1 files changed, 127 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
new file mode 100644
index 0000000000..4765f24739
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
@@ -0,0 +1,127 @@
+From bacc200f623647632258f7efc0f098ac30dd4225 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Thu, 2 Sep 2021 13:44:12 +0800
+Subject: [PATCH 09/12] virtio-net: fix use after unmap/free for sg
+When mergeable buffer is enabled, we try to set the num_buffers after
+the virtqueue elem has been unmapped. This will lead several issues,
+E.g a use after free when the descriptor has an address which belongs
+to the non direct access region. In this case we use bounce buffer
+that is allocated during address_space_map() and freed during
+address_space_unmap().
+Fixing this by storing the elems temporarily in an array and delay the
+unmap after we set the the num_buffers.
+This addresses CVE-2021-3748.
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Fixes: fbe78f4f55c6 ("virtio-net support")
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Upstream-Status: Backport [bedd7e93d01961fcb16a97ae45d93acf357e11f6]
+CVE: CVE-2021-3748
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++-------
+ 1 file changed, 32 insertions(+), 7 deletions(-)
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index 9179013ac..df1d30e2c 100644
+--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
+@@ -1665,10 +1665,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+     VirtIONet *n = qemu_get_nic_opaque(nc);
+     VirtIONetQueue *q = virtio_net_get_subqueue(nc);
+     VirtIODevice *vdev = VIRTIO_DEVICE(n);
+    VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE];
+    size_t lens[VIRTQUEUE_MAX_SIZE];
+     struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE];
+     struct virtio_net_hdr_mrg_rxbuf mhdr;
+     unsigned mhdr_cnt = 0;
+-    size_t offset, i, guest_offset;
+    size_t offset, i, guest_offset, j;
+    ssize_t err;
+ 
+     if (!virtio_net_can_receive(nc)) {
+         return -1;
+@@ -1699,6 +1702,12 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ 
+         total = 0;
+ 
+        if (i == VIRTQUEUE_MAX_SIZE) {
+            virtio_error(vdev, "virtio-net unexpected long buffer chain");
+            err = size;
+            goto err;
+        }
+
+         elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement));
+         if (!elem) {
+             if (i) {
+@@ -1710,7 +1719,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+                              n->guest_hdr_len, n->host_hdr_len,
+                              vdev->guest_features);
+             }
+-            return -1;
+            err = -1;
+            goto err;
+         }
+ 
+         if (elem->in_num < 1) {
+@@ -1718,7 +1728,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+                          "virtio-net receive queue contains no in buffers");
+             virtqueue_detach_element(q->rx_vq, elem, 0);
+             g_free(elem);
+-            return -1;
+            err = -1;
+            goto err;
+         }
+ 
+         sg = elem->in_sg;
+@@ -1755,12 +1766,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+         if (!n->mergeable_rx_bufs && offset < size) {
+             virtqueue_unpop(q->rx_vq, elem, total);
+             g_free(elem);
+-            return size;
+            err = size;
+            goto err;
+         }
+ 
+-        /* signal other side */
+-        virtqueue_fill(q->rx_vq, elem, total, i++);
+-        g_free(elem);
+        elems[i] = elem;
+        lens[i] = total;
+        i++;
+     }
+ 
+     if (mhdr_cnt) {
+@@ -1770,10 +1782,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+                      &mhdr.num_buffers, sizeof mhdr.num_buffers);
+     }
+ 
+    for (j = 0; j < i; j++) {
+        /* signal other side */
+        virtqueue_fill(q->rx_vq, elems[j], lens[j], j);
+        g_free(elems[j]);
+    }
+
+     virtqueue_flush(q->rx_vq, i);
+     virtio_notify(vdev, q->rx_vq);
+ 
+     return size;
+
+err:
+    for (j = 0; j < i; j++) {
+        g_free(elems[j]);
+    }
+
+    return err;
+ }
+ 
+ static ssize_t virtio_net_do_receive(NetClientState *nc, const uint8_t *buf,
+-- 
+2.31.1

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch new file mode 100644 index 0000000000..4765f24739 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
@@ -0,0 +1,127 @@
	1	From bacc200f623647632258f7efc0f098ac30dd4225 Mon Sep 17 00:00:00 2001
	2	From: Jason Wang <jasowang@redhat.com>
	3	Date: Thu, 2 Sep 2021 13:44:12 +0800
	4	Subject: [PATCH 09/12] virtio-net: fix use after unmap/free for sg
	5
	6	When mergeable buffer is enabled, we try to set the num_buffers after
	7	the virtqueue elem has been unmapped. This will lead several issues,
	8	E.g a use after free when the descriptor has an address which belongs
	9	to the non direct access region. In this case we use bounce buffer
	10	that is allocated during address_space_map() and freed during
	11	address_space_unmap().
	12
	13	Fixing this by storing the elems temporarily in an array and delay the
	14	unmap after we set the the num_buffers.
	15
	16	This addresses CVE-2021-3748.
	17
	18	Reported-by: Alexander Bulekov <alxndr@bu.edu>
	19	Fixes: fbe78f4f55c6 ("virtio-net support")
	20	Cc: qemu-stable@nongnu.org
	21	Signed-off-by: Jason Wang <jasowang@redhat.com>
	22
	23	Upstream-Status: Backport [bedd7e93d01961fcb16a97ae45d93acf357e11f6]
	24	CVE: CVE-2021-3748
	25
	26	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
	27	---
	28	hw/net/virtio-net.c \| 39 ++++++++++++++++++++++++++++++++-------
	29	1 file changed, 32 insertions(+), 7 deletions(-)
	30
	31	diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
	32	index 9179013ac..df1d30e2c 100644
	33	--- a/hw/net/virtio-net.c
	34	+++ b/hw/net/virtio-net.c
	35	@@ -1665,10 +1665,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState nc, const uint8_t buf,
	36	VirtIONet *n = qemu_get_nic_opaque(nc);
	37	VirtIONetQueue *q = virtio_net_get_subqueue(nc);
	38	VirtIODevice *vdev = VIRTIO_DEVICE(n);
	39	+ VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE];
	40	+ size_t lens[VIRTQUEUE_MAX_SIZE];
	41	struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE];
	42	struct virtio_net_hdr_mrg_rxbuf mhdr;
	43	unsigned mhdr_cnt = 0;
	44	- size_t offset, i, guest_offset;
	45	+ size_t offset, i, guest_offset, j;
	46	+ ssize_t err;
	47
	48	if (!virtio_net_can_receive(nc)) {
	49	return -1;
	50	@@ -1699,6 +1702,12 @@ static ssize_t virtio_net_receive_rcu(NetClientState nc, const uint8_t buf,
	51
	52	total = 0;
	53
	54	+ if (i == VIRTQUEUE_MAX_SIZE) {
	55	+ virtio_error(vdev, "virtio-net unexpected long buffer chain");
	56	+ err = size;
	57	+ goto err;
	58	+ }
	59	+
	60	elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement));
	61	if (!elem) {
	62	if (i) {
	63	@@ -1710,7 +1719,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState nc, const uint8_t buf,
	64	n->guest_hdr_len, n->host_hdr_len,
	65	vdev->guest_features);
	66	}
	67	- return -1;
	68	+ err = -1;
	69	+ goto err;
	70	}
	71
	72	if (elem->in_num < 1) {
	73	@@ -1718,7 +1728,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState nc, const uint8_t buf,
	74	"virtio-net receive queue contains no in buffers");
	75	virtqueue_detach_element(q->rx_vq, elem, 0);
	76	g_free(elem);
	77	- return -1;
	78	+ err = -1;
	79	+ goto err;
	80	}
	81
	82	sg = elem->in_sg;
	83	@@ -1755,12 +1766,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState nc, const uint8_t buf,
	84	if (!n->mergeable_rx_bufs && offset < size) {
	85	virtqueue_unpop(q->rx_vq, elem, total);
	86	g_free(elem);
	87	- return size;
	88	+ err = size;
	89	+ goto err;
	90	}
	91
	92	- /* signal other side */
	93	- virtqueue_fill(q->rx_vq, elem, total, i++);
	94	- g_free(elem);
	95	+ elems[i] = elem;
	96	+ lens[i] = total;
	97	+ i++;
	98	}
	99
	100	if (mhdr_cnt) {
	101	@@ -1770,10 +1782,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState nc, const uint8_t buf,
	102	&mhdr.num_buffers, sizeof mhdr.num_buffers);
	103	}
	104
	105	+ for (j = 0; j < i; j++) {
	106	+ /* signal other side */
	107	+ virtqueue_fill(q->rx_vq, elems[j], lens[j], j);
	108	+ g_free(elems[j]);
	109	+ }
	110	+
	111	virtqueue_flush(q->rx_vq, i);
	112	virtio_notify(vdev, q->rx_vq);
	113
	114	return size;
	115	+
	116	+err:
	117	+ for (j = 0; j < i; j++) {
	118	+ g_free(elems[j]);
	119	+ }
	120	+
	121	+ return err;
	122	}
	123
	124	static ssize_t virtio_net_do_receive(NetClientState nc, const uint8_t buf,
	125	--
	126	2.31.1
	127