From ceec5172bb57d4d453c55e7774b663af99a8f624 Mon Sep 17 00:00:00 2001
From: Shaokun Wei
Date: Wed, 17 Apr 2024 16:07:59 +0800
Subject: [PATCH] QEMU update to version 8.2.0-9:
hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()
Signed-off-by: Shaokun Wei
---
 ...errun-in-update-update_sctp_checksum.patch | 67 +++++++++++++++++++
 qemu.spec | 6 +-
 2 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 fix-overrun-in-update-update_sctp_checksum.patch
diff --git a/fix-overrun-in-update-update_sctp_checksum.patch b/fix-overrun-in-update-update_sctp_checksum.patch
new file mode 100644
index 00000000..c327a30e
--- /dev/null
+++ b/fix-overrun-in-update-update_sctp_checksum.patch
@@ -0,0 +1,67 @@
+From 83ddb3dbba2ee0f1767442ae6ee665058aeb1093 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?=
+Date: Tue, 9 Apr 2024 19:54:05 +0200
+Subject: [PATCH] hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a fragmented packet size is too short, do not try to
+calculate its checksum.
+
+Reproduced using:
+
+ $ cat << EOF | qemu-system-i386 -display none -nodefaults \
+ -machine q35,accel=qtest -m 32M \
+ -device igb,netdev=net0 \
+ -netdev user,id=net0 \
+ -qtest stdio
+ outl 0xcf8 0x80000810
+ outl 0xcfc 0xe0000000
+ outl 0xcf8 0x80000804
+ outw 0xcfc 0x06
+ write 0xe0000403 0x1 0x02
+ writel 0xe0003808 0xffffffff
+ write 0xe000381a 0x1 0x5b
+ write 0xe000381b 0x1 0x00
+ EOF
+ Assertion failed: (offset == 0), function iov_from_buf_full, file util/iov.c, line 39.
+ #1 0x5575e81e952a in iov_from_buf_full qemu/util/iov.c:39:5
+ #2 0x5575e6500768 in net_tx_pkt_update_sctp_checksum qemu/hw/net/net_tx_pkt.c:144:9
+ #3 0x5575e659f3e1 in igb_setup_tx_offloads qemu/hw/net/igb_core.c:478:11
+ #4 0x5575e659f3e1 in igb_tx_pkt_send qemu/hw/net/igb_core.c:552:10
+ #5 0x5575e659f3e1 in igb_process_tx_desc qemu/hw/net/igb_core.c:671:17
+ #6 0x5575e659f3e1 in igb_start_xmit qemu/hw/net/igb_core.c:903:9
+ #7 0x5575e659f3e1 in igb_set_tdt qemu/hw/net/igb_core.c:2812:5
+ #8 0x5575e657d6a4 in igb_core_write qemu/hw/net/igb_core.c:4248:9
+
+Fixes: CVE-2024-3567
+Cc: qemu-stable@nongnu.org
+Reported-by: Zheyu Ma
+Fixes: f199b13bc1 ("igb: Implement Tx SCTP CSO")
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2273
+Signed-off-by: Philippe Mathieu-Daud茅
+Reviewed-by: Akihiko Odaki
+Acked-by: Jason Wang
+Message-Id: <20240410070459.49112-1-philmd@linaro.org>
+---
+ hw/net/net_tx_pkt.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
+index 2134a18c4c9..b7b1de816dc 100644
+--- a/hw/net/net_tx_pkt.c
++++ b/hw/net/net_tx_pkt.c
+@@ -141,6 +141,10 @@ bool net_tx_pkt_update_sctp_checksum(struct NetTxPkt *pkt)
+ uint32_t csum = 0;
+ struct iovec *pl_start_frag = pkt->vec + NET_TX_PKT_PL_START_FRAG;
+
++ if (iov_size(pl_start_frag, pkt->payload_frags) < 8 + sizeof(csum)) {
++ return false;
++ }
++
+ if (iov_from_buf(pl_start_frag, pkt->payload_frags, 8, &csum, sizeof(csum)) < sizeof(csum)) {
+ return false;
+ }
+--
+GitLab
diff --git a/qemu.spec b/qemu.spec
index 1d271897..e3c59c09 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -3,7 +3,7 @@ Name: qemu
 Version: 8.2.0
-Release: 8
+Release: 9
 Epoch: 11
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@@ -239,6 +239,7 @@ Patch0222: coro-support-live-patch-for-libcare.patch
 Patch0223: arm-virt-Use-separate-filed-to-identify-cpu-hotplug-.patch
 Patch0224: arm-virt-Use-max_cpus-to-calculate-redist1_count.patch
 Patch0225: include-ui-rect.h-fix-qemu_rect_init-mis-assignment.patch
+Patch0226: fix-overrun-in-update-update_sctp_checksum.patch
 BuildRequires: flex
 BuildRequires: gcc
@@ -836,6 +837,9 @@ getent passwd qemu >/dev/null || \
 %endif
 %changelog
+* Wed Apr 17 2024 Shaokun Wei - 11:8.2.0-9
+- hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()
+
 * Wed Apr 17 2024 Jiabo Feng - 11:8.2.0-8
 - include/ui/rect.h: fix qemu_rect_init() mis-assignment
--
Gitee
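Review bot: The Signed-off-by trailer inside the added patch file reads `Philippe Mathieu-Daud茅`, while the From: header a few lines above encodes the same name as `=?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?=` (é), so the file looks to have been written through a non-UTF-8 codepage; re-saving it as UTF-8 so the trailer is `Signed-off-by: Philippe Mathieu-Daudé` keeps the upstream attribution intact when the patch is applied with git am. The hw/net/net_tx_pkt.c change itself is a faithful backport: the new `iov_size(pl_start_frag, pkt->payload_frags) < 8 + sizeof(csum)` guard rejects an SCTP payload shorter than the 12 bytes that reach the end of the checksum field before iov_from_buf() is asked for offset 8, which, per the backtrace in the patch description, is the path that tripped the `offset == 0` assertion in iov_from_buf_full (an abort of the emulator process reachable from device register writes, CVE-2024-3567). The existing `< sizeof(csum)` check on the iov_from_buf() return value stays in place as a second line of defence, which is reasonable for a minimal stable backport. net_tx_pkt_update_sctp_checksum() starts before and ends after the quoted hunk, so the rest of the function is not visible here.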