From patchwork Thu Apr 18 17:49:39 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Michael Tokarev <mjt@tls.msk.ru>
X-Patchwork-Id: 789820
Delivered-To: patch@linaro.org
Received: by 2002:adf:e6ca:0:b0:346:15ad:a2a with SMTP id y10csp696012wrm;
 Thu, 18 Apr 2024 10:54:24 -0700 (PDT)
X-Forwarded-Encrypted: i=2;
 AJvYcCU14C1brRvareNuS/BEiDMBnoT5iucnBq0M+SPxyNZV7WTmwGvmBNDzeBvLmW8qksumTWkQ0AnM5I3Iz9Gk2lFq
X-Google-Smtp-Source: AGHT+IE7Xmu5ChrqeLWwOmC8WdjBRrJDSbSbL2J9A14Wy5WBnEjlqVSIemMd8LMcIKyErLqwUjDy
X-Received: by 2002:a05:6808:4387:b0:3c7:3d8f:7ef1 with SMTP id
 dz7-20020a056808438700b003c73d8f7ef1mr2408154oib.17.1713462864333;
 Thu, 18 Apr 2024 10:54:24 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1713462864; cv=none;
 d=google.com; s=arc-20160816;
 b=szY96M4PQ5A3pge01ZtnCGifBGVEa4qwQ/hDYYdvODit/k9cjO+dWktCv+/e8xI62K
 g/f/Vifa2661QqtnZ4Yizy6yHP+UwrkBF0gfLuUbHJh3NoZYUg9kD7Nl7+vMEa99yicv
 ZFNctbcsV3PHaK9JZVAWH+5t+DuhRERpHAnT1qd6Y9S8LapD3Y5XLJ6Eq7i69iuusShd
 U2gm1vf2Jd26SXtzFJWnEGA8lvOGtO/3tPGEn6O8lByz6hRuqWN4fCUGWllPwDDs3mIr
 7BgWiGI8aGEVLCEqzz3LBabl7BrXdh/SuUdMR9vb6Py5zIQPFjNXfwvRQIp1BdVW9INa
 yMRw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
 h=sender:errors-to:list-subscribe:list-help:list-post:list-archive
 :list-unsubscribe:list-id:precedence:content-transfer-encoding
 :mime-version:references:in-reply-to:message-id:date:subject:cc:to
 :from; bh=b/FzRsoDQglyeVcXK/A4pRGwH7S3edEGDOgcNWid65Y=;
 fh=10ZgXUeGM9SH2AA17LufuF+GeYuDCHv+pUd6g6aMDJo=;
 b=J5YrgAujJ3rS0/BvnbOu2G8nIfpL/hslZ9BXqNGagyjbtrn2nA0vzIedlReRE9Cp7G
 6/hKoo5tD4kf+YK6IyxtpLzlIugLIhB4/KEXiXXjhMizG2WlCdcTr4WN01zV1Vd9oei5
 96jhz76rJjm75aT8ufL5WHSqCvcnIlMABKqHSJarJTPWnVxYjCCXt4BIHWJ4y03IFAdo
 d2syu7bjnfTzkuR9vl3HV9/ZJ5iSvQJpEIsDgdZrz4lGqPD3cSqMK7j3D3+eFT88nBJ/
 TNyjcQt9hALKhQQs6rCtfZuECnGiQeCfmV2khhh+5GPkw+WyFhRSucoZf2sDfJwt7tPS
 CKRQ==; dara=google.com
ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of
 qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as
 permitted sender)
 smtp.mailfrom="qemu-devel-bounces+patch=linaro.org@nongnu.org"
Return-Path: <qemu-devel-bounces+patch=linaro.org@nongnu.org>
Received: from lists.gnu.org (lists.gnu.org. [209.51.188.17])
 by mx.google.com with ESMTPS id
 o17-20020a05620a22d100b0078f0cbcf4dasi1798575qki.335.2024.04.18.10.54.24
 for <patch@linaro.org>
 (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256);
 Thu, 18 Apr 2024 10:54:24 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as
 permitted sender) client-ip=209.51.188.17;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of
 qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as
 permitted sender)
 smtp.mailfrom="qemu-devel-bounces+patch=linaro.org@nongnu.org"
Received: from localhost ([::1] helo=lists1p.gnu.org)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <qemu-devel-bounces@nongnu.org>)
 id 1rxVvQ-0003Nw-96; Thu, 18 Apr 2024 13:51:56 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <mjt@tls.msk.ru>)
 id 1rxVvB-0002s3-VS; Thu, 18 Apr 2024 13:51:43 -0400
Received: from isrv.corpit.ru ([86.62.121.231])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <mjt@tls.msk.ru>)
 id 1rxVv9-0007gi-WB; Thu, 18 Apr 2024 13:51:41 -0400
Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2])
 by isrv.corpit.ru (Postfix) with ESMTP id A0A825FD76;
 Thu, 18 Apr 2024 20:50:04 +0300 (MSK)
Received: from tls.msk.ru (mjt.wg.tls.msk.ru [192.168.177.130])
 by tsrv.corpit.ru (Postfix) with SMTP id DE7F2B9350;
 Thu, 18 Apr 2024 20:50:01 +0300 (MSK)
Received: (nullmailer pid 947869 invoked by uid 1000);
 Thu, 18 Apr 2024 17:49:55 -0000
From: Michael Tokarev <mjt@tls.msk.ru>
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org,
 =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <philmd@linaro.org>,
 Zheyu Ma <zheyuma97@gmail.com>, Akihiko Odaki <akihiko.odaki@daynix.com>,
 Jason Wang <jasowang@redhat.com>, Michael Tokarev <mjt@tls.msk.ru>
Subject: [Stable-8.2.3 109/116] hw/net/net_tx_pkt: Fix overrun in
 update_sctp_checksum()
Date: Thu, 18 Apr 2024 20:49:39 +0300
Message-Id: <20240418174955.947730-22-mjt@tls.msk.ru>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <qemu-stable-8.2.3-20240418204921@cover.tls.msk.ru>
References: <qemu-stable-8.2.3-20240418204921@cover.tls.msk.ru>
MIME-Version: 1.0
Received-SPF: pass client-ip=86.62.121.231; envelope-from=mjt@tls.msk.ru;
 helo=isrv.corpit.ru
X-Spam_score_int: -68
X-Spam_score: -6.9
X-Spam_bar: ------
X-Spam_report: (-6.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5,
 SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org
Sender: qemu-devel-bounces+patch=linaro.org@nongnu.org

From: Philippe Mathieu-Daudé <philmd@linaro.org>

If a fragmented packet size is too short, do not try to
calculate its checksum.

Reproduced using:

  $ cat << EOF | qemu-system-i386 -display none -nodefaults \
                                  -machine q35,accel=qtest -m 32M \
                                  -device igb,netdev=net0 \
                                  -netdev user,id=net0 \
                                  -qtest stdio
  outl 0xcf8 0x80000810
  outl 0xcfc 0xe0000000
  outl 0xcf8 0x80000804
  outw 0xcfc 0x06
  write 0xe0000403 0x1 0x02
  writel 0xe0003808 0xffffffff
  write 0xe000381a 0x1 0x5b
  write 0xe000381b 0x1 0x00
  EOF
  Assertion failed: (offset == 0), function iov_from_buf_full, file util/iov.c, line 39.
  #1 0x5575e81e952a in iov_from_buf_full qemu/util/iov.c:39:5
  #2 0x5575e6500768 in net_tx_pkt_update_sctp_checksum qemu/hw/net/net_tx_pkt.c:144:9
  #3 0x5575e659f3e1 in igb_setup_tx_offloads qemu/hw/net/igb_core.c:478:11
  #4 0x5575e659f3e1 in igb_tx_pkt_send qemu/hw/net/igb_core.c:552:10
  #5 0x5575e659f3e1 in igb_process_tx_desc qemu/hw/net/igb_core.c:671:17
  #6 0x5575e659f3e1 in igb_start_xmit qemu/hw/net/igb_core.c:903:9
  #7 0x5575e659f3e1 in igb_set_tdt qemu/hw/net/igb_core.c:2812:5
  #8 0x5575e657d6a4 in igb_core_write qemu/hw/net/igb_core.c:4248:9

Fixes: CVE-2024-3567
Cc: qemu-stable@nongnu.org
Reported-by: Zheyu Ma <zheyuma97@gmail.com>
Fixes: f199b13bc1 ("igb: Implement Tx SCTP CSO")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2273
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Message-Id: <20240410070459.49112-1-philmd@linaro.org>
(cherry picked from commit 83ddb3dbba2ee0f1767442ae6ee665058aeb1093)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
index 2134a18c4c..b7b1de816d 100644
--- a/hw/net/net_tx_pkt.c
+++ b/hw/net/net_tx_pkt.c
@@ -141,6 +141,10 @@ bool net_tx_pkt_update_sctp_checksum(struct NetTxPkt *pkt)
     uint32_t csum = 0;
     struct iovec *pl_start_frag = pkt->vec + NET_TX_PKT_PL_START_FRAG;
 
+    if (iov_size(pl_start_frag, pkt->payload_frags) < 8 + sizeof(csum)) {
+        return false;
+    }
+
     if (iov_from_buf(pl_start_frag, pkt->payload_frags, 8, &csum, sizeof(csum)) < sizeof(csum)) {
         return false;
     }