diff --git a/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch b/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch
index d047ee316de5f6b6cfdb80de451da6ff232e51c7..52746db0be0b979eda8981578ec60b54af9e3af7 100644
--- a/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch
+++ b/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch
@@ -1,8 +1,8 @@
-From be2098de6cafdce46c104d6ff277b7b780631e40 Mon Sep 17 00:00:00 2001
+From b5d95cb90dba247a0a9ca3bc77b23d78632085ee Mon Sep 17 00:00:00 2001
 From: Marcel Apfelbaum
 Date: Wed, 16 Jun 2021 14:06:00 +0300
-Subject: [PATCH 1/3] hw/rdma: Fix possible mremap overflow in the pvrdma
- device (CVE-2021-3582)
+Subject: [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device
+ (CVE-2021-3582)
 
 Ensure mremap boundaries not trusting the guest kernel to pass the correct buffer length.
diff --git a/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch b/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch
index 1b0c29a4e6c4caf6a007e4875f24a6a9826430e8..ed880aa57304e8b79f1c7c4fa753d5a2defe572b 100644
--- a/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch
+++ b/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch
@@ -1,8 +1,8 @@
 From ea914867ecf5d342a7919abeff4b73c4a6f26e03 Mon Sep 17 00:00:00 2001
 From: AlexChen
 Date: Thu, 4 Nov 2021 17:31:38 +0100
-Subject: [PATCH 2/2] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE
- SELECT commands
+Subject: [PATCH] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT
+ commands
 
 This avoids an off-by-one read of 'mode_sense_valid' buffer in hw/scsi/scsi-disk.c:mode_sense_page().
@@ -28,7 +28,7 @@ index 93fdd913fe..9a67fc7dc6 100644
 @@ -1089,6 +1089,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf,
 uint8_t *p = *p_outbuf + 2;
 int length;
-
+
 + assert(page < ARRAY_SIZE(mode_sense_valid));
 if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
 return -1;
@@ -36,7 +36,7 @@ index 93fdd913fe..9a67fc7dc6 100644
 @@ -1430,6 +1431,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page,
 return -1;
 }
-
+
 + /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */
 + if (page == MODE_PAGE_ALLS) {
 + return -1;
@@ -45,6 +45,6 @@ index 93fdd913fe..9a67fc7dc6 100644
 p = mode_current;
 memset(mode_current, 0, inlen + 2);
 len = mode_sense_page(s, page, &p, 0);
---
+--
 2.27.0
diff --git a/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch b/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch
index 2be31292ab46766606bb656c8d07cda5dc2438c1..d7a451a47dd968934fca150a748d58f40f3a0d6f 100644
--- a/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch
+++ b/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch
@@ -1,7 +1,7 @@
-From 0383586640e2c9712376c795d4d2ea27aadeed78 Mon Sep 17 00:00:00 2001
+From f393d5e5c1d54ff82eac24076f5a2f6f9412871f Mon Sep 17 00:00:00 2001
 From: Marcel Apfelbaum
 Date: Wed, 30 Jun 2021 14:46:34 +0300
-Subject: [PATCH 2/3] pvrdma: Ensure correct input on ring init (CVE-2021-3607)
+Subject: [PATCH] pvrdma: Ensure correct input on ring init (CVE-2021-3607)
 
 Check the guest passed a non zero page count for pvrdma device ring buffers.
diff --git a/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch b/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch
index ed54c1b6c9d1ad4e06e38d7d5e66c04d86e83784..0ea6a498e747d9bd532973e774f74e39b3390002 100644
--- a/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch
+++ b/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch
@@ -1,7 +1,7 @@
-From ad63c75ceea0b9d6fe1dbb008cad41527a29f923 Mon Sep 17 00:00:00 2001
+From c07792a3e5decb249a952c5a4658f7cd23699eb2 Mon Sep 17 00:00:00 2001
 From: Marcel Apfelbaum
 Date: Wed, 30 Jun 2021 14:52:46 +0300
-Subject: [PATCH 3/3] pvrdma: Fix the ring init error flow (CVE-2021-3608)
+Subject: [PATCH] pvrdma: Fix the ring init error flow (CVE-2021-3608)
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
diff --git a/qemu.spec b/qemu.spec
index 51dd9af7106a797d3b168d40a1f8c7a94eb9690d..50b42547e2b6358c9a85f9fd52164fa2b08755b9 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 61
+Release: 62
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@@ -313,6 +313,10 @@ Patch0300: hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch
 Patch0301: hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch
 Patch0302: pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch
 Patch0303: pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch
+Patch0304: hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch
+Patch0305: hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch
+Patch0306: pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch
+Patch0307: pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch
 
 BuildRequires: flex
 BuildRequires: bison
@@ -710,6 +714,14 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Fri Apr 08 2022 Chen Qun
+- hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582)
+- pvrdma: Ensure correct input on ring init (CVE-2021-3607)
+- pvrdma: Fix the ring init error flow (CVE-2021-3608)
+
+* Fri Apr 08 2022 Chen Qun
+- hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands
+
 * Wed Apr 06 2022 yezengruan
 - hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582)
 - pvrdma: Ensure correct input on ring init (CVE-2021-3607)
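Review bot: The four added lines `Patch0304:` through `Patch0307:` in the `@@ -313,6 +313,10 @@` hunk of qemu.spec name exactly the same patch files that the context lines already declare as Patch0300–Patch0303, so each of these CVE fixes is now listed twice. If %prep (outside this hunk) applies every PatchNNNN in order, the second application of an already-applied patch is rejected by `patch`/`git apply` and the build fails, leaving Release 62 without any package; if the duplicates are silently skipped they are dead entries that will mislead the next backport. The four added `Patch030[4-7]:` lines should be dropped, and the two new Apr 08 entries in the `@@ -710,6 +714,14 @@` changelog hunk, which repeat the Apr 06 entry verbatim, collapsed into one entry describing what this commit actually changes (the refreshed patch-file headers).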