qemu-devel

Re: [PATCH 0/2] assertion failure in net_tx_pkt_add_raw_fragment() in hw


From: Alexander Bulekov
Subject: Re: [PATCH 0/2] assertion failure in net_tx_pkt_add_raw_fragment() in hw/net/net_tx_pkt.c
Date: Mon, 27 Jul 2020 13:29:29 -0400
User-agent: NeoMutt/20180716

I sent a reproducer for this to the list some time ago, but never created
a Launchpad bug...
https://www.mail-archive.com/qemu-devel@nongnu.org/msg701930.html

Anyways.. I can confirm that I can't reproduce the issue with these
patches.

Minimized Reproducer:
# Drives the machine over the qtest protocol on stdio. The first two
# outl/outw pairs go through the 0xcf8/0xcfc PCI config mechanism to the
# device at bus 0, slot 2, function 0 (the default e1000e NIC on this
# machine type): 0x80001010 selects BAR0, which is set to 0xe1020000, and
# 0x80001004 selects the PCI command register, where 0x7 turns on I/O
# space, memory space and bus mastering so MMIO and DMA are live. The
# remaining writes land in that BAR0 window and program the device with
# guest-controlled descriptors until the transmit path calls
# net_tx_pkt_add_raw_fragment() past its fragment limit.
cat << EOF | ./i386-softmmu/qemu-system-i386 -M pc-q35-5.0 -nographic \
    -display none -serial none -monitor none -qtest stdio
outl 0xcf8 0x80001010
outl 0xcfc 0xe1020000
outl 0xcf8 0x80001004
outw 0xcfc 0x7
write 0xe10207e8 0x4 0x25ff13ff
write 0xe10200b8 0x7 0xe3055e411b0202
write 0xe1020100 0x5 0x5e411b0202
write 0xe1020110 0x4 0x1b0202e1
write 0xe1020118 0x4 0x06fff105
write 0xe1020128 0x7 0xf3055e411b0202
write 0xe1020402 0x2 0x5e41
write 0xe1020420 0x4 0x1b0202e1
write 0xe1020428 0x4 0x06ff6105
write 0xe1020438 0x1 0x63
write 0xe1020439 0x1 0x05
EOF

-Alex

On 200727 1908, Mauro Matteo Cascella wrote:
> An assertion failure issue was reported by Mr. Ziming Zhang (CC'd).
> It occurs in the code that processes network packets while adding data
> fragments into packet context. This flaw could potentially be abused by
> a malicious guest to abort the QEMU process on the host. This two-patch
> series does a couple of things:
> 
> - introduces a new function in net_tx_pkt.{c,h} to check the maximum number
>   of data fragments
> - adds a check in both e1000e and vmxnet3 devices to skip the packet if the
>   current data fragment exceeds max_raw_frags, preventing
>   net_tx_pkt_add_raw_fragment() from being called with an invalid raw_frags
> 
> Mauro Matteo Cascella (2):
>   hw/net/net_tx_pkt: add function to check pkt->max_raw_frags
>   hw/net: check max_raw_frags in e1000e and vmxnet3 devices
> 
>  hw/net/e1000e_core.c | 3 ++-
>  hw/net/net_tx_pkt.c  | 5 +++++
>  hw/net/net_tx_pkt.h  | 8 ++++++++
>  hw/net/vmxnet3.c     | 3 ++-
>  4 files changed, 17 insertions(+), 2 deletions(-)
> 
> -- 
> 2.26.2
> 
> 
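The shape of the fix the cover letter describes, as an added example that is not QEMU's net_tx_pkt.c or the e1000e/vmxnet3 code: the struct layout, the function names (tx_pkt_has_room_for_fragment, device_process_chain, run_chain), the fragment limit of 4 and the descriptor values are all assumptions made for illustration. The fragment-add routine keeps its assertion as an internal invariant; the device-side loop checks for room before every call and drops the packet, resetting the context, rather than letting a guest-chosen descriptor chain reach the assert and abort the process.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model only: names, layout and the limit are assumptions,
 * not the real struct NetTxPkt or the e1000e/vmxnet3 device code. */
#define MODEL_MAX_RAW_FRAGS 4u

struct raw_frag {
    uint64_t guest_pa;      /* guest-physical address of the fragment */
    size_t   len;
};

struct tx_pkt {
    struct raw_frag raw[MODEL_MAX_RAW_FRAGS];
    unsigned raw_frags;     /* fragments added so far */
    unsigned max_raw_frags; /* capacity, fixed when the context is set up */
};

/* One guest-supplied transmit descriptor: buffer address plus length. */
struct tx_desc {
    uint64_t buffer_addr;
    uint16_t length;
};

void tx_pkt_init(struct tx_pkt *pkt, unsigned max_raw_frags)
{
    memset(pkt, 0, sizeof(*pkt));
    pkt->max_raw_frags = max_raw_frags;
}

void tx_pkt_reset(struct tx_pkt *pkt)
{
    pkt->raw_frags = 0;
}

/* The add routine trusts its caller to respect the bound and only asserts.
 * A device model that calls it once per descriptor without checking lets a
 * guest that chains more descriptors than max_raw_frags turn this
 * assertion into an abort of the whole emulator. */
void tx_pkt_add_raw_fragment(struct tx_pkt *pkt, uint64_t pa, size_t len)
{
    assert(pkt->raw_frags < pkt->max_raw_frags);
    pkt->raw[pkt->raw_frags].guest_pa = pa;
    pkt->raw[pkt->raw_frags].len = len;
    pkt->raw_frags++;
}

/* The pre-check the series adds to the packet helper (hypothetical name):
 * true while there is room for one more raw fragment. */
bool tx_pkt_has_room_for_fragment(const struct tx_pkt *pkt)
{
    return pkt->raw_frags < pkt->max_raw_frags;
}

enum tx_result { TX_SENT, TX_DROPPED };

/* Device-side processing of one packet's descriptor chain with the check
 * in place: an over-long chain is dropped and the context reset before
 * the assertion in tx_pkt_add_raw_fragment() can ever be reached. */
enum tx_result device_process_chain(struct tx_pkt *pkt,
                                    const struct tx_desc *descs, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (!tx_pkt_has_room_for_fragment(pkt)) {
            tx_pkt_reset(pkt);
            return TX_DROPPED;
        }
        tx_pkt_add_raw_fragment(pkt, descs[i].buffer_addr, descs[i].length);
    }
    /* A real device would hand the assembled packet to the send path here. */
    unsigned sent_frags = pkt->raw_frags;
    tx_pkt_reset(pkt);
    return sent_frags ? TX_SENT : TX_DROPPED;
}

/* Builds a constructed chain of n descriptors and runs it through the
 * device loop; n is capped at the size of the local array. */
enum tx_result run_chain(size_t n)
{
    struct tx_pkt pkt;
    struct tx_desc descs[16];
    tx_pkt_init(&pkt, MODEL_MAX_RAW_FRAGS);
    if (n > 16) {
        n = 16;
    }
    for (size_t i = 0; i < n; i++) {
        descs[i].buffer_addr = 0x1000 + i * 0x100; /* constructed values */
        descs[i].length = 64;
    }
    return device_process_chain(&pkt, descs, n);
}

int main(void)
{
    for (size_t n = 3; n <= 5; n++) {
        printf("%zu descriptors: %s\n", n,
               run_chain(n) == TX_SENT ? "sent" : "dropped");
    }
    return 0;
}
```

The check lives in the device loop rather than inside the add routine because the device is the only place that knows what to do with the rest of the chain once the limit is hit; the helper just reports whether another fragment fits.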
