thebeanogamer / rpms / qemu-kvm

Forked from rpms/qemu-kvm 5 months ago
Clone

Blame SOURCES/kvm-virtio-net-fix-map-leaking-on-error-during-receive.patch

f79135
From d1a64781c4f7fa698a359ea078a98029f4f67c1b Mon Sep 17 00:00:00 2001
f79135
From: Jason Wang <jasowang@redhat.com>
f79135
Date: Tue, 8 Mar 2022 10:42:51 +0800
f79135
Subject: [PATCH 2/3] virtio-net: fix map leaking on error during receive
f79135
f79135
RH-Author: Jon Maloy <jmaloy@redhat.com>
f79135
RH-MergeRequest: 178: virtio-net: fix map leaking on error during receive
f79135
RH-Commit: [1/1] afdfa3198fcf815de59915136222f73711efd292 (jmaloy/qemu-kvm)
f79135
RH-Bugzilla: 2075635
f79135
RH-Acked-by: Jason Wang <jasowang@redhat.com>
f79135
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
f79135
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
f79135
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
f79135
f79135
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2075635
f79135
Upstream: Merged
f79135
CVE: CVE-2022-26353
f79135
f79135
commit abe300d9d894f7138e1af7c8e9c88c04bfe98b37
f79135
Author: Jason Wang <jasowang@redhat.com>
f79135
Date:   Tue Mar 8 10:42:51 2022 +0800
f79135
f79135
    virtio-net: fix map leaking on error during receive
f79135
f79135
    Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
f79135
    tries to fix the use after free of the sg by caching the virtqueue
f79135
    elements in an array and unmap them at once after receiving the
f79135
    packets, But it forgot to unmap the cached elements on error which
f79135
    will lead to leaking of mapping and other unexpected results.
f79135
f79135
    Fixing this by detaching the cached elements on error. This addresses
f79135
    CVE-2022-26353.
f79135
f79135
    Reported-by: Victor Tom <vv474172261@gmail.com>
f79135
    Cc: qemu-stable@nongnu.org
f79135
    Fixes: CVE-2022-26353
f79135
    Fixes: bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
f79135
    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
f79135
    Signed-off-by: Jason Wang <jasowang@redhat.com>
f79135
f79135
(cherry picked from commit abe300d9d894f7138e1af7c8e9c88c04bfe98b37)
f79135
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
f79135
---
f79135
 hw/net/virtio-net.c | 1 +
f79135
 1 file changed, 1 insertion(+)
f79135
f79135
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
f79135
index f2014d5ea0..e1f4748831 100644
f79135
--- a/hw/net/virtio-net.c
f79135
+++ b/hw/net/virtio-net.c
f79135
@@ -1862,6 +1862,7 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
f79135
 
f79135
 err:
f79135
     for (j = 0; j < i; j++) {
f79135
+        virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);
f79135
         g_free(elems[j]);
f79135
     }
f79135
 
f79135
-- 
f79135
2.31.1
f79135