thebeanogamer / rpms / qemu-kvm

Forked from rpms/qemu-kvm 5 months ago
Clone
0727d3
From 10b3a7b56dc9b4c88e503c36c1b13d80bcb7b066 Mon Sep 17 00:00:00 2001
0727d3
From: Jason Wang <jasowang@redhat.com>
0727d3
Date: Tue, 8 Mar 2022 10:42:51 +0800
0727d3
Subject: [PATCH 2/6] virtio-net: fix map leaking on error during receive
0727d3
0727d3
RH-Author: Jon Maloy <jmaloy@redhat.com>
0727d3
RH-MergeRequest: 154: virtio-net: fix map leaking on error during receive
0727d3
RH-Commit: [1/1] 7178b0cd5ce7c89fe476f2e199c9212c8b89327a (jmaloy/qemu-kvm)
0727d3
RH-Bugzilla: 2063206
0727d3
RH-Acked-by: Jason Wang <None>
0727d3
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
0727d3
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
0727d3
0727d3
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2063206
0727d3
Upstream: Merged
0727d3
CVE: CVE-2022-26353
0727d3
0727d3
commit abe300d9d894f7138e1af7c8e9c88c04bfe98b37
0727d3
Author: Jason Wang <jasowang@redhat.com>
0727d3
Date:   Tue Mar 8 10:42:51 2022 +0800
0727d3
0727d3
    virtio-net: fix map leaking on error during receive
0727d3
0727d3
    Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
0727d3
    tries to fix the use after free of the sg by caching the virtqueue
0727d3
    elements in an array and unmap them at once after receiving the
0727d3
    packets, But it forgot to unmap the cached elements on error which
0727d3
    will lead to leaking of mapping and other unexpected results.
0727d3
0727d3
    Fixing this by detaching the cached elements on error. This addresses
0727d3
    CVE-2022-26353.
0727d3
0727d3
    Reported-by: Victor Tom <vv474172261@gmail.com>
0727d3
    Cc: qemu-stable@nongnu.org
0727d3
    Fixes: CVE-2022-26353
0727d3
    Fixes: bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
0727d3
    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
0727d3
    Signed-off-by: Jason Wang <jasowang@redhat.com>
0727d3
0727d3
(cherry picked from commit abe300d9d894f7138e1af7c8e9c88c04bfe98b37)
0727d3
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
0727d3
---
0727d3
 hw/net/virtio-net.c | 1 +
0727d3
 1 file changed, 1 insertion(+)
0727d3
0727d3
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
0727d3
index f2014d5ea0..e1f4748831 100644
0727d3
--- a/hw/net/virtio-net.c
0727d3
+++ b/hw/net/virtio-net.c
0727d3
@@ -1862,6 +1862,7 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
0727d3
 
0727d3
 err:
0727d3
     for (j = 0; j < i; j++) {
0727d3
+        virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);
0727d3
         g_free(elems[j]);
0727d3
     }
0727d3
 
0727d3
-- 
0727d3
2.27.0
0727d3