
[OE-core,kirkstone] qemu 6.2.0: Fix CVE-2023-1544

Message ID 20231117045955.2183952-1-nirpradh@cisco.com
State New

Commit Message

Niranjan Pradhan Nov. 17, 2023, 4:59 a.m. UTC
Upstream Repository: https://gitlab.com/qemu-project/qemu.git

Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2023-1544
Type: Security Fix
CVE: CVE-2023-1544
Score: 6.3
Patch: https://gitlab.com/qemu-project/qemu/-/commit/85fc35afa93c

Signed-off-by: Niranjan Pradhan <nirpradh@cisco.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |  1 +
 .../qemu/qemu/CVE-2023-1544.patch             | 70 +++++++++++++++++++
 2 files changed, 71 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-1544.patch

Comments

akuster808 Nov. 17, 2023, 3:41 p.m. UTC | #1
Wrong mailing list. Please try openembedded-core@lists.openembedded.org

br,
Armin

On 11/16/23 11:59 PM, Niranjan Pradhan via lists.openembedded.org wrote:
> Upstream Repository: https://gitlab.com/qemu-project/qemu.git
>
> Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2023-1544
> Type: Security Fix
> CVE: CVE-2023-1544
> Score: 6.3
> Patch: https://gitlab.com/qemu-project/qemu/-/commit/85fc35afa93c
>
> Signed-off-by: Niranjan Pradhan <nirpradh@cisco.com>
> ---
>   meta/recipes-devtools/qemu/qemu.inc           |  1 +
>   .../qemu/qemu/CVE-2023-1544.patch             | 70 +++++++++++++++++++
>   2 files changed, 71 insertions(+)
>   create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-1544.patch
>
> diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
> index 83bd5d7e67..c8e4e2e6f3 100644
> --- a/meta/recipes-devtools/qemu/qemu.inc
> +++ b/meta/recipes-devtools/qemu/qemu.inc
> @@ -101,6 +101,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
>   	   file://CVE-2023-3354.patch \
>   	   file://CVE-2023-3180.patch \
>   	   file://CVE-2021-3638.patch \
> +	   file://CVE-2023-1544.patch \
>              "
>   UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
>   
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-1544.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-1544.patch
> new file mode 100644
> index 0000000000..b4781e1c18
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-1544.patch
> @@ -0,0 +1,70 @@
> +From e7d6e37675e422cfab2fe8c6bd411d2097228760 Mon Sep 17 00:00:00 2001
> +From: Yuval Shaia <yuval.shaia.ml@gmail.com>
> +Date: Wed, 1 Mar 2023 16:29:26 +0200
> +Subject: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver
> +
> +Guest driver allocates and initialize page tables to be used as a ring
> +of descriptors for CQ and async events.
> +The page table that represents the ring, along with the number of pages
> +in the page table is passed to the device.
> +Currently our device supports only one page table for a ring.
> +
> +Let's make sure that the number of page table entries the driver
> +reports, do not exceeds the one page table size.
> +
> +CVE: CVE-2023-1544
> +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/85fc35afa93c]
> +
> +Reported-by: Soul Chen <soulchen8650@gmail.com>
> +Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
> +Fixes: CVE-2023-1544
> +Message-ID: <20230301142926.18686-1-yuval.shaia.ml@gmail.com>
> +Signed-off-by: Thomas Huth <thuth@redhat.com>
> +(cherry picked from commit 85fc35afa93c7320d1641d344d0c5dfbe341d087)
> +Signed-off-by: Niranjan Pradhan <nirpradh@cisco.com>
> +---
> + hw/rdma/vmw/pvrdma_main.c | 16 +++++++++++++++-
> + 1 file changed, 15 insertions(+), 1 deletion(-)
> +
> +diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
> +index 4fc6712025..55b338046e 100644
> +--- a/hw/rdma/vmw/pvrdma_main.c
> ++++ b/hw/rdma/vmw/pvrdma_main.c
> +@@ -91,19 +91,33 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state,
> +                          dma_addr_t dir_addr, uint32_t num_pages)
> + {
> +     uint64_t *dir, *tbl;
> +-    int rc = 0;
> ++    int max_pages, rc = 0;
> +
> +     if (!num_pages) {
> +         rdma_error_report("Ring pages count must be strictly positive");
> +         return -EINVAL;
> +     }
> +
> ++    /*
> ++     * Make sure we can satisfy the requested number of pages in a single
> ++     * TARGET_PAGE_SIZE sized page table (taking into account that first entry
> ++     * is reserved for ring-state)
> ++     */
> ++    max_pages = TARGET_PAGE_SIZE / sizeof(dma_addr_t) - 1;
> ++    if (num_pages > max_pages) {
> ++        rdma_error_report("Maximum pages on a single directory must not exceed %d\n",
> ++                          max_pages);
> ++        return -EINVAL;
> ++    }
> ++
> +     dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE);
> +     if (!dir) {
> +         rdma_error_report("Failed to map to page directory (ring %s)", name);
> +         rc = -ENOMEM;
> +         goto out;
> +     }
> ++
> ++    /* We support only one page table for a ring */
> +     tbl = rdma_pci_dma_map(pci_dev, dir[0], TARGET_PAGE_SIZE);
> +     if (!tbl) {
> +         rdma_error_report("Failed to map to page table (ring %s)", name);
> +--
> +2.35.6
> +
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#106847): https://lists.openembedded.org/g/openembedded-devel/message/106847
> Mute This Topic: https://lists.openembedded.org/mt/102642225/3616698
> Group Owner: openembedded-devel+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [akuster808@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 83bd5d7e67..c8e4e2e6f3 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -101,6 +101,7 @@  SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 	   file://CVE-2023-3354.patch \
 	   file://CVE-2023-3180.patch \
 	   file://CVE-2021-3638.patch \
+	   file://CVE-2023-1544.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-1544.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-1544.patch
new file mode 100644
index 0000000000..b4781e1c18
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-1544.patch
@@ -0,0 +1,70 @@ 
+From e7d6e37675e422cfab2fe8c6bd411d2097228760 Mon Sep 17 00:00:00 2001
+From: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Date: Wed, 1 Mar 2023 16:29:26 +0200
+Subject: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver
+
+Guest driver allocates and initialize page tables to be used as a ring
+of descriptors for CQ and async events.
+The page table that represents the ring, along with the number of pages
+in the page table is passed to the device.
+Currently our device supports only one page table for a ring.
+
+Let's make sure that the number of page table entries the driver
+reports, do not exceeds the one page table size.
+
+CVE: CVE-2023-1544
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/85fc35afa93c]
+
+Reported-by: Soul Chen <soulchen8650@gmail.com>
+Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Fixes: CVE-2023-1544
+Message-ID: <20230301142926.18686-1-yuval.shaia.ml@gmail.com>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+(cherry picked from commit 85fc35afa93c7320d1641d344d0c5dfbe341d087)
+Signed-off-by: Niranjan Pradhan <nirpradh@cisco.com>
+---
+ hw/rdma/vmw/pvrdma_main.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
+index 4fc6712025..55b338046e 100644
+--- a/hw/rdma/vmw/pvrdma_main.c
++++ b/hw/rdma/vmw/pvrdma_main.c
+@@ -91,19 +91,33 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state,
+                          dma_addr_t dir_addr, uint32_t num_pages)
+ {
+     uint64_t *dir, *tbl;
+-    int rc = 0;
++    int max_pages, rc = 0;
+ 
+     if (!num_pages) {
+         rdma_error_report("Ring pages count must be strictly positive");
+         return -EINVAL;
+     }
+ 
++    /*
++     * Make sure we can satisfy the requested number of pages in a single
++     * TARGET_PAGE_SIZE sized page table (taking into account that first entry
++     * is reserved for ring-state)
++     */
++    max_pages = TARGET_PAGE_SIZE / sizeof(dma_addr_t) - 1;
++    if (num_pages > max_pages) {
++        rdma_error_report("Maximum pages on a single directory must not exceed %d\n",
++                          max_pages);
++        return -EINVAL;
++    }
++
+     dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE);
+     if (!dir) {
+         rdma_error_report("Failed to map to page directory (ring %s)", name);
+         rc = -ENOMEM;
+         goto out;
+     }
++
++    /* We support only one page table for a ring */
+     tbl = rdma_pci_dma_map(pci_dev, dir[0], TARGET_PAGE_SIZE);
+     if (!tbl) {
+         rdma_error_report("Failed to map to page table (ring %s)", name);
+-- 
+2.35.6
+
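Review bot: In the bound check added to init_dev_ring, `max_pages` is declared `int` but compared with the guest-supplied `uint32_t num_pages`, so `num_pages > max_pages` relies on an implicit signed-to-unsigned conversion and is correct only because the computed limit is always positive. Declaring it as `uint32_t max_pages` and printing it with `%u` would make the limit's type match the value it guards. The new `rdma_error_report(...)` format string also ends in `\n`, unlike the other three rdma_error_report calls visible in this hunk. Because this file is a cherry-pick of the upstream commit, both points are probably better raised upstream than changed in the recipe's copy. The function body continues past the hunk, so how many table entries are actually consumed after the check cannot be confirmed from here.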