diff --git a/0285-fix-CVE-2024-7730.patch b/0285-fix-CVE-2024-7730.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f70125aaa79abea210c3a159381452556863fe2f
--- /dev/null
+++ b/0285-fix-CVE-2024-7730.patch
@@ -0,0 +1,57 @@
+From 98e77e3dd8dd6e7aa9a7dffa60f49c8c8a49d4e3 Mon Sep 17 00:00:00 2001
+From: Manos Pitsidianakis
+Date: Mon, 8 Jul 2024 10:09:49 +0300
+Subject: [PATCH] virtio-snd: add max size bounds check in input cb
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When reading input audio in the virtio-snd input callback,
+virtio_snd_pcm_in_cb(), we do not check whether the iov can actually fit
+the data buffer. This is because we use the buffer->size field as a
+total-so-far accumulator instead of byte-size-left like in TX buffers.
+
+This triggers an out of bounds write if the size of the virtio queue
+element is equal to virtio_snd_pcm_status, which makes the available
+space for audio data zero. This commit adds a check for reaching the
+maximum buffer size before attempting any writes.
+
+Reported-by: Zheyu Ma
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2427
+Signed-off-by: Manos Pitsidianakis
+Message-Id:
+Reviewed-by: Philippe Mathieu-Daud茅
+Reviewed-by: Michael S. Tsirkin
+Signed-off-by: Michael S. Tsirkin
+---
+ hw/audio/virtio-snd.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c
+index 5993f4f0407..e6432ac959a 100644
+--- a/hw/audio/virtio-snd.c
++++ b/hw/audio/virtio-snd.c
+@@ -1261,7 +1261,7 @@ static void virtio_snd_pcm_in_cb(void *data, int available)
+ {
+ VirtIOSoundPCMStream *stream = data;
+ VirtIOSoundPCMBuffer *buffer;
+- size_t size;
++ size_t size, max_size;
+
+ WITH_QEMU_LOCK_GUARD(&stream->queue_mutex) {
+ while (!QSIMPLEQ_EMPTY(&stream->queue)) {
+@@ -1275,7 +1275,12 @@ static void virtio_snd_pcm_in_cb(void *data, int available)
+ continue;
+ }
+
++ max_size = iov_size(buffer->elem->in_sg, buffer->elem->in_num);
+ for (;;) {
++ if (buffer->size >= max_size) {
++ return_rx_buffer(stream, buffer);
++ break;
++ }
+ size = AUD_read(stream->voice.in,
+ buffer->data + buffer->size,
+ MIN(available, (stream->params.period_bytes -
+--
+GitLab
diff --git a/qemu.spec b/qemu.spec
index 13f07bff8ca89a55dd4c5cc38b2ff6b318b9a5fc..fbfd0f0f78cdc14ac92413dd1713b525ff8e68cb 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,4 +1,4 @@
-%define anolis_release 25
+%define anolis_release 26
 %bcond_with check
 %global all_system_emu_support 0
@@ -567,6 +567,8 @@ Patch0281: 0281-hw-i386-pc-add-mem2-option-for-qemu.patch
 Patch0282: 0282-hw-misc-psp-support-tkm-use-mem2-memory.patch
 Patch0283: 0283-hw-misc-psp-Pin-the-hugepage-memory-specified-by-mem.patch
 Patch0284: 0284-fix-potential-use-after-free-with-dbus-shared-memory.patch
+#https://gitlab.com/qemu-project/qemu/-/commit/98e77e3dd8dd6e7aa9a7dffa60f49c8c8a49d4e3
+Patch0285: 0285-fix-CVE-2024-7730.patch
 ExclusiveArch: x86_64 aarch64 loongarch64
@@ -2111,6 +2113,9 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 %endif
 %changelog
+* Fri Dec 13 2024 yangxinyu - 2:8.2.0-26
+- fix CVE-2024-7730
+
 * Sat Nov 30 2024 Xianglai Li - 2:8.2.0-25
 - Remove loongarch qemu's dependency on the seavgabios package.
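Review bot: The new guard in the embedded virtio-snd hunk only rejects the case `buffer->size >= max_size` before the read, while the length handed to AUD_read on the following lines is still `MIN(available, period_bytes - buffer->size)` and is never clamped to `max_size - buffer->size`, so a single read can still run past max_size whenever the guest-supplied element is smaller than a period. The commit message also states that the audio data area excludes virtio_snd_pcm_status, yet max_size is the full iov_size(), so the guard appears to let buffer->size reach a bound that includes the status footer; both points depend on how buffer->data is sized in the RX handler and on return_rx_buffer, which are outside this hunk and should be checked there. I would bound the read by the remaining room as well, e.g. `MIN(available, MIN(stream->params.period_bytes, max_size) - buffer->size)`. The `for (;;)` body and virtio_snd_pcm_in_cb continue past the end of the hunk.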