[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] net: check payload length limit for all frames
From: |
Alexander Bulekov |
Subject: |
Re: [PATCH] net: check payload length limit for all frames |
Date: |
Mon, 20 Jul 2020 10:02:57 -0400 |
User-agent: |
NeoMutt/20180716 |
On 200720 1946, Li Qiang wrote:
>
> This seems is the same issue as LP#1886362 .
> Look at the free path.
> Here the 'e1000e_write_to_rx_buffers' trigger DMA and then go to
> address space dispatch. So the DMA is not RAM but a MMIO range.
> Then we go to another send path, and in that we frees the 'iov'.
>
> Alex do you tried my patch to solve LP#1886362 ?
> I have tried it and it seems no this UAF triggered.
Hi Li,
I think the bugs are triggered in a similar way, and they stem from the
same underlying issue (the code wasn't designed to read/write to its own
MMIO range), but the actual UAFs are different.
I agree that your patch should fix all of these types of bugs in the
e1000e.
Thanks
-Alex
> Thanks,
> Li Qiang
>
>
> > previously allocated by thread T0 here:
> > #0 0x561dd231130d in malloc
> > (/home/alxndr/Development/qemu/build-asan/i386-softmmu/qemu-system-i386+0x2bb630d)
> > #1 0x7f58c023d500 in g_malloc
> > (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54500)
> > #2 0x561dd43d0666 in net_rx_pkt_pull_data
> > /home/alxndr/Development/qemu/hw/net/net_rx_pkt.c:103:9
> > #3 0x561dd43d2cf6 in net_rx_pkt_attach_iovec_ex
> > /home/alxndr/Development/qemu/hw/net/net_rx_pkt.c:158:5
> > #4 0x561dd440360f in e1000e_receive_iov
> > /home/alxndr/Development/qemu/hw/net/e1000e_core.c:1695:5
> > #5 0x561dd43fd91a in e1000e_nc_receive_iov
> > /home/alxndr/Development/qemu/hw/net/e1000e.c:213:12
> > #6 0x561dd43c82e7 in net_tx_pkt_sendv
> > /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:553:9
> > #7 0x561dd43c65e6 in net_tx_pkt_send
> > /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:629:9
> > #8 0x561dd43c9c78 in net_tx_pkt_send_loopback
> > /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:642:11
> > #9 0x561dd4472cf6 in e1000e_tx_pkt_send
> > /home/alxndr/Development/qemu/hw/net/e1000e_core.c:664:16
> > #10 0x561dd446f296 in e1000e_process_tx_desc
> > /home/alxndr/Development/qemu/hw/net/e1000e_core.c:743:17
> > #11 0x561dd446ce68 in e1000e_start_xmit
> > /home/alxndr/Development/qemu/hw/net/e1000e_core.c:934:9
> > #12 0x561dd445635d in e1000e_set_tdt
> > /home/alxndr/Development/qemu/hw/net/e1000e_core.c:2451:9
> > #13 0x561dd440f19e in e1000e_core_write
> > /home/alxndr/Development/qemu/hw/net/e1000e_core.c:3265:9
> > #14 0x561dd43f77b7 in e1000e_mmio_write
> > /home/alxndr/Development/qemu/hw/net/e1000e.c:109:5
> > #15 0x561dd2ff62a3 in memory_region_write_accessor
> > /home/alxndr/Development/qemu/softmmu/memory.c:483:5
> > #16 0x561dd2ff5747 in access_with_adjusted_size
> > /home/alxndr/Development/qemu/softmmu/memory.c:544:18
> > #17 0x561dd2ff3366 in memory_region_dispatch_write
> > /home/alxndr/Development/qemu/softmmu/memory.c:1465:16
> > #18 0x561dd23a5476 in flatview_write_continue
> > /home/alxndr/Development/qemu/exec.c:3176:23
> > #19 0x561dd238de86 in flatview_write
> > /home/alxndr/Development/qemu/exec.c:3216:14
> > #20 0x561dd238d9a7 in address_space_write
> > /home/alxndr/Development/qemu/exec.c:3307:18
> > #21 0x561dd30a43b1 in qtest_process_command
> > /home/alxndr/Development/qemu/softmmu/qtest.c:567:9
> > #22 0x561dd3094b38 in qtest_process_inbuf
> > /home/alxndr/Development/qemu/softmmu/qtest.c:710:9
> > #23 0x561dd30937c5 in qtest_read
> > /home/alxndr/Development/qemu/softmmu/qtest.c:722:5
> > #24 0x561dd5f33993 in qemu_chr_be_write_impl
> > /home/alxndr/Development/qemu/chardev/char.c:188:9
> > #25 0x561dd5f33b17 in qemu_chr_be_write
> > /home/alxndr/Development/qemu/chardev/char.c:200:9
> > #26 0x561dd5f47e03 in fd_chr_read
> > /home/alxndr/Development/qemu/chardev/char-fd.c:68:9
> > #27 0x561dd609c1c4 in qio_channel_fd_source_dispatch
> > /home/alxndr/Development/qemu/io/channel-watch.c:84:12
> > #28 0x7f58c0237897 in g_main_context_dispatch
> > (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e897)
> >
> > Let me know if I can help with anything else!
> > -Alex
> >
> > > Thank you.
> > > --
> > > Prasad J Pandit / Red Hat Product Security Team
> > > 8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
> >
- Re: [PATCH] net: check payload length limit for all frames, (continued)
- Re: [PATCH] net: check payload length limit for all frames, Jason Wang, 2020/07/16
- Re: [PATCH] net: check payload length limit for all frames, P J P, 2020/07/17
- Re: [PATCH] net: check payload length limit for all frames, Jason Wang, 2020/07/17
- Re: [PATCH] net: check payload length limit for all frames, P J P, 2020/07/17
- Re: [PATCH] net: check payload length limit for all frames, Li Qiang, 2020/07/17
- Re: [PATCH] net: check payload length limit for all frames, P J P, 2020/07/19
- Re: [PATCH] net: check payload length limit for all frames, Alexander Bulekov, 2020/07/19
- Re: [PATCH] net: check payload length limit for all frames, Li Qiang, 2020/07/20
- Re: [PATCH] net: check payload length limit for all frames, P J P, 2020/07/20
- Re: [PATCH] net: check payload length limit for all frames, Li Qiang, 2020/07/20
- Re: [PATCH] net: check payload length limit for all frames,
Alexander Bulekov <=