Re: [PATCH 1/6] net: introduce qemu_receive_packet()

From: Jason Wang
Subject: Re: [PATCH 1/6] net: introduce qemu_receive_packet()
Date: Wed, 24 Feb 2021 21:17:03 +0800
On 2021/2/24 6:11 PM, Philippe Mathieu-Daudé wrote:
On 2/24/21 6:53 AM, Jason Wang wrote:
Some NIC supports loopback mode and this is done by calling
nc->info->receive() directly which in fact suppresses the effort of
reentrancy check that is done in qemu_net_queue_send().

Unfortunately we can use qemu_net_queue_send() here since for loop
back there's no sender as peer, so this patch introduces a
qemu_receive_packet() which is used for implementing loopback mode
for a NIC with this check.
IIUC the guest could trigger an infinite loop and brick the emulated
device model. Likely exhausting the stack, so either SEGV by
corruption or some ENOMEM?


Since this is guest triggerable, shouldn't we contact qemu-security@
list and ask for a CVE for this issue, so distributions can track
the patches to backport in their stable releases? (it seems to be
within the KVM devices boundary).

That's the plan. I discussed this with Prasad before and he promised to ask for a CVE for this.

But it's a known issue, the reentrant DMA which has been discussed before[1]; unfortunately we haven't made any progress. This patch can only fix the NIC RX issue.


[1] https://mail.gnu.org/archive/html/qemu-devel/2020-09/msg00906.html

NIC that supports loopback mode will be converted to this helper.

Signed-off-by: Jason Wang <jasowang@redhat.com>
  include/net/net.h   |  5 +++++
  include/net/queue.h |  8 ++++++++
  net/net.c           | 38 +++++++++++++++++++++++++++++++-------
  net/queue.c         | 22 ++++++++++++++++++++++
  4 files changed, 66 insertions(+), 7 deletions(-)
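The reentrancy check the patch description talks about, as an added toy model in C and not code from this patch or from QEMU: a receive handler that loops the frame straight back into itself recurses once per re-injection when it calls the handler directly, but nests at most once when every re-injection goes through a guarded entry point with a `delivering` flag. The `struct nic`, its flag, and the `budget` counter are assumptions standing in for NetClientState and NetQueue.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model (not QEMU code): a NIC whose receive handler loops the frame back
 * into itself, with and without a NetQueue-style 'delivering' guard. */
struct nic;
typedef size_t (*receive_fn)(struct nic *nc, const uint8_t *buf, size_t len);
struct nic {
    receive_fn receive;   /* stands in for nc->info->receive */
    bool delivering;      /* reentrancy guard, like the queue's flag */
    int budget;           /* how many times the loopback re-injects before it stops */
    int depth, max_depth, deferred;
};

/* Guarded entry point, the analogue of qemu_net_queue_send(): a receive that
 * arrives while one is in progress is counted as queued, never called nested. */
static size_t receive_checked(struct nic *nc, const uint8_t *buf, size_t len)
{
    if (nc->delivering) {
        nc->deferred++;
        return 0;
    }
    nc->delivering = true;
    size_t ret = nc->receive(nc, buf, len);
    nc->delivering = false;
    return ret;
}

/* Loopback handler: re-inject the frame, either directly or via the guard. */
static size_t loopback(struct nic *nc, const uint8_t *buf, size_t len, bool guarded)
{
    nc->depth++;
    if (nc->depth > nc->max_depth)
        nc->max_depth = nc->depth;
    if (nc->budget-- > 0) {
        if (guarded)
            receive_checked(nc, buf, len);   /* queued instead of nested */
        else
            nc->receive(nc, buf, len);       /* direct call: unbounded nesting */
    }
    nc->depth--;
    return len;
}
static size_t loopback_direct(struct nic *nc, const uint8_t *b, size_t n) { return loopback(nc, b, n, false); }
static size_t loopback_guarded(struct nic *nc, const uint8_t *b, size_t n) { return loopback(nc, b, n, true); }

static struct nic run(bool guarded, int budget)
{
    static const uint8_t frame[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; /* constructed sample */
    struct nic nc = { guarded ? loopback_guarded : loopback_direct, false, budget, 0, 0, 0 };
    receive_checked(&nc, frame, sizeof frame);   /* the first delivery always enters via the guard */
    return nc;
}
int loopback_max_depth(bool guarded, int budget) { return run(guarded, budget).max_depth; }
int loopback_deferred(bool guarded, int budget)  { return run(guarded, budget).deferred; }

int main(void)
{
    printf("direct:  depth %d\n", loopback_max_depth(false, 3)); /* 4: budget + 1 */
    printf("guarded: depth %d\n", loopback_max_depth(true, 3));  /* 1 */
    return 0;
}
```

With an unbounded budget the direct case is the stack exhaustion discussed above; the guarded case stays at depth 1 regardless of how many times the frame is looped back.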

