From ad2227f9a2eea9c66ea7d164cd695a300faa8f8f Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Tue, 9 Mar 2021 17:37:20 +0800 Subject: [PATCH 1/3] net: vmxnet3: validate configuration values during activate (CVE-2021-20203) fix CVE-2021-20203 #I3A34O While activating device in vmxnet3_acticate_device(), it does not validate guest supplied configuration values against predefined minimum - maximum limits. This may lead to integer overflow or OOB access issues. Add checks to avoid it. Fixes: CVE-2021-20203 Buglink: https://bugs.launchpad.net/qemu/+bug/1913873 Reported-by: Gaoning Pan Signed-off-by: Prasad J Pandit Signed-off-by: Jiajie Li --- ...date-configuration-values-during-act.patch | 79 +++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 net-vmxnet3-validate-configuration-values-during-act.patch diff --git a/net-vmxnet3-validate-configuration-values-during-act.patch b/net-vmxnet3-validate-configuration-values-during-act.patch new file mode 100644 index 0000000..8d62dc1 --- /dev/null +++ b/net-vmxnet3-validate-configuration-values-during-act.patch @@ -0,0 +1,79 @@ +From 281a70c0251695d5cba2314b43eace9c6bc98f9d Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Tue, 9 Mar 2021 17:37:20 +0800 +Subject: [PATCH] net: vmxnet3: validate configuration values during activate + (CVE-2021-20203) + +fix CVE-2021-20203 #I3A34O + +While activating device in vmxnet3_acticate_device(), it does not +validate guest supplied configuration values against predefined +minimum - maximum limits. This may lead to integer overflow or +OOB access issues. Add checks to avoid it. + +Fixes: CVE-2021-20203 +Buglink: https://bugs.launchpad.net/qemu/+bug/1913873 +Reported-by: Gaoning Pan +Signed-off-by: Prasad J Pandit + +Signed-off-by: Jiajie Li +--- + hw/net/vmxnet3.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c +index 10d01d0058..ecc4f5bcf0 100644 +--- a/hw/net/vmxnet3.c ++++ b/hw/net/vmxnet3.c +@@ -1418,6 +1418,7 @@ static void vmxnet3_activate_device(VMXNET3State *s) + vmxnet3_setup_rx_filtering(s); + /* Cache fields from shared memory */ + s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu); ++ assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU); + VMW_CFPRN("MTU is %u", s->mtu); + + s->max_rx_frags = +@@ -1471,7 +1472,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) + /* Read rings memory locations for TX queues */ + pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA); + size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize); +- ++ if (size > VMXNET3_TX_RING_MAX_SIZE) { ++ size = VMXNET3_TX_RING_MAX_SIZE; ++ } + vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size, + sizeof(struct Vmxnet3_TxDesc), false); + VMXNET3_RING_DUMP(VMW_CFPRN, "TX", i, &s->txq_descr[i].tx_ring); +@@ -1481,6 +1484,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) + /* TXC ring */ + pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA); + size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize); ++ if (size > VMXNET3_TC_RING_MAX_SIZE) { ++ size = VMXNET3_TC_RING_MAX_SIZE; ++ } + vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size, + sizeof(struct Vmxnet3_TxCompDesc), true); + VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring); +@@ -1522,6 +1528,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) + /* RX rings */ + pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]); + size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]); ++ if (size > VMXNET3_RX_RING_MAX_SIZE) { ++ size = VMXNET3_RX_RING_MAX_SIZE; ++ } + vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size, + sizeof(struct Vmxnet3_RxDesc), false); + VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d", +@@ -1531,6 +1540,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) + /* RXC ring */ + pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA); + size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize); ++ if (size > VMXNET3_RC_RING_MAX_SIZE) { ++ size = VMXNET3_RC_RING_MAX_SIZE; ++ } + vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size, + sizeof(struct Vmxnet3_RxCompDesc), true); + VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size); +-- +2.27.0 + -- Gitee From 91aea8949695cae360f100075ec21887ba4256b9 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Thu, 18 Mar 2021 22:02:10 +0800 Subject: [PATCH 2/3] spec: Update patch and changelog with !85 fix CVE-2021-20203 #I3A34O !85 net: vmxnet3: validate configuration values during activate (CVE-2021-20203) Signed-off-by: Chen Qun --- qemu.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/qemu.spec b/qemu.spec index c35f251..8d9c3c7 100644 --- a/qemu.spec +++ b/qemu.spec @@ -238,6 +238,7 @@ Patch0225: ati-use-vga_read_byte-in-ati_cursor_define.patch Patch0226: sd-sdhci-assert-data_count-is-within-fifo_buffer.patch Patch0227: msix-add-valid.accepts-methods-to-check-address.patch Patch0228: ide-atapi-check-io_buffer_index-in-ide_atapi_cmd_rep.patch +Patch0229: net-vmxnet3-validate-configuration-values-during-act.patch BuildRequires: flex BuildRequires: bison @@ -583,6 +584,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Thu Mar 18 2021 Chen Qun +- net: vmxnet3: validate configuration values during activate (CVE-2021-20203) + * Fri Feb 26 2021 Huawei Technologies Co., Ltd - ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end -- Gitee From 975b491b36225f776bae82f68e055ddfd92c2a14 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Thu, 18 Mar 2021 22:02:22 +0800 Subject: [PATCH 3/3] spec: Update release version with !85 increase release verison by one Signed-off-by: Chen Qun --- qemu.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qemu.spec b/qemu.spec index 8d9c3c7..16893cf 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 36 +Release: 37 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 -- Gitee