On Tue, Jan 2, 2024 at 11:29 AM Jason Wang <jasow...@redhat.com> wrote:
>
> When HASH_REPORT is negotiated, the guest_hdr_len might be larger than
> the size of the mergeable rx buffer header. Using
> virtio_net_hdr_mrg_rxbuf during the header swap might lead a stack
> overflow in this case. Fixing this by using virtio_net_hdr_v1_hash
> instead.
>
> Reported-by: Xiao Lei <leixiao....@zju.edu.cn>
> Cc: Yuri Benditovich <yuri.benditov...@daynix.com>
> Cc: qemu-sta...@nongnu.org
> Cc: Mauro Matteo Cascella <mcasc...@redhat.com>
> Fixes: CVE-2023-6693
> Fixes: e22f0603fb2f ("virtio-net: reference implementation of hash report")
> Signed-off-by: Jason Wang <jasow...@redhat.com>Queued. Thanks
