qemu-e2k/hw/net
Philippe Mathieu-Daudé 83ddb3dbba hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()
If a fragmented packet size is too short, do not try to
calculate its checksum.

Reproduced using:

  $ cat << EOF | qemu-system-i386 -display none -nodefaults \
                                  -machine q35,accel=qtest -m 32M \
                                  -device igb,netdev=net0 \
                                  -netdev user,id=net0 \
                                  -qtest stdio
  outl 0xcf8 0x80000810
  outl 0xcfc 0xe0000000
  outl 0xcf8 0x80000804
  outw 0xcfc 0x06
  write 0xe0000403 0x1 0x02
  writel 0xe0003808 0xffffffff
  write 0xe000381a 0x1 0x5b
  write 0xe000381b 0x1 0x00
  EOF
  Assertion failed: (offset == 0), function iov_from_buf_full, file util/iov.c, line 39.
  #1 0x5575e81e952a in iov_from_buf_full qemu/util/iov.c:39:5
  #2 0x5575e6500768 in net_tx_pkt_update_sctp_checksum qemu/hw/net/net_tx_pkt.c:144:9
  #3 0x5575e659f3e1 in igb_setup_tx_offloads qemu/hw/net/igb_core.c:478:11
  #4 0x5575e659f3e1 in igb_tx_pkt_send qemu/hw/net/igb_core.c:552:10
  #5 0x5575e659f3e1 in igb_process_tx_desc qemu/hw/net/igb_core.c:671:17
  #6 0x5575e659f3e1 in igb_start_xmit qemu/hw/net/igb_core.c:903:9
  #7 0x5575e659f3e1 in igb_set_tdt qemu/hw/net/igb_core.c:2812:5
  #8 0x5575e657d6a4 in igb_core_write qemu/hw/net/igb_core.c:4248:9

Fixes: CVE-2024-3567
Cc: qemu-stable@nongnu.org
Reported-by: Zheyu Ma <zheyuma97@gmail.com>
Fixes: f199b13bc1 ("igb: Implement Tx SCTP CSO")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2273
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Message-Id: <20240410070459.49112-1-philmd@linaro.org>
2024-04-10 10:43:54 +02:00
..
can hw/net/can/sja1000: fix bug for single acceptance filter and standard frame 2024-01-05 16:20:15 +01:00
fsl_etsec net: Provide MemReentrancyGuard * to qemu_new_nic() 2023-11-21 15:42:34 +08:00
rocker net: Provide MemReentrancyGuard * to qemu_new_nic() 2023-11-21 15:42:34 +08:00
allwinner_emac.c hw/net: Constify VMState 2023-12-30 07:38:06 +11:00
allwinner-sun8i-emac.c hw/net: Constify VMState 2023-12-30 07:38:06 +11:00
cadence_gem.c hw/net: cadence_gem: Fix MDIO_OP_xxx values 2024-01-05 22:28:54 +03:00
dp8393x.c hw/net: Constify VMState 2023-12-30 07:38:06 +11:00
e1000_common.h e1000: Split header files 2023-03-10 15:35:38 +08:00
e1000_regs.h hw/net: spelling fixes 2023-09-20 07:54:34 +03:00
e1000.c hw/net: Constify VMState 2023-12-30 07:38:06 +11:00
e1000e_core.c e1000e: fix link state on resume 2024-03-12 19:28:32 +08:00
e1000e_core.h e1000e: fix link state on resume 2024-03-12 19:28:32 +08:00
e1000e.c hw/net: Constify VMState 2023-12-30 07:38:06 +11:00
e1000x_common.c e1000x: Take CRC into consideration for size check 2023-05-23 15:20:15 +08:00
e1000x_common.h e1000x: Share more Rx filtering logic 2023-05-23 15:20:15 +08:00
e1000x_regs.h hw/net: spelling fixes 2023-09-20 07:54:34 +03:00
eepro100.c hw/net: Constify VMState 2023-12-30 07:38:06 +11:00
etraxfs_eth.c hw/net/etraxfs-eth: use qemu_configure_nic_device() 2024-02-02 16:23:47 +00:00
ftgmac100.c hw/net: Constify VMState 2023-12-30 07:38:06 +11:00
i82596.c hw/net: Constify VMState 2023-12-30 07:38:06 +11:00
i82596.h hw/net: Make NetCanReceive() return a boolean 2020-03-31 21:14:35 +08:00
igb_common.h igb: Add a VF reset handler 2023-11-13 15:33:37 +08:00
igb_core.c igb: fix link state on resume 2024-03-12 19:28:31 +08:00
igb_core.h igb: fix link state on resume 2024-03-12 19:28:31 +08:00
igb_regs.h hw/net: spelling fixes 2023-09-20 07:54:34 +03:00
igb.c hw/pci: Always call pcie_sriov_pf_reset() 2024-03-12 17:56:55 -04:00
igbvf.c igb: Add Function Level Reset to PF and VF 2023-11-13 15:33:37 +08:00
imx_fec.c hw/net: Constify VMState 2023-12-30 07:38:06 +11:00
Kconfig kconfig: Add PCIe devices to s390x machines 2023-07-14 11:10:57 +02:00
lan9118.c hw/net/lan9118: Fix overflow in MIL TX FIFO 2024-04-10 09:09:34 +02:00
lance.c hw/net: Constify VMState 2023-12-30 07:38:06 +11:00
lasi_i82596.c hw/net/lasi_i82596: use qemu_create_nic_device() 2024-02-02 16:23:47 +00:00
mcf_fec.c net: Provide MemReentrancyGuard * to qemu_new_nic() 2023-11-21 15:42:34 +08:00
meson.build target/arm: fix exception syndrome for AArch32 bkpt insn 2024-02-02 18:56:32 +00:00
mipsnet.c hw/net: Constify VMState 2023-12-30 07:38:06 +11:00
msf2-emac.c hw/net: Constify VMState 2023-12-30 07:38:06 +11:00
mv88w8618_eth.c hw/net: Constify VMState 2023-12-30 07:38:06 +11:00
ne2000-isa.c hw/net: Constify VMState 2023-12-30 07:38:06 +11:00
ne2000-pci.c hw/net: Constify VMState 2023-12-30 07:38:06 +11:00
ne2000.c hw/net: Constify VMState 2023-12-30 07:38:06 +11:00
ne2000.h Include hw/hw.h exactly where needed 2019-08-16 13:31:52 +02:00
net_rx_pkt.c igb: Strip the second VLAN tag for extended VLAN 2023-05-23 15:20:15 +08:00
net_rx_pkt.h igb: Strip the second VLAN tag for extended VLAN 2023-05-23 15:20:15 +08:00
net_tx_pkt.c hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum() 2024-04-10 10:43:54 +02:00
net_tx_pkt.h igb: Implement Tx SCTP CSO 2023-05-23 15:20:15 +08:00
npcm7xx_emc.c hw/net: Constify VMState 2023-12-30 07:38:06 +11:00
npcm_gmac.c hw/net: GMAC Tx Implementation 2024-02-02 13:51:59 +00:00
opencores_eth.c net: Provide MemReentrancyGuard * to qemu_new_nic() 2023-11-21 15:42:34 +08:00
pcnet-pci.c hw/net: Constify VMState 2023-12-30 07:38:06 +11:00
pcnet.c Avoid unaligned fetch in ladr_match() 2024-03-12 19:28:32 +08:00
pcnet.h net: Replace TAB indentations with spaces 2022-11-11 09:39:03 +01:00
rtl8139.c hw/net: Constify VMState 2023-12-30 07:38:06 +11:00
smc91c111.c hw/net/smc91c111: use qemu_configure_nic_device() 2024-02-02 16:23:47 +00:00
spapr_llan.c hw/net: Constify VMState 2023-12-30 07:38:06 +11:00
stellaris_enet.c hw/net: Constify VMState 2023-12-30 07:38:06 +11:00
sungem.c hw/net: Constify VMState 2023-12-30 07:38:06 +11:00
sunhme.c hw/net: Constify VMState 2023-12-30 07:38:06 +11:00
trace-events hw/net: GMAC Tx Implementation 2024-02-02 13:51:59 +00:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
tulip.c hw/net/tulip: add chip status register values 2024-02-11 13:20:23 +01:00
tulip.h Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
vhost_net-stub.c virtio-net: add support for configure interrupt 2023-01-08 01:54:22 -05:00
vhost_net.c vdpa-dev: Fix initialisation order to restore VDUSE compatibility 2024-03-26 14:21:26 +01:00
virtio-net.c Revert "hw/virtio: Add support for VDPA network simulation devices" 2024-04-09 02:30:18 -04:00
vmware_utils.h hw/net/vmxnet3: Fix code to work on big endian hosts, too 2017-11-20 11:08:00 +08:00
vmxnet3_defs.h include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
vmxnet3.c hw/net: Constify VMState 2023-12-30 07:38:06 +11:00
vmxnet3.h hw/net: spelling fixes 2023-09-20 07:54:34 +03:00
vmxnet_debug.h Clean up ill-advised or unusual header guards 2016-07-12 16:20:46 +02:00
xen_nic.c hw/net/xen_nic: Fix missing ERRP_GUARD() for error_prepend() 2024-03-09 18:51:45 +01:00
xgmac.c hw/net: Constify VMState 2023-12-30 07:38:06 +11:00
xilinx_axienet.c net: Provide MemReentrancyGuard * to qemu_new_nic() 2023-11-21 15:42:34 +08:00
xilinx_ethlite.c net: Provide MemReentrancyGuard * to qemu_new_nic() 2023-11-21 15:42:34 +08:00