diff options
author | Léo Le Bouter <lle-bout@zaclys.net> | 2021-02-28 04:40:05 +0100 |
---|---|---|
committer | Léo Le Bouter <lle-bout@zaclys.net> | 2021-02-28 04:40:05 +0100 |
commit | e05c0b334d55d1399303ce097f70eaa2ca3ad7df (patch) | |
tree | ec3361fbc58cd6db31a8b22575501f6d67247bba | |
parent | 8eb9e759dc2aa0aaf150848094211a3efc6abecb (diff) |
gnu: qemu: Fix CVE-2021-20203.
* gnu/packages/patches/qemu-CVE-2021-20203.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/virtualization.scm (qemu): Apply it.
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2021-20203.patch | 172 | ||||
-rw-r--r-- | gnu/packages/virtualization.scm | 3 |
3 files changed, 175 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 76bb7ef1f0..83753e6b4e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1561,6 +1561,7 @@ dist_patch_DATA = \ %D%/packages/patches/python-waitress-fix-tests.patch \ %D%/packages/patches/pypy3-7.3.1-fix-tests.patch \ %D%/packages/patches/qemu-build-info-manual.patch \ + %D%/packages/patches/qemu-CVE-2021-20203.patch \ %D%/packages/patches/qemu-glibc-2.27.patch \ %D%/packages/patches/qpdfview-qt515-compat.patch \ %D%/packages/patches/qrcodegen-cpp-make-install.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2021-20203.patch b/gnu/packages/patches/qemu-CVE-2021-20203.patch new file mode 100644 index 0000000000..9d2ceaa649 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2021-20203.patch @@ -0,0 +1,172 @@ +From mboxrd@z Thu Jan 1 00:00:00 1970 +Return-Path: <SRS0=i+5i=HB=nongnu.org=qemu-devel-bounces+qemu-devel=archiver.kernel.org@kernel.org> +X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on + aws-us-west-2-korg-lkml-1.web.codeaurora.org +X-Spam-Level: +X-Spam-Status: No, score=-10.8 required=3.0 tests=BAYES_00,DKIM_INVALID, + DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, + MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,UNWANTED_LANGUAGE_BODY, + URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 +Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) + by smtp.lore.kernel.org (Postfix) with ESMTP id 87556C433E0 + for <qemu-devel@archiver.kernel.org>; Sat, 30 Jan 2021 13:20:40 +0000 (UTC) +Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) + (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) + (No client certificate requested) + by mail.kernel.org (Postfix) with ESMTPS id EF26964DE1 + for <qemu-devel@archiver.kernel.org>; Sat, 30 Jan 2021 13:20:39 +0000 (UTC) +DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org EF26964DE1 +Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=redhat.com +Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org +Received: from localhost ([::1]:42488 helo=lists1p.gnu.org) + by lists.gnu.org with esmtp (Exim 4.90_1) + (envelope-from <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org>) + id 1l5qB3-0008CX-02 + for qemu-devel@archiver.kernel.org; Sat, 30 Jan 2021 08:20:37 -0500 +Received: from eggs.gnu.org ([2001:470:142:3::10]:45174) + by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) + (Exim 4.90_1) (envelope-from <ppandit@redhat.com>) + id 1l5q9q-0007ld-1c + for qemu-devel@nongnu.org; Sat, 30 Jan 2021 08:19:22 -0500 +Received: from us-smtp-delivery-124.mimecast.com ([63.128.21.124]:42898) + by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA1:256) + (Exim 4.90_1) (envelope-from <ppandit@redhat.com>) + id 1l5q9k-0007Ia-TV + for qemu-devel@nongnu.org; Sat, 30 Jan 2021 08:19:21 -0500 +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; + s=mimecast20190719; t=1612012753; + h=from:from:reply-to:subject:subject:date:date:message-id:message-id: + to:to:cc:cc:mime-version:mime-version:content-type:content-type: + content-transfer-encoding:content-transfer-encoding; + bh=7vu4z8M+bFjhFzEuAYsQG4i3APx7aMqv7tFxRRO5+8Q=; + b=egCsTdgVBnRlHnVN84HsSpNOUl/NkqEnGuv9rRdG2AZ1Fee5ZatpJm5zJ7YUW2HvzB4rtO + EaDIKaN1wzf/yHf0CsJ60TPGG3DqQSC/EsTSr2l/GNGq4prDYTXVrS3rXFu9ofByUVvzwU + q9Iy1X1Bh3S21m7jXY0AYx4Tu9Ikq9w= +Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com + [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id + us-mta-588-1JF7mzMfP1KpRpNKj4cAWQ-1; Sat, 30 Jan 2021 08:19:08 -0500 +X-MC-Unique: 1JF7mzMfP1KpRpNKj4cAWQ-1 +Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com + [10.5.11.22]) + (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) + (No client certificate requested) + by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 8F0F439380; + Sat, 30 Jan 2021 13:19:07 +0000 (UTC) +Received: from localhost.localdomain (unknown [10.33.36.2]) + by smtp.corp.redhat.com (Postfix) with ESMTPS id 17D581002C11; + Sat, 30 Jan 2021 13:19:04 +0000 (UTC) +From: P J P <ppandit@redhat.com> +To: Dmitry Fleytman <dmitry.fleytman@gmail.com> +Subject: [PATCH] net: vmxnet3: validate configuration values during activate + (CVE-2021-20203) +Date: Sat, 30 Jan 2021 18:46:52 +0530 +Message-Id: <20210130131652.954143-1-ppandit@redhat.com> +MIME-Version: 1.0 +X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 +Authentication-Results: relay.mimecast.com; + auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=ppandit@redhat.com +X-Mimecast-Spam-Score: 0 +X-Mimecast-Originator: redhat.com +Content-Transfer-Encoding: 8bit +Content-Type: text/plain; charset="US-ASCII" +Received-SPF: pass client-ip=63.128.21.124; envelope-from=ppandit@redhat.com; + helo=us-smtp-delivery-124.mimecast.com +X-Spam_score_int: -30 +X-Spam_score: -3.1 +X-Spam_bar: --- +X-Spam_report: (-3.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.255, + DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, + RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, + SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no +X-Spam_action: no action +X-BeenThere: qemu-devel@nongnu.org +X-Mailman-Version: 2.1.23 +Precedence: list +List-Id: <qemu-devel.nongnu.org> +List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>, + <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe> +List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel> +List-Post: <mailto:qemu-devel@nongnu.org> +List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help> +List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>, + <mailto:qemu-devel-request@nongnu.org?subject=subscribe> +Cc: Gaoning Pan <pgn@zju.edu.cn>, QEMU Developers <qemu-devel@nongnu.org>, + Prasad J Pandit <pjp@fedoraproject.org> +Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org +Sender: "Qemu-devel" + <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org> +Archived-At: <https://lore.kernel.org/qemu-devel/20210130131652.954143-1-ppandit@redhat.com/> +List-Archive: <https://lore.kernel.org/qemu-devel/> + +From: Prasad J Pandit <pjp@fedoraproject.org> + +While activating device in vmxnet3_acticate_device(), it does not +validate guest supplied configuration values against predefined +minimum - maximum limits. This may lead to integer overflow or +OOB access issues. Add checks to avoid it. + +Fixes: CVE-2021-20203 +Buglink: https://bugs.launchpad.net/qemu/+bug/1913873 +Reported-by: Gaoning Pan <pgn@zju.edu.cn> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +--- + hw/net/vmxnet3.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c +index eff299f629..4a910ca971 100644 +--- a/hw/net/vmxnet3.c ++++ b/hw/net/vmxnet3.c +@@ -1420,6 +1420,7 @@ static void vmxnet3_activate_device(VMXNET3State *s) + vmxnet3_setup_rx_filtering(s); + /* Cache fields from shared memory */ + s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu); ++ assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU); + VMW_CFPRN("MTU is %u", s->mtu); + + s->max_rx_frags = +@@ -1473,6 +1474,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) + /* Read rings memory locations for TX queues */ + pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA); + size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize); ++ if (size > VMXNET3_TX_RING_MAX_SIZE) { ++ size = VMXNET3_TX_RING_MAX_SIZE; ++ } + + vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size, + sizeof(struct Vmxnet3_TxDesc), false); +@@ -1483,6 +1487,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) + /* TXC ring */ + pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA); + size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize); ++ if (size > VMXNET3_TC_RING_MAX_SIZE) { ++ size = VMXNET3_TC_RING_MAX_SIZE; ++ } + vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size, + sizeof(struct Vmxnet3_TxCompDesc), true); + VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring); +@@ -1524,6 +1531,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) + /* RX rings */ + pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]); + size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]); ++ if (size > VMXNET3_RX_RING_MAX_SIZE) { ++ size = VMXNET3_RX_RING_MAX_SIZE; ++ } + vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size, + sizeof(struct Vmxnet3_RxDesc), false); + VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d", +@@ -1533,6 +1543,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) + /* RXC ring */ + pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA); + size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize); ++ if (size > VMXNET3_RC_RING_MAX_SIZE) { ++ size = VMXNET3_RC_RING_MAX_SIZE; ++ } + vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size, + sizeof(struct Vmxnet3_RxCompDesc), true); + VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size); +-- +2.29.2 + + + diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm index 8da57cf6ab..1f8c3beea0 100644 --- a/gnu/packages/virtualization.scm +++ b/gnu/packages/virtualization.scm @@ -141,7 +141,8 @@ (sha256 (base32 "1rd41wwlvp0vpialjp2czs6i3lsc338xc72l3zkbb7ixjfslw5y9")) - (patches (search-patches "qemu-build-info-manual.patch")) + (patches (search-patches "qemu-build-info-manual.patch" + "qemu-CVE-2021-20203.patch")) (modules '((guix build utils))) (snippet '(begin |