yeahuh / rpms / qemu-kvm

Forked from rpms/qemu-kvm 2 years ago
Clone
ae23c9
From 3f33dce627f419cbc77a9f6406b3353077697740 Mon Sep 17 00:00:00 2001
ae23c9
From: Xiao Wang <jasowang@redhat.com>
ae23c9
Date: Fri, 11 Jan 2019 07:59:00 +0000
ae23c9
Subject: [PATCH 05/11] net: drop too large packet early
ae23c9
MIME-Version: 1.0
ae23c9
Content-Type: text/plain; charset=UTF-8
ae23c9
Content-Transfer-Encoding: 8bit
ae23c9
ae23c9
RH-Author: Xiao Wang <jasowang@redhat.com>
ae23c9
Message-id: <20190111075904.2030-6-jasowang@redhat.com>
ae23c9
Patchwork-id: 83979
ae23c9
O-Subject: [RHEL8 qemu-kvm PATCH 5/9] net: drop too large packet early
ae23c9
Bugzilla: 1636784
ae23c9
RH-Acked-by: Thomas Huth <thuth@redhat.com>
ae23c9
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
ae23c9
RH-Acked-by: Jens Freimann <jfreimann@redhat.com>
ae23c9
RH-Acked-by: Maxime Coquelin <maxime.coquelin@redhat.com>
ae23c9
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
ae23c9
ae23c9
We try to detect and drop too large packet (>INT_MAX) in 1592a9947036
ae23c9
("net: ignore packet size greater than INT_MAX") during packet
ae23c9
delivering. Unfortunately, this is not sufficient as we may hit
ae23c9
another integer overflow when trying to queue such large packet in
ae23c9
qemu_net_queue_append_iov():
ae23c9
ae23c9
- size of the allocation may overflow on 32bit
ae23c9
- packet->size is integer which may overflow even on 64bit
ae23c9
ae23c9
Fixing this by moving the check to qemu_sendv_packet_async() which is
ae23c9
the entrance of all networking codes and reduce the limit to
ae23c9
NET_BUFSIZE to be more conservative. This works since:
ae23c9
ae23c9
- For the callers that call qemu_sendv_packet_async() directly, they
ae23c9
  only care about if zero is returned to determine whether to prevent
ae23c9
  the source from producing more packets. A callback will be triggered
ae23c9
  if peer can accept more then source could be enabled. This is
ae23c9
  usually used by high speed networking implementation like virtio-net
ae23c9
  or netmap.
ae23c9
- For the callers that call qemu_sendv_packet() that calls
ae23c9
  qemu_sendv_packet_async() indirectly, they often ignore the return
ae23c9
  value. In this case qemu will just the drop packets if peer can't
ae23c9
  receive.
ae23c9
ae23c9
Qemu will copy the packet if it was queued. So it was safe for both
ae23c9
kinds of the callers to assume the packet was sent.
ae23c9
ae23c9
Since we move the check from qemu_deliver_packet_iov() to
ae23c9
qemu_sendv_packet_async(), it would be safer to make
ae23c9
qemu_deliver_packet_iov() static to prevent any external user in the
ae23c9
future.
ae23c9
ae23c9
This is a revised patch of CVE-2018-17963.
ae23c9
ae23c9
Cc: qemu-stable@nongnu.org
ae23c9
Cc: Li Qiang <liq3ea@163.com>
ae23c9
Fixes: 1592a9947036 ("net: ignore packet size greater than INT_MAX")
ae23c9
Reported-by: Li Qiang <liq3ea@gmail.com>
ae23c9
Reviewed-by: Li Qiang <liq3ea@gmail.com>
ae23c9
Signed-off-by: Jason Wang <jasowang@redhat.com>
ae23c9
Reviewed-by: Thomas Huth <thuth@redhat.com>
ae23c9
Message-id: 20181204035347.6148-2-jasowang@redhat.com
ae23c9
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
ae23c9
(cherry picked from commit 25c01bd19d0e4b66f357618aeefda1ef7a41e21a)
ae23c9
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
ae23c9
---
ae23c9
 include/net/net.h |  6 ------
ae23c9
 net/net.c         | 28 +++++++++++++++++-----------
ae23c9
 2 files changed, 17 insertions(+), 17 deletions(-)
ae23c9
ae23c9
diff --git a/include/net/net.h b/include/net/net.h
ae23c9
index 1f7341e..df4df25 100644
ae23c9
--- a/include/net/net.h
ae23c9
+++ b/include/net/net.h
ae23c9
@@ -170,12 +170,6 @@ void qemu_check_nic_model(NICInfo *nd, const char *model);
ae23c9
 int qemu_find_nic_model(NICInfo *nd, const char * const *models,
ae23c9
                         const char *default_model);
ae23c9
 
ae23c9
-ssize_t qemu_deliver_packet_iov(NetClientState *sender,
ae23c9
-                            unsigned flags,
ae23c9
-                            const struct iovec *iov,
ae23c9
-                            int iovcnt,
ae23c9
-                            void *opaque);
ae23c9
-
ae23c9
 void print_net_client(Monitor *mon, NetClientState *nc);
ae23c9
 void hmp_info_network(Monitor *mon, const QDict *qdict);
ae23c9
 void net_socket_rs_init(SocketReadState *rs,
ae23c9
diff --git a/net/net.c b/net/net.c
ae23c9
index c991243..6e5c335 100644
ae23c9
--- a/net/net.c
ae23c9
+++ b/net/net.c
ae23c9
@@ -231,6 +231,11 @@ static void qemu_net_client_destructor(NetClientState *nc)
ae23c9
 {
ae23c9
     g_free(nc);
ae23c9
 }
ae23c9
+static ssize_t qemu_deliver_packet_iov(NetClientState *sender,
ae23c9
+                                       unsigned flags,
ae23c9
+                                       const struct iovec *iov,
ae23c9
+                                       int iovcnt,
ae23c9
+                                       void *opaque);
ae23c9
 
ae23c9
 static void qemu_net_client_setup(NetClientState *nc,
ae23c9
                                   NetClientInfo *info,
ae23c9
@@ -705,22 +710,18 @@ static ssize_t nc_sendv_compat(NetClientState *nc, const struct iovec *iov,
ae23c9
     return ret;
ae23c9
 }
ae23c9
 
ae23c9
-ssize_t qemu_deliver_packet_iov(NetClientState *sender,
ae23c9
-                                unsigned flags,
ae23c9
-                                const struct iovec *iov,
ae23c9
-                                int iovcnt,
ae23c9
-                                void *opaque)
ae23c9
+static ssize_t qemu_deliver_packet_iov(NetClientState *sender,
ae23c9
+                                       unsigned flags,
ae23c9
+                                       const struct iovec *iov,
ae23c9
+                                       int iovcnt,
ae23c9
+                                       void *opaque)
ae23c9
 {
ae23c9
     NetClientState *nc = opaque;
ae23c9
-    size_t size = iov_size(iov, iovcnt);
ae23c9
     int ret;
ae23c9
 
ae23c9
-    if (size > INT_MAX) {
ae23c9
-        return size;
ae23c9
-    }
ae23c9
 
ae23c9
     if (nc->link_down) {
ae23c9
-        return size;
ae23c9
+        return iov_size(iov, iovcnt);
ae23c9
     }
ae23c9
 
ae23c9
     if (nc->receive_disabled) {
ae23c9
@@ -745,10 +746,15 @@ ssize_t qemu_sendv_packet_async(NetClientState *sender,
ae23c9
                                 NetPacketSent *sent_cb)
ae23c9
 {
ae23c9
     NetQueue *queue;
ae23c9
+    size_t size = iov_size(iov, iovcnt);
ae23c9
     int ret;
ae23c9
 
ae23c9
+    if (size > NET_BUFSIZE) {
ae23c9
+        return size;
ae23c9
+    }
ae23c9
+
ae23c9
     if (sender->link_down || !sender->peer) {
ae23c9
-        return iov_size(iov, iovcnt);
ae23c9
+        return size;
ae23c9
     }
ae23c9
 
ae23c9
     /* Let filters handle the packet first */
ae23c9
-- 
ae23c9
1.8.3.1
ae23c9