authorRoss Burton <ross@burtonini.com>2022-03-28 11:46:39 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2022-03-29 15:59:29 +0100
commit362c829ba1931f91de4def5169570df525f4317d (patch)
treec1d33b2e16614b7ac611c9b30b887eed13f76095 /meta/recipes-devtools/qemu
parentee6f9706de10e69908e1618e16e9655be24e0e40 (diff)
qemu: backport fixes for CVE-2022-26353 and CVE-2022-26354
(From OE-Core rev: 73d3cb8cf089b66292c305973d85e14324f2022c) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu')
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc2
-rw-r--r--meta/recipes-devtools/qemu/qemu/0001-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch60
-rw-r--r--meta/recipes-devtools/qemu/qemu/0002-virtio-net-fix-map-leaking-on-error-during-receive.patch43
3 files changed, 105 insertions, 0 deletions
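--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -30,6 +30,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
  file://0001-acpi-tpm-Add-missing-device-identification-objects.patch \
  file://0001-ppc-Include-asm-ptrace.h-for-pt_regs-struct-definiti.patch \
  file://0001-Define-MAP_SYNC-and-MAP_SHARED_VALIDATE-on-needed-li.patch \
+ file://0001-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch \
+ file://0002-virtio-net-fix-map-leaking-on-error-during-receive.patch \
  "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 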
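--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0001-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch
@@ -0,0 +1,60 @@
+CVE: CVE-2022-26354
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 0190d651a73463dc2b8f170b29326d1f38140a04 Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Mon, 28 Feb 2022 10:50:58 +0100
+Subject: [PATCH 1/2] vhost-vsock: detach the virqueue element in case of error
+
+In vhost_vsock_common_send_transport_reset(), if an element popped from
+the virtqueue is invalid, we should call virtqueue_detach_element() to
+detach it from the virtqueue before freeing its memory.
+
+Fixes: fc0b9b0e1c ("vhost-vsock: add virtio sockets device")
+Fixes: CVE-2022-26354
+Cc: qemu-stable@nongnu.org
+Reported-by: VictorV <vv474172261@gmail.com>
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Message-Id: <20220228095058.27899-1-sgarzare@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+---
+ hw/virtio/vhost-vsock-common.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/hw/virtio/vhost-vsock-common.c b/hw/virtio/vhost-vsock-common.c
+index 3f3771274e..ed706681ac 100644
+--- a/hw/virtio/vhost-vsock-common.c
++++ b/hw/virtio/vhost-vsock-common.c
+@@ -153,19 +153,23 @@ static void vhost_vsock_common_send_transport_reset(VHostVSockCommon *vvc)
+ if (elem->out_num) {
+ error_report("invalid vhost-vsock event virtqueue element with "
+ "out buffers");
+- goto out;
++ goto err;
+ }
+
+ if (iov_from_buf(elem->in_sg, elem->in_num, 0,
+ &event, sizeof(event)) != sizeof(event)) {
+ error_report("vhost-vsock event virtqueue element is too short");
+- goto out;
++ goto err;
+ }
+
+ virtqueue_push(vq, elem, sizeof(event));
+ virtio_notify(VIRTIO_DEVICE(vvc), vq);
+
+-out:
++ g_free(elem);
++ return;
++
++err:
++ virtqueue_detach_element(vq, elem, 0);
+ g_free(elem);
+ }
+
+--
+2.25.1
+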
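Review bot: The `Upstream-Status: Backport` tag at the top of this patch file names no upstream commit or release, so the fix carried for CVE-2022-26354 cannot be traced back to its source from the recipe alone; 0002-virtio-net-fix-map-leaking-on-error-during-receive.patch (CVE-2022-26353) has the same gap. The `From 0190d651a73463dc2b8f170b29326d1f38140a04` line is git format-patch output and may be the id of a local cherry-pick rather than of the upstream commit, so it is not a reliable substitute. I would write the tag in both files as `Upstream-Status: Backport [<upstream commit URL>]`. That lets a later auditor compare the carried patch with upstream and tells the maintainer which QEMU release makes it safe to drop.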
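--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0002-virtio-net-fix-map-leaking-on-error-during-receive.patch
@@ -0,0 +1,43 @@
+CVE: CVE-2022-26353
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 4d65ecbddd16f38a8cf23b3053ca5c3594f8d4a4 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Tue, 8 Mar 2022 10:42:51 +0800
+Subject: [PATCH 2/2] virtio-net: fix map leaking on error during receive
+
+Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
+tries to fix the use after free of the sg by caching the virtqueue
+elements in an array and unmap them at once after receiving the
+packets, But it forgot to unmap the cached elements on error which
+will lead to leaking of mapping and other unexpected results.
+
+Fixing this by detaching the cached elements on error. This addresses
+CVE-2022-26353.
+
+Reported-by: Victor Tom <vv474172261@gmail.com>
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2022-26353
+Fixes: bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ hw/net/virtio-net.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index f2014d5ea0..e1f4748831 100644
+--- a/hw/net/virtio-net.c
++++ b/hw/net/virtio-net.c
+@@ -1862,6 +1862,7 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+
+ err:
+ for (j = 0; j < i; j++) {
++ virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);
+ g_free(elems[j]);
+ }
+
+--
+2.25.1
+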