diff --git a/hw-rdma-fix-CVE-2023-1544.patch b/hw-rdma-fix-CVE-2023-1544.patch new file mode 100644 index 0000000000000000000000000000000000000000..55dbff1a7559353d8d9e485767f690b9b73584cf --- /dev/null +++ b/hw-rdma-fix-CVE-2023-1544.patch @@ -0,0 +1,67 @@ +From f06d24d568d7ef25865eb87f32f0ec191c229e13 Mon Sep 17 00:00:00 2001 +From: Shao Denghui +Date: Mon, 17 Apr 2023 10:28:05 +0800 +Subject: [PATCH v1] hw/pvrdma: Protect against buggy or malicious guest driver + +Guest driver allocates and initialize page tables to be used as a ring +of descriptors for CQ and async events. +The page table that represents the ring, along with the number of pages +in the page table is passed to the device. +Currently our device supports only one page table for a ring. + +Let's make sure that the number of page table entries the driver +reports, do not exceeds the one page table size. + +Reported-by: Soul Chen +Signed-off-by: Yuval Shaia +Signed-off-by: Shao Denghui +--- +v0 -> v1: + * Take ring-state into account + * Add Reported-by +--- + hw/rdma/vmw/pvrdma_main.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c +index 91206dbb8e..01ca85f576 100644 +--- a/hw/rdma/vmw/pvrdma_main.c ++++ b/hw/rdma/vmw/pvrdma_main.c +@@ -91,19 +91,33 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state, + dma_addr_t dir_addr, uint32_t num_pages) + { + uint64_t *dir, *tbl; +- int rc = 0; ++ int max_pages, rc = 0; + + if (!num_pages) { + rdma_error_report("Ring pages count must be strictly positive"); + return -EINVAL; + } + ++ /* ++ * Make sure we can satisfy the requested number of pages in a single ++ * TARGET_PAGE_SIZE sized page table (taking into account that first entry ++ * is reserved for ring-state) ++ */ ++ max_pages = TARGET_PAGE_SIZE / sizeof(dma_addr_t) - 1; ++ if (num_pages > max_pages) { ++ rdma_error_report("Maximum pages on a single directory must not exceed %d\n", ++ max_pages); ++ return -EINVAL; ++ } ++ + dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE); + if (!dir) { + rdma_error_report("Failed to map to page directory (ring %s)", name); + rc = -ENOMEM; + goto out; + } ++ ++ /* We support only one page table for a ring */ + tbl = rdma_pci_dma_map(pci_dev, dir[0], TARGET_PAGE_SIZE); + if (!tbl) { + rdma_error_report("Failed to map to page table (ring %s)", name); +-- +2.27.0 + diff --git a/qemu.spec b/qemu.spec index 5eb58fa51195927e32ae94f4a0f4366c10d17e75..57776b5ccc2a8f9872b5d5cb90010cbff800f3d7 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 57 +Release: 58 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY @@ -287,6 +287,7 @@ Patch0274: scsi-qemu-pr-helper-Fix-out-of-bounds-access-to-trnp.patch Patch0275: curses-Fixes-curses-compiling-errors.patch Patch0276: net-dump.c-Suppress-spurious-compiler-warning.patch Patch0277: tests-Replace-deprecated-ASN1-code.patch +Patch0278: hw-rdma-fix-CVE-2023-1544.patch BuildRequires: flex BuildRequires: bison @@ -632,6 +633,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Mon Apr 17 2023 shaodenghui +- hw/pvrdma: Protect against buggy or malicious guest driver(CVE-2023-1544) + * Sat May 28 2022 sundongxu - e1000: fail early for evil descriptor - e1000: fix tx re-entrancy problem