From: Michael S. Tsirkin
Subject: Re: [Qemu-devel] [PATCH for-2.7 0/4] virtio-balloon: fix stats vq migration
Date: Tue, 16 Aug 2016 00:26:34 +0300

On Mon, Aug 15, 2016 at 09:51:21PM +0200, Gaudenz Steinlin wrote:
> Stefan Hajnoczi <address@hidden> writes:
> 
> > Gaudenz Steinlin <address@hidden> reported that virtqueue_pop() terminates
> > QEMU because the virtqueue size is exceeded following the CVE-2016-5403 fix.
> > I have been unable to reproduce this or understand the root cause by code
> > inspection.  Along the way I did discover a few bugs in virtio-balloon and
> > virtio code.
> >
> > Please see the individual patches for details.
> >
> > Gaudenz: If you can reproduce the bug you reported, please try again with
> > these patches applied.
> 
> As mentioned in the original thread I only tested on QEMU 2.0.0 so far.
> I tried to apply your patches to this version, but did not succeed. I
> could not apply the first patch in the series because the code changed
> too much and with only the others applied QEMU failed to compile. I gave
> up at that point.
> 
> Does it make sense at all to test these patches on 2.0.0? Ubuntu
> reverted the problematic fix in their latest package update for trusty,
> so my immediate problem is "solved". Is there a chance to get a fix for
> CVE-2016-5403 that works on QEMU 2.0.0 without breaking migrations?
> 
> Best regards and thanks to all for the effort so far,
> Gaudenz

You will have to debug the failure I'm afraid.
Most likely inuse is incremented in pop but not
decremented.

Maybe you need

commit 0cf33fb6b49a19de32859e2cdc6021334f448fb3
Author: Jason Wang <address@hidden>
Date:   Fri Sep 25 13:21:30 2015 +0800

    virtio-net: correctly drop truncated packets


It's hard to say.

-- 
MST
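The failure mode Michael describes (an "inuse" counter that pop() increments but that nothing decrements, until the size guard added for CVE-2016-5403 fires) is easy to model. The following is an added, simplified Python model written for this page; it is not QEMU code and does not reproduce the balloon stats-vq bug itself. The class, method and handler names, the ring size and the buffer count are all constructed for illustration; only the general accounting rule (pop increments `inuse`, push or discard decrements it, pop refuses once `inuse` reaches the ring size) mirrors the behaviour the thread discusses.

```python
"""Toy model of virtqueue 'inuse' accounting (constructed example, not QEMU code).

The guard in pop() mirrors the post-CVE-2016-5403 behaviour described in the
thread: once the number of outstanding elements reaches the ring size, a further
pop is treated as a device bug instead of being allowed to run past the ring.
"""


class VirtQueueError(Exception):
    """Raised where QEMU would report 'Virtqueue size exceeded' and exit."""


class VirtQueue:
    def __init__(self, num):
        self.num = num      # ring size (constructed value in the demo below)
        self.inuse = 0      # elements popped by the device and not yet returned
        self.avail = []     # buffers the guest has posted, in order
        self.used = []      # buffers returned to the guest with a length

    def guest_add_buf(self, buf):
        self.avail.append(buf)

    def pop(self):
        # Size guard: outstanding elements can never exceed the ring size, so
        # reaching it means the device leaked elements (pop without push/discard).
        if self.inuse >= self.num:
            raise VirtQueueError("Virtqueue size exceeded")
        if not self.avail:
            return None
        elem = self.avail.pop(0)
        self.inuse += 1
        return elem

    def push(self, elem, length):
        # Completing an element hands it back via the used ring: inuse goes down.
        assert self.inuse > 0, "push without a matching pop"
        self.inuse -= 1
        self.used.append((elem, length))

    def discard(self, elem):
        # Giving an element back unprocessed (the guest will re-offer it) must
        # also decrement inuse, otherwise the counter drifts upward.
        assert self.inuse > 0, "discard without a matching pop"
        self.inuse -= 1
        self.avail.insert(0, elem)


# Three device-side handlers. Each receives the queue and a popped element and
# returns False when the device wants to stop processing for now.

def leaky_handler(vq, elem):
    """Buggy: pops the element and simply forgets it. inuse only ever grows."""
    return True


def balanced_handler(vq, elem):
    """Correct: every popped element is completed with push()."""
    vq.push(elem, length=0)
    return True


def drop_handler(vq, elem):
    """Correct way to drop a buffer the device cannot consume right now:
    discard() it back to the guest (inuse decremented) and stop until refilled."""
    vq.discard(elem)
    return False


def drive(handler, num=4, n_buffers=10):
    """Guest posts n_buffers buffers on a ring of size num; the device handler
    processes them. Returns the final inuse count, or the guard's message if
    the size check fired."""
    vq = VirtQueue(num)
    for i in range(n_buffers):
        vq.guest_add_buf({"id": i})     # constructed sample buffers
    try:
        while True:
            elem = vq.pop()
            if elem is None:
                break
            if handler(vq, elem) is False:
                break
    except VirtQueueError as err:
        return str(err)
    return vq.inuse


if __name__ == "__main__":
    print("leaky:   ", drive(leaky_handler))      # guard fires on the 5th pop
    print("balanced:", drive(balanced_handler))   # 0: every pop was returned
    print("drop:    ", drive(drop_handler))       # 0: discard rebalanced inuse
```

Reading the three runs side by side shows why the guard fires on a device that "only" drops buffers: nothing is corrupted, but the counter the size check trusts is no longer in step with what the guest sees, which is the kind of imbalance the thread suggests looking for when debugging the report.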