1 files changed, 81 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch
new file mode 100644
index 0000000000..a1862f1226
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch
@@ -0,0 +1,81 @@
+From 2c682b5975b41495f98cc34b8243042c446eec44 Mon Sep 17 00:00:00 2001
+From: Gaurav Gupta <gauragup@cisco.com>
+Date: Wed, 29 Mar 2023 14:36:16 -0700
+Subject: [PATCH] hw/nvme: fix CVE-2021-3929 MIME-Version: 1.0 Content-Type:
+ text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+This fixes CVE-2021-3929 "locally" by denying DMA to the iomem of the
+device itself. This still allows DMA to MMIO regions of other devices
+(e.g. doing P2P DMA to the controller memory buffer of another NVMe
+device).
+Fixes: CVE-2021-3929
+Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
+Upstream-Status: Backport
+[https://gitlab.com/qemu-project/qemu/-/commit/736b01642d85be832385]
+CVE: CVE-2021-3929
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+Signed-off-by: Gaurav Gupta <gauragup@cisco.com>
+---
+ hw/block/nvme.c | 23 +++++++++++++++++++++++
+ hw/block/nvme.h |  1 +
+ 2 files changed, 24 insertions(+)
+diff --git a/hw/block/nvme.c b/hw/block/nvme.c
+index bda446d..ae9b19f 100644
+--- a/hw/block/nvme.c
+++ b/hw/block/nvme.c
+@@ -60,8 +60,31 @@ static bool nvme_addr_is_cmb(NvmeCtrl *n, hwaddr addr)
+     return addr >= low && addr < hi;
+ }
+ 
+static inline bool nvme_addr_is_iomem(NvmeCtrl *n, hwaddr addr)
+{
+    hwaddr hi, lo;
+
+    /*
+     * The purpose of this check is to guard against invalid "local" access to
+     * the iomem (i.e. controller registers). Thus, we check against the range
+     * covered by the 'bar0' MemoryRegion since that is currently composed of
+     * two subregions (the NVMe "MBAR" and the MSI-X table/pba). Note, however,
+     * that if the device model is ever changed to allow the CMB to be located
+     * in BAR0 as well, then this must be changed.
+     */
+    lo = n->bar0.addr;
+    hi = lo + int128_get64(n->bar0.size);
+
+    return addr >= lo && addr < hi;
+}
+
+ static int nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size)
+ {
+
+    if (nvme_addr_is_iomem(n, addr)) {
+       return NVME_DATA_TRAS_ERROR;
+    }
+
+     if (n->cmbsz && nvme_addr_is_cmb(n, addr)) {
+         memcpy(buf, (void *)&n->cmbuf[addr - n->ctrl_mem.addr], size);
+         return 0;
+diff --git a/hw/block/nvme.h b/hw/block/nvme.h
+index 557194e..5a2b119 100644
+--- a/hw/block/nvme.h
+++ b/hw/block/nvme.h
+@@ -59,6 +59,7 @@ typedef struct NvmeNamespace {
+ 
+ typedef struct NvmeCtrl {
+     PCIDevice    parent_obj;
+    MemoryRegion bar0;
+     MemoryRegion iomem;
+     MemoryRegion ctrl_mem;
+     NvmeBar      bar;
+-- 
+1.8.3.1

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch new file mode 100644 index 0000000000..a1862f1226 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch
@@ -0,0 +1,81 @@
	1	From 2c682b5975b41495f98cc34b8243042c446eec44 Mon Sep 17 00:00:00 2001
	2	From: Gaurav Gupta <gauragup@cisco.com>
	3	Date: Wed, 29 Mar 2023 14:36:16 -0700
	4	Subject: [PATCH] hw/nvme: fix CVE-2021-3929 MIME-Version: 1.0 Content-Type:
	5	text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
	6	MIME-Version: 1.0
	7	Content-Type: text/plain; charset=UTF-8
	8	Content-Transfer-Encoding: 8bit
	9
	10	This fixes CVE-2021-3929 "locally" by denying DMA to the iomem of the
	11	device itself. This still allows DMA to MMIO regions of other devices
	12	(e.g. doing P2P DMA to the controller memory buffer of another NVMe
	13	device).
	14
	15	Fixes: CVE-2021-3929
	16	Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
	17	Reviewed-by: Keith Busch <kbusch@kernel.org>
	18	Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
	19	Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
	20
	21	Upstream-Status: Backport
	22	[https://gitlab.com/qemu-project/qemu/-/commit/736b01642d85be832385]
	23	CVE: CVE-2021-3929
	24	Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
	25	Signed-off-by: Gaurav Gupta <gauragup@cisco.com>
	26	---
	27	hw/block/nvme.c \| 23 +++++++++++++++++++++++
	28	hw/block/nvme.h \| 1 +
	29	2 files changed, 24 insertions(+)
	30
	31	diff --git a/hw/block/nvme.c b/hw/block/nvme.c
	32	index bda446d..ae9b19f 100644
	33	--- a/hw/block/nvme.c
	34	+++ b/hw/block/nvme.c
	35	@@ -60,8 +60,31 @@ static bool nvme_addr_is_cmb(NvmeCtrl *n, hwaddr addr)
	36	return addr >= low && addr < hi;
	37	}
	38
	39	+static inline bool nvme_addr_is_iomem(NvmeCtrl *n, hwaddr addr)
	40	+{
	41	+ hwaddr hi, lo;
	42	+
	43	+ /*
	44	+ * The purpose of this check is to guard against invalid "local" access to
	45	+ * the iomem (i.e. controller registers). Thus, we check against the range
	46	+ * covered by the 'bar0' MemoryRegion since that is currently composed of
	47	+ * two subregions (the NVMe "MBAR" and the MSI-X table/pba). Note, however,
	48	+ * that if the device model is ever changed to allow the CMB to be located
	49	+ * in BAR0 as well, then this must be changed.
	50	+ */
	51	+ lo = n->bar0.addr;
	52	+ hi = lo + int128_get64(n->bar0.size);
	53	+
	54	+ return addr >= lo && addr < hi;
	55	+}
	56	+
	57	static int nvme_addr_read(NvmeCtrl n, hwaddr addr, void buf, int size)
	58	{
	59	+
	60	+ if (nvme_addr_is_iomem(n, addr)) {
	61	+ return NVME_DATA_TRAS_ERROR;
	62	+ }
	63	+
	64	if (n->cmbsz && nvme_addr_is_cmb(n, addr)) {
	65	memcpy(buf, (void *)&n->cmbuf[addr - n->ctrl_mem.addr], size);
	66	return 0;
	67	diff --git a/hw/block/nvme.h b/hw/block/nvme.h
	68	index 557194e..5a2b119 100644
	69	--- a/hw/block/nvme.h
	70	+++ b/hw/block/nvme.h
	71	@@ -59,6 +59,7 @@ typedef struct NvmeNamespace {
	72
	73	typedef struct NvmeCtrl {
	74	PCIDevice parent_obj;
	75	+ MemoryRegion bar0;
	76	MemoryRegion iomem;
	77	MemoryRegion ctrl_mem;
	78	NvmeBar bar;
	79	--
	80	1.8.3.1
	81