* [PULL 0/2] Net patches @ 2021-09-17 8:24 Jason Wang
From: Jason Wang @ 2021-09-17 8:24 UTC
To: qemu-devel, peter.maydell; +Cc: Jason Wang

The following changes since commit d1fe59377bbbf91dfded1f08ffe3c636e9db8dc0:

  Merge remote-tracking branch 'remotes/vivier2/tags/trivial-branch-for-6.2-pull-request' into staging (2021-09-16 16:02:31 +0100)

are available in the git repository at:

  https://github.com/jasowang/qemu.git tags/net-pull-request

for you to fetch changes up to bedd7e93d01961fcb16a97ae45d93acf357e11f6:

  virtio-net: fix use after unmap/free for sg (2021-09-17 16:07:52 +0800)

----------------------------------------------------------------

----------------------------------------------------------------
Jason Wang (1):
      virtio-net: fix use after unmap/free for sg

Paolo Bonzini (1):
      ebpf: only include in system emulators

 ebpf/meson.build    |  2 +-
 hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++-------
 2 files changed, 33 insertions(+), 8 deletions(-)
* [PULL 1/2] ebpf: only include in system emulators 2021-09-17 8:24 [PULL 0/2] Net patches Jason Wang @ 2021-09-17 8:24 ` Jason Wang 2021-09-17 8:24 ` [PULL 2/2] virtio-net: fix use after unmap/free for sg Jason Wang 2021-09-20 17:30 ` [PULL 0/2] Net patches Peter Maydell 2 siblings, 0 replies; 4+ messages in thread From: Jason Wang @ 2021-09-17 8:24 UTC (permalink / raw) To: qemu-devel, peter.maydell; +Cc: Paolo Bonzini, Jason Wang From: Paolo Bonzini <pbonzini@redhat.com> eBPF files are being included in user emulators, which is useless and also breaks compilation because ebpf/trace-events is only processed if a system emulator is included in the build. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/566 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com> --- ebpf/meson.build | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ebpf/meson.build b/ebpf/meson.build index 9cd0635..2dd0fd8 100644 --- a/ebpf/meson.build +++ b/ebpf/meson.build @@ -1 +1 @@ -common_ss.add(when: libbpf, if_true: files('ebpf_rss.c'), if_false: files('ebpf_rss-stub.c')) +softmmu_ss.add(when: libbpf, if_true: files('ebpf_rss.c'), if_false: files('ebpf_rss-stub.c')) -- 2.7.4 ^ permalink raw reply related [flat|nested] 4+ messages in thread
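Review bot: moving the `when: libbpf` entry from `common_ss` to `softmmu_ss` drops `ebpf_rss-stub.c` from the user-mode emulators as well as `ebpf_rss.c`, so any linux-user or bsd-user object that referenced an ebpf_rss_* symbol would now fail to link instead of resolving to the stub. The commit message says inclusion in user emulators was useless, which implies no such reference exists; stating that explicitly (which source sets actually use ebpf_rss_*) would let a reader confirm the change is safe without checking, and would make clear that the ebpf/trace-events build break is the symptom rather than the only reason for the move.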
* [PULL 2/2] virtio-net: fix use after unmap/free for sg 2021-09-17 8:24 [PULL 0/2] Net patches Jason Wang 2021-09-17 8:24 ` [PULL 1/2] ebpf: only include in system emulators Jason Wang @ 2021-09-17 8:24 ` Jason Wang 2021-09-20 17:30 ` [PULL 0/2] Net patches Peter Maydell 2 siblings, 0 replies; 4+ messages in thread From: Jason Wang @ 2021-09-17 8:24 UTC (permalink / raw) To: qemu-devel, peter.maydell; +Cc: Alexander Bulekov, Jason Wang, qemu-stable When mergeable buffer is enabled, we try to set the num_buffers after the virtqueue elem has been unmapped. This will lead several issues, E.g a use after free when the descriptor has an address which belongs to the non direct access region. In this case we use bounce buffer that is allocated during address_space_map() and freed during address_space_unmap(). Fixing this by storing the elems temporarily in an array and delay the unmap after we set the the num_buffers. This addresses CVE-2021-3748. Reported-by: Alexander Bulekov <alxndr@bu.edu> Fixes: fbe78f4f55c6 ("virtio-net support") Cc: qemu-stable@nongnu.org Signed-off-by: Jason Wang <jasowang@redhat.com> --- hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++------- 1 file changed, 32 insertions(+), 7 deletions(-) diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c index 16d20cd..f205331 100644 --- a/hw/net/virtio-net.c +++ b/hw/net/virtio-net.c @@ -1746,10 +1746,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, VirtIONet *n = qemu_get_nic_opaque(nc); VirtIONetQueue *q = virtio_net_get_subqueue(nc); VirtIODevice *vdev = VIRTIO_DEVICE(n); + VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE]; + size_t lens[VIRTQUEUE_MAX_SIZE]; struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE]; struct virtio_net_hdr_mrg_rxbuf mhdr; unsigned mhdr_cnt = 0; - size_t offset, i, guest_offset; + size_t offset, i, guest_offset, j; + ssize_t err; if (!virtio_net_can_receive(nc)) { return -1; 
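Review bot: the two arrays added to virtio_net_receive_rcu(), `VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE]` and `size_t lens[VIRTQUEUE_MAX_SIZE]`, sit on the stack beside the existing `struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE]`, so every received packet now reserves a pointer and a size_t per queue slot on top of the iovec array, whether or not mergeable rx buffers are negotiated. The commit message does not mention the larger frame; a sentence noting it (and that VIRTQUEUE_MAX_SIZE bounds it) would help whoever reviews the stable backport, and a single array of {elem, len} pairs would keep the two bookkeeping arrays from drifting apart in later edits.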
@@ -1780,6 +1783,12 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, total = 0; + if (i == VIRTQUEUE_MAX_SIZE) { + virtio_error(vdev, "virtio-net unexpected long buffer chain"); + err = size; + goto err; + } + elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement)); if (!elem) { if (i) { @@ -1791,7 +1800,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, n->guest_hdr_len, n->host_hdr_len, vdev->guest_features); } - return -1; + err = -1; + goto err; } if (elem->in_num < 1) { @@ -1799,7 +1809,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, "virtio-net receive queue contains no in buffers"); virtqueue_detach_element(q->rx_vq, elem, 0); g_free(elem); - return -1; + err = -1; + goto err; } sg = elem->in_sg; @@ -1836,12 +1847,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, if (!n->mergeable_rx_bufs && offset < size) { virtqueue_unpop(q->rx_vq, elem, total); g_free(elem); - return size; + err = size; + goto err; } - /* signal other side */ - virtqueue_fill(q->rx_vq, elem, total, i++); - g_free(elem); + elems[i] = elem; + lens[i] = total; + i++; } if (mhdr_cnt) { @@ -1851,10 +1863,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, &mhdr.num_buffers, sizeof mhdr.num_buffers); } + for (j = 0; j < i; j++) { + /* signal other side */ + virtqueue_fill(q->rx_vq, elems[j], lens[j], j); + g_free(elems[j]); + } + virtqueue_flush(q->rx_vq, i); virtio_notify(vdev, q->rx_vq); return size; + +err: + for (j = 0; j < i; j++) { + g_free(elems[j]); + } + + return err; } static ssize_t virtio_net_do_receive(NetClientState *nc, const uint8_t *buf, -- 2.7.4 ^ permalink raw reply related [flat|nested] 4+ messages in thread
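Review bot: in the new `if (i == VIRTQUEUE_MAX_SIZE)` guard, the message "virtio-net unexpected long buffer chain" reads as if a descriptor chain were too long, but what is bounded here is the number of separate rx buffers merged for one packet, i.e. the index into `elems[]`/`lens[]`; something like "too many rx buffers for one packet" would say what actually happened. The guard itself is right to sit before `virtqueue_pop()`, since it keeps the array index in bounds independently of the virtqueue's own accounting; a short comment saying so would stop a later reader from treating it as redundant with the pop failure path below it.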
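Review bot: the `err:` cleanup loop only calls `g_free(elems[j])`, while the elements were obtained with `virtqueue_pop()` and the existing `in_num < 1` error branch earlier in the function calls `virtqueue_detach_element(q->rx_vq, elem, 0)` before `g_free(elem)`. Elements that are freed without being filled or detached are never accounted back to the virtqueue, so on the `virtqueue_pop() == NULL` and `in_num < 1` branches the buffers already popped for this packet are dropped silently. Suggest `virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);` before `g_free(elems[j]);` in the loop, or a comment explaining why leaving them is acceptable (on the `virtio_error()` path the device is already marked broken, so it does not matter there).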
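The ordering problem the commit message describes, as an added example that is not QEMU code: a toy model of the mergeable-buffer receive path in C, with a fake address space in which one region is served through a bounce buffer that is written back to guest memory and released on unmap, as the commit message says address_space_map()/address_space_unmap() do for non-direct regions. All identifiers here (toy_map, toy_unmap, toy_pop, toy_receive, Bounce, RAM_SIZE, the posted buffers and the 20-byte packet) are this example's own assumptions; the only thing taken from the patch is the ordering. The pre-patch path unmaps each element right after copying into it and then writes num_buffers through the saved header pointer; the patched path keeps the elements in an array, writes num_buffers, then unmaps. So that the stale write stays observable without undefined behaviour, unmap poisons and flags the bounce buffer instead of calling free(); the guest-visible effect is the same either way: with the old ordering the guest never sees the correct num_buffers, because the write landed in memory that had already been released.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RAM_SIZE     256
#define DIRECT_LIMIT 128   /* gpa below this is direct RAM, above it needs a bounce */
#define MAX_ELEMS    4
#define HDR_LEN      2     /* toy virtio_net_hdr_mrg_rxbuf: only num_buffers */

/* Bounce buffer for a non-direct region (assumption of this model: unmap
 * poisons it and sets `freed` instead of calling free(), so a stale write
 * stays observable; QEMU really frees it in address_space_unmap()). */
typedef struct { uint8_t data[64]; uint64_t gpa; size_t len; bool in_use, freed; } Bounce;
typedef struct { uint64_t gpa; size_t len; uint8_t *host; Bounce *bounce; } Elem;
typedef struct { int used, uaf_writes; uint16_t guest_num_buffers; bool payload_ok; } Result;

static uint8_t guest_ram[RAM_SIZE];
static Bounce  pool[MAX_ELEMS];
static Elem    rx_queue[MAX_ELEMS];
static int     rx_head, rx_count, uaf_writes;

/* Toy address_space_map(): direct RAM hands back a pointer, otherwise a bounce. */
static uint8_t *toy_map(uint64_t gpa, size_t len, Bounce **bp)
{
    *bp = NULL;
    if (gpa + len > RAM_SIZE) return NULL;
    if (gpa + len <= DIRECT_LIMIT) return &guest_ram[gpa];
    for (int k = 0; k < MAX_ELEMS; k++) {
        if (!pool[k].in_use && len <= sizeof pool[k].data) {
            pool[k] = (Bounce){ .gpa = gpa, .len = len, .in_use = true };
            *bp = &pool[k];
            return pool[k].data;
        }
    }
    return NULL;
}

/* Toy address_space_unmap(): write back to guest RAM, then release the bounce. */
static void toy_unmap(Bounce *b)
{
    if (!b) return;
    memcpy(&guest_ram[b->gpa], b->data, b->len);
    memset(b->data, 0xAA, sizeof b->data);   /* poison, like freed heap */
    b->freed = true;
    b->in_use = false;
}

/* Toy virtqueue_pop(): next guest-posted buffer, mapped. */
static Elem *toy_pop(void)
{
    if (rx_head == rx_count) return NULL;
    Elem *e = &rx_queue[rx_head++];
    e->host = toy_map(e->gpa, e->len, &e->bounce);
    return e->host ? e : NULL;
}

/* Receive `size` bytes into mergeable rx buffers; num_buffers lives in the
 * first buffer's header and is only known after the loop. `fixed` selects
 * the patched ordering (retain, write header, then unmap) over the
 * pre-patch one (unmap each buffer as soon as it has been filled). */
static int toy_receive(const uint8_t *pkt, size_t size, bool fixed)
{
    Elem *elems[MAX_ELEMS], *e;
    uint8_t *hdr = NULL;              /* models mhdr_sg */
    Bounce *hdr_bounce = NULL;
    size_t offset = 0, off, n;
    int i = 0;

    do {
        if (i == MAX_ELEMS || !(e = toy_pop())) goto err;     /* queue exhausted */
        off = i == 0 ? HDR_LEN : 0;
        if (e->len < off) { toy_unmap(e->bounce); goto err; }  /* no room for header */
        if (i == 0) { hdr = e->host; hdr_bounce = e->bounce; }
        n = size - offset < e->len - off ? size - offset : e->len - off;
        memcpy(e->host + off, pkt + offset, n);
        offset += n;
        if (fixed) elems[i] = e;          /* keep mapped until the header is final */
        else       toy_unmap(e->bounce);  /* pre-patch: bounce released right here */
        i++;
    } while (offset < size);

    /* Pre-patch, this writes through a pointer into an already released bounce. */
    if (hdr_bounce && hdr_bounce->freed) uaf_writes++;
    hdr[0] = (uint8_t)i;
    hdr[1] = (uint8_t)(i >> 8);
    if (fixed) for (int j = 0; j < i; j++) toy_unmap(elems[j]->bounce);
    return i;

err:
    if (fixed) for (int j = 0; j < i; j++) toy_unmap(elems[j]->bounce);
    return -1;
}

/* Constructed scenario: a 10-byte buffer in the bounced region, a 16-byte
 * buffer in direct RAM, and a 20-byte packet holding bytes 0..19. */
static Result toy_scenario(bool fixed)
{
    uint8_t pkt[20];
    Result r;

    memset(guest_ram, 0, sizeof guest_ram);
    memset(pool, 0, sizeof pool);
    rx_head = rx_count = uaf_writes = 0;
    rx_queue[rx_count++] = (Elem){ .gpa = 200, .len = 10 };
    rx_queue[rx_count++] = (Elem){ .gpa = 0, .len = 16 };
    for (int k = 0; k < 20; k++) pkt[k] = (uint8_t)k;

    r.used = toy_receive(pkt, sizeof pkt, fixed);
    r.uaf_writes = uaf_writes;
    r.guest_num_buffers = (uint16_t)(guest_ram[200] | guest_ram[201] << 8);
    r.payload_ok = !memcmp(&guest_ram[202], pkt, 8) && !memcmp(&guest_ram[0], pkt + 8, 12);
    return r;
}

int main(void)
{
    Result pre = toy_scenario(false), post = toy_scenario(true);
    printf("pre-patch: guest sees num_buffers=%u, writes into freed bounce=%d\n",
           pre.guest_num_buffers, pre.uaf_writes);
    printf("patched:   guest sees num_buffers=%u, writes into freed bounce=%d\n",
           post.guest_num_buffers, post.uaf_writes);
    return 0;
}
```

The payload bytes arrive intact in both orderings, which is why the bug is easy to miss in a functional test: only the header field written after the loop goes through the stale pointer, and in the real code that pointer refers to heap memory that has been freed rather than to a poisoned slot. The `err:` label mirrors the patch's cleanup loop for the retained elements; in the pre-patch ordering there is nothing to clean up because every buffer was already unmapped as it was filled.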
* Re: [PULL 0/2] Net patches @ 2021-09-20 17:30 Peter Maydell
From: Peter Maydell @ 2021-09-20 17:30 UTC
To: Jason Wang; +Cc: QEMU Developers

On Fri, 17 Sept 2021 at 09:24, Jason Wang <jasowang@redhat.com> wrote:
>
> The following changes since commit d1fe59377bbbf91dfded1f08ffe3c636e9db8dc0:
>
>   Merge remote-tracking branch 'remotes/vivier2/tags/trivial-branch-for-6.2-pull-request' into staging (2021-09-16 16:02:31 +0100)
>
> are available in the git repository at:
>
>   https://github.com/jasowang/qemu.git tags/net-pull-request
>
> for you to fetch changes up to bedd7e93d01961fcb16a97ae45d93acf357e11f6:
>
>   virtio-net: fix use after unmap/free for sg (2021-09-17 16:07:52 +0800)
>
> ----------------------------------------------------------------
>
> ----------------------------------------------------------------

Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/6.2
for any user-visible changes.

-- PMM