patch for possible DOS in qemu network packet processing

fixes an assertion failure in qemu network packet processing, which can lead to DOS'ing the qemu process on the host. this affects 'e1000e' and 'vmxnet3' network devices. patch is cherry-picked from the commit mentioned in the oss-security email. more info on oss-security [0] [0]: https://www.openwall.com/lists/oss-security/2020/08/10/1 Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
2020-08-10 14:32:22 +02:00 · 2020-08-10 14:32:22 +02:00 · 95fd47ecb9
commit 95fd47ecb9
parent 41424ed9c8
2 changed files with 43 additions and 0 deletions
--- a/debian/patches/extra/0002-hw-net-net_tx_pkt-fix-assertion-failure-in-net_tx_pk.patch
+++ b/debian/patches/extra/0002-hw-net-net_tx_pkt-fix-assertion-failure-in-net_tx_pk.patch
@ -0,0 +1,42 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Sat, 1 Aug 2020 18:42:38 +0200
+Subject: [PATCH] hw/net/net_tx_pkt: fix assertion failure in
+ net_tx_pkt_add_raw_fragment()
+
+An assertion failure issue was found in the code that processes network packets
+while adding data fragments into the packet context. It could be abused by a
+malicious guest to abort the QEMU process on the host. This patch replaces the
+affected assert() with a conditional statement, returning false if the current
+data fragment exceeds max_raw_frags.
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Ziming Zhang <ezrakiez@gmail.com>
+Reviewed-by: Dmitry Fleytman <dmitry.fleytman@gmail.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 035e69b063835a5fd23cacabd63690a3d84532a8)
+Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
+---
+ hw/net/net_tx_pkt.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
+index 162f802dd7..54d4c3bbd0 100644
+--- a/hw/net/net_tx_pkt.c
+++ b/hw/net/net_tx_pkt.c
+@@ -379,7 +379,10 @@ bool net_tx_pkt_add_raw_fragment(struct NetTxPkt *pkt, hwaddr pa,
+     hwaddr mapped_len = 0;
+     struct iovec *ventry;
+     assert(pkt);
+-    assert(pkt->max_raw_frags > pkt->raw_frags);
+
+    if (pkt->raw_frags >= pkt->max_raw_frags) {
+        return false;
+    }
+ 
+     if (!len) {
+         return true;
+-- 
+2.20.1
+
--- a/debian/patches/series
+++ b/debian/patches/series
@ -1,4 +1,5 @@
 extra/0001-hw-vfio-pci-quirks-Fix-broken-legacy-IGD-passthrough.patch
+extra/0002-hw-net-net_tx_pkt-fix-assertion-failure-in-net_tx_pk.patch
 pve/0001-PVE-Config-block-file-change-locking-default-to-off.patch
 pve/0002-PVE-Config-Adjust-network-script-path-to-etc-kvm.patch
 pve/0003-PVE-Config-set-the-CPU-model-to-kvm64-32-instead-of-.patch