Bug 781920

Summary: rtl8139: prevent unlimited send buffer allocated for guest descriptors.
Product: Red Hat Enterprise Linux 6 Reporter: jason wang <jasowang>
Component: qemu-kvmAssignee: jason wang <jasowang>
Status: CLOSED ERRATA QA Contact: Virtualization Bugs <virt-bugs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.3CC: acathrow, bsarathy, chayang, juzhang, minovotn, mkenneth, tburke, virt-maint
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: qemu-kvm-0.12.1.2-2.251.el6 Doc Type: Bug Fix
Doc Text:
Cause: Reallocating TX buffer without LS bit set could allow driver to allocate unlimited memory. Consequence: Evil guest driver would cause qemu to realloc the unlimited buffer to transmission which would finally lead qemu abort with glib error. Fix: Limit the transmission buffer size to 64K to prevent guest allocate unlimited transmission buffer. Result: Qemu would truncate the packet greater than 64K and would not quit for evil guest driver.
 Story Points: ---
Clone Of:
: 781922 (view as bug list) Environment:
Last Closed: 2012-06-20 11:38:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 781922    

Description jason wang 2012-01-16 05:22:54 UTC 
Description of problem:

When current tx descriptor is not the last segment (LS bit is not set in the TX descriptor), rtl8139 may realloc the buffer and try to make it fit for accommodating the new data. This guest triggered behavior make it possible for guest to let qemu to allocate unlimited size of buffer which may lead qemu terminated because glib fails to allocate the required size of buffer:

GLib-ERROR **: gmem.c:176: failed to allocate 18446744071562067968 bytes

Need to limit the buffer size and not sure whether this can lead security issues.


Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. use qtest or hack the guest driver to preprare a unterminated chain of tx descriptors with 0XFFFF as its length and without LS bit set.
2.
3.
  
Actual results:
qemu-kvm terminated with glib error.

Expected results:
qemu-kvm should not terminate.

Additional info:
Comment 5 Chao Yang 2012-04-09 08:48:10 UTC 
Hi Jason,
 Can you offer QE an efficient method to reproduce&verify this bug? Thanks in advance.
Comment 9 Chao Yang 2012-04-19 02:40:21 UTC 
Thanks Jason for your reproducer.

--- I have reproduced this bug with qemu-kvm-0.12.1.2-2.209.el6.x86_64 by:
1. download the build offered above, upgrade guest kernel to this one.
2. configure host bridge ip address to 192.168.1.3/24
3. boot a guest with rtl8139
4. in guest, configure its ip address to 192.168.1.5/24 by:
# ifconfig eth1 down
# ifconfig eth1 192.168.1.5/24
# ifconfig eth1 up
5. run the script:
while true; do ping -S 65535 -f -b 192.168.1.255 -c 100 & sleep 1; pkill ping;
done

Actual Result:
Finally, qemu-kvm quitted on:
Program received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff6bfc700 (LWP 28727)]
0x0000003b89432885 in raise () from /lib64/libc.so.6
(gdb) bt
#0  0x0000003b89432885 in raise () from /lib64/libc.so.6
#1  0x0000003b89434065 in abort () from /lib64/libc.so.6
#2  0x000000000047ba04 in oom_check (ptr=0x7fff1800a010, size=18446744071562067968) at qemu-malloc.c:31
#3  qemu_realloc (ptr=0x7fff1800a010, size=18446744071562067968) at qemu-malloc.c:75
#4  0x0000000000435f88 in rtl8139_cplus_transmit_one (opaque=<value optimized out>, addr=<value optimized out>, val=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/rtl8139.c:2058
#5  rtl8139_cplus_transmit (opaque=<value optimized out>, addr=<value optimized out>, val=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/rtl8139.c:2393
#6  rtl8139_io_writeb (opaque=<value optimized out>, addr=<value optimized out>, val=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/rtl8139.c:2742
#7  0x00000000004efb8c in cpu_physical_memory_rw (addr=<value optimized out>, buf=<value optimized out>, len=1, is_write=1) at /usr/src/debug/qemu-kvm-0.12.1.2/exec.c:3512
#8  0x000000000042c96c in handle_mmio (env=0x1097430) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:895
#9  kvm_run (env=0x1097430) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1047
#10 0x000000000042cc59 in kvm_cpu_exec (env=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1730
#11 0x000000000042da9e in kvm_main_loop_cpu (_env=0x1097430) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1991
#12 ap_main_loop (_env=0x1097430) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2041
#13 0x0000003b89c077f1 in start_thread () from /lib64/libpthread.so.0
#14 0x0000003b894e570d in clone () from /lib64/libc.so.6

--- Verified this bug with qemu-kvm-0.12.1.2-2.277.el6.x86_64 using the same steps above.
Over 24 hours elapsed, no qemu-kvm quit happened.

--- Conclusion:
Basing on above, this issue has been fixed.
Comment 12 Michal Novotny 2012-05-04 09:47:49 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause:
Reallocating TX buffer without LS bit set could allow driver to allocate unlimited memory.

Consequence:
[NEEDINFO: Jason, could you please add info there? Thanks!]

Fix:
[NEEDINFO: Jason, could you please add info there? Thanks!]

Result:
[NEEDINFO: Jason, could you please add info there? Thanks!]
Comment 13 jason wang 2012-05-04 10:02:38 UTC 
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -2,10 +2,10 @@
 Reallocating TX buffer without LS bit set could allow driver to allocate unlimited memory.
 
 Consequence:
-[NEEDINFO: Jason, could you please add info there? Thanks!]
+Evil guest driver would cause qemu to realloc the unlimited buffer to transmission which would finally lead qemu abort with glib error.
 
 Fix:
-[NEEDINFO: Jason, could you please add info there? Thanks!]
+Limit the transmission buffer size to 64K to prevent guest allocate unlimited transmission buffer.
 
 Result:
-[NEEDINFO: Jason, could you please add info there? Thanks!]+Qemu would truncate the packet greater than 64K and would not quit for evil guest driver.
Comment 14 errata-xmlrpc 2012-06-20 11:38:28 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0746.html