[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PULL v3 45/85] hw/net/virtio-net.c: fix crash in iov_copy()
|
From: |
Michael S. Tsirkin |
|
Subject: |
[PULL v3 45/85] hw/net/virtio-net.c: fix crash in iov_copy() |
|
Date: |
Wed, 3 Jul 2024 18:47:45 -0400 |
From: Dmitry Frolov <frolov@swemel.ru>
A crash found while fuzzing device virtio-net-socket-check-used.
Assertion "offset == 0" in iov_copy() fails if less than guest_hdr_len bytes
were transmited.
Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
Message-Id: <20240613143529.602591-2-frolov@swemel.ru>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
hw/net/virtio-net.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 9c7e85caea..8f30972708 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -2735,6 +2735,10 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q)
*/
assert(n->host_hdr_len <= n->guest_hdr_len);
if (n->host_hdr_len != n->guest_hdr_len) {
+ if (iov_size(out_sg, out_num) < n->guest_hdr_len) {
+ virtio_error(vdev, "virtio-net header is invalid");
+ goto detach;
+ }
unsigned sg_num = iov_copy(sg, ARRAY_SIZE(sg),
out_sg, out_num,
0, n->host_hdr_len);
--
MST
- [PULL v3 34/85] pvpanic: Emit GUEST_PVSHUTDOWN QMP event on pvpanic shutdown signal, (continued)
- [PULL v3 34/85] pvpanic: Emit GUEST_PVSHUTDOWN QMP event on pvpanic shutdown signal, Michael S. Tsirkin, 2024/07/03
- [PULL v3 36/85] Revert "docs/specs/pvpanic: mark shutdown event as not implemented", Michael S. Tsirkin, 2024/07/03
- [PULL v3 37/85] virtio-pci: Fix the failure process in kvm_virtio_pci_vector_use_one(), Michael S. Tsirkin, 2024/07/03
- [PULL v3 38/85] hw/cxl: Fix read from bogus memory, Michael S. Tsirkin, 2024/07/03
- [PULL v3 39/85] virtio-pci: implement No_Soft_Reset bit, Michael S. Tsirkin, 2024/07/03
- [PULL v3 40/85] vhost-user-test: no set non-blocking for cal fd less than 0., Michael S. Tsirkin, 2024/07/03
- [PULL v3 41/85] i386/apic: Add hint on boot failure because of disabling x2APIC, Michael S. Tsirkin, 2024/07/03
- [PULL v3 42/85] hw/virtio: Free vqs after vhost_dev_cleanup(), Michael S. Tsirkin, 2024/07/03
- [PULL v3 43/85] virtio-iommu: add error check before assert, Michael S. Tsirkin, 2024/07/03
- [PULL v3 44/85] vhost-user: Skip unnecessary duplicated VHOST_USER_SET_LOG_BASE requests, Michael S. Tsirkin, 2024/07/03
- [PULL v3 45/85] hw/net/virtio-net.c: fix crash in iov_copy(),
Michael S. Tsirkin <=
- [PULL v3 46/85] qapi: clarify that the default is backend dependent, Michael S. Tsirkin, 2024/07/03
- [PULL v3 47/85] libvhost-user: set msg.msg_control to NULL when it is empty, Michael S. Tsirkin, 2024/07/03
- [PULL v3 48/85] libvhost-user: fail vu_message_write() if sendmsg() is failing, Michael S. Tsirkin, 2024/07/03
- [PULL v3 49/85] libvhost-user: mask F_INFLIGHT_SHMFD if memfd is not supported, Michael S. Tsirkin, 2024/07/03
- [PULL v3 50/85] vhost-user-server: do not set memory fd non-blocking, Michael S. Tsirkin, 2024/07/03
- [PULL v3 51/85] contrib/vhost-user-blk: fix bind() using the right size of the address, Michael S. Tsirkin, 2024/07/03
- [PULL v3 53/85] hostmem: add a new memory backend based on POSIX shm_open(), Michael S. Tsirkin, 2024/07/03
- [PULL v3 52/85] contrib/vhost-user-*: use QEMU bswap helper functions, Michael S. Tsirkin, 2024/07/03