diff --git a/bundles.tar.xz b/bundles.tar.xz index 217c2333..46117cd5 100644 --- a/bundles.tar.xz +++ b/bundles.tar.xz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:c67f3ecc31706a88b9777641c089555b6f8e7767bda5cd6ad4141353f3bf3e76 -size 91872 +oid sha256:833afbfee882243b6f321ab192b0de9bdbe817d2d9a159ca244a2e2dee6642fe +size 92996 diff --git a/hw-nvme-fix-CVE-2021-3929.patch b/hw-nvme-fix-CVE-2021-3929.patch new file mode 100644 index 00000000..7370a06a --- /dev/null +++ b/hw-nvme-fix-CVE-2021-3929.patch @@ -0,0 +1,65 @@ +From: Klaus Jensen +Date: Fri, 17 Dec 2021 10:44:01 +0100 +Subject: hw/nvme: fix CVE-2021-3929 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Git-commit: 736b01642d85be832385063f278fe7cd4ffb5221 +Refrences: bsc#1193880 CVE-2021-3929 + +This fixes CVE-2021-3929 "locally" by denying DMA to the iomem of the +device itself. This still allows DMA to MMIO regions of other devices +(e.g. doing P2P DMA to the controller memory buffer of another NVMe +device). + +Fixes: CVE-2021-3929 +Reported-by: Qiuhao Li +Reviewed-by: Keith Busch +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Klaus Jensen +Signed-off-by: Li Zhang +--- + hw/nvme/ctrl.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c +index 5f573c417b3d66c30814a74b192a..eda52c6ac74b3419ca4b656d0ee0 100644 +--- a/hw/nvme/ctrl.c ++++ b/hw/nvme/ctrl.c +@@ -357,6 +357,24 @@ static inline void *nvme_addr_to_pmr(NvmeCtrl *n, hwaddr addr) + return memory_region_get_ram_ptr(&n->pmr.dev->mr) + (addr - n->pmr.cba); + } + ++static inline bool nvme_addr_is_iomem(NvmeCtrl *n, hwaddr addr) ++{ ++ hwaddr hi, lo; ++ ++ /* ++ * The purpose of this check is to guard against invalid "local" access to ++ * the iomem (i.e. controller registers). Thus, we check against the range ++ * covered by the 'bar0' MemoryRegion since that is currently composed of ++ * two subregions (the NVMe "MBAR" and the MSI-X table/pba). Note, however, ++ * that if the device model is ever changed to allow the CMB to be located ++ * in BAR0 as well, then this must be changed. ++ */ ++ lo = n->bar0.addr; ++ hi = lo + int128_get64(n->bar0.size); ++ ++ return addr >= lo && addr < hi; ++} ++ + static int nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size) + { + hwaddr hi = addr + size - 1; +@@ -614,6 +632,10 @@ static uint16_t nvme_map_addr(NvmeCtrl *n, NvmeSg *sg, hwaddr addr, size_t len) + + trace_pci_nvme_map_addr(addr, len); + ++ if (nvme_addr_is_iomem(n, addr)) { ++ return NVME_DATA_TRAS_ERROR; ++ } ++ + if (nvme_addr_is_cmb(n, addr)) { + cmb = true; + } else if (nvme_addr_is_pmr(n, addr)) { diff --git a/qemu.changes b/qemu.changes index 9a92b5a4..b0a62411 100644 --- a/qemu.changes +++ b/qemu.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Mar 29 14:58:37 UTC 2022 - Li Zhang + +* Patches added: + hw-nvme-fix-CVE-2021-3929.patch + ------------------------------------------------------------------- Tue Mar 29 10:16:18 UTC 2022 - Li Zhang diff --git a/qemu.spec b/qemu.spec index 233c6e38..76450e8a 100644 --- a/qemu.spec +++ b/qemu.spec @@ -226,6 +226,7 @@ Patch00079: Revert-python-machine-add-instance-disam.patch Patch00080: Revert-python-machine-remove-_remove_mon.patch Patch00081: Revert-python-machine-add-sock_dir-prope.patch Patch00082: Revert-python-iotests-replace-qmp-with-a.patch +Patch00083: hw-nvme-fix-CVE-2021-3929.patch # Patches applied in roms/seabios/: Patch01000: seabios-use-python2-explicitly-as-needed.patch Patch01001: seabios-switch-to-python3-as-needed.patch @@ -1231,6 +1232,7 @@ This package records qemu testsuite results and represents successful testing. %patch00080 -p1 %patch00081 -p1 %patch00082 -p1 +%patch00083 -p1 %patch01000 -p1 %patch01001 -p1 %patch01002 -p1