From nobody Thu Dec 18 19:36:39 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1646746992469811.4195102514425; Tue, 8 Mar 2022 05:43:12 -0800 (PST) Received: from localhost ([::1]:57536 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1nRa7L-0000DR-DC for importer@patchew.org; Tue, 08 Mar 2022 08:43:11 -0500 Received: from eggs.gnu.org ([209.51.188.92]:43272) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nRZzz-0001Te-UZ for qemu-devel@nongnu.org; Tue, 08 Mar 2022 08:35:36 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:30318) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nRZzw-00025v-Cf for qemu-devel@nongnu.org; Tue, 08 Mar 2022 08:35:34 -0500 Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-662-zXad-_B4O6C08wAh8GszRw-1; Tue, 08 Mar 2022 08:35:12 -0500 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 3B3861091DA0; Tue, 8 Mar 2022 13:35:11 +0000 (UTC) Received: from localhost.localdomain (ovpn-12-181.pek2.redhat.com [10.72.12.181]) by smtp.corp.redhat.com (Postfix) with ESMTP id B235B85EE5; Tue, 8 Mar 2022 13:34:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1646746515; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=SccI0G3wTK40LFvYuyzFjnGT4qJU6O0ugVUWXihieFM=; b=EZRhCndKFk1HtLcdzx1zvbQ+u5mR1XQSncUzz4RbJZVuStkf89EnNmDwXHNwQSODT7nYfx mK99zi1/bOsUd/wAOxb+FlgPW+njxhQ+YN3fXDmCDjE1hylauPZIUAjgfneeX1P8fY2ItF MjNynv6P+AHZblo2XUmCebHoC9WG2oA= X-MC-Unique: zXad-_B4O6C08wAh8GszRw-1 From: Jason Wang To: qemu-devel@nongnu.org, peter.maydell@linaro.org Subject: [PULL 01/15] virtio-net: fix map leaking on error during receive Date: Tue, 8 Mar 2022 21:34:37 +0800 Message-Id: <20220308133451.25378-2-jasowang@redhat.com> In-Reply-To: <20220308133451.25378-1-jasowang@redhat.com> References: <20220308133451.25378-1-jasowang@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=jasowang@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=jasowang@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -21 X-Spam_score: -2.2 X-Spam_bar: -- X-Spam_report: (-2.2 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.082, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Victor Tom , Jason Wang , qemu-stable@nongnu.org, "Michael S . Tsirkin" Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1646746994114100003 Content-Type: text/plain; charset="utf-8" Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg") tries to fix the use after free of the sg by caching the virtqueue elements in an array and unmap them at once after receiving the packets, But it forgot to unmap the cached elements on error which will lead to leaking of mapping and other unexpected results. Fixing this by detaching the cached elements on error. This addresses CVE-2022-26353. Reported-by: Victor Tom Cc: qemu-stable@nongnu.org Fixes: CVE-2022-26353 Fixes: bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg") Reviewed-by: Michael S. Tsirkin Signed-off-by: Jason Wang --- hw/net/virtio-net.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c index cf8ab0f..65b61c8 100644 --- a/hw/net/virtio-net.c +++ b/hw/net/virtio-net.c @@ -1867,6 +1867,7 @@ static ssize_t virtio_net_receive_rcu(NetClientState = *nc, const uint8_t *buf, =20 err: for (j =3D 0; j < i; j++) { + virtqueue_detach_element(q->rx_vq, elems[j], lens[j]); g_free(elems[j]); } =20 --=20 2.7.4