qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 0/2] assertion failure in net_tx_pkt_add_raw_fragment() in hw


From: Mauro Matteo Cascella
Subject: Re: [PATCH 0/2] assertion failure in net_tx_pkt_add_raw_fragment() in hw/net/net_tx_pkt.c
Date: Tue, 28 Jul 2020 18:59:52 +0200

Thank you Alexander for testing the patch and providing the
reproducer. I think you should be credited, along with Ziming, for
independently reporting the same issue.

On Mon, Jul 27, 2020 at 7:40 PM Alexander Bulekov <alxndr@bu.edu> wrote:
>
> I sent a reproducer for the to the list some time ago, but never created
> a Launchpad bug...
> https://www.mail-archive.com/qemu-devel@nongnu.org/msg701930.html
>
> Anyways.. I can confirm that I can't reproduce the issue with these
> patches.
>
> Minimized Reproducer:
> cat << EOF | ./i386-softmmu/qemu-system-i386 -M pc-q35-5.0 -nographic \
> -display none -serial none -monitor none -qtest stdio
> outl 0xcf8 0x80001010
> outl 0xcfc 0xe1020000
> outl 0xcf8 0x80001004
> outw 0xcfc 0x7
> write 0xe10207e8 0x4 0x25ff13ff
> write 0xe10200b8 0x7 0xe3055e411b0202
> write 0xe1020100 0x5 0x5e411b0202
> write 0xe1020110 0x4 0x1b0202e1
> write 0xe1020118 0x4 0x06fff105
> write 0xe1020128 0x7 0xf3055e411b0202
> write 0xe1020402 0x2 0x5e41
> write 0xe1020420 0x4 0x1b0202e1
> write 0xe1020428 0x4 0x06ff6105
> write 0xe1020438 0x1 0x63
> write 0xe1020439 0x1 0x05
> EOF
>
> -Alex
>
> On 200727 1908, Mauro Matteo Cascella wrote:
> > An assertion failure issue was reported by Mr. Ziming Zhang (CC'd).
> > It occurs in the code that processes network packets while adding data
> > fragments into packet context. This flaw could potentially be abused by
> > a malicious guest to abort the QEMU process on the host. This two patch
> > series does a couple of things:
> >
> > - introduces a new function in net_tx_pkt.{c,h} to check the maximum number
> >   of data fragments
> > - adds a check in both e1000e and vmxnet3 devices to skip the packet if the
> >   current data fragment exceeds max_raw_frags, preventing
> >   net_tx_pkt_add_raw_fragment() to be called with an invalid raw_frags
> >
> > Mauro Matteo Cascella (2):
> >   hw/net/net_tx_pkt: add function to check pkt->max_raw_frags
> >   hw/net: check max_raw_frags in e1000e and vmxnet3 devices
> >
> >  hw/net/e1000e_core.c | 3 ++-
> >  hw/net/net_tx_pkt.c  | 5 +++++
> >  hw/net/net_tx_pkt.h  | 8 ++++++++
> >  hw/net/vmxnet3.c     | 3 ++-
> >  4 files changed, 17 insertions(+), 2 deletions(-)
> >
> > --
> > 2.26.2
> >
> >
>


-- 
Mauro Matteo Cascella, Red Hat Product Security
6F78 E20B 5935 928C F0A8  1A9D 4E55 23B8 BB34 10B0




reply via email to

[Prev in Thread] Current Thread [Next in Thread]