import qemu-kvm-4.2.0-59.module+el8.5.0+13495+8166cdf8.1

2021-12-21 04:15:46 -05:00 · 2021-12-21 04:15:46 -05:00 · 4cb2a81ea6
parent 18777481c4
commit 4cb2a81ea6
3 changed files with 145 additions and 1 deletions
--- a/SOURCES/kvm-e1000-fix-tx-re-entrancy-problem.patch
+++ b/SOURCES/kvm-e1000-fix-tx-re-entrancy-problem.patch
@ -0,0 +1,71 @@
+From fc0bca7bd2685b8f8e3c37f19ce74967870ef952 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Thu, 21 Oct 2021 12:10:47 -0400
+Subject: [PATCH 2/2] e1000: fix tx re-entrancy problem
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 73: e1000: fix tx re-entrancy problem
+RH-Commit: [1/1] 3088ea275ddcee1ba0d47f7cff195af3e256f15f (jmaloy/qemu-kvm)
+RH-Bugzilla: 2025011
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+
+The fact that the MMIO handler is not re-entrant causes an infinite
+loop under certain conditions:
+
+Guest write to TDT ->  Loopback -> RX (DMA to TDT) -> TX
+
+We now eliminate the effect of this problem locally in e1000, by adding
+a boolean in struct E1000State indicating when the TX side is busy. This
+will cause any entering new call to return early instead of interfering
+with the ongoing work, and eliminates any risk of looping.
+
+This is intended to address CVE-2021-20257.
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 25ddb946e6301f42cff3094ea1c25fb78813e7e9)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ hw/net/e1000.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c
+index 8680b7d46b..1963a5b243 100644
+--- a/hw/net/e1000.c
+++ b/hw/net/e1000.c
+@@ -105,6 +105,7 @@ typedef struct E1000State_st {
+         e1000x_txd_props props;
+         e1000x_txd_props tso_props;
+         uint16_t tso_frames;
+        bool busy;
+     } tx;
+ 
+     struct {
+@@ -749,6 +750,11 @@ start_xmit(E1000State *s)
+         return;
+     }
+ 
+    if (s->tx.busy) {
+        return;
+    }
+    s->tx.busy = true;
+
+     while (s->mac_reg[TDH] != s->mac_reg[TDT]) {
+         base = tx_desc_base(s) +
+                sizeof(struct e1000_tx_desc) * s->mac_reg[TDH];
+@@ -775,6 +781,7 @@ start_xmit(E1000State *s)
+             break;
+         }
+     }
+    s->tx.busy = false;
+     set_ics(s, 0, cause);
+ }
+ 
+-- 
+2.27.0
+
--- a/SOURCES/kvm-hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch
+++ b/SOURCES/kvm-hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch
@ -0,0 +1,61 @@
+From 60b05771b8afc08e0ca9956658d2c55cd1739652 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 4 Nov 2021 17:31:38 +0100
+Subject: [PATCH 1/2] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE
+ SELECT commands
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 70: hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands
+RH-Commit: [1/1] bd3de8bdf48aa6c522612505d08c23dafb122a34 (jmaloy/qemu-kvm)
+RH-Bugzilla: 2025605
+RH-Acked-by: Paolo Bonzini <None>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+This avoids an off-by-one read of 'mode_sense_valid' buffer in
+hw/scsi/scsi-disk.c:mode_sense_page().
+
+Fixes: CVE-2021-3930
+Cc: qemu-stable@nongnu.org
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table")
+Fixes: #546
+Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ hw/scsi/scsi-disk.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
+index 5cb5fd35bd..1d0ea72289 100644
+--- a/hw/scsi/scsi-disk.c
+++ b/hw/scsi/scsi-disk.c
+@@ -1086,6 +1086,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf,
+     uint8_t *p = *p_outbuf + 2;
+     int length;
+ 
+    assert(page < ARRAY_SIZE(mode_sense_valid));
+     if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
+         return -1;
+     }
+@@ -1427,6 +1428,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page,
+         return -1;
+     }
+ 
+    /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */
+    if (page == MODE_PAGE_ALLS) {
+        return -1;
+    }
+
+     p = mode_current;
+     memset(mode_current, 0, inlen + 2);
+     len = mode_sense_page(s, page, &p, 0);
+-- 
+2.27.0
+
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@ -67,7 +67,7 @@ Obsoletes: %1-rhev <= %{epoch}:%{version}-%{release}
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 4.2.0
-Release: 59%{?dist}
+Release: 59%{?dist}.1
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 15
 License: GPLv2 and GPLv2+ and CC-BY
@ -1248,6 +1248,10 @@ Patch542: kvm-virtiofsd-Disable-remote-posix-locks-by-default.patch
 Patch543: kvm-virtiofsd-Fix-the-help-message-of-posix-lock.patch
 # For bz#1994041 - qemu-kvm scsi: change default passthrough timeout to non-infinite
 Patch544: kvm-scsi-make-io_timeout-configurable.patch
+# For bz#2025605 - CVE-2021-3930 virt:rhel/qemu-kvm: QEMU: off-by-one error in mode_sense_page() in hw/scsi/scsi-disk.c [rhel-8.5.0.z]
+Patch545: kvm-hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch
+# For bz#2025011 - CVE-2021-20257 virt:rhel/qemu-kvm: QEMU: net: e1000: infinite loop while processing transmit descriptors [rhel-8.5.0.z]
+Patch546: kvm-e1000-fix-tx-re-entrancy-problem.patch

 BuildRequires: wget
 BuildRequires: rpm-build
@ -2196,6 +2200,14 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \


 %changelog
+* Thu Nov 25 2021 Jon Maloy <jmaloy@redhat.com> - 4.2.0-59.el8_5
+- kvm-hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch [bz#2025605]
+- kvm-e1000-fix-tx-re-entrancy-problem.patch [bz#2025011]
+- Resolves: bz#2025605
+  (CVE-2021-3930 virt:rhel/qemu-kvm: QEMU: off-by-one error in mode_sense_page() in hw/scsi/scsi-disk.c [rhel-8.5.0.z])
+- Resolves: bz#2025011
+  (CVE-2021-20257 virt:rhel/qemu-kvm: QEMU: net: e1000: infinite loop while processing transmit descriptors [rhel-8.5.0.z])
+
 * Fri Oct 01 2021 Jon Maloy <jmaloy@redhat.com> - 4.2.0-59
 - kvm-scsi-make-io_timeout-configurable.patch [bz#1994041]
 - Resolves: bz#1994041