Description
In the Linux kernel, the following vulnerability has been resolved: net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd() In tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points directly into the mmap'd TX ring buffer shared with userspace. The kernel validates the header via __packet_snd_vnet_parse() but then re-reads all fields later in virtio_net_hdr_to_skb(). A concurrent userspace thread can modify the vnet_hdr fields between validation and use, bypassing all safety checks. The non-TPACKET path (packet_snd()) already correctly copies vnet_hdr to a stack-local variable. All other vnet_hdr consumers in the kernel (tun.c, tap.c, virtio_net.c) also use stack copies. The TPACKET TX path is the only caller of virtio_net_hdr_to_skb() that reads directly from user-controlled shared memory. Fix this by copying vnet_hdr from the mmap'd ring buffer to a stack-local variable before validation and use, consistent with the approach used in packet_snd() and all other callers.
Product status
1d036d25e5609ba73fee6a88db01c306b140d512 (git) before 74e2db36fe50e3ad9d5300d7fd0e6e2a15a6d121
1d036d25e5609ba73fee6a88db01c306b140d512 (git) before 3a1bf9116ea31470b89692585c3910dfe830dcdd
1d036d25e5609ba73fee6a88db01c306b140d512 (git) before 28324a3b62d9ce7f9bdd65a8ce63f382041d1b27
1d036d25e5609ba73fee6a88db01c306b140d512 (git) before 48a6ef291a17639e1b6ae0fbe9c8b2bb87d7804b
1d036d25e5609ba73fee6a88db01c306b140d512 (git) before 2c054e17d9d41f1020376806c7f750834ced4dc5
4.6
Any version before 4.6
6.6.136 (semver)
6.12.84 (semver)
6.18.25 (semver)
7.0.2 (semver)
7.1-rc1 (original_commit_for_fix)
References
git.kernel.org/...c/74e2db36fe50e3ad9d5300d7fd0e6e2a15a6d121
git.kernel.org/...c/3a1bf9116ea31470b89692585c3910dfe830dcdd
git.kernel.org/...c/28324a3b62d9ce7f9bdd65a8ce63f382041d1b27
git.kernel.org/...c/48a6ef291a17639e1b6ae0fbe9c8b2bb87d7804b
git.kernel.org/...c/2c054e17d9d41f1020376806c7f750834ced4dc5