|
From: | Eric Blake |
Subject: | Re: [Qemu-devel] [PATCH V2 for 3.1 0/4] Fix possible OOB during queuing packets |
Date: | Thu, 29 Nov 2018 08:05:41 -0600 |
User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.3.0 |
On 11/29/18 6:14 AM, Jason Wang wrote:
Hi: This series tries to fix a possible OOB during queueing packets through qemu_net_queue_append_iov(). This could happen when it tries to queue a packet whose size is larger than INT_MAX which may lead integer overflow. We've fixed similar issue in the past during qemu_net_queue_deliver_iov() by ignoring large packets there. Let's just move the check earlier to qemu_sendv_packet_async() and reduce the limitation to NET_BUFSIZE. A simple qtest were also added this. Please review.
How important is this for 3.1? We've missed -rc3. Is this CVE quality because of a guest being able to cause mayhem by intentionally getting into this condition (in which case, we need it, as well as a CVE assigned)? Is it pre-existing in 3.0 at which point waiting for 4.0 is no worse off than what we already are?
-- Eric Blake, Principal Software Engineer Red Hat, Inc. +1-919-301-3266 Virtualization: qemu.org | libvirt.org
[Prev in Thread] | Current Thread | [Next in Thread] |