diff options
| author | Niranjan Pradhan <nirpradh@cisco.com> | 2023-11-16 21:20:00 -0800 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2023-11-28 05:00:32 -1000 |
| commit | 24646e55b255acd38fb8f78ffec2e406a0b2c449 (patch) | |
| tree | f56e71df326231d1847baf88954c7adb109179cb | |
| parent | f9527fb2ac6291ed0e0399fcc410c6718c23c410 (diff) | |
| download | poky-24646e55b255acd38fb8f78ffec2e406a0b2c449.tar.gz | |
qemu 6.2.0: Fix CVE-2023-1544
Upstream Repository: https://gitlab.com/qemu-project/qemu.git
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2023-1544
Type: Security Fix
CVE: CVE-2023-1544
Score: 6.3
Patch: https://gitlab.com/qemu-project/qemu/-/commit/85fc35afa93c
(From OE-Core rev: d019fcc99c542d49be6e1615a5c75f88f8ff5a52)
Signed-off-by: Niranjan Pradhan <nirpradh@cisco.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2023-1544.patch | 70 |
2 files changed, 71 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 83bd5d7e67..c8e4e2e6f3 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc | |||
| @@ -101,6 +101,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ | |||
| 101 | file://CVE-2023-3354.patch \ | 101 | file://CVE-2023-3354.patch \ |
| 102 | file://CVE-2023-3180.patch \ | 102 | file://CVE-2023-3180.patch \ |
| 103 | file://CVE-2021-3638.patch \ | 103 | file://CVE-2021-3638.patch \ |
| 104 | file://CVE-2023-1544.patch \ | ||
| 104 | " | 105 | " |
| 105 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" | 106 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" |
| 106 | 107 | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-1544.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-1544.patch new file mode 100644 index 0000000000..b4781e1c18 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-1544.patch | |||
| @@ -0,0 +1,70 @@ | |||
| 1 | From e7d6e37675e422cfab2fe8c6bd411d2097228760 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Yuval Shaia <yuval.shaia.ml@gmail.com> | ||
| 3 | Date: Wed, 1 Mar 2023 16:29:26 +0200 | ||
| 4 | Subject: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver | ||
| 5 | |||
| 6 | Guest driver allocates and initialize page tables to be used as a ring | ||
| 7 | of descriptors for CQ and async events. | ||
| 8 | The page table that represents the ring, along with the number of pages | ||
| 9 | in the page table is passed to the device. | ||
| 10 | Currently our device supports only one page table for a ring. | ||
| 11 | |||
| 12 | Let's make sure that the number of page table entries the driver | ||
| 13 | reports, do not exceeds the one page table size. | ||
| 14 | |||
| 15 | CVE: CVE-2023-1544 | ||
| 16 | Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/85fc35afa93c] | ||
| 17 | |||
| 18 | Reported-by: Soul Chen <soulchen8650@gmail.com> | ||
| 19 | Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com> | ||
| 20 | Fixes: CVE-2023-1544 | ||
| 21 | Message-ID: <20230301142926.18686-1-yuval.shaia.ml@gmail.com> | ||
| 22 | Signed-off-by: Thomas Huth <thuth@redhat.com> | ||
| 23 | (cherry picked from commit 85fc35afa93c7320d1641d344d0c5dfbe341d087) | ||
| 24 | Signed-off-by: Niranjan Pradhan <nirpradh@cisco.com> | ||
| 25 | --- | ||
| 26 | hw/rdma/vmw/pvrdma_main.c | 16 +++++++++++++++- | ||
| 27 | 1 file changed, 15 insertions(+), 1 deletion(-) | ||
| 28 | |||
| 29 | diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c | ||
| 30 | index 4fc6712025..55b338046e 100644 | ||
| 31 | --- a/hw/rdma/vmw/pvrdma_main.c | ||
| 32 | +++ b/hw/rdma/vmw/pvrdma_main.c | ||
| 33 | @@ -91,19 +91,33 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state, | ||
| 34 | dma_addr_t dir_addr, uint32_t num_pages) | ||
| 35 | { | ||
| 36 | uint64_t *dir, *tbl; | ||
| 37 | - int rc = 0; | ||
| 38 | + int max_pages, rc = 0; | ||
| 39 | |||
| 40 | if (!num_pages) { | ||
| 41 | rdma_error_report("Ring pages count must be strictly positive"); | ||
| 42 | return -EINVAL; | ||
| 43 | } | ||
| 44 | |||
| 45 | + /* | ||
| 46 | + * Make sure we can satisfy the requested number of pages in a single | ||
| 47 | + * TARGET_PAGE_SIZE sized page table (taking into account that first entry | ||
| 48 | + * is reserved for ring-state) | ||
| 49 | + */ | ||
| 50 | + max_pages = TARGET_PAGE_SIZE / sizeof(dma_addr_t) - 1; | ||
| 51 | + if (num_pages > max_pages) { | ||
| 52 | + rdma_error_report("Maximum pages on a single directory must not exceed %d\n", | ||
| 53 | + max_pages); | ||
| 54 | + return -EINVAL; | ||
| 55 | + } | ||
| 56 | + | ||
| 57 | dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE); | ||
| 58 | if (!dir) { | ||
| 59 | rdma_error_report("Failed to map to page directory (ring %s)", name); | ||
| 60 | rc = -ENOMEM; | ||
| 61 | goto out; | ||
| 62 | } | ||
| 63 | + | ||
| 64 | + /* We support only one page table for a ring */ | ||
| 65 | tbl = rdma_pci_dma_map(pci_dev, dir[0], TARGET_PAGE_SIZE); | ||
| 66 | if (!tbl) { | ||
| 67 | rdma_error_report("Failed to map to page table (ring %s)", name); | ||
| 68 | -- | ||
| 69 | 2.35.6 | ||
| 70 | |||
