On 2/24/21 6:53 AM, Jason Wang wrote:
> Some NICs support loopback mode, and this is done by calling
> nc->info->receive() directly, which in fact suppresses the
> reentrancy check that is done in qemu_net_queue_send().
>
> Unfortunately we can use qemu_net_queue_send() here since for
> loopback there's no sender as peer, so this patch introduces a
> qemu_receive_packet() which is used for implementing loopback mode
> for a NIC with this check.

IIUC the guest could trigger an infinite loop and brick the emulated device model. Likely exhausting the stack, so either SEGV by corruption or some ENOMEM?

Since this is guest triggerable, shouldn't we contact the qemu-security@ list and ask for a CVE for this issue, so distributions can track the patches to backport in their stable releases? (It seems to be within the KVM devices boundary.)

>
> NICs that support loopback mode will be converted to this helper.
>
> Signed-off-by: Jason Wang <jasow...@redhat.com>
> ---
>  include/net/net.h   |  5 +++++
>  include/net/queue.h |  8 ++++++++
>  net/net.c           | 38 +++++++++++++++++++++++++++++++-------
>  net/queue.c         | 22 ++++++++++++++++++++++
>  4 files changed, 66 insertions(+), 7 deletions(-)
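The hazard the cover letter describes, as an added illustration that is not part of this thread and not QEMU code: the device model, the names (`ToyNic`, `toy_receive`, `toy_receive_packet`, `toy_transmit`, `run_loopback`) and the guard are all constructed here. A loopback path that hands a frame straight to its own receive handler recurses without bound whenever that handler re-transmits; a delivery guard that refuses a nested call while one receive is in progress breaks the cycle. The unguarded case is capped at `MAX_DEPTH` only so the demonstration terminates; the guard here simply drops and counts the nested frame, which is an assumption for the example, not a claim about what `qemu_net_queue_send()` does with it.

```c
/* Constructed illustration of the loopback reentrancy hazard; not QEMU code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_DEPTH 64 /* safety cap so the unguarded case terminates here */

typedef struct ToyNic ToyNic;

struct ToyNic {
    bool loopback;    /* guest-controlled: loop transmitted frames back */
    bool guarded;     /* use the reentrancy-checked delivery path */
    bool delivering;  /* set while a receive call is in progress */
    int depth;        /* current nesting depth of toy_receive() */
    int max_depth;    /* deepest nesting observed */
    size_t dropped;   /* deliveries refused by the guard */
};

static size_t toy_transmit(ToyNic *nic, const uint8_t *buf, size_t len);

/* Receive handler modelling a device that echoes every frame it receives
 * back out, so in loopback mode the same frame goes around again. */
static size_t toy_receive(ToyNic *nic, const uint8_t *buf, size_t len)
{
    nic->depth++;
    if (nic->depth > nic->max_depth) {
        nic->max_depth = nic->depth;
    }
    if (nic->depth <= MAX_DEPTH) {  /* cap exists only for this demo */
        toy_transmit(nic, buf, len);
    }
    nic->depth--;
    return len;
}

/* Guarded delivery: if a receive is already running on this NIC, refuse
 * the nested call instead of recursing. (Constructed behaviour: the frame
 * is dropped and counted; a real queue might defer it instead.) */
static size_t toy_receive_packet(ToyNic *nic, const uint8_t *buf, size_t len)
{
    if (nic->delivering) {
        nic->dropped++;
        return 0;
    }
    nic->delivering = true;
    size_t ret = toy_receive(nic, buf, len);
    nic->delivering = false;
    return ret;
}

/* Transmit path: in loopback mode the frame is handed back to the receive
 * side, either directly (the hazard) or through the guard. */
static size_t toy_transmit(ToyNic *nic, const uint8_t *buf, size_t len)
{
    if (!nic->loopback) {
        return len;  /* would go to the peer; nothing to do here */
    }
    return nic->guarded ? toy_receive_packet(nic, buf, len)
                        : toy_receive(nic, buf, len);
}

typedef struct {
    int max_depth;
    size_t dropped;
} LoopbackResult;

/* Drive one guest transmit through a loopback-enabled NIC and report how
 * deep the receive path nested and how many frames the guard refused. */
static LoopbackResult run_loopback(bool guarded)
{
    static const uint8_t frame[] = { 0x00, 0x11, 0x22 }; /* constructed frame */
    ToyNic nic = { .loopback = true, .guarded = guarded };
    toy_transmit(&nic, frame, sizeof frame);
    return (LoopbackResult){ nic.max_depth, nic.dropped };
}

int main(void)
{
    LoopbackResult u = run_loopback(false);
    LoopbackResult g = run_loopback(true);
    printf("unguarded: nested %d deep (capped), %zu dropped\n", u.max_depth, u.dropped);
    printf("guarded:   nested %d deep, %zu dropped\n", g.max_depth, g.dropped);
    return 0;
}
```

Without the cap the unguarded path would recurse until the stack is exhausted, which is the guest-triggerable failure the reply above is concerned about; with the guard the nesting never exceeds one and the re-entrant frame is refused.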