Re: [PATCH] hw/net/net_tx_pkt: Fix crash detected by fuzzer

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] hw/net/net_tx_pkt: Fix crash detected by fuzzer

From:	Pankaj Gupta
Subject:	Re: [PATCH] hw/net/net_tx_pkt: Fix crash detected by fuzzer
Date:	Mon, 19 Jul 2021 08:04:35 +0200

> QEMU currently crashes when it's started like this:
>
> cat << EOF | ./qemu-system-i386 -device vmxnet3 -nodefaults -qtest stdio
> outl 0xcf8 0x80001014
> outl 0xcfc 0xe0001000
> outl 0xcf8 0x80001018
> outl 0xcf8 0x80001004
> outw 0xcfc 0x7
> outl 0xcf8 0x80001083
> write 0x0 0x1 0xe1
> write 0x1 0x1 0xfe
> write 0x2 0x1 0xbe
> write 0x3 0x1 0xba
> writeq 0xe0001020 0xefefff5ecafe0000
> writeq 0xe0001020 0xffff5e5ccafe0002
> EOF
>
> It hits this assertion:
>
> qemu-system-i386: ../qemu/hw/net/net_tx_pkt.c:453: net_tx_pkt_reset:
>  Assertion `pkt->raw' failed.
>
> This happens because net_tx_pkt_init() is called with max_frags == 0 and
> thus the allocation
>
>     p->raw = g_new(struct iovec, max_frags);
>
> results in a NULL pointer that cause the
>
>     assert(pkt->raw);
>
> in net_tx_pkt_reset() to fail later. To fix this issue we can check
> that max_raw_frags was not zero before asserting that pkt->raw is
> a non-NULL pointer.
>
> Buglink: https://bugs.launchpad.net/qemu/+bug/1890157
> Signed-off-by: Thomas Huth <thuth@redhat.com>
> ---
>  hw/net/net_tx_pkt.c | 12 +++++++-----
>  1 file changed, 7 insertions(+), 5 deletions(-)
>
> diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
> index 1f9aa59eca..1cb1125d9f 100644
> --- a/hw/net/net_tx_pkt.c
> +++ b/hw/net/net_tx_pkt.c
> @@ -450,11 +450,13 @@ void net_tx_pkt_reset(struct NetTxPkt *pkt)
>      pkt->payload_len = 0;
>      pkt->payload_frags = 0;
>
> -    assert(pkt->raw);
> -    for (i = 0; i < pkt->raw_frags; i++) {
> -        assert(pkt->raw[i].iov_base);
> -        pci_dma_unmap(pkt->pci_dev, pkt->raw[i].iov_base, 
> pkt->raw[i].iov_len,
> -                      DMA_DIRECTION_TO_DEVICE, 0);
> +    if (pkt->max_raw_frags > 0) {
> +        assert(pkt->raw);
> +        for (i = 0; i < pkt->raw_frags; i++) {
> +            assert(pkt->raw[i].iov_base);
> +            pci_dma_unmap(pkt->pci_dev, pkt->raw[i].iov_base,
> +                          pkt->raw[i].iov_len, DMA_DIRECTION_TO_DEVICE, 0);
> +        }
>      }
>      pkt->raw_frags = 0;
>

Reviewed-by: Pankaj Gupta <pankaj.gupta@ionos.com>

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH] hw/net/net_tx_pkt: Fix crash detected by fuzzer, Thomas Huth, 2021/07/15
- Re: [PATCH] hw/net/net_tx_pkt: Fix crash detected by fuzzer, Philippe Mathieu-Daudé, 2021/07/15
- Re: [PATCH] hw/net/net_tx_pkt: Fix crash detected by fuzzer, Pankaj Gupta <=
- Re: [PATCH] hw/net/net_tx_pkt: Fix crash detected by fuzzer, Jason Wang, 2021/07/22

Prev by Date: RE: [PATCH v2] migration: clear the memory region dirty bitmap when skipping free pages
Next by Date: RE: [PATCH 1/2] virtio-gpu: splitting one extended mode guest fb into n-scanouts
Previous by thread: Re: [PATCH] hw/net/net_tx_pkt: Fix crash detected by fuzzer
Next by thread: Re: [PATCH] hw/net/net_tx_pkt: Fix crash detected by fuzzer
Index(es):
- Date
- Thread