On Tue, Mar 08, 2022 at 01:56:42PM +0800, Jason Wang wrote:
> Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
> tries to fix the use after free of the sg by caching the virtqueue
> elements in an array and unmap them at once after receiving the
> packets, but it forgot to unmap the cached elements on error which
> will lead to leaking of mapping and other unexpected results.
>
> Fixing this by detaching the cached elements on error. This addresses
> CVE-2022-26353.
Pls use a tag: Fixes: CVE-2022-26353 Besides that Reviewed-by: Michael S. Tsirkin <m...@redhat.com> Feel free to merge. > Reported-by: Victor Tom <vv474172...@gmail.com> > Cc: qemu-sta...@nongnu.org > Fixes: bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg") > Signed-off-by: Jason Wang <jasow...@redhat.com> > --- > hw/net/virtio-net.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c > index cf8ab0f8af..65b61c836c 100644 > --- a/hw/net/virtio-net.c > +++ b/hw/net/virtio-net.c > @@ -1867,6 +1867,7 @@ static ssize_t virtio_net_receive_rcu(NetClientState > *nc, const uint8_t *buf, > > err: > for (j = 0; j < i; j++) { > + virtqueue_detach_element(q->rx_vq, elems[j], lens[j]); > g_free(elems[j]); > } > > -- > 2.25.1
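Review bot: The added virtqueue_detach_element() call is correctly placed before g_free(elems[j]) in the err: loop, so each cached element's mapping is released while elems[j] is still valid; what the hunk alone cannot show is that elems[j] and lens[j] are both stored before i is advanced on every path that reaches err:, which is what makes lens[j] a valid length for the detach of every index the loop visits, so that ordering is worth confirming in the surrounding receive loop. A one-line comment above the loop stating that elements popped but not yet flushed must be detached as well as freed would make the pairing obvious to the next reader, and the commit message could carry the "Fixes: CVE-2022-26353" tag requested in the reply so the CVE is tracked in git history.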