On Tue, Jan 2, 2024 at 12:20 PM Yuri Benditovich <yuri.benditov...@daynix.com> wrote: > > I agree, thank you. > > Where is this CVE-2023-6693 available?
Here: https://bugzilla.redhat.com/show_bug.cgi?id=2254580. > Thanks, > Yuri > > On Tue, Jan 2, 2024 at 5:29 AM Jason Wang <jasow...@redhat.com> wrote: >> >> When HASH_REPORT is negotiated, the guest_hdr_len might be larger than >> the size of the mergeable rx buffer header. Using >> virtio_net_hdr_mrg_rxbuf during the header swap might lead a stack >> overflow in this case. Fixing this by using virtio_net_hdr_v1_hash >> instead. >> >> Reported-by: Xiao Lei <leixiao....@zju.edu.cn> >> Cc: Yuri Benditovich <yuri.benditov...@daynix.com> >> Cc: qemu-sta...@nongnu.org >> Cc: Mauro Matteo Cascella <mcasc...@redhat.com> >> Fixes: CVE-2023-6693 >> Fixes: e22f0603fb2f ("virtio-net: reference implementation of hash report") >> Signed-off-by: Jason Wang <jasow...@redhat.com> >> --- >> hw/net/virtio-net.c | 13 +++++++++---- >> 1 file changed, 9 insertions(+), 4 deletions(-) >> >> diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c >> index 80c56f0cfc..73024babd4 100644 >> --- a/hw/net/virtio-net.c >> +++ b/hw/net/virtio-net.c >> @@ -674,6 +674,11 @@ static void virtio_net_set_mrg_rx_bufs(VirtIONet *n, >> int mergeable_rx_bufs, >> >> n->mergeable_rx_bufs = mergeable_rx_bufs; >> >> + /* >> + * Note: when extending the vnet header, please make sure to >> + * change the vnet header copying logic in virtio_net_flush_tx() >> + * as well. >> + */ >> if (version_1) { >> n->guest_hdr_len = hash_report ? >> sizeof(struct virtio_net_hdr_v1_hash) : >> @@ -2693,7 +2698,7 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q) >> ssize_t ret; >> unsigned int out_num; >> struct iovec sg[VIRTQUEUE_MAX_SIZE], sg2[VIRTQUEUE_MAX_SIZE + 1], >> *out_sg; >> - struct virtio_net_hdr_mrg_rxbuf mhdr; >> + struct virtio_net_hdr_v1_hash vhdr; >> >> elem = virtqueue_pop(q->tx_vq, sizeof(VirtQueueElement)); >> if (!elem) { >> @@ -2710,7 +2715,7 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q) >> } >> >> if (n->has_vnet_hdr) { >> - if (iov_to_buf(out_sg, out_num, 0, &mhdr, n->guest_hdr_len) < >> + if (iov_to_buf(out_sg, out_num, 0, &vhdr, n->guest_hdr_len) < >> n->guest_hdr_len) { >> virtio_error(vdev, "virtio-net header incorrect"); >> virtqueue_detach_element(q->tx_vq, elem, 0); >> @@ -2718,8 +2723,8 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q) >> return -EINVAL; >> } >> if (n->needs_vnet_hdr_swap) { >> - virtio_net_hdr_swap(vdev, (void *) &mhdr); >> - sg2[0].iov_base = &mhdr; >> + virtio_net_hdr_swap(vdev, (void *) &vhdr); >> + sg2[0].iov_base = &vhdr; >> sg2[0].iov_len = n->guest_hdr_len; >> out_num = iov_copy(&sg2[1], ARRAY_SIZE(sg2) - 1, >> out_sg, out_num, >> -- >> 2.42.0 >> -- Mauro Matteo Cascella Red Hat Product Security PGP-Key ID: BB3410B0
