On Mon, Mar 23, 2026 at 01:53:53PM +0000, Peter Maydell wrote:
> On Mon, 23 Mar 2026 at 13:43, Daniel P. Berrangé <[email protected]> wrote:
> >
> > On Mon, Mar 23, 2026 at 09:15:31PM +0800, Junjie Cao wrote:
> > > virtio_net_handle_rss() enforces that indirections_len is a non-zero
> > > power of two no larger than VIRTIO_NET_RSS_MAX_TABLE_LEN, but
> > > virtio_net_rss_post_load() applies none of these checks to values
> > > restored from the migration stream.
> > >
> > > A crafted migration stream can set indirections_len to 0. Even if it
> >
> > The migration stream originating from the source QEMU is trusted.
>
> Is it? In https://www.qemu.org/docs/master/system/security.html we say:
>
> # The following entities are untrusted, meaning that they may be buggy
> # or malicious:
>
> # * Guest
> # * User-facing interfaces (e.g. VNC, SPICE, WebSocket)
> # * Network protocols (e.g. NBD, live migration)
> # * User-supplied files (e.g. disk images, kernels, device trees)
> # * Passthrough devices (e.g. PCI, USB)
>
> which explicitly lists "live migration" as an untrusted entity.
>
> I would definitely be extremely cautious about having a threat
> model where I had to distrust inbound migration data, but the
> above does suggest we aim to handle that, and we have I think
> in the past taken patches which add sanity-checking to the
> migration data.
>
> thanks
> -- PMM
And we even assigned low priority CVEs to these.
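The check the thread says virtio_net_handle_rss() applies to a guest-supplied indirection table length, restated as a stand-alone validation that a post_load hook could apply to state restored from an inbound migration stream. This is an added example, not QEMU's code; the struct, function names and the value 128 for VIRTIO_NET_RSS_MAX_TABLE_LEN are assumptions made here.

```c
/* Added example, not QEMU's own code. Demonstrates applying the same
 * validation to migrated RSS state that the device already applies to
 * guest-supplied RSS configuration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed value for this example; QEMU defines the real constant. */
#define VIRTIO_NET_RSS_MAX_TABLE_LEN 128

/* Minimal stand-in for the RSS fields carried in the migration stream
 * (constructed for this example; field names are hypothetical). */
struct rss_state {
    uint16_t indirections_len;
    uint16_t *indirections_table;
};

/* True iff len is a non-zero power of two no larger than the table max,
 * i.e. the three conditions the thread lists for indirections_len. */
static bool rss_indirections_len_valid(uint32_t len)
{
    if (len == 0 || len > VIRTIO_NET_RSS_MAX_TABLE_LEN) {
        return false;
    }
    return (len & (len - 1)) == 0;   /* power-of-two test */
}

/* What a hardened post_load hook does: treat inbound state as untrusted
 * and fail the migration instead of accepting a bad length.
 * Returns 0 when the state is acceptable, -1 to abort the load. */
static int rss_post_load_check(const struct rss_state *s)
{
    if (!rss_indirections_len_valid(s->indirections_len)) {
        fprintf(stderr, "virtio-net: rejecting RSS indirections_len %u\n",
                (unsigned)s->indirections_len);
        return -1;
    }
    return 0;
}

int main(void)
{
    struct rss_state crafted = { 0, NULL };   /* constructed bad input */
    struct rss_state sane = { 64, NULL };     /* constructed good input */
    printf("crafted: %d, sane: %d\n",
           rss_post_load_check(&crafted), rss_post_load_check(&sane));
    return 0;
}
```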
