1. Patchew
  2. QEMU
  3. View series

[PATCH] virtio-net: correctly copy vnet header when flushing TX

Jason Wang posted 1 patch 10 months, 4 weeks ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20240102032901.3234-1-jasowang@redhat.com
Maintainers: "Michael S. Tsirkin" <mst@redhat.com>, Jason Wang <jasowang@redhat.com>
hw/net/virtio-net.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
[PATCH] virtio-net: correctly copy vnet header when flushing TX
Posted by Jason Wang 10 months, 4 weeks ago 
When HASH_REPORT is negotiated, the guest_hdr_len might be larger than
the size of the mergeable rx buffer header. Using
virtio_net_hdr_mrg_rxbuf during the header swap might lead a stack
overflow in this case. Fixing this by using virtio_net_hdr_v1_hash
instead.

Reported-by: Xiao Lei <leixiao.nop@zju.edu.cn>
Cc: Yuri Benditovich <yuri.benditovich@daynix.com>
Cc: qemu-stable@nongnu.org
Cc: Mauro Matteo Cascella <mcascell@redhat.com>
Fixes: CVE-2023-6693
Fixes: e22f0603fb2f ("virtio-net: reference implementation of hash report")
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/virtio-net.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 80c56f0cfc..73024babd4 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -674,6 +674,11 @@ static void virtio_net_set_mrg_rx_bufs(VirtIONet *n, int mergeable_rx_bufs,
 
     n->mergeable_rx_bufs = mergeable_rx_bufs;
 
+    /*
+     * Note: when extending the vnet header, please make sure to
+     * change the vnet header copying logic in virtio_net_flush_tx()
+     * as well.
+     */
     if (version_1) {
         n->guest_hdr_len = hash_report ?
             sizeof(struct virtio_net_hdr_v1_hash) :
@@ -2693,7 +2698,7 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q)
         ssize_t ret;
         unsigned int out_num;
         struct iovec sg[VIRTQUEUE_MAX_SIZE], sg2[VIRTQUEUE_MAX_SIZE + 1], *out_sg;
-        struct virtio_net_hdr_mrg_rxbuf mhdr;
+        struct virtio_net_hdr_v1_hash vhdr;
 
         elem = virtqueue_pop(q->tx_vq, sizeof(VirtQueueElement));
         if (!elem) {
@@ -2710,7 +2715,7 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q)
         }
 
         if (n->has_vnet_hdr) {
-            if (iov_to_buf(out_sg, out_num, 0, &mhdr, n->guest_hdr_len) <
+            if (iov_to_buf(out_sg, out_num, 0, &vhdr, n->guest_hdr_len) <
                 n->guest_hdr_len) {
                 virtio_error(vdev, "virtio-net header incorrect");
                 virtqueue_detach_element(q->tx_vq, elem, 0);
@@ -2718,8 +2723,8 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q)
                 return -EINVAL;
             }
             if (n->needs_vnet_hdr_swap) {
-                virtio_net_hdr_swap(vdev, (void *) &mhdr);
-                sg2[0].iov_base = &mhdr;
+                virtio_net_hdr_swap(vdev, (void *) &vhdr);
+                sg2[0].iov_base = &vhdr;
                 sg2[0].iov_len = n->guest_hdr_len;
                 out_num = iov_copy(&sg2[1], ARRAY_SIZE(sg2) - 1,
                                    out_sg, out_num,
-- 
2.42.0
Re: [PATCH] virtio-net: correctly copy vnet header when flushing TX
Posted by Michael Tokarev 10 months, 1 week ago 
02.01.2024 06:29, Jason Wang :
> When HASH_REPORT is negotiated, the guest_hdr_len might be larger than
> the size of the mergeable rx buffer header. Using
> virtio_net_hdr_mrg_rxbuf during the header swap might lead a stack
> overflow in this case. Fixing this by using virtio_net_hdr_v1_hash
> instead.
> 
> Reported-by: Xiao Lei <leixiao.nop@zju.edu.cn>
> Cc: Yuri Benditovich <yuri.benditovich@daynix.com>
> Cc: qemu-stable@nongnu.org
> Cc: Mauro Matteo Cascella <mcascell@redhat.com>
> Fixes: CVE-2023-6693
> Fixes: e22f0603fb2f ("virtio-net: reference implementation of hash report")
> Signed-off-by: Jason Wang <jasowang@redhat.com>

Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>

/mjt
Re: [PATCH] virtio-net: correctly copy vnet header when flushing TX
Posted by Michael Tokarev 10 months, 1 week ago 
02.01.2024 06:29, Jason Wang :
> When HASH_REPORT is negotiated, the guest_hdr_len might be larger than
> the size of the mergeable rx buffer header. Using
> virtio_net_hdr_mrg_rxbuf during the header swap might lead a stack
> overflow in this case. Fixing this by using virtio_net_hdr_v1_hash
> instead.
> 
> Reported-by: Xiao Lei <leixiao.nop@zju.edu.cn>
> Cc: Yuri Benditovich <yuri.benditovich@daynix.com>
> Cc: qemu-stable@nongnu.org
> Cc: Mauro Matteo Cascella <mcascell@redhat.com>
> Fixes: CVE-2023-6693
> Fixes: e22f0603fb2f ("virtio-net: reference implementation of hash report")
> Signed-off-by: Jason Wang <jasowang@redhat.com>

Hi!  Can we get this to master before Jan-27 please, so it's included in 8.2.1?

Thanks!

/mjt
Re: [PATCH] virtio-net: correctly copy vnet header when flushing TX
Posted by Jason Wang 10 months, 1 week ago 
On Sat, Jan 20, 2024 at 6:42 PM Michael Tokarev <mjt@tls.msk.ru> wrote:
>
> 02.01.2024 06:29, Jason Wang :
> > When HASH_REPORT is negotiated, the guest_hdr_len might be larger than
> > the size of the mergeable rx buffer header. Using
> > virtio_net_hdr_mrg_rxbuf during the header swap might lead a stack
> > overflow in this case. Fixing this by using virtio_net_hdr_v1_hash
> > instead.
> >
> > Reported-by: Xiao Lei <leixiao.nop@zju.edu.cn>
> > Cc: Yuri Benditovich <yuri.benditovich@daynix.com>
> > Cc: qemu-stable@nongnu.org
> > Cc: Mauro Matteo Cascella <mcascell@redhat.com>
> > Fixes: CVE-2023-6693
> > Fixes: e22f0603fb2f ("virtio-net: reference implementation of hash report")
> > Signed-off-by: Jason Wang <jasowang@redhat.com>
>
> Hi!  Can we get this to master before Jan-27 please, so it's included in 8.2.1?

I think it will be.

Thanks

>
> Thanks!
>
> /mjt
>
Re: [PATCH] virtio-net: correctly copy vnet header when flushing TX
Posted by Jason Wang 10 months, 2 weeks ago 
On Tue, Jan 2, 2024 at 11:29 AM Jason Wang <jasowang@redhat.com> wrote:
>
> When HASH_REPORT is negotiated, the guest_hdr_len might be larger than
> the size of the mergeable rx buffer header. Using
> virtio_net_hdr_mrg_rxbuf during the header swap might lead a stack
> overflow in this case. Fixing this by using virtio_net_hdr_v1_hash
> instead.
>
> Reported-by: Xiao Lei <leixiao.nop@zju.edu.cn>
> Cc: Yuri Benditovich <yuri.benditovich@daynix.com>
> Cc: qemu-stable@nongnu.org
> Cc: Mauro Matteo Cascella <mcascell@redhat.com>
> Fixes: CVE-2023-6693
> Fixes: e22f0603fb2f ("virtio-net: reference implementation of hash report")
> Signed-off-by: Jason Wang <jasowang@redhat.com>

Queued.

Thanks
Re: [PATCH] virtio-net: correctly copy vnet header when flushing TX
Posted by Yuri Benditovich 10 months, 4 weeks ago 
I agree, thank you.

Where is this CVE-2023-6693 available?

Thanks,
Yuri

On Tue, Jan 2, 2024 at 5:29 AM Jason Wang <jasowang@redhat.com> wrote:

> When HASH_REPORT is negotiated, the guest_hdr_len might be larger than
> the size of the mergeable rx buffer header. Using
> virtio_net_hdr_mrg_rxbuf during the header swap might lead a stack
> overflow in this case. Fixing this by using virtio_net_hdr_v1_hash
> instead.
>
> Reported-by: Xiao Lei <leixiao.nop@zju.edu.cn>
> Cc: Yuri Benditovich <yuri.benditovich@daynix.com>
> Cc: qemu-stable@nongnu.org
> Cc: Mauro Matteo Cascella <mcascell@redhat.com>
> Fixes: CVE-2023-6693
> Fixes: e22f0603fb2f ("virtio-net: reference implementation of hash report")
> Signed-off-by: Jason Wang <jasowang@redhat.com>
> ---
>  hw/net/virtio-net.c | 13 +++++++++----
>  1 file changed, 9 insertions(+), 4 deletions(-)
>
> diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
> index 80c56f0cfc..73024babd4 100644
> --- a/hw/net/virtio-net.c
> +++ b/hw/net/virtio-net.c
> @@ -674,6 +674,11 @@ static void virtio_net_set_mrg_rx_bufs(VirtIONet *n,
> int mergeable_rx_bufs,
>
>      n->mergeable_rx_bufs = mergeable_rx_bufs;
>
> +    /*
> +     * Note: when extending the vnet header, please make sure to
> +     * change the vnet header copying logic in virtio_net_flush_tx()
> +     * as well.
> +     */
>      if (version_1) {
>          n->guest_hdr_len = hash_report ?
>              sizeof(struct virtio_net_hdr_v1_hash) :
> @@ -2693,7 +2698,7 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q)
>          ssize_t ret;
>          unsigned int out_num;
>          struct iovec sg[VIRTQUEUE_MAX_SIZE], sg2[VIRTQUEUE_MAX_SIZE + 1],
> *out_sg;
> -        struct virtio_net_hdr_mrg_rxbuf mhdr;
> +        struct virtio_net_hdr_v1_hash vhdr;
>
>          elem = virtqueue_pop(q->tx_vq, sizeof(VirtQueueElement));
>          if (!elem) {
> @@ -2710,7 +2715,7 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q)
>          }
>
>          if (n->has_vnet_hdr) {
> -            if (iov_to_buf(out_sg, out_num, 0, &mhdr, n->guest_hdr_len) <
> +            if (iov_to_buf(out_sg, out_num, 0, &vhdr, n->guest_hdr_len) <
>                  n->guest_hdr_len) {
>                  virtio_error(vdev, "virtio-net header incorrect");
>                  virtqueue_detach_element(q->tx_vq, elem, 0);
> @@ -2718,8 +2723,8 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q)
>                  return -EINVAL;
>              }
>              if (n->needs_vnet_hdr_swap) {
> -                virtio_net_hdr_swap(vdev, (void *) &mhdr);
> -                sg2[0].iov_base = &mhdr;
> +                virtio_net_hdr_swap(vdev, (void *) &vhdr);
> +                sg2[0].iov_base = &vhdr;
>                  sg2[0].iov_len = n->guest_hdr_len;
>                  out_num = iov_copy(&sg2[1], ARRAY_SIZE(sg2) - 1,
>                                     out_sg, out_num,
> --
> 2.42.0
>
>
Re: [PATCH] virtio-net: correctly copy vnet header when flushing TX
Posted by Mauro Matteo Cascella 10 months, 4 weeks ago 
On Tue, Jan 2, 2024 at 12:20 PM Yuri Benditovich
<yuri.benditovich@daynix.com> wrote:
>
> I agree, thank you.
>
> Where is this CVE-2023-6693 available?

Here: https://bugzilla.redhat.com/show_bug.cgi?id=2254580.

> Thanks,
> Yuri
>
> On Tue, Jan 2, 2024 at 5:29 AM Jason Wang <jasowang@redhat.com> wrote:
>>
>> When HASH_REPORT is negotiated, the guest_hdr_len might be larger than
>> the size of the mergeable rx buffer header. Using
>> virtio_net_hdr_mrg_rxbuf during the header swap might lead a stack
>> overflow in this case. Fixing this by using virtio_net_hdr_v1_hash
>> instead.
>>
>> Reported-by: Xiao Lei <leixiao.nop@zju.edu.cn>
>> Cc: Yuri Benditovich <yuri.benditovich@daynix.com>
>> Cc: qemu-stable@nongnu.org
>> Cc: Mauro Matteo Cascella <mcascell@redhat.com>
>> Fixes: CVE-2023-6693
>> Fixes: e22f0603fb2f ("virtio-net: reference implementation of hash report")
>> Signed-off-by: Jason Wang <jasowang@redhat.com>
>> ---
>>  hw/net/virtio-net.c | 13 +++++++++----
>>  1 file changed, 9 insertions(+), 4 deletions(-)
>>
>> diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
>> index 80c56f0cfc..73024babd4 100644
>> --- a/hw/net/virtio-net.c
>> +++ b/hw/net/virtio-net.c
>> @@ -674,6 +674,11 @@ static void virtio_net_set_mrg_rx_bufs(VirtIONet *n, int mergeable_rx_bufs,
>>
>>      n->mergeable_rx_bufs = mergeable_rx_bufs;
>>
>> +    /*
>> +     * Note: when extending the vnet header, please make sure to
>> +     * change the vnet header copying logic in virtio_net_flush_tx()
>> +     * as well.
>> +     */
>>      if (version_1) {
>>          n->guest_hdr_len = hash_report ?
>>              sizeof(struct virtio_net_hdr_v1_hash) :
>> @@ -2693,7 +2698,7 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q)
>>          ssize_t ret;
>>          unsigned int out_num;
>>          struct iovec sg[VIRTQUEUE_MAX_SIZE], sg2[VIRTQUEUE_MAX_SIZE + 1], *out_sg;
>> -        struct virtio_net_hdr_mrg_rxbuf mhdr;
>> +        struct virtio_net_hdr_v1_hash vhdr;
>>
>>          elem = virtqueue_pop(q->tx_vq, sizeof(VirtQueueElement));
>>          if (!elem) {
>> @@ -2710,7 +2715,7 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q)
>>          }
>>
>>          if (n->has_vnet_hdr) {
>> -            if (iov_to_buf(out_sg, out_num, 0, &mhdr, n->guest_hdr_len) <
>> +            if (iov_to_buf(out_sg, out_num, 0, &vhdr, n->guest_hdr_len) <
>>                  n->guest_hdr_len) {
>>                  virtio_error(vdev, "virtio-net header incorrect");
>>                  virtqueue_detach_element(q->tx_vq, elem, 0);
>> @@ -2718,8 +2723,8 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q)
>>                  return -EINVAL;
>>              }
>>              if (n->needs_vnet_hdr_swap) {
>> -                virtio_net_hdr_swap(vdev, (void *) &mhdr);
>> -                sg2[0].iov_base = &mhdr;
>> +                virtio_net_hdr_swap(vdev, (void *) &vhdr);
>> +                sg2[0].iov_base = &vhdr;
>>                  sg2[0].iov_len = n->guest_hdr_len;
>>                  out_num = iov_copy(&sg2[1], ARRAY_SIZE(sg2) - 1,
>>                                     out_sg, out_num,
>> --
>> 2.42.0
>>

-- 
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0

Patchew 2.1-devel-b67e4c2

© 2016 - 2024 Red Hat, Inc.