diff options
| author | Andrea Parri (Microsoft) <parri.andrea@gmail.com> | 2021-02-03 14:35:12 +0300 |
|---|---|---|
| committer | Jakub Kicinski <kuba@kernel.org> | 2021-02-05 07:37:04 +0300 |
| commit | 0102eeedb71757d6589144cf019424f69b3ab289 (patch) | |
| tree | e23732006cef5b76202b670aaf5887b0b9a29e71 /tools/perf/scripts/python/stackcollapse.py | |
| parent | 6b4950d9501e80ad09060e9e5afb3ca3d12ba65e (diff) | |
| download | linux-0102eeedb71757d6589144cf019424f69b3ab289.tar.xz | |
hv_netvsc: Allocate the recv_buf buffers after NVSP_MSG1_TYPE_SEND_RECV_BUF
The recv_buf buffers are allocated in netvsc_device_add(). Later in
netvsc_init_buf() the response to NVSP_MSG1_TYPE_SEND_RECV_BUF allows
the host to set up a recv_section_size that could be bigger than the
(default) value used for that allocation. The host-controlled value
could be used by a malicious host to bypass the check on the packet's
length in netvsc_receive() and hence to overflow the recv_buf buffer.
Move the allocation of the recv_buf buffers into netvsc_init_but().
Reported-by: Juan Vazquez <juvazq@microsoft.com>
Signed-off-by: Andrea Parri (Microsoft) <parri.andrea@gmail.com>
Fixes: 0ba35fe91ce34f ("hv_netvsc: Copy packets sent by Hyper-V out of the receive buffer")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'tools/perf/scripts/python/stackcollapse.py')
0 files changed, 0 insertions, 0 deletions