Hi Mauro,

On 7/6/21 11:00 AM, Mauro Matteo Cascella wrote:
> Hello Philippe,
>
> I think you don't need root privileges to craft such a highly
> fragmented packet from within the guest (tools like hping3 or nmap
> come to mind). Right? If so, we may consider allocating a CVE for this
> bug. If not, this is not CVE worthy - root does not need an assertion
> failure to cause damage to the system.
Thanks for worrying about CVE. I have no clue, so I'll defer that question to Andrew, Dmitry and Jason. Regards, Phil. > On Mon, Jul 5, 2021 at 10:40 AM Philippe Mathieu-Daudé > <phi...@redhat.com> wrote: >> >> Our infrastructure can handle fragmented packets up to >> NET_MAX_FRAG_SG_LIST (64) pieces. This hard limit has >> been proven enough in production for years. If it is >> reached, it is likely an evil crafted packet. Discard it. >> >> Include the qtest reproducer provided by Alexander Bulekov: >> >> $ make check-qtest-i386 >> ... >> Running test qtest-i386/fuzz-vmxnet3-test >> qemu-system-i386: net/eth.c:334: void eth_setup_ip4_fragmentation(const >> void *, size_t, void *, size_t, size_t, size_t, _Bool): >> Assertion `frag_offset % IP_FRAG_UNIT_SIZE == 0' failed. >> >> Cc: qemu-sta...@nongnu.org >> Reported-by: OSS-Fuzz (Issue 35799) >> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/460 >> Signed-off-by: Philippe Mathieu-Daudé <phi...@redhat.com> >> --- >> hw/net/net_tx_pkt.c | 8 ++ >> tests/qtest/fuzz-vmxnet3-test.c | 195 ++++++++++++++++++++++++++++++++ >> MAINTAINERS | 1 + >> tests/qtest/meson.build | 1 + >> 4 files changed, 205 insertions(+) >> create mode 100644 tests/qtest/fuzz-vmxnet3-test.c >> >> diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c >> index 1f9aa59eca2..77e9729a7ba 100644 >> --- a/hw/net/net_tx_pkt.c >> +++ b/hw/net/net_tx_pkt.c >> @@ -590,6 +590,14 @@ static bool net_tx_pkt_do_sw_fragmentation(struct >> NetTxPkt *pkt, >> fragment_len = net_tx_pkt_fetch_fragment(pkt, &src_idx, &src_offset, >> fragment, &dst_idx); >> >> + if (dst_idx == NET_MAX_FRAG_SG_LIST && fragment_len > 0) { >> + /* >> + * The packet is too fragmented for our infrastructure >> + * (not enough iovec), don't even try to send. >> + */ >> + return false; >> + } >> + >> more_frags = (fragment_offset + fragment_len < pkt->payload_len); >> >> eth_setup_ip4_fragmentation(l2_iov_base, l2_iov_len, l3_iov_base,
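Review bot: the commit message does not explain how exhausting the NET_MAX_FRAG_SG_LIST iovec entries leads to the `frag_offset % IP_FRAG_UNIT_SIZE == 0` assertion in eth_setup_ip4_fragmentation(), so a reader of the hunk in net_tx_pkt_do_sw_fragmentation() cannot tell why checking `dst_idx == NET_MAX_FRAG_SG_LIST && fragment_len > 0` right after net_tx_pkt_fetch_fragment() is the right place to stop; one sentence tying the truncated fragment to the misaligned offset would make the fix reviewable on its own. The new `return false` also drops the guest's packet silently, and since the message treats this as a likely crafted packet, a trace point on this path (or a note on how the caller reports the false return) would let an operator notice a guest repeatedly hitting the limit instead of only seeing TX stall. Minor: "(not enough iovec)" in the comment reads better as "(not enough iovec entries)".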