From: Michael Roth <mdroth@linux.vnet.ibm.com>
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Dmitry Fleytman <dmitry@daynix.com>,
Jason Wang <jasowang@redhat.com>
Subject: [Qemu-devel] [PATCH 74/81] NetRxPkt: Fix memory corruption on VLAN header stripping
Date: Mon, 20 Mar 2017 18:08:38 -0500 [thread overview]
Message-ID: <1490051325-3770-75-git-send-email-mdroth@linux.vnet.ibm.com> (raw)
In-Reply-To: <1490051325-3770-1-git-send-email-mdroth@linux.vnet.ibm.com>
From: Dmitry Fleytman <dmitry@daynix.com>
This patch fixed a problem that was introduced in commit eb700029.
When net_rx_pkt_attach_iovec() calls eth_strip_vlan()
this can result in pkt->ehdr_buf being overflowed, because
ehdr_buf is only sizeof(struct eth_header) bytes large
but eth_strip_vlan() can write
sizeof(struct eth_header) + sizeof(struct vlan_header)
bytes into it.
Devices affected by this problem: vmxnet3.
Cc: qemu-stable@nongnu.org
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit df8bf7a7fe75eb5d5caffa55f5cd4292b757aea6)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
hw/net/net_rx_pkt.c | 34 +++++++++++++++++-----------------
1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/hw/net/net_rx_pkt.c b/hw/net/net_rx_pkt.c
index 1019b50..7c0beac 100644
--- a/hw/net/net_rx_pkt.c
+++ b/hw/net/net_rx_pkt.c
@@ -23,13 +23,13 @@
struct NetRxPkt {
struct virtio_net_hdr virt_hdr;
- uint8_t ehdr_buf[sizeof(struct eth_header)];
+ uint8_t ehdr_buf[sizeof(struct eth_header) + sizeof(struct vlan_header)];
struct iovec *vec;
uint16_t vec_len_total;
uint16_t vec_len;
uint32_t tot_len;
uint16_t tci;
- bool vlan_stripped;
+ size_t ehdr_buf_len;
bool has_virt_hdr;
eth_pkt_types_e packet_type;
@@ -88,15 +88,13 @@ net_rx_pkt_pull_data(struct NetRxPkt *pkt,
const struct iovec *iov, int iovcnt,
size_t ploff)
{
- if (pkt->vlan_stripped) {
+ if (pkt->ehdr_buf_len) {
net_rx_pkt_iovec_realloc(pkt, iovcnt + 1);
pkt->vec[0].iov_base = pkt->ehdr_buf;
- pkt->vec[0].iov_len = sizeof(pkt->ehdr_buf);
-
- pkt->tot_len =
- iov_size(iov, iovcnt) - ploff + sizeof(struct eth_header);
+ pkt->vec[0].iov_len = pkt->ehdr_buf_len;
+ pkt->tot_len = iov_size(iov, iovcnt) - ploff + pkt->ehdr_buf_len;
pkt->vec_len = iov_copy(pkt->vec + 1, pkt->vec_len_total - 1,
iov, iovcnt, ploff, pkt->tot_len);
} else {
@@ -123,11 +121,12 @@ void net_rx_pkt_attach_iovec(struct NetRxPkt *pkt,
uint16_t tci = 0;
uint16_t ploff = iovoff;
assert(pkt);
- pkt->vlan_stripped = false;
if (strip_vlan) {
- pkt->vlan_stripped = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf,
- &ploff, &tci);
+ pkt->ehdr_buf_len = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf,
+ &ploff, &tci);
+ } else {
+ pkt->ehdr_buf_len = 0;
}
pkt->tci = tci;
@@ -143,12 +142,13 @@ void net_rx_pkt_attach_iovec_ex(struct NetRxPkt *pkt,
uint16_t tci = 0;
uint16_t ploff = iovoff;
assert(pkt);
- pkt->vlan_stripped = false;
if (strip_vlan) {
- pkt->vlan_stripped = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet,
- pkt->ehdr_buf,
- &ploff, &tci);
+ pkt->ehdr_buf_len = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet,
+ pkt->ehdr_buf,
+ &ploff, &tci);
+ } else {
+ pkt->ehdr_buf_len = 0;
}
pkt->tci = tci;
@@ -162,8 +162,8 @@ void net_rx_pkt_dump(struct NetRxPkt *pkt)
NetRxPkt *pkt = (NetRxPkt *)pkt;
assert(pkt);
- printf("RX PKT: tot_len: %d, vlan_stripped: %d, vlan_tag: %d\n",
- pkt->tot_len, pkt->vlan_stripped, pkt->tci);
+ printf("RX PKT: tot_len: %d, ehdr_buf_len: %lu, vlan_tag: %d\n",
+ pkt->tot_len, pkt->ehdr_buf_len, pkt->tci);
#endif
}
@@ -426,7 +426,7 @@ bool net_rx_pkt_is_vlan_stripped(struct NetRxPkt *pkt)
{
assert(pkt);
- return pkt->vlan_stripped;
+ return pkt->ehdr_buf_len ? true : false;
}
bool net_rx_pkt_has_virt_hdr(struct NetRxPkt *pkt)
--
2.7.4
next prev parent reply other threads:[~2017-03-20 23:10 UTC|newest]
Thread overview: 96+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-20 23:07 [Qemu-devel] [PATCH 00/81] Patch Round-up for stable 2.8.1, freeze on 2017-03-27 Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 01/81] 9pfs: local: move xattr security ops to 9p-xattr.c Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 02/81] 9pfs: remove side-effects in local_init() Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 03/81] 9pfs: remove side-effects in local_open() and local_opendir() Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 04/81] 9pfs: introduce relative_openat_nofollow() helper Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 05/81] 9pfs: local: keep a file descriptor on the shared folder Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 06/81] 9pfs: local: open/opendir: don't follow symlinks Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 07/81] 9pfs: local: lgetxattr: " Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 08/81] 9pfs: local: llistxattr: " Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 09/81] 9pfs: local: lsetxattr: " Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 10/81] 9pfs: local: lremovexattr: " Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 11/81] 9pfs: local: unlinkat: " Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 12/81] 9pfs: local: remove: " Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 13/81] 9pfs: local: utimensat: " Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 14/81] 9pfs: local: statfs: " Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 15/81] 9pfs: local: truncate: " Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 16/81] 9pfs: local: readlink: " Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 17/81] 9pfs: local: lstat: " Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 18/81] 9pfs: local: renameat: " Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 19/81] 9pfs: local: rename: use renameat Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 20/81] 9pfs: local: improve error handling in link op Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 21/81] 9pfs: local: link: don't follow symlinks Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 22/81] 9pfs: local: chmod: " Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 23/81] 9pfs: local: chown: " Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 24/81] 9pfs: local: symlink: " Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 25/81] 9pfs: local: mknod: " Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 26/81] 9pfs: local: mkdir: " Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 27/81] 9pfs: local: open2: " Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 28/81] 9pfs: local: drop unused code Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 29/81] 9pfs: fix bogus fd check in local_remove() Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 30/81] 9pfs: fix fd leak in local_opendir() Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 31/81] 9pfs: fail local_statfs() earlier Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 32/81] 9pfs: don't use AT_EMPTY_PATH in local_set_cred_passthrough() Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 33/81] 9pfs: fix O_PATH build break with older glibc versions Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 34/81] 9pfs: fix vulnerability in openat_dir() and local_unlinkat_common() Michael Roth
2017-03-20 23:07 ` [Qemu-devel] [PATCH 35/81] machine: Convert abstract typename on compat_props to subclass names Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 36/81] balloon: Don't balloon roms Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 37/81] pci: fix error message for express slots Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 38/81] virtio: fix vq->inuse recalc after migr Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 39/81] 9pfs: fix crash when fsdev is missing Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 40/81] pc: fix crash in rtc_set_memory() if initial cpu is marked as hotplugged Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 41/81] ui/gtk: fix crash at startup when no console is available Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 42/81] scsi-block: fix direction of BYTCHK test for VERIFY commands Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 43/81] ui/vnc: Fix problem with sending too many bytes as server name Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 44/81] qemu-thread: fix qemu_thread_set_name() race in qemu_thread_create() Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 45/81] virtio-crypto: fix possible integer and heap overflow Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 46/81] exec: Add missing rcu_read_unlock Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 47/81] display: cirrus: ignore source pitch value as needed in blit_is_unsafe Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 48/81] x86: ioapic: fix fail migration when irqchip=split Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 49/81] char: fix ctrl-a b not working Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 50/81] tcg/aarch64: Fix addsub2 for 0+C Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 51/81] tcg/aarch64: Fix tcg_out_movi Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 52/81] ui: use evdev keymap when running under wayland Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 53/81] virtio: fix up max size checks Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 54/81] block/iscsi: avoid data corruption with cache=writeback Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 55/81] s390x/kvm: fix cmma reset for KVM Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 56/81] cirrus: fix oob access issue (CVE-2017-2615) Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 57/81] cpu-exec: fix icount out-of-bounds access Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 58/81] ahci: advertise HOST_CAP_64 Michael Roth
2017-03-22 13:11 ` John Snow
2017-03-20 23:08 ` [Qemu-devel] [PATCH 59/81] target/s390x: use "qemu" cpu model in user mode Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 60/81] s390x/kvm: fix small race reboot vs. cmma Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 61/81] block/nfs: fix NULL pointer dereference in URI parsing Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 62/81] block/nfs: fix naming of runtime opts Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 63/81] sd: sdhci: check data length during dma_memory_read Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 64/81] vnc: do not disconnect on EAGAIN Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 65/81] target-ppc, tcg: fix usermode segfault with pthread_create() Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 66/81] block/vmdk: Fix the endian problem of buf_len and lba Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 67/81] target/sparc: Restore ldstub of odd asis Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 68/81] apic: reset apic_delivered global variable on machine reset Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 69/81] target-i386: correctly propagate retaddr into SVM helpers Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 70/81] qga: ignore EBUSY when freezing a filesystem Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 71/81] hmp: fix block_set_io_throttle Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 72/81] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo (CVE-2017-2620) Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 73/81] eth: Extend vlan stripping functions Michael Roth
2017-03-20 23:08 ` Michael Roth [this message]
2017-03-20 23:08 ` [Qemu-devel] [PATCH 75/81] NetRxPkt: Do not try to pull more data than present Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 76/81] NetRxPkt: Account buffer with ETH header in IOV length Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 77/81] e1000e: correctly tear down MSI-X memory regions Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 78/81] scsi: mptsas: fix the wrong reading size in fetch request Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 79/81] virtio-pci: reset modern vq meta data Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 80/81] s390x/css: reassign subchannel if schid is changed after migration Michael Roth
2017-03-20 23:08 ` [Qemu-devel] [PATCH 81/81] thread-pool: add missing qemu_bh_cancel in completion function Michael Roth
2017-03-21 0:47 ` [Qemu-devel] [PATCH 00/81] Patch Round-up for stable 2.8.1, freeze on 2017-03-27 Eric Blake
2017-03-21 1:31 ` Richard Henderson
2017-03-21 9:13 ` [Qemu-devel] [Qemu-stable] " Greg Kurz
2017-03-21 16:26 ` Greg Kurz
2017-03-22 14:31 ` [Qemu-devel] " Christian Borntraeger
2017-04-05 2:01 ` [Qemu-devel] [Qemu-stable] " Gonglei (Arei)
2017-04-05 4:08 ` Michael Roth
2017-04-05 4:51 ` Gonglei (Arei)
2017-04-05 5:21 ` Michael Roth
2017-04-05 5:52 ` Gonglei (Arei)
2017-04-05 6:16 ` Michael Roth
2017-04-05 6:22 ` Gonglei (Arei)
2017-04-06 2:32 ` Gonglei (Arei)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1490051325-3770-75-git-send-email-mdroth@linux.vnet.ibm.com \
--to=mdroth@linux.vnet.ibm.com \
--cc=dmitry@daynix.com \
--cc=jasowang@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).