thebeanogamer / rpms / qemu-kvm

Forked from rpms/qemu-kvm 5 months ago

Blame SOURCES/kvm-virtio-net-fix-map-leaking-on-error-during-receive.patch

4841a6
From 10b3a7b56dc9b4c88e503c36c1b13d80bcb7b066 Mon Sep 17 00:00:00 2001
6443c2
From: Jason Wang <jasowang@redhat.com>
6443c2
Date: Tue, 8 Mar 2022 10:42:51 +0800
4841a6
Subject: [PATCH 2/6] virtio-net: fix map leaking on error during receive
6443c2
6443c2
RH-Author: Jon Maloy <jmaloy@redhat.com>
4841a6
RH-MergeRequest: 154: virtio-net: fix map leaking on error during receive
4841a6
RH-Commit: [1/1] 7178b0cd5ce7c89fe476f2e199c9212c8b89327a (jmaloy/qemu-kvm)
4841a6
RH-Bugzilla: 2063206
4841a6
RH-Acked-by: Jason Wang <None>
4841a6
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
4841a6
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
6443c2
4841a6
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2063206
6443c2
Upstream: Merged
6443c2
CVE: CVE-2022-26353
6443c2
6443c2
commit abe300d9d894f7138e1af7c8e9c88c04bfe98b37
6443c2
Author: Jason Wang <jasowang@redhat.com>
6443c2
Date:   Tue Mar 8 10:42:51 2022 +0800
6443c2
6443c2
    virtio-net: fix map leaking on error during receive
6443c2
6443c2
    Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
6443c2
    tries to fix the use after free of the sg by caching the virtqueue
6443c2
    elements in an array and unmap them at once after receiving the
6443c2
    packets. But it forgot to unmap the cached elements on error which
6443c2
    will lead to leaking of mapping and other unexpected results.
6443c2
6443c2
    Fixing this by detaching the cached elements on error. This addresses
6443c2
    CVE-2022-26353.
6443c2
6443c2
    Reported-by: Victor Tom <vv474172261@gmail.com>
6443c2
    Cc: qemu-stable@nongnu.org
6443c2
    Fixes: CVE-2022-26353
6443c2
    Fixes: bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
6443c2
    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
6443c2
    Signed-off-by: Jason Wang <jasowang@redhat.com>
6443c2
6443c2
(cherry picked from commit abe300d9d894f7138e1af7c8e9c88c04bfe98b37)
6443c2
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
6443c2
---
6443c2
 hw/net/virtio-net.c | 1 +
6443c2
 1 file changed, 1 insertion(+)
6443c2
6443c2
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
6443c2
index f2014d5ea0..e1f4748831 100644
6443c2
--- a/hw/net/virtio-net.c
6443c2
+++ b/hw/net/virtio-net.c
6443c2
@@ -1862,6 +1862,7 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
6443c2
 
6443c2
 err:
6443c2
     for (j = 0; j < i; j++) {
6443c2
+        virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);
6443c2
         g_free(elems[j]);
6443c2
     }
6443c2
 
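Review bot: In the err: loop, the added virtqueue_detach_element(q->rx_vq, elems[j], lens[j]) reads lens[j] for every j < i, but this hunk does not show where lens[] is written. Please confirm that every path jumping to err has stored lens[j] together with elems[j] before i is incremented, so that no uninitialised length reaches the detach call. Detaching before g_free(elems[j]) is the right order. A one-line comment above the loop noting that the cached elements are still mapped at this point would help keep the call from being dropped in a later refactor of the error path.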
6443c2
-- 
6443c2
2.27.0
6443c2