Re: [PATCH 1/6] net: introduce qemu_receive_packet() - Philippe Mathieu-Daudé

From: "Philippe Mathieu-Daudé" <philmd@redhat.com>
To: Jason Wang <jasowang@redhat.com>, qemu-devel@nongnu.org
Cc: QEMU Security <qemu-security@nongnu.org>, ppandit@redhat.com
Subject: Re: [PATCH 1/6] net: introduce qemu_receive_packet()
Date: Wed, 24 Feb 2021 11:11:12 +0100	[thread overview]
Message-ID: <9e432ff0-793e-64a7-97f3-ff3a374ee98f@redhat.com> (raw)
In-Reply-To: <20210224055401.492407-2-jasowang@redhat.com>

On 2/24/21 6:53 AM, Jason Wang wrote:
> Some NIC supports loopback mode and this is done by calling
> nc->info->receive() directly which in fact suppresses the effort of
> reentrancy check that is done in qemu_net_queue_send().
> 
> Unfortunately we can use qemu_net_queue_send() here since for loop
> back there's no sender as peer, so this patch introduce a
> qemu_receive_packet() which is used for implementing loopback mode
> for a NIC with this check.

IIUC the guest could trigger an infinite loop and brick the emulated
device model. Likely exhausting the stack, so either SEGV by
corruption or some ENOMEM?

Since this is guest triggerable, shouldn't we contact qemu-security@
list and ask for a CVE for this issue, so distributions can track
the patches to backport in their stable releases? (it seems to be
within the KVM devices boundary).

> 
> NIC that supports loopback mode will be converted to this helper.
> 
> Signed-off-by: Jason Wang <jasowang@redhat.com>
> ---
>  include/net/net.h   |  5 +++++
>  include/net/queue.h |  8 ++++++++
>  net/net.c           | 38 +++++++++++++++++++++++++++++++-------
>  net/queue.c         | 22 ++++++++++++++++++++++
>  4 files changed, 66 insertions(+), 7 deletions(-)