From: Jason Wang
To: mst@redhat.com
Cc: Victor Tom, Jason Wang, qemu-devel@nongnu.org, qemu-stable@nongnu.org
Subject: [PATCH] virtio-net: fix map leaking on error during receive
Date: Tue, 8 Mar 2022 13:56:42 +0800
Message-Id: <20220308055642.20961-1-jasowang@redhat.com>

Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
tries to fix the use after free of the sg by caching the virtqueue
elements in an array and unmapping them at once after receiving the
packets. But it forgot to unmap the cached elements on error, which
will lead to leaking of mapping and other unexpected results.

Fix this by detaching the cached elements on error. This addresses
CVE-2022-26353.

Reported-by: Victor Tom
Cc: qemu-stable@nongnu.org
Fixes: bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
Signed-off-by: Jason Wang
Reviewed-by: Michael S. Tsirkin
--- hw/net/virtio-net.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c index cf8ab0f8af..65b61c836c 100644 --- a/hw/net/virtio-net.c +++ b/hw/net/virtio-net.c @@ -1867,6 +1867,7 @@ static ssize_t virtio_net_receive_rcu(NetClientState = *nc, const uint8_t *buf, =20 err: for (j =3D 0; j < i; j++) { + virtqueue_detach_element(q->rx_vq, elems[j], lens[j]); g_free(elems[j]); } =20 --=20 2.25.1
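
Review bot: the new virtqueue_detach_element(q->rx_vq, elems[j], lens[j]) call in the err: loop reads lens[j] for every j < i, so it depends on lens[] having been written for each cached element before any jump to err, and the hunk context does not show where that assignment happens. Please confirm that elems[i] and lens[i] are always stored together before i is incremented, so that no error path can reach this loop with an uninitialised length. A one-line comment above the loop saying that the cached elements are detached (unmapped) before being freed would also document why the detach has to precede g_free(elems[j]) and make the cleanup order harder to break in later changes.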