From: Dmitry Fleytman
Date: Thu, 3 Dec 2015 09:17:52 +0200
Message-Id: <66A887B2-7CFF-45F9-AD7F-1381F8B1F318@daynix.com>
Subject: Re: [Qemu-devel] net: vmxnet3: memory leakage issue
To: P J P, Jason Wang
Cc: Qinghao Tang, qemu-devel@nongnu.org

Hello Prasad,

The patch is good.
Jason, would you apply it from the attachment or should it be resent by "git send-email"?

Acked-by: Dmitry Fleytman <dmitry@daynix.com>

~Dmitry

On 2 Dec 2015, at 14:17 PM, P J P <ppandit@redhat.com> wrote:

> Hello Dmitry, all
>
> A memory leakage issue was reported by Mr Qinghao Tang, CC'd here.
>
> In that, the Qemu VMXNET3 paravirtual device emulator does not check if the device is already active, before activating it. This leads to host memory leakage via calls to vmxnet_tx_pkt_init(), which calls g_malloc0().
>
> ===
> static void vmxnet3_activate_device(VMXNET3State *s)
> {
>     ...
>     /* Preallocate TX packet wrapper */
>     VMW_CFPRN("Max TX fragments is %u", s->max_tx_frags);
>     vmxnet_tx_pkt_init(&s->tx_pkt, s->max_tx_frags, s->peer_has_vhdr);
>     ...
> }
> ===
>
> A malicious guest driver could use this flaw to leak excessive memory on the host, eventually killing the Qemu process.
>
> Please see attached herein a proposed (tested) patch which fixes this issue. Please let me know if it's okay or requires any changes.
>
> Thank you.
> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
>
> <0001-net-vmxnet3-avoid-multiple-activations-of-device.patch>
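As an added illustration, not part of this thread and not QEMU's code, the following toy C model shows the activation pattern the report describes and the shape of the guard that closes it. An unguarded activation routine re-runs the TX wrapper preallocation on every activation command, so the pointer to the previous wrapper is overwritten and that memory is never freed; the guarded routine checks an "already active" flag first and becomes idempotent. Every name here (ToyDevice, toy_tx_pkt_init, activate_unguarded, activate_guarded, leaked_after, the 64-bytes-per-fragment cost and the g_live_bytes counter) is constructed for this example; it stands in for, and does not reproduce, VMXNET3State, vmxnet_tx_pkt_init() or g_malloc0().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the emulated device state (not QEMU's VMXNET3State). */
typedef struct {
    int device_active;   /* the "already active" flag the guard checks */
    void *tx_pkt;        /* stands in for the preallocated TX packet wrapper */
    size_t tx_pkt_size;  /* remembered so deactivate can account for the free */
} ToyDevice;

/* Bookkeeping so a caller can observe leaks: bytes handed out by the
 * wrapper allocator that have not been returned. */
static size_t g_live_bytes = 0;

/* Analogue of vmxnet_tx_pkt_init() -> g_malloc0(): one zeroed allocation
 * whose size grows with the fragment count. Cost per fragment is arbitrary. */
static void *toy_tx_pkt_init(size_t max_frags)
{
    size_t size = max_frags * 64;
    g_live_bytes += size;
    return calloc(1, size);
}

static void toy_tx_pkt_uninit(void *pkt, size_t size)
{
    free(pkt);
    g_live_bytes -= size;
}

/* Vulnerable shape: every activation command re-runs the preallocation.
 * The previous s->tx_pkt is overwritten without being freed, so each
 * repeated activation leaks one wrapper. */
static void activate_unguarded(ToyDevice *s, size_t max_frags)
{
    s->tx_pkt = toy_tx_pkt_init(max_frags);   /* old wrapper pointer is lost here */
    s->tx_pkt_size = max_frags * 64;
    s->device_active = 1;
}

/* Hardened shape: refuse to re-activate an already active device, so the
 * allocation happens at most once per activate/deactivate cycle. */
static void activate_guarded(ToyDevice *s, size_t max_frags)
{
    if (s->device_active) {
        return;
    }
    s->tx_pkt = toy_tx_pkt_init(max_frags);
    s->tx_pkt_size = max_frags * 64;
    s->device_active = 1;
}

/* Releases the one wrapper the device still knows about. */
static void deactivate(ToyDevice *s)
{
    if (s->device_active) {
        toy_tx_pkt_uninit(s->tx_pkt, s->tx_pkt_size);
        s->tx_pkt = NULL;
        s->device_active = 0;
    }
}

/* Drives n activation commands through the given routine on a fresh device,
 * deactivates it, and returns the bytes still outstanding: the leak. */
static size_t leaked_after(void (*activate)(ToyDevice *, size_t), int n)
{
    ToyDevice dev;
    int i;
    memset(&dev, 0, sizeof dev);
    g_live_bytes = 0;
    for (i = 0; i < n; i++) {
        activate(&dev, 16);   /* 16 fragments -> 1024 bytes per wrapper */
    }
    deactivate(&dev);
    return g_live_bytes;
}

int main(void)
{
    printf("unguarded, 5 activations: %zu bytes leaked\n",
           leaked_after(activate_unguarded, 5));
    printf("guarded,   5 activations: %zu bytes leaked\n",
           leaked_after(activate_guarded, 5));
    return 0;
}
```

The number returned by leaked_after() is the point: with the unguarded routine it grows linearly with the number of activation commands the guest issues, which is the unbounded host-side growth the report describes, while the guarded routine holds it at zero regardless of how many commands arrive.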