
[kirkstone] qemu 6.2.0: Fix CVE-2023-1544

Message ID 20231117052000.2189297-1-nirpradh@cisco.com
State New, archived

Commit Message

Niranjan Pradhan Nov. 17, 2023, 5:20 a.m. UTC
Upstream Repository: https://gitlab.com/qemu-project/qemu.git

Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2023-1544
Type: Security Fix
CVE: CVE-2023-1544
Score: 6.3
Patch: https://gitlab.com/qemu-project/qemu/-/commit/85fc35afa93c

Signed-off-by: Niranjan Pradhan <nirpradh@cisco.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |  1 +
 .../qemu/qemu/CVE-2023-1544.patch             | 70 +++++++++++++++++++
 2 files changed, 71 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-1544.patch

Patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 83bd5d7e67..c8e4e2e6f3 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -101,6 +101,7 @@  SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 	   file://CVE-2023-3354.patch \
 	   file://CVE-2023-3180.patch \
 	   file://CVE-2021-3638.patch \
+	   file://CVE-2023-1544.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-1544.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-1544.patch
new file mode 100644
index 0000000000..b4781e1c18
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-1544.patch
@@ -0,0 +1,70 @@ 
+From e7d6e37675e422cfab2fe8c6bd411d2097228760 Mon Sep 17 00:00:00 2001
+From: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Date: Wed, 1 Mar 2023 16:29:26 +0200
+Subject: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver
+
+Guest driver allocates and initialize page tables to be used as a ring
+of descriptors for CQ and async events.
+The page table that represents the ring, along with the number of pages
+in the page table is passed to the device.
+Currently our device supports only one page table for a ring.
+
+Let's make sure that the number of page table entries the driver
+reports, do not exceeds the one page table size.
+
+CVE: CVE-2023-1544
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/85fc35afa93c]
+
+Reported-by: Soul Chen <soulchen8650@gmail.com>
+Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Fixes: CVE-2023-1544
+Message-ID: <20230301142926.18686-1-yuval.shaia.ml@gmail.com>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+(cherry picked from commit 85fc35afa93c7320d1641d344d0c5dfbe341d087)
+Signed-off-by: Niranjan Pradhan <nirpradh@cisco.com>
+---
+ hw/rdma/vmw/pvrdma_main.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
+index 4fc6712025..55b338046e 100644
+--- a/hw/rdma/vmw/pvrdma_main.c
++++ b/hw/rdma/vmw/pvrdma_main.c
+@@ -91,19 +91,33 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state,
+                          dma_addr_t dir_addr, uint32_t num_pages)
+ {
+     uint64_t *dir, *tbl;
+-    int rc = 0;
++    int max_pages, rc = 0;
+ 
+     if (!num_pages) {
+         rdma_error_report("Ring pages count must be strictly positive");
+         return -EINVAL;
+     }
+ 
++    /*
++     * Make sure we can satisfy the requested number of pages in a single
++     * TARGET_PAGE_SIZE sized page table (taking into account that first entry
++     * is reserved for ring-state)
++     */
++    max_pages = TARGET_PAGE_SIZE / sizeof(dma_addr_t) - 1;
++    if (num_pages > max_pages) {
++        rdma_error_report("Maximum pages on a single directory must not exceed %d\n",
++                          max_pages);
++        return -EINVAL;
++    }
++
+     dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE);
+     if (!dir) {
+         rdma_error_report("Failed to map to page directory (ring %s)", name);
+         rc = -ENOMEM;
+         goto out;
+     }
++
++    /* We support only one page table for a ring */
+     tbl = rdma_pci_dma_map(pci_dev, dir[0], TARGET_PAGE_SIZE);
+     if (!tbl) {
+         rdma_error_report("Failed to map to page table (ring %s)", name);
+-- 
+2.35.6
+
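Review bot: In the bound check added to init_dev_ring, `max_pages` is declared `int` while the guest-supplied `num_pages` is `uint32_t`, so `num_pages > max_pages` is a mixed signed/unsigned comparison that is correct only because the computed limit happens to be positive. Declaring it as `uint32_t max_pages;` and printing it with `%u` keeps the untrusted count and its limit in the same type and avoids a -Wsign-compare warning. The new message also ends in `\n`, unlike the other rdma_error_report calls visible in this hunk, which suggests the macro already terminates the line; dropping it would keep the log output consistent. The function body continues past the end of the hunk, so how num_pages is used after the two mappings cannot be confirmed from here.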