| Message ID | 20200727170838.1101775-1-mcascell@redhat.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | assertion failure in net_tx_pkt_add_raw_fragment() in hw/net/net_tx_pkt.c | expand |
I sent a reproducer for the to the list some time ago, but never created a Launchpad bug... https://www.mail-archive.com/qemu-devel@nongnu.org/msg701930.html Anyways.. I can confirm that I can't reproduce the issue with these patches. Minimized Reproducer: cat << EOF | ./i386-softmmu/qemu-system-i386 -M pc-q35-5.0 -nographic \ -display none -serial none -monitor none -qtest stdio outl 0xcf8 0x80001010 outl 0xcfc 0xe1020000 outl 0xcf8 0x80001004 outw 0xcfc 0x7 write 0xe10207e8 0x4 0x25ff13ff write 0xe10200b8 0x7 0xe3055e411b0202 write 0xe1020100 0x5 0x5e411b0202 write 0xe1020110 0x4 0x1b0202e1 write 0xe1020118 0x4 0x06fff105 write 0xe1020128 0x7 0xf3055e411b0202 write 0xe1020402 0x2 0x5e41 write 0xe1020420 0x4 0x1b0202e1 write 0xe1020428 0x4 0x06ff6105 write 0xe1020438 0x1 0x63 write 0xe1020439 0x1 0x05 EOF -Alex On 200727 1908, Mauro Matteo Cascella wrote: > An assertion failure issue was reported by Mr. Ziming Zhang (CC'd). > It occurs in the code that processes network packets while adding data > fragments into packet context. This flaw could potentially be abused by > a malicious guest to abort the QEMU process on the host. This two patch > series does a couple of things: > > - introduces a new function in net_tx_pkt.{c,h} to check the maximum number > of data fragments > - adds a check in both e1000e and vmxnet3 devices to skip the packet if the > current data fragment exceeds max_raw_frags, preventing > net_tx_pkt_add_raw_fragment() to be called with an invalid raw_frags > > Mauro Matteo Cascella (2): > hw/net/net_tx_pkt: add function to check pkt->max_raw_frags > hw/net: check max_raw_frags in e1000e and vmxnet3 devices > > hw/net/e1000e_core.c | 3 ++- > hw/net/net_tx_pkt.c | 5 +++++ > hw/net/net_tx_pkt.h | 8 ++++++++ > hw/net/vmxnet3.c | 3 ++- > 4 files changed, 17 insertions(+), 2 deletions(-) > > -- > 2.26.2 > >
Thank you Alexander for testing the patch and providing the reproducer. I think you should be credited, along with Ziming, for independently reporting the same issue. On Mon, Jul 27, 2020 at 7:40 PM Alexander Bulekov <alxndr@bu.edu> wrote: > > I sent a reproducer for the to the list some time ago, but never created > a Launchpad bug... > https://www.mail-archive.com/qemu-devel@nongnu.org/msg701930.html > > Anyways.. I can confirm that I can't reproduce the issue with these > patches. > > Minimized Reproducer: > cat << EOF | ./i386-softmmu/qemu-system-i386 -M pc-q35-5.0 -nographic \ > -display none -serial none -monitor none -qtest stdio > outl 0xcf8 0x80001010 > outl 0xcfc 0xe1020000 > outl 0xcf8 0x80001004 > outw 0xcfc 0x7 > write 0xe10207e8 0x4 0x25ff13ff > write 0xe10200b8 0x7 0xe3055e411b0202 > write 0xe1020100 0x5 0x5e411b0202 > write 0xe1020110 0x4 0x1b0202e1 > write 0xe1020118 0x4 0x06fff105 > write 0xe1020128 0x7 0xf3055e411b0202 > write 0xe1020402 0x2 0x5e41 > write 0xe1020420 0x4 0x1b0202e1 > write 0xe1020428 0x4 0x06ff6105 > write 0xe1020438 0x1 0x63 > write 0xe1020439 0x1 0x05 > EOF > > -Alex > > On 200727 1908, Mauro Matteo Cascella wrote: > > An assertion failure issue was reported by Mr. Ziming Zhang (CC'd). > > It occurs in the code that processes network packets while adding data > > fragments into packet context. This flaw could potentially be abused by > > a malicious guest to abort the QEMU process on the host. This two patch > > series does a couple of things: > > > > - introduces a new function in net_tx_pkt.{c,h} to check the maximum number > > of data fragments > > - adds a check in both e1000e and vmxnet3 devices to skip the packet if the > > current data fragment exceeds max_raw_frags, preventing > > net_tx_pkt_add_raw_fragment() to be called with an invalid raw_frags > > > > Mauro Matteo Cascella (2): > > hw/net/net_tx_pkt: add function to check pkt->max_raw_frags > > hw/net: check max_raw_frags in e1000e and vmxnet3 devices > > > > hw/net/e1000e_core.c | 3 ++- > > hw/net/net_tx_pkt.c | 5 +++++ > > hw/net/net_tx_pkt.h | 8 ++++++++ > > hw/net/vmxnet3.c | 3 ++- > > 4 files changed, 17 insertions(+), 2 deletions(-) > > > > -- > > 2.26.2 > > > > >
Reviewed-by: Dmitry Fleytman <dmitry.fleytman@gmail.com> The idea looks good to me. I believe it makes sense to do the check in net_tx_pkt_add_raw_fragment() as suggested by Jason. > On 27 Jul 2020, at 20:29, Alexander Bulekov <alxndr@bu.edu> wrote: > > I sent a reproducer for the to the list some time ago, but never created > a Launchpad bug... > https://www.mail-archive.com/qemu-devel@nongnu.org/msg701930.html > > Anyways.. I can confirm that I can't reproduce the issue with these > patches. > > Minimized Reproducer: > cat << EOF | ./i386-softmmu/qemu-system-i386 -M pc-q35-5.0 -nographic \ > -display none -serial none -monitor none -qtest stdio > outl 0xcf8 0x80001010 > outl 0xcfc 0xe1020000 > outl 0xcf8 0x80001004 > outw 0xcfc 0x7 > write 0xe10207e8 0x4 0x25ff13ff > write 0xe10200b8 0x7 0xe3055e411b0202 > write 0xe1020100 0x5 0x5e411b0202 > write 0xe1020110 0x4 0x1b0202e1 > write 0xe1020118 0x4 0x06fff105 > write 0xe1020128 0x7 0xf3055e411b0202 > write 0xe1020402 0x2 0x5e41 > write 0xe1020420 0x4 0x1b0202e1 > write 0xe1020428 0x4 0x06ff6105 > write 0xe1020438 0x1 0x63 > write 0xe1020439 0x1 0x05 > EOF > > -Alex > > On 200727 1908, Mauro Matteo Cascella wrote: >> An assertion failure issue was reported by Mr. Ziming Zhang (CC'd). >> It occurs in the code that processes network packets while adding data >> fragments into packet context. This flaw could potentially be abused by >> a malicious guest to abort the QEMU process on the host. This two patch >> series does a couple of things: >> >> - introduces a new function in net_tx_pkt.{c,h} to check the maximum number >> of data fragments >> - adds a check in both e1000e and vmxnet3 devices to skip the packet if the >> current data fragment exceeds max_raw_frags, preventing >> net_tx_pkt_add_raw_fragment() to be called with an invalid raw_frags >> >> Mauro Matteo Cascella (2): >> hw/net/net_tx_pkt: add function to check pkt->max_raw_frags >> hw/net: check max_raw_frags in e1000e and vmxnet3 devices >> >> hw/net/e1000e_core.c | 3 ++- >> hw/net/net_tx_pkt.c | 5 +++++ >> hw/net/net_tx_pkt.h | 8 ++++++++ >> hw/net/vmxnet3.c | 3 ++- >> 4 files changed, 17 insertions(+), 2 deletions(-) >> >> -- >> 2.26.2 >> >>
An assertion failure issue was reported by Mr. Ziming Zhang (CC'd). It occurs in the code that processes network packets while adding data fragments into packet context. This flaw could potentially be abused by a malicious guest to abort the QEMU process on the host. This two patch series does a couple of things: - introduces a new function in net_tx_pkt.{c,h} to check the maximum number of data fragments - adds a check in both e1000e and vmxnet3 devices to skip the packet if the current data fragment exceeds max_raw_frags, preventing net_tx_pkt_add_raw_fragment() to be called with an invalid raw_frags Mauro Matteo Cascella (2): hw/net/net_tx_pkt: add function to check pkt->max_raw_frags hw/net: check max_raw_frags in e1000e and vmxnet3 devices hw/net/e1000e_core.c | 3 ++- hw/net/net_tx_pkt.c | 5 +++++ hw/net/net_tx_pkt.h | 8 ++++++++ hw/net/vmxnet3.c | 3 ++- 4 files changed, 17 insertions(+), 2 deletions(-)