vsock/virtio: Validate length in packet header before skb_put()

jira VULN-136554
cve CVE-2025-39718
commit-author Will Deacon <[email protected]>
commit 0dab924

When receiving a vsock packet in the guest, only the virtqueue buffer
size is validated prior to virtio_vsock_skb_rx_put(). Unfortunately,
virtio_vsock_skb_rx_put() uses the length from the packet header as the
length argument to skb_put(), potentially resulting in SKB overflow if
the host has gone wonky.

Validate the length as advertised by the packet header before calling
virtio_vsock_skb_rx_put().

	Cc: <[email protected]>
Fixes: 71dc9ec ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")
	Signed-off-by: Will Deacon <[email protected]>
Message-Id: <[email protected]>
	Signed-off-by: Michael S. Tsirkin <[email protected]>
	Reviewed-by: Stefano Garzarella <[email protected]>
(cherry picked from commit 0dab924)
	Signed-off-by: Shreeya Patel <[email protected]>

Author: shreeya-patel98

net/vmw_vsock/virtio_transport.c

@@ -581,8 +581,9 @@ static void virtio_transport_rx_work(struct work_struct *work)
 	do {
 		virtqueue_disable_cb(vq);
 		for (;;) {
+			unsigned int len, payload_len;
+			struct virtio_vsock_hdr *hdr;
 			struct sk_buff *skb;
-			unsigned int len;
 
 			if (!virtio_transport_more_replies(vsock)) {
 				/* Stop rx until the device processes already
@@ -599,12 +600,19 @@ static void virtio_transport_rx_work(struct work_struct *work)
 			vsock->rx_buf_nr--;
 
 			/* Drop short/long packets */
-			if (unlikely(len < sizeof(struct virtio_vsock_hdr) ||
+			if (unlikely(len < sizeof(*hdr) ||
 				     len > virtio_vsock_skb_len(skb))) {
 				kfree_skb(skb);
 				continue;
 			}
 
+			hdr = virtio_vsock_hdr(skb);
+			payload_len = le32_to_cpu(hdr->len);
+			if (unlikely(payload_len > len - sizeof(*hdr))) {
+				kfree_skb(skb);
+				continue;
+			}
+
 			virtio_vsock_skb_rx_put(skb);
 			virtio_transport_deliver_tap_pkt(skb);
 			virtio_transport_recv_pkt(&virtio_transport, skb);