From: Michael Tokarev
Subject: [Stable-8.2.3 109/116] hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()
Date: Thu, 18 Apr 2024 20:49:39 +0300
From: Philippe Mathieu-Daudé <philmd@linaro.org>
If a fragmented packet size is too short, do not try to
calculate its checksum.
Reproduced using:
$ cat << EOF | qemu-system-i386 -display none -nodefaults \
-machine q35,accel=qtest -m 32M \
-device igb,netdev=net0 \
-netdev user,id=net0 \
-qtest stdio
outl 0xcf8 0x80000810
outl 0xcfc 0xe0000000
outl 0xcf8 0x80000804
outw 0xcfc 0x06
write 0xe0000403 0x1 0x02
writel 0xe0003808 0xffffffff
write 0xe000381a 0x1 0x5b
write 0xe000381b 0x1 0x00
EOF
Assertion failed: (offset == 0), function iov_from_buf_full, file util/iov.c, line 39.
#1 0x5575e81e952a in iov_from_buf_full qemu/util/iov.c:39:5
#2 0x5575e6500768 in net_tx_pkt_update_sctp_checksum qemu/hw/net/net_tx_pkt.c:144:9
#3 0x5575e659f3e1 in igb_setup_tx_offloads qemu/hw/net/igb_core.c:478:11
#4 0x5575e659f3e1 in igb_tx_pkt_send qemu/hw/net/igb_core.c:552:10
#5 0x5575e659f3e1 in igb_process_tx_desc qemu/hw/net/igb_core.c:671:17
#6 0x5575e659f3e1 in igb_start_xmit qemu/hw/net/igb_core.c:903:9
#7 0x5575e659f3e1 in igb_set_tdt qemu/hw/net/igb_core.c:2812:5
#8 0x5575e657d6a4 in igb_core_write qemu/hw/net/igb_core.c:4248:9
Fixes: CVE-2024-3567
Cc: qemu-stable@nongnu.org
Reported-by: Zheyu Ma <zheyuma97@gmail.com>
Fixes: f199b13bc1 ("igb: Implement Tx SCTP CSO")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2273
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Message-Id: <20240410070459.49112-1-philmd@linaro.org>
(cherry picked from commit 83ddb3dbba2ee0f1767442ae6ee665058aeb1093)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
index 2134a18c4c..b7b1de816d 100644
--- a/hw/net/net_tx_pkt.c
+++ b/hw/net/net_tx_pkt.c
@@ -141,6 +141,10 @@ bool net_tx_pkt_update_sctp_checksum(struct NetTxPkt *pkt)
uint32_t csum = 0;
struct iovec *pl_start_frag = pkt->vec + NET_TX_PKT_PL_START_FRAG;
+ if (iov_size(pl_start_frag, pkt->payload_frags) < 8 + sizeof(csum)) {
+ return false;
+ }
+
if (iov_from_buf(pl_start_frag, pkt->payload_frags, 8, &csum,
sizeof(csum)) < sizeof(csum)) {
return false;
}
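Review bot: the literal 8 (offset of the checksum field in the SCTP common header) now appears both in the new iov_size() guard and in the iov_from_buf() call right below it; a named constant would keep the two in sync if the offset or the width ever changes. The guard itself is the right shape: the existing `< sizeof(csum)` check on the copy only catches a short copy once the walk has reached the offset, whereas a payload shorter than 8 bytes never consumes the offset and hits assert(offset == 0) inside iov_from_buf_full, which is the backtrace above. With the guard in place, the following `< sizeof(csum)` test can no longer fail for size reasons; it is harmless to keep but could carry a one-line comment saying so.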
--
2.39.2
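The failure mode and the fix, as an added stand-alone C example (not QEMU's code, not part of the patch). model_iov_size() and model_iov_from_buf() are simplified models of the util/iov.c helpers written for this example: where the real iov_from_buf_full() asserts that the offset was consumed by the walk, the model records that condition in an `overrun` flag so both the pre-patch and the patched flow can be run on the same inputs. The checksum is CRC32c, which is what SCTP uses, stored little-endian; the inputs (a 12-byte SCTP common header split across two fragments, and a 4-byte runt like the one the reproducer builds) are constructed here. All names (model_*, update_sctp_checksum, demo_*) belong to this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/uio.h>

/* Offset of the 32-bit checksum inside the SCTP common header:
 * src port (2) + dst port (2) + verification tag (4). */
#define SCTP_CSUM_OFFSET 8

/* Simplified model of util/iov.c iov_size(): bytes spanned by the array. */
static size_t model_iov_size(const struct iovec *iov, unsigned iov_cnt)
{
    size_t len = 0;
    for (unsigned i = 0; i < iov_cnt; i++) {
        len += iov[i].iov_len;
    }
    return len;
}

/*
 * Simplified model of util/iov.c iov_from_buf_full(): copy `bytes` of buf
 * into the iovec array starting `offset` bytes in. The real function
 * asserts that the walk consumed `offset`; this model records that
 * condition in *overrun instead of aborting so a test can observe it.
 */
static size_t model_iov_from_buf(const struct iovec *iov, unsigned iov_cnt,
                                 size_t offset, const void *buf, size_t bytes,
                                 bool *overrun)
{
    size_t done = 0;
    for (unsigned i = 0; (offset || done < bytes) && i < iov_cnt; i++) {
        if (offset < iov[i].iov_len) {
            size_t len = iov[i].iov_len - offset;
            if (len > bytes - done) {
                len = bytes - done;
            }
            memcpy((char *)iov[i].iov_base + offset, (const char *)buf + done, len);
            done += len;
            offset = 0;
        } else {
            offset -= iov[i].iov_len;
        }
    }
    *overrun = (offset != 0); /* the real code does assert(offset == 0) here */
    return done;
}

/* CRC32c (Castagnoli, reflected polynomial 0x82F63B78), the SCTP checksum. */
static uint32_t crc32c_update(uint32_t crc, const uint8_t *data, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++) {
            crc = (crc >> 1) ^ (0x82F63B78u & -(crc & 1u));
        }
    }
    return crc;
}

uint32_t crc32c(const uint8_t *data, size_t len)
{
    return crc32c_update(0xFFFFFFFFu, data, len) ^ 0xFFFFFFFFu;
}

static uint32_t iov_crc32c(const struct iovec *iov, unsigned iov_cnt)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (unsigned i = 0; i < iov_cnt; i++) {
        crc = crc32c_update(crc, iov[i].iov_base, iov[i].iov_len);
    }
    return crc ^ 0xFFFFFFFFu;
}

/*
 * Offload step: zero the checksum field, CRC32c the payload, store the
 * result little-endian. guarded == false follows the pre-patch flow and
 * lets a short payload run the offset past the end of the array;
 * guarded == true applies the patch's iov_size() check first.
 */
bool update_sctp_checksum(struct iovec *pl, unsigned frags, bool guarded,
                          bool *overrun)
{
    uint32_t csum = 0;
    uint8_t le[4];

    *overrun = false;
    if (guarded && model_iov_size(pl, frags) < SCTP_CSUM_OFFSET + sizeof(csum)) {
        return false;
    }
    if (model_iov_from_buf(pl, frags, SCTP_CSUM_OFFSET, &csum, sizeof(csum),
                           overrun) < sizeof(csum)) {
        return false;
    }
    csum = iov_crc32c(pl, frags);
    for (int i = 0; i < 4; i++) {
        le[i] = (uint8_t)(csum >> (8 * i));
    }
    return model_iov_from_buf(pl, frags, SCTP_CSUM_OFFSET, le, sizeof(le),
                              overrun) == sizeof(le);
}

/* Constructed inputs: a 12-byte SCTP common header split over two
 * fragments, and a 4-byte runt like the one the reproducer builds. */
static uint8_t hdr_a[6] = { 0x1f, 0x90, 0x00, 0x50, 0xde, 0xad };
static uint8_t hdr_b[6] = { 0xbe, 0xef, 0xff, 0xff, 0xff, 0xff };
static uint8_t runt[4]  = { 0x1f, 0x90, 0x00, 0x50 };

/* Returns the checksum written into the full header, or 0 on failure. */
uint32_t demo_full_header(bool *overrun)
{
    struct iovec v[2] = { { hdr_a, sizeof(hdr_a) }, { hdr_b, sizeof(hdr_b) } };
    if (!update_sctp_checksum(v, 2, true, overrun)) {
        return 0;
    }
    return (uint32_t)hdr_b[2] | (uint32_t)hdr_b[3] << 8 |
           (uint32_t)hdr_b[4] << 16 | (uint32_t)hdr_b[5] << 24;
}

/* Runs the runt through the pre-patch (guarded=false) or patched flow. */
bool demo_runt(bool guarded, bool *overrun)
{
    struct iovec v[1] = { { runt, sizeof(runt) } };
    return update_sctp_checksum(v, 1, guarded, overrun);
}
```

The point the example makes: the return-value check on the copy only catches a payload whose length lies between 8 and 11 bytes, because the walk reaches the offset and then copies fewer than four bytes. A payload shorter than 8 bytes never consumes the offset at all, the walk ends with `offset != 0`, and the real function asserts before any return value exists. Only a size check ahead of the copy, as in the patch, covers that case.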