On Wed, May 13, 2026 at 09:42:59AM +0300, Michael Tokarev wrote:
> On 24.03.2026 09:01, Junjie Cao wrote:
> > virtio_net_handle_rss() enforces that indirections_len is a non-zero
> > power of two no larger than VIRTIO_NET_RSS_MAX_TABLE_LEN, but
> > virtio_net_rss_post_load() applies none of these checks to values
> > restored from the migration stream.
> > 
> > A corrupted save file or crafted migration stream can set
> > indirections_len to 0.  Even if it also clears redirect,
> > virtio_load() calls set_features_nocheck() after the device vmstate
> > (including the RSS subsection and its post_load) has already been
> > loaded, re-deriving redirect from the negotiated guest features.
> > When VIRTIO_NET_F_RSS was negotiated, redirect is set back to true
> > regardless of the migration stream value.  The receive path then
> > computes
> > 
> >      hash & (indirections_len - 1)   /* wraps to 0xFFFFFFFF via int promotion */
> > 
> > and uses the result to index into indirections_table, which was not
> > allocated by the VMState loader when the element count is zero (see
> > vmstate_handle_alloc()), resulting in a NULL pointer dereference that
> > crashes QEMU:
> > 
> >    #0  virtio_net_process_rss    ../hw/net/virtio-net.c:1901
> >    #1  virtio_net_receive_rcu    ../hw/net/virtio-net.c:1921
> >    #2  virtio_net_do_receive     ../hw/net/virtio-net.c:2061
> >    #3  nc_sendv_compat           ../net/net.c:823
> >    #4  qemu_deliver_packet_iov   ../net/net.c:870
> > 
> > The RSS subsection is only loaded when rss_data.enabled is true (via
> > virtio_net_rss_needed()), and the command path always produces
> > indirections_len in {1, 2, 4, …, 128}, so an unconditional check
> > cannot reject a legitimate migration stream.
> > 
> > Factor the validation into virtio_net_rss_indirections_len_valid()
> > and call it from both virtio_net_handle_rss() and
> > virtio_net_rss_post_load().
> > 
> > Fixes: e41b711485e5 ("virtio-net: add migration support for RSS and hash report")
> > Cc: [email protected]
> > Signed-off-by: Junjie Cao <[email protected]>
> 
> Hi!
> 
> Has this patch been forgotten, or is it not needed anymore?
> 
> I'm preparing the next set of the stable qemu releases; if it's needed,
> it would be nice if it lands in the master branch in the next 10
> days.
> 
> Thanks,
> 
> /mjt

I'll pick it now, thanks.
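A stand-alone model of the check the commit message above describes, added here as an example and not QEMU's code: the struct, the `rss_` function names and the return conventions are constructed for illustration; only VIRTIO_NET_RSS_MAX_TABLE_LEN, the uint16_t length field and the `hash & (indirections_len - 1)` expression come from the message.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the RSS state the message talks about (not QEMU's struct). */
#define VIRTIO_NET_RSS_MAX_TABLE_LEN 128

typedef struct {
    bool enabled;                 /* RSS subsection is only loaded when true */
    bool redirect;                /* re-derived from guest features after load */
    uint16_t indirections_len;    /* restored from the migration stream */
    uint16_t *indirections_table; /* left NULL by the loader when the count is 0 */
} RssData;

/* One validation shared by the control-command path and post_load:
 * non-zero, a power of two, and no larger than the maximum table length. */
bool rss_indirections_len_valid(uint16_t len)
{
    return len != 0 &&
           len <= VIRTIO_NET_RSS_MAX_TABLE_LEN &&
           (len & (len - 1)) == 0;
}

/* The mask the receive path applies to the hash. With len == 0 the
 * subtraction is done in int after integer promotion, yielding -1,
 * which converts to 0xFFFFFFFF instead of a small table index. */
uint32_t rss_index_mask(uint16_t len)
{
    return (uint32_t)(len - 1);
}

/* Model of the post_load hook: refuse a length the command path could never
 * have produced rather than trusting the stream. Returns 0 on success and
 * -1 to fail the load, mirroring the vmstate post_load convention. */
int rss_post_load(RssData *rss)
{
    if (!rss->enabled) {
        return 0;  /* subsection absent, nothing to validate */
    }
    if (!rss_indirections_len_valid(rss->indirections_len)) {
        return -1;
    }
    return 0;
}

/* Receive-path lookup guarded so the model never touches a NULL table;
 * with the post_load check above, a loaded device never reaches that guard. */
int rss_queue_for_hash(const RssData *rss, uint32_t hash, uint16_t *queue)
{
    if (!rss->redirect || rss->indirections_table == NULL) {
        return -1;
    }
    *queue = rss->indirections_table[hash & rss_index_mask(rss->indirections_len)];
    return 0;
}
```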

