* [PATCH V4 00/10] Detect reentrant RX casued by loopback
@ 2021-03-05 6:26 Jason Wang
2021-03-05 6:26 ` [PATCH V4 01/10] net: introduce qemu_receive_packet() Jason Wang
` (12 more replies)
0 siblings, 13 replies; 16+ messages in thread
From: Jason Wang @ 2021-03-05 6:26 UTC (permalink / raw)
To: qemu-devel, qemu-security; +Cc: alxndr, Jason Wang, philmd, ppandit
Hi All:
Followed by commit 22dc8663d9 ("net: forbid the reentrant RX"), we
still need to fix the issues caused by loopback mode where the NIC
usually it via calling nc->info->receive() directly.
The fix is to introduce new network helper and check the
queue->delivering.
This series addresses CVE-2021-3416.
Thanks
Changes since V3:
- clarify CVE number in the commit log
- indent fix
Changes since V2:
- add more fixes from Alexander
Changes since V1:
- Fix dp8393x compiling
- Add rtl8139 fix
- Tweak the commit log
- Silent patchew warning
Alexander Bulekov (4):
rtl8139: switch to use qemu_receive_packet() for loopback
pcnet: switch to use qemu_receive_packet() for loopback
cadence_gem: switch to use qemu_receive_packet() for loopback
lan9118: switch to use qemu_receive_packet() for loopback
Jason Wang (6):
net: introduce qemu_receive_packet()
e1000: switch to use qemu_receive_packet() for loopback
dp8393x: switch to use qemu_receive_packet() for loopback packet
msf2-mac: switch to use qemu_receive_packet() for loopback
sungem: switch to use qemu_receive_packet() for loopback
tx_pkt: switch to use qemu_receive_packet_iov() for loopback
hw/net/cadence_gem.c | 4 ++--
hw/net/dp8393x.c | 2 +-
hw/net/e1000.c | 2 +-
hw/net/lan9118.c | 2 +-
hw/net/msf2-emac.c | 2 +-
hw/net/net_tx_pkt.c | 2 +-
hw/net/pcnet.c | 2 +-
hw/net/rtl8139.c | 2 +-
hw/net/sungem.c | 2 +-
include/net/net.h | 5 +++++
include/net/queue.h | 8 ++++++++
net/net.c | 38 +++++++++++++++++++++++++++++++-------
net/queue.c | 22 ++++++++++++++++++++++
13 files changed, 76 insertions(+), 17 deletions(-)
--
2.24.3 (Apple Git-128)
* [PATCH V4 01/10] net: introduce qemu_receive_packet()
2021-03-05 6:26 [PATCH V4 00/10] Detect reentrant RX casued by loopback Jason Wang
@ 2021-03-05 6:26 ` Jason Wang
2021-03-05 6:26 ` [PATCH V4 02/10] e1000: switch to use qemu_receive_packet() for loopback Jason Wang
` (11 subsequent siblings)
12 siblings, 0 replies; 16+ messages in thread
From: Jason Wang @ 2021-03-05 6:26 UTC (permalink / raw)
To: qemu-devel, qemu-security; +Cc: alxndr, Jason Wang, philmd, ppandit
Some NICs support loopback mode, and this is done by calling
nc->info->receive() directly, which in fact suppresses the effort of the
reentrancy check that is done in qemu_net_queue_send().
Unfortunately we can't use qemu_net_queue_send() here since for
loopback there's no sender as peer, so this patch introduces
qemu_receive_packet(), which is used for implementing loopback mode
for a NIC with this check.
NICs that support loopback mode will be converted to this helper.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
include/net/net.h | 5 +++++
include/net/queue.h | 8 ++++++++
net/net.c | 38 +++++++++++++++++++++++++++++++-------
net/queue.c | 22 ++++++++++++++++++++++
4 files changed, 66 insertions(+), 7 deletions(-)
diff --git a/include/net/net.h b/include/net/net.h
index 919facaad2..4f56cae0fa 100644
--- a/include/net/net.h
+++ b/include/net/net.h
@@ -144,12 +144,17 @@ void *qemu_get_nic_opaque(NetClientState *nc);
void qemu_del_net_client(NetClientState *nc);
typedef void (*qemu_nic_foreach)(NICState *nic, void *opaque);
void qemu_foreach_nic(qemu_nic_foreach func, void *opaque);
+int qemu_can_receive_packet(NetClientState *nc);
int qemu_can_send_packet(NetClientState *nc);
ssize_t qemu_sendv_packet(NetClientState *nc, const struct iovec *iov,
int iovcnt);
ssize_t qemu_sendv_packet_async(NetClientState *nc, const struct iovec *iov,
int iovcnt, NetPacketSent *sent_cb);
ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size);
+ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size);
+ssize_t qemu_receive_packet_iov(NetClientState *nc,
+ const struct iovec *iov,
+ int iovcnt);
ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size);
ssize_t qemu_send_packet_async(NetClientState *nc, const uint8_t *buf,
int size, NetPacketSent *sent_cb);
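Review bot: the three new prototypes (qemu_can_receive_packet(), qemu_receive_packet(), qemu_receive_packet_iov()) are added to the public header without any comment, so nothing here tells a device author that loopback delivery must go through them rather than through a direct nc->info->receive() call. A short comment above qemu_receive_packet() saying that it is the loopback entry point, and that a return of 0 means the frame was not delivered, would help keep new NIC models from reintroducing the direct call.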
diff --git a/include/net/queue.h b/include/net/queue.h
index c0269bb1dc..9f2f289d77 100644
--- a/include/net/queue.h
+++ b/include/net/queue.h
@@ -55,6 +55,14 @@ void qemu_net_queue_append_iov(NetQueue *queue,
void qemu_del_net_queue(NetQueue *queue);
+ssize_t qemu_net_queue_receive(NetQueue *queue,
+ const uint8_t *data,
+ size_t size);
+
+ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
+ const struct iovec *iov,
+ int iovcnt);
+
ssize_t qemu_net_queue_send(NetQueue *queue,
NetClientState *sender,
unsigned flags,
diff --git a/net/net.c b/net/net.c
index da4aa313be..d889487c0d 100644
--- a/net/net.c
+++ b/net/net.c
@@ -530,6 +530,17 @@ int qemu_set_vnet_be(NetClientState *nc, bool is_be)
#endif
}
+int qemu_can_receive_packet(NetClientState *nc)
+{
+ if (nc->receive_disabled) {
+ return 0;
+ } else if (nc->info->can_receive &&
+ !nc->info->can_receive(nc)) {
+ return 0;
+ }
+ return 1;
+}
+
int qemu_can_send_packet(NetClientState *sender)
{
int vm_running = runstate_is_running();
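Review bot: qemu_can_receive_packet() tests only nc->receive_disabled and nc->info->can_receive, while qemu_can_send_packet() just below it starts from runstate_is_running(); please say in a comment whether loopback delivery is meant to ignore the run state, or add the same test here. As a style point, the else after the first return 0 is unnecessary and the two conditions read more clearly as two plain if statements.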
@@ -542,13 +553,7 @@ int qemu_can_send_packet(NetClientState *sender)
return 1;
}
- if (sender->peer->receive_disabled) {
- return 0;
- } else if (sender->peer->info->can_receive &&
- !sender->peer->info->can_receive(sender->peer)) {
- return 0;
- }
- return 1;
+ return qemu_can_receive_packet(sender->peer);
}
static ssize_t filter_receive_iov(NetClientState *nc,
@@ -681,6 +686,25 @@ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size)
return qemu_send_packet_async(nc, buf, size, NULL);
}
+ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size)
+{
+ if (!qemu_can_receive_packet(nc)) {
+ return 0;
+ }
+
+ return qemu_net_queue_receive(nc->incoming_queue, buf, size);
+}
+
+ssize_t qemu_receive_packet_iov(NetClientState *nc, const struct iovec *iov,
+ int iovcnt)
+{
+ if (!qemu_can_receive_packet(nc)) {
+ return 0;
+ }
+
+ return qemu_net_queue_receive_iov(nc->incoming_queue, iov, iovcnt);
+}
+
ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size)
{
return qemu_send_packet_async_with_flags(nc, QEMU_NET_PACKET_FLAG_RAW,
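Review bot: qemu_receive_packet() takes int size and passes it straight to qemu_net_queue_receive(), whose parameter is size_t, so a negative size coming from a device model would be converted to a very large length. Either reject size < 0 before the call or make the public prototype size_t. The return 0 on the !qemu_can_receive_packet(nc) path also deserves a comment, since every converted caller in this series ignores the return value.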
diff --git a/net/queue.c b/net/queue.c
index 19e32c80fd..c872d51df8 100644
--- a/net/queue.c
+++ b/net/queue.c
@@ -182,6 +182,28 @@ static ssize_t qemu_net_queue_deliver_iov(NetQueue *queue,
return ret;
}
+ssize_t qemu_net_queue_receive(NetQueue *queue,
+ const uint8_t *data,
+ size_t size)
+{
+ if (queue->delivering) {
+ return 0;
+ }
+
+ return qemu_net_queue_deliver(queue, NULL, 0, data, size);
+}
+
+ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
+ const struct iovec *iov,
+ int iovcnt)
+{
+ if (queue->delivering) {
+ return 0;
+ }
+
+ return qemu_net_queue_deliver_iov(queue, NULL, 0, iov, iovcnt);
+}
+
ssize_t qemu_net_queue_send(NetQueue *queue,
NetClientState *sender,
unsigned flags,
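Review bot: in qemu_net_queue_receive() and qemu_net_queue_receive_iov() the if (queue->delivering) path returns 0 and drops the frame with no comment and no trace point, which makes a guest-triggered reentrant loopback hard to distinguish from an idle device when debugging. Add a comment stating that the frame is dropped on purpose (the commit message explains there is no sender to queue it for) and consider a trace event on that path. The NULL sender passed to qemu_net_queue_deliver() and qemu_net_queue_deliver_iov() should get a one-line note that the deliver callback has to tolerate it.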
--
2.24.3 (Apple Git-128)
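A minimal model of the guard described in the commit message above, added here as an illustration; it is not QEMU code and not part of the posted series. The `Nic` and `Queue` types, `toy_receive()`, `run_model()` and `DEPTH_CAP` are assumptions made for the sketch; only the `delivering` test mirrors the check in `qemu_net_queue_receive()`.

```c
/* Toy model of the loopback reentrancy guard; names and types are simplified. */
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

#define DEPTH_CAP 64   /* stops the unguarded recursion before the stack runs out */

typedef struct {
    unsigned delivering;   /* non-zero while a receive callback is running */
} Queue;

typedef struct {
    Queue incoming;        /* stands in for nc->incoming_queue */
    int guarded;           /* 1: loopback goes through the checked helper */
    int depth;             /* current nesting of the receive callback */
    int max_depth;         /* deepest nesting observed */
    int delivered;         /* frames handled by the receive callback */
    int dropped;           /* frames refused by the guard */
} Nic;

typedef struct {
    int max_depth;
    int delivered;
    int dropped;
} Result;

static void nic_transmit(Nic *nic, const uint8_t *buf, size_t size);

/* Receive callback of a device whose RX processing can start a TX
 * (assumed behaviour for the model; in loopback mode that TX comes back as RX). */
static long toy_receive(Nic *nic, const uint8_t *buf, size_t size)
{
    nic->depth++;
    nic->delivered++;
    if (nic->depth > nic->max_depth) {
        nic->max_depth = nic->depth;
    }
    if (nic->depth < DEPTH_CAP) {
        nic_transmit(nic, buf, size);
    }
    nic->depth--;
    return (long)size;
}

/* Marks the queue busy for the duration of the callback. */
static long queue_deliver(Nic *nic, const uint8_t *buf, size_t size)
{
    long ret;

    nic->incoming.delivering = 1;
    ret = toy_receive(nic, buf, size);
    nic->incoming.delivering = 0;
    return ret;
}

/* Checked loopback entry point: refuse the frame if a delivery is in progress. */
static long receive_packet(Nic *nic, const uint8_t *buf, size_t size)
{
    if (nic->incoming.delivering) {
        nic->dropped++;
        return 0;
    }
    return queue_deliver(nic, buf, size);
}

static void nic_transmit(Nic *nic, const uint8_t *buf, size_t size)
{
    if (nic->guarded) {
        receive_packet(nic, buf, size);
    } else {
        toy_receive(nic, buf, size);   /* old pattern: call the receive hook directly */
    }
}

/* Sends one constructed 60-byte frame in loopback mode and reports what happened. */
Result run_model(int guarded)
{
    static const uint8_t frame[60] = { 0 };
    Nic nic = { .guarded = guarded };
    Result r;

    nic_transmit(&nic, frame, sizeof(frame));
    r.max_depth = nic.max_depth;
    r.delivered = nic.delivered;
    r.dropped = nic.dropped;
    return r;
}

int main(void)
{
    Result direct = run_model(0);
    Result checked = run_model(1);

    printf("direct call: depth=%d delivered=%d dropped=%d\n",
           direct.max_depth, direct.delivered, direct.dropped);
    printf("with guard:  depth=%d delivered=%d dropped=%d\n",
           checked.max_depth, checked.delivered, checked.dropped);
    return 0;
}
```

In the model the direct call nests until the artificial cap, while the guarded path delivers one frame and refuses the nested one.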
* [PATCH V4 02/10] e1000: switch to use qemu_receive_packet() for loopback
2021-03-05 6:26 [PATCH V4 00/10] Detect reentrant RX casued by loopback Jason Wang
2021-03-05 6:26 ` [PATCH V4 01/10] net: introduce qemu_receive_packet() Jason Wang
@ 2021-03-05 6:26 ` Jason Wang
2021-03-05 6:26 ` [PATCH V4 03/10] dp8393x: switch to use qemu_receive_packet() for loopback packet Jason Wang
` (10 subsequent siblings)
12 siblings, 0 replies; 16+ messages in thread
From: Jason Wang @ 2021-03-05 6:26 UTC (permalink / raw)
To: qemu-devel, qemu-security; +Cc: alxndr, Jason Wang, philmd, ppandit
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/net/e1000.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/e1000.c b/hw/net/e1000.c
index 4345d863e6..4f75b44cfc 100644
--- a/hw/net/e1000.c
+++ b/hw/net/e1000.c
@@ -546,7 +546,7 @@ e1000_send_packet(E1000State *s, const uint8_t *buf, int size)
NetClientState *nc = qemu_get_queue(s->nic);
if (s->phy_reg[PHY_CTRL] & MII_CR_LOOPBACK) {
- nc->info->receive(nc, buf, size);
+ qemu_receive_packet(nc, buf, size);
} else {
qemu_send_packet(nc, buf, size);
}
--
2.24.3 (Apple Git-128)
* [PATCH V4 03/10] dp8393x: switch to use qemu_receive_packet() for loopback packet
2021-03-05 6:26 [PATCH V4 00/10] Detect reentrant RX casued by loopback Jason Wang
2021-03-05 6:26 ` [PATCH V4 01/10] net: introduce qemu_receive_packet() Jason Wang
2021-03-05 6:26 ` [PATCH V4 02/10] e1000: switch to use qemu_receive_packet() for loopback Jason Wang
@ 2021-03-05 6:26 ` Jason Wang
2021-03-05 6:26 ` [PATCH V4 04/10] msf2-mac: switch to use qemu_receive_packet() for loopback Jason Wang
` (9 subsequent siblings)
12 siblings, 0 replies; 16+ messages in thread
From: Jason Wang @ 2021-03-05 6:26 UTC (permalink / raw)
To: qemu-devel, qemu-security; +Cc: alxndr, Jason Wang, philmd, ppandit
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/net/dp8393x.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
index 205c0decc5..533a8304d0 100644
--- a/hw/net/dp8393x.c
+++ b/hw/net/dp8393x.c
@@ -506,7 +506,7 @@ static void dp8393x_do_transmit_packets(dp8393xState *s)
s->regs[SONIC_TCR] |= SONIC_TCR_CRSL;
if (nc->info->can_receive(nc)) {
s->loopback_packet = 1;
- nc->info->receive(nc, s->tx_buffer, tx_len);
+ qemu_receive_packet(nc, s->tx_buffer, tx_len);
}
} else {
/* Transmit packet */
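Review bot: s->loopback_packet = 1 is still set before the call, but qemu_receive_packet() can now return 0 without invoking the receive callback (receive disabled, or queue->delivering set), so the flag may stay set for a frame that was never looped back. Clear it when the helper returns 0, or set it only around a delivery that actually happened. The surrounding nc->info->can_receive(nc) test is now repeated by the helper's own qemu_can_receive_packet() check and could be dropped in a follow-up.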
--
2.24.3 (Apple Git-128)
* [PATCH V4 04/10] msf2-mac: switch to use qemu_receive_packet() for loopback
2021-03-05 6:26 [PATCH V4 00/10] Detect reentrant RX casued by loopback Jason Wang
` (2 preceding siblings ...)
2021-03-05 6:26 ` [PATCH V4 03/10] dp8393x: switch to use qemu_receive_packet() for loopback packet Jason Wang
@ 2021-03-05 6:26 ` Jason Wang
2021-03-05 6:26 ` [PATCH V4 05/10] sungem: " Jason Wang
` (8 subsequent siblings)
12 siblings, 0 replies; 16+ messages in thread
From: Jason Wang @ 2021-03-05 6:26 UTC (permalink / raw)
To: qemu-devel, qemu-security; +Cc: alxndr, Jason Wang, philmd, ppandit
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/net/msf2-emac.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/msf2-emac.c b/hw/net/msf2-emac.c
index 32ba9e8412..3e6206044f 100644
--- a/hw/net/msf2-emac.c
+++ b/hw/net/msf2-emac.c
@@ -158,7 +158,7 @@ static void msf2_dma_tx(MSF2EmacState *s)
* R_CFG1 bit 0 is set.
*/
if (s->regs[R_CFG1] & R_CFG1_LB_EN_MASK) {
- nc->info->receive(nc, buf, size);
+ qemu_receive_packet(nc, buf, size);
} else {
qemu_send_packet(nc, buf, size);
}
--
2.24.3 (Apple Git-128)
* [PATCH V4 05/10] sungem: switch to use qemu_receive_packet() for loopback
2021-03-05 6:26 [PATCH V4 00/10] Detect reentrant RX casued by loopback Jason Wang
` (3 preceding siblings ...)
2021-03-05 6:26 ` [PATCH V4 04/10] msf2-mac: switch to use qemu_receive_packet() for loopback Jason Wang
@ 2021-03-05 6:26 ` Jason Wang
2021-03-05 6:26 ` [PATCH V4 06/10] tx_pkt: switch to use qemu_receive_packet_iov() " Jason Wang
` (7 subsequent siblings)
12 siblings, 0 replies; 16+ messages in thread
From: Jason Wang @ 2021-03-05 6:26 UTC (permalink / raw)
To: qemu-devel, qemu-security
Cc: alxndr, Jason Wang, philmd, Mark Cave-Ayland, ppandit
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/net/sungem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/sungem.c b/hw/net/sungem.c
index 33c3722df6..3684a4d733 100644
--- a/hw/net/sungem.c
+++ b/hw/net/sungem.c
@@ -306,7 +306,7 @@ static void sungem_send_packet(SunGEMState *s, const uint8_t *buf,
NetClientState *nc = qemu_get_queue(s->nic);
if (s->macregs[MAC_XIFCFG >> 2] & MAC_XIFCFG_LBCK) {
- nc->info->receive(nc, buf, size);
+ qemu_receive_packet(nc, buf, size);
} else {
qemu_send_packet(nc, buf, size);
}
--
2.24.3 (Apple Git-128)
* [PATCH V4 06/10] tx_pkt: switch to use qemu_receive_packet_iov() for loopback
2021-03-05 6:26 [PATCH V4 00/10] Detect reentrant RX casued by loopback Jason Wang
` (4 preceding siblings ...)
2021-03-05 6:26 ` [PATCH V4 05/10] sungem: " Jason Wang
@ 2021-03-05 6:26 ` Jason Wang
2021-03-05 6:26 ` [PATCH V4 07/10] rtl8139: switch to use qemu_receive_packet() " Jason Wang
` (6 subsequent siblings)
12 siblings, 0 replies; 16+ messages in thread
From: Jason Wang @ 2021-03-05 6:26 UTC (permalink / raw)
To: qemu-devel, qemu-security; +Cc: alxndr, Jason Wang, philmd, ppandit
This patch switches to use qemu_receive_receive_iov() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/net/net_tx_pkt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
index da262edc3e..1f9aa59eca 100644
--- a/hw/net/net_tx_pkt.c
+++ b/hw/net/net_tx_pkt.c
@@ -553,7 +553,7 @@ static inline void net_tx_pkt_sendv(struct NetTxPkt *pkt,
NetClientState *nc, const struct iovec *iov, int iov_cnt)
{
if (pkt->is_loopback) {
- nc->info->receive_iov(nc, iov, iov_cnt);
+ qemu_receive_packet_iov(nc, iov, iov_cnt);
} else {
qemu_sendv_packet(nc, iov, iov_cnt);
}
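Review bot: the commit message names qemu_receive_receive_iov(), but the function called in net_tx_pkt_sendv() and declared in patch 01 is qemu_receive_packet_iov(); fix the log before applying so that a search for the helper name finds this commit.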
--
2.24.3 (Apple Git-128)
* [PATCH V4 07/10] rtl8139: switch to use qemu_receive_packet() for loopback
2021-03-05 6:26 [PATCH V4 00/10] Detect reentrant RX casued by loopback Jason Wang
` (5 preceding siblings ...)
2021-03-05 6:26 ` [PATCH V4 06/10] tx_pkt: switch to use qemu_receive_packet_iov() " Jason Wang
@ 2021-03-05 6:26 ` Jason Wang
2021-03-05 6:26 ` [PATCH V4 08/10] pcnet: " Jason Wang
` (5 subsequent siblings)
12 siblings, 0 replies; 16+ messages in thread
From: Jason Wang @ 2021-03-05 6:26 UTC (permalink / raw)
To: qemu-devel, qemu-security; +Cc: alxndr, Jason Wang, philmd, ppandit
From: Alexander Bulekov <alxndr@bu.edu>
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Buglink: https://bugs.launchpad.net/qemu/+bug/1910826
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/net/rtl8139.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
index 4675ac878e..90b4fc63ce 100644
--- a/hw/net/rtl8139.c
+++ b/hw/net/rtl8139.c
@@ -1795,7 +1795,7 @@ static void rtl8139_transfer_frame(RTL8139State *s, uint8_t *buf, int size,
}
DPRINTF("+++ transmit loopback mode\n");
- rtl8139_do_receive(qemu_get_queue(s->nic), buf, size, do_interrupt);
+ qemu_receive_packet(qemu_get_queue(s->nic), buf, size);
if (iov) {
g_free(buf2);
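Review bot: the old call passed do_interrupt to rtl8139_do_receive(), and the replacement qemu_receive_packet(qemu_get_queue(s->nic), buf, size) has no way to carry it, so the loopback path now gets whatever interrupt behaviour the registered receive callback chooses. The commit message should state that this change is intended, or the caller's do_interrupt value needs another route into the receive path.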
--
2.24.3 (Apple Git-128)
* [PATCH V4 08/10] pcnet: switch to use qemu_receive_packet() for loopback
2021-03-05 6:26 [PATCH V4 00/10] Detect reentrant RX casued by loopback Jason Wang
` (6 preceding siblings ...)
2021-03-05 6:26 ` [PATCH V4 07/10] rtl8139: switch to use qemu_receive_packet() " Jason Wang
@ 2021-03-05 6:26 ` Jason Wang
2021-03-05 6:26 ` [PATCH V4 09/10] cadence_gem: " Jason Wang
` (4 subsequent siblings)
12 siblings, 0 replies; 16+ messages in thread
From: Jason Wang @ 2021-03-05 6:26 UTC (permalink / raw)
To: qemu-devel, qemu-security; +Cc: alxndr, Jason Wang, philmd, ppandit
From: Alexander Bulekov <alxndr@bu.edu>
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Buglink: https://bugs.launchpad.net/qemu/+bug/1917085
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/net/pcnet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
index f3f18d8598..dcd3fc4948 100644
--- a/hw/net/pcnet.c
+++ b/hw/net/pcnet.c
@@ -1250,7 +1250,7 @@ txagain:
if (BCR_SWSTYLE(s) == 1)
add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);
s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;
- pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
+ qemu_receive_packet(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
s->looptest = 0;
} else {
if (s->nic) {
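Review bot: replacing the direct pcnet_receive() call means the loopback frame now also passes the receive_disabled and can_receive tests in qemu_can_receive_packet(), not only the reentrancy test, so a loopback frame can be dropped for reasons unrelated to CVE-2021-3416. Because s->looptest is reset to 0 right after the call whatever the result, the guest gets no indication; mention the extra gating in the commit message and confirm that the looptest path still completes when can_receive is false.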
--
2.24.3 (Apple Git-128)
* [PATCH V4 09/10] cadence_gem: switch to use qemu_receive_packet() for loopback
2021-03-05 6:26 [PATCH V4 00/10] Detect reentrant RX casued by loopback Jason Wang
` (7 preceding siblings ...)
2021-03-05 6:26 ` [PATCH V4 08/10] pcnet: " Jason Wang
@ 2021-03-05 6:26 ` Jason Wang
2021-03-05 6:26 ` [PATCH V4 10/10] lan9118: " Jason Wang
` (3 subsequent siblings)
12 siblings, 0 replies; 16+ messages in thread
From: Jason Wang @ 2021-03-05 6:26 UTC (permalink / raw)
To: qemu-devel, qemu-security; +Cc: alxndr, Jason Wang, philmd, ppandit
From: Alexander Bulekov <alxndr@bu.edu>
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/net/cadence_gem.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
index 9a4474a084..24b3a0ff66 100644
--- a/hw/net/cadence_gem.c
+++ b/hw/net/cadence_gem.c
@@ -1275,8 +1275,8 @@ static void gem_transmit(CadenceGEMState *s)
/* Send the packet somewhere */
if (s->phy_loop || (s->regs[GEM_NWCTRL] &
GEM_NWCTRL_LOCALLOOP)) {
- gem_receive(qemu_get_queue(s->nic), s->tx_packet,
- total_bytes);
+ qemu_receive_packet(qemu_get_queue(s->nic), s->tx_packet,
+ total_bytes);
} else {
qemu_send_packet(qemu_get_queue(s->nic), s->tx_packet,
total_bytes);
--
2.24.3 (Apple Git-128)
* [PATCH V4 10/10] lan9118: switch to use qemu_receive_packet() for loopback
2021-03-05 6:26 [PATCH V4 00/10] Detect reentrant RX casued by loopback Jason Wang
` (8 preceding siblings ...)
2021-03-05 6:26 ` [PATCH V4 09/10] cadence_gem: " Jason Wang
@ 2021-03-05 6:26 ` Jason Wang
2021-03-05 6:39 ` [QEMU-SECURITY] [PATCH V4 00/10] Detect reentrant RX casued by loopback P J P
` (2 subsequent siblings)
12 siblings, 0 replies; 16+ messages in thread
From: Jason Wang @ 2021-03-05 6:26 UTC (permalink / raw)
To: qemu-devel, qemu-security; +Cc: alxndr, Jason Wang, philmd, ppandit
From: Alexander Bulekov <alxndr@bu.edu>
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/net/lan9118.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c
index abc796285a..6aff424cbe 100644
--- a/hw/net/lan9118.c
+++ b/hw/net/lan9118.c
@@ -680,7 +680,7 @@ static void do_tx_packet(lan9118_state *s)
/* FIXME: Honor TX disable, and allow queueing of packets. */
if (s->phy_control & 0x4000) {
/* This assumes the receive routine doesn't touch the VLANClient. */
- lan9118_receive(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
+ qemu_receive_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
} else {
qemu_send_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
}
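Review bot: the comment kept just above the changed call, "This assumes the receive routine doesn't touch the VLANClient", described the direct lan9118_receive() call; the frame now goes through qemu_receive_packet() and the client's incoming queue, so the comment should be updated or removed as part of this change.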
--
2.24.3 (Apple Git-128)
* Re: [QEMU-SECURITY] [PATCH V4 00/10] Detect reentrant RX casued by loopback
2021-03-05 6:26 [PATCH V4 00/10] Detect reentrant RX casued by loopback Jason Wang
` (9 preceding siblings ...)
2021-03-05 6:26 ` [PATCH V4 10/10] lan9118: " Jason Wang
@ 2021-03-05 6:39 ` P J P
2021-03-05 6:44 ` Jason Wang
2021-03-05 9:38 ` Philippe Mathieu-Daudé
2021-03-08 3:55 ` Jason Wang
12 siblings, 1 reply; 16+ messages in thread
From: P J P @ 2021-03-05 6:39 UTC (permalink / raw)
To: qemu-devel, qemu-security, Jason Wang; +Cc: alxndr, philmd, ppandit
Hello all,
Just to note:
* Let's use <qemu-security> list to review non-public/embargoed patch(es) only.
* If patch(es) is being reviewed publicly on <qemu-devel> list,
CC'ing <qemu-security> list does not help much.
Thank you.
---
-P J P
http://feedmug.com
* Re: [QEMU-SECURITY] [PATCH V4 00/10] Detect reentrant RX casued by loopback
2021-03-05 6:39 ` [QEMU-SECURITY] [PATCH V4 00/10] Detect reentrant RX casued by loopback P J P
@ 2021-03-05 6:44 ` Jason Wang
0 siblings, 0 replies; 16+ messages in thread
From: Jason Wang @ 2021-03-05 6:44 UTC (permalink / raw)
To: P J P, qemu-devel, qemu-security; +Cc: alxndr, philmd, ppandit
On 2021/3/5 2:39 PM, P J P wrote:
> Hello all,
>
> Just to note:
>
> * Let's use <qemu-security> list to review non-public/embargoed patch(es) only.
>
> * If patch(es) is being reviewed publicly on <qemu-devel> list,
> CC'ing <qemu-security> list does not help much.
>
>
> Thank you.
> ---
> -P J P
> http://feedmug.com
I see.
Thanks
* Re: [PATCH V4 00/10] Detect reentrant RX casued by loopback
2021-03-05 6:26 [PATCH V4 00/10] Detect reentrant RX casued by loopback Jason Wang
` (10 preceding siblings ...)
2021-03-05 6:39 ` [QEMU-SECURITY] [PATCH V4 00/10] Detect reentrant RX casued by loopback P J P
@ 2021-03-05 9:38 ` Philippe Mathieu-Daudé
2021-03-08 3:26 ` Jason Wang
2021-03-08 3:55 ` Jason Wang
12 siblings, 1 reply; 16+ messages in thread
From: Philippe Mathieu-Daudé @ 2021-03-05 9:38 UTC (permalink / raw)
To: Jason Wang, qemu-devel, qemu-security; +Cc: alxndr, ppandit
On 3/5/21 7:26 AM, Jason Wang wrote:
> Hi All:
>
> Followed by commit 22dc8663d9 ("net: forbid the reentrant RX"), we
> still need to fix the issues caused by loopback mode where the NIC
> usually it via calling nc->info->receive() directly.
>
> The fix is to introduce new network helper and check the
> queue->delivering.
>
> This series addresses CVE-2021-3416.
>
> Thanks
>
> Changes since V3:
> - clarify CVE number in the commit log
> - indent fix
>
> Changes since V2:
> - add more fixes from Alexander
>
> Changes since V1:
>
> - Fix dp8393x compiling
> - Add rtl8139 fix
> - Tweak the commit log
> - Silent patchew warning
>
> Alexander Bulekov (4):
> rtl8139: switch to use qemu_receive_packet() for loopback
> pcnet: switch to use qemu_receive_packet() for loopback
> cadence_gem: switch to use qemu_receive_packet() for loopback
> lan9118: switch to use qemu_receive_packet() for loopback
>
> Jason Wang (6):
> net: introduce qemu_receive_packet()
> e1000: switch to use qemu_receive_packet() for loopback
> dp8393x: switch to use qemu_receive_packet() for loopback packet
> msf2-mac: switch to use qemu_receive_packet() for loopback
> sungem: switch to use qemu_receive_packet() for loopback
> tx_pkt: switch to use qemu_receive_packet_iov() for loopback
>
> hw/net/cadence_gem.c | 4 ++--
> hw/net/dp8393x.c | 2 +-
> hw/net/e1000.c | 2 +-
> hw/net/lan9118.c | 2 +-
> hw/net/msf2-emac.c | 2 +-
> hw/net/net_tx_pkt.c | 2 +-
> hw/net/pcnet.c | 2 +-
> hw/net/rtl8139.c | 2 +-
> hw/net/sungem.c | 2 +-
> include/net/net.h | 5 +++++
> include/net/queue.h | 8 ++++++++
> net/net.c | 38 +++++++++++++++++++++++++++++++-------
> net/queue.c | 22 ++++++++++++++++++++++
> 13 files changed, 76 insertions(+), 17 deletions(-)
>
LGTM, maybe worth adding the "Cc: qemu-stable@nongnu.org" tag
when applying.
* Re: [PATCH V4 00/10] Detect reentrant RX casued by loopback
2021-03-05 9:38 ` Philippe Mathieu-Daudé
@ 2021-03-08 3:26 ` Jason Wang
0 siblings, 0 replies; 16+ messages in thread
From: Jason Wang @ 2021-03-08 3:26 UTC (permalink / raw)
To: Philippe Mathieu-Daudé, qemu-devel, qemu-security; +Cc: alxndr, ppandit
On 2021/3/5 5:38 PM, Philippe Mathieu-Daudé wrote:
> On 3/5/21 7:26 AM, Jason Wang wrote:
>> Hi All:
>>
>> Followed by commit 22dc8663d9 ("net: forbid the reentrant RX"), we
>> still need to fix the issues caused by loopback mode where the NIC
>> usually it via calling nc->info->receive() directly.
>>
>> The fix is to introduce new network helper and check the
>> queue->delivering.
>>
>> This series addresses CVE-2021-3416.
>>
>> Thanks
>>
>> Changes since V3:
>> - clarify CVE number in the commit log
>> - indent fix
>>
>> Changes since V2:
>> - add more fixes from Alexander
>>
>> Changes since V1:
>>
>> - Fix dp8393x compiling
>> - Add rtl8139 fix
>> - Tweak the commit log
>> - Silent patchew warning
>>
>> Alexander Bulekov (4):
>> rtl8139: switch to use qemu_receive_packet() for loopback
>> pcnet: switch to use qemu_receive_packet() for loopback
>> cadence_gem: switch to use qemu_receive_packet() for loopback
>> lan9118: switch to use qemu_receive_packet() for loopback
>>
>> Jason Wang (6):
>> net: introduce qemu_receive_packet()
>> e1000: switch to use qemu_receive_packet() for loopback
>> dp8393x: switch to use qemu_receive_packet() for loopback packet
>> msf2-mac: switch to use qemu_receive_packet() for loopback
>> sungem: switch to use qemu_receive_packet() for loopback
>> tx_pkt: switch to use qemu_receive_packet_iov() for loopback
>>
>> hw/net/cadence_gem.c | 4 ++--
>> hw/net/dp8393x.c | 2 +-
>> hw/net/e1000.c | 2 +-
>> hw/net/lan9118.c | 2 +-
>> hw/net/msf2-emac.c | 2 +-
>> hw/net/net_tx_pkt.c | 2 +-
>> hw/net/pcnet.c | 2 +-
>> hw/net/rtl8139.c | 2 +-
>> hw/net/sungem.c | 2 +-
>> include/net/net.h | 5 +++++
>> include/net/queue.h | 8 ++++++++
>> net/net.c | 38 +++++++++++++++++++++++++++++++-------
>> net/queue.c | 22 ++++++++++++++++++++++
>> 13 files changed, 76 insertions(+), 17 deletions(-)
>>
> LGTM, maybe worth adding the "Cc: qemu-stable@nongnu.org" tag
> when applying.
Yes, will do.
Thanks
>
* Re: [PATCH V4 00/10] Detect reentrant RX casued by loopback
2021-03-05 6:26 [PATCH V4 00/10] Detect reentrant RX casued by loopback Jason Wang
` (11 preceding siblings ...)
2021-03-05 9:38 ` Philippe Mathieu-Daudé
@ 2021-03-08 3:55 ` Jason Wang
12 siblings, 0 replies; 16+ messages in thread
From: Jason Wang @ 2021-03-08 3:55 UTC (permalink / raw)
To: qemu-devel; +Cc: alxndr, philmd, ppandit
On 2021/3/5 2:26 PM, Jason Wang wrote:
> Hi All:
>
> Followed by commit 22dc8663d9 ("net: forbid the reentrant RX"), we
> still need to fix the issues caused by loopback mode where the NIC
> usually it via calling nc->info->receive() directly.
>
> The fix is to introduce new network helper and check the
> queue->delivering.
>
> This series addresses CVE-2021-3416.
>
> Thanks
So, I've queued this series with stable cced.
Thanks
>
> Changes since V3:
> - clarify CVE number in the commit log
> - indent fix
>
> Changes since V2:
> - add more fixes from Alexander
>
> Changes since V1:
>
> - Fix dp8393x compiling
> - Add rtl8139 fix
> - Tweak the commit log
> - Silent patchew warning
>
> Alexander Bulekov (4):
> rtl8139: switch to use qemu_receive_packet() for loopback
> pcnet: switch to use qemu_receive_packet() for loopback
> cadence_gem: switch to use qemu_receive_packet() for loopback
> lan9118: switch to use qemu_receive_packet() for loopback
>
> Jason Wang (6):
> net: introduce qemu_receive_packet()
> e1000: switch to use qemu_receive_packet() for loopback
> dp8393x: switch to use qemu_receive_packet() for loopback packet
> msf2-mac: switch to use qemu_receive_packet() for loopback
> sungem: switch to use qemu_receive_packet() for loopback
> tx_pkt: switch to use qemu_receive_packet_iov() for loopback
>
> hw/net/cadence_gem.c | 4 ++--
> hw/net/dp8393x.c | 2 +-
> hw/net/e1000.c | 2 +-
> hw/net/lan9118.c | 2 +-
> hw/net/msf2-emac.c | 2 +-
> hw/net/net_tx_pkt.c | 2 +-
> hw/net/pcnet.c | 2 +-
> hw/net/rtl8139.c | 2 +-
> hw/net/sungem.c | 2 +-
> include/net/net.h | 5 +++++
> include/net/queue.h | 8 ++++++++
> net/net.c | 38 +++++++++++++++++++++++++++++++-------
> net/queue.c | 22 ++++++++++++++++++++++
> 13 files changed, 76 insertions(+), 17 deletions(-)
>