Reviewed-by: Dmitry Fleytman <dmitry.fleyt...@gmail.com> The idea looks good to me. I believe it makes sense to do the check in net_tx_pkt_add_raw_fragment() as suggested by Jason.
> On 27 Jul 2020, at 20:29, Alexander Bulekov <alx...@bu.edu> wrote: > > I sent a reproducer for the to the list some time ago, but never created > a Launchpad bug... > https://www.mail-archive.com/qemu-devel@nongnu.org/msg701930.html > > Anyways.. I can confirm that I can't reproduce the issue with these > patches. > > Minimized Reproducer: > cat << EOF | ./i386-softmmu/qemu-system-i386 -M pc-q35-5.0 -nographic \ > -display none -serial none -monitor none -qtest stdio > outl 0xcf8 0x80001010 > outl 0xcfc 0xe1020000 > outl 0xcf8 0x80001004 > outw 0xcfc 0x7 > write 0xe10207e8 0x4 0x25ff13ff > write 0xe10200b8 0x7 0xe3055e411b0202 > write 0xe1020100 0x5 0x5e411b0202 > write 0xe1020110 0x4 0x1b0202e1 > write 0xe1020118 0x4 0x06fff105 > write 0xe1020128 0x7 0xf3055e411b0202 > write 0xe1020402 0x2 0x5e41 > write 0xe1020420 0x4 0x1b0202e1 > write 0xe1020428 0x4 0x06ff6105 > write 0xe1020438 0x1 0x63 > write 0xe1020439 0x1 0x05 > EOF > > -Alex > > On 200727 1908, Mauro Matteo Cascella wrote: >> An assertion failure issue was reported by Mr. Ziming Zhang (CC'd). >> It occurs in the code that processes network packets while adding data >> fragments into packet context. This flaw could potentially be abused by >> a malicious guest to abort the QEMU process on the host. This two patch >> series does a couple of things: >> >> - introduces a new function in net_tx_pkt.{c,h} to check the maximum number >> of data fragments >> - adds a check in both e1000e and vmxnet3 devices to skip the packet if the >> current data fragment exceeds max_raw_frags, preventing >> net_tx_pkt_add_raw_fragment() to be called with an invalid raw_frags >> >> Mauro Matteo Cascella (2): >> hw/net/net_tx_pkt: add function to check pkt->max_raw_frags >> hw/net: check max_raw_frags in e1000e and vmxnet3 devices >> >> hw/net/e1000e_core.c | 3 ++- >> hw/net/net_tx_pkt.c | 5 +++++ >> hw/net/net_tx_pkt.h | 8 ++++++++ >> hw/net/vmxnet3.c | 3 ++- >> 4 files changed, 17 insertions(+), 2 deletions(-) >> >> -- >> 2.26.2 >> >>
