Re: [PATCH] hw/net: Discard overly fragmented packets
From: Philippe Mathieu-Daudé
Subject: Re: [PATCH] hw/net: Discard overly fragmented packets
Date: Tue, 6 Jul 2021 11:09:22 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
Hi Mauro,
On 7/6/21 11:00 AM, Mauro Matteo Cascella wrote:
> Hello Philippe,
>
> I think you don't need root privileges to craft such a highly
> fragmented packet from within the guest (tools like hping3 or nmap
> come to mind). Right? If so, we may consider allocating a CVE for this
> bug. If not, this is not CVE worthy - root does not need an assertion
> failure to cause damage to the system.
Thanks for worrying about CVE. I have no clue, so I'll
defer that question to Andrew, Dmitry and Jason.
Regards,
Phil.
> On Mon, Jul 5, 2021 at 10:40 AM Philippe Mathieu-Daudé
> <philmd@redhat.com> wrote:
>>
>> Our infrastructure can handle fragmented packets up to
>> NET_MAX_FRAG_SG_LIST (64) pieces. This hard limit has
>> been proven enough in production for years. If it is
>> reached, it is likely an evil crafted packet. Discard it.
>>
>> Include the qtest reproducer provided by Alexander Bulekov:
>>
>> $ make check-qtest-i386
>> ...
>> Running test qtest-i386/fuzz-vmxnet3-test
>> qemu-system-i386: net/eth.c:334: void eth_setup_ip4_fragmentation(const
>> void *, size_t, void *, size_t, size_t, size_t, _Bool):
>> Assertion `frag_offset % IP_FRAG_UNIT_SIZE == 0' failed.
>>
>> Cc: qemu-stable@nongnu.org
>> Reported-by: OSS-Fuzz (Issue 35799)
>> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/460
>> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
>> ---
>> hw/net/net_tx_pkt.c | 8 ++
>> tests/qtest/fuzz-vmxnet3-test.c | 195 ++++++++++++++++++++++++++++++++
>> MAINTAINERS | 1 +
>> tests/qtest/meson.build | 1 +
>> 4 files changed, 205 insertions(+)
>> create mode 100644 tests/qtest/fuzz-vmxnet3-test.c
>>
>> diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
>> index 1f9aa59eca2..77e9729a7ba 100644
>> --- a/hw/net/net_tx_pkt.c
>> +++ b/hw/net/net_tx_pkt.c
>> @@ -590,6 +590,14 @@ static bool net_tx_pkt_do_sw_fragmentation(struct
>> NetTxPkt *pkt,
>> fragment_len = net_tx_pkt_fetch_fragment(pkt, &src_idx, &src_offset,
>> fragment, &dst_idx);
>>
>> + if (dst_idx == NET_MAX_FRAG_SG_LIST && fragment_len > 0) {
>> + /*
>> + * The packet is too fragmented for our infrastructure
>> + * (not enough iovec), don't even try to send.
>> + */
>> + return false;
>> + }
>> +
>> more_frags = (fragment_offset + fragment_len < pkt->payload_len);
>>
>> eth_setup_ip4_fragmentation(l2_iov_base, l2_iov_len, l3_iov_base,
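Review bot: the new guard `if (dst_idx == NET_MAX_FRAG_SG_LIST && fragment_len > 0)` drops the packet with a bare `return false`, so a guest that keeps hitting the limit leaves no signal on the host side; since the commit message itself describes such a packet as "likely an evil crafted packet", a trace event or rate-limited log next to the `return false` would let operators notice the discards. Two smaller points on the same lines: `==` is only safe as long as `net_tx_pkt_fetch_fragment()` can never advance `dst_idx` past `NET_MAX_FRAG_SG_LIST`, so `>=` would be the more defensive comparison, and the in-code comment explains "not enough iovec" but not why `fragment_len > 0` is part of the condition (presumably a zero-length fetch with a full list means the payload is already consumed), which is worth one more sentence for the next reader.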