Re: [PATCH] virtio-net: correctly copy vnet header when flushing TX

Yuri Benditovich Tue, 02 Jan 2024 03:20:46 -0800

I agree, thank you.

Where is this CVE-2023-6693 available?


Thanks,
Yuri

On Tue, Jan 2, 2024 at 5:29 AM Jason Wang <jasow...@redhat.com> wrote:

> When HASH_REPORT is negotiated, the guest_hdr_len might be larger than
> the size of the mergeable rx buffer header. Using
> virtio_net_hdr_mrg_rxbuf during the header swap might lead a stack
> overflow in this case. Fixing this by using virtio_net_hdr_v1_hash
> instead.
>
> Reported-by: Xiao Lei <leixiao....@zju.edu.cn>
> Cc: Yuri Benditovich <yuri.benditov...@daynix.com>
> Cc: qemu-sta...@nongnu.org
> Cc: Mauro Matteo Cascella <mcasc...@redhat.com>
> Fixes: CVE-2023-6693
> Fixes: e22f0603fb2f ("virtio-net: reference implementation of hash report")
> Signed-off-by: Jason Wang <jasow...@redhat.com>
> ---
>  hw/net/virtio-net.c | 13 +++++++++----
>  1 file changed, 9 insertions(+), 4 deletions(-)
>
> diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
> index 80c56f0cfc..73024babd4 100644
> --- a/hw/net/virtio-net.c
> +++ b/hw/net/virtio-net.c
> @@ -674,6 +674,11 @@ static void virtio_net_set_mrg_rx_bufs(VirtIONet *n,
> int mergeable_rx_bufs,
>
>      n->mergeable_rx_bufs = mergeable_rx_bufs;
>
> +    /*
> +     * Note: when extending the vnet header, please make sure to
> +     * change the vnet header copying logic in virtio_net_flush_tx()
> +     * as well.
> +     */
>      if (version_1) {
>          n->guest_hdr_len = hash_report ?
>              sizeof(struct virtio_net_hdr_v1_hash) :
> @@ -2693,7 +2698,7 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q)
>          ssize_t ret;
>          unsigned int out_num;
>          struct iovec sg[VIRTQUEUE_MAX_SIZE], sg2[VIRTQUEUE_MAX_SIZE + 1],
> *out_sg;
> -        struct virtio_net_hdr_mrg_rxbuf mhdr;
> +        struct virtio_net_hdr_v1_hash vhdr;
>
>          elem = virtqueue_pop(q->tx_vq, sizeof(VirtQueueElement));
>          if (!elem) {
> @@ -2710,7 +2715,7 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q)
>          }
>
>          if (n->has_vnet_hdr) {
> -            if (iov_to_buf(out_sg, out_num, 0, &mhdr, n->guest_hdr_len) <
> +            if (iov_to_buf(out_sg, out_num, 0, &vhdr, n->guest_hdr_len) <
>                  n->guest_hdr_len) {
>                  virtio_error(vdev, "virtio-net header incorrect");
>                  virtqueue_detach_element(q->tx_vq, elem, 0);
> @@ -2718,8 +2723,8 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q)
>                  return -EINVAL;
>              }
>              if (n->needs_vnet_hdr_swap) {
> -                virtio_net_hdr_swap(vdev, (void *) &mhdr);
> -                sg2[0].iov_base = &mhdr;
> +                virtio_net_hdr_swap(vdev, (void *) &vhdr);
> +                sg2[0].iov_base = &vhdr;
>                  sg2[0].iov_len = n->guest_hdr_len;
>                  out_num = iov_copy(&sg2[1], ARRAY_SIZE(sg2) - 1,
>                                     out_sg, out_num,
> --
> 2.42.0
>
>

Re: [PATCH] virtio-net: correctly copy vnet header when flushing TX

Reply via email to