From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:59240)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <jasowang@redhat.com>) id 1a4g18-0007q1-QE
	for qemu-devel@nongnu.org; Thu, 03 Dec 2015 21:22:39 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <jasowang@redhat.com>) id 1a4g15-0008RT-LY
	for qemu-devel@nongnu.org; Thu, 03 Dec 2015 21:22:38 -0500
Received: from mx1.redhat.com ([209.132.183.28]:50200)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <jasowang@redhat.com>) id 1a4g15-0008Pa-G0
	for qemu-devel@nongnu.org; Thu, 03 Dec 2015 21:22:35 -0500
References: <alpine.LFD.2.20.1512021731340.15831@wniryva>
From: Jason Wang <jasowang@redhat.com>
Message-ID: <5660F8E2.5030100@redhat.com>
Date: Fri, 4 Dec 2015 10:22:26 +0800
MIME-Version: 1.0
In-Reply-To: <alpine.LFD.2.20.1512021731340.15831@wniryva>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] net: vmxnet3: memory leakage issue
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: P J P <ppandit@redhat.com>, qemu-devel@nongnu.org
Cc: Dmitry Fleytman <dmitry@daynix.com>, Qinghao Tang <luodalongde@gmail.com>



On 12/02/2015 08:17 PM, P J P wrote:
>   Hello Dmitry, all
>
> A memory leakage issue was reported by Mr Qinghao Tang, CC'd here.
>
> In that, the Qemu VMXNET3 paravirtual device emulator does not check
> if the device is already active, before activating it. This leads to
> host memory leakage via calls to vmxnet_tx_pkt_init(), which calls
> g_malloc0().
>
> ===
> static void vmxnet3_activate_device(VMXNET3State *s)
> {
>    ...
>    /* Preallocate TX packet wrapper */
>    VMW_CFPRN("Max TX fragments is %u", s->max_tx_frags);
>    vmxnet_tx_pkt_init(&s->tx_pkt, s->max_tx_frags, s->peer_has_vhdr);
>    ...
> }
> ===
>
> A malicious guest driver could use this flaw to leak excessive memory
> on the host, eventually killing the Qemu process.
>
> Please see attached herein is a proposed (tested)patch which fixes
> this issue. Please let me know if it's okay or requires any changes.
>
> Thank you.
> -- 
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

What if, guest de-active the device before re-active it?

Looks like it could be done through methods:

1) VMXNET3_CMD_QUIESCE_DEV
2) VMXNET3_REG_DSAL

So looks like need to free both tx_pkt and rx_pkt during deactivating?