From af774513f7d646badfdb5b686650254f7f08af6b Mon Sep 17 00:00:00 2001 From: Bin Meng Date: Wed, 17 Mar 2021 14:26:27 +0800 Subject: [PATCH 01/13] net: eth: Add a helper to pad a short Ethernet frame MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add a helper to pad a short Ethernet frame to the minimum required length, which can be used by backends' code. Signed-off-by: Bin Meng Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Jason Wang --- include/net/eth.h | 17 +++++++++++++++++ net/eth.c | 17 +++++++++++++++++ 2 files changed, 34 insertions(+) diff --git a/include/net/eth.h b/include/net/eth.h index 0671be6916..7767ae880e 100644 --- a/include/net/eth.h +++ b/include/net/eth.h @@ -31,6 +31,7 @@ #define ETH_ALEN 6 #define ETH_HLEN 14 +#define ETH_ZLEN 60 /* Min. octets in frame without FCS */ struct eth_header { uint8_t h_dest[ETH_ALEN]; /* destination eth addr */ @@ -422,4 +423,20 @@ bool eth_parse_ipv6_hdr(const struct iovec *pkt, int pkt_frags, size_t ip6hdr_off, eth_ip6_hdr_info *info); +/** + * eth_pad_short_frame - pad a short frame to the minimum Ethernet frame length + * + * If the Ethernet frame size is shorter than 60 bytes, it will be padded to + * 60 bytes at the address @padded_pkt. + * + * @padded_pkt: buffer address to hold the padded frame + * @padded_buflen: pointer holding length of @padded_pkt. If the frame is + * padded, the length will be updated to the padded one. + * @pkt: address to hold the original Ethernet frame + * @pkt_size: size of the original Ethernet frame + * @return true if the frame is padded, otherwise false + */ +bool eth_pad_short_frame(uint8_t *padded_pkt, size_t *padded_buflen, + const void *pkt, size_t pkt_size); + #endif diff --git a/net/eth.c b/net/eth.c index 1e0821c5f8..f913e4396f 100644 --- a/net/eth.c +++ b/net/eth.c @@ -548,3 +548,20 @@ bool eth_parse_ipv6_hdr(const struct iovec *pkt, int pkt_frags, info->l4proto = ext_hdr.ip6r_nxt; return true; } + +bool eth_pad_short_frame(uint8_t *padded_pkt, size_t *padded_buflen, + const void *pkt, size_t pkt_size) +{ + assert(padded_buflen && *padded_buflen >= ETH_ZLEN); + + if (pkt_size >= ETH_ZLEN) { + return false; + } + + /* pad to minimum Ethernet frame length */ + memcpy(padded_pkt, pkt, pkt_size); + memset(&padded_pkt[pkt_size], 0, ETH_ZLEN - pkt_size); + *padded_buflen = ETH_ZLEN; + + return true; +} From 935344bed6769d6bcb74c6d992818929a6ccb35b Mon Sep 17 00:00:00 2001 From: Bin Meng Date: Wed, 17 Mar 2021 14:26:28 +0800 Subject: [PATCH 02/13] net: Add a 'do_not_pad" to NetClientState MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This adds a flag in NetClientState, so that a net client can tell its peer that the packets do not need to be padded to the minimum size of an Ethernet frame (60 bytes) before sending to it. Signed-off-by: Bin Meng Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Jason Wang --- include/net/net.h | 1 + 1 file changed, 1 insertion(+) diff --git a/include/net/net.h b/include/net/net.h index a02949f6db..3559f3ca19 100644 --- a/include/net/net.h +++ b/include/net/net.h @@ -103,6 +103,7 @@ struct NetClientState { int vring_enable; int vnet_hdr_len; bool is_netdev; + bool do_not_pad; /* do not pad to the minimum ethernet frame length */ QTAILQ_HEAD(, NetFilterState) filters; }; From 969e50b61a285b0cc8dea6d4d2ade3f758d5ecc7 Mon Sep 17 00:00:00 2001 From: Bin Meng Date: Wed, 17 Mar 2021 14:26:29 +0800 Subject: [PATCH 03/13] net: Pad short frames to minimum size before sending from SLiRP/TAP MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The minimum Ethernet frame length is 60 bytes. For short frames with smaller length like ARP packets (only 42 bytes), on a real world NIC it can choose either padding its length to the minimum required 60 bytes, or sending it out directly to the wire. Such behavior can be hardcoded or controled by a register bit. Similarly on the receive path, NICs can choose either dropping such short frames directly or handing them over to software to handle. On the other hand, for the network backends like SLiRP/TAP, they don't expose a way to control the short frame behavior. As of today they just send/receive data from/to the other end connected to them, which means any sized packet is acceptable. So they can send and receive short frames without any problem. It is observed that ARP packets sent from SLiRP/TAP are 42 bytes, and SLiRP/TAP just send these ARP packets to the other end which might be a NIC model that does not allow short frames to pass through. To provide better compatibility, for packets sent from QEMU network backends like SLiRP/TAP, we change to pad short frames before sending it out to the other end, if the other end does not forbid it via the nc->do_not_pad flag. This ensures a backend as an Ethernet sender does not violate the spec. But with this change, the behavior of dropping short frames from SLiRP/TAP interfaces in the NIC model cannot be emulated because it always receives a packet that is spec complaint. The capability of sending short frames from NIC models is still supported and short frames can still pass through SLiRP/TAP. This commit should be able to fix the issue as reported with some NIC models before, that ARP requests get dropped, preventing the guest from becoming visible on the network. It was workarounded in these NIC models on the receive path, that when a short frame is received, it is padded up to 60 bytes. The following 2 commits seem to be the one to workaround this issue in e1000 and vmxenet3 before, and should probably be reverted. commit 78aeb23eded2 ("e1000: Pad short frames to minimum size (60 bytes)") commit 40a87c6c9b11 ("vmxnet3: Pad short frames to minimum size (60 bytes)") Signed-off-by: Bin Meng Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Jason Wang --- net/slirp.c | 10 ++++++++++ net/tap-win32.c | 10 ++++++++++ net/tap.c | 10 ++++++++++ 3 files changed, 30 insertions(+) diff --git a/net/slirp.c b/net/slirp.c index 9454a673d6..a9fdc7a08f 100644 --- a/net/slirp.c +++ b/net/slirp.c @@ -31,6 +31,7 @@ #include #include #endif +#include "net/eth.h" #include "net/net.h" #include "clients.h" #include "hub.h" @@ -115,6 +116,15 @@ static ssize_t net_slirp_send_packet(const void *pkt, size_t pkt_len, void *opaque) { SlirpState *s = opaque; + uint8_t min_pkt[ETH_ZLEN]; + size_t min_pktsz = sizeof(min_pkt); + + if (!s->nc.peer->do_not_pad) { + if (eth_pad_short_frame(min_pkt, &min_pktsz, pkt, pkt_len)) { + pkt = min_pkt; + pkt_len = min_pktsz; + } + } return qemu_send_packet(&s->nc, pkt, pkt_len); } diff --git a/net/tap-win32.c b/net/tap-win32.c index 21e451107b..d7c2a8759c 100644 --- a/net/tap-win32.c +++ b/net/tap-win32.c @@ -31,6 +31,7 @@ #include "qemu-common.h" #include "clients.h" /* net_init_tap */ +#include "net/eth.h" #include "net/net.h" #include "net/tap.h" /* tap_has_ufo, ... */ #include "qemu/error-report.h" @@ -688,9 +689,18 @@ static void tap_win32_send(void *opaque) uint8_t *buf; int max_size = 4096; int size; + uint8_t min_pkt[ETH_ZLEN]; + size_t min_pktsz = sizeof(min_pkt); size = tap_win32_read(s->handle, &buf, max_size); if (size > 0) { + if (!s->nc.peer->do_not_pad) { + if (eth_pad_short_frame(min_pkt, &min_pktsz, buf, size)) { + buf = min_pkt; + size = min_pktsz; + } + } + qemu_send_packet(&s->nc, buf, size); tap_win32_free_buffer(s->handle, buf); } diff --git a/net/tap.c b/net/tap.c index 12a08d54fe..d6d8456188 100644 --- a/net/tap.c +++ b/net/tap.c @@ -32,6 +32,7 @@ #include #include +#include "net/eth.h" #include "net/net.h" #include "clients.h" #include "monitor/monitor.h" @@ -189,6 +190,8 @@ static void tap_send(void *opaque) while (true) { uint8_t *buf = s->buf; + uint8_t min_pkt[ETH_ZLEN]; + size_t min_pktsz = sizeof(min_pkt); size = tap_read_packet(s->fd, s->buf, sizeof(s->buf)); if (size <= 0) { @@ -200,6 +203,13 @@ static void tap_send(void *opaque) size -= s->host_vnet_hdr_len; } + if (!s->nc.peer->do_not_pad) { + if (eth_pad_short_frame(min_pkt, &min_pktsz, buf, size)) { + buf = min_pkt; + size = min_pktsz; + } + } + size = qemu_send_packet_async(&s->nc, buf, size, tap_send_completed); if (size == 0) { tap_read_poll(s, false); From d4c6293041ee7941191a91e4ca2d2af4b0959599 Mon Sep 17 00:00:00 2001 From: Bin Meng Date: Wed, 17 Mar 2021 14:26:30 +0800 Subject: [PATCH 04/13] hw/net: virtio-net: Initialize nc->do_not_pad to true For virtio-net, there is no need to pad the Ethernet frame size to 60 bytes before sending to it. Signed-off-by: Bin Meng Signed-off-by: Jason Wang --- hw/net/virtio-net.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c index 96a3cc8357..66b9ff4511 100644 --- a/hw/net/virtio-net.c +++ b/hw/net/virtio-net.c @@ -3314,6 +3314,10 @@ static void virtio_net_device_realize(DeviceState *dev, Error **errp) object_get_typename(OBJECT(dev)), dev->id, n); } + for (i = 0; i < n->max_queues; i++) { + n->nic->ncs[i].do_not_pad = true; + } + peer_test_vnet_hdr(n); if (peer_has_vnet_hdr(n)) { for (i = 0; i < n->max_queues; i++) { From 9162ed664926fe6e8dfa2f43e152ab088b5369ed Mon Sep 17 00:00:00 2001 From: Lukas Straub Date: Thu, 18 Mar 2021 12:11:51 +0800 Subject: [PATCH 05/13] net/colo-compare.c: Fix memory leak for non-tcp packet Additional to removing the packet from the secondary queue, we also need to free it. Signed-off-by: Lukas Straub Signed-off-by: Zhang Chen Reviewed-by: Zhang Chen Signed-off-by: Jason Wang --- net/colo-compare.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/colo-compare.c b/net/colo-compare.c index 84db4978ac..2e819ffedb 100644 --- a/net/colo-compare.c +++ b/net/colo-compare.c @@ -690,6 +690,7 @@ static void colo_compare_packet(CompareState *s, Connection *conn, if (result) { colo_release_primary_pkt(s, pkt); + packet_destroy(result->data, NULL); g_queue_remove(&conn->secondary_list, result->data); } else { /* From 739128e43b6da3d0a48ec8551d94909dc5a8f3bc Mon Sep 17 00:00:00 2001 From: Lukas Straub Date: Thu, 18 Mar 2021 12:11:52 +0800 Subject: [PATCH 06/13] net/colo-compare.c: Optimize removal of secondary packet g_queue_remove needs to look up the list entry first, but we already have it as result and can remove it directly with g_queue_delete_link. Signed-off-by: Lukas Straub Signed-off-by: Zhang Chen Reviewed-by: Zhang Chen Signed-off-by: Jason Wang --- net/colo-compare.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/colo-compare.c b/net/colo-compare.c index 2e819ffedb..9d1ad99941 100644 --- a/net/colo-compare.c +++ b/net/colo-compare.c @@ -691,7 +691,7 @@ static void colo_compare_packet(CompareState *s, Connection *conn, if (result) { colo_release_primary_pkt(s, pkt); packet_destroy(result->data, NULL); - g_queue_remove(&conn->secondary_list, result->data); + g_queue_delete_link(&conn->secondary_list, result); } else { /* * If one packet arrive late, the secondary_list or From b565b44ec202fbe52a017273319db83f067fe574 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Wed, 10 Mar 2021 19:31:17 +0100 Subject: [PATCH 07/13] net/eth: Use correct in6_address offset in _eth_get_rss_ex_dst_addr() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The in6_address comes after the ip6_ext_hdr_routing header, not after the ip6_ext_hdr one. Fix the offset. Cc: qemu-stable@nongnu.org Reported-by: Stefano Garzarella Fixes: eb700029c78 ("net_pkt: Extend packet abstraction as required by e1000e functionality") Reviewed-by: Miroslav Rezanina Reviewed-by: Stefano Garzarella Signed-off-by: Philippe Mathieu-Daudé Signed-off-by: Jason Wang --- net/eth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/eth.c b/net/eth.c index f913e4396f..c8babfa682 100644 --- a/net/eth.c +++ b/net/eth.c @@ -419,7 +419,7 @@ _eth_get_rss_ex_dst_addr(const struct iovec *pkt, int pkt_frags, } bytes_read = iov_to_buf(pkt, pkt_frags, - rthdr_offset + sizeof(*ext_hdr), + rthdr_offset + sizeof(*rthdr), dst_addr, sizeof(*dst_addr)); return bytes_read == sizeof(*dst_addr); From 38462440ca22a8ead2ec1e98ef3c45e264fa6f60 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Wed, 10 Mar 2021 19:31:18 +0100 Subject: [PATCH 08/13] net/eth: Simplify _eth_get_rss_ex_dst_addr() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The length field is already contained in the ip6_ext_hdr structure. Check it direcly in eth_parse_ipv6_hdr() before calling _eth_get_rss_ex_dst_addr(), which gets a bit simplified. Reviewed-by: Miroslav Rezanina Reviewed-by: Stefano Garzarella Signed-off-by: Philippe Mathieu-Daudé Signed-off-by: Jason Wang --- net/eth.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/net/eth.c b/net/eth.c index c8babfa682..06badd123b 100644 --- a/net/eth.c +++ b/net/eth.c @@ -407,9 +407,7 @@ _eth_get_rss_ex_dst_addr(const struct iovec *pkt, int pkt_frags, { struct ip6_ext_hdr_routing *rthdr = (struct ip6_ext_hdr_routing *) ext_hdr; - if ((rthdr->rtype == 2) && - (rthdr->len == sizeof(struct in6_address) / 8) && - (rthdr->segleft == 1)) { + if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) { size_t input_size = iov_size(pkt, pkt_frags); size_t bytes_read; @@ -528,10 +526,12 @@ bool eth_parse_ipv6_hdr(const struct iovec *pkt, int pkt_frags, } if (curr_ext_hdr_type == IP6_ROUTING) { - info->rss_ex_dst_valid = - _eth_get_rss_ex_dst_addr(pkt, pkt_frags, - ip6hdr_off + info->full_hdr_len, - &ext_hdr, &info->rss_ex_dst); + if (ext_hdr.ip6r_len == sizeof(struct in6_address) / 8) { + info->rss_ex_dst_valid = + _eth_get_rss_ex_dst_addr(pkt, pkt_frags, + ip6hdr_off + info->full_hdr_len, + &ext_hdr, &info->rss_ex_dst); + } } else if (curr_ext_hdr_type == IP6_DESTINATON) { info->rss_ex_src_valid = _eth_get_rss_ex_src_addr(pkt, pkt_frags, From dbd8d3f959e5ba9b1804a5c99c7f8af42d96809b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Wed, 10 Mar 2021 19:31:19 +0100 Subject: [PATCH 09/13] net/eth: Better describe _eth_get_rss_ex_dst_addr's offset argument MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The 'offset' argument represents the offset to the ip6_ext_hdr header, rename it as 'ext_hdr_offset'. Reviewed-by: Stefano Garzarella Reviewed-by: Miroslav Rezanina Signed-off-by: Philippe Mathieu-Daudé Signed-off-by: Jason Wang --- net/eth.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/eth.c b/net/eth.c index 06badd123b..5eb05bddb9 100644 --- a/net/eth.c +++ b/net/eth.c @@ -401,7 +401,7 @@ eth_is_ip6_extension_header_type(uint8_t hdr_type) static bool _eth_get_rss_ex_dst_addr(const struct iovec *pkt, int pkt_frags, - size_t rthdr_offset, + size_t ext_hdr_offset, struct ip6_ext_hdr *ext_hdr, struct in6_address *dst_addr) { @@ -412,12 +412,12 @@ _eth_get_rss_ex_dst_addr(const struct iovec *pkt, int pkt_frags, size_t input_size = iov_size(pkt, pkt_frags); size_t bytes_read; - if (input_size < rthdr_offset + sizeof(*ext_hdr)) { + if (input_size < ext_hdr_offset + sizeof(*ext_hdr)) { return false; } bytes_read = iov_to_buf(pkt, pkt_frags, - rthdr_offset + sizeof(*rthdr), + ext_hdr_offset + sizeof(*rthdr), dst_addr, sizeof(*dst_addr)); return bytes_read == sizeof(*dst_addr); From 6f10f77dcdbc151217d19229d9aeeb93c9c1c408 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Wed, 10 Mar 2021 19:31:20 +0100 Subject: [PATCH 10/13] net/eth: Check size earlier in _eth_get_rss_ex_dst_addr() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Stefano Garzarella Reviewed-by: Miroslav Rezanina Signed-off-by: Philippe Mathieu-Daudé Signed-off-by: Jason Wang --- net/eth.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/net/eth.c b/net/eth.c index 5eb05bddb9..087aa71a02 100644 --- a/net/eth.c +++ b/net/eth.c @@ -406,16 +406,14 @@ _eth_get_rss_ex_dst_addr(const struct iovec *pkt, int pkt_frags, struct in6_address *dst_addr) { struct ip6_ext_hdr_routing *rthdr = (struct ip6_ext_hdr_routing *) ext_hdr; + size_t input_size = iov_size(pkt, pkt_frags); + size_t bytes_read; + + if (input_size < ext_hdr_offset + sizeof(*ext_hdr)) { + return false; + } if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) { - - size_t input_size = iov_size(pkt, pkt_frags); - size_t bytes_read; - - if (input_size < ext_hdr_offset + sizeof(*ext_hdr)) { - return false; - } - bytes_read = iov_to_buf(pkt, pkt_frags, ext_hdr_offset + sizeof(*rthdr), dst_addr, sizeof(*dst_addr)); From ef763586c943815eb0836c54c207ce8572e176a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Wed, 10 Mar 2021 19:31:21 +0100 Subject: [PATCH 11/13] net/eth: Check iovec has enough data earlier MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We want to check fields from ip6_ext_hdr_routing structure and if correct read the full in6_address. Let's directly check if our iovec contains enough data for everything, else return early. Suggested-by: Stefano Garzarella Reviewed-by: Miroslav Rezanina Signed-off-by: Philippe Mathieu-Daudé Signed-off-by: Jason Wang --- net/eth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/eth.c b/net/eth.c index 087aa71a02..6db943d4b3 100644 --- a/net/eth.c +++ b/net/eth.c @@ -409,7 +409,7 @@ _eth_get_rss_ex_dst_addr(const struct iovec *pkt, int pkt_frags, size_t input_size = iov_size(pkt, pkt_frags); size_t bytes_read; - if (input_size < ext_hdr_offset + sizeof(*ext_hdr)) { + if (input_size < ext_hdr_offset + sizeof(*rthdr) + sizeof(*dst_addr)) { return false; } From 7d6a4f123e00c9dbd40867ae1a650a4fd0bc4a3d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Wed, 10 Mar 2021 19:31:22 +0100 Subject: [PATCH 12/13] net/eth: Read ip6_ext_hdr_routing buffer before accessing it MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We can't know the caller read enough data in the memory pointed by ext_hdr to cast it as a ip6_ext_hdr_routing. Declare rt_hdr on the stack and fill it again from the iovec. Since we already checked there is enough data in the iovec buffer, simply add an assert() call to consume the bytes_read variable. This fix a 2 bytes buffer overrun in eth_parse_ipv6_hdr() reported by QEMU fuzzer: $ cat << EOF | ./qemu-system-i386 -M pc-q35-5.0 \ -accel qtest -monitor none \ -serial none -nographic -qtest stdio outl 0xcf8 0x80001010 outl 0xcfc 0xe1020000 outl 0xcf8 0x80001004 outw 0xcfc 0x7 write 0x25 0x1 0x86 write 0x26 0x1 0xdd write 0x4f 0x1 0x2b write 0xe1020030 0x4 0x190002e1 write 0xe102003a 0x2 0x0807 write 0xe1020048 0x4 0x12077cdd write 0xe1020400 0x4 0xba077cdd write 0xe1020420 0x4 0x190002e1 write 0xe1020428 0x4 0x3509d807 write 0xe1020438 0x1 0xe2 EOF ================================================================= ==2859770==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdef904902 at pc 0x561ceefa78de bp 0x7ffdef904820 sp 0x7ffdef904818 READ of size 1 at 0x7ffdef904902 thread T0 #0 0x561ceefa78dd in _eth_get_rss_ex_dst_addr net/eth.c:410:17 #1 0x561ceefa41fb in eth_parse_ipv6_hdr net/eth.c:532:17 #2 0x561cef7de639 in net_tx_pkt_parse_headers hw/net/net_tx_pkt.c:228:14 #3 0x561cef7dbef4 in net_tx_pkt_parse hw/net/net_tx_pkt.c:273:9 #4 0x561ceec29f22 in e1000e_process_tx_desc hw/net/e1000e_core.c:730:29 #5 0x561ceec28eac in e1000e_start_xmit hw/net/e1000e_core.c:927:9 #6 0x561ceec1baab in e1000e_set_tdt hw/net/e1000e_core.c:2444:9 #7 0x561ceebf300e in e1000e_core_write hw/net/e1000e_core.c:3256:9 #8 0x561cef3cd4cd in e1000e_mmio_write hw/net/e1000e.c:110:5 Address 0x7ffdef904902 is located in stack of thread T0 at offset 34 in frame #0 0x561ceefa320f in eth_parse_ipv6_hdr net/eth.c:486 This frame has 1 object(s): [32, 34) 'ext_hdr' (line 487) <== Memory access at offset 34 overflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow net/eth.c:410:17 in _eth_get_rss_ex_dst_addr Shadow bytes around the buggy address: 0x10003df188d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10003df188e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10003df188f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10003df18900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10003df18910: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 =>0x10003df18920:[02]f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 0x10003df18930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10003df18940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10003df18950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10003df18960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10003df18970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Stack left redzone: f1 Stack right redzone: f3 ==2859770==ABORTING Add the corresponding qtest case with the fuzzer reproducer. FWIW GCC 11 similarly reported: net/eth.c: In function 'eth_parse_ipv6_hdr': net/eth.c:410:15: error: array subscript 'struct ip6_ext_hdr_routing[0]' is partly outside array bounds of 'struct ip6_ext_hdr[1]' [-Werror=array-bounds] 410 | if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) { | ~~~~~^~~~~~~ net/eth.c:485:24: note: while referencing 'ext_hdr' 485 | struct ip6_ext_hdr ext_hdr; | ^~~~~~~ net/eth.c:410:38: error: array subscript 'struct ip6_ext_hdr_routing[0]' is partly outside array bounds of 'struct ip6_ext_hdr[1]' [-Werror=array-bounds] 410 | if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) { | ~~~~~^~~~~~~~~ net/eth.c:485:24: note: while referencing 'ext_hdr' 485 | struct ip6_ext_hdr ext_hdr; | ^~~~~~~ Cc: qemu-stable@nongnu.org Buglink: https://bugs.launchpad.net/qemu/+bug/1879531 Reported-by: Alexander Bulekov Reported-by: Miroslav Rezanina Reviewed-by: Stefano Garzarella Reviewed-by: Miroslav Rezanina Fixes: eb700029c78 ("net_pkt: Extend packet abstraction as required by e1000e functionality") Signed-off-by: Philippe Mathieu-Daudé Signed-off-by: Jason Wang --- MAINTAINERS | 1 + net/eth.c | 13 +++++---- tests/qtest/fuzz-e1000e-test.c | 53 ++++++++++++++++++++++++++++++++++ tests/qtest/meson.build | 1 + 4 files changed, 63 insertions(+), 5 deletions(-) create mode 100644 tests/qtest/fuzz-e1000e-test.c diff --git a/MAINTAINERS b/MAINTAINERS index 25fc49d1dc..9147e9a429 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -2027,6 +2027,7 @@ e1000e M: Dmitry Fleytman S: Maintained F: hw/net/e1000e* +F: tests/qtest/fuzz-e1000e-test.c eepro100 M: Stefan Weil diff --git a/net/eth.c b/net/eth.c index 6db943d4b3..b2704fbf2d 100644 --- a/net/eth.c +++ b/net/eth.c @@ -405,17 +405,20 @@ _eth_get_rss_ex_dst_addr(const struct iovec *pkt, int pkt_frags, struct ip6_ext_hdr *ext_hdr, struct in6_address *dst_addr) { - struct ip6_ext_hdr_routing *rthdr = (struct ip6_ext_hdr_routing *) ext_hdr; + struct ip6_ext_hdr_routing rt_hdr; size_t input_size = iov_size(pkt, pkt_frags); size_t bytes_read; - if (input_size < ext_hdr_offset + sizeof(*rthdr) + sizeof(*dst_addr)) { + if (input_size < ext_hdr_offset + sizeof(rt_hdr) + sizeof(*dst_addr)) { return false; } - if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) { - bytes_read = iov_to_buf(pkt, pkt_frags, - ext_hdr_offset + sizeof(*rthdr), + bytes_read = iov_to_buf(pkt, pkt_frags, ext_hdr_offset, + &rt_hdr, sizeof(rt_hdr)); + assert(bytes_read == sizeof(rt_hdr)); + + if ((rt_hdr.rtype == 2) && (rt_hdr.segleft == 1)) { + bytes_read = iov_to_buf(pkt, pkt_frags, ext_hdr_offset + sizeof(rt_hdr), dst_addr, sizeof(*dst_addr)); return bytes_read == sizeof(*dst_addr); diff --git a/tests/qtest/fuzz-e1000e-test.c b/tests/qtest/fuzz-e1000e-test.c new file mode 100644 index 0000000000..66229e6096 --- /dev/null +++ b/tests/qtest/fuzz-e1000e-test.c @@ -0,0 +1,53 @@ +/* + * QTest testcase for e1000e device generated by fuzzer + * + * Copyright (c) 2021 Red Hat, Inc. + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "qemu/osdep.h" + +#include "libqos/libqtest.h" + +/* + * https://bugs.launchpad.net/qemu/+bug/1879531 + */ +static void test_lp1879531_eth_get_rss_ex_dst_addr(void) +{ + QTestState *s; + + s = qtest_init("-nographic -monitor none -serial none -M pc-q35-5.0"); + + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xe1020000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x7); + qtest_writeb(s, 0x25, 0x86); + qtest_writeb(s, 0x26, 0xdd); + qtest_writeb(s, 0x4f, 0x2b); + + qtest_writel(s, 0xe1020030, 0x190002e1); + qtest_writew(s, 0xe102003a, 0x0807); + qtest_writel(s, 0xe1020048, 0x12077cdd); + qtest_writel(s, 0xe1020400, 0xba077cdd); + qtest_writel(s, 0xe1020420, 0x190002e1); + qtest_writel(s, 0xe1020428, 0x3509d807); + qtest_writeb(s, 0xe1020438, 0xe2); + qtest_writeb(s, 0x4f, 0x2b); + qtest_quit(s); +} + +int main(int argc, char **argv) +{ + const char *arch = qtest_get_arch(); + + g_test_init(&argc, &argv, NULL); + + if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) { + qtest_add_func("fuzz/test_lp1879531_eth_get_rss_ex_dst_addr", + test_lp1879531_eth_get_rss_ex_dst_addr); + } + + return g_test_run(); +} diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build index 9731606c31..902cfef7cb 100644 --- a/tests/qtest/meson.build +++ b/tests/qtest/meson.build @@ -67,6 +67,7 @@ qtests_i386 = \ (config_all_devices.has_key('CONFIG_TPM_TIS_ISA') ? ['tpm-tis-test'] : []) + \ (config_all_devices.has_key('CONFIG_TPM_TIS_ISA') ? ['tpm-tis-swtpm-test'] : []) + \ (config_all_devices.has_key('CONFIG_RTL8139_PCI') ? ['rtl8139-test'] : []) + \ + (config_all_devices.has_key('CONFIG_E1000E_PCI_EXPRESS') ? ['fuzz-e1000e-test'] : []) + \ qtests_pci + \ ['fdc-test', 'ide-test', From c7274b5ef43614dd133daec1e2018f71d8744088 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Wed, 10 Mar 2021 19:31:23 +0100 Subject: [PATCH 13/13] net/eth: Add an assert() and invert if() statement to simplify code MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit To simplify the function body, invert the if() statement, returning earlier. Since we already checked there is enough data in the iovec buffer, simply add an assert() call to consume the bytes_read variable. Reviewed-by: Stefano Garzarella Reviewed-by: Miroslav Rezanina Signed-off-by: Philippe Mathieu-Daudé Signed-off-by: Jason Wang --- net/eth.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/net/eth.c b/net/eth.c index b2704fbf2d..fe876d1a55 100644 --- a/net/eth.c +++ b/net/eth.c @@ -416,15 +416,14 @@ _eth_get_rss_ex_dst_addr(const struct iovec *pkt, int pkt_frags, bytes_read = iov_to_buf(pkt, pkt_frags, ext_hdr_offset, &rt_hdr, sizeof(rt_hdr)); assert(bytes_read == sizeof(rt_hdr)); - - if ((rt_hdr.rtype == 2) && (rt_hdr.segleft == 1)) { - bytes_read = iov_to_buf(pkt, pkt_frags, ext_hdr_offset + sizeof(rt_hdr), - dst_addr, sizeof(*dst_addr)); - - return bytes_read == sizeof(*dst_addr); + if ((rt_hdr.rtype != 2) || (rt_hdr.segleft != 1)) { + return false; } + bytes_read = iov_to_buf(pkt, pkt_frags, ext_hdr_offset + sizeof(rt_hdr), + dst_addr, sizeof(*dst_addr)); + assert(bytes_read == sizeof(*dst_addr)); - return false; + return true; } static bool