diff --git a/0285-fix-CVE-2024-7730.patch b/0285-fix-CVE-2024-7730.patch
new file mode 100644
index 0000000000000000000000000000000000000000..49b3902e9879da4235be9c200142e88471d42b8a
--- /dev/null
+++ b/0285-fix-CVE-2024-7730.patch
@@ -0,0 +1,58 @@
+From 98e77e3dd8dd6e7aa9a7dffa60f49c8c8a49d4e3 Mon Sep 17 00:00:00 2001
+From: Manos Pitsidianakis
+Date: Mon, 8 Jul 2024 10:09:49 +0300
+Subject: [PATCH] virtio-snd: add max size bounds check in input cb
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When reading input audio in the virtio-snd input callback,
+virtio_snd_pcm_in_cb(), we do not check whether the iov can actually fit
+the data buffer. This is because we use the buffer->size field as a
+total-so-far accumulator instead of byte-size-left like in TX buffers.
+
+This triggers an out of bounds write if the size of the virtio queue
+element is equal to virtio_snd_pcm_status, which makes the available
+space for audio data zero. This commit adds a check for reaching the
+maximum buffer size before attempting any writes.
+
+Reported-by: Zheyu Ma
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2427
+Signed-off-by: Manos Pitsidianakis
+Message-Id:
+Reviewed-by: Philippe Mathieu-Daud茅
+Reviewed-by: Michael S. Tsirkin
+Signed-off-by: Michael S. 
Tsirkin
+---
+ hw/audio/virtio-snd.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c
+index 5993f4f0407..e6432ac959a 100644
+--- a/hw/audio/virtio-snd.c
++++ b/hw/audio/virtio-snd.c
+@@ -1261,7 +1261,7 @@ static void virtio_snd_pcm_in_cb(void *data, int available)
+ {
+ VirtIOSoundPCMStream *stream = data;
+ VirtIOSoundPCMBuffer *buffer;
+- size_t size;
++ size_t size, max_size;
+
+ WITH_QEMU_LOCK_GUARD(&stream->queue_mutex) {
+ while (!QSIMPLEQ_EMPTY(&stream->queue)) {
+@@ -1275,7 +1275,12 @@ static void virtio_snd_pcm_in_cb(void *data, int available)
+ continue;
+ }
+
++ max_size = iov_size(buffer->elem->in_sg, buffer->elem->in_num);
+ for (;;) {
++ if (buffer->size >= max_size) {
++ return_rx_buffer(stream, buffer);
++ break;
++ }
+ size = AUD_read(stream->voice.in,
+ buffer->data + buffer->size,
+ MIN(available, (stream->params.period_bytes -
+--
+GitLab
+
diff --git a/qemu.spec b/qemu.spec
index 13f07bff8ca89a55dd4c5cc38b2ff6b318b9a5fc..1d6959d22c324bb42fc8c2b7a73b5ecdfc55be09 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,4 +1,4 @@
-%define anolis_release 25
+%define anolis_release 26
 %bcond_with check
 %global all_system_emu_support 0
@@ -567,6 +567,7 @@ Patch0281: 0281-hw-i386-pc-add-mem2-option-for-qemu.patch
 Patch0282: 0282-hw-misc-psp-support-tkm-use-mem2-memory.patch
 Patch0283: 0283-hw-misc-psp-Pin-the-hugepage-memory-specified-by-mem.patch
 Patch0284: 0284-fix-potential-use-after-free-with-dbus-shared-memory.patch
+Patch0285: 0285-fix-CVE-2024-7730.patch
 ExclusiveArch: x86_64 aarch64 loongarch64
@@ -2111,6 +2112,9 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 %endif
 %changelog
+* Thu Dec 12 2024 mgb01105731 - 2:8.2.0-26
+- add patch to fix CVE-2024-7730
+
 * Sat Nov 30 2024 Xianglai Li - 2:8.2.0-25
 - Remove loongarch qemu's dependency on the seavgabios package.
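Review bot: The new guard in the second hunk compares `buffer->size` against the whole `iov_size(buffer->elem->in_sg, buffer->elem->in_num)`, yet the commit message itself says the audio data area is the element size minus `virtio_snd_pcm_status` (the status is appended to the same iov by `return_rx_buffer()`), so if the RX allocation really sizes `buffer->data` that way (the allocation site and the rest of `virtio_snd_pcm_in_cb()` are outside this hunk), the check still admits up to `sizeof(virtio_snd_pcm_status)` bytes of `AUD_read()` output past the end of `data`. Please confirm against the allocation in the RX handler; if the capacity is indeed reduced by the status struct, the bound should be `if (buffer->size + sizeof(virtio_snd_pcm_status) >= max_size) {` or `max_size` should be computed with the same expression the allocation uses. Separately, the vendored file declares `charset=UTF-8` but carries a mojibake trailer (`Reviewed-by: Philippe Mathieu-Daud茅`) and an empty `Message-Id:`, which suggests it was not copied byte-exact from upstream commit 98e77e3dd8dd6e7aa9a7dffa60f49c8c8a49d4e3; re-exporting it with `git format-patch` would keep the provenance headers intact for later CVE audits.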
@@ -2120,10 +2124,10 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 * Wed Nov 27 2024 mgb01105731 - 2:8.2.0-23
 - Fix vm cannot boot on arm64 plateform
-* Mon Nov 15 2024 Chang Gao - 2:8.2.0-22
+* Fri Nov 15 2024 Chang Gao - 2:8.2.0-22
 - Disable other platform support when running on specified arch.
-* Tue Nov 14 2024 Xuchun Shang - 2:8.2.0-21
+* Thu Nov 14 2024 Xuchun Shang - 2:8.2.0-21
 - Update the src package and release for version 21
 * Tue Oct 29 2024 Xuchun Shang - 2:8.2.0-20
@@ -2136,7 +2140,7 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 - Patch1054: 1054-virtio-net-Fix-network-stall-at-the-host-side-waitin.patch
 (Fix network stall at the host side waiting for kick)
-* Mon Jun 20 2024 Wencheng Yang - 2:8.2.0-17
+* Thu Jun 20 2024 Wencheng Yang - 2:8.2.0-17
 - Patch1053: 1053-target-i386-csv-Release-CSV3-shared-pages-after-unma.patch
 (Release CSV3 shared pages after unmapping DMA)
@@ -2156,7 +2160,7 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 * Mon May 20 2024 Song Gao -2.8.2.0-13
 - Fix system-loongarch64-core requires
-* Tue Apr 19 2024 Yanjing Zhou - 2:8.2.0-12
+* Fri Apr 19 2024 Yanjing Zhou - 2:8.2.0-12
 - Patch1049: 1049-target-i386-Add-Hygon-Dhyana-v3-CPU-model.patch
 - Patch1050: 1050-target-i386-Add-new-Hygon-Dharma-CPU-model.patch
 (Add Hygon Dhyana-v3 and Dharma CPU model)
@@ -2277,11 +2281,11 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 Remove subpackage of virtiofsd since QEMU upstream deleted the C impl of virtiofsd entirely. The alternative is to rewrite it separately in rust.
-* Sat Mar 06 2024 Liyang Han - 15:7.2.6-8
+* Wed Mar 06 2024 Liyang Han - 15:7.2.6-8
 - Patch0046: 0046-target-i386-sev-Fix-incompatibility-between-SEV-and-.patch
 (Fix incompatibility between SEV and CSV on the GET_ID API)
-* Wed Jan 22 2024 Liyang Han - 15:7.2.6-7
+* Mon Jan 22 2024 Liyang Han - 15:7.2.6-7
 - Patch0045: 0045-anolis-target-i386-sev-Add-support-for-reuse-ASID-fo.patch
 (Support reuse ASID for CSV guests)
@@ -2297,7 +2301,7 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 - Patch0043: 0043-anolis-csv-i386-add-support-to-migrate-the-incoming-.patch
 (Support CSV3 live migration)
-* Tue Nov 22 2023 Liyang Han - 15:7.2.6-4
+* Wed Nov 22 2023 Liyang Han - 15:7.2.6-4
 - Patch0010: 0010-doc-update-AMD-SEV-to-include-Live-migration-flow.patch
 - Patch0011: 0011-migration.json-add-AMD-SEV-specific-migration-parame.patch
 - Patch0012: 0012-confidential-guest-support-introduce-ConfidentialGue.patch