Hello Dmitry, all

A memory leakage issue was reported by Mr Qinghao Tang, CC'd here.

In that, the Qemu VMXNET3 paravirtual device emulator does not check if the device is already active, before activating it. This leads to host memory leakage via calls to vmxnet_tx_pkt_init(), which calls g_malloc0().

===
static void vmxnet3_activate_device(VMXNET3State *s)
{
   ...
   /* Preallocate TX packet wrapper */
   VMW_CFPRN("Max TX fragments is %u", s->max_tx_frags);
   vmxnet_tx_pkt_init(&s->tx_pkt, s->max_tx_frags, s->peer_has_vhdr);
   ...
}
===

A malicious guest driver could use this flaw to leak excessive memory on the host, eventually killing the Qemu process.

Please see attached herein a proposed (tested) patch which fixes this issue. Please let me know if it's okay or requires any changes.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
From 70f5e638d6f85a87b6bdeb90585f81b4616d31ef Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <p...@fedoraproject.org>
Date: Wed, 2 Dec 2015 17:28:06 +0530
Subject: net: vmxnet3: avoid multiple activations of device

Vmxnet3 device emulator does not check if the device is active
before activating it, resulting in memory leakage on the host.
Added a check to verify device state and avoid memory leakage.

Reported-by: Qinghao Tang <luodalon...@gmail.com>
Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
---
 hw/net/vmxnet3.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index 071feeb..7b727b3 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -1425,6 +1425,12 @@ static void vmxnet3_activate_device(VMXNET3State *s)
         return;
     }
 
+    /* Verify if device is active */
+    if (s->device_active) {
+        VMW_CFPRN("Vmxnet3 device is active");
+        return;
+    }
+
     vmxnet3_adjust_by_guest_type(s);
     vmxnet3_update_features(s);
     vmxnet3_update_pm_state(s);
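Review bot: the early return only works if `s->device_active` is cleared again on the deactivate/reset path, which this hunk does not show; the commit message should state that re-activation after a guest reset still succeeds and why silently ignoring the second request is preferable to tearing down and re-initialising. A minor point on the log line: make it say what was decided, e.g. `VMW_CFPRN("Vmxnet3 device already active, ignoring activation request");` rather than only reporting the state.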
-- 
2.4.3
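As an added illustration (a constructed model, not QEMU's code or the patch author's), the following C program contrasts the pre-patch and post-patch activation paths described above: `struct vmxnet3_model`, `activate_unguarded`, `activate_guarded` and `leaked_after` are hypothetical names standing in for the real VMXNET3State fields and functions, and the allocation counter is there only to make the leak measurable.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical miniature of the vmxnet3 activate path (constructed model,
 * not QEMU's code). Only the fields needed to show the leak are kept. */
struct vmxnet3_model {
    bool  device_active;   /* mirrors s->device_active in the patch */
    void *tx_pkt;          /* stands in for s->tx_pkt */
    unsigned live_allocs;  /* allocations made so far: the leak counter */
};

static void model_tx_pkt_init(struct vmxnet3_model *s)
{
    /* Like vmxnet_tx_pkt_init() -> g_malloc0(): a fresh allocation on every
     * call. The previous s->tx_pkt pointer is overwritten, never freed. */
    s->tx_pkt = calloc(1, 64);
    s->live_allocs++;
}

/* Pre-patch behaviour: every activation request allocates again. */
void activate_unguarded(struct vmxnet3_model *s)
{
    model_tx_pkt_init(s);
    s->device_active = true;
}

/* Post-patch behaviour: an already active device ignores the request. */
void activate_guarded(struct vmxnet3_model *s)
{
    if (s->device_active) {
        return;
    }
    model_tx_pkt_init(s);
    s->device_active = true;
}

/* Issue `n` activation requests and return how many allocations are no
 * longer reachable afterwards (only the last s->tx_pkt can be freed). */
unsigned leaked_after(void (*activate)(struct vmxnet3_model *), unsigned n)
{
    struct vmxnet3_model s = { false, NULL, 0 };
    for (unsigned i = 0; i < n; i++) {
        activate(&s);
    }
    if (s.tx_pkt) {
        free(s.tx_pkt);
        s.live_allocs--;
    }
    return s.live_allocs;
}
```

With the guard, repeated activation requests from a guest driver cost one allocation in total; without it, each request adds another unreachable block on the host.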
