mbox series

[V4,00/10] Detect reentrant RX casued by loopback

Message ID 20210305062638.6749-1-jasowang@redhat.com
Headers show
Series Detect reentrant RX casued by loopback | expand

Message

Jason Wang March 5, 2021, 6:26 a.m. UTC
Hi All:

Followed by commit 22dc8663d9 ("net: forbid the reentrant RX"), we
still need to fix the issues casued by loopback mode where the NIC
usually it via calling nc->info->receive() directly.

The fix is to introduce new network helper and check the
queue->delivering.

This series addresses CVE-2021-3416.

Thanks

Changes since V3:
- clarify CVE number in the commit log
- ident fix

Changes since V2:
- add more fixes from Alexander

Changes since V1:

- Fix dp8393x compiling
- Add rtl8139 fix
- Tweak the commit log
- Silent patchew warning

Alexander Bulekov (4):
  rtl8139: switch to use qemu_receive_packet() for loopback
  pcnet: switch to use qemu_receive_packet() for loopback
  cadence_gem: switch to use qemu_receive_packet() for loopback
  lan9118: switch to use qemu_receive_packet() for loopback

Jason Wang (6):
  net: introduce qemu_receive_packet()
  e1000: switch to use qemu_receive_packet() for loopback
  dp8393x: switch to use qemu_receive_packet() for loopback packet
  msf2-mac: switch to use qemu_receive_packet() for loopback
  sungem: switch to use qemu_receive_packet() for loopback
  tx_pkt: switch to use qemu_receive_packet_iov() for loopback

 hw/net/cadence_gem.c |  4 ++--
 hw/net/dp8393x.c     |  2 +-
 hw/net/e1000.c       |  2 +-
 hw/net/lan9118.c     |  2 +-
 hw/net/msf2-emac.c   |  2 +-
 hw/net/net_tx_pkt.c  |  2 +-
 hw/net/pcnet.c       |  2 +-
 hw/net/rtl8139.c     |  2 +-
 hw/net/sungem.c      |  2 +-
 include/net/net.h    |  5 +++++
 include/net/queue.h  |  8 ++++++++
 net/net.c            | 38 +++++++++++++++++++++++++++++++-------
 net/queue.c          | 22 ++++++++++++++++++++++
 13 files changed, 76 insertions(+), 17 deletions(-)

Comments

P J P March 5, 2021, 6:39 a.m. UTC | #1
Hello all,

Just to note:

* Let's use <qemu-security> list to review non-public/embargoed patch(es) only.

* If patch(es) is being reviewed publicly on <qemu-devel> list,
  CC'ing <qemu-security> list does not help much.


Thank you.
---
  -P J P
http://feedmug.com
Jason Wang March 5, 2021, 6:44 a.m. UTC | #2
On 2021/3/5 2:39 下午, P J P wrote:
> Hello all,
>
> Just to note:
>
> * Let's use <qemu-security> list to review non-public/embargoed patch(es) only.
>
> * If patch(es) is being reviewed publicly on <qemu-devel> list,
>    CC'ing <qemu-security> list does not help much.
>
>
> Thank you.
> ---
>    -P J P
> http://feedmug.com


I see.

Thanks
Philippe Mathieu-Daudé March 5, 2021, 9:38 a.m. UTC | #3
On 3/5/21 7:26 AM, Jason Wang wrote:
> Hi All:
> 
> Followed by commit 22dc8663d9 ("net: forbid the reentrant RX"), we
> still need to fix the issues casued by loopback mode where the NIC
> usually it via calling nc->info->receive() directly.
> 
> The fix is to introduce new network helper and check the
> queue->delivering.
> 
> This series addresses CVE-2021-3416.
> 
> Thanks
> 
> Changes since V3:
> - clarify CVE number in the commit log
> - ident fix
> 
> Changes since V2:
> - add more fixes from Alexander
> 
> Changes since V1:
> 
> - Fix dp8393x compiling
> - Add rtl8139 fix
> - Tweak the commit log
> - Silent patchew warning
> 
> Alexander Bulekov (4):
>   rtl8139: switch to use qemu_receive_packet() for loopback
>   pcnet: switch to use qemu_receive_packet() for loopback
>   cadence_gem: switch to use qemu_receive_packet() for loopback
>   lan9118: switch to use qemu_receive_packet() for loopback
> 
> Jason Wang (6):
>   net: introduce qemu_receive_packet()
>   e1000: switch to use qemu_receive_packet() for loopback
>   dp8393x: switch to use qemu_receive_packet() for loopback packet
>   msf2-mac: switch to use qemu_receive_packet() for loopback
>   sungem: switch to use qemu_receive_packet() for loopback
>   tx_pkt: switch to use qemu_receive_packet_iov() for loopback
> 
>  hw/net/cadence_gem.c |  4 ++--
>  hw/net/dp8393x.c     |  2 +-
>  hw/net/e1000.c       |  2 +-
>  hw/net/lan9118.c     |  2 +-
>  hw/net/msf2-emac.c   |  2 +-
>  hw/net/net_tx_pkt.c  |  2 +-
>  hw/net/pcnet.c       |  2 +-
>  hw/net/rtl8139.c     |  2 +-
>  hw/net/sungem.c      |  2 +-
>  include/net/net.h    |  5 +++++
>  include/net/queue.h  |  8 ++++++++
>  net/net.c            | 38 +++++++++++++++++++++++++++++++-------
>  net/queue.c          | 22 ++++++++++++++++++++++
>  13 files changed, 76 insertions(+), 17 deletions(-)
> 

LGTM, maybe worth adding the "Cc: qemu-stable@nongnu.org" tag
when applying.
Jason Wang March 8, 2021, 3:26 a.m. UTC | #4
On 2021/3/5 5:38 下午, Philippe Mathieu-Daudé wrote:
> On 3/5/21 7:26 AM, Jason Wang wrote:
>> Hi All:
>>
>> Followed by commit 22dc8663d9 ("net: forbid the reentrant RX"), we
>> still need to fix the issues casued by loopback mode where the NIC
>> usually it via calling nc->info->receive() directly.
>>
>> The fix is to introduce new network helper and check the
>> queue->delivering.
>>
>> This series addresses CVE-2021-3416.
>>
>> Thanks
>>
>> Changes since V3:
>> - clarify CVE number in the commit log
>> - ident fix
>>
>> Changes since V2:
>> - add more fixes from Alexander
>>
>> Changes since V1:
>>
>> - Fix dp8393x compiling
>> - Add rtl8139 fix
>> - Tweak the commit log
>> - Silent patchew warning
>>
>> Alexander Bulekov (4):
>>    rtl8139: switch to use qemu_receive_packet() for loopback
>>    pcnet: switch to use qemu_receive_packet() for loopback
>>    cadence_gem: switch to use qemu_receive_packet() for loopback
>>    lan9118: switch to use qemu_receive_packet() for loopback
>>
>> Jason Wang (6):
>>    net: introduce qemu_receive_packet()
>>    e1000: switch to use qemu_receive_packet() for loopback
>>    dp8393x: switch to use qemu_receive_packet() for loopback packet
>>    msf2-mac: switch to use qemu_receive_packet() for loopback
>>    sungem: switch to use qemu_receive_packet() for loopback
>>    tx_pkt: switch to use qemu_receive_packet_iov() for loopback
>>
>>   hw/net/cadence_gem.c |  4 ++--
>>   hw/net/dp8393x.c     |  2 +-
>>   hw/net/e1000.c       |  2 +-
>>   hw/net/lan9118.c     |  2 +-
>>   hw/net/msf2-emac.c   |  2 +-
>>   hw/net/net_tx_pkt.c  |  2 +-
>>   hw/net/pcnet.c       |  2 +-
>>   hw/net/rtl8139.c     |  2 +-
>>   hw/net/sungem.c      |  2 +-
>>   include/net/net.h    |  5 +++++
>>   include/net/queue.h  |  8 ++++++++
>>   net/net.c            | 38 +++++++++++++++++++++++++++++++-------
>>   net/queue.c          | 22 ++++++++++++++++++++++
>>   13 files changed, 76 insertions(+), 17 deletions(-)
>>
> LGTM, maybe worth adding the "Cc: qemu-stable@nongnu.org" tag
> when applying.


Yes, will do.

Thanks


>
Jason Wang March 8, 2021, 3:55 a.m. UTC | #5
On 2021/3/5 2:26 下午, Jason Wang wrote:
> Hi All:
>
> Followed by commit 22dc8663d9 ("net: forbid the reentrant RX"), we
> still need to fix the issues casued by loopback mode where the NIC
> usually it via calling nc->info->receive() directly.
>
> The fix is to introduce new network helper and check the
> queue->delivering.
>
> This series addresses CVE-2021-3416.
>
> Thanks


So, I've queued this series with stable cced.

Thanks


>
> Changes since V3:
> - clarify CVE number in the commit log
> - ident fix
>
> Changes since V2:
> - add more fixes from Alexander
>
> Changes since V1:
>
> - Fix dp8393x compiling
> - Add rtl8139 fix
> - Tweak the commit log
> - Silent patchew warning
>
> Alexander Bulekov (4):
>    rtl8139: switch to use qemu_receive_packet() for loopback
>    pcnet: switch to use qemu_receive_packet() for loopback
>    cadence_gem: switch to use qemu_receive_packet() for loopback
>    lan9118: switch to use qemu_receive_packet() for loopback
>
> Jason Wang (6):
>    net: introduce qemu_receive_packet()
>    e1000: switch to use qemu_receive_packet() for loopback
>    dp8393x: switch to use qemu_receive_packet() for loopback packet
>    msf2-mac: switch to use qemu_receive_packet() for loopback
>    sungem: switch to use qemu_receive_packet() for loopback
>    tx_pkt: switch to use qemu_receive_packet_iov() for loopback
>
>   hw/net/cadence_gem.c |  4 ++--
>   hw/net/dp8393x.c     |  2 +-
>   hw/net/e1000.c       |  2 +-
>   hw/net/lan9118.c     |  2 +-
>   hw/net/msf2-emac.c   |  2 +-
>   hw/net/net_tx_pkt.c  |  2 +-
>   hw/net/pcnet.c       |  2 +-
>   hw/net/rtl8139.c     |  2 +-
>   hw/net/sungem.c      |  2 +-
>   include/net/net.h    |  5 +++++
>   include/net/queue.h  |  8 ++++++++
>   net/net.c            | 38 +++++++++++++++++++++++++++++++-------
>   net/queue.c          | 22 ++++++++++++++++++++++
>   13 files changed, 76 insertions(+), 17 deletions(-)
>