From: "Philippe Mathieu-Daudé" <philmd@linaro.org>
To: qemu-devel@nongnu.org
Cc: "Philippe Mathieu-Daudé" <philmd@linaro.org>,
	qemu-stable@nongnu.org, "Zheyu Ma" <zheyuma97@gmail.com>,
	"Akihiko Odaki" <akihiko.odaki@daynix.com>,
	"Jason Wang" <jasowang@redhat.com>,
	"Dmitry Fleytman" <dmitry.fleytman@gmail.com>
Subject: [PULL 15/16] hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()
Date: Wed, 10 Apr 2024 11:13:14 +0200
Message-ID: <20240410091315.57241-16-philmd@linaro.org>
In-Reply-To: <20240410091315.57241-1-philmd@linaro.org>

If a fragmented packet size is too short, do not try to
calculate its checksum.

Reproduced using:

  $ cat << EOF | qemu-system-i386 -display none -nodefaults \
                                  -machine q35,accel=qtest -m 32M \
                                  -device igb,netdev=net0 \
                                  -netdev user,id=net0 \
                                  -qtest stdio
  outl 0xcf8 0x80000810
  outl 0xcfc 0xe0000000
  outl 0xcf8 0x80000804
  outw 0xcfc 0x06
  write 0xe0000403 0x1 0x02
  writel 0xe0003808 0xffffffff
  write 0xe000381a 0x1 0x5b
  write 0xe000381b 0x1 0x00
  EOF
  Assertion failed: (offset == 0), function iov_from_buf_full, file util/iov.c, line 39.
  #1 0x5575e81e952a in iov_from_buf_full qemu/util/iov.c:39:5
  #2 0x5575e6500768 in net_tx_pkt_update_sctp_checksum qemu/hw/net/net_tx_pkt.c:144:9
  #3 0x5575e659f3e1 in igb_setup_tx_offloads qemu/hw/net/igb_core.c:478:11
  #4 0x5575e659f3e1 in igb_tx_pkt_send qemu/hw/net/igb_core.c:552:10
  #5 0x5575e659f3e1 in igb_process_tx_desc qemu/hw/net/igb_core.c:671:17
  #6 0x5575e659f3e1 in igb_start_xmit qemu/hw/net/igb_core.c:903:9
  #7 0x5575e659f3e1 in igb_set_tdt qemu/hw/net/igb_core.c:2812:5
  #8 0x5575e657d6a4 in igb_core_write qemu/hw/net/igb_core.c:4248:9

Fixes: CVE-2024-3567
Cc: qemu-stable@nongnu.org
Reported-by: Zheyu Ma <zheyuma97@gmail.com>
Fixes: f199b13bc1 ("igb: Implement Tx SCTP CSO")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2273
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Message-Id: <20240410070459.49112-1-philmd@linaro.org>
---
 hw/net/net_tx_pkt.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
index 2134a18c4c..b7b1de816d 100644
--- a/hw/net/net_tx_pkt.c
+++ b/hw/net/net_tx_pkt.c
@@ -141,6 +141,10 @@ bool net_tx_pkt_update_sctp_checksum(struct NetTxPkt *pkt)
     uint32_t csum = 0;
     struct iovec *pl_start_frag = pkt->vec + NET_TX_PKT_PL_START_FRAG;
 
+    if (iov_size(pl_start_frag, pkt->payload_frags) < 8 + sizeof(csum)) {
+        return false;
+    }
+
     if (iov_from_buf(pl_start_frag, pkt->payload_frags, 8, &csum, sizeof(csum)) < sizeof(csum)) {
         return false;
     }
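Review bot: the literal 8 that appears in both the new guard and the existing iov_from_buf() call is the offset of the SCTP checksum field (after the 2-byte source port, 2-byte destination port and 4-byte verification tag); a named constant would make the bound `8 + sizeof(csum)` self-explanatory, or at least a one-line comment on the guard saying it covers the checksum field. Also worth noting in review: once this guard holds, the `< sizeof(csum)` test on the iov_from_buf() return value can no longer fail, since a payload of at least 12 bytes always yields a full 4-byte write at offset 8. Before the guard that test only caught payloads of 8 to 11 bytes, while anything shorter than 8 made iov_from_buf_full() walk off the end of the iov and hit the `assert(offset == 0)` in the backtrace above. Keeping the now-redundant return check is harmless, but the relationship between the two checks deserves a comment.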
-- 
2.41.0
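
The following is an added example and is not QEMU code or part of the patch above. It models the failure the commit message describes: the iov helpers are re-implemented here with the same copy semantics as QEMU's iov_size()/iov_from_buf_full(), except that an offset lying beyond the end of the iov is reported through a flag instead of asserting, so the pre-fix and post-fix shapes of the checksum-field write can be compared on the same inputs. All function names, the SCTP_CSUM_OFFSET constant and the payload bytes are assumptions made for the demonstration; the 8-byte checksum offset itself is the SCTP common-header layout.

```c
/* Added example, not QEMU code: compare the unguarded and guarded
 * SCTP checksum-field write on short and split payloads.  iov helpers
 * re-implemented with QEMU-like semantics; running past the end of the
 * iov is reported instead of asserting. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/uio.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))
/* SCTP common header: src port(2) + dst port(2) + verification tag(4),
 * then the 4-byte CRC32c checksum.  (Constant name is an assumption.) */
#define SCTP_CSUM_OFFSET 8

enum csum_result { CSUM_OK, CSUM_SHORT, CSUM_ASSERT };

static size_t iov_total(const struct iovec *iov, unsigned cnt)
{
    size_t n = 0;
    for (unsigned i = 0; i < cnt; i++) {
        n += iov[i].iov_len;
    }
    return n;
}

/* Scatter `bytes` from buf into the iov starting at `offset`.  A leftover
 * offset after the loop means it lay beyond the iov: QEMU's
 * iov_from_buf_full() asserts there, this version sets *past_end. */
static size_t iov_write_at(const struct iovec *iov, unsigned cnt, size_t offset,
                           const void *buf, size_t bytes, bool *past_end)
{
    size_t done = 0;
    for (unsigned i = 0; (offset || done < bytes) && i < cnt; i++) {
        if (offset < iov[i].iov_len) {
            size_t len = MIN(iov[i].iov_len - offset, bytes - done);
            memcpy((uint8_t *)iov[i].iov_base + offset,
                   (const uint8_t *)buf + done, len);
            done += len;
            offset = 0;
        } else {
            offset -= iov[i].iov_len;
        }
    }
    *past_end = (offset != 0);
    return done;
}

/* Pre-fix shape: zero the checksum field without checking the length.
 * Payloads shorter than SCTP_CSUM_OFFSET end in CSUM_ASSERT; payloads
 * of 8..11 bytes are only caught by the short-copy test afterwards. */
static enum csum_result zero_csum_unguarded(const struct iovec *iov, unsigned cnt)
{
    uint32_t csum = 0;
    bool past_end;
    size_t n = iov_write_at(iov, cnt, SCTP_CSUM_OFFSET, &csum, sizeof(csum), &past_end);
    if (past_end) {
        return CSUM_ASSERT;
    }
    return n < sizeof(csum) ? CSUM_SHORT : CSUM_OK;
}

/* Post-fix shape: the patch's length guard in front of the same write.
 * Once it holds, the short-copy test inside cannot fail. */
static enum csum_result zero_csum_guarded(const struct iovec *iov, unsigned cnt)
{
    if (iov_total(iov, cnt) < SCTP_CSUM_OFFSET + sizeof(uint32_t)) {
        return CSUM_SHORT;
    }
    return zero_csum_unguarded(iov, cnt);
}

/* The payloads below are constructed for the demo, not captured traffic. */

/* A single 4-byte fragment: shorter than the checksum offset itself. */
static enum csum_result demo_short_fragment(bool guarded)
{
    uint8_t frag[4] = { 0x13, 0x88, 0x13, 0x88 };
    struct iovec iov[1] = { { frag, sizeof frag } };
    return guarded ? zero_csum_guarded(iov, 1) : zero_csum_unguarded(iov, 1);
}

/* Exactly 8 bytes: the offset is consumed, but there is no room for the field. */
static enum csum_result demo_eight_byte_payload(bool guarded)
{
    uint8_t frag[8] = { 0x13, 0x88, 0x13, 0x88, 0xde, 0xad, 0xbe, 0xef };
    struct iovec iov[1] = { { frag, sizeof frag } };
    return guarded ? zero_csum_guarded(iov, 1) : zero_csum_unguarded(iov, 1);
}

/* Full 12-byte common header split 10+2 so the checksum field straddles
 * two fragments; true if it was zeroed and the bytes around it kept. */
static bool demo_split_header_zeroed(void)
{
    uint8_t a[10] = { 0x13, 0x88, 0x13, 0x88, 0xde, 0xad, 0xbe, 0xef, 0xaa, 0xbb };
    uint8_t b[2]  = { 0xcc, 0xdd };
    struct iovec iov[2] = { { a, sizeof a }, { b, sizeof b } };
    if (zero_csum_guarded(iov, 2) != CSUM_OK) {
        return false;
    }
    return a[7] == 0xef && a[8] == 0 && a[9] == 0 && b[0] == 0 && b[1] == 0;
}

int main(void)
{
    printf("4-byte fragment: unguarded=%d guarded=%d (2 = would assert, 1 = rejected)\n",
           demo_short_fragment(false), demo_short_fragment(true));
    printf("8-byte payload:  unguarded=%d guarded=%d\n",
           demo_eight_byte_payload(false), demo_eight_byte_payload(true));
    printf("12-byte split header: checksum zeroed across fragments = %s\n",
           demo_split_header_zeroed() ? "yes" : "no");
    return 0;
}
```

The three inputs map onto the three regions the guard separates: below 8 bytes the unguarded write walks off the iov (the assertion in the backtrace), at 8 to 11 bytes the short-copy test already rejected it, and from 12 bytes on the field is written even when it straddles a fragment boundary, which is why the bound is `8 + sizeof(csum)` rather than just 8.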



2024-04-10  9:12 [PULL 00/16] Misc HW patches for 2024-04-10 Philippe Mathieu-Daudé
2024-04-10  9:13 ` [PULL 01/16] hw/virtio: Introduce virtio_bh_new_guarded() helper Philippe Mathieu-Daudé
2024-04-10  9:13 ` [PULL 02/16] hw/display/virtio-gpu: Protect from DMA re-entrancy bugs Philippe Mathieu-Daudé
2024-04-10  9:13 ` [PULL 03/16] hw/char/virtio-serial-bus: " Philippe Mathieu-Daudé
2024-04-10  9:13 ` [PULL 04/16] hw/virtio/virtio-crypto: " Philippe Mathieu-Daudé
2024-04-10  9:13 ` [PULL 05/16] qemu-options: Fix CXL Fixed Memory Window interleave-granularity typo Philippe Mathieu-Daudé
2024-04-10  9:13 ` [PULL 06/16] hw/block/nand: Factor nand_load_iolen() method out Philippe Mathieu-Daudé
2024-04-10  9:13 ` [PULL 07/16] hw/block/nand: Have blk_load() take unsigned offset and return boolean Philippe Mathieu-Daudé
2024-04-10  9:13 ` [PULL 08/16] hw/block/nand: Fix out-of-bound access in NAND block buffer Philippe Mathieu-Daudé
2024-04-10  9:13 ` [PULL 09/16] hw/misc/applesmc: Do not call DeviceReset from DeviceRealize Philippe Mathieu-Daudé
2024-04-10  9:13 ` [PULL 10/16] hw/misc/applesmc: Fix memory leak in reset() handler Philippe Mathieu-Daudé
2024-04-10  9:13 ` [PULL 11/16] backends/cryptodev: Do not abort for invalid session ID Philippe Mathieu-Daudé
2024-04-10  9:13 ` [PULL 12/16] hw/net/lan9118: Replace magic '2048' value by MIL_TXFIFO_SIZE definition Philippe Mathieu-Daudé
2024-04-10  9:13 ` [PULL 13/16] hw/net/lan9118: Fix overflow in MIL TX FIFO Philippe Mathieu-Daudé
2024-04-10  9:13 ` [PULL 14/16] hw/sd/sdhci: Do not update TRNMOD when Command Inhibit (DAT) is set Philippe Mathieu-Daudé
2024-04-10  9:13 ` Philippe Mathieu-Daudé [this message]
2024-04-10  9:13 ` [PULL 16/16] hw/audio/virtio-snd: Remove unused assignment Philippe Mathieu-Daudé
2024-04-10 15:08 ` [PULL 00/16] Misc HW patches for 2024-04-10 Peter Maydell
