Cong Wang authored and Konstantin Khorenko committed 4e12e25348e
ms/tun: call dev_get_valid_name() before register_netdevice()

ML commit: 0ad646c81b2182f7fa67ec0c8c825e0ee165696d

register_netdevice() could fail early when we have an invalid dev name, in which case ->ndo_uninit() is not called. For tun device, this is a problem because a timer etc. are already initialized and it expects ->ndo_uninit() to clean them up.

We could move these initializations into a ->ndo_init() so that register_netdevice() knows better, however this is still complicated due to the logic in tun_detach().

Therefore, I choose to just call dev_get_valid_name() before register_netdevice(), which is quicker and much easier to audit. And for this specific case, it is already enough.

Fixes: 96442e42429e ("tuntap: choose the txq based on rxq")
Reported-by: Dmitry Alexeev <avekceeb@gmail.com>
Cc: Jason Wang <jasowang@redhat.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

CVE-2018-7191
https://jira.sw.ru/browse/PSBM-96332

The patch was re-diffed for vzkernel 3.10.0-957.21.3.vz7.106.x (context change only).

Signed-off-by: Evgenii Shatokhin <eshatokhin@virtuozzo.com>

=====================
Patchset description:

Fixes for CVE-2018-7191

Although it is unclear if CVE-2018-7191 can do any harm to VZ7 or VIP, I think it is better to add the fix anyway.

CVE-2018-7191
https://jira.sw.ru/browse/PSBM-96332

The problem is that if a user passes an invalid name to ioctl(TUNSETIFF) called for /dev/net/tun, the implementation of that ioctl would still call register_netdevice(). The latter would fail but tun_struct::flow_gc_timer would not be destroyed in that case. If the timer could be armed at that moment (not sure if that is possible), it would crash the kernel.

The patch set makes sure the name passed to ioctl(TUNSETIFF) is checked earlier, to avoid the issue.

[PATCH RH7 1/2] tun: call dev_get_valid_name() before register_netdevice()
[PATCH RH7 2/2] tun: allow positive return values on dev_get_valid_name() call
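
The ordering problem described in the commit message, as an added user-space model that is not part of the original commit and is not kernel code. The `model_*` and `create_*` names, the simplified name check and the numeric error values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <string.h>
#define MODEL_IFNAMSIZ 16

/* Hypothetical user-space stand-in for a tun device; not a kernel structure. */
struct model_dev {
    const char *name;
    bool timer_live;  /* stands for the flow GC timer set up at create time */
    bool name_taken;  /* forces a failure late in registration */
};

/* Simplified name check (assumption: only a subset of the kernel's rules). */
static bool model_name_ok(const char *n) {
    size_t len = strlen(n);
    return len > 0 && len < MODEL_IFNAMSIZ && strchr(n, '/') == NULL;
}

/* Plays the role of ->ndo_uninit(): releases what create set up. */
static void model_uninit(struct model_dev *d) { d->timer_live = false; }

/* A bad name fails before the uninit hook; a later failure unwinds through it. */
static int model_register(struct model_dev *d) {
    if (!model_name_ok(d->name))
        return -22;           /* -EINVAL: early exit, uninit never runs */
    if (d->name_taken) {
        model_uninit(d);      /* -EEXIST: late failure, cleaned up */
        return -17;
    }
    return 0;
}

/* Before the fix: set up the timer, then let registration reject the name. */
static int create_unpatched(struct model_dev *d) {
    d->timer_live = true;
    return model_register(d);
}

/* After the fix: reject the name before anything needs cleanup. */
static int create_patched(struct model_dev *d) {
    if (!model_name_ok(d->name))
        return -22;
    d->timer_live = true;
    return model_register(d);
}

int main(void) {
    struct model_dev d = { "bad/name", false, false };  /* constructed input */
    return (create_patched(&d) == -22 && !d.timer_live) ? 0 : 1;
}
```

In the unpatched path an invalid name returns an error while `timer_live` stays set, which is the leftover state the message is concerned about; a late failure is cleaned up in both paths.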