Accepting request 965700 from home:lizhang:branches:Virtualization

- Fix bsc#1193880 CVE-2021-3929
* Patches added:
  hw-nvme-fix-CVE-2021-3929.patch

OBS-URL: https://build.opensuse.org/request/show/965700
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=704

bundles.tar.xz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:c67f3ecc31706a88b9777641c089555b6f8e7767bda5cd6ad4141353f3bf3e76
-size 91872
+oid sha256:833afbfee882243b6f321ab192b0de9bdbe817d2d9a159ca244a2e2dee6642fe
+size 92996

hw-nvme-fix-CVE-2021-3929.patch

@@ -0,0 +1,65 @@
+From: Klaus Jensen <k.jensen@samsung.com>
+Date: Fri, 17 Dec 2021 10:44:01 +0100
+Subject: hw/nvme: fix CVE-2021-3929
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: 736b01642d85be832385063f278fe7cd4ffb5221
+Refrences:  bsc#1193880  CVE-2021-3929
+
+This fixes CVE-2021-3929 "locally" by denying DMA to the iomem of the
+device itself. This still allows DMA to MMIO regions of other devices
+(e.g. doing P2P DMA to the controller memory buffer of another NVMe
+device).
+
+Fixes: CVE-2021-3929
+Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
+Signed-off-by: Li Zhang <lizhang@suse.de>
+---
+ hw/nvme/ctrl.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
+index 5f573c417b3d66c30814a74b192a..eda52c6ac74b3419ca4b656d0ee0 100644
+--- a/hw/nvme/ctrl.c
++++ b/hw/nvme/ctrl.c
+@@ -357,6 +357,24 @@ static inline void *nvme_addr_to_pmr(NvmeCtrl *n, hwaddr addr)
+     return memory_region_get_ram_ptr(&n->pmr.dev->mr) + (addr - n->pmr.cba);
+ }
+ 
++static inline bool nvme_addr_is_iomem(NvmeCtrl *n, hwaddr addr)
++{
++    hwaddr hi, lo;
++
++    /*
++     * The purpose of this check is to guard against invalid "local" access to
++     * the iomem (i.e. controller registers). Thus, we check against the range
++     * covered by the 'bar0' MemoryRegion since that is currently composed of
++     * two subregions (the NVMe "MBAR" and the MSI-X table/pba). Note, however,
++     * that if the device model is ever changed to allow the CMB to be located
++     * in BAR0 as well, then this must be changed.
++     */
++    lo = n->bar0.addr;
++    hi = lo + int128_get64(n->bar0.size);
++
++    return addr >= lo && addr < hi;
++}
++
+ static int nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size)
+ {
+     hwaddr hi = addr + size - 1;
+@@ -614,6 +632,10 @@ static uint16_t nvme_map_addr(NvmeCtrl *n, NvmeSg *sg, hwaddr addr, size_t len)
+ 
+     trace_pci_nvme_map_addr(addr, len);
+ 
++    if (nvme_addr_is_iomem(n, addr)) {
++        return NVME_DATA_TRAS_ERROR;
++    }
++
+     if (nvme_addr_is_cmb(n, addr)) {
+         cmb = true;
+     } else if (nvme_addr_is_pmr(n, addr)) {

qemu.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Mar 29 14:58:37 UTC 2022 - Li Zhang <li.zhang@suse.com>
+
+* Patches added:
+  hw-nvme-fix-CVE-2021-3929.patch
+
 -------------------------------------------------------------------
 Tue Mar 29 10:16:18 UTC 2022 - Li Zhang <li.zhang@suse.com>
 

qemu.spec

@@ -226,6 +226,7 @@ Patch00079:     Revert-python-machine-add-instance-disam.patch
 Patch00080:     Revert-python-machine-remove-_remove_mon.patch
 Patch00081:     Revert-python-machine-add-sock_dir-prope.patch
 Patch00082:     Revert-python-iotests-replace-qmp-with-a.patch
+Patch00083:     hw-nvme-fix-CVE-2021-3929.patch
 # Patches applied in roms/seabios/:
 Patch01000:     seabios-use-python2-explicitly-as-needed.patch
 Patch01001:     seabios-switch-to-python3-as-needed.patch
@@ -1231,6 +1232,7 @@ This package records qemu testsuite results and represents successful testing.
 %patch00080 -p1
 %patch00081 -p1
 %patch00082 -p1
+%patch00083 -p1
 %patch01000 -p1
 %patch01001 -p1
 %patch01002 -p1