From 1ece911d205b13a08cc8619cc36d62713a8a6398 Mon Sep 17 00:00:00 2001
From: Jiabo Feng
Date: Wed, 16 Aug 2023 09:32:34 +0800
Subject: [PATCH] QEMU update to version 4.1.0-79 - virtio-crypto: verify src&dst buffer length for sym request
Signed-off-by: Jiabo Feng
---
 qemu.spec | 6 ++-
 ...rify-src-dst-buffer-length-for-sym-r.patch | 47 +++++++++++++++++++
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 virtio-crypto-verify-src-dst-buffer-length-for-sym-r.patch
diff --git a/qemu.spec b/qemu.spec
index e577f29..f6e29a8 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 78
+Release: 79
 Epoch: 10
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@@ -386,6 +386,7 @@ Patch0373: hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch
 Patch0374: 9pfs-prevent-opening-special-files-CVE-2023-2861.patch
 Patch0375: qga-win32-Remove-change-action-from-MSI-installer.patch
 Patch0376: qga-win32-Use-rundll-for-VSS-installation.patch
+Patch0377: virtio-crypto-verify-src-dst-buffer-length-for-sym-r.patch
 BuildRequires: flex
 BuildRequires: bison
@@ -786,6 +787,9 @@ getent passwd qemu >/dev/null || \
 %endif
 %changelog
+* Wed Aug 16 2023 Jiabo Feng
+- virtio-crypto: verify src&dst buffer length for sym request
+
 * Fri Jul 26 2023 Jiabo Feng
 - qga/win32: Use rundll for VSS installation
 - qga/win32: Remove change action from MSI installer
diff --git a/virtio-crypto-verify-src-dst-buffer-length-for-sym-r.patch b/virtio-crypto-verify-src-dst-buffer-length-for-sym-r.patch
new file mode 100644
index 0000000..622078d
--- /dev/null
+++ b/virtio-crypto-verify-src-dst-buffer-length-for-sym-r.patch
@@ -0,0 +1,47 @@
+From b7a55d4f0ad26e2796170d607fc45de312f1b558 Mon Sep 17 00:00:00 2001
+From: zhenwei pi
+Date: Thu, 3 Aug 2023 10:43:13 +0800
+Subject: [PATCH] virtio-crypto: verify src&dst buffer length for sym request
+
+For symmetric algorithms, the length of ciphertext must be as same
+as the plaintext.
+The missing verification of the src_len and the dst_len in
+virtio_crypto_sym_op_helper() may lead buffer overflow/divulged.
+
+This patch is originally written by Yiming Tao for QEMU-SECURITY,
+resend it(a few changes of error message) in qemu-devel.
+
+Fixes: CVE-2023-3180
+Fixes: 04b9b37edda("virtio-crypto: add data queue processing handler")
+Cc: Gonglei
+Cc: Mauro Matteo Cascella
+Cc: Yiming Tao
+Signed-off-by: zhenwei pi
+Message-Id: <20230803024314.29962-2-pizhenwei@bytedance.com>
+Reviewed-by: Michael S. Tsirkin
+Signed-off-by: Michael S. Tsirkin
+(cherry picked from commit 9d38a8434721a6479fe03fb5afb150ca793d3980)
+Signed-off-by: Michael Tokarev
+---
+ hw/virtio/virtio-crypto.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
+index 45187d3344..5e112a2402 100644
+--- a/hw/virtio/virtio-crypto.c
++++ b/hw/virtio/virtio-crypto.c
+@@ -455,6 +455,11 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
+ return NULL;
+ }
+
++ if (unlikely(src_len != dst_len)) {
++ virtio_error(vdev, "sym request src len is different from dst len");
++ return NULL;
++ }
++
+ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len;
+ if (unlikely(max_len > vcrypto->conf.max_size)) {
+ virtio_error(vdev, "virtio-crypto too big length");
+--
+2.41.0.windows.1
+
-- Gitee
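Review bot: The new `src_len != dst_len` guard in virtio_crypto_sym_op_helper() has no comment naming the invariant it enforces, and its error text omits the two guest-supplied lengths that tripped it. I would put `/* sym ops produce output of the same length as the input; reject guest requests where src_len and dst_len differ (CVE-2023-3180) */` above the check. Assuming both fields are 32-bit, as the `(uint64_t)` cast on the following line suggests, the message could log them: `virtio_error(vdev, "sym request src len (%" PRIu32 ") is different from dst len (%" PRIu32 ")", src_len, dst_len);`. The function starts and ends outside the hunk, so how dst_len is consumed afterwards is not visible here. On the packaging side, the CVE id appears only inside the patch body; naming it in the %changelog entry, as the Patch0374 filename does for CVE-2023-2861, would let an auditor confirm the fix from package metadata alone.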