From fde4e5271163b31ca130b3c0bd95d6abb3d551d1 Mon Sep 17 00:00:00 2001 From: Jason Wang Date: Fri, 14 May 2021 10:21:33 +0800 Subject: [PATCH 1/8] e1000: switch to use qemu_receive_packet() for loopback MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix CVE-2021-3416 This patch switches to use qemu_receive_packet() which can detect reentrancy and return early. This is intended to address CVE-2021-3416. Cc: Prasad J Pandit Cc: qemu-stable@nongnu.org Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Jason Wang Signed-off-by: Jiajie Li --- hw/net/e1000.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/net/e1000.c b/hw/net/e1000.c index a023ceb27c..a99aa3ccc3 100644 --- a/hw/net/e1000.c +++ b/hw/net/e1000.c @@ -546,7 +546,7 @@ e1000_send_packet(E1000State *s, const uint8_t *buf, int size) NetClientState *nc = qemu_get_queue(s->nic); if (s->phy_reg[PHY_CTRL] & MII_CR_LOOPBACK) { - nc->info->receive(nc, buf, size); + qemu_receive_packet(nc, buf, size); } else { qemu_send_packet(nc, buf, size); } -- Gitee From 5c33d9e4efd024c257044c4e52002623483d47fd Mon Sep 17 00:00:00 2001 From: Jason Wang Date: Fri, 14 May 2021 10:24:53 +0800 Subject: [PATCH 2/8] dp8393x: switch to use qemu_receive_packet() for loopback packet MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix CVE-2021-3416 This patch switches to use qemu_receive_packet() which can detect reentrancy and return early. This is intended to address CVE-2021-3416. Cc: Prasad J Pandit Cc: qemu-stable@nongnu.org Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Jiajie Li --- hw/net/dp8393x.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c index bdb0b3b2c2..a64da76bf3 100644 --- a/hw/net/dp8393x.c +++ b/hw/net/dp8393x.c 
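Review bot: The loopback branch in e1000_send_packet has no comment saying why the frame must go through `qemu_receive_packet()` instead of the device's receive callback, so a later cleanup could quietly restore the direct call that CVE-2021-3416 is about. Suggest adding `/* Loopback must go through the net layer so re-entrant delivery is detected (CVE-2021-3416); do not call nc->info->receive() directly. */` above the call; the same applies to the loopback branches changed in sungem.c, net_tx_pkt.c, pcnet.c and cadence_gem.c. The helper's result is also discarded at each site, so a frame dropped on the early-return path leaves no trace, and a trace point or guest-error log there would help when diagnosing a guest that hits it. `qemu_receive_packet()` is not defined anywhere in this 8-patch series, so the backport presumably relies on an earlier commit that adds it, which is worth confirming before applying. e1000_send_packet continues outside the hunk.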
@@ -459,7 +459,7 @@ static void dp8393x_do_transmit_packets(dp8393xState *s) s->regs[SONIC_TCR] |= SONIC_TCR_CRSL; if (nc->info->can_receive(nc)) { s->loopback_packet = 1; - nc->info->receive(nc, s->tx_buffer, tx_len); + qemu_receive_packet(nc, s->tx_buffer, tx_len); } } else { /* Transmit packet */ -- Gitee From 0910de3e18abf24e5188000ec0a94ea041808fb3 Mon Sep 17 00:00:00 2001 From: Jason Wang Date: Fri, 14 May 2021 10:30:23 +0800 Subject: [PATCH 3/8] sungem: switch to use qemu_receive_packet() for loopback MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix CVE-2021-3416 This patch switches to use qemu_receive_packet() which can detect reentrancy and return early. This is intended to address CVE-2021-3416. Cc: Prasad J Pandit Cc: qemu-stable@nongnu.org Reviewed-by: Mark Cave-Ayland Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Alistair Francis Signed-off-by: Jason Wang Signed-off-by: Jiajie Li --- hw/net/sungem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/net/sungem.c b/hw/net/sungem.c index 89bcf749d1..37b62f62b8 100644 --- a/hw/net/sungem.c +++ b/hw/net/sungem.c @@ -303,7 +303,7 @@ static void sungem_send_packet(SunGEMState *s, const uint8_t *buf, NetClientState *nc = qemu_get_queue(s->nic); if (s->macregs[MAC_XIFCFG >> 2] & MAC_XIFCFG_LBCK) { - nc->info->receive(nc, buf, size); + qemu_receive_packet(nc, buf, size); } else { qemu_send_packet(nc, buf, size); } -- Gitee From b5e34f46735340ae33635c450a7a5feb3b9da021 Mon Sep 17 00:00:00 2001 
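Review bot: In dp8393x_do_transmit_packets, `s->loopback_packet = 1` is set immediately before the new call, but nothing in the hunk clears it if `qemu_receive_packet()` returns early on reentrancy, as the commit message says it can. If the flag is only reset inside the device's receive routine (that code is outside this hunk, so this needs confirming), it would stay set and could be applied to the next frame that really arrives. Either clear it after the call, `s->loopback_packet = 0;`, if the receive path does not depend on it afterwards, or add a comment stating where it is reset. The guard `nc->info->can_receive(nc)` still calls the callback directly, which is harmless here but may duplicate a check the helper already performs. The function starts and ends outside the hunk.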
From: Jason Wang Date: Fri, 14 May 2021 10:32:24 +0800 Subject: [PATCH 4/8] tx_pkt: switch to use qemu_receive_packet_iov() for loopback MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix CVE-2021-3416 This patch switches to use qemu_receive_receive_iov() which can detect reentrancy and return early. This is intended to address CVE-2021-3416. Cc: Prasad J Pandit Cc: qemu-stable@nongnu.org Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Jason Wang Signed-off-by: Jiajie Li --- hw/net/net_tx_pkt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c index 54d4c3bbd0..646cdfaf4d 100644 --- a/hw/net/net_tx_pkt.c +++ b/hw/net/net_tx_pkt.c @@ -544,7 +544,7 @@ static inline void net_tx_pkt_sendv(struct NetTxPkt *pkt, NetClientState *nc, const struct iovec *iov, int iov_cnt) { if (pkt->is_loopback) { - nc->info->receive_iov(nc, iov, iov_cnt); + qemu_receive_packet_iov(nc, iov, iov_cnt); } else { qemu_sendv_packet(nc, iov, iov_cnt); } -- Gitee From 5b8d124871ad266ef8765261fe180f1582a42264 Mon Sep 17 00:00:00 2001 From: Alexander Bulekov Date: Fri, 14 May 2021 10:35:11 +0800 Subject: [PATCH 5/8] rtl8139: switch to use qemu_receive_packet() for loopback MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix CVE-2021-3416 This patch switches to use qemu_receive_packet() which can detect reentrancy and return early. This is intended to address CVE-2021-3416. Cc: Prasad J Pandit Cc: qemu-stable@nongnu.org Buglink: https://bugs.launchpad.net/qemu/+bug/1910826 Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Jason Wang Signed-off-by: Jiajie Li --- hw/net/rtl8139.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c index 09273171e5..79584fbb17 100644 --- a/hw/net/rtl8139.c +++ b/hw/net/rtl8139.c 
@@ -1792,7 +1792,7 @@ static void rtl8139_transfer_frame(RTL8139State *s, uint8_t *buf, int size, } DPRINTF("+++ transmit loopback mode\n"); - rtl8139_do_receive(qemu_get_queue(s->nic), buf, size, do_interrupt); + qemu_receive_packet(qemu_get_queue(s->nic), buf, size); if (iov) { g_free(buf2); -- Gitee From 80bad3244dc67f498b2154adff9d6b1abb6227e3 Mon Sep 17 00:00:00 2001 From: Alexander Bulekov Date: Fri, 14 May 2021 10:37:29 +0800 Subject: [PATCH 6/8] pcnet: switch to use qemu_receive_packet() for loopback MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix CVE-2021-3416 This patch switches to use qemu_receive_packet() which can detect reentrancy and return early. This is intended to address CVE-2021-3416. Cc: Prasad J Pandit Cc: qemu-stable@nongnu.org Buglink: https://bugs.launchpad.net/qemu/+bug/1917085 Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Jason Wang Signed-off-by: Jiajie Li --- hw/net/pcnet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c index 16683091c9..9e8d267536 100644 --- a/hw/net/pcnet.c +++ b/hw/net/pcnet.c @@ -1249,7 +1249,7 @@ txagain: if (BCR_SWSTYLE(s) == 1) add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS); s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC; - pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos); + qemu_receive_packet(qemu_get_queue(s->nic), s->buffer, s->xmit_pos); s->looptest = 0; } else { if (s->nic) { -- Gitee From 3f11e56176ce42c4cb86790a3007d0e722bdfc5f Mon Sep 17 00:00:00 2001 
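Review bot: The new loopback call in rtl8139_transfer_frame no longer forwards `do_interrupt`, which the removed `rtl8139_do_receive(..., do_interrupt)` call honoured. Which interrupt behaviour loopback frames now get depends on the receive callback registered for the NIC, which is not visible in this hunk; if that callback always raises the interrupt, a caller passing 0 sees a behaviour change in loopback mode only. A comment on the call would record the trade-off, e.g. `/* do_interrupt is not forwarded: loopback is delivered via the net layer to get the reentrancy check (CVE-2021-3416) */`. It is also worth checking that `do_interrupt` is still used on the non-loopback path, so the parameter does not become dead. The function begins and ends outside the hunk.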
From: Alexander Bulekov Date: Fri, 14 May 2021 10:39:58 +0800 Subject: [PATCH 7/8] cadence_gem: switch to use qemu_receive_packet() for loopback MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix CVE-2021-3416 This patch switches to use qemu_receive_packet() which can detect reentrancy and return early. This is intended to address CVE-2021-3416. Cc: Prasad J Pandit Cc: qemu-stable@nongnu.org Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Alexander Bulekov Signed-off-by: Jason Wang Signed-off-by: Jiajie Li --- hw/net/cadence_gem.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c index d412085884..52205f36be 100644 --- a/hw/net/cadence_gem.c +++ b/hw/net/cadence_gem.c @@ -1221,8 +1221,8 @@ static void gem_transmit(CadenceGEMState *s) /* Send the packet somewhere */ if (s->phy_loop || (s->regs[GEM_NWCTRL] & GEM_NWCTRL_LOCALLOOP)) { - gem_receive(qemu_get_queue(s->nic), tx_packet, - total_bytes); + qemu_receive_packet(qemu_get_queue(s->nic), tx_packet, + total_bytes); } else { qemu_send_packet(qemu_get_queue(s->nic), tx_packet, total_bytes); -- Gitee From 3353e9a108afa1a89ee01b8abeefa9237b7402e2 Mon Sep 17 00:00:00 2001 From: Alexander Bulekov Date: Fri, 14 May 2021 10:41:41 +0800 Subject: [PATCH 8/8] lan9118: switch to use qemu_receive_packet() for loopback MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix CVE-2021-3416 This patch switches to use qemu_receive_packet() which can detect reentrancy and return early. This is intended to address CVE-2021-3416. Cc: Prasad J Pandit Cc: qemu-stable@nongnu.org Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Jason Wang Signed-off-by: Jiajie Li --- hw/net/lan9118.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c index f6120be219..f1a1d2351e 100644 --- a/hw/net/lan9118.c +++ b/hw/net/lan9118.c 
@@ -662,7 +662,7 @@ static void do_tx_packet(lan9118_state *s) /* FIXME: Honor TX disable, and allow queueing of packets. */ if (s->phy_control & 0x4000) { /* This assumes the receive routine doesn't touch the VLANClient. */ - lan9118_receive(qemu_get_queue(s->nic), s->txp->data, s->txp->len); + qemu_receive_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len); } else { qemu_send_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len); } -- Gitee
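Review bot: The context comment `/* This assumes the receive routine doesn't touch the VLANClient. */` in do_tx_packet described the removed direct call to `lan9118_receive()` and no longer matches the new line, which hands the frame to the net layer. Left as is, it suggests the direct call is still the intended design and invites a revert of the fix. Suggest replacing it with `/* Loop back through the net layer so re-entrant delivery is detected (CVE-2021-3416). */`. do_tx_packet continues outside the hunk.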