From: Jason Wang
To: peter.maydell@linaro.org, qemu-devel@nongnu.org
Subject: [PULL 1/2] hw/net: Added plen fix for IPv6
Date: Tue, 21 Jul 2020 21:34:26 +0800
Message-Id: <1595338467-19556-2-git-send-email-jasowang@redhat.com>
In-Reply-To: <1595338467-19556-1-git-send-email-jasowang@redhat.com>
References: <1595338467-19556-1-git-send-email-jasowang@redhat.com>
Cc: Andrew, Jason Wang

From: Andrew

Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1708065

With a network backend with 'virtual header', there was an issue in the 'plen' field. Overall, during TSO, 'plen' would be changed, but with 'vheader' this field should be set to the size of the payload itself instead of '0'.
Signed-off-by: Andrew Melnychenko Signed-off-by: Jason Wang --- hw/net/net_tx_pkt.c | 23 +++++++++++++++++++++++ hw/net/net_tx_pkt.h | 14 ++++++++++++++ include/net/eth.h | 1 + 3 files changed, 38 insertions(+) diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c index 331c73c..9560e4a 100644 --- a/hw/net/net_tx_pkt.c +++ b/hw/net/net_tx_pkt.c @@ -626,6 +626,7 @@ bool net_tx_pkt_send(struct NetTxPkt *pkt, NetClientSta= te *nc) =20 if (pkt->has_virt_hdr || pkt->virt_hdr.gso_type =3D=3D VIRTIO_NET_HDR_GSO_NONE) { + net_tx_pkt_fix_ip6_payload_len(pkt); net_tx_pkt_sendv(pkt, nc, pkt->vec, pkt->payload_frags + NET_TX_PKT_PL_START_FRAG); return true; @@ -644,3 +645,25 @@ bool net_tx_pkt_send_loopback(struct NetTxPkt *pkt, Ne= tClientState *nc) =20 return res; } + +void net_tx_pkt_fix_ip6_payload_len(struct NetTxPkt *pkt) +{ + struct iovec *l2 =3D &pkt->vec[NET_TX_PKT_L2HDR_FRAG]; + if (eth_get_l3_proto(l2, 1, l2->iov_len) =3D=3D ETH_P_IPV6) { + struct ip6_header *ip6 =3D (struct ip6_header *) pkt->l3_hdr; + /* + * TODO: if qemu would support >64K packets - add jumbo option che= ck + * something like that: + * 'if (ip6->ip6_plen =3D=3D 0 && !has_jumbo_option(ip6)) {' + */ + if (ip6->ip6_plen =3D=3D 0) { + if (pkt->payload_len <=3D ETH_MAX_IP_DGRAM_LEN) { + ip6->ip6_plen =3D htons(pkt->payload_len); + } + /* + * TODO: if qemu would support >64K packets + * add jumbo option for packets greater then 65,535 bytes + */ + } + } +} diff --git a/hw/net/net_tx_pkt.h b/hw/net/net_tx_pkt.h index 212ecc6..4ec8bbe 100644 --- a/hw/net/net_tx_pkt.h +++ b/hw/net/net_tx_pkt.h 
@@ -187,4 +187,18 @@ bool net_tx_pkt_parse(struct NetTxPkt *pkt); */ bool net_tx_pkt_has_fragments(struct NetTxPkt *pkt); =20 +/** + * Fix IPv6 'plen' field. + * If ipv6 payload length field is 0 - then there should be Hop-by-Hop + * option for packets greater than 65,535. + * For packets with a payload less than 65,535: fix 'plen' field. + * For backends with vheader, we need just one packet with proper + * payload size. For now, qemu drops every packet with size greater 64K + * (see net_tx_pkt_send()) so, there is no reason to add jumbo option to i= p6 + * hop-by-hop extension if it's missed + * + * @pkt packet + */ +void net_tx_pkt_fix_ip6_payload_len(struct NetTxPkt *pkt); + #endif diff --git a/include/net/eth.h b/include/net/eth.h index 7f45c67..0671be6 100644 --- a/include/net/eth.h +++ b/include/net/eth.h 
@@ -186,6 +186,7 @@ struct tcp_hdr { =20 #define ip6_nxt ip6_ctlun.ip6_un1.ip6_un1_nxt #define ip6_ecn_acc ip6_ctlun.ip6_un3.ip6_un3_ecn +#define ip6_plen ip6_ctlun.ip6_un1.ip6_un1_plen =20 #define PKT_GET_ETH_HDR(p) \ ((struct eth_header *)(p)) --=20 2.5.0
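Review bot: in the hw/net/net_tx_pkt.c hunk that adds net_tx_pkt_fix_ip6_payload_len(), the function casts pkt->l3_hdr to struct ip6_header and writes ip6_plen without checking that an IPv6 header was actually parsed into it; eth_get_l3_proto(l2, 1, l2->iov_len) only inspects the L2 fragment, so a guest frame whose EtherType says IPv6 but whose L3 data is shorter than an IPv6 header would still be patched as if it were one. Consider guarding on the L3 fragment's iov_len >= sizeof(struct ip6_header) (or on whatever net_tx_pkt_parse() records) before the cast. The `pkt->payload_len > ETH_MAX_IP_DGRAM_LEN` case silently leaves ip6_plen at 0; since the header comment says net_tx_pkt_send() drops such packets anyway, a one-line comment at that branch pointing to the drop would make the intent explicit. Minor: "greater then 65,535 bytes" in the second TODO should read "greater than".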
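Review bot: in the hw/net/net_tx_pkt.h hunk, the doc comment has a few wording slips worth fixing before merge: "size greater 64K" should be "size greater than 64K", and "if it's missed" should be "if it's missing". The sentence "For packets with a payload less than 65,535: fix 'plen' field." would read more precisely as "For packets with a payload of at most 65,535 bytes, set 'plen' to the payload length", which also matches the `<= ETH_MAX_IP_DGRAM_LEN` check in the implementation.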
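As an added example (not QEMU code and not part of the patch above): a stand-alone C routine that applies the same plen repair to a constructed Ethernet/IPv6 frame, and also implements the Hop-by-Hop Jumbo Payload check that the patch leaves as a TODO, so a legitimate RFC 2675 jumbogram with plen 0 is left untouched. The frame layout, the names fix_ip6_plen, build_frame, ip6_plen_of and demo, and the sample sizes are this example's own assumptions.

```c
#include <stdint.h>
#include <string.h>

#define ETH_HDR_LEN 14
#define IP6_HDR_LEN 40
#define NH_HOPOPTS  0     /* IPv6 Hop-by-Hop Options next-header value */
#define OPT_JUMBO   0xC2  /* RFC 2675 Jumbo Payload option type */

/* Constructed test frame: Ethernet + IPv6 header + payload_len zero bytes. */
static size_t build_frame(uint8_t *f, uint16_t plen, uint8_t nxt, size_t payload_len)
{
    memset(f, 0, ETH_HDR_LEN + IP6_HDR_LEN + payload_len);
    f[12] = 0x86; f[13] = 0xDD;                 /* EtherType IPv6 */
    f[ETH_HDR_LEN] = 0x60;                      /* version 6 */
    f[ETH_HDR_LEN + 4] = plen >> 8; f[ETH_HDR_LEN + 5] = plen & 0xff;  /* big-endian plen */
    f[ETH_HDR_LEN + 6] = nxt;                   /* next header */
    return ETH_HDR_LEN + IP6_HDR_LEN + payload_len;
}

int ip6_plen_of(const uint8_t *f) { return (f[ETH_HDR_LEN + 4] << 8) | f[ETH_HDR_LEN + 5]; }

/* 1 if plen was rewritten, 0 if left alone (not IPv6, plen set, jumbogram, or >64K payload). */
int fix_ip6_plen(uint8_t *f, size_t len)
{
    if (len < ETH_HDR_LEN + IP6_HDR_LEN || f[12] != 0x86 || f[13] != 0xDD || ip6_plen_of(f) != 0)
        return 0;
    uint8_t *ip6 = f + ETH_HDR_LEN;
    size_t payload = len - ETH_HDR_LEN - IP6_HDR_LEN;
    if (ip6[6] == NH_HOPOPTS && payload >= 8) {  /* plen 0 is legal only with a jumbo option */
        const uint8_t *opt = ip6 + IP6_HDR_LEN;
        size_t hbh = (size_t)(opt[1] + 1) * 8; if (hbh > payload) hbh = payload;
        for (size_t i = 2; i < hbh;) {           /* walk the TLV options */
            if (opt[i] == 0) { i++; continue; }  /* Pad1 */
            if (opt[i] == OPT_JUMBO) return 0;
            if (i + 1 >= hbh) break;
            i += 2 + opt[i + 1];
        }
    }
    if (payload > 65535) return 0;               /* needs a jumbo option; caller drops it */
    ip6[4] = payload >> 8; ip6[5] = payload & 0xff;
    return 1;
}

/* Constructed cases: jumbo=0 -> TCP segment handed over with plen 0 (fixed to 100);
 * jumbo=1 -> Hop-by-Hop header carrying a Jumbo Payload option (plen stays 0). */
int demo(int jumbo)
{
    uint8_t f[256], *hbh = f + ETH_HDR_LEN + IP6_HDR_LEN;
    size_t n = build_frame(f, 0, jumbo ? NH_HOPOPTS : 6, jumbo ? 16 : 100);
    if (jumbo) { hbh[0] = 6; hbh[1] = 0; hbh[2] = OPT_JUMBO; hbh[3] = 4; }
    return fix_ip6_plen(f, n) == !jumbo ? ip6_plen_of(f) : -1;
}
```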
From: Jason Wang
To: peter.maydell@linaro.org, qemu-devel@nongnu.org
Subject: [PULL 2/2] hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()
Date: Tue, 21 Jul 2020 21:34:27 +0800
Message-Id: <1595338467-19556-3-git-send-email-jasowang@redhat.com>
In-Reply-To: <1595338467-19556-1-git-send-email-jasowang@redhat.com>
References: <1595338467-19556-1-git-send-email-jasowang@redhat.com>
Cc: Mauro Matteo Cascella, Jason Wang

From: Mauro Matteo Cascella

A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It occurs while sending an Ethernet frame due to missing break statements and improper checking of the buffer size.

Reported-by: Ziming Zhang
Signed-off-by: Mauro Matteo Cascella Reviewed-by: Peter Maydell Signed-off-by: Jason Wang --- hw/net/xgmac.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c index 574dd47..5bf1b61 100644 --- a/hw/net/xgmac.c +++ b/hw/net/xgmac.c @@ -220,21 +220,31 @@ static void xgmac_enet_send(XgmacState *s) } len =3D (bd.buffer1_size & 0xfff) + (bd.buffer2_size & 0xfff); =20 + /* + * FIXME: these cases of malformed tx descriptors (bad sizes) + * should probably be reported back to the guest somehow + * rather than simply silently stopping processing, but we + * don't know what the hardware does in this situation. + * This will only happen for buggy guests anyway. + */ if ((bd.buffer1_size & 0xfff) > 2048) { DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- " "xgmac buffer 1 len on send > 2048 (0x%x)\n", __func__, bd.buffer1_size & 0xfff); + break; } if ((bd.buffer2_size & 0xfff) !=3D 0) { DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- " "xgmac buffer 2 len on send !=3D 0 (0x%x)\n", __func__, bd.buffer2_size & 0xfff); + break; } - if (len >=3D sizeof(frame)) { + if (frame_size + len >=3D sizeof(frame)) { DEBUGF_BRK("qemu:%s: buffer overflow %d read into %zu " - "buffer\n" , __func__, len, sizeof(frame)); + "buffer\n" , __func__, frame_size + len, sizeof(fr= ame)); DEBUGF_BRK("qemu:%s: buffer1.size=3D%d; buffer2.size=3D%d\n", __func__, bd.buffer1_size, bd.buffer2_size); + break; } =20 cpu_physical_memory_read(bd.buffer1_addr, ptr, len); --=20 2.5.0
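Review bot: `if (frame_size + len >= sizeof(frame))` also rejects a descriptor chain that would exactly fill `frame`; if `frame` is a plain byte array with nothing reserved at its end, the precise bound is `frame_size + len > sizeof(frame)`. The stricter check is still safe, and now that the running `frame_size` is included and every error path does `break`, a malformed descriptor can no longer be copied past the buffer by `cpu_physical_memory_read(bd.buffer1_addr, ptr, len)`, so this is a bound-precision nit rather than a blocker; if the extra byte is intentionally kept free, a short comment saying so would spare the next reader the same question.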