diff --git a/hw-pvrdma-Protect-against-buggy-or-malicious-guest-driver.patch b/hw-pvrdma-Protect-against-buggy-or-malicious-guest-driver.patch new file mode 100644 index 0000000000000000000000000000000000000000..a30f739409c40941b06f1491e070bcd2689e3148 --- /dev/null +++ b/hw-pvrdma-Protect-against-buggy-or-malicious-guest-driver.patch @@ -0,0 +1,65 @@ +From 4c26f60c6ec78b8c043915a1c64633f20213f43e Mon Sep 17 00:00:00 2001 +From: Yuval Shaia +Date: Wed, 1 Mar 2023 16:29:26 +0200 +Subject: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver + +Guest driver allocates and initialize page tables to be used as a ring +of descriptors for CQ and async events. +The page table that represents the ring, along with the number of pages +in the page table is passed to the device. +Currently our device supports only one page table for a ring. + +Let's make sure that the number of page table entries the driver +reports, do not exceeds the one page table size. + +Reported-by: Soul Chen +Signed-off-by: Yuval Shaia +Fixes: CVE-2023-1544 +Message-ID: <20230301142926.18686-1-yuval.shaia.ml@gmail.com> +Signed-off-by: Thomas Huth +--- + hw/rdma/vmw/pvrdma_main.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c +index 1d9f84e89a..9bd08622f1 100644 +--- a/hw/rdma/vmw/pvrdma_main.c ++++ b/hw/rdma/vmw/pvrdma_main.c +@@ -91,19 +91,33 @@ static int init_dev_ring(PvrdmaRing *ring, struct pvrdma_ring **ring_state, + dma_addr_t dir_addr, uint32_t num_pages) + { + uint64_t *dir, *tbl; +- int rc = 0; ++ int max_pages, rc = 0; + + if (!num_pages) { + rdma_error_report("Ring pages count must be strictly positive"); + return -EINVAL; + } + ++ /* ++ * Make sure we can satisfy the requested number of pages in a single ++ * TARGET_PAGE_SIZE sized page table (taking into account that first entry ++ * is reserved for ring-state) ++ */ ++ max_pages = TARGET_PAGE_SIZE / sizeof(dma_addr_t) - 1; ++ if (num_pages > max_pages) { ++ rdma_error_report("Maximum pages on a single directory must not exceed %d\n", ++ max_pages); ++ return -EINVAL; ++ } ++ + dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE); + if (!dir) { + rdma_error_report("Failed to map to page directory (ring %s)", name); + rc = -ENOMEM; + goto out; + } ++ ++ /* We support only one page table for a ring */ + tbl = rdma_pci_dma_map(pci_dev, dir[0], TARGET_PAGE_SIZE); + if (!tbl) { + rdma_error_report("Failed to map to page table (ring %s)", name); +-- +2.27.0 + diff --git a/qemu.spec b/qemu.spec index 499aaa79394b571245262e657885c1a754ce64cf..54b0fe44ed83e18c642102f14d219362e6c6ca59 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 80 +Release: 81 Epoch: 10 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 @@ -390,6 +390,7 @@ Patch0377: virtio-crypto-verify-src-dst-buffer-length-for-sym-r.patch Patch0378: io-remove-io-watch-if-TLS-channel-is-closed-during-h.patch Patch0379: pci-assert-configuration-access-is-within-bounds.patch Patch0380: accel-tcg-fix-race-in-cpu_exec_step_atomic-bug-18630.patch +Patch0381: hw-pvrdma-Protect-against-buggy-or-malicious-guest-driver.patch BuildRequires: flex BuildRequires: bison @@ -790,6 +791,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Tue Nov 28 2023 Jiabo Feng +- hw/pvrdma: Protect against buggy or malicious guest driver + * Mon Sep 11 2023 Jiabo Feng - accel/tcg: fix race in cpu_exec_step_atomic (bug 1863025) - pci: assert configuration access is within bounds