diff --git a/hw-rdma-fix-CVE-2023-1544.patch b/hw-rdma-fix-CVE-2023-1544.patch new file mode 100644 index 0000000000000000000000000000000000000000..55dbff1a7559353d8d9e485767f690b9b73584cf --- /dev/null +++ b/hw-rdma-fix-CVE-2023-1544.patch @@ -0,0 +1,67 @@ +From f06d24d568d7ef25865eb87f32f0ec191c229e13 Mon Sep 17 00:00:00 2001 +From: Shao Denghui +Date: Mon, 17 Apr 2023 10:28:05 +0800 +Subject: [PATCH v1] hw/pvrdma: Protect against buggy or malicious guest driver + +Guest driver allocates and initialize page tables to be used as a ring +of descriptors for CQ and async events. +The page table that represents the ring, along with the number of pages +in the page table is passed to the device. +Currently our device supports only one page table for a ring. + +Let's make sure that the number of page table entries the driver +reports, do not exceeds the one page table size. + +Reported-by: Soul Chen +Signed-off-by: Yuval Shaia +Signed-off-by: Shao Denghui +--- +v0 -> v1: + * Take ring-state into account + * Add Reported-by +--- + hw/rdma/vmw/pvrdma_main.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c +index 91206dbb8e..01ca85f576 100644 +--- a/hw/rdma/vmw/pvrdma_main.c ++++ b/hw/rdma/vmw/pvrdma_main.c +@@ -91,19 +91,33 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state, + dma_addr_t dir_addr, uint32_t num_pages) + { + uint64_t *dir, *tbl; +- int rc = 0; ++ int max_pages, rc = 0; + + if (!num_pages) { + rdma_error_report("Ring pages count must be strictly positive"); + return -EINVAL; + } + ++ /* ++ * Make sure we can satisfy the requested number of pages in a single ++ * TARGET_PAGE_SIZE sized page table (taking into account that first entry ++ * is reserved for ring-state) ++ */ ++ max_pages = TARGET_PAGE_SIZE / sizeof(dma_addr_t) - 1; ++ if (num_pages > max_pages) { ++ rdma_error_report("Maximum pages on a single directory must not exceed %d\n", ++ max_pages); ++ return -EINVAL; ++ } ++ + dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE); + if (!dir) { + rdma_error_report("Failed to map to page directory (ring %s)", name); + rc = -ENOMEM; + goto out; + } ++ ++ /* We support only one page table for a ring */ + tbl = rdma_pci_dma_map(pci_dev, dir[0], TARGET_PAGE_SIZE); + if (!tbl) { + rdma_error_report("Failed to map to page table (ring %s)", name); +-- +2.27.0 + diff --git a/qemu.spec b/qemu.spec index 9fe62402971aa51471018ebb2b8be30d129920b9..7957130967ca3378e335f09c4bb9e2692329e21b 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 72 +Release: 73 Epoch: 10 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 @@ -347,6 +347,7 @@ Patch0334: hw-display-qxl-Document-qxl_phys2virt.patch Patch0335: hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch Patch0336: hw-display-qxl-Avoid-buffer-overrun-in-qxl_phys2virt.patch Patch0337: hw-display-qxl-Assert-memory-slot-fits-in-preallocat.patch +Patch0338: hw-rdma-fix-CVE-2023-1544.patch BuildRequires: flex BuildRequires: bison @@ -748,6 +749,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Mon Apr 17 2023 shaodenghui +- hw/pvrdma: Protect against buggy or malicious guest driver(CVE-2023-1544) + * Mon Dec 05 yezengruan - fix CVE-2022-4144