Re: [PATCH 0/2] assertion failure in net_tx_pkt_add_raw

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 0/2] assertion failure in net_tx_pkt_add_raw_fragment() in hw

From:	Mauro Matteo Cascella
Subject:	Re: [PATCH 0/2] assertion failure in net_tx_pkt_add_raw_fragment() in hw/net/net_tx_pkt.c
Date:	Tue, 28 Jul 2020 18:59:52 +0200

Thank you Alexander for testing the patch and providing the
reproducer. I think you should be credited, along with Ziming, for
independently reporting the same issue.

On Mon, Jul 27, 2020 at 7:40 PM Alexander Bulekov <alxndr@bu.edu> wrote:
>
> I sent a reproducer for the to the list some time ago, but never created
> a Launchpad bug...
> https://www.mail-archive.com/qemu-devel@nongnu.org/msg701930.html
>
> Anyways.. I can confirm that I can't reproduce the issue with these
> patches.
>
> Minimized Reproducer:
> cat << EOF | ./i386-softmmu/qemu-system-i386 -M pc-q35-5.0 -nographic \
> -display none -serial none -monitor none -qtest stdio
> outl 0xcf8 0x80001010
> outl 0xcfc 0xe1020000
> outl 0xcf8 0x80001004
> outw 0xcfc 0x7
> write 0xe10207e8 0x4 0x25ff13ff
> write 0xe10200b8 0x7 0xe3055e411b0202
> write 0xe1020100 0x5 0x5e411b0202
> write 0xe1020110 0x4 0x1b0202e1
> write 0xe1020118 0x4 0x06fff105
> write 0xe1020128 0x7 0xf3055e411b0202
> write 0xe1020402 0x2 0x5e41
> write 0xe1020420 0x4 0x1b0202e1
> write 0xe1020428 0x4 0x06ff6105
> write 0xe1020438 0x1 0x63
> write 0xe1020439 0x1 0x05
> EOF
>
> -Alex
>
> On 200727 1908, Mauro Matteo Cascella wrote:
> > An assertion failure issue was reported by Mr. Ziming Zhang (CC'd).
> > It occurs in the code that processes network packets while adding data
> > fragments into packet context. This flaw could potentially be abused by
> > a malicious guest to abort the QEMU process on the host. This two patch
> > series does a couple of things:
> >
> > - introduces a new function in net_tx_pkt.{c,h} to check the maximum number
> >   of data fragments
> > - adds a check in both e1000e and vmxnet3 devices to skip the packet if the
> >   current data fragment exceeds max_raw_frags, preventing
> >   net_tx_pkt_add_raw_fragment() to be called with an invalid raw_frags
> >
> > Mauro Matteo Cascella (2):
> >   hw/net/net_tx_pkt: add function to check pkt->max_raw_frags
> >   hw/net: check max_raw_frags in e1000e and vmxnet3 devices
> >
> >  hw/net/e1000e_core.c | 3 ++-
> >  hw/net/net_tx_pkt.c  | 5 +++++
> >  hw/net/net_tx_pkt.h  | 8 ++++++++
> >  hw/net/vmxnet3.c     | 3 ++-
> >  4 files changed, 17 insertions(+), 2 deletions(-)
> >
> > --
> > 2.26.2
> >
> >
>


-- 
Mauro Matteo Cascella, Red Hat Product Security
6F78 E20B 5935 928C F0A8  1A9D 4E55 23B8 BB34 10B0

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH 0/2] assertion failure in net_tx_pkt_add_raw_fragment() in hw/net/net_tx_pkt.c, Mauro Matteo Cascella, 2020/07/27
- [PATCH 1/2] hw/net/net_tx_pkt: add function to check pkt->max_raw_frags, Mauro Matteo Cascella, 2020/07/27
  - Re: [PATCH 1/2] hw/net/net_tx_pkt: add function to check pkt->max_raw_frags, Jason Wang, 2020/07/28
    - Re: [PATCH 1/2] hw/net/net_tx_pkt: add function to check pkt->max_raw_frags, Mauro Matteo Cascella, 2020/07/28
- [PATCH 2/2] hw/net: check max_raw_frags in e1000e and vmxnet3 devices, Mauro Matteo Cascella, 2020/07/27
- Re: [PATCH 0/2] assertion failure in net_tx_pkt_add_raw_fragment() in hw/net/net_tx_pkt.c, Alexander Bulekov, 2020/07/27
  - Re: [PATCH 0/2] assertion failure in net_tx_pkt_add_raw_fragment() in hw/net/net_tx_pkt.c, Mauro Matteo Cascella <=
  - Re: [PATCH 0/2] assertion failure in net_tx_pkt_add_raw_fragment() in hw/net/net_tx_pkt.c, Dmitry Fleytman, 2020/07/29

Prev by Date: Re: [PATCH v1 1/2] qemu-timer: gracefully handle the end of time
Next by Date: Re: [PULL 0/3] Linux user for 5.1 patches
Previous by thread: Re: [PATCH 0/2] assertion failure in net_tx_pkt_add_raw_fragment() in hw/net/net_tx_pkt.c
Next by thread: Re: [PATCH 0/2] assertion failure in net_tx_pkt_add_raw_fragment() in hw/net/net_tx_pkt.c
Index(es):
- Date
- Thread