Re: [PATCH] virtio-net: validate RSS indirections_len in post_load

["Daniel P. Berrangé" <berrange@redhat.com>]

On Mon, Mar 23, 2026 at 09:57:24AM -0400, Michael S. Tsirkin wrote:
> On Mon, Mar 23, 2026 at 01:53:53PM +0000, Peter Maydell wrote:
> > On Mon, 23 Mar 2026 at 13:43, Daniel P. Berrangé <berrange@redhat.com> wrote:
> > >
> > > On Mon, Mar 23, 2026 at 09:15:31PM +0800, Junjie Cao wrote:
> > > > virtio_net_handle_rss() enforces that indirections_len is a non-zero
> > > > power of two no larger than VIRTIO_NET_RSS_MAX_TABLE_LEN, but
> > > > virtio_net_rss_post_load() applies none of these checks to values
> > > > restored from the migration stream.
> > > >
> > > > A crafted migration stream can set indirections_len to 0.  Even if it
> > >
> > > The migration stream originating from the source QEMU is trusted.
> > 
> > Is it? In https://www.qemu.org/docs/master/system/security.html we say:
> > 
> > # The following entities are untrusted, meaning that they may be buggy
> > # or malicious:
> > 
> > #  * Guest
> > #  * User-facing interfaces (e.g. VNC, SPICE, WebSocket)
> > #  * Network protocols (e.g. NBD, live migration)
> > #  * User-supplied files (e.g. disk images, kernels, device trees)
> > #  * Passthrough devices (e.g. PCI, USB)
> > 
> > which explicitly lists "live migration" as an untrusted entity.
> > 
> > I would definitely be extremely cautious about having a threat
> > model where I had to distrust inbound migration data, but the
> > above does suggest we aim to handle that, and we have I think
> > in the past taken patches which add sanity-checking to the
> > migration data.
> 
> And we even assigned a low priority CVEs to these.

Do you have an example of that ?

With regards,
Daniel
-- 
|: https://berrange.com       ~~        https://hachyderm.io/@berrange :|
|: https://libvirt.org          ~~          https://entangle-photo.org :|
|: https://pixelfed.art/berrange   ~~    https://fstop138.berrange.com :|