Accepting request 908021 from home:jziviani:branches:Virtualization
- Disabled skiboot building for PowerPC due to the following issue: https://github.com/open-power/skiboot/issues/265 - Fix possible mremap overflow in the pvrdma (CVE-2021-3582, bsc#1187499) hw-rdma-Fix-possible-mremap-overflow-in-.patch - Ensure correct input on ring init (CVE-2021-3607, bsc#1187539) pvrdma-Ensure-correct-input-on-ring-init.patch - Fix the ring init error flow (CVE-2021-3608, bsc#1187538) pvrdma-Fix-the-ring-init-error-flow-CVE-.patch OBS-URL: https://build.opensuse.org/request/show/908021 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=662
This commit is contained in:
José Ricardo Ziviani
committed by
Git OBS Bridge
Git OBS Bridge
parent
7ff99ac35a
commit
183c086c65
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:14c73ceb03c53d00c3e40c4274d169800e2d03a9c3b22c3c5553b261ee61818e
|
||||
size 73624
|
||||
oid sha256:8ec63ad5df6ad6e4aa0b206d4db157c88cf8ae8bfd8261a7332f7c6a1f24cab8
|
||||
size 75016
|
||||
|
||||
43
hw-rdma-Fix-possible-mremap-overflow-in-.patch
Normal file
43
hw-rdma-Fix-possible-mremap-overflow-in-.patch
Normal file
@@ -0,0 +1,43 @@
|
||||
From: Marcel Apfelbaum <marcel@redhat.com>
|
||||
Date: Wed, 16 Jun 2021 14:06:00 +0300
|
||||
Subject: hw/rdma: Fix possible mremap overflow in the pvrdma device
|
||||
(CVE-2021-3582)
|
||||
|
||||
Git-commit: 284f191b4abad213aed04cb0458e1600fd18d7c4
|
||||
References: CVE-2021-3582 bsc#1187499
|
||||
|
||||
Ensure mremap boundaries not trusting the guest kernel to
|
||||
pass the correct buffer length.
|
||||
|
||||
Fixes: CVE-2021-3582
|
||||
Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
|
||||
Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
|
||||
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
|
||||
Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com>
|
||||
Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
|
||||
Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
|
||||
Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
|
||||
Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
|
||||
---
|
||||
hw/rdma/vmw/pvrdma_cmd.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
|
||||
index f59879e2574ea5569b098bb338e6..da7ddfa548ffb349dd3d695a6766 100644
|
||||
--- a/hw/rdma/vmw/pvrdma_cmd.c
|
||||
+++ b/hw/rdma/vmw/pvrdma_cmd.c
|
||||
@@ -38,6 +38,13 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma,
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+ length = ROUND_UP(length, TARGET_PAGE_SIZE);
|
||||
+ if (nchunks * TARGET_PAGE_SIZE != length) {
|
||||
+ rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks,
|
||||
+ (unsigned long)length);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
|
||||
if (!dir) {
|
||||
rdma_error_report("Failed to map to page directory");
|
||||
39
pvrdma-Ensure-correct-input-on-ring-init.patch
Normal file
39
pvrdma-Ensure-correct-input-on-ring-init.patch
Normal file
@@ -0,0 +1,39 @@
|
||||
From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
|
||||
Date: Wed, 30 Jun 2021 14:46:34 +0300
|
||||
Subject: pvrdma: Ensure correct input on ring init (CVE-2021-3607)
|
||||
|
||||
Git-commit: 32e5703cfea07c91e6e84bcb0313f633bb146534
|
||||
References: CVE-2021-3607 bsc#1187539
|
||||
|
||||
Check the guest passed a non zero page count
|
||||
for pvrdma device ring buffers.
|
||||
|
||||
Fixes: CVE-2021-3607
|
||||
Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
|
||||
Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
|
||||
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
|
||||
Message-Id: <20210630114634.2168872-1-marcel@redhat.com>
|
||||
Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
|
||||
Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
|
||||
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
|
||||
Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
|
||||
---
|
||||
hw/rdma/vmw/pvrdma_main.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
|
||||
index 84ae8024fcfd86c535aeacc7198a..7c0c3551a8a4952397e1202cfc9f 100644
|
||||
--- a/hw/rdma/vmw/pvrdma_main.c
|
||||
+++ b/hw/rdma/vmw/pvrdma_main.c
|
||||
@@ -92,6 +92,11 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state,
|
||||
uint64_t *dir, *tbl;
|
||||
int rc = 0;
|
||||
|
||||
+ if (!num_pages) {
|
||||
+ rdma_error_report("Ring pages count must be strictly positive");
|
||||
+ return -EINVAL;
|
||||
+ }
|
||||
+
|
||||
dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE);
|
||||
if (!dir) {
|
||||
rdma_error_report("Failed to map to page directory (ring %s)", name);
|
||||
39
pvrdma-Fix-the-ring-init-error-flow-CVE-.patch
Normal file
39
pvrdma-Fix-the-ring-init-error-flow-CVE-.patch
Normal file
@@ -0,0 +1,39 @@
|
||||
From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
|
||||
Date: Wed, 30 Jun 2021 14:52:46 +0300
|
||||
Subject: pvrdma: Fix the ring init error flow (CVE-2021-3608)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Git-commit: 66ae37d8cc313f89272e711174a846a229bcdbd3
|
||||
References: CVE-2021-3608 bsc#1187538
|
||||
|
||||
Do not unmap uninitialized dma addresses.
|
||||
|
||||
Fixes: CVE-2021-3608
|
||||
Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
|
||||
Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
|
||||
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
|
||||
Message-Id: <20210630115246.2178219-1-marcel@redhat.com>
|
||||
Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
|
||||
Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
|
||||
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
|
||||
Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
|
||||
---
|
||||
hw/rdma/vmw/pvrdma_dev_ring.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/rdma/vmw/pvrdma_dev_ring.c b/hw/rdma/vmw/pvrdma_dev_ring.c
|
||||
index 074ac59b84db3ab6bb092cb28fea..42130667a7d41bb2500f3ae5119c 100644
|
||||
--- a/hw/rdma/vmw/pvrdma_dev_ring.c
|
||||
+++ b/hw/rdma/vmw/pvrdma_dev_ring.c
|
||||
@@ -41,7 +41,7 @@ int pvrdma_ring_init(PvrdmaRing *ring, const char *name, PCIDevice *dev,
|
||||
qatomic_set(&ring->ring_state->cons_head, 0);
|
||||
*/
|
||||
ring->npages = npages;
|
||||
- ring->pages = g_malloc(npages * sizeof(void *));
|
||||
+ ring->pages = g_malloc0(npages * sizeof(void *));
|
||||
|
||||
for (i = 0; i < npages; i++) {
|
||||
if (!tbl[i]) {
|
||||
19
qemu.changes
19
qemu.changes
@@ -1,3 +1,22 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Jul 23 19:43:33 UTC 2021 - José Ricardo Ziviani <jose.ziviani@suse.com>
|
||||
|
||||
- Disabled skiboot building for PowerPC due to the following issue:
|
||||
https://github.com/open-power/skiboot/issues/265
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jul 23 19:22:24 UTC 2021 - José Ricardo Ziviani <jose.ziviani@suse.com>
|
||||
|
||||
- Fix possible mremap overflow in the pvrdma
|
||||
(CVE-2021-3582, bsc#1187499)
|
||||
hw-rdma-Fix-possible-mremap-overflow-in-.patch
|
||||
- Ensure correct input on ring init
|
||||
(CVE-2021-3607, bsc#1187539)
|
||||
pvrdma-Ensure-correct-input-on-ring-init.patch
|
||||
- Fix the ring init error flow
|
||||
(CVE-2021-3608, bsc#1187538)
|
||||
pvrdma-Fix-the-ring-init-error-flow-CVE-.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sat Jul 3 00:14:31 UTC 2021 - José Ricardo Ziviani <jose.ziviani@suse.com>
|
||||
|
||||
|
||||
10
qemu.spec
10
qemu.spec
@@ -44,12 +44,12 @@
|
||||
%endif
|
||||
|
||||
%ifarch ppc64
|
||||
%define build_skiboot_from_source 1
|
||||
%define build_skiboot_from_source 0
|
||||
%define build_slof_from_source 1
|
||||
%endif
|
||||
|
||||
%ifarch ppc64le
|
||||
%define build_skiboot_from_source 1
|
||||
%define build_skiboot_from_source 0
|
||||
%define build_slof_from_source 1
|
||||
%endif
|
||||
|
||||
@@ -220,6 +220,9 @@ Patch00084: tcg-Allocate-sufficient-storage-in-temp_.patch
|
||||
Patch00085: hw-block-nvme-align-with-existing-style.patch
|
||||
Patch00086: hw-nvme-fix-missing-check-for-PMR-capabi.patch
|
||||
Patch00087: hw-nvme-fix-pin-based-interrupt-behavior.patch
|
||||
Patch00088: hw-rdma-Fix-possible-mremap-overflow-in-.patch
|
||||
Patch00089: pvrdma-Ensure-correct-input-on-ring-init.patch
|
||||
Patch00090: pvrdma-Fix-the-ring-init-error-flow-CVE-.patch
|
||||
# Patches applied in roms/seabios/:
|
||||
Patch01000: seabios-use-python2-explicitly-as-needed.patch
|
||||
Patch01001: seabios-switch-to-python3-as-needed.patch
|
||||
@@ -1153,6 +1156,9 @@ This package records qemu testsuite results and represents successful testing.
|
||||
%patch00085 -p1
|
||||
%patch00086 -p1
|
||||
%patch00087 -p1
|
||||
%patch00088 -p1
|
||||
%patch00089 -p1
|
||||
%patch00090 -p1
|
||||
%patch01000 -p1
|
||||
%patch01001 -p1
|
||||
%patch01002 -p1
|
||||
|
||||
@@ -44,12 +44,12 @@
|
||||
%endif
|
||||
|
||||
%ifarch ppc64
|
||||
%define build_skiboot_from_source 1
|
||||
%define build_skiboot_from_source 0
|
||||
%define build_slof_from_source 1
|
||||
%endif
|
||||
|
||||
%ifarch ppc64le
|
||||
%define build_skiboot_from_source 1
|
||||
%define build_skiboot_from_source 0
|
||||
%define build_slof_from_source 1
|
||||
%endif
|
||||
|
||||
|
||||
Reference in New Issue
Block a user