From 1e53bfd9dc8e82ae2b382a73805b725d2bd1ea44 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Thu, 4 Nov 2021 17:31:38 +0100 Subject: [PATCH 1/7] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands This avoids an off-by-one read of 'mode_sense_valid' buffer in hw/scsi/scsi-disk.c:mode_sense_page(). Fixes: CVE-2021-3930 Cc: qemu-stable@nongnu.org Reported-by: Alexander Bulekov Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table") Fixes: #546 Reported-by: Qiuhao Li Signed-off-by: Mauro Matteo Cascella Signed-off-by: Paolo Bonzini cherry-pick from: b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 Signed-off-by: AlexChen --- ...i-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch b/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch index 432e6cc..ae5ed7a 100644 --- a/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch +++ b/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch @@ -1,4 +1,4 @@ -From 08438d7975713bbeed2dff8467bd4656b34221ad Mon Sep 17 00:00:00 2001 +From b1f0a316a30eb5c1ba87391af284ad926afa2c3c Mon Sep 17 00:00:00 2001 From: AlexChen Date: Thu, 4 Nov 2021 17:31:38 +0100 Subject: [PATCH] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT @@ -22,21 +22,21 @@ Signed-off-by: AlexChen 1 file changed, 6 insertions(+) diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c -index cd90cd780e..297efd5a72 100644 +index 93fdd913fe..9a67fc7dc6 100644 --- a/hw/scsi/scsi-disk.c 
+++ b/hw/scsi/scsi-disk.c -@@ -1082,6 +1082,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf, +@@ -1089,6 +1089,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf, uint8_t *p = *p_outbuf + 2; int length; - + + assert(page < ARRAY_SIZE(mode_sense_valid)); if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) { return -1; } -@@ -1423,6 +1424,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page, +@@ -1430,6 +1431,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page, return -1; } - + + /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */ + if (page == MODE_PAGE_ALLS) { + return -1; @@ -45,6 +45,6 @@ index cd90cd780e..297efd5a72 100644 p = mode_current; memset(mode_current, 0, inlen + 2); len = mode_sense_page(s, page, &p, 0); --- +-- 2.27.0 -- Gitee From 4c42b8524c49d88ccca943788e97f11a0b961b05 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Fri, 8 Apr 2022 16:27:32 +0800 Subject: [PATCH 2/7] spec: Update patch and changelog with !268 hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands !268 hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands Signed-off-by: Chen Qun --- qemu.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/qemu.spec b/qemu.spec index a9bc9b2..a0821f0 100644 --- a/qemu.spec +++ b/qemu.spec @@ -348,6 +348,7 @@ Patch0335: hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch Patch0336: hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch Patch0337: pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch Patch0338: pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch +Patch0339: hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch BuildRequires: flex BuildRequires: bison 
@@ -745,6 +746,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Fri Apr 08 2022 Chen Qun +- hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands + * Wed Apr 06 2022 yezengruan - hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) - pvrdma: Ensure correct input on ring init (CVE-2021-3607) -- Gitee From c70ca30a0fdda617f69cc11765c30565246cb6c8 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Wed, 16 Jun 2021 14:06:00 +0300 Subject: [PATCH 3/7] hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) Ensure mremap boundaries not trusting the guest kernel to pass the correct buffer length. Fixes: CVE-2021-3582 Reported-by: VictorV (Kunlun Lab) Tested-by: VictorV (Kunlun Lab) Signed-off-by: Marcel Apfelbaum Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com> Reviewed-by: Yuval Shaia Tested-by: Yuval Shaia Reviewed-by: Prasad J Pandit Signed-off-by: Marcel Apfelbaum cherry-pick from: 284f191b4abad213aed04cb0458e1600fd18d7c4 Signed-off-by: yezengruan --- hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch b/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch index d047ee3..48d2fd9 100644 --- a/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch +++ b/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch @@ -1,8 +1,8 @@ From be2098de6cafdce46c104d6ff277b7b780631e40 Mon Sep 17 00:00:00 2001 From: Marcel Apfelbaum Date: Wed, 16 Jun 2021 14:06:00 +0300 -Subject: [PATCH 1/3] hw/rdma: Fix possible mremap overflow in the pvrdma - device (CVE-2021-3582) +Subject: [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device + (CVE-2021-3582) Ensure mremap boundaries not trusting the guest kernel to pass the correct buffer length. -- Gitee From 5514456494a0fddc235c149680f794db5a709d5b Mon Sep 17 00:00:00 2001 
From: Chen Qun Date: Wed, 30 Jun 2021 14:46:34 +0300 Subject: [PATCH 4/7] pvrdma: Ensure correct input on ring init (CVE-2021-3607) Check the guest passed a non zero page count for pvrdma device ring buffers. Fixes: CVE-2021-3607 Reported-by: VictorV (Kunlun Lab) Reviewed-by: VictorV (Kunlun Lab) Signed-off-by: Marcel Apfelbaum Message-Id: <20210630114634.2168872-1-marcel@redhat.com> Reviewed-by: Yuval Shaia Tested-by: Yuval Shaia Signed-off-by: Marcel Apfelbaum cherry-pick from: 32e5703cfea07c91e6e84bcb0313f633bb146534 Signed-off-by: yezengruan --- pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch b/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch index 2be3129..81c8278 100644 --- a/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch +++ b/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch @@ -1,7 +1,7 @@ From 0383586640e2c9712376c795d4d2ea27aadeed78 Mon Sep 17 00:00:00 2001 From: Marcel Apfelbaum Date: Wed, 30 Jun 2021 14:46:34 +0300 -Subject: [PATCH 2/3] pvrdma: Ensure correct input on ring init (CVE-2021-3607) +Subject: [PATCH] pvrdma: Ensure correct input on ring init (CVE-2021-3607) Check the guest passed a non zero page count for pvrdma device ring buffers. -- Gitee From 024df9ac472f4b6050e90e5c52ddfcfc9511e4d5 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Wed, 30 Jun 2021 14:52:46 +0300 Subject: [PATCH 5/7] pvrdma: Fix the ring init error flow (CVE-2021-3608) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Do not unmap uninitialized dma addresses. Fixes: CVE-2021-3608 Reviewed-by: VictorV (Kunlun Lab) Tested-by: VictorV (Kunlun Lab) Signed-off-by: Marcel Apfelbaum Message-Id: <20210630115246.2178219-1-marcel@redhat.com> Tested-by: Yuval Shaia Reviewed-by: Yuval Shaia Reviewed-by: Philippe Mathieu-Daudé 
Signed-off-by: Marcel Apfelbaum cherry-pick from: 66ae37d8cc313f89272e711174a846a229bcdbd3 Signed-off-by: yezengruan --- pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch b/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch index ed54c1b..e1de794 100644 --- a/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch +++ b/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch @@ -1,7 +1,7 @@ From ad63c75ceea0b9d6fe1dbb008cad41527a29f923 Mon Sep 17 00:00:00 2001 From: Marcel Apfelbaum Date: Wed, 30 Jun 2021 14:52:46 +0300 -Subject: [PATCH 3/3] pvrdma: Fix the ring init error flow (CVE-2021-3608) +Subject: [PATCH] pvrdma: Fix the ring init error flow (CVE-2021-3608) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit -- Gitee From 8a109d3a7a9d03d6b27e27b4a9c917df68aba453 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Fri, 8 Apr 2022 16:27:40 +0800 Subject: [PATCH 6/7] spec: Update patch and changelog with !277 Fixes: CVE-2021-3582/CVE-2021-3607/CVE-2021-3608 !277 hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) pvrdma: Ensure correct input on ring init (CVE-2021-3607) pvrdma: Fix the ring init error flow (CVE-2021-3608) Signed-off-by: Chen Qun --- qemu.spec | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/qemu.spec b/qemu.spec index a0821f0..6e3eae7 100644 --- a/qemu.spec +++ b/qemu.spec 
@@ -349,6 +349,9 @@ Patch0336: hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch Patch0337: pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch Patch0338: pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch Patch0339: hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch +Patch0340: hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch +Patch0341: pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch +Patch0342: pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch BuildRequires: flex BuildRequires: bison @@ -746,6 +749,11 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Fri Apr 08 2022 Chen Qun +- hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) +- pvrdma: Ensure correct input on ring init (CVE-2021-3607) +- pvrdma: Fix the ring init error flow (CVE-2021-3608) + * Fri Apr 08 2022 Chen Qun - hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands -- Gitee From fec7bbc904d34ee3b72bdae6cfc65928f851e71e Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Fri, 8 Apr 2022 16:27:53 +0800 Subject: [PATCH 7/7] spec: Update release version with !268 !277 increase release version by one Signed-off-by: Chen Qun --- qemu.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qemu.spec b/qemu.spec index 6e3eae7..5cdd9c6 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 65 +Release: 66 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 -- Gitee
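Review bot: The commit message of PATCH 1/7 is written as if it were the scsi-disk fix itself (Fixes: CVE-2021-3930, Reported-by, Fixes: a8f4bbe2900, cherry-pick from b3af7fdf9cc5...), but its hunks only refresh the existing backport file hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch: the embedded commit id (08438d79... to b1f0a316...), the blob index (cd90cd780e..297efd5a72 to 93fdd913fe..9a67fc7dc6), the hunk offsets (1082 to 1089, 1423 to 1430) and the signature separator before "2.27.0" ("---" to "--"). State that in the subject and body ("refresh backport against the current base", naming the base commit, which this series does not give) so the history does not record a second backport of the same CVE fix. The functional content is unchanged and still reads correctly: `assert(page < ARRAY_SIZE(mode_sense_valid));` in mode_sense_page() is a safety net for the table lookup, while the actual guard is the new `if (page == MODE_PAGE_ALLS) { return -1; }` in scsi_disk_check_mode_select(), which rejects the one page code a MODE SELECT could use to index past the end of mode_sense_valid.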
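Review bot: In PATCH 2/7, the added Patch0339 names the same file as the existing Patch0335 (hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch, visible in the hunk's own context lines), so the spec now lists this backport twice. If %prep applies the numbered patches in order, the second application is rejected as already applied (the assert and the MODE_PAGE_ALLS check are already in the tree) and the build fails; if patches are applied selectively, the new entry is dead weight. Since PATCH 1/7 already refreshed the file that Patch0335 points to, drop the `+Patch0339:` line and keep only the changelog entry, or, if the intent was to replace a stale entry, remove Patch0335 in the same hunk.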
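Review bot: PATCH 3/7, 4/7 and 5/7 each carry the full upstream commit message (Fixes: CVE-2021-3582, CVE-2021-3607, CVE-2021-3608, Reported-by, Message-Id, cherry-pick from ...) while changing exactly one thing in each backport file: the Subject line loses its series numbering ([PATCH 1/3], [PATCH 2/3], [PATCH 3/3] become [PATCH]). Subject and body should describe that header cleanup instead of restating the fixes, otherwise git log suggests the pvrdma fixes were applied three more times. The edit does not change what `patch` applies, so it is purely cosmetic and would be cleaner as one commit touching all three files.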
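Review bot: In PATCH 6/7, the three new entries Patch0340, Patch0341 and Patch0342 name the same files already listed as Patch0336, Patch0337 and Patch0338 in this hunk's context (hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch, pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch, pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch), so each pvrdma fix is queued twice and an in-order %prep will reject the second copy of each as already applied. Drop the three `+Patch034x:` lines; PATCH 3/7 to 5/7 only edited Subject lines of files the spec already applies. The new changelog items also repeat, word for word, the three items under the existing `* Wed Apr 06 2022 yezengruan` entry, which confirms these are refreshes rather than new fixes; word the entry that way, and consider merging it with the second `* Fri Apr 08 2022 Chen Qun` section from PATCH 2/7, since both precede the single Release bump 65 to 66 in PATCH 7/7.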