qemu/include/hw
Xuan Zhuo f47af0af0d virtio-net: fix for heap-buffer-overflow
Run shell script:

    cat << EOF | valgrind qemu-system-i386 -display none -machine accel=qtest, -m \
    512M -M q35 -nodefaults -device virtio-net,netdev=net0 -netdev \
    user,id=net0 -qtest stdio
    outl 0xcf8 0x80000810
    outl 0xcfc 0xc000
    outl 0xcf8 0x80000804
    outl 0xcfc 0x01
    outl 0xc00d 0x0200
    outl 0xcf8 0x80000890
    outb 0xcfc 0x4
    outl 0xcf8 0x80000889
    outl 0xcfc 0x1c000000
    outl 0xcf8 0x80000893
    outw 0xcfc 0x100
    EOF

Got:
    ==68666== Invalid read of size 8
    ==68666==    at 0x688536: virtio_net_queue_enable (virtio-net.c:575)
    ==68666==    by 0x6E31AE: memory_region_write_accessor (memory.c:492)
    ==68666==    by 0x6E098D: access_with_adjusted_size (memory.c:554)
    ==68666==    by 0x6E4DB3: memory_region_dispatch_write (memory.c:1521)
    ==68666==    by 0x6E31AE: memory_region_write_accessor (memory.c:492)
    ==68666==    by 0x6E098D: access_with_adjusted_size (memory.c:554)
    ==68666==    by 0x6E4DB3: memory_region_dispatch_write (memory.c:1521)
    ==68666==    by 0x6EBCD3: flatview_write_continue (physmem.c:2820)
    ==68666==    by 0x6EBFBF: flatview_write (physmem.c:2862)
    ==68666==    by 0x6EF5E7: address_space_write (physmem.c:2958)
    ==68666==    by 0x6DFDEC: cpu_outw (ioport.c:70)
    ==68666==    by 0x6F6DF0: qtest_process_command (qtest.c:480)
    ==68666==  Address 0x29087fe8 is 24 bytes after a block of size 416 in arena "client"

This was reported by Alexander Bulekov: https://gitlab.com/qemu-project/qemu/-/issues/1309

Here, the queue_index is the index of the cvq, but in some cases cvq
does not have the corresponding NetClientState, so overflow appears.

I add a check here to ignore an illegal queue_index and the cvq queue_index.

Note that a queue_index below VIRTIO_QUEUE_MAX but greater than or equal
to the cvq index could hit this. Other devices are similar.

Fixes: 7f863302 ("virtio-net: support queue_enable")
Fixes: https://gitlab.com/qemu-project/qemu/-/issues/1309
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
Message-Id: <20221110095739.130393-1-xuanzhuo@linux.alibaba.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2022-11-10 10:18:55 -05:00
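The following is an added illustration written for this page, not QEMU's virtio-net code and not part of the commit above. It models the index relationship the message describes: the generic virtio layer only bounds queue_index against VIRTIO_QUEUE_MAX, while the per-queue-pair NetClientState array is much smaller and has no slot for the control virtqueue, so a queue_index at or beyond the cvq index that reaches the device callback unchecked walks off the end of that array. All names (ModelVirtIONet, model_vq2q, model_cvq_index, model_queue_enable, model_try_enable) and the sizes are assumptions chosen for the model; the cvq being at index 2 * max_queue_pairs follows the virtio layout but is stated here as a modelling assumption.

```c
/* Constructed model of the queue_enable index check described in the
 * commit message above. Example code for this page only; NOT QEMU code.
 * Names and sizes are assumptions made for illustration. */
#include <stdbool.h>
#include <stdio.h>

#define MODEL_VIRTIO_QUEUE_MAX 1024 /* bound enforced by the generic virtio layer */
#define MODEL_MAX_QUEUE_PAIRS  4    /* capacity of the per-pair backend array */

/* Per-queue-pair backend state. One slot per data queue pair (rx/tx);
 * there is deliberately no slot for the control virtqueue. */
typedef struct {
    bool enabled;
} ModelNetClientState;

typedef struct {
    int max_queue_pairs;                        /* pairs actually configured */
    ModelNetClientState nic[MODEL_MAX_QUEUE_PAIRS];
} ModelVirtIONet;

/* Virtqueue index -> queue pair index: rx is 2*n, tx is 2*n+1 (assumption). */
static inline int model_vq2q(int queue_index)
{
    return queue_index / 2;
}

/* Control virtqueue index: it follows all data queues (assumption). */
static inline int model_cvq_index(const ModelVirtIONet *n)
{
    return 2 * n->max_queue_pairs;
}

/* True if indexing nic[] with this queue_index, as an unguarded device
 * callback would, lands outside the configured per-pair slots. */
bool model_would_overflow(const ModelVirtIONet *n, int queue_index)
{
    return model_vq2q(queue_index) >= n->max_queue_pairs;
}

/* Returns -1 if the generic layer rejects the index, 0 if the device
 * callback ignores it (cvq or beyond), 1 if the enable was applied. */
int model_queue_enable(ModelVirtIONet *n, int queue_index)
{
    if (queue_index < 0 || queue_index >= MODEL_VIRTIO_QUEUE_MAX) {
        return -1; /* never reaches the device callback */
    }
    /* The check the commit describes: the cvq index and anything above it
     * has no NetClientState, so it must be ignored rather than dereferenced. */
    if (queue_index >= model_cvq_index(n)) {
        return 0;
    }
    n->nic[model_vq2q(queue_index)].enabled = true;
    return 1;
}

/* Convenience wrapper: build a device with the given pair count and try
 * to enable one queue index. */
int model_try_enable(int max_queue_pairs, int queue_index)
{
    ModelVirtIONet n = { .max_queue_pairs = max_queue_pairs };
    return model_queue_enable(&n, queue_index);
}

int main(void)
{
    ModelVirtIONet n = { .max_queue_pairs = 1 }; /* single pair: cvq index is 2 */
    int idx[] = { 0, 1, 2, 3, MODEL_VIRTIO_QUEUE_MAX };
    for (unsigned i = 0; i < sizeof idx / sizeof idx[0]; i++) {
        printf("queue_index=%4d overflow_if_unchecked=%d result=%d\n",
               idx[i], model_would_overflow(&n, idx[i]),
               model_queue_enable(&n, idx[i]));
    }
    return 0;
}
```

With one configured queue pair the cvq index is 2, which is well below VIRTIO_QUEUE_MAX, so it passes the generic bound and only the device-level check stops the out-of-range dereference; indices 0 and 1 are the only ones with a backing slot.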
acpi acpi: add get_dev_aml_func() helper 2022-11-07 14:08:17 -05:00
adc hw/adc/zynq-xadc: Use qemu_irq typedef 2022-05-19 16:19:02 +01:00
arm hw/arm/xlnx-zynqmp: Connect ZynqMP's USB controllers 2022-09-29 17:40:01 +01:00
audio introduce -audio as a replacement for -soundhw 2022-05-14 12:33:44 +02:00
block block: add missed block_acct_setup with new block device init procedure 2022-09-30 18:42:34 +02:00
char hw/riscv: spike: Allow using binary firmware as bios 2022-01-21 15:52:56 +10:00
core accel/qtest: Support qtest accelerator for Windows 2022-10-28 11:17:12 +02:00
cpu
cris
cxl hw/pci-bridge/cxl-upstream: Add a CDAT table access DOE 2022-11-07 13:12:19 -05:00
display xlnx_dp: Introduce a vblank signal 2022-06-08 19:38:47 +01:00
dma hw/dma/xlnx_csu_dma: Support starting a read transfer through a class method 2022-01-28 14:29:46 +00:00
firmware hw/smbios: add core_count2 to smbios table type 4 2022-11-07 14:08:17 -05:00
gpio hw/gpio: replace HWADDR_PRIx with PRIx64 2022-05-25 10:31:33 +02:00
hyperv hw/hyperv/vmbus: Remove unused vmbus_load/save_req() 2022-05-30 19:49:42 +02:00
i2c hw/i2c/aspeed: Fix old reg slave receive 2022-10-24 11:20:15 +02:00
i386 intel-iommu: PASID support 2022-11-07 14:08:17 -05:00
ide hw/ide/piix: Introduce TYPE_ macros for PIIX IDE controllers 2022-10-31 11:32:07 +01:00
input pckbd: remove legacy i8042_mm_init() function 2022-07-18 19:28:46 +01:00
intc hw/intc: Move mtimer/mtimecmp to aclint 2022-09-07 09:19:10 +02:00
ipack ipack: Rename ipack_bus_new_inplace() to ipack_bus_init() 2021-09-30 13:42:10 +01:00
ipmi
isa hw/isa/vt82c686: Instantiate PM function in host device 2022-10-31 11:32:07 +01:00
kvm
loongarch hw/loongarch: Load FDT table into dram memory space 2022-11-04 17:07:40 +08:00
m68k hw/m68k/mcf: Add missing 'exec/hwaddr.h' header 2022-02-21 10:35:13 +01:00
mem acpi/nvdimm: Define trace events for NVDIMM and substitute nvdimm_debug() 2022-07-26 10:37:46 -04:00
mips hw/mips/bootloader: Allow bl_gen_jump_kernel to optionally set register 2022-10-31 11:32:45 +01:00
misc hw/ppc/mac.h: Rename to include/hw/nvram/mac_nvram.h 2022-10-31 18:48:23 +00:00
net Clean up decorations and whitespace around header guards 2022-05-11 16:50:32 +02:00
nubus Clean up header guards that don't match their file name 2022-05-11 16:49:06 +02:00
nvram mac_nvram: Use NVRAM_SIZE constant 2022-10-31 18:48:23 +00:00
openrisc hw/openrisc: Split re-usable boot time apis out to boot.c 2022-09-04 07:02:56 +01:00
pci intel-iommu: PASID support 2022-11-07 14:08:17 -05:00
pci-bridge pci/pci_expander_bridge: For CXL HB delay the HB register memory region setup. 2022-06-09 19:32:49 -04:00
pci-host hw/loongarch: Improve fdt for LoongArch virt machine 2022-11-04 17:07:40 +08:00
ppc ppc4xx_sdram: Move ppc4xx_sdram_banks() to ppc4xx_sdram.c 2022-10-28 13:15:23 -03:00
rdma qapi: introduce x-query-rdma QMP command 2021-11-02 15:55:14 +00:00
remote vfio-user: handle device interrupts 2022-06-15 16:43:42 +01:00
riscv hw/riscv: virt: Enable booting S-mode firmware from pflash 2022-10-14 14:29:50 +10:00
rtc goldfish_rtc: Add big-endian property 2022-09-04 07:02:56 +01:00
rx Clean up header guards that don't match their file name 2022-05-11 16:49:06 +02:00
s390x Revert "s390x/s390-virtio-ccw: add zpcii-disable machine property" 2022-11-08 10:10:57 +01:00
scsi include/hw/scsi/scsi.h: Remove unused scsi_legacy_handle_cmdline() prototype 2022-10-22 23:21:16 +02:00
sd hw/sd: add nuvoton MMC 2021-11-02 14:14:55 -04:00
sensor hw/sensor: Add IC_DEVICE_ID to ISL voltage regulators 2022-07-14 16:24:38 +02:00
sh4 hw/intc/sh_intc: Inline and drop sh_intc_source() function 2021-10-30 18:39:37 +02:00
southbridge hw/isa/piix3: Inline and remove piix3_create() 2022-06-11 11:44:50 +02:00
sparc
ssi aspeed/smc: Cache AspeedSMCClass 2022-10-24 11:20:15 +02:00
timer hw/intc: Move mtimer/mtimecmp to aclint 2022-09-07 09:19:10 +02:00
tricore Clean up ill-advised or unusual header guards 2022-05-11 16:50:01 +02:00
usb hw/usb: fix tab indentation 2022-11-08 11:13:48 +01:00
vfio vfio/common: Rename VFIOGuestIOMMU::iommu into ::iommu_mr 2022-05-06 09:06:51 -06:00
virtio virtio-net: fix for heap-buffer-overflow 2022-11-10 10:18:55 -05:00
watchdog Clean up header guards that don't match their file name 2022-05-11 16:49:06 +02:00
xen hw/i386/xen/xen-hvm: Inline xen_piix_pci_write_config_client() and remove it 2022-06-29 00:24:59 +02:00
xtensa
boards.h reset: allow registering handlers that aren't called by snapshot loading 2022-10-27 11:34:31 +01:00
clock.h host-utils: add 128-bit quotient support to divu128/divs128 2021-10-27 17:10:00 -07:00
elf_ops.h treewide: Remove the unnecessary space before semicolon 2022-10-24 13:41:10 +02:00
fw-path-provider.h
hotplug.h
hw.h compiler.h: replace QEMU_NORETURN with G_NORETURN 2022-04-21 17:03:51 +04:00
ide.h include/hw/ide: Unexport pci_piix3_xen_ide_unplug() 2022-06-09 14:47:42 +01:00
irq.h hw/core/irq: remove unused 'qemu_irq_split' function 2022-04-21 11:37:04 +01:00
loader-fit.h
loader.h hw/core/loader: return image sizes as ssize_t 2022-06-10 09:31:42 +10:00
nmi.h
or-irq.h
pcmcia.h
platform-bus.h
ptimer.h ptimer: Rename PTIMER_POLICY_DEFAULT to PTIMER_POLICY_LEGACY 2022-05-19 16:19:03 +01:00
qdev-clock.h
qdev-core.h misc: fix commonly doubled up words 2022-08-01 11:58:02 +02:00
qdev-dma.h
qdev-properties-system.h
qdev-properties.h qdev-properties: Add a new macro with bitmask check for uint64_t property 2022-05-14 12:32:41 +02:00
register.h hw/core/register: Add more 64-bit utilities 2021-09-01 11:59:12 +10:00
registerfields.h hw/registerfields: Add shared fields macros 2022-06-22 09:49:34 +02:00
resettable.h
stream.h
sysbus.h
usb.h hw/usb: fix tab indentation 2022-11-08 11:13:48 +01:00
vmstate-if.h