From bcfbe9c5ceb457ac70d3c5ec25d140bf7d73e728 Mon Sep 17 00:00:00 2001
From: yangxinyu
Date: Tue, 26 Aug 2025 11:07:09 +0800
Subject: [PATCH] [CVE] fix cve-2024-3567 to #bug21905
fix cve-2024-3567
Project: TC2024080204
Signed-off-by:yangxinyu
---
 0481-qemu-cve-2024-3567.patch | 67 +++++++++++++++++++++++++++++++++++
 qemu.spec | 8 ++++-
 2 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100644 0481-qemu-cve-2024-3567.patch
diff --git a/0481-qemu-cve-2024-3567.patch b/0481-qemu-cve-2024-3567.patch
new file mode 100644
index 0000000..adc7a3a
--- /dev/null
+++ b/0481-qemu-cve-2024-3567.patch
@@ -0,0 +1,67 @@
+From 83ddb3dbba2ee0f1767442ae6ee665058aeb1093 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?=
+Date: Tue, 9 Apr 2024 19:54:05 +0200
+Subject: [PATCH] hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a fragmented packet size is too short, do not try to
+calculate its checksum.
+
+Reproduced using:
+
+ $ cat << EOF | qemu-system-i386 -display none -nodefaults \
+ -machine q35,accel=qtest -m 32M \
+ -device igb,netdev=net0 \
+ -netdev user,id=net0 \
+ -qtest stdio
+ outl 0xcf8 0x80000810
+ outl 0xcfc 0xe0000000
+ outl 0xcf8 0x80000804
+ outw 0xcfc 0x06
+ write 0xe0000403 0x1 0x02
+ writel 0xe0003808 0xffffffff
+ write 0xe000381a 0x1 0x5b
+ write 0xe000381b 0x1 0x00
+ EOF
+ Assertion failed: (offset == 0), function iov_from_buf_full, file util/iov.c, line 39.
+ #1 0x5575e81e952a in iov_from_buf_full qemu/util/iov.c:39:5
+ #2 0x5575e6500768 in net_tx_pkt_update_sctp_checksum qemu/hw/net/net_tx_pkt.c:144:9
+ #3 0x5575e659f3e1 in igb_setup_tx_offloads qemu/hw/net/igb_core.c:478:11
+ #4 0x5575e659f3e1 in igb_tx_pkt_send qemu/hw/net/igb_core.c:552:10
+ #5 0x5575e659f3e1 in igb_process_tx_desc qemu/hw/net/igb_core.c:671:17
+ #6 0x5575e659f3e1 in igb_start_xmit qemu/hw/net/igb_core.c:903:9
+ #7 0x5575e659f3e1 in igb_set_tdt qemu/hw/net/igb_core.c:2812:5
+ #8 0x5575e657d6a4 in igb_core_write qemu/hw/net/igb_core.c:4248:9
+
+Fixes: CVE-2024-3567
+Cc: qemu-stable@nongnu.org
+Reported-by: Zheyu Ma
+Fixes: f199b13bc1 ("igb: Implement Tx SCTP CSO")
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2273
+Signed-off-by: Philippe Mathieu-Daudé
+Reviewed-by: Akihiko Odaki
+Acked-by: Jason Wang
+Message-Id: <20240410070459.49112-1-philmd@linaro.org>
+---
+ hw/net/net_tx_pkt.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
+index 2134a18c4c9..b7b1de816dc 100644
+--- a/hw/net/net_tx_pkt.c
++++ b/hw/net/net_tx_pkt.c
+@@ -141,6 +141,10 @@ bool net_tx_pkt_update_sctp_checksum(struct NetTxPkt *pkt)
+ uint32_t csum = 0;
+ struct iovec *pl_start_frag = pkt->vec + NET_TX_PKT_PL_START_FRAG;
+
++ if (iov_size(pl_start_frag, pkt->payload_frags) < 8 + sizeof(csum)) {
++ return false;
++ }
++
+ if (iov_from_buf(pl_start_frag, pkt->payload_frags, 8, &csum, sizeof(csum)) < sizeof(csum)) {
+ return false;
+ }
+--
+GitLab
diff --git a/qemu.spec b/qemu.spec
index a0f6888..f0e71cc 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,4 +1,4 @@
-%define anolis_release 32
+%define anolis_release 33
 %bcond_with check
 %global all_system_emu_support 0
@@ -767,6 +767,9 @@ Patch0478: 0478-hw-net-net-tx-pkt-fix-overrun-in-update-sctp-checksu.patch
 Patch0479: 0479-util-iov-do-not-assert-offset-is-in-iov.patch
 Patch0480: 0480-revert-hw-net-net-tx-pkt-fix-overrun-in-update-sctp-.patch
+#https://gitlab.com/qemu-project/qemu/-/commit/83ddb3dbba2ee0f1767442ae6ee665058aeb1093
+Patch0481: 0481-qemu-cve-2024-3567.patch
+
 ExclusiveArch: x86_64 aarch64 loongarch64 riscv64
 BuildRequires: meson >= %{meson_version}
@@ -2330,6 +2333,9 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 %endif
 %changelog
+* Tue Aug 26 2025 yangxinyu - 2:8.2.0-33
+-fix cve-2024-3567
+
 * Fri Aug 15 2025 wh02252983 - 2:8.2.0-32
 - meson: move subdirs to "Collect sources" section
 - meson: always probe u2f and canokey if the option is enabled
--
Gitee
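Review bot: The new guard `if (iov_size(pl_start_frag, pkt->payload_frags) < 8 + sizeof(csum))` encodes the SCTP common-header layout with a bare `8` that is repeated in the `iov_from_buf(pl_start_frag, pkt->payload_frags, 8, &csum, sizeof(csum))` call right below it, and nothing in the hunk says why 12 bytes is the minimum; a comment such as `/* SCTP common header: 4-byte checksum at offset 8 */` above the guard, or a named constant shared by both calls, would make the bound self-explanatory. Because this file is a verbatim backport of upstream commit 83ddb3dbba2ee0f1767442ae6ee665058aeb1093, that comment belongs in an upstream follow-up rather than in the vendored patch. The enclosing net_tx_pkt_update_sctp_checksum() starts before and ends after the inner hunk, so whether the later checksum write-back is covered by the same length check cannot be confirmed from this view.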
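Review bot: The new `Patch0481` line sits directly after `Patch0478: 0478-hw-net-net-tx-pkt-fix-overrun-in-update-sctp-checksu.patch` and `Patch0480: 0480-revert-hw-net-net-tx-pkt-fix-overrun-in-update-sctp-.patch`, whose names describe the same upstream fix the new comment links, so if 0478 was an earlier import of 83ddb3dbba2ee0f1767442ae6ee665058aeb1093 the spec now applies, reverts and re-applies one change. Dropping 0478 and 0480 (or adding a comment saying why they stay) would keep the patch series readable, and it is worth confirming in the build that 0481 applies cleanly on top of 0480's revert. The file name `0481-qemu-cve-2024-3567.patch` also breaks the subject-derived naming of its neighbours; `0481-hw-net-net-tx-pkt-fix-overrun-in-update-sctp-checksum.patch` would match, with the CVE id kept in the comment. In the %changelog hunk the entry `-fix cve-2024-3567` lacks the space after the dash that the surrounding `- meson: ...` entries use; `- fix CVE-2024-3567` would match.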