qemu: fix CVE-2021-3608

Source: http://git.yoctoproject.org/cgit/poky.git MR: 112749 Type: Security Fix Disposition: Backport from http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/meta/recipes-devtools/qemu?h=hardknott&id=f5e77d70e2eb35751f5bad5572b6eb8a3ab14422 ChangeID: 4496341da3af9126c9c67170e1a2cce929c29828 Description: (From OE-Core rev: 5e05ee8ff363eac84edec568039b86bcd716c6ce) (From OE-Core rev: f8d34ef74dafcf14e07f9322254465d03490bd60) Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit f5e77d70e2eb35751f5bad5572b6eb8a3ab14422) [Refreshed patch] Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Sakib Sajal <sakib.sajal@windriver.com> 2021-08-24 11:18:31 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-09-01 16:27:09 +0100
commit: 6bcc4029d4eac98632050c7a16cd81cbc54ba45e (patch)
tree: fecb1555e3d30113548e4d19dbb68ce78c10db88 /meta
parent: 4d8b5c4d70db2e193044874382e78294ba289bd7 (diff)
download: poky-6bcc4029d4eac98632050c7a16cd81cbc54ba45e.tar.gz
2 files changed, 41 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 6066418a7b..c8c170dda0 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -83,6 +83,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2021-3527-2.patch \
           file://CVE-2021-3582.patch \
           file://CVE-2021-3607.patch \
+           file://CVE-2021-3608.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch
new file mode 100644
index 0000000000..7055ec3d23
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch
@@ -0,0 +1,40 @@
+From 66ae37d8cc313f89272e711174a846a229bcdbd3 Mon Sep 17 00:00:00 2001
+From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+Date: Wed, 30 Jun 2021 14:52:46 +0300
+Subject: [PATCH] pvrdma: Fix the ring init error flow (CVE-2021-3608)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Do not unmap uninitialized dma addresses.
+Fixes: CVE-2021-3608
+Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
+Message-Id: <20210630115246.2178219-1-marcel@redhat.com>
+Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+CVE: CVE-2021-3608
+Upstream-Status: Backport [66ae37d8cc313f89272e711174a846a229bcdbd3]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/rdma/vmw/pvrdma_dev_ring.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+Index: qemu-4.2.0/hw/rdma/vmw/pvrdma_dev_ring.c
+===================================================================
+--- qemu-4.2.0.orig/hw/rdma/vmw/pvrdma_dev_ring.c
+++ qemu-4.2.0/hw/rdma/vmw/pvrdma_dev_ring.c
+@@ -41,7 +41,7 @@ int pvrdma_ring_init(PvrdmaRing *ring, c
+     atomic_set(&ring->ring_state->cons_head, 0);
+     */
+     ring->npages = npages;
+-    ring->pages = g_malloc(npages * sizeof(void *));
+    ring->pages = g_malloc0(npages * sizeof(void *));
+ 
+     for (i = 0; i < npages; i++) {
+         if (!tbl[i]) {
author	Sakib Sajal <sakib.sajal@windriver.com>	2021-08-24 11:18:31 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-09-01 16:27:09 +0100
commit	6bcc4029d4eac98632050c7a16cd81cbc54ba45e (patch)
tree	fecb1555e3d30113548e4d19dbb68ce78c10db88 /meta
parent	4d8b5c4d70db2e193044874382e78294ba289bd7 (diff)
download	poky-6bcc4029d4eac98632050c7a16cd81cbc54ba45e.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 6066418a7b..c8c170dda0 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -83,6 +83,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
83	file://CVE-2021-3527-2.patch \	83	file://CVE-2021-3527-2.patch \
84	file://CVE-2021-3582.patch \	84	file://CVE-2021-3582.patch \
85	file://CVE-2021-3607.patch \	85	file://CVE-2021-3607.patch \
		86	file://CVE-2021-3608.patch \
86	"	87	"
87	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	88	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
88		89


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch new file mode 100644 index 0000000000..7055ec3d23 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch
@@ -0,0 +1,40 @@
		1	From 66ae37d8cc313f89272e711174a846a229bcdbd3 Mon Sep 17 00:00:00 2001
		2	From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
		3	Date: Wed, 30 Jun 2021 14:52:46 +0300
		4	Subject: [PATCH] pvrdma: Fix the ring init error flow (CVE-2021-3608)
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	Do not unmap uninitialized dma addresses.
		10
		11	Fixes: CVE-2021-3608
		12	Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
		13	Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
		14	Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
		15	Message-Id: <20210630115246.2178219-1-marcel@redhat.com>
		16	Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
		17	Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
		18	Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
		19	Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
		20
		21	CVE: CVE-2021-3608
		22	Upstream-Status: Backport [66ae37d8cc313f89272e711174a846a229bcdbd3]
		23	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
		24	---
		25	hw/rdma/vmw/pvrdma_dev_ring.c \| 2 +-
		26	1 file changed, 1 insertion(+), 1 deletion(-)
		27
		28	Index: qemu-4.2.0/hw/rdma/vmw/pvrdma_dev_ring.c
		29	===================================================================
		30	--- qemu-4.2.0.orig/hw/rdma/vmw/pvrdma_dev_ring.c
		31	+++ qemu-4.2.0/hw/rdma/vmw/pvrdma_dev_ring.c
		32	@@ -41,7 +41,7 @@ int pvrdma_ring_init(PvrdmaRing *ring, c
		33	atomic_set(&ring->ring_state->cons_head, 0);
		34	*/
		35	ring->npages = npages;
		36	- ring->pages = g_malloc(npages * sizeof(void *));
		37	+ ring->pages = g_malloc0(npages * sizeof(void *));
		38
		39	for (i = 0; i < npages; i++) {
		40	if (!tbl[i]) {