qemu: Fix CVE-2023-40360

(From OE-Core rev: 5b68ec70ecc9779146789cc635d8ab60928e9233) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Khem Raj <raj.khem@gmail.com> 2023-08-27 09:38:09 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-08-30 09:56:13 +0100
commit: ca098d172823a01e7b1a0d105304a4731c8cd321 (patch)
tree: 44e223362f010cafc2d6bf112980b29ff3719cde /meta/recipes-devtools/qemu
parent: b59fa412bd8ee74f4acc12f45c8730cb7d11b58c (diff)
download: poky-ca098d172823a01e7b1a0d105304a4731c8cd321.tar.gz
2 files changed, 40 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 82a7b361b1..b98169c243 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -28,6 +28,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch \
           file://0002-linux-user-Replace-use-of-lfs64-related-functions-an.patch \
           file://0001-tracetool-use-relative-paths-for-line-preprocessor-d.patch \
+           file://0001-CVE-2023-40360-hw-nvme-fix-null-pointer-access-in-di.patch \
           file://qemu-guest-agent.init \
           file://qemu-guest-agent.udev \
           "
diff --git a/meta/recipes-devtools/qemu/qemu/0001-CVE-2023-40360-hw-nvme-fix-null-pointer-access-in-di.patch b/meta/recipes-devtools/qemu/qemu/0001-CVE-2023-40360-hw-nvme-fix-null-pointer-access-in-di.patch
new file mode 100644
index 0000000000..731b0281f4
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0001-CVE-2023-40360-hw-nvme-fix-null-pointer-access-in-di.patch
@@ -0,0 +1,39 @@
+From 83dd3da9fac872fac9739b9dcb96232c93675824 Mon Sep 17 00:00:00 2001
+From: Klaus Jensen <k.jensen@samsung.com>
+Date: Tue, 8 Aug 2023 17:16:13 +0200
+Subject: [PATCH] CVE-2023-40360 hw/nvme: fix null pointer access in directive
+ receive
+nvme_directive_receive() does not check if an endurance group has been
+configured (set) prior to testing if flexible data placement is enabled
+or not.
+Fix this.
+CVE: CVE-2023-40360
+Upstream-Status: Backport [https://gitlab.com/birkelund/qemu/-/commit/6c8f8456cb0b239812dee5211881426496da7b98]
+Cc: qemu-stable@nongnu.org
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1815
+Fixes: 73064edfb864 ("hw/nvme: flexible data placement emulation")
+Reviewed-by: Jesper Wendel Devantier <j.devantier@samsung.com>
+Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
+---
+ hw/nvme/ctrl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
+index 2097fb131..36a2846c3 100644
+--- a/hw/nvme/ctrl.c
+++ b/hw/nvme/ctrl.c
+@@ -6862,7 +6862,7 @@ static uint16_t nvme_directive_receive(NvmeCtrl *n, NvmeRequest *req)
+     case NVME_DIRECTIVE_IDENTIFY:
+         switch (doper) {
+         case NVME_DIRECTIVE_RETURN_PARAMS:
+-            if (ns->endgrp->fdp.enabled) {
+            if (ns->endgrp && ns->endgrp->fdp.enabled) {
+                 id.supported |= 1 << NVME_DIRECTIVE_DATA_PLACEMENT;
+                 id.enabled |= 1 << NVME_DIRECTIVE_DATA_PLACEMENT;
+                 id.persistent |= 1 << NVME_DIRECTIVE_DATA_PLACEMENT;
+-- 
+2.42.0
author	Khem Raj <raj.khem@gmail.com>	2023-08-27 09:38:09 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-08-30 09:56:13 +0100
commit	ca098d172823a01e7b1a0d105304a4731c8cd321 (patch)
tree	44e223362f010cafc2d6bf112980b29ff3719cde /meta/recipes-devtools/qemu
parent	b59fa412bd8ee74f4acc12f45c8730cb7d11b58c (diff)
download	poky-ca098d172823a01e7b1a0d105304a4731c8cd321.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 82a7b361b1..b98169c243 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -28,6 +28,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
28	file://0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch \	28	file://0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch \
29	file://0002-linux-user-Replace-use-of-lfs64-related-functions-an.patch \	29	file://0002-linux-user-Replace-use-of-lfs64-related-functions-an.patch \
30	file://0001-tracetool-use-relative-paths-for-line-preprocessor-d.patch \	30	file://0001-tracetool-use-relative-paths-for-line-preprocessor-d.patch \
		31	file://0001-CVE-2023-40360-hw-nvme-fix-null-pointer-access-in-di.patch \
31	file://qemu-guest-agent.init \	32	file://qemu-guest-agent.init \
32	file://qemu-guest-agent.udev \	33	file://qemu-guest-agent.udev \
33	"	34	"


diff --git a/meta/recipes-devtools/qemu/qemu/0001-CVE-2023-40360-hw-nvme-fix-null-pointer-access-in-di.patch b/meta/recipes-devtools/qemu/qemu/0001-CVE-2023-40360-hw-nvme-fix-null-pointer-access-in-di.patch new file mode 100644 index 0000000000..731b0281f4 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0001-CVE-2023-40360-hw-nvme-fix-null-pointer-access-in-di.patch
@@ -0,0 +1,39 @@
		1	From 83dd3da9fac872fac9739b9dcb96232c93675824 Mon Sep 17 00:00:00 2001
		2	From: Klaus Jensen <k.jensen@samsung.com>
		3	Date: Tue, 8 Aug 2023 17:16:13 +0200
		4	Subject: [PATCH] CVE-2023-40360 hw/nvme: fix null pointer access in directive
		5	receive
		6
		7	nvme_directive_receive() does not check if an endurance group has been
		8	configured (set) prior to testing if flexible data placement is enabled
		9	or not.
		10
		11	Fix this.
		12
		13	CVE: CVE-2023-40360
		14	Upstream-Status: Backport [https://gitlab.com/birkelund/qemu/-/commit/6c8f8456cb0b239812dee5211881426496da7b98]
		15	Cc: qemu-stable@nongnu.org
		16	Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1815
		17	Fixes: 73064edfb864 ("hw/nvme: flexible data placement emulation")
		18	Reviewed-by: Jesper Wendel Devantier <j.devantier@samsung.com>
		19	Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
		20	---
		21	hw/nvme/ctrl.c \| 2 +-
		22	1 file changed, 1 insertion(+), 1 deletion(-)
		23
		24	diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
		25	index 2097fb131..36a2846c3 100644
		26	--- a/hw/nvme/ctrl.c
		27	+++ b/hw/nvme/ctrl.c
		28	@@ -6862,7 +6862,7 @@ static uint16_t nvme_directive_receive(NvmeCtrl n, NvmeRequest req)
		29	case NVME_DIRECTIVE_IDENTIFY:
		30	switch (doper) {
		31	case NVME_DIRECTIVE_RETURN_PARAMS:
		32	- if (ns->endgrp->fdp.enabled) {
		33	+ if (ns->endgrp && ns->endgrp->fdp.enabled) {
		34	id.supported \|= 1 << NVME_DIRECTIVE_DATA_PLACEMENT;
		35	id.enabled \|= 1 << NVME_DIRECTIVE_DATA_PLACEMENT;
		36	id.persistent \|= 1 << NVME_DIRECTIVE_DATA_PLACEMENT;
		37	--
		38	2.42.0
		39