* [pve-devel] [PATCH pve-qemu] patch for possible DOS in qemu network packet processing
@ 2020-08-10 12:32 Oguz Bektas
2020-08-11 9:30 ` [pve-devel] applied: " Fabian Grünbichler
0 siblings, 1 reply; 2+ messages in thread
From: Oguz Bektas @ 2020-08-10 12:32 UTC (permalink / raw)
To: pve-devel
fixes an assertion failure in qemu network packet processing, which can
lead to DOS'ing the qemu process on the host. this affects 'e1000e' and
'vmxnet3' network devices.
patch is cherry-picked from the commit mentioned in the oss-security email.
more info on oss-security [0]
[0]: https://www.openwall.com/lists/oss-security/2020/08/10/1
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
---
...t-fix-assertion-failure-in-net_tx_pk.patch | 42 +++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 43 insertions(+)
create mode 100644 debian/patches/extra/0002-hw-net-net_tx_pkt-fix-assertion-failure-in-net_tx_pk.patch
diff --git a/debian/patches/extra/0002-hw-net-net_tx_pkt-fix-assertion-failure-in-net_tx_pk.patch b/debian/patches/extra/0002-hw-net-net_tx_pkt-fix-assertion-failure-in-net_tx_pk.patch
new file mode 100644
index 0000000..1b4b2c4
--- /dev/null
+++ b/debian/patches/extra/0002-hw-net-net_tx_pkt-fix-assertion-failure-in-net_tx_pk.patch
@@ -0,0 +1,42 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Sat, 1 Aug 2020 18:42:38 +0200
+Subject: [PATCH] hw/net/net_tx_pkt: fix assertion failure in
+ net_tx_pkt_add_raw_fragment()
+
+An assertion failure issue was found in the code that processes network packets
+while adding data fragments into the packet context. It could be abused by a
+malicious guest to abort the QEMU process on the host. This patch replaces the
+affected assert() with a conditional statement, returning false if the current
+data fragment exceeds max_raw_frags.
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Ziming Zhang <ezrakiez@gmail.com>
+Reviewed-by: Dmitry Fleytman <dmitry.fleytman@gmail.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 035e69b063835a5fd23cacabd63690a3d84532a8)
+Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
+---
+ hw/net/net_tx_pkt.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
+index 162f802dd7..54d4c3bbd0 100644
+--- a/hw/net/net_tx_pkt.c
++++ b/hw/net/net_tx_pkt.c
+@@ -379,7 +379,10 @@ bool net_tx_pkt_add_raw_fragment(struct NetTxPkt *pkt, hwaddr pa,
+ hwaddr mapped_len = 0;
+ struct iovec *ventry;
+ assert(pkt);
+- assert(pkt->max_raw_frags > pkt->raw_frags);
++
++ if (pkt->raw_frags >= pkt->max_raw_frags) {
++ return false;
++ }
+
+ if (!len) {
+ return true;
+--
+2.20.1
+
diff --git a/debian/patches/series b/debian/patches/series
index 00d2c7d..531c5b9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,4 +1,5 @@
extra/0001-hw-vfio-pci-quirks-Fix-broken-legacy-IGD-passthrough.patch
+extra/0002-hw-net-net_tx_pkt-fix-assertion-failure-in-net_tx_pk.patch
pve/0001-PVE-Config-block-file-change-locking-default-to-off.patch
pve/0002-PVE-Config-Adjust-network-script-path-to-etc-kvm.patch
pve/0003-PVE-Config-set-the-CPU-model-to-kvm64-32-instead-of-.patch
--
2.20.1
^ permalink raw reply [flat|nested] 2+ messages in thread
* [pve-devel] applied: [PATCH pve-qemu] patch for possible DOS in qemu network packet processing
2020-08-10 12:32 [pve-devel] [PATCH pve-qemu] patch for possible DOS in qemu network packet processing Oguz Bektas
@ 2020-08-11 9:30 ` Fabian Grünbichler
0 siblings, 0 replies; 2+ messages in thread
From: Fabian Grünbichler @ 2020-08-11 9:30 UTC (permalink / raw)
To: Proxmox VE development discussion
On August 10, 2020 2:32 pm, Oguz Bektas wrote:
> fixes an assertion failure in qemu network packet processing, which can
> lead to DOS'ing the qemu process on the host. this affects 'e1000e' and
> 'vmxnet3' network devices.
>
> patch is cherry-picked from the commit mentioned in the oss-security email.
>
> more info on oss-security [0]
>
> [0]: https://www.openwall.com/lists/oss-security/2020/08/10/1
>
> Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
> ---
> ...t-fix-assertion-failure-in-net_tx_pk.patch | 42 +++++++++++++++++++
> debian/patches/series | 1 +
> 2 files changed, 43 insertions(+)
> create mode 100644 debian/patches/extra/0002-hw-net-net_tx_pkt-fix-assertion-failure-in-net_tx_pk.patch
>
> diff --git a/debian/patches/extra/0002-hw-net-net_tx_pkt-fix-assertion-failure-in-net_tx_pk.patch b/debian/patches/extra/0002-hw-net-net_tx_pkt-fix-assertion-failure-in-net_tx_pk.patch
> new file mode 100644
> index 0000000..1b4b2c4
> --- /dev/null
> +++ b/debian/patches/extra/0002-hw-net-net_tx_pkt-fix-assertion-failure-in-net_tx_pk.patch
> @@ -0,0 +1,42 @@
> +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
> +From: Mauro Matteo Cascella <mcascell@redhat.com>
> +Date: Sat, 1 Aug 2020 18:42:38 +0200
> +Subject: [PATCH] hw/net/net_tx_pkt: fix assertion failure in
> + net_tx_pkt_add_raw_fragment()
> +
> +An assertion failure issue was found in the code that processes network packets
> +while adding data fragments into the packet context. It could be abused by a
> +malicious guest to abort the QEMU process on the host. This patch replaces the
> +affected assert() with a conditional statement, returning false if the current
> +data fragment exceeds max_raw_frags.
> +
> +Reported-by: Alexander Bulekov <alxndr@bu.edu>
> +Reported-by: Ziming Zhang <ezrakiez@gmail.com>
> +Reviewed-by: Dmitry Fleytman <dmitry.fleytman@gmail.com>
> +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
> +Signed-off-by: Jason Wang <jasowang@redhat.com>
> +(cherry picked from commit 035e69b063835a5fd23cacabd63690a3d84532a8)
> +Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
> +---
> + hw/net/net_tx_pkt.c | 5 ++++-
> + 1 file changed, 4 insertions(+), 1 deletion(-)
> +
> +diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
> +index 162f802dd7..54d4c3bbd0 100644
> +--- a/hw/net/net_tx_pkt.c
> ++++ b/hw/net/net_tx_pkt.c
> +@@ -379,7 +379,10 @@ bool net_tx_pkt_add_raw_fragment(struct NetTxPkt *pkt, hwaddr pa,
> + hwaddr mapped_len = 0;
> + struct iovec *ventry;
> + assert(pkt);
> +- assert(pkt->max_raw_frags > pkt->raw_frags);
> ++
> ++ if (pkt->raw_frags >= pkt->max_raw_frags) {
> ++ return false;
> ++ }
> +
> + if (!len) {
> + return true;
> +--
> +2.20.1
> +
> diff --git a/debian/patches/series b/debian/patches/series
> index 00d2c7d..531c5b9 100644
> --- a/debian/patches/series
> +++ b/debian/patches/series
> @@ -1,4 +1,5 @@
> extra/0001-hw-vfio-pci-quirks-Fix-broken-legacy-IGD-passthrough.patch
> +extra/0002-hw-net-net_tx_pkt-fix-assertion-failure-in-net_tx_pk.patch
> pve/0001-PVE-Config-block-file-change-locking-default-to-off.patch
> pve/0002-PVE-Config-Adjust-network-script-path-to-etc-kvm.patch
> pve/0003-PVE-Config-set-the-CPU-model-to-kvm64-32-instead-of-.patch
> --
> 2.20.1
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
>
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-08-11 9:30 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-08-10 12:32 [pve-devel] [PATCH pve-qemu] patch for possible DOS in qemu network packet processing Oguz Bektas
2020-08-11 9:30 ` [pve-devel] applied: " Fabian Grünbichler
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox