[V4,00/10] Detect reentrant RX casued by loopback

Message ID	20210305062638.6749-1-jasowang@redhat.com (mailing list archive)
Headers	show Return-Path: <SRS0=6Jgg=ID=nongnu.org=qemu-devel-bounces+qemu-devel=archiver.kernel.org@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 7296A64F23 From: Jason Wang <jasowang@redhat.com> To: qemu-devel@nongnu.org, qemu-security@nongnu.org Subject: [PATCH V4 00/10] Detect reentrant RX casued by loopback Date: Fri, 5 Mar 2021 14:26:28 +0800 Message-Id: <20210305062638.6749-1-jasowang@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=170.10.133.124; envelope-from=jasowang@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no X-Spam_action: no action Precedence: list Cc: alxndr@bu.edu, Jason Wang <jasowang@redhat.com>, philmd@redhat.com, ppandit@redhat.com Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org>
Series	Detect reentrant RX casued by loopback \| expand [V4,00/10] Detect reentrant RX casued by loopback [V4,01/10] net: introduce qemu_receive_packet() [V4,02/10] e1000: switch to use qemu_receive_packet() for loopback [V4,03/10] dp8393x: switch to use qemu_receive_packet() for loopback packet [V4,04/10] msf2-mac: switch to use qemu_receive_packet() for loopback [V4,05/10] sungem: switch to use qemu_receive_packet() for loopback [V4,06/10] tx_pkt: switch to use qemu_receive_packet_iov() for loopback [V4,07/10] rtl8139: switch to use qemu_receive_packet() for loopback [V4,08/10] pcnet: switch to use qemu_receive_packet() for loopback [V4,09/10] cadence_gem: switch to use qemu_receive_packet() for loopback [V4,10/10] lan9118: switch to use qemu_receive_packet() for loopback

Jason Wang March 5, 2021, 6:26 a.m. UTC

Hi All:

Followed by commit 22dc8663d9 ("net: forbid the reentrant RX"), we
still need to fix the issues casued by loopback mode where the NIC
usually it via calling nc->info->receive() directly.

The fix is to introduce new network helper and check the
queue->delivering.

This series addresses CVE-2021-3416.

Thanks

Changes since V3:
- clarify CVE number in the commit log
- ident fix

Changes since V2:
- add more fixes from Alexander

Changes since V1:

- Fix dp8393x compiling
- Add rtl8139 fix
- Tweak the commit log
- Silent patchew warning

Alexander Bulekov (4):
  rtl8139: switch to use qemu_receive_packet() for loopback
  pcnet: switch to use qemu_receive_packet() for loopback
  cadence_gem: switch to use qemu_receive_packet() for loopback
  lan9118: switch to use qemu_receive_packet() for loopback

Jason Wang (6):
  net: introduce qemu_receive_packet()
  e1000: switch to use qemu_receive_packet() for loopback
  dp8393x: switch to use qemu_receive_packet() for loopback packet
  msf2-mac: switch to use qemu_receive_packet() for loopback
  sungem: switch to use qemu_receive_packet() for loopback
  tx_pkt: switch to use qemu_receive_packet_iov() for loopback

 hw/net/cadence_gem.c |  4 ++--
 hw/net/dp8393x.c     |  2 +-
 hw/net/e1000.c       |  2 +-
 hw/net/lan9118.c     |  2 +-
 hw/net/msf2-emac.c   |  2 +-
 hw/net/net_tx_pkt.c  |  2 +-
 hw/net/pcnet.c       |  2 +-
 hw/net/rtl8139.c     |  2 +-
 hw/net/sungem.c      |  2 +-
 include/net/net.h    |  5 +++++
 include/net/queue.h  |  8 ++++++++
 net/net.c            | 38 +++++++++++++++++++++++++++++++-------
 net/queue.c          | 22 ++++++++++++++++++++++
 13 files changed, 76 insertions(+), 17 deletions(-)

Prasad Pandit March 5, 2021, 6:39 a.m. UTC | #1

Hello all,

Just to note:

* Let's use <qemu-security> list to review non-public/embargoed patch(es) only.

* If patch(es) is being reviewed publicly on <qemu-devel> list,
  CC'ing <qemu-security> list does not help much.


Thank you.
---
  -P J P
http://feedmug.com

Jason Wang March 5, 2021, 6:44 a.m. UTC | #2

On 2021/3/5 2:39 下午, P J P wrote:
> Hello all,
>
> Just to note:
>
> * Let's use <qemu-security> list to review non-public/embargoed patch(es) only.
>
> * If patch(es) is being reviewed publicly on <qemu-devel> list,
>    CC'ing <qemu-security> list does not help much.
>
>
> Thank you.
> ---
>    -P J P
> http://feedmug.com


I see.

Thanks

Philippe Mathieu-Daudé March 5, 2021, 9:38 a.m. UTC | #3

On 3/5/21 7:26 AM, Jason Wang wrote:
> Hi All:
> 
> Followed by commit 22dc8663d9 ("net: forbid the reentrant RX"), we
> still need to fix the issues casued by loopback mode where the NIC
> usually it via calling nc->info->receive() directly.
> 
> The fix is to introduce new network helper and check the
> queue->delivering.
> 
> This series addresses CVE-2021-3416.
> 
> Thanks
> 
> Changes since V3:
> - clarify CVE number in the commit log
> - ident fix
> 
> Changes since V2:
> - add more fixes from Alexander
> 
> Changes since V1:
> 
> - Fix dp8393x compiling
> - Add rtl8139 fix
> - Tweak the commit log
> - Silent patchew warning
> 
> Alexander Bulekov (4):
>   rtl8139: switch to use qemu_receive_packet() for loopback
>   pcnet: switch to use qemu_receive_packet() for loopback
>   cadence_gem: switch to use qemu_receive_packet() for loopback
>   lan9118: switch to use qemu_receive_packet() for loopback
> 
> Jason Wang (6):
>   net: introduce qemu_receive_packet()
>   e1000: switch to use qemu_receive_packet() for loopback
>   dp8393x: switch to use qemu_receive_packet() for loopback packet
>   msf2-mac: switch to use qemu_receive_packet() for loopback
>   sungem: switch to use qemu_receive_packet() for loopback
>   tx_pkt: switch to use qemu_receive_packet_iov() for loopback
> 
>  hw/net/cadence_gem.c |  4 ++--
>  hw/net/dp8393x.c     |  2 +-
>  hw/net/e1000.c       |  2 +-
>  hw/net/lan9118.c     |  2 +-
>  hw/net/msf2-emac.c   |  2 +-
>  hw/net/net_tx_pkt.c  |  2 +-
>  hw/net/pcnet.c       |  2 +-
>  hw/net/rtl8139.c     |  2 +-
>  hw/net/sungem.c      |  2 +-
>  include/net/net.h    |  5 +++++
>  include/net/queue.h  |  8 ++++++++
>  net/net.c            | 38 +++++++++++++++++++++++++++++++-------
>  net/queue.c          | 22 ++++++++++++++++++++++
>  13 files changed, 76 insertions(+), 17 deletions(-)
> 

LGTM, maybe worth adding the "Cc: qemu-stable@nongnu.org" tag
when applying.

Jason Wang March 8, 2021, 3:26 a.m. UTC | #4

On 2021/3/5 5:38 下午, Philippe Mathieu-Daudé wrote:
> On 3/5/21 7:26 AM, Jason Wang wrote:
>> Hi All:
>>
>> Followed by commit 22dc8663d9 ("net: forbid the reentrant RX"), we
>> still need to fix the issues casued by loopback mode where the NIC
>> usually it via calling nc->info->receive() directly.
>>
>> The fix is to introduce new network helper and check the
>> queue->delivering.
>>
>> This series addresses CVE-2021-3416.
>>
>> Thanks
>>
>> Changes since V3:
>> - clarify CVE number in the commit log
>> - ident fix
>>
>> Changes since V2:
>> - add more fixes from Alexander
>>
>> Changes since V1:
>>
>> - Fix dp8393x compiling
>> - Add rtl8139 fix
>> - Tweak the commit log
>> - Silent patchew warning
>>
>> Alexander Bulekov (4):
>>    rtl8139: switch to use qemu_receive_packet() for loopback
>>    pcnet: switch to use qemu_receive_packet() for loopback
>>    cadence_gem: switch to use qemu_receive_packet() for loopback
>>    lan9118: switch to use qemu_receive_packet() for loopback
>>
>> Jason Wang (6):
>>    net: introduce qemu_receive_packet()
>>    e1000: switch to use qemu_receive_packet() for loopback
>>    dp8393x: switch to use qemu_receive_packet() for loopback packet
>>    msf2-mac: switch to use qemu_receive_packet() for loopback
>>    sungem: switch to use qemu_receive_packet() for loopback
>>    tx_pkt: switch to use qemu_receive_packet_iov() for loopback
>>
>>   hw/net/cadence_gem.c |  4 ++--
>>   hw/net/dp8393x.c     |  2 +-
>>   hw/net/e1000.c       |  2 +-
>>   hw/net/lan9118.c     |  2 +-
>>   hw/net/msf2-emac.c   |  2 +-
>>   hw/net/net_tx_pkt.c  |  2 +-
>>   hw/net/pcnet.c       |  2 +-
>>   hw/net/rtl8139.c     |  2 +-
>>   hw/net/sungem.c      |  2 +-
>>   include/net/net.h    |  5 +++++
>>   include/net/queue.h  |  8 ++++++++
>>   net/net.c            | 38 +++++++++++++++++++++++++++++++-------
>>   net/queue.c          | 22 ++++++++++++++++++++++
>>   13 files changed, 76 insertions(+), 17 deletions(-)
>>
> LGTM, maybe worth adding the "Cc: qemu-stable@nongnu.org" tag
> when applying.


Yes, will do.

Thanks


>

Jason Wang March 8, 2021, 3:55 a.m. UTC | #5

On 2021/3/5 2:26 下午, Jason Wang wrote:
> Hi All:
>
> Followed by commit 22dc8663d9 ("net: forbid the reentrant RX"), we
> still need to fix the issues casued by loopback mode where the NIC
> usually it via calling nc->info->receive() directly.
>
> The fix is to introduce new network helper and check the
> queue->delivering.
>
> This series addresses CVE-2021-3416.
>
> Thanks


So, I've queued this series with stable cced.

Thanks


>
> Changes since V3:
> - clarify CVE number in the commit log
> - ident fix
>
> Changes since V2:
> - add more fixes from Alexander
>
> Changes since V1:
>
> - Fix dp8393x compiling
> - Add rtl8139 fix
> - Tweak the commit log
> - Silent patchew warning
>
> Alexander Bulekov (4):
>    rtl8139: switch to use qemu_receive_packet() for loopback
>    pcnet: switch to use qemu_receive_packet() for loopback
>    cadence_gem: switch to use qemu_receive_packet() for loopback
>    lan9118: switch to use qemu_receive_packet() for loopback
>
> Jason Wang (6):
>    net: introduce qemu_receive_packet()
>    e1000: switch to use qemu_receive_packet() for loopback
>    dp8393x: switch to use qemu_receive_packet() for loopback packet
>    msf2-mac: switch to use qemu_receive_packet() for loopback
>    sungem: switch to use qemu_receive_packet() for loopback
>    tx_pkt: switch to use qemu_receive_packet_iov() for loopback
>
>   hw/net/cadence_gem.c |  4 ++--
>   hw/net/dp8393x.c     |  2 +-
>   hw/net/e1000.c       |  2 +-
>   hw/net/lan9118.c     |  2 +-
>   hw/net/msf2-emac.c   |  2 +-
>   hw/net/net_tx_pkt.c  |  2 +-
>   hw/net/pcnet.c       |  2 +-
>   hw/net/rtl8139.c     |  2 +-
>   hw/net/sungem.c      |  2 +-
>   include/net/net.h    |  5 +++++
>   include/net/queue.h  |  8 ++++++++
>   net/net.c            | 38 +++++++++++++++++++++++++++++++-------
>   net/queue.c          | 22 ++++++++++++++++++++++
>   13 files changed, 76 insertions(+), 17 deletions(-)
>

[V4,00/10] Detect reentrant RX casued by loopback

Message

Comments