diff --git a/backport-CVE-2023-0330.patch b/backport-CVE-2023-0330.patch
new file mode 100644
index 0000000000000000000000000000000000000000..02291fb9c212fb5078e5e3045d2aba7bfded63d9
--- /dev/null
+++ b/backport-CVE-2023-0330.patch
@@ -0,0 +1,74 @@
+From 62b5107d16ee5b46daae111f0868163f20ea7c69 Mon Sep 17 00:00:00 2001
+From: Thomas Huth
+Date: Tue, 17 Oct 2023 11:59:11 +0800
+Subject: [PATCH] hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI
+ controller (CVE-2023-0330)
+
+We cannot use the generic reentrancy guard in the LSI code, so
+we have to manually prevent endless reentrancy here. The problematic
+lsi_execute_script() function has already a way to detect whether
+too many instructions have been executed - we just have to slightly
+change the logic here that it also takes into account if the function
+has been called too often in a reentrant way.
+
+The code in fuzz-lsi53c895a-test.c has been taken from an earlier
+patch by Mauro Matteo Cascella.
+
+Resolves: #1563
+
+Message-Id: <20230522091011.1082574-1-thuth@redhat.com>
+Reviewed-by: Stefan Hajnoczi's avatarStefan Hajnoczi
+Reviewed-by: default avatarAlexander Bulekov
+Signed-off-by: Thomas Huth's avatarThomas Huth
+---
+ hw/scsi/lsi53c895a.c | 23 +++++++++++++++------
+ tests/qtest/fuzz-lsi53c895a-test.c | 32 ++++++++++++++++++++++++++++++
+ 2 files changed, 49 insertions(+), 6 deletions(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index b9c9eb0da..f7559051c 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -1134,15 +1134,24 @@ static void lsi_execute_script(LSIState *s)
+ uint32_t addr, addr_high;
+ int opcode;
+ int insn_processed = 0;
++ static int reentrancy_level;
++
++ reentrancy_level++;
+
+ s->istat1 |= LSI_ISTAT1_SRUN;
+ again:
+- if (++insn_processed > LSI_MAX_INSN) {
+- /* Some windows drivers make the device spin waiting for a memory
+- location to change. If we have been executed a lot of code then
+- assume this is the case and force an unexpected device disconnect.
+- This is apparently sufficient to beat the drivers into submission.
+- */
++ /*
++ * Some windows drivers make the device spin waiting for a memory location
++ * to change. If we have executed more than LSI_MAX_INSN instructions then
++ * assume this is the case and force an unexpected device disconnect. This
++ * is apparently sufficient to beat the drivers into submission.
++ *
++ * Another issue (CVE-2023-0330) can occur if the script is programmed to
++ * trigger itself again and again. Avoid this problem by stopping after
++ * being called multiple times in a reentrant way (8 is an arbitrary value
++ * which should be enough for all valid use cases).
++ */
++ if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) {
+ if (!(s->sien0 & LSI_SIST0_UDC)) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "lsi_scsi: inf. loop with UDC masked");
+@@ -1596,6 +1605,8 @@ again:
+ }
+ }
+ trace_lsi_execute_script_stop();
++
++ reentrancy_level--;
+ }
+
+ static uint8_t lsi_reg_readb(LSIState *s, int offset)
+--
+2.27.0
+
diff --git a/qemu.spec b/qemu.spec
index a68acd934f4d9dc7e6da49d572ec32ef4c845c59..22fb2b0ab2e18fe964a80f10f2c9b33bca23c396 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,7 +1,7 @@
 Name: qemu
 Version: 4.1.0
 Release: 76
-Epoch: 10
+Epoch: 11
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
 URL: http://www.qemu.org
@@ -355,6 +355,7 @@ Patch0342: virtio-crypto-verify-src-dst-buffer-length-for-sym-r.patch
 Patch0343: io-remove-io-watch-if-TLS-channel-is-closed-during-h.patch
 Patch0344: pci-assert-configuration-access-is-within-bounds.patch
 Patch0345: accel-tcg-fix-race-in-cpu_exec_step_atomic-bug-18630.patch
+Patch0346: backport-CVE-2023-0330.patch
 
 BuildRequires: flex
 BuildRequires: bison
@@ -756,6 +757,9 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Tue Oct 17 2023 liningjie
+- Fix CVE-2023-0330
+
 * Mon Sep 11 2023 Jiabo Feng
 - accel/tcg: fix race in cpu_exec_step_atomic (bug 1863025)
 - pci: assert configuration access is within bounds
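Review bot: The new `reentrancy_level` counter is decremented only at the single exit after `trace_lsi_execute_script_stop()` in the second lsi53c895a.c hunk, so any `return` in the roughly 460 lines of lsi_execute_script that lie between the two hunks (not visible here) would skip the decrement and leave the counter permanently raised; because it is a function-local `static`, it is also shared by every LSI instance in the VM and is not cleared by device reset, so after eight such leaks every later script run would trip `reentrancy_level > 8` on its first instruction and the controller would be wedged through a guest-reachable path. If early returns exist, route them through a label that performs the decrement (`goto out;` with `out: trace_lsi_execute_script_stop(); reentrancy_level--;`), or move the counter into `LSIState` as `s->reentrancy_level` so it is per-device and can be zeroed on reset. The literal `8` should be a named constant beside `LSI_MAX_INSN`, e.g. `#define LSI_MAX_REENTRANCY 8`, since the comment itself calls the value arbitrary. When the reentrancy limit rather than the instruction limit trips, the existing `"lsi_scsi: inf. loop with UDC masked"` message misdescribes the condition, so a distinct log line would help anyone triaging a fuzzer report. lsi_execute_script begins at the first hunk and its body continues outside both hunks.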