author | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-04-12 11:01:51 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-04-13 22:23:49 +0100 |
commit | 674ec880c8fdd0a58aee4548f5f379ad0f7f292d (patch) | |
tree | 74cc18099c291d12c024887cb682ca1ae7abc327 /meta/recipes-devtools | |
parent | f82b7bf988d912c7c413790c28e03b2b9f7a51cc (diff) | |
download | poky-674ec880c8fdd0a58aee4548f5f379ad0f7f292d.tar.gz |
qemu: Add fix for CVE-2022-1050
Add a fix queued upstream for the issue in this CVE:
"""
Guest driver might execute HW commands when shared buffers are not yet
allocated.
This might happen on purpose (malicious guest) or because some other
guest/host address mapping.
We need to protect against such a case.
"""
(From OE-Core rev: 1b8513c1abdcd6430f9311efd04d785488f79d7d)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/pvrdma.patch | 45 |
2 files changed, 46 insertions, 0 deletions
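--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -32,6 +32,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://0001-Define-MAP_SYNC-and-MAP_SHARED_VALIDATE-on-needed-li.patch \
 file://0001-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch \
 file://0002-virtio-net-fix-map-leaking-on-error-during-receive.patch \
+file://pvrdma.patch \
 "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 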
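Review bot: The file name `pvrdma.patch` added to SRC_URI does not say that it carries a CVE fix; a name such as `CVE-2022-1050.patch` would make the fix visible from the recipe alone. The `CVE:` tag in the patch header still identifies it, so this is a naming point only.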
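--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/pvrdma.patch
@@ -0,0 +1,45 @@
+hw/pvrdma: Protect against buggy or malicious guest driver
+
+Guest driver might execute HW commands when shared buffers are not yet
+allocated.
+This might happen on purpose (malicious guest) or because some other
+guest/host address mapping.
+We need to protect againts such case.
+
+Reported-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+
+CVE: CVE-2022-1050
+Upstream-Status: Submitted [https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05197.html]
+
+Index: qemu-6.2.0/hw/rdma/vmw/pvrdma_cmd.c
+===================================================================
+--- qemu-6.2.0.orig/hw/rdma/vmw/pvrdma_cmd.c
++++ qemu-6.2.0/hw/rdma/vmw/pvrdma_cmd.c
+@@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
+
+dsr_info = &dev->dsr_info;
+
++ if (!dsr_info->dsr) {
++ /* Buggy or malicious guest driver */
++ rdma_error_report("Exec command without dsr, req or rsp buffers");
++ goto out;
++ }
++
+if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
+sizeof(struct cmd_handler)) {
+rdma_error_report("Unsupported command");
+Index: qemu-6.2.0/hw/rdma/vmw/pvrdma_main.c
+===================================================================
+--- qemu-6.2.0.orig/hw/rdma/vmw/pvrdma_main.c
++++ qemu-6.2.0/hw/rdma/vmw/pvrdma_main.c
+@@ -249,7 +249,8 @@ static void init_dsr_dev_caps(PVRDMADev
+{
+struct pvrdma_device_shared_region *dsr;
+
+- if (dev->dsr_info.dsr == NULL) {
++ if (!dev->dsr_info.dsr) {
++ /* Buggy or malicious guest driver */
+rdma_error_report("Can't initialized DSR");
+return;
+}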
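Review bot: The new guard in pvrdma_exec_cmd() tests only `dsr_info->dsr`, while its error message also names the req and rsp buffers and the next context line dereferences `dsr_info->req->hdr.cmd`. Whether req or rsp can be NULL while dsr is set is not visible here, since it depends on how the mapping code outside this hunk unwinds on failure. Either check all three, `if (!dsr_info->dsr || !dsr_info->req || !dsr_info->rsp) {`, or reword the message to match the single check. The `out:` label is outside the hunk, so confirm that path does not touch req or rsp now that it can be reached with them unmapped. The header still says `Upstream-Status: Submitted`, so the patch should be re-synced once upstream merges a final version.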