_KERNEL);
|
|
if (!skb)
|
|
@@ -367,8 +370,7 @@ vhost_vsock_alloc_skb(struct vhost_virtq
|
|
return skb;
|
|
|
|
/* The pkt is too big or the length in the header is invalid */
|
|
- if (payload_len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE ||
|
|
- payload_len + sizeof(*hdr) > len) {
|
|
+ if (payload_len + sizeof(*hdr) > len) {
|
|
kfree_skb(skb);
|
|
return NULL;
|
|
}
|