qemu: fix CVE-2021-3929

Backport patch to fix CVE-2021-3929. (From OE-Core rev: 3be3101ab1be2be58b6f27a28ca8e1ade3aff853) Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Sakib Sajal <sakib.sajal@windriver.com> 2022-08-10 10:11:56 -0400
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-08-23 15:22:52 +0100
commit: 73080b3372da2783c327378a3c1d668f0300b79f (patch)
tree: 47f5aa859cf8449622b1d61d789a1f708407066d
parent: 66575e31b76894e217350350307b30d3684ba4fa (diff)
download: poky-73080b3372da2783c327378a3c1d668f0300b79f.tar.gz
2 files changed, 71 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index dd30313fdd..53bad5c453 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -38,6 +38,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2022-35414.patch \
           file://CVE-2021-3507_1.patch \
           file://CVE-2021-3507_2.patch \
+           file://CVE-2021-3929.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch
new file mode 100644
index 0000000000..7555e5bc40
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch
@@ -0,0 +1,70 @@
+From 12daeafc9868c1ebe482d580494f9e6d3d5c260f Mon Sep 17 00:00:00 2001
+From: Klaus Jensen <k.jensen@samsung.com>
+Date: Fri, 17 Dec 2021 10:44:01 +0100
+Subject: [PATCH] hw/nvme: fix CVE-2021-3929
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+This fixes CVE-2021-3929 "locally" by denying DMA to the iomem of the
+device itself. This still allows DMA to MMIO regions of other devices
+(e.g. doing P2P DMA to the controller memory buffer of another NVMe
+device).
+Fixes: CVE-2021-3929
+Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
+Upstream-Status: Backport [736b01642d85be832385063f278fe7cd4ffb5221]
+CVE: CVE-2021-3929
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/nvme/ctrl.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
+index 5f573c417..eda52c6ac 100644
+--- a/hw/nvme/ctrl.c
+++ b/hw/nvme/ctrl.c
+@@ -357,6 +357,24 @@ static inline void *nvme_addr_to_pmr(NvmeCtrl *n, hwaddr addr)
+     return memory_region_get_ram_ptr(&n->pmr.dev->mr) + (addr - n->pmr.cba);
+ }
+ 
+static inline bool nvme_addr_is_iomem(NvmeCtrl *n, hwaddr addr)
+{
+    hwaddr hi, lo;
+
+    /*
+     * The purpose of this check is to guard against invalid "local" access to
+     * the iomem (i.e. controller registers). Thus, we check against the range
+     * covered by the 'bar0' MemoryRegion since that is currently composed of
+     * two subregions (the NVMe "MBAR" and the MSI-X table/pba). Note, however,
+     * that if the device model is ever changed to allow the CMB to be located
+     * in BAR0 as well, then this must be changed.
+     */
+    lo = n->bar0.addr;
+    hi = lo + int128_get64(n->bar0.size);
+
+    return addr >= lo && addr < hi;
+}
+
+ static int nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size)
+ {
+     hwaddr hi = addr + size - 1;
+@@ -614,6 +632,10 @@ static uint16_t nvme_map_addr(NvmeCtrl *n, NvmeSg *sg, hwaddr addr, size_t len)
+ 
+     trace_pci_nvme_map_addr(addr, len);
+ 
+    if (nvme_addr_is_iomem(n, addr)) {
+        return NVME_DATA_TRAS_ERROR;
+    }
+
+     if (nvme_addr_is_cmb(n, addr)) {
+         cmb = true;
+     } else if (nvme_addr_is_pmr(n, addr)) {
+-- 
+2.33.0
author	Sakib Sajal <sakib.sajal@windriver.com>	2022-08-10 10:11:56 -0400
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-08-23 15:22:52 +0100
commit	73080b3372da2783c327378a3c1d668f0300b79f (patch)
tree	47f5aa859cf8449622b1d61d789a1f708407066d
parent	66575e31b76894e217350350307b30d3684ba4fa (diff)
download	poky-73080b3372da2783c327378a3c1d668f0300b79f.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index dd30313fdd..53bad5c453 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -38,6 +38,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
38	file://CVE-2022-35414.patch \	38	file://CVE-2022-35414.patch \
39	file://CVE-2021-3507_1.patch \	39	file://CVE-2021-3507_1.patch \
40	file://CVE-2021-3507_2.patch \	40	file://CVE-2021-3507_2.patch \
		41	file://CVE-2021-3929.patch \
41	"	42	"
42	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	43	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
43		44


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch new file mode 100644 index 0000000000..7555e5bc40 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch
@@ -0,0 +1,70 @@
		1	From 12daeafc9868c1ebe482d580494f9e6d3d5c260f Mon Sep 17 00:00:00 2001
		2	From: Klaus Jensen <k.jensen@samsung.com>
		3	Date: Fri, 17 Dec 2021 10:44:01 +0100
		4	Subject: [PATCH] hw/nvme: fix CVE-2021-3929
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	This fixes CVE-2021-3929 "locally" by denying DMA to the iomem of the
		10	device itself. This still allows DMA to MMIO regions of other devices
		11	(e.g. doing P2P DMA to the controller memory buffer of another NVMe
		12	device).
		13
		14	Fixes: CVE-2021-3929
		15	Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
		16	Reviewed-by: Keith Busch <kbusch@kernel.org>
		17	Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
		18	Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
		19
		20	Upstream-Status: Backport [736b01642d85be832385063f278fe7cd4ffb5221]
		21	CVE: CVE-2021-3929
		22
		23	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
		24	---
		25	hw/nvme/ctrl.c \| 22 ++++++++++++++++++++++
		26	1 file changed, 22 insertions(+)
		27
		28	diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
		29	index 5f573c417..eda52c6ac 100644
		30	--- a/hw/nvme/ctrl.c
		31	+++ b/hw/nvme/ctrl.c
		32	@@ -357,6 +357,24 @@ static inline void nvme_addr_to_pmr(NvmeCtrl n, hwaddr addr)
		33	return memory_region_get_ram_ptr(&n->pmr.dev->mr) + (addr - n->pmr.cba);
		34	}
		35
		36	+static inline bool nvme_addr_is_iomem(NvmeCtrl *n, hwaddr addr)
		37	+{
		38	+ hwaddr hi, lo;
		39	+
		40	+ /*
		41	+ * The purpose of this check is to guard against invalid "local" access to
		42	+ * the iomem (i.e. controller registers). Thus, we check against the range
		43	+ * covered by the 'bar0' MemoryRegion since that is currently composed of
		44	+ * two subregions (the NVMe "MBAR" and the MSI-X table/pba). Note, however,
		45	+ * that if the device model is ever changed to allow the CMB to be located
		46	+ * in BAR0 as well, then this must be changed.
		47	+ */
		48	+ lo = n->bar0.addr;
		49	+ hi = lo + int128_get64(n->bar0.size);
		50	+
		51	+ return addr >= lo && addr < hi;
		52	+}
		53	+
		54	static int nvme_addr_read(NvmeCtrl n, hwaddr addr, void buf, int size)
		55	{
		56	hwaddr hi = addr + size - 1;
		57	@@ -614,6 +632,10 @@ static uint16_t nvme_map_addr(NvmeCtrl n, NvmeSg sg, hwaddr addr, size_t len)
		58
		59	trace_pci_nvme_map_addr(addr, len);
		60
		61	+ if (nvme_addr_is_iomem(n, addr)) {
		62	+ return NVME_DATA_TRAS_ERROR;
		63	+ }
		64	+
		65	if (nvme_addr_is_cmb(n, addr)) {
		66	cmb = true;
		67	} else if (nvme_addr_is_pmr(n, addr)) {
		68	--
		69	2.33.0
		70