From: Mauro Matteo Cascella <mcascell@redhat.com>
To: qemu-devel@nongnu.org
Cc: jasowang@redhat.com, dmitry.fleytman@gmail.com,
    mcascell@redhat.com, ezrakiez@gmail.com
Subject: [PATCH 0/2] assertion failure in net_tx_pkt_add_raw_fragment() in hw/net/net_tx_pkt.c
Date: Mon, 27 Jul 2020 19:08:36 +0200
Message-ID: <20200727170838.1101775-1-mcascell@redhat.com>

An assertion failure issue was reported by Mr. Ziming Zhang (CC'd).
It occurs in the code that processes network packets while adding data
fragments into packet context. This flaw could potentially be abused by
a malicious guest to abort the QEMU process on the host. This two-patch
series does a couple of things:

- introduces a new function in net_tx_pkt.{c,h} to check the maximum number
  of data fragments
- adds a check in both e1000e and vmxnet3 devices to skip the packet if the
  current data fragment exceeds max_raw_frags, preventing
  net_tx_pkt_add_raw_fragment() from being called with an invalid raw_frags

Mauro Matteo Cascella (2):
  hw/net/net_tx_pkt: add function to check pkt->max_raw_frags
  hw/net: check max_raw_frags in e1000e and vmxnet3 devices

 hw/net/e1000e_core.c | 3 ++-
 hw/net/net_tx_pkt.c  | 5 +++++
 hw/net/net_tx_pkt.h  | 8 ++++++++
 hw/net/vmxnet3.c     | 3 ++-
 4 files changed, 17 insertions(+), 2 deletions(-)

--
2.26.2
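
Added example, not part of the original message and not QEMU code: a simplified C model of the fix the cover letter describes, where the device checks the fragment count before calling the add function so a guest-supplied descriptor chain cannot reach the assertion. Apart from the raw_frags and max_raw_frags field names, every identifier here is hypothetical, and dropping the whole packet on overflow is an assumed recovery.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_FRAGS 4 /* constructed capacity for this sketch */

/* Simplified stand-in for a TX packet context; not QEMU's struct. */
struct tx_pkt {
    uint32_t raw_frags;            /* fragments stored so far */
    uint32_t max_raw_frags;        /* capacity fixed at init */
    size_t frag_len[MAX_FRAGS];
};

/* Hypothetical checker: true when no further fragment fits. */
static bool tx_pkt_frags_full(const struct tx_pkt *pkt) {
    return pkt->raw_frags >= pkt->max_raw_frags;
}

/* The add path treats an out-of-range count as a bug and asserts. */
static void tx_pkt_add_raw_fragment(struct tx_pkt *pkt, size_t len) {
    assert(pkt->raw_frags < pkt->max_raw_frags);
    pkt->frag_len[pkt->raw_frags++] = len;
}

/* ndesc is guest-controlled; returns fragments queued, or -1 if skipped. */
static int device_process_tx(struct tx_pkt *pkt, const size_t *len, uint32_t ndesc) {
    pkt->raw_frags = 0;
    for (uint32_t i = 0; i < ndesc; i++) {
        if (tx_pkt_frags_full(pkt)) {
            pkt->raw_frags = 0;    /* assumed recovery: drop the packet */
            return -1;
        }
        tx_pkt_add_raw_fragment(pkt, len[i]);
    }
    return (int)pkt->raw_frags;
}

/* Run one constructed descriptor chain of ndesc entries (ndesc <= 8). */
static int run_case(uint32_t ndesc) {
    struct tx_pkt pkt = { .max_raw_frags = MAX_FRAGS };
    const size_t lens[8] = { 64, 64, 64, 64, 64, 64, 64, 64 };
    return device_process_tx(&pkt, lens, ndesc);
}

int main(void) {
    printf("4 frags -> %d, 5 frags -> %d\n", run_case(4), run_case(5));
    return 0;
}
```

Without the `tx_pkt_frags_full()` check in the loop, the five-descriptor case would hit the `assert()` and abort the process, which is the host-side denial of service the cover letter describes.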
Thread overview: 11+ messages
2020-07-27 17:08 Mauro Matteo Cascella [this message]
2020-07-27 17:08 ` [PATCH 1/2] hw/net/net_tx_pkt: add function to check pkt->max_raw_frags Mauro Matteo Cascella
2020-07-28 4:06 ` Jason Wang
2020-07-28 16:26 ` Mauro Matteo Cascella
2020-07-30 5:27 ` Jason Wang
2020-07-30 17:05 ` Mauro Matteo Cascella
2020-07-31 3:33 ` Jason Wang
2020-07-27 17:08 ` [PATCH 2/2] hw/net: check max_raw_frags in e1000e and vmxnet3 devices Mauro Matteo Cascella
2020-07-27 17:29 ` [PATCH 0/2] assertion failure in net_tx_pkt_add_raw_fragment() in hw/net/net_tx_pkt.c Alexander Bulekov
2020-07-28 16:59 ` Mauro Matteo Cascella
2020-07-29 8:48 ` Dmitry Fleytman