Commits
Julien Gomes authored and Konstantin Khorenko committed d6e63886029
ms/tun: allow positive return values on dev_get_valid_name() call ML commit: 5c25f65fd1e42685f7ccd80e0621829c105785d9 If the name argument of dev_get_valid_name() contains "%d", it will try to assign it a unit number in __dev__alloc_name() and return either the unit number (>= 0) or an error code (< 0). Considering positive values as error values prevent tun device creations relying this mechanism, therefor we should only consider negative values as errors here. Signed-off-by: Julien Gomes <julien@arista.com> Acked-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> CVE-2018-7191 https://jira.sw.ru/browse/PSBM-96332 Signed-off-by: Evgenii Shatokhin <eshatokhin@virtuozzo.com> ===================== Patchset description: Fixes for CVE-2018-7191 Although it is unclear if CVE-2018-7191 can do any harm to VZ7 or VIP, I think, it is better to add the fix anyway. CVE-2018-7191 https://jira.sw.ru/browse/PSBM-96332 The problem is that if a user passes an invalid name to ioctl(TUNSETIFF) called for /dev/net/tun, the implementation of that ioctl would still call register_netdevice(). The latter would fail but tun_struct::flow_gc_timer would not be destroyed in that case. If the timer could be armed at that moment (not sure if that is possible), it would crash the kernel. The patch set makes sure the name passed to ioctl(TUNSETIFF) is checked earlier, to avoid the issue. [PATCH RH7 1/2] tun: call dev_get_valid_name() before register_netdevice() [PATCH RH7 2/2] tun: allow positive return values on dev_get_valid_name() call