thebeanogamer / rpms / qemu-kvm

Forked from rpms/qemu-kvm 5 months ago
1be5c7
From 10b3a7b56dc9b4c88e503c36c1b13d80bcb7b066 Mon Sep 17 00:00:00 2001
From: Jason Wang <jasowang@redhat.com>
Date: Tue, 8 Mar 2022 10:42:51 +0800
Subject: [PATCH 2/6] virtio-net: fix map leaking on error during receive

RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 154: virtio-net: fix map leaking on error during receive
RH-Commit: [1/1] 7178b0cd5ce7c89fe476f2e199c9212c8b89327a (jmaloy/qemu-kvm)
RH-Bugzilla: 2063206
RH-Acked-by: Jason Wang <None>
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2063206
Upstream: Merged
CVE: CVE-2022-26353

commit abe300d9d894f7138e1af7c8e9c88c04bfe98b37
Author: Jason Wang <jasowang@redhat.com>
Date:   Tue Mar 8 10:42:51 2022 +0800

    virtio-net: fix map leaking on error during receive

    Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
    tries to fix the use after free of the sg by caching the virtqueue
    elements in an array and unmap them at once after receiving the
    packets, but it forgot to unmap the cached elements on error which
    will lead to leaking of mapping and other unexpected results.

    Fixing this by detaching the cached elements on error. This addresses
    CVE-2022-26353.

    Reported-by: Victor Tom <vv474172261@gmail.com>
    Cc: qemu-stable@nongnu.org
    Fixes: CVE-2022-26353
    Fixes: bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>

(cherry picked from commit abe300d9d894f7138e1af7c8e9c88c04bfe98b37)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
 hw/net/virtio-net.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index f2014d5ea0..e1f4748831 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1862,6 +1862,7 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
 
 err:
     for (j = 0; j < i; j++) {
+        virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);
         g_free(elems[j]);
     }
 
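Review bot: the new `virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);` is correctly placed before `g_free(elems[j]);`, since detaching walks the element's mapped scatter-gather entries and freeing first would reintroduce the use after free the earlier commit fixed; what this hunk does not show is the invariant the call depends on, namely that `lens[j]` holds the mapped length for every `j < i` on every path that jumps to `err`. If `i` is only advanced after both `elems[i]` and `lens[i]` are stored, the loop is sound, but a one-line comment above `for (j = 0; j < i; j++)` stating that `elems[0..i)` and `lens[0..i)` are valid here would document that and guard against a later change that increments `i` before `lens[i]` is set.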
-- 
2.27.0