On Mon, Aug 15, 2016 at 09:51:21PM +0200, Gaudenz Steinlin wrote:
> Stefan Hajnoczi <stefa...@redhat.com> writes:
>
> > Gaudenz Steinlin <gaud...@debian.org> reported that virtqueue_pop() terminates
> > QEMU because the virtqueue size is exceeded following the CVE-2016-5403 fix. I
> > have been unable to reproduce this or understand the root cause by code
> > inspection. Along the way I did discover a few bugs in virtio-balloon and
> > virtio code.
> >
> > Please see the individual patches for details.
> >
> > Gaudenz: If you can reproduce the bug you reported, please try again with these
> > patches applied.
>
> As mentioned in the original thread I only tested on QEMU 2.0.0 so far.
> I tried to apply your patches to this version, but did not succeed. I
> could not apply the first patch in the series because the code changed
> too much and with only the others applied QEMU failed to compile. I gave
> up at that point.
>
> Does it make sense at all to test these patches on 2.0.0? Ubuntu
> reverted the problematic fix in their latest package update for trusty,
> so my immediate problem is "solved". Is there a chance to get a fix for
> CVE-2016-5403 that works on QEMU 2.0.0 without breaking migrations?
>
> Best regards and thanks to all for the effort so far,
> Gaudenz
You will have to debug the failure I'm afraid.
Most likely inuse is incremented in pop but not decremented.
Maybe you need

commit 0cf33fb6b49a19de32859e2cdc6021334f448fb3
Author: Jason Wang <jasow...@redhat.com>
Date:   Fri Sep 25 13:21:30 2015 +0800

    virtio-net: correctly drop truncated packets

It's hard to say.

-- 
MST