From patchwork Thu Feb 16 12:29:33 2017
X-Patchwork-Submitter: Dmitry Fleytman
X-Patchwork-Id: 9577019
From: Dmitry Fleytman
To: qemu-devel@nongnu.org
Cc: Yan Vugenfirer, Dmitry Fleytman, Jason Wang, P J P
Date: Thu, 16 Feb 2017 14:29:33 +0200
Message-Id: <1487248176-29602-3-git-send-email-dmitry@daynix.com>
In-Reply-To: <1487248176-29602-1-git-send-email-dmitry@daynix.com>
References: <1487248176-29602-1-git-send-email-dmitry@daynix.com>
Subject: [Qemu-devel] [PATCH 2/5] NetRxPkt: Fix memory corruption on VLAN header stripping

This patch fixed a problem that was introduced in commit eb700029. When net_rx_pkt_attach_iovec() calls eth_strip_vlan() this can result in pkt->ehdr_buf being overflowed, because ehdr_buf is only sizeof(struct eth_header) bytes large but eth_strip_vlan() can write sizeof(struct eth_header) + sizeof(struct vlan_header) bytes into it.

Devices affected by this problem: vmxnet3.

Reported-by: Peter Maydell
Signed-off-by: Dmitry Fleytman
---
 hw/net/net_rx_pkt.c | 34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/hw/net/net_rx_pkt.c b/hw/net/net_rx_pkt.c index 1019b50..7c0beac 100644 --- a/hw/net/net_rx_pkt.c +++ b/hw/net/net_rx_pkt.c @@ -23,13 +23,13 @@ struct NetRxPkt { struct virtio_net_hdr virt_hdr; - uint8_t ehdr_buf[sizeof(struct eth_header)]; + uint8_t ehdr_buf[sizeof(struct eth_header) + sizeof(struct vlan_header)]; struct iovec *vec; uint16_t vec_len_total; uint16_t vec_len; uint32_t tot_len; uint16_t tci; - bool vlan_stripped; + size_t ehdr_buf_len; bool has_virt_hdr; eth_pkt_types_e packet_type; 
@@ -88,15 +88,13 @@ net_rx_pkt_pull_data(struct NetRxPkt *pkt, const struct iovec *iov, int iovcnt, size_t ploff) { - if (pkt->vlan_stripped) { + if (pkt->ehdr_buf_len) { net_rx_pkt_iovec_realloc(pkt, iovcnt + 1); pkt->vec[0].iov_base = pkt->ehdr_buf; - pkt->vec[0].iov_len = sizeof(pkt->ehdr_buf); - - pkt->tot_len = - iov_size(iov, iovcnt) - ploff + sizeof(struct eth_header); + pkt->vec[0].iov_len = pkt->ehdr_buf_len; + pkt->tot_len = iov_size(iov, iovcnt) - ploff + pkt->ehdr_buf_len; pkt->vec_len = iov_copy(pkt->vec + 1, pkt->vec_len_total - 1, iov, iovcnt, ploff, pkt->tot_len); } else { @@ -123,11 +121,12 @@ void net_rx_pkt_attach_iovec(struct NetRxPkt *pkt, uint16_t tci = 0; uint16_t ploff = iovoff; assert(pkt); - pkt->vlan_stripped = false; if (strip_vlan) { - pkt->vlan_stripped = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf, - &ploff, &tci); + pkt->ehdr_buf_len = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf, + &ploff, &tci); + } else { + pkt->ehdr_buf_len = 0; } pkt->tci = tci; @@ -143,12 +142,13 @@ void net_rx_pkt_attach_iovec_ex(struct NetRxPkt *pkt, uint16_t tci = 0; uint16_t ploff = iovoff; assert(pkt); - pkt->vlan_stripped = false; if (strip_vlan) { - pkt->vlan_stripped = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet, - pkt->ehdr_buf, - &ploff, &tci); + pkt->ehdr_buf_len = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet, + pkt->ehdr_buf, + &ploff, &tci); + } else { + pkt->ehdr_buf_len = 0; } pkt->tci = tci; @@ -162,8 +162,8 @@ void net_rx_pkt_dump(struct NetRxPkt *pkt) NetRxPkt *pkt = (NetRxPkt *)pkt; assert(pkt); - printf("RX PKT: tot_len: %d, vlan_stripped: %d, vlan_tag: %d\n", - pkt->tot_len, pkt->vlan_stripped, pkt->tci); + printf("RX PKT: tot_len: %d, ehdr_buf_len: %lu, vlan_tag: %d\n", + pkt->tot_len, pkt->ehdr_buf_len, pkt->tci); #endif } 
@@ -426,7 +426,7 @@ bool net_rx_pkt_is_vlan_stripped(struct NetRxPkt *pkt) { assert(pkt); - return pkt->vlan_stripped; + return pkt->ehdr_buf_len ? true : false; } bool net_rx_pkt_has_virt_hdr(struct NetRxPkt *pkt)
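Review bot: in the struct NetRxPkt hunk, the enlarged `ehdr_buf[sizeof(struct eth_header) + sizeof(struct vlan_header)]` is the actual overflow fix, but nothing in the declaration records why it has that size; a comment on the field stating that it must hold the maximum eth_strip_vlan() writes (one Ethernet header plus one VLAN header), or a compile-time assertion tying the two together, would keep a later refactor from shrinking it back to sizeof(struct eth_header).

Review bot: in the net_rx_pkt_pull_data() hunk, `pkt->vec[0].iov_len = pkt->ehdr_buf_len;` publishes whatever length eth_strip_vlan() returned as the iovec length, so an `assert(pkt->ehdr_buf_len <= sizeof(pkt->ehdr_buf));` at the top of the `if (pkt->ehdr_buf_len)` branch would make the invariant the fix relies on explicit. The `tot_len` assignment also now mixes a size_t term (`ehdr_buf_len`) into a uint32_t field; that narrowing is pre-existing in spirit, but worth a comment or cast while the line is being rewritten.

Review bot: in the net_rx_pkt_attach_iovec() hunk, the new `} else { pkt->ehdr_buf_len = 0; }` can be avoided by keeping an unconditional reset where `pkt->vlan_stripped = false;` used to be, i.e. `pkt->ehdr_buf_len = 0;` before `if (strip_vlan)`; that mirrors the previous structure and guarantees the field is never left stale if an early-return path is ever added inside the if. The same applies to the net_rx_pkt_attach_iovec_ex() hunk that follows.

Review bot: in the net_rx_pkt_dump() hunk, `%lu` is not the correct conversion for `pkt->ehdr_buf_len`, which the struct hunk declares as size_t; use `%zu`, otherwise the build warns or prints garbage on targets where size_t is not unsigned long (LLP64 Windows hosts). While the format string is being edited, `%d` for the uint32_t `tot_len` and uint16_t `tci` is also imprecise (PRIu32 / PRIu16 would be exact), though that part is pre-existing.

Review bot: in the net_rx_pkt_is_vlan_stripped() hunk, `return pkt->ehdr_buf_len ? true : false;` can simply be `return pkt->ehdr_buf_len != 0;`. More importantly, the function now reports "stripped" whenever any header bytes were copied into ehdr_buf, so it is worth confirming in the commit message that eth_strip_vlan() and eth_strip_vlan_ex() return 0 for untagged frames, otherwise callers would see a VLAN as stripped when none was present.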
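Added example, not QEMU's code, modelling the sizing mismatch the commit message describes: a hypothetical strip_vlan_checked() stands in for eth_strip_vlan() but verifies the destination capacity before copying, so the pre-patch 14-byte buffer makes it refuse a tagged frame (return 0) where an unchecked copy would overflow, and the patched 18-byte buffer accepts it and returns the written length that the patch keeps in ehdr_buf_len. ETH_HLEN, VLAN_HLEN, the function names and the frame bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* 802.1Q layout; struct eth_header / struct vlan_header have these sizes. */
#define ETH_HLEN   14U  /* dst MAC (6) + src MAC (6) + ethertype (2) */
#define VLAN_HLEN   4U  /* TCI (2) + encapsulated ethertype (2) */
#define ETH_P_VLAN 0x8100U

/* Hypothetical, capacity-checked stand-in for eth_strip_vlan(): copies the
 * Ethernet header, plus the 802.1Q tag when present, into ehdr_buf and
 * returns the number of bytes written (what the patch keeps in ehdr_buf_len).
 * Returns 0 for a truncated frame or when ehdr_buf (capacity ehdr_cap) is
 * too small, which is the check the original fixed-size buffer lacked. */
size_t strip_vlan_checked(const uint8_t *frame, size_t frame_len,
                          uint8_t *ehdr_buf, size_t ehdr_cap, uint16_t *tci)
{
    if (frame_len < ETH_HLEN) {
        return 0;
    }
    uint16_t etype = (uint16_t)((frame[12] << 8) | frame[13]);
    size_t hdr_len = (etype == ETH_P_VLAN) ? ETH_HLEN + VLAN_HLEN : ETH_HLEN;
    if (frame_len < hdr_len || ehdr_cap < hdr_len) {
        return 0;   /* refuse rather than write past the end of ehdr_buf */
    }
    memcpy(ehdr_buf, frame, hdr_len);
    *tci = (etype == ETH_P_VLAN) ? (uint16_t)((frame[14] << 8) | frame[15]) : 0;
    return hdr_len;
}

/* Constructed tagged frame: dst, src, 0x8100, TCI 0x0064 (VLAN 100),
 * inner ethertype 0x0800, then a few payload bytes. */
static const uint8_t tagged_frame[] = {
    0x52, 0x54, 0x00, 0x12, 0x34, 0x56,  0x52, 0x54, 0x00, 0x65, 0x43, 0x21,
    0x81, 0x00,  0x00, 0x64,  0x08, 0x00,  0x45, 0x00, 0x00, 0x1c
};

/* Buffer sized as before the patch: sizeof(struct eth_header) only. */
size_t copy_with_old_buffer(uint16_t *tci)
{
    uint8_t ehdr_buf[ETH_HLEN];
    return strip_vlan_checked(tagged_frame, sizeof tagged_frame,
                              ehdr_buf, sizeof ehdr_buf, tci);   /* 0 */
}

/* Buffer sized as after the patch: eth_header + vlan_header. */
size_t copy_with_new_buffer(uint16_t *tci)
{
    uint8_t ehdr_buf[ETH_HLEN + VLAN_HLEN];
    return strip_vlan_checked(tagged_frame, sizeof tagged_frame,
                              ehdr_buf, sizeof ehdr_buf, tci);   /* 18 */
}
```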