[pve-devel] applied: [PATCH pve-qemu] patch for possible DOS in qemu network packet processing

Tue Aug 11 11:30:38 CEST 2020

On August 10, 2020 2:32 pm, Oguz Bektas wrote:
> fixes an assertion failure in qemu network packet processing, which can
> lead to DOS'ing the qemu process on the host. this affects 'e1000e' and
> 'vmxnet3' network devices.
> 
> patch is cherry-picked from the commit mentioned in the oss-security email.
> 
> more info on oss-security [0]
> 
> [0]: https://www.openwall.com/lists/oss-security/2020/08/10/1
> 
> Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
> ---
>  ...t-fix-assertion-failure-in-net_tx_pk.patch | 42 +++++++++++++++++++
>  debian/patches/series                         |  1 +
>  2 files changed, 43 insertions(+)
>  create mode 100644 debian/patches/extra/0002-hw-net-net_tx_pkt-fix-assertion-failure-in-net_tx_pk.patch
> 
> diff --git a/debian/patches/extra/0002-hw-net-net_tx_pkt-fix-assertion-failure-in-net_tx_pk.patch b/debian/patches/extra/0002-hw-net-net_tx_pkt-fix-assertion-failure-in-net_tx_pk.patch
> new file mode 100644
> index 0000000..1b4b2c4
> --- /dev/null
> +++ b/debian/patches/extra/0002-hw-net-net_tx_pkt-fix-assertion-failure-in-net_tx_pk.patch
> @@ -0,0 +1,42 @@
> +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
> +From: Mauro Matteo Cascella <mcascell at redhat.com>
> +Date: Sat, 1 Aug 2020 18:42:38 +0200
> +Subject: [PATCH] hw/net/net_tx_pkt: fix assertion failure in
> + net_tx_pkt_add_raw_fragment()
> +
> +An assertion failure issue was found in the code that processes network packets
> +while adding data fragments into the packet context. It could be abused by a
> +malicious guest to abort the QEMU process on the host. This patch replaces the
> +affected assert() with a conditional statement, returning false if the current
> +data fragment exceeds max_raw_frags.
> +
> +Reported-by: Alexander Bulekov <alxndr at bu.edu>
> +Reported-by: Ziming Zhang <ezrakiez at gmail.com>
> +Reviewed-by: Dmitry Fleytman <dmitry.fleytman at gmail.com>
> +Signed-off-by: Mauro Matteo Cascella <mcascell at redhat.com>
> +Signed-off-by: Jason Wang <jasowang at redhat.com>
> +(cherry picked from commit 035e69b063835a5fd23cacabd63690a3d84532a8)
> +Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
> +---
> + hw/net/net_tx_pkt.c | 5 ++++-
> + 1 file changed, 4 insertions(+), 1 deletion(-)
> +
> +diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
> +index 162f802dd7..54d4c3bbd0 100644
> +--- a/hw/net/net_tx_pkt.c
> ++++ b/hw/net/net_tx_pkt.c
> +@@ -379,7 +379,10 @@ bool net_tx_pkt_add_raw_fragment(struct NetTxPkt *pkt, hwaddr pa,
> +     hwaddr mapped_len = 0;
> +     struct iovec *ventry;
> +     assert(pkt);
> +-    assert(pkt->max_raw_frags > pkt->raw_frags);
> ++
> ++    if (pkt->raw_frags >= pkt->max_raw_frags) {
> ++        return false;
> ++    }
> + 
> +     if (!len) {
> +         return true;
> +-- 
> +2.20.1
> +
> diff --git a/debian/patches/series b/debian/patches/series
> index 00d2c7d..531c5b9 100644
> --- a/debian/patches/series
> +++ b/debian/patches/series
> @@ -1,4 +1,5 @@
>  extra/0001-hw-vfio-pci-quirks-Fix-broken-legacy-IGD-passthrough.patch
> +extra/0002-hw-net-net_tx_pkt-fix-assertion-failure-in-net_tx_pk.patch
>  pve/0001-PVE-Config-block-file-change-locking-default-to-off.patch
>  pve/0002-PVE-Config-Adjust-network-script-path-to-etc-kvm.patch
>  pve/0003-PVE-Config-set-the-CPU-model-to-kvm64-32-instead-of-.patch
> -- 
> 2.20.1
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel at lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
> 
>