qemu: fix CVE-2023-42467

QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset in hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not prevent s->qdev.blocksize from being 256. This stops QEMU and the guest immediately. References: https://nvd.nist.gov/vuln/detail/CVE-2023-42467 https://gitlab.com/qemu-project/qemu/-/issues/1813 (From OE-Core rev: 4925ac7120605d551e1b28196b4a4dab7bc72b66) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Yogita Urade <yogita.urade@windriver.com> 2023-10-04 11:19:31 +0000
committer: Steve Sakoman <steve@sakoman.com> 2023-10-11 03:54:46 -1000
commit: 30969f3e975b7a906f7e6eed1c4fa839072bc9aa (patch)
tree: 21e29b90352ffb8756edfa3330e200a8b6d95347 /meta
parent: ae2c4f104b4c5ed5d6e7fc138e34b75c44eb9d96 (diff)
download: poky-30969f3e975b7a906f7e6eed1c4fa839072bc9aa.tar.gz
2 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index cd17a11335..00decc57e5 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -42,6 +42,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2023-2861.patch \
           file://CVE-2023-3354.patch \
           file://CVE-2023-3180.patch \
+           file://CVE-2023-42467.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-42467.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-42467.patch
new file mode 100644
index 0000000000..0ca93494f0
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-42467.patch
@@ -0,0 +1,49 @@
+From 7cfcc79b0ab800959716738aff9419f53fc68c9c Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Wed, 4 Oct 2023 08:54:13 +0000
+Subject: [PATCH] hw/scsi/scsi-disk: Disallow block sizes smaller than 512
+ [CVE-2023-42467]
+We are doing things like
+    nb_sectors /= (s->qdev.blocksize / BDRV_SECTOR_SIZE);
+in the code here (e.g. in scsi_disk_emulate_mode_sense()), so if
+the blocksize is smaller than BDRV_SECTOR_SIZE (=512), this crashes
+with a division by 0 exception. Thus disallow block sizes of 256
+bytes to avoid this situation.
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1813
+CVE: 2023-42467
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Message-ID: <20230925091854.49198-1-thuth@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+CVE: CVE-2023-42467
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/7cfcc79b0ab800959716738aff9419f53fc68c9c]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ hw/scsi/scsi-disk.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
+index e493c2881..915e0369c 100644
+--- a/hw/scsi/scsi-disk.c
+++ b/hw/scsi/scsi-disk.c
+@@ -1624,9 +1624,10 @@ static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf)
+          * Since the existing code only checks/updates bits 8-15 of the block
+          * size, restrict ourselves to the same requirement for now to ensure
+          * that a block size set by a block descriptor and then read back by
+-         * a subsequent SCSI command will be the same
+         * a subsequent SCSI command will be the same. Also disallow a block
+         * size of 256 since we cannot handle anything below BDRV_SECTOR_SIZE.
+          */
+-        if (bs && !(bs & ~0xff00) && bs != s->qdev.blocksize) {
+        if (bs && !(bs & ~0xfe00) && bs != s->qdev.blocksize) {
+             s->qdev.blocksize = bs;
+             trace_scsi_disk_mode_select_set_blocksize(s->qdev.blocksize);
+         }
+--
+2.40.0
author	Yogita Urade <yogita.urade@windriver.com>	2023-10-04 11:19:31 +0000
committer	Steve Sakoman <steve@sakoman.com>	2023-10-11 03:54:46 -1000
commit	30969f3e975b7a906f7e6eed1c4fa839072bc9aa (patch)
tree	21e29b90352ffb8756edfa3330e200a8b6d95347 /meta
parent	ae2c4f104b4c5ed5d6e7fc138e34b75c44eb9d96 (diff)
download	poky-30969f3e975b7a906f7e6eed1c4fa839072bc9aa.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index cd17a11335..00decc57e5 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -42,6 +42,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
42	file://CVE-2023-2861.patch \	42	file://CVE-2023-2861.patch \
43	file://CVE-2023-3354.patch \	43	file://CVE-2023-3354.patch \
44	file://CVE-2023-3180.patch \	44	file://CVE-2023-3180.patch \
		45	file://CVE-2023-42467.patch \
45	"	46	"
46	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	47	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
47		48


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-42467.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-42467.patch new file mode 100644 index 0000000000..0ca93494f0 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-42467.patch
@@ -0,0 +1,49 @@
		1	From 7cfcc79b0ab800959716738aff9419f53fc68c9c Mon Sep 17 00:00:00 2001
		2	From: Thomas Huth <thuth@redhat.com>
		3	Date: Wed, 4 Oct 2023 08:54:13 +0000
		4	Subject: [PATCH] hw/scsi/scsi-disk: Disallow block sizes smaller than 512
		5	[CVE-2023-42467]
		6
		7	We are doing things like
		8
		9	nb_sectors /= (s->qdev.blocksize / BDRV_SECTOR_SIZE);
		10
		11	in the code here (e.g. in scsi_disk_emulate_mode_sense()), so if
		12	the blocksize is smaller than BDRV_SECTOR_SIZE (=512), this crashes
		13	with a division by 0 exception. Thus disallow block sizes of 256
		14	bytes to avoid this situation.
		15
		16	Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1813
		17	CVE: 2023-42467
		18	Signed-off-by: Thomas Huth <thuth@redhat.com>
		19	Message-ID: <20230925091854.49198-1-thuth@redhat.com>
		20	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
		21
		22	CVE: CVE-2023-42467
		23
		24	Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/7cfcc79b0ab800959716738aff9419f53fc68c9c]
		25
		26	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		27	---
		28	hw/scsi/scsi-disk.c \| 5 +++--
		29	1 file changed, 3 insertions(+), 2 deletions(-)
		30
		31	diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
		32	index e493c2881..915e0369c 100644
		33	--- a/hw/scsi/scsi-disk.c
		34	+++ b/hw/scsi/scsi-disk.c
		35	@@ -1624,9 +1624,10 @@ static void scsi_disk_emulate_mode_select(SCSIDiskReq r, uint8_t inbuf)
		36	* Since the existing code only checks/updates bits 8-15 of the block
		37	* size, restrict ourselves to the same requirement for now to ensure
		38	* that a block size set by a block descriptor and then read back by
		39	- * a subsequent SCSI command will be the same
		40	+ * a subsequent SCSI command will be the same. Also disallow a block
		41	+ * size of 256 since we cannot handle anything below BDRV_SECTOR_SIZE.
		42	*/
		43	- if (bs && !(bs & ~0xff00) && bs != s->qdev.blocksize) {
		44	+ if (bs && !(bs & ~0xfe00) && bs != s->qdev.blocksize) {
		45	s->qdev.blocksize = bs;
		46	trace_scsi_disk_mode_select_set_blocksize(s->qdev.blocksize);
		47	}
		48	--
		49	2.40.0