The following changes since commit bdee969c0e65d4d509932b1d70e3a3b2ffbff6d5:

Merge remote-tracking branch 'remotes/bonzini-gitlab/tags/for-upstream' into staging (2021-03-19 18:01:17 +0000)

for you to fetch changes up to c7274b5ef43614dd133daec1e2018f71d8744088:

net/eth: Add an assert() and invert if() statement to simplify code (2021-03-22 17:34:31 +0800)

Bin Meng (4):

net: eth: Add a helper to pad a short Ethernet frame

net: Add a 'do_not_pad" to NetClientState

net: Pad short frames to minimum size before sending from SLiRP/TAP

hw/net: virtio-net: Initialize nc->do_not_pad to true

Lukas Straub (2):

net/colo-compare.c: Fix memory leak for non-tcp packet

net/colo-compare.c: Optimize removal of secondary packet

Philippe Mathieu-Daudé (7):

net/eth: Use correct in6_address offset in _eth_get_rss_ex_dst_addr()

net/eth: Simplify _eth_get_rss_ex_dst_addr()

net/eth: Better describe _eth_get_rss_ex_dst_addr's offset argument

net/eth: Check size earlier in _eth_get_rss_ex_dst_addr()

net/eth: Check iovec has enough data earlier

net/eth: Read ip6_ext_hdr_routing buffer before accessing it

net/eth: Add an assert() and invert if() statement to simplify code

MAINTAINERS | 1 +

hw/net/virtio-net.c | 4 +++

include/net/eth.h | 17 ++++++++++++

include/net/net.h | 1 +

net/colo-compare.c | 3 ++-

net/eth.c | 61 +++++++++++++++++++++++++++---------------

net/slirp.c | 10 +++++++

net/tap-win32.c | 10 +++++++

net/tap.c | 10 +++++++

tests/qtest/fuzz-e1000e-test.c | 53 ++++++++++++++++++++++++++++++++++++

tests/qtest/meson.build | 1 +

11 files changed, 148 insertions(+), 23 deletions(-)

create mode 100644 tests/qtest/fuzz-e1000e-test.c

From: Bin Meng <bmeng.cn@gmail.com>

This adds a flag in NetClientState, so that a net client can tell

its peer that the packets do not need to be padded to the minimum

size of an Ethernet frame (60 bytes) before sending to it.

Signed-off-by: Bin Meng <bmeng.cn@gmail.com>

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>

include/net/net.h | 1 +

1 file changed, 1 insertion(+)

@@ -XXX,XX +XXX,XX @@ struct NetClientState {

int vring_enable;

int vnet_hdr_len;

bool is_netdev;

+ bool do_not_pad; /* do not pad to the minimum ethernet frame length */

QTAILQ_HEAD(, NetFilterState) filters;

};

From: Bin Meng <bmeng.cn@gmail.com>

The minimum Ethernet frame length is 60 bytes. For short frames with

smaller length like ARP packets (only 42 bytes), on a real world NIC

it can choose either padding its length to the minimum required 60

bytes, or sending it out directly to the wire. Such behavior can be

hardcoded or controled by a register bit. Similarly on the receive

path, NICs can choose either dropping such short frames directly or

handing them over to software to handle.

On the other hand, for the network backends like SLiRP/TAP, they

don't expose a way to control the short frame behavior. As of today

they just send/receive data from/to the other end connected to them,

which means any sized packet is acceptable. So they can send and

receive short frames without any problem. It is observed that ARP

packets sent from SLiRP/TAP are 42 bytes, and SLiRP/TAP just send

these ARP packets to the other end which might be a NIC model that

does not allow short frames to pass through.

To provide better compatibility, for packets sent from QEMU network

backends like SLiRP/TAP, we change to pad short frames before sending

it out to the other end, if the other end does not forbid it via the

nc->do_not_pad flag. This ensures a backend as an Ethernet sender

does not violate the spec. But with this change, the behavior of

dropping short frames from SLiRP/TAP interfaces in the NIC model

cannot be emulated because it always receives a packet that is spec

complaint. The capability of sending short frames from NIC models is

still supported and short frames can still pass through SLiRP/TAP.

This commit should be able to fix the issue as reported with some

NIC models before, that ARP requests get dropped, preventing the

guest from becoming visible on the network. It was workarounded in

these NIC models on the receive path, that when a short frame is

received, it is padded up to 60 bytes.

The following 2 commits seem to be the one to workaround this issue

in e1000 and vmxenet3 before, and should probably be reverted.

commit 78aeb23eded2 ("e1000: Pad short frames to minimum size (60 bytes)")

commit 40a87c6c9b11 ("vmxnet3: Pad short frames to minimum size (60 bytes)")

Signed-off-by: Bin Meng <bmeng.cn@gmail.com>

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>

net/slirp.c | 10 ++++++++++

net/tap-win32.c | 10 ++++++++++

net/tap.c | 10 ++++++++++

3 files changed, 30 insertions(+)

@@ -XXX,XX +XXX,XX @@

#include <sys/socket.h>

#include <net/if.h>

+#include "net/eth.h"

#include "net/net.h"

#include "clients.h"

#include "monitor/monitor.h"

@@ -XXX,XX +XXX,XX @@ static void tap_send(void *opaque)

while (true) {

uint8_t *buf = s->buf;

+ uint8_t min_pkt[ETH_ZLEN];

+ size_t min_pktsz = sizeof(min_pkt);

size = tap_read_packet(s->fd, s->buf, sizeof(s->buf));

if (size <= 0) {

@@ -XXX,XX +XXX,XX @@ static void tap_send(void *opaque)

size -= s->host_vnet_hdr_len;

+ if (!s->nc.peer->do_not_pad) {

+ if (eth_pad_short_frame(min_pkt, &min_pktsz, buf, size)) {

+ buf = min_pkt;

+ size = min_pktsz;

+ }

+ }

+

size = qemu_send_packet_async(&s->nc, buf, size, tap_send_completed);

if (size == 0) {

tap_read_poll(s, false);

From: Philippe Mathieu-Daudé <philmd@redhat.com>

We want to check fields from ip6_ext_hdr_routing structure

and if correct read the full in6_address. Let's directly check

if our iovec contains enough data for everything, else return

early.

Suggested-by: Stefano Garzarella <sgarzare@redhat.com>

Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com>

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>

net/eth.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/eth.c b/net/eth.c

--- a/net/eth.c

+++ b/net/eth.c

@@ -XXX,XX +XXX,XX @@ _eth_get_rss_ex_dst_addr(const struct iovec *pkt, int pkt_frags,

size_t input_size = iov_size(pkt, pkt_frags);

size_t bytes_read;

- if (input_size < ext_hdr_offset + sizeof(*ext_hdr)) {

+ if (input_size < ext_hdr_offset + sizeof(*rthdr) + sizeof(*dst_addr)) {

return false;

From: Philippe Mathieu-Daudé <philmd@redhat.com>

We can't know the caller read enough data in the memory pointed

by ext_hdr to cast it as a ip6_ext_hdr_routing.

Declare rt_hdr on the stack and fill it again from the iovec.

Since we already checked there is enough data in the iovec buffer,

simply add an assert() call to consume the bytes_read variable.

This fix a 2 bytes buffer overrun in eth_parse_ipv6_hdr() reported

by QEMU fuzzer:

$ cat << EOF | ./qemu-system-i386 -M pc-q35-5.0 \

-accel qtest -monitor none \

-serial none -nographic -qtest stdio

outl 0xcf8 0x80001010

outl 0xcfc 0xe1020000

outl 0xcf8 0x80001004

outw 0xcfc 0x7

write 0x25 0x1 0x86

write 0x26 0x1 0xdd

write 0x4f 0x1 0x2b

write 0xe1020030 0x4 0x190002e1

write 0xe102003a 0x2 0x0807

write 0xe1020048 0x4 0x12077cdd

write 0xe1020400 0x4 0xba077cdd

write 0xe1020420 0x4 0x190002e1

write 0xe1020428 0x4 0x3509d807

write 0xe1020438 0x1 0xe2

EOF

=================================================================

==2859770==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdef904902 at pc 0x561ceefa78de bp 0x7ffdef904820 sp 0x7ffdef904818

READ of size 1 at 0x7ffdef904902 thread T0

#0 0x561ceefa78dd in _eth_get_rss_ex_dst_addr net/eth.c:410:17

#1 0x561ceefa41fb in eth_parse_ipv6_hdr net/eth.c:532:17

#2 0x561cef7de639 in net_tx_pkt_parse_headers hw/net/net_tx_pkt.c:228:14

#3 0x561cef7dbef4 in net_tx_pkt_parse hw/net/net_tx_pkt.c:273:9

#4 0x561ceec29f22 in e1000e_process_tx_desc hw/net/e1000e_core.c:730:29

#5 0x561ceec28eac in e1000e_start_xmit hw/net/e1000e_core.c:927:9

#6 0x561ceec1baab in e1000e_set_tdt hw/net/e1000e_core.c:2444:9

#7 0x561ceebf300e in e1000e_core_write hw/net/e1000e_core.c:3256:9

#8 0x561cef3cd4cd in e1000e_mmio_write hw/net/e1000e.c:110:5

Address 0x7ffdef904902 is located in stack of thread T0 at offset 34 in frame

#0 0x561ceefa320f in eth_parse_ipv6_hdr net/eth.c:486

This frame has 1 object(s):

[32, 34) 'ext_hdr' (line 487) <== Memory access at offset 34 overflows this variable

HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork

(longjmp and C++ exceptions *are* supported)

SUMMARY: AddressSanitizer: stack-buffer-overflow net/eth.c:410:17 in _eth_get_rss_ex_dst_addr

Shadow bytes around the buggy address:

0x10003df188d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x10003df188e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x10003df188f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x10003df18900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x10003df18910: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1

=>0x10003df18920:[02]f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00

0x10003df18930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x10003df18940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x10003df18950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x10003df18960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x10003df18970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Shadow byte legend (one shadow byte represents 8 application bytes):

Addressable: 00

Partially addressable: 01 02 03 04 05 06 07

Stack left redzone: f1

Stack right redzone: f3

==2859770==ABORTING

Add the corresponding qtest case with the fuzzer reproducer.

FWIW GCC 11 similarly reported:

net/eth.c: In function 'eth_parse_ipv6_hdr':

net/eth.c:410:15: error: array subscript 'struct ip6_ext_hdr_routing[0]' is partly outside array bounds of 'struct ip6_ext_hdr[1]' [-Werror=array-bounds]

410 | if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) {

| ~~~~~^~~~~~~

net/eth.c:485:24: note: while referencing 'ext_hdr'

485 | struct ip6_ext_hdr ext_hdr;

| ^~~~~~~

net/eth.c:410:38: error: array subscript 'struct ip6_ext_hdr_routing[0]' is partly outside array bounds of 'struct ip6_ext_hdr[1]' [-Werror=array-bounds]

410 | if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) {

| ~~~~~^~~~~~~~~

net/eth.c:485:24: note: while referencing 'ext_hdr'

485 | struct ip6_ext_hdr ext_hdr;

| ^~~~~~~

Cc: qemu-stable@nongnu.org

Buglink: https://bugs.launchpad.net/qemu/+bug/1879531

Reported-by: Alexander Bulekov <alxndr@bu.edu>

Reported-by: Miroslav Rezanina <mrezanin@redhat.com>

Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>

Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com>

Fixes: eb700029c78 ("net_pkt: Extend packet abstraction as required by e1000e functionality")

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>

MAINTAINERS | 1 +

net/eth.c | 13 +++++++----

tests/qtest/fuzz-e1000e-test.c | 53 ++++++++++++++++++++++++++++++++++++++++++

tests/qtest/meson.build | 1 +

4 files changed, 63 insertions(+), 5 deletions(-)

create mode 100644 tests/qtest/fuzz-e1000e-test.c

diff --git a/MAINTAINERS b/MAINTAINERS

--- a/MAINTAINERS

+++ b/MAINTAINERS

@@ -XXX,XX +XXX,XX @@ e1000e

M: Dmitry Fleytman <dmitry.fleytman@gmail.com>

S: Maintained

F: hw/net/e1000e*

+F: tests/qtest/fuzz-e1000e-test.c

eepro100

M: Stefan Weil <sw@weilnetz.de>

diff --git a/net/eth.c b/net/eth.c

index XXXXXXX..XXXXXXX 100644

--- a/net/eth.c

+++ b/net/eth.c

@@ -XXX,XX +XXX,XX @@ _eth_get_rss_ex_dst_addr(const struct iovec *pkt, int pkt_frags,

struct ip6_ext_hdr *ext_hdr,

struct in6_address *dst_addr)

{

- struct ip6_ext_hdr_routing *rthdr = (struct ip6_ext_hdr_routing *) ext_hdr;

+ struct ip6_ext_hdr_routing rt_hdr;

size_t input_size = iov_size(pkt, pkt_frags);

size_t bytes_read;

- if (input_size < ext_hdr_offset + sizeof(*rthdr) + sizeof(*dst_addr)) {

+ if (input_size < ext_hdr_offset + sizeof(rt_hdr) + sizeof(*dst_addr)) {

return false;

}

- if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) {

- bytes_read = iov_to_buf(pkt, pkt_frags,

- ext_hdr_offset + sizeof(*rthdr),

+ bytes_read = iov_to_buf(pkt, pkt_frags, ext_hdr_offset,

+ &rt_hdr, sizeof(rt_hdr));

+ assert(bytes_read == sizeof(rt_hdr));

+

+ if ((rt_hdr.rtype == 2) && (rt_hdr.segleft == 1)) {

+ bytes_read = iov_to_buf(pkt, pkt_frags, ext_hdr_offset + sizeof(rt_hdr),

dst_addr, sizeof(*dst_addr));

return bytes_read == sizeof(*dst_addr);

diff --git a/tests/qtest/fuzz-e1000e-test.c b/tests/qtest/fuzz-e1000e-test.c

new file mode 100644

index XXXXXXX..XXXXXXX

--- /dev/null

+++ b/tests/qtest/fuzz-e1000e-test.c

@@ -XXX,XX +XXX,XX @@

+/*

+ * QTest testcase for e1000e device generated by fuzzer

+ *

+ * Copyright (c) 2021 Red Hat, Inc.

+ *

+ * SPDX-License-Identifier: GPL-2.0-or-later

+ */

+

+#include "qemu/osdep.h"

+

+#include "libqos/libqtest.h"

+

+/*

+ * https://bugs.launchpad.net/qemu/+bug/1879531

+ */

+static void test_lp1879531_eth_get_rss_ex_dst_addr(void)

+{

+ QTestState *s;

+

+ s = qtest_init("-nographic -monitor none -serial none -M pc-q35-5.0");

+

+ qtest_outl(s, 0xcf8, 0x80001010);

+ qtest_outl(s, 0xcfc, 0xe1020000);

+ qtest_outl(s, 0xcf8, 0x80001004);

+ qtest_outw(s, 0xcfc, 0x7);

+ qtest_writeb(s, 0x25, 0x86);

+ qtest_writeb(s, 0x26, 0xdd);

+ qtest_writeb(s, 0x4f, 0x2b);

+

+ qtest_writel(s, 0xe1020030, 0x190002e1);

+ qtest_writew(s, 0xe102003a, 0x0807);

+ qtest_writel(s, 0xe1020048, 0x12077cdd);

+ qtest_writel(s, 0xe1020400, 0xba077cdd);

+ qtest_writel(s, 0xe1020420, 0x190002e1);

+ qtest_writel(s, 0xe1020428, 0x3509d807);

+ qtest_writeb(s, 0xe1020438, 0xe2);

+ qtest_writeb(s, 0x4f, 0x2b);

+ qtest_quit(s);

+}

+

+int main(int argc, char **argv)

+{

+ const char *arch = qtest_get_arch();

+

+ g_test_init(&argc, &argv, NULL);

+

+ if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) {

+ qtest_add_func("fuzz/test_lp1879531_eth_get_rss_ex_dst_addr",

+ test_lp1879531_eth_get_rss_ex_dst_addr);

+ }

+

+ return g_test_run();

+}

diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build

index XXXXXXX..XXXXXXX 100644

--- a/tests/qtest/meson.build

+++ b/tests/qtest/meson.build

@@ -XXX,XX +XXX,XX @@ qtests_i386 = \

(config_all_devices.has_key('CONFIG_TPM_TIS_ISA') ? ['tpm-tis-test'] : []) + \

(config_all_devices.has_key('CONFIG_TPM_TIS_ISA') ? ['tpm-tis-swtpm-test'] : []) + \

(config_all_devices.has_key('CONFIG_RTL8139_PCI') ? ['rtl8139-test'] : []) + \

+ (config_all_devices.has_key('CONFIG_E1000E_PCI_EXPRESS') ? ['fuzz-e1000e-test'] : []) + \

qtests_pci + \

['fdc-test',

'ide-test',

From: Philippe Mathieu-Daudé <philmd@redhat.com>

To simplify the function body, invert the if() statement, returning

earlier.

Since we already checked there is enough data in the iovec buffer,

simply add an assert() call to consume the bytes_read variable.

Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>

Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com>

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>

net/eth.c | 13 ++++++-------

1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/net/eth.c b/net/eth.c

--- a/net/eth.c

+++ b/net/eth.c

@@ -XXX,XX +XXX,XX @@ _eth_get_rss_ex_dst_addr(const struct iovec *pkt, int pkt_frags,

bytes_read = iov_to_buf(pkt, pkt_frags, ext_hdr_offset,

&rt_hdr, sizeof(rt_hdr));

assert(bytes_read == sizeof(rt_hdr));

-

- if ((rt_hdr.rtype == 2) && (rt_hdr.segleft == 1)) {

- bytes_read = iov_to_buf(pkt, pkt_frags, ext_hdr_offset + sizeof(rt_hdr),

- dst_addr, sizeof(*dst_addr));

-

- return bytes_read == sizeof(*dst_addr);

+ if ((rt_hdr.rtype != 2) || (rt_hdr.segleft != 1)) {

+ return false;

}

+ bytes_read = iov_to_buf(pkt, pkt_frags, ext_hdr_offset + sizeof(rt_hdr),

+ dst_addr, sizeof(*dst_addr));

+ assert(bytes_read == sizeof(*dst_addr));

- return false;

+ return true;

}

static bool