From e1f81d4318581d290f6a75e8f68e72ad8b8a43e4 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Thu, 4 Nov 2021 17:31:38 +0100 Subject: [PATCH 1/7] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands This avoids an off-by-one read of 'mode_sense_valid' buffer in hw/scsi/scsi-disk.c:mode_sense_page(). Fixes: CVE-2021-3930 Cc: qemu-stable@nongnu.org Reported-by: Alexander Bulekov Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table") Fixes: #546 Reported-by: Qiuhao Li Signed-off-by: Mauro Matteo Cascella Signed-off-by: Paolo Bonzini cherry-pick from: b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 Signed-off-by: AlexChen --- ...-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch b/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch index 1b0c29a..ed880aa 100644 --- a/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch +++ b/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch @@ -1,8 +1,8 @@ From ea914867ecf5d342a7919abeff4b73c4a6f26e03 Mon Sep 17 00:00:00 2001 From: AlexChen Date: Thu, 4 Nov 2021 17:31:38 +0100 -Subject: [PATCH 2/2] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE - SELECT commands +Subject: [PATCH] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT + commands This avoids an off-by-one read of 'mode_sense_valid' buffer in hw/scsi/scsi-disk.c:mode_sense_page(). @@ -28,7 +28,7 @@ index 93fdd913fe..9a67fc7dc6 100644 @@ -1089,6 +1089,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf, uint8_t *p = *p_outbuf + 2; int length; - + + assert(page < ARRAY_SIZE(mode_sense_valid)); if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) { return -1; @@ -36,7 +36,7 @@ index 93fdd913fe..9a67fc7dc6 100644 
@@ -1430,6 +1431,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page, return -1; } - + + /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */ + if (page == MODE_PAGE_ALLS) { + return -1; @@ -45,6 +45,6 @@ index 93fdd913fe..9a67fc7dc6 100644 p = mode_current; memset(mode_current, 0, inlen + 2); len = mode_sense_page(s, page, &p, 0); --- +-- 2.27.0 -- Gitee From c0d83ea7a3fa6fe1b4126a794a2a234f5e11c33c Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Fri, 8 Apr 2022 16:27:35 +0800 Subject: [PATCH 2/7] spec: Update patch and changelog with !269 hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands !269 hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands Signed-off-by: Chen Qun --- qemu.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/qemu.spec b/qemu.spec index 51dd9af..7d50270 100644 --- a/qemu.spec +++ b/qemu.spec @@ -313,6 +313,7 @@ Patch0300: hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch Patch0301: hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch Patch0302: pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch Patch0303: pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch +Patch0304: hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch BuildRequires: flex BuildRequires: bison @@ -710,6 +711,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Fri Apr 08 2022 Chen Qun +- hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands + * Wed Apr 06 2022 yezengruan - hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) - pvrdma: Ensure correct input on ring init (CVE-2021-3607) -- Gitee From 9325b338deb039cf7c19d176e332f15d75b15f2c Mon Sep 17 00:00:00 2001 
From: Chen Qun Date: Wed, 16 Jun 2021 14:06:00 +0300 Subject: [PATCH 3/7] hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) Ensure mremap boundaries not trusting the guest kernel to pass the correct buffer length. Fixes: CVE-2021-3582 Reported-by: VictorV (Kunlun Lab) Tested-by: VictorV (Kunlun Lab) Signed-off-by: Marcel Apfelbaum Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com> Reviewed-by: Yuval Shaia Tested-by: Yuval Shaia Reviewed-by: Prasad J Pandit Signed-off-by: Marcel Apfelbaum cherry-pick from: 284f191b4abad213aed04cb0458e1600fd18d7c4 Signed-off-by: yezengruan --- hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch b/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch index d047ee3..52746db 100644 --- a/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch +++ b/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch @@ -1,8 +1,8 @@ -From be2098de6cafdce46c104d6ff277b7b780631e40 Mon Sep 17 00:00:00 2001 +From b5d95cb90dba247a0a9ca3bc77b23d78632085ee Mon Sep 17 00:00:00 2001 From: Marcel Apfelbaum Date: Wed, 16 Jun 2021 14:06:00 +0300 -Subject: [PATCH 1/3] hw/rdma: Fix possible mremap overflow in the pvrdma - device (CVE-2021-3582) +Subject: [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device + (CVE-2021-3582) Ensure mremap boundaries not trusting the guest kernel to pass the correct buffer length. -- Gitee From 8ac5c522d311334394a088c055c64aa7e721bb1e Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Wed, 30 Jun 2021 14:46:34 +0300 Subject: [PATCH 4/7] pvrdma: Ensure correct input on ring init (CVE-2021-3607) Check the guest passed a non zero page count for pvrdma device ring buffers. Fixes: CVE-2021-3607 Reported-by: VictorV (Kunlun Lab) Reviewed-by: VictorV (Kunlun Lab) 
Signed-off-by: Marcel Apfelbaum Message-Id: <20210630114634.2168872-1-marcel@redhat.com> Reviewed-by: Yuval Shaia Tested-by: Yuval Shaia Signed-off-by: Marcel Apfelbaum cherry-pick from: 32e5703cfea07c91e6e84bcb0313f633bb146534 Signed-off-by: yezengruan --- pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch b/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch index 2be3129..d7a451a 100644 --- a/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch +++ b/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch @@ -1,7 +1,7 @@ -From 0383586640e2c9712376c795d4d2ea27aadeed78 Mon Sep 17 00:00:00 2001 +From f393d5e5c1d54ff82eac24076f5a2f6f9412871f Mon Sep 17 00:00:00 2001 From: Marcel Apfelbaum Date: Wed, 30 Jun 2021 14:46:34 +0300 -Subject: [PATCH 2/3] pvrdma: Ensure correct input on ring init (CVE-2021-3607) +Subject: [PATCH] pvrdma: Ensure correct input on ring init (CVE-2021-3607) Check the guest passed a non zero page count for pvrdma device ring buffers. -- Gitee From aac0c2c07477ad4c8a6ea9db56cc3c9300a911dd Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Wed, 30 Jun 2021 14:52:46 +0300 Subject: [PATCH 5/7] pvrdma: Fix the ring init error flow (CVE-2021-3608) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Do not unmap uninitialized dma addresses. Fixes: CVE-2021-3608 Reviewed-by: VictorV (Kunlun Lab) Tested-by: VictorV (Kunlun Lab) Signed-off-by: Marcel Apfelbaum Message-Id: <20210630115246.2178219-1-marcel@redhat.com> Tested-by: Yuval Shaia Reviewed-by: Yuval Shaia Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Marcel Apfelbaum cherry-pick from: 66ae37d8cc313f89272e711174a846a229bcdbd3 Signed-off-by: yezengruan --- pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch b/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch index ed54c1b..0ea6a49 100644 --- a/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch +++ b/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch @@ -1,7 +1,7 @@ -From ad63c75ceea0b9d6fe1dbb008cad41527a29f923 Mon Sep 17 00:00:00 2001 +From c07792a3e5decb249a952c5a4658f7cd23699eb2 Mon Sep 17 00:00:00 2001 From: Marcel Apfelbaum Date: Wed, 30 Jun 2021 14:52:46 +0300 -Subject: [PATCH 3/3] pvrdma: Fix the ring init error flow (CVE-2021-3608) +Subject: [PATCH] pvrdma: Fix the ring init error flow (CVE-2021-3608) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit -- Gitee From 4e2d2a49f124399320cc92ba1847f07069f670ea Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Fri, 8 Apr 2022 16:27:38 +0800 Subject: [PATCH 6/7] spec: Update patch and changelog with !276 Fixes: CVE-2021-3582/CVE-2021-3607/CVE-2021-3608 !276 hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) pvrdma: Ensure correct input on ring init (CVE-2021-3607) pvrdma: Fix the ring init error flow (CVE-2021-3608) Signed-off-by: Chen Qun --- qemu.spec | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/qemu.spec b/qemu.spec index 7d50270..684e3d9 100644 --- a/qemu.spec +++ b/qemu.spec @@ -314,6 +314,9 @@ Patch0301: hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch Patch0302: pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch Patch0303: pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch Patch0304: hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch +Patch0305: hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch +Patch0306: pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch +Patch0307: pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch BuildRequires: flex BuildRequires: bison 
@@ -711,6 +714,11 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Fri Apr 08 2022 Chen Qun +- hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) +- pvrdma: Ensure correct input on ring init (CVE-2021-3607) +- pvrdma: Fix the ring init error flow (CVE-2021-3608) + * Fri Apr 08 2022 Chen Qun - hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands -- Gitee From cdfe7c08083477f2782d9caee072363fa0c57520 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Fri, 8 Apr 2022 16:28:07 +0800 Subject: [PATCH 7/7] spec: Update release version with !269 !276 increase release version by one Signed-off-by: Chen Qun --- qemu.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qemu.spec b/qemu.spec index 684e3d9..50b4254 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 61 +Release: 62 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 -- Gitee
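Review bot: The commit message of PATCH 1/7 is the upstream scsi-disk message (off-by-one read of mode_sense_valid in mode_sense_page(), Fixes: CVE-2021-3930, Fixes: #546, Reported-by: trailers), but the hunks against hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch only rewrite that file's header and whitespace: the Subject loses its "[PATCH 2/2]" numbering, the blank context lines before `+ assert(page < ARRAY_SIZE(mode_sense_valid));` and before the `/* MODE_PAGE_ALLS is only valid for MODE SENSE commands */` block are replaced, and the trailer before `2.27.0` is regenerated. The message should say that this commit re-exports the backport file so it applies cleanly and carries no functional change to the fix; copying the upstream trailers verbatim makes this downstream commit read as the fix itself and confuses CVE tracking.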
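Review bot: In the qemu.spec hunk of PATCH 2/7, the added line `+Patch0304: hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch` names exactly the file that the unchanged context line `Patch0300: hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch` already lists three lines above it. With both entries present, %prep will apply the same patch twice, and GNU patch refuses or fails on the second, already-applied copy. Either this commit should also remove the Patch0300 line, or the Patch0304 line should be dropped and only the patch file itself corrected (as PATCH 1/7 does). The %changelog entry for this hunk is consistent with the existing entries' format.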
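Review bot: The hunk of PATCH 3/7 against hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch changes only the `From be2098de6cafdce46c104d6ff277b7b780631e40` header to `From b5d95cb90dba247a0a9ca3bc77b23d78632085ee` and drops the "[PATCH 1/3]" numbering from the Subject; the body of the backport ("Ensure mremap boundaries not trusting the guest kernel to pass the correct buffer length") is untouched. The commit message nevertheless repeats the upstream message and its Fixes:/Reported-by:/Tested-by: trailers as if this commit introduced the CVE-2021-3582 fix. A one-line message such as "re-export backport patch header, no code change" would be accurate; the same applies to the pvrdma hunks of PATCH 4/7 (CVE-2021-3607) and PATCH 5/7 (CVE-2021-3608), which likewise change only the From hash and Subject numbering.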
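Review bot: In the first qemu.spec hunk of PATCH 6/7, the three added lines `+Patch0305: hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch`, `+Patch0306: pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch` and `+Patch0307: pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch` duplicate the unchanged context lines Patch0301, Patch0302 and Patch0303 directly above them, file for file. As with the Patch0304 duplicate in PATCH 2/7, each of these patches would be applied a second time in %prep and fail as already applied. Since the commit message carries "Fixes: CVE-2021-3582/CVE-2021-3607/CVE-2021-3608" but the patches were already present as Patch0301–0303, the new Patch lines should be dropped; the %changelog entry in the second hunk can stay if the intent is to record the header fixes from PATCH 3/7–5/7, but it should then say so rather than announce the three CVE fixes again.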
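Review bot: The `-Release: 61` / `+Release: 62` bump in PATCH 7/7 is correct for a single rebuild, but it is split from the two %changelog entries added in PATCH 2/7 and PATCH 6/7, so the intermediate commits have changelog entries without a matching release. Folding the Release bump into the commit that adds the last changelog entry (or recording "2:4.1.0-62" in that entry's header line) keeps every commit in the series buildable and consistent.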