On 2/24/21 2:17 PM, Jason Wang wrote:
>
> On 2021/2/24 6:11 PM, Philippe Mathieu-Daudé wrote:
>> On 2/24/21 6:53 AM, Jason Wang wrote:
>>> Some NICs support loopback mode and this is done by calling
>>> nc->info->receive() directly, which in fact suppresses the effort of
>>> the reentrancy check that is done in qemu_net_queue_send().
>>>
>>> Unfortunately we can use qemu_net_queue_send() here since for loop
>>> back there's no sender as peer, so this patch introduces a
>>> qemu_receive_packet() which is used for implementing loopback mode
>>> for a NIC with this check.
>> IIUC the guest could trigger an infinite loop and brick the emulated
>> device model. Likely exhausting the stack, so either SEGV by
>> corruption or some ENOMEM?
>
>
> Yes.
>
>
>>
>> Since this is guest triggerable, shouldn't we contact qemu-security@
>> list and ask for a CVE for this issue, so distributions can track
>> the patches to backport in their stable releases? (it seems to be
>> within the KVM devices boundary).
>
>
> That's the plan. I discussed this with Prasad before and he promised to
> ask for a CVE for this.

Good! We just need to be sure to amend the CVE number to the patches
before committing them.

>
> But it's a known issue, the reentrant DMA which has been discussed
> before[1], unfortunately we don't make any progress. This patch can only
> fix the NIC RX issue.
>
> Thanks
>
> [1] https://mail.gnu.org/archive/html/qemu-devel/2020-09/msg00906.html
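The following is a small model of the reentrancy guard the thread is about, added here as an illustration; it is not QEMU's code and the names (`net_queue`, `loopback_nic`, `net_queue_receive`, `net_queue_deliver`, `nic_receive`, `LOOPBACK_ROUNDS`) are this example's own assumptions. A queue keeps a `delivering` flag; a NIC in loopback mode hands every packet it receives straight back to its own receive path. When the loopback goes through the guarded entry point the packet is deferred and flushed afterwards, so nesting depth stays at 1; when it bypasses the guard (the direct `receive()` call the commit message describes) each round nests one level deeper on the same stack. The constructed `LOOPBACK_ROUNDS` bound only exists so the unguarded path terminates in the demo; without it, the nesting would be unbounded.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a packet queue with a reentrancy guard (example
   structs, not QEMU's). LOOPBACK_ROUNDS bounds the demo so the unguarded
   path stops instead of exhausting the stack. */
#define MAX_PENDING     16
#define PKT_LEN         64
#define LOOPBACK_ROUNDS 8

struct loopback_nic;

typedef struct net_queue {
    bool delivering;                   /* set while a delivery is in progress */
    int depth;                         /* current nesting of deliveries */
    int max_depth;                     /* deepest nesting observed */
    size_t npending;                   /* packets deferred during delivery */
    uint8_t pending[MAX_PENDING][PKT_LEN];
    size_t pending_len[MAX_PENDING];
    struct loopback_nic *nic;
} net_queue;

typedef struct loopback_nic {
    bool loopback;      /* "loopback mode", a setting the guest can flip */
    bool guarded;       /* true: loop back through the checked entry point */
    unsigned received;  /* how many times the receive handler ran */
    net_queue *q;
} loopback_nic;

static size_t net_queue_receive(net_queue *q, const uint8_t *buf, size_t len);
static size_t net_queue_deliver(net_queue *q, const uint8_t *buf, size_t len);

/* The NIC's receive handler. In loopback mode it feeds the packet back into
   its own receive path, which is the re-entry the queue must catch. */
static size_t nic_receive(loopback_nic *nic, const uint8_t *buf, size_t len)
{
    nic->received++;
    if (!nic->loopback || nic->received >= LOOPBACK_ROUNDS) {
        return len;
    }
    if (nic->guarded) {
        return net_queue_receive(nic->q, buf, len);  /* checked entry point */
    }
    return net_queue_deliver(nic->q, buf, len);      /* bypasses the check */
}

/* Actually run the receive handler, tracking nesting for the demo. */
static size_t net_queue_deliver(net_queue *q, const uint8_t *buf, size_t len)
{
    bool was_delivering = q->delivering;
    q->depth++;
    if (q->depth > q->max_depth) {
        q->max_depth = q->depth;
    }
    q->delivering = true;
    size_t ret = nic_receive(q->nic, buf, len);
    q->delivering = was_delivering;
    q->depth--;
    return ret;
}

/* Deliver deferred packets one at a time; a delivery may defer more, and the
   loop picks those up because it re-reads npending each iteration. */
static void net_queue_flush(net_queue *q)
{
    for (size_t i = 0; i < q->npending; i++) {
        net_queue_deliver(q, q->pending[i], q->pending_len[i]);
    }
    q->npending = 0;
}

/* Guarded entry point: if a delivery is already in progress on this queue,
   defer the packet instead of re-entering the receive handler. */
static size_t net_queue_receive(net_queue *q, const uint8_t *buf, size_t len)
{
    if (q->delivering) {
        if (q->npending < MAX_PENDING && len <= PKT_LEN) {
            memcpy(q->pending[q->npending], buf, len);
            q->pending_len[q->npending] = len;
            q->npending++;
        }
        return 0;   /* deferred (dropped only if the backlog is full) */
    }
    size_t ret = net_queue_deliver(q, buf, len);
    net_queue_flush(q);
    return ret;
}

struct loopback_result { int max_depth; unsigned received; };

/* Inject one constructed frame with loopback on and report what happened. */
static struct loopback_result run_loopback(bool guarded)
{
    static const uint8_t frame[PKT_LEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
    net_queue q;
    loopback_nic nic;
    memset(&q, 0, sizeof q);
    memset(&nic, 0, sizeof nic);
    nic.loopback = true;
    nic.guarded = guarded;
    nic.q = &q;
    q.nic = &nic;
    net_queue_receive(&q, frame, sizeof frame);
    struct loopback_result r = { q.max_depth, nic.received };
    return r;
}

int main(void)
{
    struct loopback_result g = run_loopback(true), u = run_loopback(false);
    printf("guarded:   received=%u max_depth=%d\n", g.received, g.max_depth);
    printf("unguarded: received=%u max_depth=%d\n", u.received, u.max_depth);
    return 0;
}
```

Both variants run the receive handler the same number of times; the difference is where that work happens. The guarded path serialises it through the flush loop at depth 1, while the unguarded path stacks one frame per round, which is why the thread describes the bypass as guest-triggerable stack exhaustion.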