diff mbox series

qemu: Fix CVE-2023-40360

Message ID 20230827163809.3127870-1-raj.khem@gmail.com
State Accepted, archived
Commit 5b68ec70ecc9779146789cc635d8ab60928e9233
Headers show
Series qemu: Fix CVE-2023-40360 | expand

Commit Message

Khem Raj Aug. 27, 2023, 4:38 p.m. UTC 
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |  1 +
 ...w-nvme-fix-null-pointer-access-in-di.patch | 39 +++++++++++++++++++
 2 files changed, 40 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/0001-CVE-2023-40360-hw-nvme-fix-null-pointer-access-in-di.patch
diff mbox series

Patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 82a7b361b13..b98169c2433 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -28,6 +28,7 @@  SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch \
            file://0002-linux-user-Replace-use-of-lfs64-related-functions-an.patch \
            file://0001-tracetool-use-relative-paths-for-line-preprocessor-d.patch \
+	   file://0001-CVE-2023-40360-hw-nvme-fix-null-pointer-access-in-di.patch \
            file://qemu-guest-agent.init \
            file://qemu-guest-agent.udev \
            "
diff --git a/meta/recipes-devtools/qemu/qemu/0001-CVE-2023-40360-hw-nvme-fix-null-pointer-access-in-di.patch b/meta/recipes-devtools/qemu/qemu/0001-CVE-2023-40360-hw-nvme-fix-null-pointer-access-in-di.patch
new file mode 100644
index 00000000000..731b0281f43
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0001-CVE-2023-40360-hw-nvme-fix-null-pointer-access-in-di.patch
@@ -0,0 +1,39 @@ 
+From 83dd3da9fac872fac9739b9dcb96232c93675824 Mon Sep 17 00:00:00 2001
+From: Klaus Jensen <k.jensen@samsung.com>
+Date: Tue, 8 Aug 2023 17:16:13 +0200
+Subject: [PATCH] CVE-2023-40360 hw/nvme: fix null pointer access in directive
+ receive
+
+nvme_directive_receive() does not check if an endurance group has been
+configured (set) prior to testing if flexible data placement is enabled
+or not.
+
+Fix this.
+
+CVE: CVE-2023-40360
+Upstream-Status: Backport [https://gitlab.com/birkelund/qemu/-/commit/6c8f8456cb0b239812dee5211881426496da7b98]
+Cc: qemu-stable@nongnu.org
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1815
+Fixes: 73064edfb864 ("hw/nvme: flexible data placement emulation")
+Reviewed-by: Jesper Wendel Devantier <j.devantier@samsung.com>
+Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
+---
+ hw/nvme/ctrl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
+index 2097fb131..36a2846c3 100644
+--- a/hw/nvme/ctrl.c
++++ b/hw/nvme/ctrl.c
+@@ -6862,7 +6862,7 @@ static uint16_t nvme_directive_receive(NvmeCtrl *n, NvmeRequest *req)
+     case NVME_DIRECTIVE_IDENTIFY:
+         switch (doper) {
+         case NVME_DIRECTIVE_RETURN_PARAMS:
+-            if (ns->endgrp->fdp.enabled) {
++            if (ns->endgrp && ns->endgrp->fdp.enabled) {
+                 id.supported |= 1 << NVME_DIRECTIVE_DATA_PLACEMENT;
+                 id.enabled |= 1 << NVME_DIRECTIVE_DATA_PLACEMENT;
+                 id.persistent |= 1 << NVME_DIRECTIVE_DATA_PLACEMENT;
+-- 
+2.42.0
+