[PULL v2 45/88] hw/net/virtio-net.c: fix crash in iov_copy()
From: Michael S. Tsirkin
Subject: [PULL v2 45/88] hw/net/virtio-net.c: fix crash in iov_copy()
Date: Tue, 2 Jul 2024 16:18:08 -0400
From: Dmitry Frolov <frolov@swemel.ru>
A crash found while fuzzing device virtio-net-socket-check-used.
Assertion "offset == 0" in iov_copy() fails if less than guest_hdr_len bytes
were transmitted.
Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
Message-Id: <20240613143529.602591-2-frolov@swemel.ru>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
hw/net/virtio-net.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 9c7e85caea..8f30972708 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -2735,6 +2735,10 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q)
*/
assert(n->host_hdr_len <= n->guest_hdr_len);
if (n->host_hdr_len != n->guest_hdr_len) {
+ if (iov_size(out_sg, out_num) < n->guest_hdr_len) {
+ virtio_error(vdev, "virtio-net header is invalid");
+ goto detach;
+ }
unsigned sg_num = iov_copy(sg, ARRAY_SIZE(sg),
out_sg, out_num,
0, n->host_hdr_len);
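Review bot: the new length check is placed inside the `if (n->host_hdr_len != n->guest_hdr_len)` branch, so a descriptor chain shorter than guest_hdr_len is only rejected when the host and guest header lengths differ; the commit message should say why the equal-length path does not need the same guard (or the check should move above the branch so both paths are covered). Also consider making the error message useful when it fires, e.g. `virtio_error(vdev, "virtio-net header is invalid: %zu bytes, expected at least %zu", ...)` with the values from `iov_size(out_sg, out_num)` and `n->guest_hdr_len`, since a bare "header is invalid" gives an operator no way to distinguish a truncated chain from other malformed-descriptor cases.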
--
MST