* [PULL 0/2] Net patches
@ 2021-09-17  8:24 Jason Wang
From: Jason Wang @ 2021-09-17  8:24 UTC (permalink / raw)
  To: qemu-devel, peter.maydell; +Cc: Jason Wang

The following changes since commit d1fe59377bbbf91dfded1f08ffe3c636e9db8dc0:

  Merge remote-tracking branch 'remotes/vivier2/tags/trivial-branch-for-6.2-pull-request' into staging (2021-09-16 16:02:31 +0100)

are available in the git repository at:

  https://github.com/jasowang/qemu.git tags/net-pull-request

for you to fetch changes up to bedd7e93d01961fcb16a97ae45d93acf357e11f6:

  virtio-net: fix use after unmap/free for sg (2021-09-17 16:07:52 +0800)

----------------------------------------------------------------

----------------------------------------------------------------
Jason Wang (1):
      virtio-net: fix use after unmap/free for sg

Paolo Bonzini (1):
      ebpf: only include in system emulators

 ebpf/meson.build    |  2 +-
 hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++-------
 2 files changed, 33 insertions(+), 8 deletions(-)




* [PULL 1/2] ebpf: only include in system emulators
From: Jason Wang @ 2021-09-17  8:24 UTC (permalink / raw)
  To: qemu-devel, peter.maydell; +Cc: Paolo Bonzini, Jason Wang

From: Paolo Bonzini <pbonzini@redhat.com>

eBPF files are being included in user emulators, which is useless and
also breaks compilation because ebpf/trace-events is only processed
if a system emulator is included in the build.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/566
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 ebpf/meson.build | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ebpf/meson.build b/ebpf/meson.build
index 9cd0635..2dd0fd8 100644
--- a/ebpf/meson.build
+++ b/ebpf/meson.build
@@ -1 +1 @@
-common_ss.add(when: libbpf, if_true: files('ebpf_rss.c'), if_false: files('ebpf_rss-stub.c'))
+softmmu_ss.add(when: libbpf, if_true: files('ebpf_rss.c'), if_false: files('ebpf_rss-stub.c'))
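Review bot: the move from common_ss to softmmu_ss matches the commit message (ebpf/trace-events is only generated for system emulators), but note that the stub variant `ebpf_rss-stub.c` is moved too, so user-mode binaries now carry neither the real nor the stub symbols; that is only safe if no user-mode code references the ebpf_rss entry points, and the commit message does not say whether that was checked. A one-line mention in the message would make the intent clear.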
-- 
2.7.4




* [PULL 2/2] virtio-net: fix use after unmap/free for sg
From: Jason Wang @ 2021-09-17  8:24 UTC (permalink / raw)
  To: qemu-devel, peter.maydell; +Cc: Alexander Bulekov, Jason Wang, qemu-stable

When mergeable buffer is enabled, we try to set the num_buffers after
the virtqueue elem has been unmapped. This will lead to several issues,
e.g. a use after free when the descriptor has an address which belongs
to the non direct access region. In this case we use a bounce buffer
that is allocated during address_space_map() and freed during
address_space_unmap().

Fix this by storing the elems temporarily in an array and delaying the
unmap until after we set the num_buffers.

This addresses CVE-2021-3748.

Reported-by: Alexander Bulekov <alxndr@bu.edu>
Fixes: fbe78f4f55c6 ("virtio-net support")
Cc: qemu-stable@nongnu.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++-------
 1 file changed, 32 insertions(+), 7 deletions(-)

diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 16d20cd..f205331 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1746,10 +1746,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
     VirtIONet *n = qemu_get_nic_opaque(nc);
     VirtIONetQueue *q = virtio_net_get_subqueue(nc);
     VirtIODevice *vdev = VIRTIO_DEVICE(n);
+    VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE];
+    size_t lens[VIRTQUEUE_MAX_SIZE];
     struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE];
     struct virtio_net_hdr_mrg_rxbuf mhdr;
     unsigned mhdr_cnt = 0;
-    size_t offset, i, guest_offset;
+    size_t offset, i, guest_offset, j;
+    ssize_t err;
 
     if (!virtio_net_can_receive(nc)) {
         return -1;
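Review bot: the two new arrays `elems[VIRTQUEUE_MAX_SIZE]` and `lens[VIRTQUEUE_MAX_SIZE]` add 2 * 1024 * 8 bytes of stack on 64-bit hosts (VIRTQUEUE_MAX_SIZE is 1024 in QEMU's virtio.h), on top of the existing `mhdr_sg[VIRTQUEUE_MAX_SIZE]` in the same frame. That is about 32 KiB for one call in the receive path; if this function can run on a constrained stack (iothread or coroutine), consider heap-allocating the two arrays or sizing them by the queue's actual size instead.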
@@ -1780,6 +1783,12 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
 
         total = 0;
 
+        if (i == VIRTQUEUE_MAX_SIZE) {
+            virtio_error(vdev, "virtio-net unexpected long buffer chain");
+            err = size;
+            goto err;
+        }
+
         elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement));
         if (!elem) {
             if (i) {
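Review bot: placing the `i == VIRTQUEUE_MAX_SIZE` check before virtqueue_pop() is the right order, since no element is popped and nothing needs releasing for the current iteration; `err = size` follows the existing convention of reporting the packet as consumed when it is dropped. Since the bound is tied to the array sizes declared at the top of the function rather than to the queue, a short comment such as "elems[]/lens[] hold at most VIRTQUEUE_MAX_SIZE entries" next to the check would tell a later reader why this limit exists.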
@@ -1791,7 +1800,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
                              n->guest_hdr_len, n->host_hdr_len,
                              vdev->guest_features);
             }
-            return -1;
+            err = -1;
+            goto err;
         }
 
         if (elem->in_num < 1) {
@@ -1799,7 +1809,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
                          "virtio-net receive queue contains no in buffers");
             virtqueue_detach_element(q->rx_vq, elem, 0);
             g_free(elem);
-            return -1;
+            err = -1;
+            goto err;
         }
 
         sg = elem->in_sg;
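Review bot: this path already does virtqueue_detach_element() and g_free(elem) on the current element before `goto err`, and because `i` has not been incremented for it, the err label will not free it a second time; the stored elems[0..i) are left to the err label. Worth keeping in mind if the err label is ever changed to touch `elem` directly.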
@@ -1836,12 +1847,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
         if (!n->mergeable_rx_bufs && offset < size) {
             virtqueue_unpop(q->rx_vq, elem, total);
             g_free(elem);
-            return size;
+            err = size;
+            goto err;
         }
 
-        /* signal other side */
-        virtqueue_fill(q->rx_vq, elem, total, i++);
-        g_free(elem);
+        elems[i] = elem;
+        lens[i] = total;
+        i++;
     }
 
     if (mhdr_cnt) {
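Review bot: the deferred fill preserves used-ring order because `virtqueue_fill(q->rx_vq, elems[j], lens[j], j)` later walks the array in the same order elements were popped, matching the `i++` the original passed here. A comment at `elems[i] = elem;` explaining why the fill and free are delayed (num_buffers is written into the first element's sg after the loop, and the sg may be a bounce buffer that unmap frees) would stop a future cleanup from moving the fill back into the loop.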
@@ -1851,10 +1863,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
                      &mhdr.num_buffers, sizeof mhdr.num_buffers);
     }
 
+    for (j = 0; j < i; j++) {
+        /* signal other side */
+        virtqueue_fill(q->rx_vq, elems[j], lens[j], j);
+        g_free(elems[j]);
+    }
+
     virtqueue_flush(q->rx_vq, i);
     virtio_notify(vdev, q->rx_vq);
 
     return size;
+
+err:
+    for (j = 0; j < i; j++) {
+        g_free(elems[j]);
+    }
+
+    return err;
 }
 
 static ssize_t virtio_net_do_receive(NetClientState *nc, const uint8_t *buf,
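Review bot: the err path frees elems[0..i) with g_free() only, without virtqueue_detach_element() or virtqueue_unpop(), so the in-flight (inuse) accounting for those popped descriptors is never cleared and they are never returned to the guest; the `in_num < 1` path a few hunks up calls virtqueue_detach_element() before g_free() for exactly this situation. Either detach them here too, or state in the commit message why the partially consumed chain is intentionally abandoned, since the original code had already called virtqueue_fill() on those elements.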
-- 
2.7.4
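The commit message above describes a header write that lands after the scatter-gather mapping has been torn down. The C model below is an added illustration, not QEMU's code and not part of this thread: `as_map()`/`as_unmap()` stand in for address_space_map()/address_space_unmap() (direct RAM maps in place, anything else gets a heap bounce buffer that unmap writes back and frees), `receive()` stands in for the receive loop, and the guest memory, element size and addresses are constructed. It shows why the original ordering happens to work for direct RAM (the host pointer stays valid after unmap) but loses the write when a bounce buffer is involved, and why keeping the mappings alive until after `num_buffers` is patched fixes it. Instead of writing through a freed pointer, the model nulls the pointer and reports the misuse.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed guest memory: the low region is direct-access RAM, the high
 * region stands in for a non-direct region that needs a bounce buffer. */
#define GUEST_RAM_SIZE 4096
#define ELEM_LEN 64
#define MAX_ELEMS 8
static uint8_t guest_ram[GUEST_RAM_SIZE];
static uint8_t mmio_region[GUEST_RAM_SIZE];

/* Offset of num_buffers in struct virtio_net_hdr_mrg_rxbuf (virtio spec layout). */
#define NUM_BUFFERS_OFF 10

typedef struct {
    uint64_t gpa;
    size_t len;
    uint8_t *hva;   /* host pointer handed to the device model */
    bool bounce;    /* hva is a heap bounce buffer, freed by as_unmap() */
} Mapping;

static bool is_direct(uint64_t gpa) { return gpa < GUEST_RAM_SIZE; }

/* Hypothetical stand-in for address_space_map(). */
static Mapping as_map(uint64_t gpa, size_t len)
{
    Mapping m = { .gpa = gpa, .len = len };
    if (is_direct(gpa)) {
        m.hva = guest_ram + gpa;
    } else {
        m.bounce = true;
        m.hva = calloc(1, len);
    }
    return m;
}

/* Hypothetical stand-in for address_space_unmap(): bounce data is copied
 * back to the guest and the buffer freed. For direct RAM the pointer stays
 * valid, which is exactly why the original bug was hard to notice. */
static void as_unmap(Mapping *m)
{
    if (m->bounce) {
        memcpy(mmio_region + (m->gpa - GUEST_RAM_SIZE), m->hva, m->len);
        free(m->hva);
        m->hva = NULL;  /* in real code this would be a dangling pointer */
    }
}

/* Write into a mapping; a write through a freed bounce buffer is refused
 * and reported instead of corrupting the heap. */
static bool mapped_write(Mapping *m, size_t off, const void *src, size_t n)
{
    if (m->hva == NULL || off + n > m->len) {
        return false;
    }
    memcpy(m->hva + off, src, n);
    return true;
}

/* Model of the receive path for a chain of nelems buffers starting at
 * first_gpa. defer == false is the original ordering (unmap each element as
 * it is filled, then patch num_buffers into the first one); defer == true
 * keeps every mapping alive until after the patch, as the fix does with its
 * elems[]/lens[] arrays. Returns true if num_buffers reached the guest. */
static bool receive(uint64_t first_gpa, size_t nelems, bool defer)
{
    Mapping elems[MAX_ELEMS];
    if (nelems == 0 || nelems > MAX_ELEMS) {
        return false;
    }
    for (size_t i = 0; i < nelems; i++) {
        uint8_t payload[ELEM_LEN] = { 0xAB };   /* constructed packet bytes */
        elems[i] = as_map(first_gpa + i * ELEM_LEN, ELEM_LEN);
        mapped_write(&elems[i], 0, payload, sizeof payload);
        if (!defer) {
            as_unmap(&elems[i]);
        }
    }
    uint16_t num_buffers = (uint16_t)nelems;
    bool ok = mapped_write(&elems[0], NUM_BUFFERS_OFF, &num_buffers, sizeof num_buffers);
    if (defer) {
        for (size_t i = 0; i < nelems; i++) {
            as_unmap(&elems[i]);
        }
    }
    return ok;
}

/* Read num_buffers back the way the guest would see it. */
static uint16_t guest_num_buffers(uint64_t gpa)
{
    const uint8_t *base = is_direct(gpa) ? guest_ram + gpa
                                         : mmio_region + (gpa - GUEST_RAM_SIZE);
    uint16_t v;
    memcpy(&v, base + NUM_BUFFERS_OFF, sizeof v);
    return v;
}

int main(void)
{
    printf("direct RAM, early unmap:  %d\n", receive(0x100, 3, false));
    printf("bounce,     early unmap:  %d\n", receive(GUEST_RAM_SIZE + 0x100, 3, false));
    printf("bounce,     deferred:     %d\n", receive(GUEST_RAM_SIZE + 0x100, 3, true));
    return 0;
}
```

The first call succeeds only because direct RAM keeps its host pointer after unmap; the second shows the num_buffers write being lost once a bounce buffer is freed by the unmap, which is the use-after-free the patch removes; the third is the fixed ordering.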




* Re: [PULL 0/2] Net patches
From: Peter Maydell @ 2021-09-20 17:30 UTC (permalink / raw)
  To: Jason Wang; +Cc: QEMU Developers

On Fri, 17 Sept 2021 at 09:24, Jason Wang <jasowang@redhat.com> wrote:
>
> The following changes since commit d1fe59377bbbf91dfded1f08ffe3c636e9db8dc0:
>
>   Merge remote-tracking branch 'remotes/vivier2/tags/trivial-branch-for-6.2-pull-request' into staging (2021-09-16 16:02:31 +0100)
>
> are available in the git repository at:
>
>   https://github.com/jasowang/qemu.git tags/net-pull-request
>
> for you to fetch changes up to bedd7e93d01961fcb16a97ae45d93acf357e11f6:
>
>   virtio-net: fix use after unmap/free for sg (2021-09-17 16:07:52 +0800)
>
> ----------------------------------------------------------------
>
> ----------------------------------------------------------------


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/6.2
for any user-visible changes.

-- PMM

