From cdae7a424491875abbe7c06ed6bda0725bc2a593 Mon Sep 17 00:00:00 2001
From: Shao Denghui
Date: Mon, 17 Apr 2023 17:22:38 +0800
Subject: [PATCH] fix CVE-2023-1544
Signed-off-by: Shao Denghui
---
 hw-rdma-fix-CVE-2023-1544.patch | 67 +++++++++++++++++++++++++++++++++
 qemu.spec | 6 ++-
 2 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 hw-rdma-fix-CVE-2023-1544.patch
diff --git a/hw-rdma-fix-CVE-2023-1544.patch b/hw-rdma-fix-CVE-2023-1544.patch
new file mode 100644
index 00000000..55dbff1a
--- /dev/null
+++ b/hw-rdma-fix-CVE-2023-1544.patch
@@ -0,0 +1,67 @@ +From f06d24d568d7ef25865eb87f32f0ec191c229e13 Mon Sep 17 00:00:00 2001 +From: Shao Denghui +Date: Mon, 17 Apr 2023 10:28:05 +0800 +Subject: [PATCH v1] hw/pvrdma: Protect against buggy or malicious guest driver + +Guest driver allocates and initialize page tables to be used as a ring +of descriptors for CQ and async events. +The page table that represents the ring, along with the number of pages +in the page table is passed to the device. +Currently our device supports only one page table for a ring. + +Let's make sure that the number of page table entries the driver +reports, do not exceeds the one page table size. + +Reported-by: Soul Chen +Signed-off-by: Yuval Shaia +Signed-off-by: Shao Denghui +--- +v0 -> v1: + * Take ring-state into account + * Add Reported-by +--- + hw/rdma/vmw/pvrdma_main.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c +index 91206dbb8e..01ca85f576 100644 +--- a/hw/rdma/vmw/pvrdma_main.c ++++ b/hw/rdma/vmw/pvrdma_main.c +@@ -91,19 +91,33 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state, + dma_addr_t dir_addr, uint32_t num_pages) + { + uint64_t *dir, *tbl; +- int rc = 0; ++ int max_pages, rc = 0; + + if (!num_pages) { + rdma_error_report("Ring pages count must be strictly positive"); + return -EINVAL; + } + ++ /* ++ * Make sure we can satisfy the requested number of pages in a single ++ * TARGET_PAGE_SIZE sized page table (taking into account that first entry ++ * is reserved for ring-state) ++ */ ++ max_pages = TARGET_PAGE_SIZE / sizeof(dma_addr_t) - 1; ++ if (num_pages > max_pages) { ++ rdma_error_report("Maximum pages on a single directory must not exceed %d\n", ++ max_pages); ++ return -EINVAL; ++ } ++ + dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE); + if (!dir) { + rdma_error_report("Failed to map to page directory (ring %s)", name); + rc = -ENOMEM; + goto out; + } ++ ++ /* We support 
only one page table for a ring */ + tbl = rdma_pci_dma_map(pci_dev, dir[0], TARGET_PAGE_SIZE); + if (!tbl) { + rdma_error_report("Failed to map to page table (ring %s)", name); +-- +2.27.0 + diff --git a/qemu.spec b/qemu.spec index 3ac034dd..55ad6cfd 100644 --- a/qemu.spec +++ b/qemu.spec @@ -3,7 +3,7 @@ Name: qemu Version: 6.2.0 -Release: 65 +Release: 66 Epoch: 10 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 @@ -444,6 +444,7 @@ Patch0429: migration-report-multiFd-related-thread-pid-to-libvi.patch Patch0430: vhost_net-keep-acked_feature-only-for-NET_CLIENT_DRI.patch Patch0431: linux-user-Add-strace-output-for-timer_settime64-sys.patch Patch0432: fix-qemu-core-when-vhost-user-net-config-with-server.patch +Patch0433: hw-rdma-fix-CVE-2023-1544.patch BuildRequires: flex BuildRequires: gcc @@ -975,6 +976,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Mon Apr 17 2023 shaodenghui - 10:6.2.0-66 +- hw/pvrdma: Protect against buggy or malicious guest driver(CVE-2023-1544) + * Tue Dec 20 2022 yezengruan - 10:6.2.0-65 - linux-user: Add strace output for timer_settime64() syscall - fix qemu-core when vhost-user-net config with server mode -- Gitee
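Review bot: The new bound check in init_dev_ring compares the `uint32_t num_pages` parameter against an `int max_pages`, and its message ends in "\n" while the two neighbouring rdma_error_report() calls in the same hunk ("Ring pages count must be strictly positive", "Failed to map to page directory (ring %s)") carry no newline, which suggests the reporter already terminates lines and this one will leave a blank line in the log. The signed/unsigned comparison is only safe because max_pages is always positive (511 with a 4 KiB TARGET_PAGE_SIZE and an 8-byte dma_addr_t), trips -Wsign-compare, and reads oddly next to the parameter it bounds; giving it the parameter's type and the surrounding message style would be `uint32_t max_pages = TARGET_PAGE_SIZE / sizeof(dma_addr_t) - 1;` with `int rc = 0;` kept as its own declaration and `rdma_error_report("Maximum pages on a single directory must not exceed %u", max_pages);`. The bound itself matches the visible code: num_pages is rejected before anything is mapped, and the guest-provided directory entry `dir[0]` is only read after the directory mapping succeeded. init_dev_ring continues past the end of the hunk, so whether every later consumer of num_pages (the page-table walk and ring initialisation) is covered by this limit cannot be confirmed from here.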