| Message ID | 20240102032901.3234-1-jasowang@redhat.com |
|---|---|
| State | New |
| Headers | show |
| Series | virtio-net: correctly copy vnet header when flushing TX | expand |
I agree, thank you. Where is this CVE-2023-6693 available? Thanks, Yuri On Tue, Jan 2, 2024 at 5:29 AM Jason Wang <jasowang@redhat.com> wrote: > When HASH_REPORT is negotiated, the guest_hdr_len might be larger than > the size of the mergeable rx buffer header. Using > virtio_net_hdr_mrg_rxbuf during the header swap might lead a stack > overflow in this case. Fixing this by using virtio_net_hdr_v1_hash > instead. > > Reported-by: Xiao Lei <leixiao.nop@zju.edu.cn> > Cc: Yuri Benditovich <yuri.benditovich@daynix.com> > Cc: qemu-stable@nongnu.org > Cc: Mauro Matteo Cascella <mcascell@redhat.com> > Fixes: CVE-2023-6693 > Fixes: e22f0603fb2f ("virtio-net: reference implementation of hash report") > Signed-off-by: Jason Wang <jasowang@redhat.com> > --- > hw/net/virtio-net.c | 13 +++++++++---- > 1 file changed, 9 insertions(+), 4 deletions(-) > > diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c > index 80c56f0cfc..73024babd4 100644 > --- a/hw/net/virtio-net.c > +++ b/hw/net/virtio-net.c > @@ -674,6 +674,11 @@ static void virtio_net_set_mrg_rx_bufs(VirtIONet *n, > int mergeable_rx_bufs, > > n->mergeable_rx_bufs = mergeable_rx_bufs; > > + /* > + * Note: when extending the vnet header, please make sure to > + * change the vnet header copying logic in virtio_net_flush_tx() > + * as well. > + */ > if (version_1) { > n->guest_hdr_len = hash_report ? > sizeof(struct virtio_net_hdr_v1_hash) : > @@ -2693,7 +2698,7 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q) > ssize_t ret; > unsigned int out_num; > struct iovec sg[VIRTQUEUE_MAX_SIZE], sg2[VIRTQUEUE_MAX_SIZE + 1], > *out_sg; > - struct virtio_net_hdr_mrg_rxbuf mhdr; > + struct virtio_net_hdr_v1_hash vhdr; > > elem = virtqueue_pop(q->tx_vq, sizeof(VirtQueueElement)); > if (!elem) { > @@ -2710,7 +2715,7 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q) > } > > if (n->has_vnet_hdr) { > - if (iov_to_buf(out_sg, out_num, 0, &mhdr, n->guest_hdr_len) < > + if (iov_to_buf(out_sg, out_num, 0, &vhdr, n->guest_hdr_len) < > n->guest_hdr_len) { > virtio_error(vdev, "virtio-net header incorrect"); > virtqueue_detach_element(q->tx_vq, elem, 0); > @@ -2718,8 +2723,8 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q) > return -EINVAL; > } > if (n->needs_vnet_hdr_swap) { > - virtio_net_hdr_swap(vdev, (void *) &mhdr); > - sg2[0].iov_base = &mhdr; > + virtio_net_hdr_swap(vdev, (void *) &vhdr); > + sg2[0].iov_base = &vhdr; > sg2[0].iov_len = n->guest_hdr_len; > out_num = iov_copy(&sg2[1], ARRAY_SIZE(sg2) - 1, > out_sg, out_num, > -- > 2.42.0 > >
On Tue, Jan 2, 2024 at 12:20 PM Yuri Benditovich <yuri.benditovich@daynix.com> wrote: > > I agree, thank you. > > Where is this CVE-2023-6693 available? Here: https://bugzilla.redhat.com/show_bug.cgi?id=2254580. > Thanks, > Yuri > > On Tue, Jan 2, 2024 at 5:29 AM Jason Wang <jasowang@redhat.com> wrote: >> >> When HASH_REPORT is negotiated, the guest_hdr_len might be larger than >> the size of the mergeable rx buffer header. Using >> virtio_net_hdr_mrg_rxbuf during the header swap might lead a stack >> overflow in this case. Fixing this by using virtio_net_hdr_v1_hash >> instead. >> >> Reported-by: Xiao Lei <leixiao.nop@zju.edu.cn> >> Cc: Yuri Benditovich <yuri.benditovich@daynix.com> >> Cc: qemu-stable@nongnu.org >> Cc: Mauro Matteo Cascella <mcascell@redhat.com> >> Fixes: CVE-2023-6693 >> Fixes: e22f0603fb2f ("virtio-net: reference implementation of hash report") >> Signed-off-by: Jason Wang <jasowang@redhat.com> >> --- >> hw/net/virtio-net.c | 13 +++++++++---- >> 1 file changed, 9 insertions(+), 4 deletions(-) >> >> diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c >> index 80c56f0cfc..73024babd4 100644 >> --- a/hw/net/virtio-net.c >> +++ b/hw/net/virtio-net.c >> @@ -674,6 +674,11 @@ static void virtio_net_set_mrg_rx_bufs(VirtIONet *n, int mergeable_rx_bufs, >> >> n->mergeable_rx_bufs = mergeable_rx_bufs; >> >> + /* >> + * Note: when extending the vnet header, please make sure to >> + * change the vnet header copying logic in virtio_net_flush_tx() >> + * as well. >> + */ >> if (version_1) { >> n->guest_hdr_len = hash_report ? >> sizeof(struct virtio_net_hdr_v1_hash) : >> @@ -2693,7 +2698,7 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q) >> ssize_t ret; >> unsigned int out_num; >> struct iovec sg[VIRTQUEUE_MAX_SIZE], sg2[VIRTQUEUE_MAX_SIZE + 1], *out_sg; >> - struct virtio_net_hdr_mrg_rxbuf mhdr; >> + struct virtio_net_hdr_v1_hash vhdr; >> >> elem = virtqueue_pop(q->tx_vq, sizeof(VirtQueueElement)); >> if (!elem) { >> @@ -2710,7 +2715,7 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q) >> } >> >> if (n->has_vnet_hdr) { >> - if (iov_to_buf(out_sg, out_num, 0, &mhdr, n->guest_hdr_len) < >> + if (iov_to_buf(out_sg, out_num, 0, &vhdr, n->guest_hdr_len) < >> n->guest_hdr_len) { >> virtio_error(vdev, "virtio-net header incorrect"); >> virtqueue_detach_element(q->tx_vq, elem, 0); >> @@ -2718,8 +2723,8 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q) >> return -EINVAL; >> } >> if (n->needs_vnet_hdr_swap) { >> - virtio_net_hdr_swap(vdev, (void *) &mhdr); >> - sg2[0].iov_base = &mhdr; >> + virtio_net_hdr_swap(vdev, (void *) &vhdr); >> + sg2[0].iov_base = &vhdr; >> sg2[0].iov_len = n->guest_hdr_len; >> out_num = iov_copy(&sg2[1], ARRAY_SIZE(sg2) - 1, >> out_sg, out_num, >> -- >> 2.42.0 >>
On Tue, Jan 2, 2024 at 11:29 AM Jason Wang <jasowang@redhat.com> wrote: > > When HASH_REPORT is negotiated, the guest_hdr_len might be larger than > the size of the mergeable rx buffer header. Using > virtio_net_hdr_mrg_rxbuf during the header swap might lead a stack > overflow in this case. Fixing this by using virtio_net_hdr_v1_hash > instead. > > Reported-by: Xiao Lei <leixiao.nop@zju.edu.cn> > Cc: Yuri Benditovich <yuri.benditovich@daynix.com> > Cc: qemu-stable@nongnu.org > Cc: Mauro Matteo Cascella <mcascell@redhat.com> > Fixes: CVE-2023-6693 > Fixes: e22f0603fb2f ("virtio-net: reference implementation of hash report") > Signed-off-by: Jason Wang <jasowang@redhat.com> Queued. Thanks
02.01.2024 06:29, Jason Wang : > When HASH_REPORT is negotiated, the guest_hdr_len might be larger than > the size of the mergeable rx buffer header. Using > virtio_net_hdr_mrg_rxbuf during the header swap might lead a stack > overflow in this case. Fixing this by using virtio_net_hdr_v1_hash > instead. > > Reported-by: Xiao Lei <leixiao.nop@zju.edu.cn> > Cc: Yuri Benditovich <yuri.benditovich@daynix.com> > Cc: qemu-stable@nongnu.org > Cc: Mauro Matteo Cascella <mcascell@redhat.com> > Fixes: CVE-2023-6693 > Fixes: e22f0603fb2f ("virtio-net: reference implementation of hash report") > Signed-off-by: Jason Wang <jasowang@redhat.com> Hi! Can we get this to master before Jan-27 please, so it's included in 8.2.1? Thanks! /mjt
02.01.2024 06:29, Jason Wang : > When HASH_REPORT is negotiated, the guest_hdr_len might be larger than > the size of the mergeable rx buffer header. Using > virtio_net_hdr_mrg_rxbuf during the header swap might lead a stack > overflow in this case. Fixing this by using virtio_net_hdr_v1_hash > instead. > > Reported-by: Xiao Lei <leixiao.nop@zju.edu.cn> > Cc: Yuri Benditovich <yuri.benditovich@daynix.com> > Cc: qemu-stable@nongnu.org > Cc: Mauro Matteo Cascella <mcascell@redhat.com> > Fixes: CVE-2023-6693 > Fixes: e22f0603fb2f ("virtio-net: reference implementation of hash report") > Signed-off-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> /mjt
On Sat, Jan 20, 2024 at 6:42 PM Michael Tokarev <mjt@tls.msk.ru> wrote: > > 02.01.2024 06:29, Jason Wang : > > When HASH_REPORT is negotiated, the guest_hdr_len might be larger than > > the size of the mergeable rx buffer header. Using > > virtio_net_hdr_mrg_rxbuf during the header swap might lead a stack > > overflow in this case. Fixing this by using virtio_net_hdr_v1_hash > > instead. > > > > Reported-by: Xiao Lei <leixiao.nop@zju.edu.cn> > > Cc: Yuri Benditovich <yuri.benditovich@daynix.com> > > Cc: qemu-stable@nongnu.org > > Cc: Mauro Matteo Cascella <mcascell@redhat.com> > > Fixes: CVE-2023-6693 > > Fixes: e22f0603fb2f ("virtio-net: reference implementation of hash report") > > Signed-off-by: Jason Wang <jasowang@redhat.com> > > Hi! Can we get this to master before Jan-27 please, so it's included in 8.2.1? I think it will be. Thanks > > Thanks! > > /mjt >
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c index 80c56f0cfc..73024babd4 100644 --- a/hw/net/virtio-net.c +++ b/hw/net/virtio-net.c @@ -674,6 +674,11 @@ static void virtio_net_set_mrg_rx_bufs(VirtIONet *n, int mergeable_rx_bufs, n->mergeable_rx_bufs = mergeable_rx_bufs; + /* + * Note: when extending the vnet header, please make sure to + * change the vnet header copying logic in virtio_net_flush_tx() + * as well. + */ if (version_1) { n->guest_hdr_len = hash_report ? sizeof(struct virtio_net_hdr_v1_hash) : @@ -2693,7 +2698,7 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q) ssize_t ret; unsigned int out_num; struct iovec sg[VIRTQUEUE_MAX_SIZE], sg2[VIRTQUEUE_MAX_SIZE + 1], *out_sg; - struct virtio_net_hdr_mrg_rxbuf mhdr; + struct virtio_net_hdr_v1_hash vhdr; elem = virtqueue_pop(q->tx_vq, sizeof(VirtQueueElement)); if (!elem) { @@ -2710,7 +2715,7 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q) } if (n->has_vnet_hdr) { - if (iov_to_buf(out_sg, out_num, 0, &mhdr, n->guest_hdr_len) < + if (iov_to_buf(out_sg, out_num, 0, &vhdr, n->guest_hdr_len) < n->guest_hdr_len) { virtio_error(vdev, "virtio-net header incorrect"); virtqueue_detach_element(q->tx_vq, elem, 0); @@ -2718,8 +2723,8 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q) return -EINVAL; } if (n->needs_vnet_hdr_swap) { - virtio_net_hdr_swap(vdev, (void *) &mhdr); - sg2[0].iov_base = &mhdr; + virtio_net_hdr_swap(vdev, (void *) &vhdr); + sg2[0].iov_base = &vhdr; sg2[0].iov_len = n->guest_hdr_len; out_num = iov_copy(&sg2[1], ARRAY_SIZE(sg2) - 1, out_sg, out_num,
When HASH_REPORT is negotiated, the guest_hdr_len might be larger than the size of the mergeable rx buffer header. Using virtio_net_hdr_mrg_rxbuf during the header swap might lead a stack overflow in this case. Fixing this by using virtio_net_hdr_v1_hash instead. Reported-by: Xiao Lei <leixiao.nop@zju.edu.cn> Cc: Yuri Benditovich <yuri.benditovich@daynix.com> Cc: qemu-stable@nongnu.org Cc: Mauro Matteo Cascella <mcascell@redhat.com> Fixes: CVE-2023-6693 Fixes: e22f0603fb2f ("virtio-net: reference implementation of hash report") Signed-off-by: Jason Wang <jasowang@redhat.com> --- hw/net/virtio-net.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-)