From: Dmitry Fleytman <dmitry.fleytman@gmail.com>
To: Alexander Bulekov <alxndr@bu.edu>
Cc: Jason Wang <jasowang@redhat.com>,
Mauro Matteo Cascella <mcascell@redhat.com>,
qemu-devel@nongnu.org, ezrakiez@gmail.com
Subject: Re: [PATCH 0/2] assertion failure in net_tx_pkt_add_raw_fragment() in hw/net/net_tx_pkt.c
Date: Wed, 29 Jul 2020 11:48:08 +0300 [thread overview]
Message-ID: <AA604F63-C36B-471C-9E0C-F9A84C9595BA@gmail.com> (raw)
In-Reply-To: <20200727172929.5nnasrbvp2gg3yyv@mozz.bu.edu>
Reviewed-by: Dmitry Fleytman <dmitry.fleytman@gmail.com>
The idea looks good to me. I believe it makes sense to do the check in net_tx_pkt_add_raw_fragment() as suggested by Jason.
> On 27 Jul 2020, at 20:29, Alexander Bulekov <alxndr@bu.edu> wrote:
>
> I sent a reproducer for the to the list some time ago, but never created
> a Launchpad bug...
> https://www.mail-archive.com/qemu-devel@nongnu.org/msg701930.html
>
> Anyways.. I can confirm that I can't reproduce the issue with these
> patches.
>
> Minimized Reproducer:
> cat << EOF | ./i386-softmmu/qemu-system-i386 -M pc-q35-5.0 -nographic \
> -display none -serial none -monitor none -qtest stdio
> outl 0xcf8 0x80001010
> outl 0xcfc 0xe1020000
> outl 0xcf8 0x80001004
> outw 0xcfc 0x7
> write 0xe10207e8 0x4 0x25ff13ff
> write 0xe10200b8 0x7 0xe3055e411b0202
> write 0xe1020100 0x5 0x5e411b0202
> write 0xe1020110 0x4 0x1b0202e1
> write 0xe1020118 0x4 0x06fff105
> write 0xe1020128 0x7 0xf3055e411b0202
> write 0xe1020402 0x2 0x5e41
> write 0xe1020420 0x4 0x1b0202e1
> write 0xe1020428 0x4 0x06ff6105
> write 0xe1020438 0x1 0x63
> write 0xe1020439 0x1 0x05
> EOF
>
> -Alex
>
> On 200727 1908, Mauro Matteo Cascella wrote:
>> An assertion failure issue was reported by Mr. Ziming Zhang (CC'd).
>> It occurs in the code that processes network packets while adding data
>> fragments into packet context. This flaw could potentially be abused by
>> a malicious guest to abort the QEMU process on the host. This two patch
>> series does a couple of things:
>>
>> - introduces a new function in net_tx_pkt.{c,h} to check the maximum number
>> of data fragments
>> - adds a check in both e1000e and vmxnet3 devices to skip the packet if the
>> current data fragment exceeds max_raw_frags, preventing
>> net_tx_pkt_add_raw_fragment() to be called with an invalid raw_frags
>>
>> Mauro Matteo Cascella (2):
>> hw/net/net_tx_pkt: add function to check pkt->max_raw_frags
>> hw/net: check max_raw_frags in e1000e and vmxnet3 devices
>>
>> hw/net/e1000e_core.c | 3 ++-
>> hw/net/net_tx_pkt.c | 5 +++++
>> hw/net/net_tx_pkt.h | 8 ++++++++
>> hw/net/vmxnet3.c | 3 ++-
>> 4 files changed, 17 insertions(+), 2 deletions(-)
>>
>> --
>> 2.26.2
>>
>>
prev parent reply other threads:[~2020-07-29 8:49 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-27 17:08 [PATCH 0/2] assertion failure in net_tx_pkt_add_raw_fragment() in hw/net/net_tx_pkt.c Mauro Matteo Cascella
2020-07-27 17:08 ` [PATCH 1/2] hw/net/net_tx_pkt: add function to check pkt->max_raw_frags Mauro Matteo Cascella
2020-07-28 4:06 ` Jason Wang
2020-07-28 16:26 ` Mauro Matteo Cascella
2020-07-30 5:27 ` Jason Wang
2020-07-30 17:05 ` Mauro Matteo Cascella
2020-07-31 3:33 ` Jason Wang
2020-07-27 17:08 ` [PATCH 2/2] hw/net: check max_raw_frags in e1000e and vmxnet3 devices Mauro Matteo Cascella
2020-07-27 17:29 ` [PATCH 0/2] assertion failure in net_tx_pkt_add_raw_fragment() in hw/net/net_tx_pkt.c Alexander Bulekov
2020-07-28 16:59 ` Mauro Matteo Cascella
2020-07-29 8:48 ` Dmitry Fleytman [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=AA604F63-C36B-471C-9E0C-F9A84C9595BA@gmail.com \
--to=dmitry.fleytman@gmail.com \
--cc=alxndr@bu.edu \
--cc=ezrakiez@gmail.com \
--cc=jasowang@redhat.com \
--cc=mcascell@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).