From: Li Qiang
To: dmitry.fleytman@gmail.com, jasowang@redhat.com, pbonzini@redhat.com, mst@redhat.com
Cc: Li Qiang, liq3ea@gmail.com, qemu-devel@nongnu.org
Subject: [PATCH] e1000e: using bottom half to send packets
Date: Thu, 16 Jul 2020 09:14:53 -0700
Message-Id: <20200716161453.61295-1-liq3ea@163.com>

Alexander Bulekov reported a UAF bug related to e1000e packet send.
-->https://bugs.launchpad.net/qemu/+bug/1886362

This is because the guest triggers an e1000e packet send and sets the data's address to e1000e's MMIO address. So when the e1000e does DMA it will write the MMIO again and trigger re-entrancy, which finally causes this UAF.

Paolo suggested using a bottom half whenever MMIO is doing complicated things, here:
-->https://lists.nongnu.org/archive/html/qemu-devel/2020-07/msg03342.html

Reference here:
'The easiest solution is to delay processing of descriptors to a bottom half whenever MMIO is doing something complicated. This is also better for latency because it will free the vCPU thread more quickly and leave the work to the I/O thread.'

This patch fixes this UAF.

Signed-off-by: Li Qiang
---
 hw/net/e1000e_core.c | 25 +++++++++++++++++--------
 hw/net/e1000e_core.h | 2 ++
 2 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c index bcd186cac5..6165b04b68 100644 --- a/hw/net/e1000e_core.c +++ b/hw/net/e1000e_core.c @@ -2423,32 +2423,27 @@ e1000e_set_dbal(E1000ECore *core, int index, uint32= _t val) static void e1000e_set_tctl(E1000ECore *core, int index, uint32_t val) { - E1000E_TxRing txr; core->mac[index] =3D val; =20 if (core->mac[TARC0] & E1000_TARC_ENABLE) { - e1000e_tx_ring_init(core, &txr, 0); - e1000e_start_xmit(core, &txr); + qemu_bh_schedule(core->tx[0].tx_bh); } =20 if (core->mac[TARC1] & E1000_TARC_ENABLE) { - e1000e_tx_ring_init(core, &txr, 1); - e1000e_start_xmit(core, &txr); + qemu_bh_schedule(core->tx[1].tx_bh); } } =20 static void e1000e_set_tdt(E1000ECore *core, int index, uint32_t val) { - E1000E_TxRing txr; int qidx =3D e1000e_mq_queue_idx(TDT, index); uint32_t tarc_reg =3D (qidx =3D=3D 0) ? TARC0 : TARC1; =20 core->mac[index] =3D val & 0xffff; =20 if (core->mac[tarc_reg] & E1000_TARC_ENABLE) { - e1000e_tx_ring_init(core, &txr, qidx); - e1000e_start_xmit(core, &txr); + qemu_bh_schedule(core->tx[qidx].tx_bh); } } =20 
@@ -3322,6 +3317,16 @@ e1000e_vm_state_change(void *opaque, int running, Ru= nState state) } } =20 +static void e1000e_core_tx_bh(void *opaque) +{ + struct e1000e_tx *tx =3D opaque; + E1000ECore *core =3D tx->core; + E1000E_TxRing txr; + + e1000e_tx_ring_init(core, &txr, tx - &core->tx[0]); + e1000e_start_xmit(core, &txr); +} + void e1000e_core_pci_realize(E1000ECore *core, const uint16_t *eeprom_templ, @@ -3340,6 +3345,8 @@ e1000e_core_pci_realize(E1000ECore *core, for (i =3D 0; i < E1000E_NUM_QUEUES; i++) { net_tx_pkt_init(&core->tx[i].tx_pkt, core->owner, E1000E_MAX_TX_FRAGS, core->has_vnet); + core->tx[i].core =3D core; + core->tx[i].tx_bh =3D qemu_bh_new(e1000e_core_tx_bh, &core->tx[i]); } =20 net_rx_pkt_init(&core->rx_pkt, core->has_vnet); @@ -3367,6 +3374,8 @@ e1000e_core_pci_uninit(E1000ECore *core) for (i =3D 0; i < E1000E_NUM_QUEUES; i++) { net_tx_pkt_reset(core->tx[i].tx_pkt); net_tx_pkt_uninit(core->tx[i].tx_pkt); + qemu_bh_delete(core->tx[i].tx_bh); + core->tx[i].tx_bh =3D NULL; } =20 net_rx_pkt_uninit(core->rx_pkt); diff --git a/hw/net/e1000e_core.h b/hw/net/e1000e_core.h index aee32f7e48..94ddc6afc2 100644 --- a/hw/net/e1000e_core.h +++ b/hw/net/e1000e_core.h @@ -77,6 +77,8 @@ struct E1000Core { unsigned char sum_needed; bool cptse; struct NetTxPkt *tx_pkt; + QEMUBH *tx_bh; + E1000ECore *core; } tx[E1000E_NUM_QUEUES]; =20 struct NetRxPkt *rx_pkt; --=20 2.17.1
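Review bot: In the e1000e_set_tctl()/e1000e_set_tdt() hunk the E1000_TARC_ENABLE check happens at the moment the BH is scheduled, but e1000e_core_tx_bh() later calls e1000e_tx_ring_init() and e1000e_start_xmit() unconditionally, so a guest that writes TDT and then clears the enable bit before the main loop runs the BH still gets a transmit pass over that ring. Re-check `core->mac[TARC0] & E1000_TARC_ENABLE` (or `core->mac[tarc_reg]` for the TDT path) inside the BH callback before starting transmission. The commit message should also state the behavioural change: the MMIO write now returns before any descriptor is processed, which is exactly what breaks the DMA-into-MMIO re-entrancy, but it means transmission no longer completes synchronously with the register write.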
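Review bot: `tx - &core->tx[0]` in e1000e_core_tx_bh() recovers the queue index by pointer subtraction, which works but is easy to misread and silently narrows a ptrdiff_t to the int that e1000e_tx_ring_init() takes; storing an explicit index next to the new `core` back-pointer would make the intent obvious. The new function also carries no comment on why transmission is deferred; a one-line note that it runs from the main-loop BH rather than the vCPU MMIO path, so that a DMA target inside the device's own MMIO window cannot re-enter the register handler, would save the next reader a trip to the bug report. Since the surrounding context is e1000e_vm_state_change(), it is also worth checking what happens to a BH that is scheduled but not yet run when the VM is stopped: nothing in this patch re-schedules pending transmit work after a stop/start or on the destination of a migration.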
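Review bot: The realize hunk creates each tx_bh with qemu_bh_new(), but the patch adds no matching qemu_bh_cancel() in the device reset path; only the uninit hunk tears the BH down. A tx_bh scheduled by a TDT write just before a reset will therefore still fire afterwards against the reinitialised ring registers. Cancel the per-queue BH wherever the other per-queue transmit state is reset, so the deferred work cannot outlive the register state that requested it.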
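Review bot: In the e1000e_core_pci_uninit() hunk the BH is deleted only after net_tx_pkt_reset() and net_tx_pkt_uninit() have already torn down the tx_pkt that the callback operates on; moving `qemu_bh_delete(core->tx[i].tx_bh);` to the top of the loop body makes the ordering safe by construction, so no callback can observe a freed tx_pkt whatever thread runs the teardown. Clearing tx_bh to NULL afterwards is fine and makes a stale-pointer use easy to spot.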
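Review bot: The two new fields in the per-queue tx struct in e1000e_core.h have no comment; the header should say that `tx_bh` is created in e1000e_core_pci_realize() and deleted in e1000e_core_pci_uninit(), and that `core` exists only so the BH callback can get back to its E1000ECore. Given that e1000e_core_tx_bh() already recovers the queue index from the array position, consider whether an explicit index field is cleaner here than the pointer subtraction, or alternatively whether the `core` back-pointer could be avoided entirely by scheduling one BH on the E1000ECore that walks all E1000E_NUM_QUEUES rings.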