On 12/02/2015 08:17 PM, P J P wrote:
> Hello Dmitry, all
>
> A memory leakage issue was reported by Mr Qinghao Tang, CC'd here.
>
> In that, the Qemu VMXNET3 paravirtual device emulator does not check
> if the device is already active, before activating it. This leads to
> host memory leakage via calls to vmxnet_tx_pkt_init(), which calls
> g_malloc0().
>
> ===
> static void vmxnet3_activate_device(VMXNET3State *s)
> {
>     ...
>     /* Preallocate TX packet wrapper */
>     VMW_CFPRN("Max TX fragments is %u", s->max_tx_frags);
>     vmxnet_tx_pkt_init(&s->tx_pkt, s->max_tx_frags, s->peer_has_vhdr);
>     ...
> }
> ===
>
> A malicious guest driver could use this flaw to leak excessive memory
> on the host, eventually killing the Qemu process.
>
> Please see attached herein a proposed (tested) patch which fixes
> this issue. Please let me know if it's okay or requires any changes.
>
> Thank you.
> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
What if the guest deactivates the device before re-activating it? Looks like it could be done through these methods:

1) VMXNET3_CMD_QUIESCE_DEV
2) VMXNET3_REG_DSAL

So it looks like we need to free both tx_pkt and rx_pkt during deactivation?
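A constructed C model of the leak and of the fix discussed in this thread, added here as an example and not QEMU's own code: `DevState`, the `device_active` flag, the `pkt_init`/`pkt_uninit` helpers and the `live_allocs` counter are simplified stand-ins for VMXNET3State, vmxnet_tx_pkt_init() and g_malloc0(), and the deactivate path that releases both packet wrappers is the behaviour the reply proposes, not code from the patch.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for VMXNET3State (assumed field names). */
typedef struct {
    int   device_active;  /* is the device already activated by the guest? */
    void *tx_pkt;         /* preallocated TX packet wrapper */
    void *rx_pkt;         /* RX counterpart mentioned in the reply */
} DevState;

/* Count live allocations so a leak is visible without a leak checker. */
static int live_allocs = 0;

static void *pkt_init(size_t n) { live_allocs++; return calloc(1, n); } /* g_malloc0() stand-in */
static void pkt_uninit(void **p) { if (*p) { free(*p); *p = NULL; live_allocs--; } }

/* Before: every activation command allocates again, orphaning the old wrappers. */
static void activate_leaky(DevState *s)
{
    s->tx_pkt = pkt_init(256);
    s->rx_pkt = pkt_init(256);
    s->device_active = 1;
}

/* After: refuse a second activation while active ... */
static void activate_fixed(DevState *s)
{
    if (s->device_active) {
        return;               /* already active: nothing to (re)allocate */
    }
    s->tx_pkt = pkt_init(256);
    s->rx_pkt = pkt_init(256);
    s->device_active = 1;
}

/* ... and release both wrappers when the guest quiesces/deactivates the device. */
static void deactivate_fixed(DevState *s)
{
    if (!s->device_active) {
        return;
    }
    pkt_uninit(&s->tx_pkt);
    pkt_uninit(&s->rx_pkt);
    s->device_active = 0;
}

/* Drive n guest-initiated activations; return the live allocation count afterwards. */
static int allocs_after_activations(void (*activate)(DevState *), int n)
{
    DevState s; memset(&s, 0, sizeof s); live_allocs = 0;
    for (int i = 0; i < n; i++) activate(&s);
    int result = live_allocs;
    deactivate_fixed(&s);     /* frees only what is still reachable */
    return result;
}

/* Deactivate/re-activate cycles (the reply's scenario); return live allocations at the end. */
static int allocs_after_cycles(int cycles)
{
    DevState s; memset(&s, 0, sizeof s); live_allocs = 0;
    for (int i = 0; i < cycles; i++) { activate_fixed(&s); deactivate_fixed(&s); }
    return live_allocs;
}
```

With the leaky variant each repeated activation adds two unreachable blocks; with the check in place repeated activations hold exactly two, and each deactivate/re-activate cycle ends with none.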