From: Jason Wang
To: Dmitry Fleytman, P J P
Cc: Qinghao Tang, qemu-devel@nongnu.org
Date: Fri, 4 Dec 2015 11:16:50 +0800
Subject: Re: [Qemu-devel] net: vmxnet3: memory leakage issue
Message-ID: <566105A2.6040508@redhat.com>
In-Reply-To: <66A887B2-7CFF-45F9-AD7F-1381F8B1F318@daynix.com>
References: <66A887B2-7CFF-45F9-AD7F-1381F8B1F318@daynix.com>

On 12/03/2015 03:17 PM, Dmitry Fleytman wrote:
> Hello Prasad,
>
> The patch is good.
> Jason, would you apply it from the attachment or should it be resent by
> "git send-email"?

Better with "git send-email". And I've a question for this patch which
needs to be answered before merging this.

What if the guest deactivates the device before re-activating it?

Thanks

>
> Acked-by: Dmitry Fleytman
>
>
> ~Dmitry
>
>> On 2 Dec 2015, at 14:17 PM, P J P wrote:
>>
>> Hello Dmitry, all
>>
>> A memory leakage issue was reported by Mr Qinghao Tang, CC'd here.
>>
>> In that, the Qemu VMXNET3 paravirtual device emulator does not check
>> if the device is already active, before activating it. This leads to
>> host memory leakage via calls to vmxnet_tx_pkt_init(), which calls
>> g_malloc0().
>>
>> ===
>> static void vmxnet3_activate_device(VMXNET3State *s)
>> {
>>     ...
>>     /* Preallocate TX packet wrapper */
>>     VMW_CFPRN("Max TX fragments is %u", s->max_tx_frags);
>>     vmxnet_tx_pkt_init(&s->tx_pkt, s->max_tx_frags, s->peer_has_vhdr);
>>     ...
>> }
>> ===
>>
>> A malicious guest driver could use this flaw to leak excessive memory
>> on the host, eventually killing the Qemu process.
>>
>> Please see attached herein a proposed (tested) patch which fixes
>> this issue. Please let me know if it's okay or requires any changes.
>>
>> Thank you.
>> --
>> Prasad J Pandit / Red Hat Product Security Team
>> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
>> <0001-net-vmxnet3-avoid-multiple-activations-of-device.patch>
>
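The activation path Prasad describes, modelled in added example code that is neither QEMU's source nor the attached patch: an activation that allocates the TX wrapper without checking whether the device is already active, beside a checked version that also honours the deactivate-then-reactivate sequence Jason asks about. `ModelState`, its `device_active` flag and the `model_tx_pkt_*` helpers are assumed stand-ins for the real device state and for vmxnet_tx_pkt_init().

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical stand-in for the device state: only the fields the activation
 * path in the thread touches. Not QEMU's real VMXNET3State. */
typedef struct {
    bool  device_active; /* assumed flag: set on activate, cleared on deactivate */
    void *tx_pkt;        /* TX packet wrapper preallocated on activation */
} ModelState;

static int live_allocs;  /* wrappers allocated and not yet freed */

/* Stand-ins for vmxnet_tx_pkt_init() and its teardown: one allocation per init. */
static void model_tx_pkt_init(void **pkt) { *pkt = calloc(1, 64); live_allocs++; }
static void model_tx_pkt_uninit(void **pkt) { free(*pkt); *pkt = NULL; live_allocs--; }

/* Shape reported in the thread: no check for an already-active device, so a
 * repeated activation allocates again and drops the old pointer (leak). */
void activate_device_leaky(ModelState *s) {
    model_tx_pkt_init(&s->tx_pkt);
    s->device_active = true;
}

/* Hardened shape: a repeated activation is a no-op while active, but a fresh
 * activation after the guest has deactivated is still honoured. */
void activate_device_checked(ModelState *s) {
    if (s->device_active) return;
    model_tx_pkt_init(&s->tx_pkt);
    s->device_active = true;
}

/* Deactivation releases the wrapper and clears the flag. */
void deactivate_device(ModelState *s) {
    if (!s->device_active) return;
    model_tx_pkt_uninit(&s->tx_pkt);
    s->device_active = false;
}

/* Runs n activations, optionally deactivating before each repeat, then a
 * final deactivate; returns how many wrappers are still live (0 = no leak). */
int live_after(void (*activate)(ModelState *), int n, bool deactivate_between) {
    ModelState s = {0};
    live_allocs = 0;
    for (int i = 0; i < n; i++) {
        if (i > 0 && deactivate_between) deactivate_device(&s);
        activate(&s);
    }
    deactivate_device(&s);
    return live_allocs;
}
```

Three back-to-back activations of the leaky shape leave two wrappers unreachable even after deactivation, while the checked shape leaks nothing and still allocates once per genuine activate/deactivate cycle.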