From: Alexander Bulekov <alxndr@bu.edu>
To: Li Qiang <liq3ea@gmail.com>
Cc: Jason Wang <jasowang@redhat.com>,
	Dmitry Fleytman <dmitry.fleytman@gmail.com>,
	QEMU Developers <qemu-devel@nongnu.org>,
	P J P <ppandit@redhat.com>
Subject: Re: [PATCH] net: check payload length limit for all frames
Date: Mon, 20 Jul 2020 10:02:57 -0400
Message-ID: <20200720140257.okfgo3k5y5xfi57e@mozz.bu.edu>
In-Reply-To: <CAKXe6SKV8=B2rb6EY72W17r6-oz5nx9VQndH9gSyafubOU4rJg@mail.gmail.com>

On 200720 1946, Li Qiang wrote:
> 
> This seems to be the same issue as LP#1886362.
> Look at the free path.
> Here 'e1000e_write_to_rx_buffers' triggers DMA and then goes to
> address space dispatch. So the DMA is not to RAM but to an MMIO range.
> Then we go to another send path, and in that we free the 'iov'.
> 
> Alex, did you try my patch to solve LP#1886362?
> I have tried it and it seems this UAF is not triggered.

Hi Li,
I think the bugs are triggered in a similar way, and they stem from the
same underlying issue (the code wasn't designed to read/write to its own
MMIO range), but the actual UAFs are different.
I agree that your patch should fix all of these types of bugs in the
e1000e.
Thanks
-Alex

> Thanks,
> Li Qiang
> 
> 
> > previously allocated by thread T0 here:
> >     #0 0x561dd231130d in malloc (/home/alxndr/Development/qemu/build-asan/i386-softmmu/qemu-system-i386+0x2bb630d)
> >     #1 0x7f58c023d500 in g_malloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54500)
> >     #2 0x561dd43d0666 in net_rx_pkt_pull_data /home/alxndr/Development/qemu/hw/net/net_rx_pkt.c:103:9
> >     #3 0x561dd43d2cf6 in net_rx_pkt_attach_iovec_ex /home/alxndr/Development/qemu/hw/net/net_rx_pkt.c:158:5
> >     #4 0x561dd440360f in e1000e_receive_iov /home/alxndr/Development/qemu/hw/net/e1000e_core.c:1695:5
> >     #5 0x561dd43fd91a in e1000e_nc_receive_iov /home/alxndr/Development/qemu/hw/net/e1000e.c:213:12
> >     #6 0x561dd43c82e7 in net_tx_pkt_sendv /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:553:9
> >     #7 0x561dd43c65e6 in net_tx_pkt_send /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:629:9
> >     #8 0x561dd43c9c78 in net_tx_pkt_send_loopback /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:642:11
> >     #9 0x561dd4472cf6 in e1000e_tx_pkt_send /home/alxndr/Development/qemu/hw/net/e1000e_core.c:664:16
> >     #10 0x561dd446f296 in e1000e_process_tx_desc /home/alxndr/Development/qemu/hw/net/e1000e_core.c:743:17
> >     #11 0x561dd446ce68 in e1000e_start_xmit /home/alxndr/Development/qemu/hw/net/e1000e_core.c:934:9
> >     #12 0x561dd445635d in e1000e_set_tdt /home/alxndr/Development/qemu/hw/net/e1000e_core.c:2451:9
> >     #13 0x561dd440f19e in e1000e_core_write /home/alxndr/Development/qemu/hw/net/e1000e_core.c:3265:9
> >     #14 0x561dd43f77b7 in e1000e_mmio_write /home/alxndr/Development/qemu/hw/net/e1000e.c:109:5
> >     #15 0x561dd2ff62a3 in memory_region_write_accessor /home/alxndr/Development/qemu/softmmu/memory.c:483:5
> >     #16 0x561dd2ff5747 in access_with_adjusted_size /home/alxndr/Development/qemu/softmmu/memory.c:544:18
> >     #17 0x561dd2ff3366 in memory_region_dispatch_write /home/alxndr/Development/qemu/softmmu/memory.c:1465:16
> >     #18 0x561dd23a5476 in flatview_write_continue /home/alxndr/Development/qemu/exec.c:3176:23
> >     #19 0x561dd238de86 in flatview_write /home/alxndr/Development/qemu/exec.c:3216:14
> >     #20 0x561dd238d9a7 in address_space_write /home/alxndr/Development/qemu/exec.c:3307:18
> >     #21 0x561dd30a43b1 in qtest_process_command /home/alxndr/Development/qemu/softmmu/qtest.c:567:9
> >     #22 0x561dd3094b38 in qtest_process_inbuf /home/alxndr/Development/qemu/softmmu/qtest.c:710:9
> >     #23 0x561dd30937c5 in qtest_read /home/alxndr/Development/qemu/softmmu/qtest.c:722:5
> >     #24 0x561dd5f33993 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/chardev/char.c:188:9
> >     #25 0x561dd5f33b17 in qemu_chr_be_write /home/alxndr/Development/qemu/chardev/char.c:200:9
> >     #26 0x561dd5f47e03 in fd_chr_read /home/alxndr/Development/qemu/chardev/char-fd.c:68:9
> >     #27 0x561dd609c1c4 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/io/channel-watch.c:84:12
> >     #28 0x7f58c0237897 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e897)
> >
> > Let me know if I can help with anything else!
> > -Alex
> >
> > > Thank you.
> > > --
> > > Prasad J Pandit / Red Hat Product Security Team
> > > 8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
> >
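
The path Li describes above (RX DMA landing on the device's own MMIO range, address-space dispatch re-entering the device, the loopback send freeing the iov that the outer receive still holds), reduced to a toy C model as an added example. This is not QEMU code and not Li Qiang's patch, whose contents are not in this message; the MMIO window, the TDT offset, the frames and the per-device re-entrancy guard are assumptions made for the model. The unguarded run reproduces the hazard by tracking the packet buffer's allocation generation instead of dereferencing freed memory; the guarded run drops the MMIO write the device issued to itself.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy NIC model written for this example (not QEMU code). The MMIO window,
 * register offset, frames and the guard are assumptions. */
#define MMIO_BASE 0xF0000000u
#define MMIO_SIZE 0x1000u
#define REG_TDT   0x18u   /* hypothetical TX tail register: a write kicks transmit */
#define RAM_SIZE  256u

struct rx_pkt { uint8_t *data; unsigned gen; };  /* gen bumps on every (re)allocation */

struct nic {
    uint8_t       ram[RAM_SIZE];
    struct rx_pkt rx;             /* one packet object reused across receives, as in the trace */
    unsigned      next_gen;
    bool          guard_enabled;  /* hardened variant: drop MMIO accesses the device issues to itself */
    bool          in_io;          /* set while a receive is in progress */
    int           reentries_blocked;
};

enum rx_result { RX_OK = 0, RX_UAF = 1 };

static enum rx_result nic_receive(struct nic *d, const uint8_t *f, size_t len, uint32_t dma_addr);

/* Like net_rx_pkt_pull_data: free the previous buffer, allocate a fresh one. */
static void rx_pkt_pull_data(struct nic *d, const uint8_t *src, size_t len)
{
    free(d->rx.data);
    d->rx.data = malloc(len ? len : 1);
    memcpy(d->rx.data, src, len);
    d->rx.gen = ++d->next_gen;
}

/* TX path with loopback: the frame is handed straight back to RX
 * (net_tx_pkt_send_loopback -> e1000e_receive_iov in the report). */
static void nic_start_xmit(struct nic *d)
{
    static const uint8_t loopback_frame[4] = { 0xde, 0xad, 0xbe, 0xef };  /* constructed */
    nic_receive(d, loopback_frame, sizeof loopback_frame, 0x40 /* plain RAM target */);
}

static void nic_mmio_write(struct nic *d, uint32_t off, uint32_t val)
{
    (void)val;
    if (d->guard_enabled && d->in_io) { d->reentries_blocked++; return; }  /* re-entered itself */
    if (off == REG_TDT) nic_start_xmit(d);
}

/* Device DMA: address-space dispatch routes writes that land in the device's
 * own BAR back into nic_mmio_write instead of RAM. */
static void dma_write(struct nic *d, uint32_t addr, const uint8_t *buf, size_t len)
{
    if (addr >= MMIO_BASE && addr < MMIO_BASE + MMIO_SIZE) {
        nic_mmio_write(d, addr - MMIO_BASE, len ? buf[0] : 0);
        return;   /* buf may have been freed by the nested path; never touch it again */
    }
    if (addr < RAM_SIZE && len <= RAM_SIZE - addr)
        memcpy(d->ram + addr, buf, len);
}

/* RX path: attach the frame, DMA it to the guest-chosen buffer address, then
 * keep using the packet object (as e1000e_write_to_rx_buffers does). */
static enum rx_result nic_receive(struct nic *d, const uint8_t *f, size_t len, uint32_t dma_addr)
{
    bool outer = !d->in_io;
    if (outer) d->in_io = true;

    rx_pkt_pull_data(d, f, len);
    unsigned my_gen = d->rx.gen;
    dma_write(d, dma_addr, d->rx.data, len);

    /* The real code dereferences the iov here. If a nested receive ran, the buffer
     * was freed and replaced underneath us: the ASan use-after-free. The model
     * reports the hazard instead of touching freed memory. */
    enum rx_result r = (d->rx.gen == my_gen) ? RX_OK : RX_UAF;

    if (outer) d->in_io = false;
    return r;
}

/* One receive whose RX buffer address the guest pointed at dma_addr. */
static enum rx_result run_scenario(bool guard, uint32_t dma_addr, int *blocked_out)
{
    static const uint8_t frame[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };  /* constructed */
    struct nic d;
    memset(&d, 0, sizeof d);
    d.guard_enabled = guard;
    enum rx_result r = nic_receive(&d, frame, sizeof frame, dma_addr);
    if (blocked_out) *blocked_out = d.reentries_blocked;
    free(d.rx.data);
    return r;
}

int main(void)
{
    int blocked = 0;
    printf("RAM target, no guard: %s\n", run_scenario(false, 0x10, NULL) == RX_OK ? "ok" : "UAF");
    printf("own TDT, no guard:    %s\n", run_scenario(false, MMIO_BASE + REG_TDT, NULL) == RX_OK ? "ok" : "UAF");
    printf("own TDT, guard:       %s, %d re-entry blocked\n",
           run_scenario(true, MMIO_BASE + REG_TDT, &blocked) == RX_OK ? "ok" : "UAF", blocked);
    return 0;
}
```

The guard here is a modeling choice, not the fix discussed in the thread: refusing DMA targets that fall inside the device's own BAR would close the same path, and either check must be made before the nested send can free the packet the outer receive still references.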


Thread overview: 14+ messages
2020-07-16 19:23 [PATCH] net: check payload length limit for all frames P J P
2020-07-17  0:53 ` Li Qiang
2020-07-17  1:21   ` Alexander Bulekov
2020-07-17  3:13     ` Jason Wang
2020-07-17  5:06       ` P J P
2020-07-17  5:51         ` Jason Wang
2020-07-17  9:08           ` P J P
2020-07-17 10:02             ` Li Qiang
2020-07-20  2:24               ` P J P
2020-07-20  3:33                 ` Alexander Bulekov
2020-07-20 11:46                   ` Li Qiang
2020-07-20 12:57                     ` P J P
2020-07-20 13:20                       ` Li Qiang
2020-07-20 14:02                     ` Alexander Bulekov [this message]
