File 0416-virtio-net-handle-virtio_net_receiv.patch of Package qemu.20756

From: Greg Kurz <groug@kaod.org>
Date: Fri, 30 Sep 2016 17:13:24 +0200
Subject: virtio-net: handle virtio_net_receive() errors

Git-commit: ba10b9c0038e201d7ea28a9e3908928439ff7fa4
References: bsc#1189938 CVE-2021-3748

All these errors are caused by a buggy guest: let's switch the device to
the broken state instead of terminating QEMU. Also we detach the element
from the virtqueue and free it.

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
[JRZ: tweaked patch to bring in only the minimum necessary]
Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
---
 hw/net/virtio-net.c | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index a00a4e40b23600fdd305539e85d6..35adef80a9416f26de63b3119c3b 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1122,21 +1122,23 @@ static ssize_t virtio_net_receive(NetClientState *nc, const uint8_t *buf, size_t
 
         elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement));
         if (!elem) {
-            if (i == 0)
-                return -1;
-            error_report("virtio-net unexpected empty queue: "
-                         "i %zd mergeable %d offset %zd, size %zd, "
-                         "guest hdr len %zd, host hdr len %zd "
-                         "guest features 0x%" PRIx64,
-                         i, n->mergeable_rx_bufs, offset, size,
-                         n->guest_hdr_len, n->host_hdr_len,
-                         vdev->guest_features);
-            exit(1);
+            if (i) {
+                error_report(vdev, "virtio-net unexpected empty queue: "
+                             "i %zd mergeable %d offset %zd, size %zd, "
+                             "guest hdr len %zd, host hdr len %zd "
+                             "guest features 0x%" PRIx64,
+                             i, n->mergeable_rx_bufs, offset, size,
+                             n->guest_hdr_len, n->host_hdr_len,
+                             vdev->guest_features);
+            }
+            return -1;
         }
 
         if (elem->in_num < 1) {
-            error_report("virtio-net receive queue contains no in buffers");
-            exit(1);
+            error_report(vdev,
+                         "virtio-net receive queue contains no in buffers");
+            g_free(elem);
+            return -1;
         }
 
         sg = elem->in_sg;
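Review bot: The two new `error_report(vdev, ...)` calls place the device pointer in the slot the removed calls (and the usual `error_report(const char *fmt, ...)` signature) use for the format string, so unless this tree redefines `error_report` the build should reject the incompatible pointer type, and if it did compile the message would become a stray variadic argument rather than the format. The description promises to switch the device to the broken state, yet nothing in the hunk sets it; upstream ba10b9c0 does both with `virtio_error(vdev, ...)`, so if the base tree lacks that helper the backport needs an explicit broken-state step and the description should state what the code actually does. The `in_num < 1` path only does `g_free(elem)`, while the description says the element is detached from the virtqueue first; without a detach step the element that `virtqueue_pop()` accounted as in use is presumably never released (upstream calls `virtqueue_detach_element(vdev, elem, 0)` before freeing). virtio_net_receive() begins before and continues past this hunk.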