qemu/hw
Jason Wang 415f21c723 virtio-net: correctly copy vnet header when flushing TX
When HASH_REPORT is negotiated, the guest_hdr_len might be larger than
the size of the mergeable rx buffer header. Using
virtio_net_hdr_mrg_rxbuf during the header swap might lead to a stack
overflow in this case. Fixing this by using virtio_net_hdr_v1_hash
instead.

Reported-by: Xiao Lei <leixiao.nop@zju.edu.cn>
Cc: Yuri Benditovich <yuri.benditovich@daynix.com>
Cc: qemu-stable@nongnu.org
Cc: Mauro Matteo Cascella <mcascell@redhat.com>
Fixes: CVE-2023-6693
Fixes: e22f0603fb ("virtio-net: reference implementation of hash report")
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 2220e8189f)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-01-26 16:20:07 +03:00
..
9pfs hw: replace most qemu_bh_new calls with qemu_bh_new_guarded 2023-09-11 10:53:50 +03:00
acpi hw/acpi/erst: Do not ignore Error* in realize handler 2023-12-20 19:11:10 +03:00
adc
alpha
arm
audio hw/audio/hda-codec: fix multiplication overflow 2023-12-20 19:11:10 +03:00
avr
block hw/pflash: implement update buffer for block writes 2024-01-20 17:41:47 +03:00
char hw/char/riscv_htif: Fix printing of console characters on big endian hosts 2023-09-13 12:21:22 +03:00
core machine: Add helpers to get cores/threads per socket 2023-09-11 10:53:50 +03:00
cpu
cris
cxl hw/cxl: Fix CFMW config memory leak 2023-09-25 23:43:49 +03:00
display ati-vga: Implement fallback for pixman routines 2023-11-07 20:23:38 +03:00
dma
gpio
hppa
hyperv
i2c hw/i2c/aspeed: Fix TXBUF transmission start position error 2023-09-11 10:53:51 +03:00
i386 amd_iommu: Fix APIC address check 2023-10-21 14:05:14 +03:00
ide hw/ide/ahci: fix legacy software reset 2023-11-22 14:25:06 +03:00
input lasips2: LASI PS/2 devices are not user-createable 2023-10-21 14:05:14 +03:00
intc hw/intc/arm_gicv3_cpuif: handle LPIs in the list registers 2024-01-11 20:59:59 +03:00
ipack
ipmi
isa
loongarch
m68k
mem
microblaze
mips hw/mips/malta: Fix the malta machine on big endian hosts 2023-12-20 19:11:10 +03:00
misc hw/misc/mps2-scc: Free MPS2SCC::oscclk[] array on finalize() 2023-12-20 19:11:10 +03:00
net virtio-net: correctly copy vnet header when flushing TX 2024-01-26 16:20:07 +03:00
nios2
nubus
nvme hw/nvme: fix CRC64 for guard tag 2023-09-11 10:53:50 +03:00
nvram hw/nvram/xlnx-efuse-ctrl: Free XlnxVersalEFuseCtrl[] "pg0-lock" array 2023-12-20 19:11:10 +03:00
openrisc
pci msix: unset PCIDevice::msix_vector_poll_notifier in rollback 2023-12-20 19:11:10 +03:00
pci-bridge
pci-host raven: disable reentrancy detection for iomem 2023-09-11 10:53:50 +03:00
pcmcia
ppc hw/ppc: Always store the decrementer value 2023-09-25 23:43:49 +03:00
rdma hw/pvrdma: Protect against buggy or malicious guest driver 2023-10-21 14:05:14 +03:00
remote
riscv hw/riscv: virt: Fix riscv,pmu DT node path 2023-09-13 12:21:22 +03:00
rtc
rx
s390x s390x/ap: fix missing subsystem reset registration 2023-09-13 21:57:05 +03:00
scsi hw/scsi/esp-pci: set DMA_STAT_BCMBLT when BLAST command issued 2024-01-20 18:31:36 +03:00
sd hw/sd/sdhci: Block Size Register bits [14:12] is lost 2023-10-24 09:12:49 +03:00
sensor
sh4
smbios hw/smbios: Fix core count in type4 2023-09-11 10:53:50 +03:00
sparc
sparc64
ssi
timer
tpm hw/tpm: TIS on sysbus: Remove unsupported ppi command line option 2023-09-13 12:21:22 +03:00
tricore
usb net: Provide MemReentrancyGuard * to qemu_new_nic() 2023-11-29 16:19:39 +03:00
vfio
virtio hw/virtio: Add VirtioPCIDeviceTypeInfo::instance_finalize field 2023-12-20 19:11:10 +03:00
watchdog
xen
xenpv
xtensa
Kconfig
meson.build