diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch | 81 |
1 files changed, 81 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch new file mode 100644 index 0000000000..a1862f1226 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch | |||
@@ -0,0 +1,81 @@ | |||
1 | From 2c682b5975b41495f98cc34b8243042c446eec44 Mon Sep 17 00:00:00 2001 | ||
2 | From: Gaurav Gupta <gauragup@cisco.com> | ||
3 | Date: Wed, 29 Mar 2023 14:36:16 -0700 | ||
4 | Subject: [PATCH] hw/nvme: fix CVE-2021-3929 MIME-Version: 1.0 Content-Type: | ||
5 | text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit | ||
6 | MIME-Version: 1.0 | ||
7 | Content-Type: text/plain; charset=UTF-8 | ||
8 | Content-Transfer-Encoding: 8bit | ||
9 | |||
10 | This fixes CVE-2021-3929 "locally" by denying DMA to the iomem of the | ||
11 | device itself. This still allows DMA to MMIO regions of other devices | ||
12 | (e.g. doing P2P DMA to the controller memory buffer of another NVMe | ||
13 | device). | ||
14 | |||
15 | Fixes: CVE-2021-3929 | ||
16 | Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com> | ||
17 | Reviewed-by: Keith Busch <kbusch@kernel.org> | ||
18 | Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
19 | Signed-off-by: Klaus Jensen <k.jensen@samsung.com> | ||
20 | |||
21 | Upstream-Status: Backport | ||
22 | [https://gitlab.com/qemu-project/qemu/-/commit/736b01642d85be832385] | ||
23 | CVE: CVE-2021-3929 | ||
24 | Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> | ||
25 | Signed-off-by: Gaurav Gupta <gauragup@cisco.com> | ||
26 | --- | ||
27 | hw/block/nvme.c | 23 +++++++++++++++++++++++ | ||
28 | hw/block/nvme.h | 1 + | ||
29 | 2 files changed, 24 insertions(+) | ||
30 | |||
31 | diff --git a/hw/block/nvme.c b/hw/block/nvme.c | ||
32 | index bda446d..ae9b19f 100644 | ||
33 | --- a/hw/block/nvme.c | ||
34 | +++ b/hw/block/nvme.c | ||
35 | @@ -60,8 +60,31 @@ static bool nvme_addr_is_cmb(NvmeCtrl *n, hwaddr addr) | ||
36 | return addr >= low && addr < hi; | ||
37 | } | ||
38 | |||
39 | +static inline bool nvme_addr_is_iomem(NvmeCtrl *n, hwaddr addr) | ||
40 | +{ | ||
41 | + hwaddr hi, lo; | ||
42 | + | ||
43 | + /* | ||
44 | + * The purpose of this check is to guard against invalid "local" access to | ||
45 | + * the iomem (i.e. controller registers). Thus, we check against the range | ||
46 | + * covered by the 'bar0' MemoryRegion since that is currently composed of | ||
47 | + * two subregions (the NVMe "MBAR" and the MSI-X table/pba). Note, however, | ||
48 | + * that if the device model is ever changed to allow the CMB to be located | ||
49 | + * in BAR0 as well, then this must be changed. | ||
50 | + */ | ||
51 | + lo = n->bar0.addr; | ||
52 | + hi = lo + int128_get64(n->bar0.size); | ||
53 | + | ||
54 | + return addr >= lo && addr < hi; | ||
55 | +} | ||
56 | + | ||
57 | static int nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size) | ||
58 | { | ||
59 | + | ||
60 | + if (nvme_addr_is_iomem(n, addr)) { | ||
61 | + return NVME_DATA_TRAS_ERROR; | ||
62 | + } | ||
63 | + | ||
64 | if (n->cmbsz && nvme_addr_is_cmb(n, addr)) { | ||
65 | memcpy(buf, (void *)&n->cmbuf[addr - n->ctrl_mem.addr], size); | ||
66 | return 0; | ||
67 | diff --git a/hw/block/nvme.h b/hw/block/nvme.h | ||
68 | index 557194e..5a2b119 100644 | ||
69 | --- a/hw/block/nvme.h | ||
70 | +++ b/hw/block/nvme.h | ||
71 | @@ -59,6 +59,7 @@ typedef struct NvmeNamespace { | ||
72 | |||
73 | typedef struct NvmeCtrl { | ||
74 | PCIDevice parent_obj; | ||
75 | + MemoryRegion bar0; | ||
76 | MemoryRegion iomem; | ||
77 | MemoryRegion ctrl_mem; | ||
78 | NvmeBar bar; | ||
79 | -- | ||
80 | 1.8.3.1 | ||
81 | |||