[PULL 45/91] hw/net/virtio-net.c: fix crash in iov_copy()
From: Michael S. Tsirkin
Subject: [PULL 45/91] hw/net/virtio-net.c: fix crash in iov_copy()
Date: Tue, 2 Jul 2024 10:09:15 -0400
From: Dmitry Frolov <frolov@swemel.ru>
A crash was found while fuzzing the device virtio-net-socket-check-used.
Assertion "offset == 0" in iov_copy() fails if fewer than guest_hdr_len bytes
were transmitted.
Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
Message-Id: <20240613143529.602591-2-frolov@swemel.ru>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
hw/net/virtio-net.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 9c7e85caea..8f30972708 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -2735,6 +2735,10 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q)
*/
assert(n->host_hdr_len <= n->guest_hdr_len);
if (n->host_hdr_len != n->guest_hdr_len) {
+ if (iov_size(out_sg, out_num) < n->guest_hdr_len) {
+ virtio_error(vdev, "virtio-net header is invalid");
+ goto detach;
+ }
unsigned sg_num = iov_copy(sg, ARRAY_SIZE(sg),
out_sg, out_num,
0, n->host_hdr_len);
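Review bot: the new iov_size() guard sits inside the `host_hdr_len != guest_hdr_len` branch, so a guest buffer shorter than guest_hdr_len is only rejected on that path; if the equal-length path also passes out_sg to iov_copy() with a non-zero offset it needs the same check, otherwise consider hoisting the guard above the `if` so every TX path validates the header length once. The virtio_error() message could also include iov_size(out_sg, out_num) and n->guest_hdr_len, which makes a malformed-guest event easier to triage from the log.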
--
MST
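The failure described in the commit message, modelled as an added example (not QEMU's code): a simplified iov_copy() that, like the real one, asserts the source was long enough to skip `offset` bytes, and a hypothetical build_tx_sg() that applies the patch's iov_size() check so a short guest buffer is rejected before the payload copy at offset guest_hdr_len can hit that assertion. The helper names and the two-copy layout (host header, then payload after the guest header) are assumptions for illustration.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/uio.h>

/* Total bytes described by an iovec array (the role QEMU's iov_size() plays). */
static size_t iov_total(const struct iovec *iov, unsigned iov_cnt)
{
    size_t len = 0;
    for (unsigned i = 0; i < iov_cnt; i++) len += iov[i].iov_len;
    return len;
}

/* Simplified model of iov_copy(): point dst at up to `bytes` bytes of src starting
 * `offset` bytes in. Like the real function it asserts that `offset` was fully
 * consumed, i.e. that the source really contained `offset` bytes. */
static unsigned iov_copy_model(struct iovec *dst, unsigned dst_cnt,
                               const struct iovec *src, unsigned src_cnt,
                               size_t offset, size_t bytes)
{
    unsigned j = 0;
    for (unsigned i = 0; i < src_cnt && j < dst_cnt && bytes; i++) {
        if (offset >= src[i].iov_len) {   /* still skipping the prefix */
            offset -= src[i].iov_len;
            continue;
        }
        size_t len = src[i].iov_len - offset;
        if (len > bytes) len = bytes;
        dst[j].iov_base = (char *)src[i].iov_base + offset;
        dst[j].iov_len = len;
        bytes -= len;
        offset = 0;
        j++;
    }
    assert(offset == 0);   /* the assertion a short guest buffer used to trip */
    return j;
}

/* Hypothetical guarded TX path: keep the first host_hdr_len bytes, skip the rest of
 * the guest header, append the payload. Returns -1 instead of asserting when the
 * guest supplied fewer than guest_hdr_len bytes (the check the patch adds). */
static int build_tx_sg(struct iovec *sg, unsigned sg_cnt,
                       const struct iovec *out_sg, unsigned out_num,
                       size_t host_hdr_len, size_t guest_hdr_len)
{
    assert(host_hdr_len <= guest_hdr_len);
    if (iov_total(out_sg, out_num) < guest_hdr_len) return -1;
    unsigned n = iov_copy_model(sg, sg_cnt, out_sg, out_num, 0, host_hdr_len);
    n += iov_copy_model(sg + n, sg_cnt - n, out_sg, out_num, guest_hdr_len, SIZE_MAX);
    return (int)n;
}
```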