Bug 781922 - rtl8139: prevent unlimited buffer allocated for guest descriptors.
Summary: rtl8139: prevent unlimited buffer allocated for guest descriptors.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kvm
Version: 5.8
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Amos Kong
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On: 781920
Blocks:
Reported: 2012-01-16 05:27 UTC by jason wang
Modified: 2015-05-25 00:06 UTC (History)

Fixed In Version: kvm-83-257.el5
Doc Type: Bug Fix
Doc Text:
Clone Of: 781920
Environment:
Last Closed: 2013-01-08 06:59:28 UTC
Target Upstream Version:
Embargoed:


Attachments
781922-reproducer--for-guest-kernel.patch (1.20 KB, patch), 2012-07-19 08:50 UTC, Amos Kong


Links
Red Hat Product Errata RHBA-2013:0007 (normal, SHIPPED_LIVE): kvm bug fix update, last updated 2013-01-07 15:30:17 UTC

Description jason wang 2012-01-16 05:27:02 UTC
+++ This bug was initially created as a clone of Bug #781920 +++

Description of problem:

When the current tx descriptor is not the last segment (LS bit is not set in the TX descriptor), rtl8139 may realloc the buffer and try to make it fit for accommodating the new data. This guest-triggered behavior makes it possible for the guest to let qemu allocate an unlimited size of buffer, which may lead to qemu being terminated because glib fails to allocate the required size of buffer:

GLib-ERROR **: gmem.c:176: failed to allocate 18446744071562067968 bytes

Need to limit the buffer size; not sure whether this can lead to security issues.


Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. use qtest or hack the guest driver to prepare an unterminated chain of tx descriptors with 0xFFFF as its length and without the LS bit set.
Actual results:
qemu-kvm terminated with glib error.

Expected results:
qemu-kvm should not terminate.

Additional info:
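The defect described in this report is a realloc loop whose growth is driven entirely by guest-supplied descriptor lengths. The C below is an added illustration for this bug page; it is not code from the report, the errata, or QEMU's rtl8139 emulation. It models the unchecked growth loop as pure arithmetic (no allocation), then shows a bounded accumulator that checks each segment length and the running total against a cap before doing any size arithmetic, discarding the partial chain instead of aborting the VM. The constants MAX_TX_FRAME and TX_GROW_STEP, the descriptor layout, and the LS bit position are assumptions made for the model. One detail worth noting: the size in the glib error, 18446744071562067968, equals 2^64 - 2^31, the bit pattern of a negative 32-bit value widened to 64 bits, which is why the guard runs before any length arithmetic rather than after it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constants assumed for this model (not the rtl8139 emulation's own values). */
#define MAX_TX_FRAME  65536u      /* hypothetical hard cap on a reassembled TX frame */
#define TX_GROW_STEP  16384u      /* hypothetical growth increment for the staging buffer */
#define TXD_LS        (1u << 28)  /* hypothetical "last segment" bit in the descriptor flags */
#define TXD_LEN_MASK  0xFFFFu     /* low 16 bits carry the segment length */

struct txdesc { uint32_t flags; };   /* modelled descriptor: LS bit | 16-bit length */

struct tx_state {
    uint8_t *buf;       /* staging buffer for the frame being reassembled */
    size_t   len;       /* allocated size of buf */
    size_t   off;       /* bytes accumulated so far */
    unsigned frames;    /* frames completed by an LS descriptor */
    unsigned dropped;   /* chains rejected because they exceeded MAX_TX_FRAME */
};

/* Model of the unchecked growth loop: the buffer size the device would request
 * after n unterminated segments each claiming 0xFFFF bytes. Pure arithmetic,
 * nothing is allocated, so the runaway can be observed safely. */
uint64_t unbounded_model(unsigned n)
{
    uint64_t off = 0, len = TX_GROW_STEP;
    for (unsigned i = 0; i < n; i++) {
        while (off + 0xFFFFu >= len)
            len += TX_GROW_STEP;       /* grows forever: nothing bounds off */
        off += 0xFFFFu;
    }
    return len;
}

/* Hardened accumulator: segment length and running total are checked against
 * the cap before any size arithmetic or allocation. On violation the partial
 * chain is discarded and the device keeps running. Returns 0 on success,
 * -1 when the chain was dropped. */
int tx_accumulate(struct tx_state *s, const struct txdesc *d, const uint8_t *data)
{
    size_t txsize = d->flags & TXD_LEN_MASK;

    if (txsize > MAX_TX_FRAME || s->off > MAX_TX_FRAME - txsize) {
        s->off = 0;                    /* reject the whole chain, keep state sane */
        s->dropped++;
        return -1;
    }
    if (s->off + txsize > s->len) {
        size_t newlen = s->len;
        while (s->off + txsize > newlen)
            newlen += TX_GROW_STEP;    /* bounded: newlen <= MAX_TX_FRAME + TX_GROW_STEP */
        uint8_t *nb = realloc(s->buf, newlen);
        if (!nb) {                     /* fail closed instead of aborting the VM */
            s->off = 0;
            s->dropped++;
            return -1;
        }
        s->buf = nb;
        s->len = newlen;
    }
    memcpy(s->buf + s->off, data, txsize);
    s->off += txsize;
    if (d->flags & TXD_LS) {           /* frame complete: hand off, reset for the next */
        s->frames++;
        s->off = 0;
    }
    return 0;
}

struct chain_result { size_t len; unsigned dropped; };

/* Feed the descriptor pattern from the report (length 0xFFFF, LS never set)
 * through the hardened path and report the final allocation and drop count. */
struct chain_result hardened_chain(unsigned n)
{
    static uint8_t payload[0xFFFF];           /* constructed segment data */
    struct tx_state s = {0};
    struct txdesc d = { .flags = 0xFFFFu };   /* no LS bit */
    for (unsigned i = 0; i < n; i++)
        tx_accumulate(&s, &d, payload);
    struct chain_result r = { s.len, s.dropped };
    free(s.buf);
    return r;
}

/* A well-formed two-segment frame (1000 + 500 bytes, LS on the second) passes. */
unsigned frames_after_valid_chain(void)
{
    static uint8_t payload[1500];             /* constructed segment data */
    struct tx_state s = {0};
    struct txdesc first = { .flags = 1000u }, last = { .flags = TXD_LS | 500u };
    tx_accumulate(&s, &first, payload);
    tx_accumulate(&s, &last, payload);
    unsigned frames = s.frames;
    free(s.buf);
    return frames;
}

int main(void)
{
    struct chain_result r = hardened_chain(1000);
    printf("unchecked model after 1000 segments: %llu bytes requested\n",
           (unsigned long long)unbounded_model(1000));
    printf("hardened after 1000 segments: %zu bytes allocated, %u chains dropped\n",
           r.len, r.dropped);
    printf("valid chain completed frames: %u\n", frames_after_valid_chain());
    return 0;
}
```

The check is written as `s->off > MAX_TX_FRAME - txsize` rather than `s->off + txsize > MAX_TX_FRAME` so that the comparison itself cannot wrap; with both terms already bounded, the later `s->off + txsize` in the growth branch is safe. Dropping the chain and resetting the offset is what lets a misbehaving guest hurt only its own traffic rather than the host process.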

Comment 1 RHEL Program Management 2012-04-02 10:53:03 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 4 Amos Kong 2012-07-19 08:50:22 UTC
Created attachment 599095 [details]
781922-reproducer--for-guest-kernel.patch

Reproduce method:

1. apply attached reproducer patch to guest kernel.
2. boot up the guest with an rtl8139 nic (use the virbr0 bridge; its IP is 192.168.122.1)
3. configure a static IP in the guest (e.g. 192.168.122.3)
4. flood ping inside the guest
   for i in `seq 1 100`;do ping -S 65535 -f -b 192.168.122.255 & done

Comment 8 Shaolong Hu 2012-07-25 09:53:39 UTC
Reproduced on kvm-83-256.el5 with the steps in comment 4:

guest kernel build with the reproducer patch:
https://brewweb.devel.redhat.com/taskinfo?taskID=4645856

After step 4, kvm core dumps within tens of seconds:

Program received signal SIGABRT, Aborted.
[Switching to Thread 0x41401940 (LWP 4065)]
0x0000003304a30265 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64	  return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) bt
#0  0x0000003304a30265 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0000003304a31d10 in abort () at abort.c:88
#2  0x0000000000462496 in oom_check (ptr=0xfb5) at qemu-malloc.c:30
#3  0x0000000000422574 in rtl8139_cplus_transmit_one (opaque=0xe9d6d0, addr=<value optimized out>, val=<value optimized out>) at /usr/src/debug/kvm-83-maint-snapshot-20090205/qemu/hw/rtl8139.c:2011
#4  rtl8139_cplus_transmit (opaque=0xe9d6d0, addr=<value optimized out>, val=<value optimized out>) at /usr/src/debug/kvm-83-maint-snapshot-20090205/qemu/hw/rtl8139.c:2332
#5  rtl8139_io_writeb (opaque=0xe9d6d0, addr=<value optimized out>, val=<value optimized out>) at /usr/src/debug/kvm-83-maint-snapshot-20090205/qemu/hw/rtl8139.c:2681
#6  0x00000000004a4491 in cpu_physical_memory_rw (addr=3288338649, buf=0x2aaaaaab4028 "@", len=1, is_write=1) at /usr/src/debug/kvm-83-maint-snapshot-20090205/qemu/exec.c:3027
#7  0x0000000000500da8 in kvm_mmio_write (opaque=<value optimized out>, addr=4021, data=0xfe1 <Address 0xfe1 out of bounds>, len=0) at /usr/src/debug/kvm-83-maint-snapshot-20090205/qemu/qemu-kvm.c:712
#8  0x000000000052ca75 in handle_mmio (kvm=0xdc17e0, kvm_run=0x2aaaaaab4000) at libkvm.c:874
#9  0x000000000052cfb1 in kvm_run (kvm=0xdc17e0, vcpu=0, env=0xe4bdd0) at libkvm.c:1009
#10 0x0000000000501579 in kvm_cpu_exec (env=0x6) at /usr/src/debug/kvm-83-maint-snapshot-20090205/qemu/qemu-kvm.c:206
#11 0x0000000000501803 in kvm_main_loop_cpu (_env=<value optimized out>) at /usr/src/debug/kvm-83-maint-snapshot-20090205/qemu/qemu-kvm.c:402
#12 ap_main_loop (_env=<value optimized out>) at /usr/src/debug/kvm-83-maint-snapshot-20090205/qemu/qemu-kvm.c:443
#13 0x000000330520677d in start_thread (arg=<value optimized out>) at pthread_create.c:301
#14 0x0000003304ad49ad in clone () from /lib64/libc.so.6


Verified on kvm-83-257.el5: no kvm core dump with the same steps over tens of minutes of testing.

Comment 9 Chao Yang 2012-07-26 02:42:25 UTC
Moving to VERIFIED as per Comment #8

Comment 11 errata-xmlrpc 2013-01-08 06:59:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0007.html

