Re: [PATCH] net: check payload length limit for all frames

Thu, 16 Jul 2020 18:23:14 -0700 

On 200717 0853, Li Qiang wrote:
> P J P <ppan...@redhat.com> 于2020年7月17日周五 上午3:26写道:
> >
> > From: Prasad J Pandit <p...@fedoraproject.org>
> >
> > While sending packets, the check that packet 'payload_len'
> > is within 64kB limit, seems to happen only for GSO frames.
> > It may lead to use-after-free or out-of-bounds access like
> > issues when sending non-GSO frames. Check the 'payload_len'
> > limit for all packets, irrespective of the gso type.
> >
> 
> Hello Prasad,
> Which issue are you trying to solve, any reference linking?
> 
> I also send a patch related this part and also a UAF.
> 
> Thanks,
> Li Qiang

Hi Li, Prasad,
I reported a UAF privately to QEMU-Security in May. I believe the one Li
is referring to is this one https://bugs.launchpad.net/qemu/+bug/1886362

When I saw Prasad's email, I was worried that I reported the same bug
twice, but I can still reproduce LP#1886362 with Prasad's patch.

On the other hand, I cannot reproduce either issue with Li's patch:
Message-Id: <20200716161453.61295-1-liq...@163.com>

Based on this, I think there were two distinct issues. Both of the
crashes rely on e1000e tx loopback into e1000e MMIO. Since Li's
patch adds a TX bh, it seems to mitigate such types of issues.

Sorry about any confusion.
-Alex

> > Reported-by: Alexander Bulekov <alx...@bu.edu>
> > Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
> > ---
> >  hw/net/net_tx_pkt.c | 10 ++++------
> >  1 file changed, 4 insertions(+), 6 deletions(-)
> >
> > diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
> > index 162f802dd7..e66998a8f9 100644
> > --- a/hw/net/net_tx_pkt.c
> > +++ b/hw/net/net_tx_pkt.c
> > @@ -607,12 +607,10 @@ bool net_tx_pkt_send(struct NetTxPkt *pkt, 
> > NetClientState *nc)
> >       * Since underlying infrastructure does not support IP datagrams longer
> >       * than 64K we should drop such packets and don't even try to send
> >       */
> > -    if (VIRTIO_NET_HDR_GSO_NONE != pkt->virt_hdr.gso_type) {
> > -        if (pkt->payload_len >
> > -            ETH_MAX_IP_DGRAM_LEN -
> > -            pkt->vec[NET_TX_PKT_L3HDR_FRAG].iov_len) {
> > -            return false;
> > -        }
> > +    if (pkt->payload_len >
> > +        ETH_MAX_IP_DGRAM_LEN -
> > +        pkt->vec[NET_TX_PKT_L3HDR_FRAG].iov_len) {
> > +        return false;
> >      }
> >
> >      if (pkt->has_virt_hdr ||
> > --
> > 2.26.2
> >
> >

Reply via email to