From: Jason Wang <jasowang@redhat.com>
To: "Philippe Mathieu-Daudé" <philmd@redhat.com>, qemu-devel@nongnu.org
Cc: QEMU Security <qemu-security@nongnu.org>, ppandit@redhat.com
Subject: Re: [PATCH 1/6] net: introduce qemu_receive_packet()
Date: Wed, 24 Feb 2021 21:17:03 +0800	[thread overview]
Message-ID: <b7d39898-d688-70bb-4546-612150a1635b@redhat.com> (raw)
In-Reply-To: <9e432ff0-793e-64a7-97f3-ff3a374ee98f@redhat.com>


On 2021/2/24 6:11 PM, Philippe Mathieu-Daudé wrote:
> On 2/24/21 6:53 AM, Jason Wang wrote:
>> Some NICs support loopback mode, and this is done by calling
>> nc->info->receive() directly, which in fact suppresses the effort of
>> the reentrancy check that is done in qemu_net_queue_send().
>>
>> Unfortunately we can use qemu_net_queue_send() here since for
>> loopback there's no sender as peer, so this patch introduces a
>> qemu_receive_packet() which is used for implementing loopback mode
>> for a NIC with this check.
> IIUC the guest could trigger an infinite loop and brick the emulated
> device model. Likely exhausting the stack, so either SEGV by
> corruption or some ENOMEM?


Yes.


>
> Since this is guest triggerable, shouldn't we contact qemu-security@
> list and ask for a CVE for this issue, so distributions can track
> the patches to backport in their stable releases? (it seems to be
> within the KVM devices boundary).


That's the plan. I discussed this with Prasad before and he promised to 
ask for a CVE for this.

But it's a known issue, the reentrant DMA which has been discussed 
before[1]; unfortunately we haven't made any progress. This patch can only 
fix the NIC RX issue.

Thanks

[1] https://mail.gnu.org/archive/html/qemu-devel/2020-09/msg00906.html


>
>> NIC that supports loopback mode will be converted to this helper.
>>
>> Signed-off-by: Jason Wang <jasowang@redhat.com>
>> ---
>>   include/net/net.h   |  5 +++++
>>   include/net/queue.h |  8 ++++++++
>>   net/net.c           | 38 +++++++++++++++++++++++++++++++-------
>>   net/queue.c         | 22 ++++++++++++++++++++++
>>   4 files changed, 66 insertions(+), 7 deletions(-)
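Added illustration (not the patch's or QEMU's own code): a simplified C model of the reentrancy check that the patch description refers to. The top-level delivery goes through a guarded entry point modelled on qemu_net_queue_send(); in loopback mode the device then either calls its own receive handler directly (the bypass) or goes back through the guard, as qemu_receive_packet() is meant to provide. All names, the NIC struct and the MAX_DEPTH bound are assumptions made for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <sys/types.h>
#define MAX_DEPTH 16 /* constructed bound: stop the unguarded path before it blows the stack */

typedef struct NIC NIC;
typedef ssize_t (*ReceiveFn)(NIC *nic, const uint8_t *buf, size_t len);
struct NIC {
    bool delivering;   /* set while a delivery is in progress (the queue's check) */
    int queued;        /* packets deferred because a delivery was already in flight */
    bool loopback;     /* guest-controlled loopback mode */
    bool use_guard;    /* loopback goes through guarded_receive() instead of receive() */
    int depth, max_depth;
    ReceiveFn receive; /* the device's own RX handler, like nc->info->receive */
};

/* Modelled on the check in qemu_net_queue_send() / qemu_receive_packet():
 * never re-enter the RX handler while a delivery is already in progress. */
static ssize_t guarded_receive(NIC *nic, const uint8_t *buf, size_t len)
{
    if (nic->delivering) { nic->queued++; return 0; } /* QEMU queues it; we only count */
    nic->delivering = true;
    ssize_t ret = nic->receive(nic, buf, len);
    nic->delivering = false;
    return ret;
}

/* Device RX handler: in loopback mode the NIC hands the frame back to itself. */
static ssize_t nic_receive(NIC *nic, const uint8_t *buf, size_t len)
{
    ssize_t ret = (ssize_t)len;
    if (++nic->depth > nic->max_depth) nic->max_depth = nic->depth;
    if (nic->loopback && nic->depth < MAX_DEPTH)
        ret = nic->use_guard ? guarded_receive(nic, buf, len)
                             : nic->receive(nic, buf, len); /* direct call: the bypass */
    nic->depth--;
    return ret;
}

/* Deliver one constructed frame; return the deepest recursion reached. */
int loopback_max_depth(bool use_guard, int *queued)
{
    static const uint8_t frame[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
    NIC nic = { .loopback = true, .use_guard = use_guard, .receive = nic_receive };
    guarded_receive(&nic, frame, sizeof frame);
    *queued = nic.queued;
    return nic.max_depth;
}
```

Without the guard the recursion only stops at the artificial MAX_DEPTH; with it the looped-back frame is deferred after the first delivery instead of re-entering the handler.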


