thebeanogamer / rpms / qemu-kvm

Forked from rpms/qemu-kvm 5 months ago
Clone

Blame SOURCES/kvm-virtio-net-fix-map-leaking-on-error-during-receive.patch

6443c2
From ba9806fd38f113deb452156fdc644407f061311c Mon Sep 17 00:00:00 2001
6443c2
From: Jason Wang <jasowang@redhat.com>
6443c2
Date: Tue, 8 Mar 2022 10:42:51 +0800
6443c2
Subject: [PATCH 06/11] virtio-net: fix map leaking on error during receive
6443c2
MIME-Version: 1.0
6443c2
Content-Type: text/plain; charset=UTF-8
6443c2
Content-Transfer-Encoding: 8bit
6443c2
6443c2
RH-Author: Jon Maloy <jmaloy@redhat.com>
6443c2
RH-MergeRequest: 165: virtio-net: fix map leaking on error during receive
6443c2
RH-Commit: [1/1] f0546c74a5bfd37de473703f6a7c6f8f29fb0831 (jmaloy/qemu-kvm)
6443c2
RH-Bugzilla: 2075637
6443c2
RH-Acked-by: Mauro Matteo Cascella <None>
6443c2
RH-Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
6443c2
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
6443c2
6443c2
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2075637
6443c2
Upstream: Merged
6443c2
CVE: CVE-2022-26353
6443c2
6443c2
commit abe300d9d894f7138e1af7c8e9c88c04bfe98b37
6443c2
Author: Jason Wang <jasowang@redhat.com>
6443c2
Date:   Tue Mar 8 10:42:51 2022 +0800
6443c2
6443c2
    virtio-net: fix map leaking on error during receive
6443c2
6443c2
    Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
6443c2
    tries to fix the use after free of the sg by caching the virtqueue
6443c2
    elements in an array and unmap them at once after receiving the
6443c2
    packets, But it forgot to unmap the cached elements on error which
6443c2
    will lead to leaking of mapping and other unexpected results.
6443c2
6443c2
    Fixing this by detaching the cached elements on error. This addresses
6443c2
    CVE-2022-26353.
6443c2
6443c2
    Reported-by: Victor Tom <vv474172261@gmail.com>
6443c2
    Cc: qemu-stable@nongnu.org
6443c2
    Fixes: CVE-2022-26353
6443c2
    Fixes: bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
6443c2
    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
6443c2
    Signed-off-by: Jason Wang <jasowang@redhat.com>
6443c2
6443c2
(cherry picked from commit abe300d9d894f7138e1af7c8e9c88c04bfe98b37)
6443c2
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
6443c2
---
6443c2
 hw/net/virtio-net.c | 1 +
6443c2
 1 file changed, 1 insertion(+)
6443c2
6443c2
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
6443c2
index f2014d5ea0..e1f4748831 100644
6443c2
--- a/hw/net/virtio-net.c
6443c2
+++ b/hw/net/virtio-net.c
6443c2
@@ -1862,6 +1862,7 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
6443c2
 
6443c2
 err:
6443c2
     for (j = 0; j < i; j++) {
6443c2
+        virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);
6443c2
         g_free(elems[j]);
6443c2
     }
6443c2
 
6443c2
-- 
6443c2
2.27.0
6443c2