diff options
-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch | 73 |
2 files changed, 74 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index a6dc941624..a625809597 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc | |||
@@ -30,6 +30,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ | |||
30 | file://mmap2.patch \ | 30 | file://mmap2.patch \ |
31 | file://determinism.patch \ | 31 | file://determinism.patch \ |
32 | file://0001-tests-meson.build-use-relative-path-to-refer-to-file.patch \ | 32 | file://0001-tests-meson.build-use-relative-path-to-refer-to-file.patch \ |
33 | file://CVE-2021-20203.patch \ | ||
33 | " | 34 | " |
34 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" | 35 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" |
35 | 36 | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch new file mode 100644 index 0000000000..269c6f1294 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch | |||
@@ -0,0 +1,73 @@ | |||
1 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
2 | |||
3 | While activating device in vmxnet3_acticate_device(), it does not | ||
4 | validate guest supplied configuration values against predefined | ||
5 | minimum - maximum limits. This may lead to integer overflow or | ||
6 | OOB access issues. Add checks to avoid it. | ||
7 | |||
8 | Fixes: CVE-2021-20203 | ||
9 | Buglink: https://bugs.launchpad.net/qemu/+bug/1913873 | ||
10 | Reported-by: Gaoning Pan <pgn@zju.edu.cn> | ||
11 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
12 | |||
13 | Upstream-Status: Acepted [https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg07935.html] | ||
14 | CVE: CVE-2021-20203 | ||
15 | Signed-off-by: Minjae Kim <flowergom@gmail.com> | ||
16 | --- | ||
17 | hw/net/vmxnet3.c | 13 +++++++++++++ | ||
18 | 1 file changed, 13 insertions(+) | ||
19 | |||
20 | diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c | ||
21 | index eff299f629..4a910ca971 100644 | ||
22 | --- a/hw/net/vmxnet3.c | ||
23 | +++ b/hw/net/vmxnet3.c | ||
24 | @@ -1420,6 +1420,7 @@ static void vmxnet3_activate_device(VMXNET3State *s) | ||
25 | vmxnet3_setup_rx_filtering(s); | ||
26 | /* Cache fields from shared memory */ | ||
27 | s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu); | ||
28 | + assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU); | ||
29 | VMW_CFPRN("MTU is %u", s->mtu); | ||
30 | |||
31 | s->max_rx_frags = | ||
32 | @@ -1473,6 +1474,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) | ||
33 | /* Read rings memory locations for TX queues */ | ||
34 | pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA); | ||
35 | size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize); | ||
36 | + if (size > VMXNET3_TX_RING_MAX_SIZE) { | ||
37 | + size = VMXNET3_TX_RING_MAX_SIZE; | ||
38 | + } | ||
39 | |||
40 | vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size, | ||
41 | sizeof(struct Vmxnet3_TxDesc), false); | ||
42 | @@ -1483,6 +1487,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) | ||
43 | /* TXC ring */ | ||
44 | pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA); | ||
45 | size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize); | ||
46 | + if (size > VMXNET3_TC_RING_MAX_SIZE) { | ||
47 | + size = VMXNET3_TC_RING_MAX_SIZE; | ||
48 | + } | ||
49 | vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size, | ||
50 | sizeof(struct Vmxnet3_TxCompDesc), true); | ||
51 | VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring); | ||
52 | @@ -1524,6 +1531,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) | ||
53 | /* RX rings */ | ||
54 | pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]); | ||
55 | size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]); | ||
56 | + if (size > VMXNET3_RX_RING_MAX_SIZE) { | ||
57 | + size = VMXNET3_RX_RING_MAX_SIZE; | ||
58 | + } | ||
59 | vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size, | ||
60 | sizeof(struct Vmxnet3_RxDesc), false); | ||
61 | VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d", | ||
62 | @@ -1533,6 +1543,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) | ||
63 | /* RXC ring */ | ||
64 | pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA); | ||
65 | size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize); | ||
66 | + if (size > VMXNET3_RC_RING_MAX_SIZE) { | ||
67 | + size = VMXNET3_RC_RING_MAX_SIZE; | ||
68 | + } | ||
69 | vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size, | ||
70 | sizeof(struct Vmxnet3_RxCompDesc), true); | ||
71 | VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size); | ||
72 | -- | ||
73 | 2.29.2 | ||