hw/net/e1000e: Fix assertion failures in e1000e_write_payload_frag_to_rx_buffers()

[PATCH 0/3] hw/net/e1000e: Fix assertion failures in e1000e_write_payload_frag_to_rx_buffers()

Peter Maydell posted 3 patches 1 week, 5 days ago

Download series mbox

Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20251103175851.428816-1-peter.maydell@linaro.org

Maintainers: Dmitry Fleytman <dmitry.fleytman@gmail.com>, Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>, Jason Wang <jasowang@redhat.com>

hw/net/e1000e_core.c | 85 ++++++++++++++++++++++++++++++--------------
1 file changed, 59 insertions(+), 26 deletions(-)

Expand all Fold all

[PATCH 0/3] hw/net/e1000e: Fix assertion failures in e1000e_write_payload_frag_to_rx_buffers()

Posted by Peter Maydell 1 week, 5 days ago

This patchset fixes assertion failures in
e1000e_write_payload_frag_to_rx_buffers().  There turn out to be two
ways this assert could be triggered.

The first is the one reported in
https://gitlab.com/qemu-project/qemu/-/issues/537 where a malicious
guest could set up the device into loopback mode and then send a
carefully sized packet that trips a bug in the logic in
e1000e_write_packet_to_guest() that tries to calculate how much data
it is going to put into an RX descriptor, causing us to hit the
assertion.

The second is one I spotted by code inspection, where the assert is
slightly over-eager and could assert in one valid case of a just
exactly large enough packet.

Patch 1 fixes what I believe to be an incorrect-behaviour bug
for descriptors with NULL buffer addresses, largely because
that makes the following patch to fix the assertion less awkward.

thanks
-- PMM

Peter Maydell (3):
  hw/net/e1000e_core: Don't advance desc_offset for NULL buffer RX
    descriptors
  hw/net/e1000e_core: Correct rx oversize packet checks
  hw/net/e1000e_core: Adjust e1000e_write_payload_frag_to_rx_buffers()
    assert

 hw/net/e1000e_core.c | 85 ++++++++++++++++++++++++++++++--------------
 1 file changed, 59 insertions(+), 26 deletions(-)

-- 
2.43.0

Re: [PATCH 0/3] hw/net/e1000e: Fix assertion failures in e1000e_write_payload_frag_to_rx_buffers()

Posted by Akihiko Odaki 1 week, 3 days ago

On 2025/11/04 2:58, Peter Maydell wrote:
> This patchset fixes assertion failures in
> e1000e_write_payload_frag_to_rx_buffers().  There turn out to be two
> ways this assert could be triggered.
> 
> The first is the one reported in
> https://gitlab.com/qemu-project/qemu/-/issues/537 where a malicious
> guest could set up the device into loopback mode and then send a
> carefully sized packet that trips a bug in the logic in
> e1000e_write_packet_to_guest() that tries to calculate how much data
> it is going to put into an RX descriptor, causing us to hit the
> assertion.
> 
> The second is one I spotted by code inspection, where the assert is
> slightly over-eager and could assert in one valid case of a just
> exactly large enough packet.
> 
> Patch 1 fixes what I believe to be an incorrect-behaviour bug
> for descriptors with NULL buffer addresses, largely because
> that makes the following patch to fix the assertion less awkward.
> 
> thanks
> -- PMM
> 
> Peter Maydell (3):
>    hw/net/e1000e_core: Don't advance desc_offset for NULL buffer RX
>      descriptors
>    hw/net/e1000e_core: Correct rx oversize packet checks
>    hw/net/e1000e_core: Adjust e1000e_write_payload_frag_to_rx_buffers()
>      assert
> 
>   hw/net/e1000e_core.c | 85 ++++++++++++++++++++++++++++++--------------
>   1 file changed, 59 insertions(+), 26 deletions(-)
> 

For the whole series:

Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>