Andrew Geissler | 9aee500 | 2022-03-30 16:27:02 +0000 | [diff] [blame] | 1 | CVE: CVE-2022-26353 |
| 2 | Upstream-Status: Backport |
| 3 | Signed-off-by: Ross Burton <ross.burton@arm.com> |
| 4 | |
| 5 | From 4d65ecbddd16f38a8cf23b3053ca5c3594f8d4a4 Mon Sep 17 00:00:00 2001 |
| 6 | From: Jason Wang <jasowang@redhat.com> |
| 7 | Date: Tue, 8 Mar 2022 10:42:51 +0800 |
| 8 | Subject: [PATCH 2/2] virtio-net: fix map leaking on error during receive |
| 9 | |
| 10 | Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg") |
| 11 | tries to fix the use after free of the sg by caching the virtqueue |
| 12 | elements in an array and unmap them at once after receiving the |
| 13 | packets, But it forgot to unmap the cached elements on error which |
| 14 | will lead to leaking of mapping and other unexpected results. |
| 15 | |
| 16 | Fixing this by detaching the cached elements on error. This addresses |
| 17 | CVE-2022-26353. |
| 18 | |
| 19 | Reported-by: Victor Tom <vv474172261@gmail.com> |
| 20 | Cc: qemu-stable@nongnu.org |
| 21 | Fixes: CVE-2022-26353 |
| 22 | Fixes: bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg") |
| 23 | Reviewed-by: Michael S. Tsirkin <mst@redhat.com> |
| 24 | Signed-off-by: Jason Wang <jasowang@redhat.com> |
| 25 | --- |
| 26 | hw/net/virtio-net.c | 1 + |
| 27 | 1 file changed, 1 insertion(+) |
| 28 | |
| 29 | diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c |
| 30 | index f2014d5ea0..e1f4748831 100644 |
| 31 | --- a/hw/net/virtio-net.c |
| 32 | +++ b/hw/net/virtio-net.c |
| 33 | @@ -1862,6 +1862,7 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, |
| 34 | |
| 35 | err: |
| 36 | for (j = 0; j < i; j++) { |
| 37 | + virtqueue_detach_element(q->rx_vq, elems[j], lens[j]); |
| 38 | g_free(elems[j]); |
| 39 | } |
| 40 | |
| 41 | -- |
| 42 | 2.25.1 |
| 43 | |