* [PULL 0/3] Net patches
@ 2021-11-19  4:03 Jason Wang
  2021-11-19  4:03 ` [PULL 1/3] net: vmxnet3: validate configuration values during activate (CVE-2021-20203) Jason Wang
                   ` (3 more replies)
  0 siblings, 4 replies; 11+ messages in thread
From: Jason Wang @ 2021-11-19  4:03 UTC (permalink / raw)
  To: qemu-devel, peter.maydell; +Cc: Jason Wang

The following changes since commit 44a3aa0608f01274418487b655d42467c1d8334e:

  Merge tag 'sev-hashes-pull-request' of https://gitlab.com/berrange/qemu into staging (2021-11-18 15:06:05 +0100)

are available in the git repository at:

  https://github.com/jasowang/qemu.git tags/net-pull-request

for you to fetch changes up to 0656fbc7ddccdade1709742a9b56ae07dd3c280a:

  net/colo-compare.c: Fix incorrect return when input wrong size (2021-11-19 11:44:22 +0800)

----------------------------------------------------------------

----------------------------------------------------------------
Prasad J Pandit (1):
      net: vmxnet3: validate configuration values during activate (CVE-2021-20203)

Zhang Chen (2):
      net/colo-compare.c: Fix ACK track reverse issue
      net/colo-compare.c: Fix incorrect return when input wrong size

 hw/net/vmxnet3.c   | 13 +++++++++++++
 net/colo-compare.c |  8 +++++---
 2 files changed, 18 insertions(+), 3 deletions(-)





* [PULL 1/3] net: vmxnet3: validate configuration values during activate (CVE-2021-20203)
  2021-11-19  4:03 [PULL 0/3] Net patches Jason Wang
@ 2021-11-19  4:03 ` Jason Wang
  2021-11-19  4:03 ` [PULL 2/3] net/colo-compare.c: Fix ACK track reverse issue Jason Wang
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 11+ messages in thread
From: Jason Wang @ 2021-11-19  4:03 UTC (permalink / raw)
  To: qemu-devel, peter.maydell; +Cc: Jason Wang, Gaoning Pan, Prasad J Pandit

From: Prasad J Pandit <pjp@fedoraproject.org>

While activating device in vmxnet3_activate_device(), it does not
validate guest supplied configuration values against predefined
minimum - maximum limits. This may lead to integer overflow or
OOB access issues. Add checks to avoid it.

Fixes: CVE-2021-20203
Buglink: https://bugs.launchpad.net/qemu/+bug/1913873
Reported-by: Gaoning Pan <pgn@zju.edu.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/vmxnet3.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index 41f796a..f65af4e 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -1441,6 +1441,7 @@ static void vmxnet3_activate_device(VMXNET3State *s)
     vmxnet3_setup_rx_filtering(s);
     /* Cache fields from shared memory */
     s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu);
+    assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU);
     VMW_CFPRN("MTU is %u", s->mtu);
 
     s->max_rx_frags =
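Review bot: the assert() on s->mtu turns an out-of-range guest-supplied value into a host-side abort, so a guest that writes a bad devRead.misc.mtu can terminate the QEMU process. The ring-size checks later in this patch clamp instead; the MTU path would be safer if it logged the bad value and stopped activation rather than asserting. The upper bound is also exclusive (s->mtu < VMXNET3_MAX_MTU), which refuses an MTU equal to VMXNET3_MAX_MTU; if that constant is the largest legal value, the comparison should be <=.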
@@ -1486,6 +1487,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
         /* Read rings memory locations for TX queues */
         pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA);
         size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize);
+        if (size > VMXNET3_TX_RING_MAX_SIZE) {
+            size = VMXNET3_TX_RING_MAX_SIZE;
+        }
 
         vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size,
                           sizeof(struct Vmxnet3_TxDesc), false);
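Review bot: only the upper bound of conf.txRingSize is checked here, although the commit message speaks of minimum and maximum limits. A size of 0, or anything below whatever minimum the device defines, still reaches vmxnet3_ring_init() unchanged. Suggest adding the lower-bound check next to the new "if (size > VMXNET3_TX_RING_MAX_SIZE)" test, or stating in the commit message why small values are harmless.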
@@ -1496,6 +1500,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
         /* TXC ring */
         pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA);
         size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize);
+        if (size > VMXNET3_TC_RING_MAX_SIZE) {
+            size = VMXNET3_TC_RING_MAX_SIZE;
+        }
         vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size,
                           sizeof(struct Vmxnet3_TxCompDesc), true);
         VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring);
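Review bot: the TXC clamp silently replaces the guest's conf.compRingSize with VMXNET3_TC_RING_MAX_SIZE, so the device continues with a ring geometry that differs from what the guest driver configured and nothing records that this happened. Suggest logging the rejected value as a guest error inside the new if block, or failing activation, so a misbehaving guest is visible to whoever debugs the resulting ring corruption.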
@@ -1537,6 +1544,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
             /* RX rings */
             pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]);
             size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]);
+            if (size > VMXNET3_RX_RING_MAX_SIZE) {
+                size = VMXNET3_RX_RING_MAX_SIZE;
+            }
             vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size,
                               sizeof(struct Vmxnet3_RxDesc), false);
             VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d",
@@ -1546,6 +1556,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
         /* RXC ring */
         pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA);
         size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize);
+        if (size > VMXNET3_RC_RING_MAX_SIZE) {
+            size = VMXNET3_RC_RING_MAX_SIZE;
+        }
         vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size,
                           sizeof(struct Vmxnet3_RxCompDesc), true);
         VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size);
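Review bot: this is the fourth copy of the same three-line "if (size > ..._MAX_SIZE) size = ..._MAX_SIZE;" pattern in vmxnet3_activate_device(). A small helper that takes the raw size and the limit (and does any logging or lower-bound checking in one place) would keep the four ring types from drifting apart when the validation is next changed.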
-- 
2.7.4




* [PULL 2/3] net/colo-compare.c: Fix ACK track reverse issue
  2021-11-19  4:03 [PULL 0/3] Net patches Jason Wang
  2021-11-19  4:03 ` [PULL 1/3] net: vmxnet3: validate configuration values during activate (CVE-2021-20203) Jason Wang
@ 2021-11-19  4:03 ` Jason Wang
  2021-11-19  4:03 ` [PULL 3/3] net/colo-compare.c: Fix incorrect return when input wrong size Jason Wang
  2021-11-19 10:01 ` [PULL 0/3] Net patches Richard Henderson
  3 siblings, 0 replies; 11+ messages in thread
From: Jason Wang @ 2021-11-19  4:03 UTC (permalink / raw)
  To: qemu-devel, peter.maydell; +Cc: Zhang Chen, Jason Wang

From: Zhang Chen <chen.zhang@intel.com>

The TCP protocol ACK may be bigger than uint32_t MAX.
At this time, the ACK will reverse to 0. This patch
fixes the max_ack and min_ack track issue.

Signed-off-by: Zhang Chen <chen.zhang@intel.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 net/colo-compare.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/colo-compare.c b/net/colo-compare.c
index b8876d7..1225f40 100644
--- a/net/colo-compare.c
+++ b/net/colo-compare.c
@@ -209,7 +209,8 @@ static void fill_pkt_tcp_info(void *data, uint32_t *max_ack)
 
     pkt->tcp_seq = ntohl(tcphd->th_seq);
     pkt->tcp_ack = ntohl(tcphd->th_ack);
-    *max_ack = *max_ack > pkt->tcp_ack ? *max_ack : pkt->tcp_ack;
+    /* Need to consider ACK will bigger than uint32_t MAX */
+    *max_ack = pkt->tcp_ack - *max_ack > 0 ? pkt->tcp_ack : *max_ack;
     pkt->header_size = pkt->transport_header - (uint8_t *)pkt->data
                        + (tcphd->th_off << 2);
     pkt->payload_size = pkt->size - pkt->header_size;
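Review bot: in the new max_ack line, *max_ack is uint32_t per the function signature, so if pkt->tcp_ack is also a 32-bit unsigned field the expression "pkt->tcp_ack - *max_ack > 0" is evaluated in unsigned arithmetic and is true whenever the two values differ. That makes *max_ack follow the most recent ACK, including an older one arriving late, rather than the furthest one. A wraparound-aware comparison needs the difference reinterpreted as signed, for example "(int32_t)(pkt->tcp_ack - *max_ack) > 0".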
@@ -413,7 +414,8 @@ static void colo_compare_tcp(CompareState *s, Connection *conn)
      * can ensure that the packet's payload is acknowledged by
      * primary and secondary.
     */
-    uint32_t min_ack = conn->pack > conn->sack ? conn->sack : conn->pack;
+    uint32_t min_ack = conn->pack - conn->sack > 0 ?
+                       conn->sack : conn->pack;
 
 pri:
     if (g_queue_is_empty(&conn->primary_list)) {
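Review bot: the min_ack initialiser has the same problem as the max_ack change above. If conn->pack and conn->sack are unsigned 32-bit values, "conn->pack - conn->sack > 0" is just "conn->pack != conn->sack", so the expression picks conn->sack whenever they differ, even when conn->sack is the larger of the two. Suggest "(int32_t)(conn->pack - conn->sack) > 0" so the smaller ACK is chosen on both sides of a wrap.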
-- 
2.7.4
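
Wraparound-safe ACK tracking for the problem described in the message above, as an added example: it is not part of the patch or of QEMU, and all function names and sample values are hypothetical. It contrasts a plain unsigned comparison, an unsigned difference tested against zero, and a signed serial-number comparison.

```c
#include <stdint.h>
#include <stdio.h>

/* Plain unsigned comparison: stays stuck on the pre-wrap value once the
 * 32-bit ACK number wraps past UINT32_MAX. */
static uint32_t max_ack_naive(uint32_t cur_max, uint32_t ack)
{
    return cur_max > ack ? cur_max : ack;
}

/* Unsigned difference tested against zero: the subtraction is modulo 2^32,
 * so the result is > 0 whenever the operands differ. A stale (older) ACK
 * therefore replaces the tracked maximum. */
static uint32_t max_ack_unsigned_diff(uint32_t cur_max, uint32_t ack)
{
    return ack - cur_max > 0 ? ack : cur_max;
}

/* Serial-number comparison: reinterpret the modulo-2^32 difference as a
 * signed value. a is "after" b when it is less than 2^31 ahead of it.
 * The conversion to int32_t relies on two's-complement behaviour, which
 * mainstream compilers provide. */
static int ack_after(uint32_t a, uint32_t b)
{
    return (int32_t)(a - b) > 0;
}

static uint32_t max_ack_serial(uint32_t cur_max, uint32_t ack)
{
    return ack_after(ack, cur_max) ? ack : cur_max;
}

static uint32_t min_ack_serial(uint32_t a, uint32_t b)
{
    return ack_after(a, b) ? b : a;
}

int main(void)
{
    /* Constructed sample values: one wrap case, one stale-ACK case. */
    const uint32_t pre_wrap = 0xFFFFFF00u, post_wrap = 0x00000010u;

    printf("wrap:  naive=%08x unsigned_diff=%08x serial=%08x\n",
           (unsigned)max_ack_naive(pre_wrap, post_wrap),
           (unsigned)max_ack_unsigned_diff(pre_wrap, post_wrap),
           (unsigned)max_ack_serial(pre_wrap, post_wrap));
    printf("stale: naive=%u unsigned_diff=%u serial=%u\n",
           (unsigned)max_ack_naive(1000, 900),
           (unsigned)max_ack_unsigned_diff(1000, 900),
           (unsigned)max_ack_serial(1000, 900));
    printf("min across wrap: %08x\n",
           (unsigned)min_ack_serial(post_wrap, pre_wrap));
    return 0;
}
```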




* [PULL 3/3] net/colo-compare.c: Fix incorrect return when input wrong size
  2021-11-19  4:03 [PULL 0/3] Net patches Jason Wang
  2021-11-19  4:03 ` [PULL 1/3] net: vmxnet3: validate configuration values during activate (CVE-2021-20203) Jason Wang
  2021-11-19  4:03 ` [PULL 2/3] net/colo-compare.c: Fix ACK track reverse issue Jason Wang
@ 2021-11-19  4:03 ` Jason Wang
  2021-11-19 10:01 ` [PULL 0/3] Net patches Richard Henderson
  3 siblings, 0 replies; 11+ messages in thread
From: Jason Wang @ 2021-11-19  4:03 UTC (permalink / raw)
  To: qemu-devel, peter.maydell; +Cc: Zhang Chen, Jason Wang

From: Zhang Chen <chen.zhang@intel.com>

Signed-off-by: Zhang Chen <chen.zhang@intel.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 net/colo-compare.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/colo-compare.c b/net/colo-compare.c
index 1225f40..b966e7e 100644
--- a/net/colo-compare.c
+++ b/net/colo-compare.c
@@ -807,7 +807,7 @@ static int compare_chr_send(CompareState *s,
     }
 
     if (!size) {
-        return 0;
+        return -1;
     }
 
     entry = g_slice_new(SendEntry);
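Review bot: the "if (!size)" branch now reports a zero-length send as a failure instead of success, but the commit message has no body explaining which caller depended on the old value or what goes wrong with "return 0". Suggest describing the observed misbehaviour in the commit message and confirming that every caller of compare_chr_send() treats a negative return as an error and does not read it as a byte count.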
-- 
2.7.4




* Re: [PULL 0/3] Net patches
  2021-11-19  4:03 [PULL 0/3] Net patches Jason Wang
                   ` (2 preceding siblings ...)
  2021-11-19  4:03 ` [PULL 3/3] net/colo-compare.c: Fix incorrect return when input wrong size Jason Wang
@ 2021-11-19 10:01 ` Richard Henderson
  3 siblings, 0 replies; 11+ messages in thread
From: Richard Henderson @ 2021-11-19 10:01 UTC (permalink / raw)
  To: Jason Wang, qemu-devel, peter.maydell

On 11/19/21 5:03 AM, Jason Wang wrote:
> The following changes since commit 44a3aa0608f01274418487b655d42467c1d8334e:
> 
>    Merge tag 'sev-hashes-pull-request' of https://gitlab.com/berrange/qemu into staging (2021-11-18 15:06:05 +0100)
> 
> are available in the git repository at:
> 
>    https://github.com/jasowang/qemu.git tags/net-pull-request
> 
> for you to fetch changes up to 0656fbc7ddccdade1709742a9b56ae07dd3c280a:
> 
>    net/colo-compare.c: Fix incorrect return when input wrong size (2021-11-19 11:44:22 +0800)
> 
> ----------------------------------------------------------------
> 
> ----------------------------------------------------------------
> Prasad J Pandit (1):
>        net: vmxnet3: validate configuration values during activate (CVE-2021-20203)
> 
> Zhang Chen (2):
>        net/colo-compare.c: Fix ACK track reverse issue
>        net/colo-compare.c: Fix incorrect return when input wrong size
> 
>   hw/net/vmxnet3.c   | 13 +++++++++++++
>   net/colo-compare.c |  8 +++++---
>   2 files changed, 18 insertions(+), 3 deletions(-)

Applied, thanks.

r~



* Re: [PULL 0/3] Net patches
  2023-11-21  9:57 Jason Wang
@ 2023-11-21 15:12 ` Stefan Hajnoczi
  0 siblings, 0 replies; 11+ messages in thread
From: Stefan Hajnoczi @ 2023-11-21 15:12 UTC (permalink / raw)
  To: Jason Wang; +Cc: qemu-devel

Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/8.2 for any user-visible changes.


* [PULL 0/3] Net patches
@ 2023-11-21  9:57 Jason Wang
  2023-11-21 15:12 ` Stefan Hajnoczi
  0 siblings, 1 reply; 11+ messages in thread
From: Jason Wang @ 2023-11-21  9:57 UTC (permalink / raw)
  To: qemu-devel

The following changes since commit af9264da80073435fd78944bc5a46e695897d7e5:

  Merge tag '20231119-xtensa-1' of https://github.com/OSLL/qemu-xtensa into staging (2023-11-20 05:25:19 -0500)

are available in the git repository at:

  https://github.com/jasowang/qemu.git tags/net-pull-request

for you to fetch changes up to 84f85eb95f14add02efd5e69f2ff7783d79b24f7:

  net: do not delete nics in net_cleanup() (2023-11-21 15:42:34 +0800)

----------------------------------------------------------------

----------------------------------------------------------------
Akihiko Odaki (2):
      net: Provide MemReentrancyGuard * to qemu_new_nic()
      net: Update MemReentrancyGuard for NIC

David Woodhouse (1):
      net: do not delete nics in net_cleanup()

 hw/net/allwinner-sun8i-emac.c |  3 ++-
 hw/net/allwinner_emac.c       |  3 ++-
 hw/net/cadence_gem.c          |  3 ++-
 hw/net/dp8393x.c              |  3 ++-
 hw/net/e1000.c                |  3 ++-
 hw/net/e1000e.c               |  2 +-
 hw/net/eepro100.c             |  4 +++-
 hw/net/etraxfs_eth.c          |  3 ++-
 hw/net/fsl_etsec/etsec.c      |  3 ++-
 hw/net/ftgmac100.c            |  3 ++-
 hw/net/i82596.c               |  2 +-
 hw/net/igb.c                  |  2 +-
 hw/net/imx_fec.c              |  2 +-
 hw/net/lan9118.c              |  3 ++-
 hw/net/mcf_fec.c              |  3 ++-
 hw/net/mipsnet.c              |  3 ++-
 hw/net/msf2-emac.c            |  3 ++-
 hw/net/mv88w8618_eth.c        |  3 ++-
 hw/net/ne2000-isa.c           |  3 ++-
 hw/net/ne2000-pci.c           |  3 ++-
 hw/net/npcm7xx_emc.c          |  3 ++-
 hw/net/opencores_eth.c        |  3 ++-
 hw/net/pcnet.c                |  3 ++-
 hw/net/rocker/rocker_fp.c     |  4 ++--
 hw/net/rtl8139.c              |  3 ++-
 hw/net/smc91c111.c            |  3 ++-
 hw/net/spapr_llan.c           |  3 ++-
 hw/net/stellaris_enet.c       |  3 ++-
 hw/net/sungem.c               |  2 +-
 hw/net/sunhme.c               |  3 ++-
 hw/net/tulip.c                |  3 ++-
 hw/net/virtio-net.c           |  6 ++++--
 hw/net/vmxnet3.c              |  2 +-
 hw/net/xen_nic.c              |  3 ++-
 hw/net/xgmac.c                |  3 ++-
 hw/net/xilinx_axienet.c       |  3 ++-
 hw/net/xilinx_ethlite.c       |  3 ++-
 hw/usb/dev-network.c          |  3 ++-
 include/net/net.h             |  2 ++
 net/net.c                     | 43 +++++++++++++++++++++++++++++++++++++------
 40 files changed, 112 insertions(+), 46 deletions(-)





* Re: [PULL 0/3] Net patches
  2022-07-26  8:50 Jason Wang
@ 2022-07-26 12:28 ` Peter Maydell
  0 siblings, 0 replies; 11+ messages in thread
From: Peter Maydell @ 2022-07-26 12:28 UTC (permalink / raw)
  To: Jason Wang; +Cc: qemu-devel

On Tue, 26 Jul 2022 at 09:51, Jason Wang <jasowang@redhat.com> wrote:
>
> The following changes since commit 5288bee45fbd33203b61f8c76e41b15bb5913e6e:
>
>   Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging (2022-07-21 11:13:01 +0100)
>
> are available in the git repository at:
>
>   https://github.com/jasowang/qemu.git tags/net-pull-request
>
> for you to fetch changes up to 75a8ce64f6e37513698857fb4284170da163ed06:
>
>   vdpa: Fix memory listener deletions of iova tree (2022-07-26 16:24:19 +0800)
>
> ----------------------------------------------------------------
>


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/7.1
for any user-visible changes.

-- PMM



* [PULL 0/3] Net patches
@ 2022-07-26  8:50 Jason Wang
  2022-07-26 12:28 ` Peter Maydell
  0 siblings, 1 reply; 11+ messages in thread
From: Jason Wang @ 2022-07-26  8:50 UTC (permalink / raw)
  To: qemu-devel, peter.maydell

The following changes since commit 5288bee45fbd33203b61f8c76e41b15bb5913e6e:

  Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging (2022-07-21 11:13:01 +0100)

are available in the git repository at:

  https://github.com/jasowang/qemu.git tags/net-pull-request

for you to fetch changes up to 75a8ce64f6e37513698857fb4284170da163ed06:

  vdpa: Fix memory listener deletions of iova tree (2022-07-26 16:24:19 +0800)

----------------------------------------------------------------

----------------------------------------------------------------
Ake Koomsin (1):
      e1000e: Fix possible interrupt loss when using MSI

Eugenio Pérez (2):
      vhost: Get vring base from vq, not svq
      vdpa: Fix memory listener deletions of iova tree

 hw/net/e1000e_core.c   |  2 ++
 hw/virtio/vhost-vdpa.c | 26 +++++++++++++-------------
 2 files changed, 15 insertions(+), 13 deletions(-)




* Re: [PULL 0/3] Net patches
  2021-05-26  8:24 Jason Wang
@ 2021-05-26  9:09 ` Philippe Mathieu-Daudé
  0 siblings, 0 replies; 11+ messages in thread
From: Philippe Mathieu-Daudé @ 2021-05-26  9:09 UTC (permalink / raw)
  To: peter.maydell; +Cc: Jason Wang, qemu-devel

On 5/26/21 10:24 AM, Jason Wang wrote:
> The following changes since commit d90f154867ec0ec22fd719164b88716e8fd48672:
> 
>   Merge remote-tracking branch 'remotes/dg-gitlab/tags/ppc-for-6.1-20210504' into staging (2021-05-05 20:29:14 +0100)
> 
> are available in the git repository at:
> 
>   https://github.com/jasowang/qemu.git tags/net-pull-request
> 
> for you to fetch changes up to 7ec0d72cd519e569b6d1ef11be770beb67dd0824:
> 
>   tap-bsd: Remove special casing for older OpenBSD releases (2021-05-26 16:20:27 +0800)
> 
> ----------------------------------------------------------------
> 
> ----------------------------------------------------------------
> Brad Smith (1):
>       tap-bsd: Remove special casing for older OpenBSD releases
> 
> Guenter Roeck (1):
>       hw/net/imx_fec: return 0xffff when accessing non-existing PHY
> 
> Laurent Vivier (1):
>       virtio-net: failover: add missing remove_migration_state_change_notifier()
> 
>  hw/net/imx_fec.c    | 8 +++-----
>  hw/net/trace-events | 2 ++
>  hw/net/virtio-net.c | 1 +
>  net/tap-bsd.c       | 8 --------
>  4 files changed, 6 insertions(+), 13 deletions(-)

UTF-8 mojibake in patch 1.



* [PULL 0/3] Net patches
@ 2021-05-26  8:24 Jason Wang
  2021-05-26  9:09 ` Philippe Mathieu-Daudé
  0 siblings, 1 reply; 11+ messages in thread
From: Jason Wang @ 2021-05-26  8:24 UTC (permalink / raw)
  To: peter.maydell; +Cc: Jason Wang, qemu-devel

The following changes since commit d90f154867ec0ec22fd719164b88716e8fd48672:

  Merge remote-tracking branch 'remotes/dg-gitlab/tags/ppc-for-6.1-20210504' into staging (2021-05-05 20:29:14 +0100)

are available in the git repository at:

  https://github.com/jasowang/qemu.git tags/net-pull-request

for you to fetch changes up to 7ec0d72cd519e569b6d1ef11be770beb67dd0824:

  tap-bsd: Remove special casing for older OpenBSD releases (2021-05-26 16:20:27 +0800)

----------------------------------------------------------------

----------------------------------------------------------------
Brad Smith (1):
      tap-bsd: Remove special casing for older OpenBSD releases

Guenter Roeck (1):
      hw/net/imx_fec: return 0xffff when accessing non-existing PHY

Laurent Vivier (1):
      virtio-net: failover: add missing remove_migration_state_change_notifier()

 hw/net/imx_fec.c    | 8 +++-----
 hw/net/trace-events | 2 ++
 hw/net/virtio-net.c | 1 +
 net/tap-bsd.c       | 8 --------
 4 files changed, 6 insertions(+), 13 deletions(-)



