+++ This bug was initially created as a clone of Bug #781920 +++

Description of problem:
When the current tx descriptor is not the last segment (LS bit is not set in the TX descriptor), rtl8139 may realloc the buffer and try to make it fit to accommodate the new data. This guest-triggered behavior makes it possible for the guest to let qemu allocate an unlimited size of buffer, which may lead to qemu being terminated because glib fails to allocate the required size of buffer:

GLib-ERROR **: gmem.c:176: failed to allocate 18446744071562067968 bytes

Need to limit the buffer size; not sure whether this can lead to security issues.

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1. Use qtest or hack the guest driver to prepare an unterminated chain of tx descriptors with 0xFFFF as its length and without the LS bit set.

Actual results:
qemu-kvm terminated with a glib error.

Expected results:
qemu-kvm should not terminate.

Additional info:
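Added example, not QEMU's rtl8139 code: a toy model of the C+ TX segment reassembly with the buffer bound this report asks for (rejecting before any growth, so a chain that never sets LS cannot drive the allocator), plus the arithmetic behind the allocation size in the GLib error. The descriptor layout, the 64 KiB cap, the growth policy and all names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define TX_LS_BIT    (1u << 28)   /* "last segment" flag; bit position is assumed */
#define TX_LEN_MASK  0xFFFFu      /* 16-bit segment length, as in the report */
#define TX_MAX_FRAME 65536        /* assumed hard cap on one reassembled frame */
struct tx_desc  { uint32_t flags; const uint8_t *data; };
struct tx_state { uint8_t *buf; size_t len, offset; };
static void tx_reset(struct tx_state *s) { free(s->buf); s->buf = NULL; s->len = s->offset = 0; }

/* Append one segment. Rejects (drops the frame, returns -1) before any growth when the
   chain would exceed TX_MAX_FRAME, so an unterminated chain cannot drive the allocator. */
int tx_accumulate(struct tx_state *s, const struct tx_desc *d, int *done)
{
    size_t txsize = d->flags & TX_LEN_MASK;
    if (txsize > TX_MAX_FRAME - s->offset) { tx_reset(s); return -1; }
    while (s->offset + txsize > s->len) {              /* grow, now bounded by the cap */
        size_t newlen = s->len ? s->len * 2 : 1024;
        uint8_t *nb = realloc(s->buf, newlen);
        if (!nb) { tx_reset(s); return -1; }
        s->buf = nb; s->len = newlen;
    }
    memcpy(s->buf + s->offset, d->data, txsize);
    s->offset += txsize;
    *done = (d->flags & TX_LS_BIT) != 0;             /* LS bit closes the frame */
    return 0;
}

/* Drive a constructed chain: nsegs descriptors of seglen bytes, LS only on the last when
   `terminated`. Returns the finished frame length, 0 if still open, -1 if rejected. */
long run_chain(size_t nsegs, uint16_t seglen, int terminated)
{
    static uint8_t payload[0xFFFF];                    /* constructed zero-filled data */
    struct tx_state s = {0}; int done = 0;
    for (size_t i = 0; i < nsegs; i++) {
        struct tx_desc d = { seglen, payload };
        if (terminated && i + 1 == nsegs) d.flags |= TX_LS_BIT;
        if (tx_accumulate(&s, &d, &done) < 0) return -1;
    }
    long r = done ? (long)s.offset : 0;
    tx_reset(&s);
    return r;
}

/* The 18446744071562067968 in the GLib error is (size_t)INT_MIN on an LP64 host: an int-typed
   length that crosses INT_MAX wraps negative and sign-extends when handed to the allocator. */
size_t wrapped_length_request(void)
{
    int32_t len = 1024;
    while (len > 0) len = (int32_t)((uint32_t)len * 2u);   /* unsigned wrap, no UB */
    return (size_t)len;
}
```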
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
Created attachment 599095
781922-reproducer--for-guest-kernel.patch

Reproduce method:
1. Apply the attached reproducer patch to the guest kernel.
2. Boot up the guest with an rtl8139 nic (use the virbr0 bridge; its ip is 192.168.122.1).
3. Configure a static ip for the guest (e.g. 192.168.122.3).
4. Flood ping inside the guest:
   for i in `seq 1 100`;do ping -S 65535 -f -b 192.168.122.255 & done
Reproduced on kvm-83-256.el5 with the steps in comment 4.

Guest kernel built with the reproducer patch: https://brewweb.devel.redhat.com/taskinfo?taskID=4645856

After step 4, kvm core dumps within tens of seconds:

Program received signal SIGABRT, Aborted.
[Switching to Thread 0x41401940 (LWP 4065)]
0x0000003304a30265 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64        return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) bt
#0  0x0000003304a30265 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0000003304a31d10 in abort () at abort.c:88
#2  0x0000000000462496 in oom_check (ptr=0xfb5) at qemu-malloc.c:30
#3  0x0000000000422574 in rtl8139_cplus_transmit_one (opaque=0xe9d6d0, addr=<value optimized out>, val=<value optimized out>) at /usr/src/debug/kvm-83-maint-snapshot-20090205/qemu/hw/rtl8139.c:2011
#4  rtl8139_cplus_transmit (opaque=0xe9d6d0, addr=<value optimized out>, val=<value optimized out>) at /usr/src/debug/kvm-83-maint-snapshot-20090205/qemu/hw/rtl8139.c:2332
#5  rtl8139_io_writeb (opaque=0xe9d6d0, addr=<value optimized out>, val=<value optimized out>) at /usr/src/debug/kvm-83-maint-snapshot-20090205/qemu/hw/rtl8139.c:2681
#6  0x00000000004a4491 in cpu_physical_memory_rw (addr=3288338649, buf=0x2aaaaaab4028 "@", len=1, is_write=1) at /usr/src/debug/kvm-83-maint-snapshot-20090205/qemu/exec.c:3027
#7  0x0000000000500da8 in kvm_mmio_write (opaque=<value optimized out>, addr=4021, data=0xfe1 <Address 0xfe1 out of bounds>, len=0) at /usr/src/debug/kvm-83-maint-snapshot-20090205/qemu/qemu-kvm.c:712
#8  0x000000000052ca75 in handle_mmio (kvm=0xdc17e0, kvm_run=0x2aaaaaab4000) at libkvm.c:874
#9  0x000000000052cfb1 in kvm_run (kvm=0xdc17e0, vcpu=0, env=0xe4bdd0) at libkvm.c:1009
#10 0x0000000000501579 in kvm_cpu_exec (env=0x6) at /usr/src/debug/kvm-83-maint-snapshot-20090205/qemu/qemu-kvm.c:206
#11 0x0000000000501803 in kvm_main_loop_cpu (_env=<value optimized out>) at /usr/src/debug/kvm-83-maint-snapshot-20090205/qemu/qemu-kvm.c:402
#12 ap_main_loop (_env=<value optimized out>) at /usr/src/debug/kvm-83-maint-snapshot-20090205/qemu/qemu-kvm.c:443
#13 0x000000330520677d in start_thread (arg=<value optimized out>) at pthread_create.c:301
#14 0x0000003304ad49ad in clone () from /lib64/libc.so.6

Verified on kvm-83-257.el5: no kvm core dump with the same steps over tens of minutes of testing.
Moving to VERIFIED as per Comment #8
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0007.html