import qemu-kvm-4.2.0-59.module+el8.5.0+13495+8166cdf8.1

This commit is contained in:
CentOS Sources 2021-12-21 04:15:46 -05:00 committed by Stepan Oksanichenko
parent 18777481c4
commit 4cb2a81ea6
3 changed files with 145 additions and 1 deletions

View File

@ -0,0 +1,71 @@
From fc0bca7bd2685b8f8e3c37f19ce74967870ef952 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Thu, 21 Oct 2021 12:10:47 -0400
Subject: [PATCH 2/2] e1000: fix tx re-entrancy problem
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 73: e1000: fix tx re-entrancy problem
RH-Commit: [1/1] 3088ea275ddcee1ba0d47f7cff195af3e256f15f (jmaloy/qemu-kvm)
RH-Bugzilla: 2025011
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
The fact that the MMIO handler is not re-entrant causes an infinite
loop under certain conditions:
Guest write to TDT -> Loopback -> RX (DMA to TDT) -> TX
We now eliminate the effect of this problem locally in e1000, by adding
a boolean in struct E1000State indicating when the TX side is busy. This
will cause any entering new call to return early instead of interfering
with the ongoing work, and eliminates any risk of looping.
This is intended to address CVE-2021-20257.
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 25ddb946e6301f42cff3094ea1c25fb78813e7e9)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
hw/net/e1000.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/hw/net/e1000.c b/hw/net/e1000.c
index 8680b7d46b..1963a5b243 100644
--- a/hw/net/e1000.c
+++ b/hw/net/e1000.c
@@ -105,6 +105,7 @@ typedef struct E1000State_st {
e1000x_txd_props props;
e1000x_txd_props tso_props;
uint16_t tso_frames;
+ bool busy;
} tx;
struct {
@@ -749,6 +750,11 @@ start_xmit(E1000State *s)
return;
}
+ if (s->tx.busy) {
+ return;
+ }
+ s->tx.busy = true;
+
while (s->mac_reg[TDH] != s->mac_reg[TDT]) {
base = tx_desc_base(s) +
sizeof(struct e1000_tx_desc) * s->mac_reg[TDH];
@@ -775,6 +781,7 @@ start_xmit(E1000State *s)
break;
}
}
+ s->tx.busy = false;
set_ics(s, 0, cause);
}
--
2.27.0

View File

@ -0,0 +1,61 @@
From 60b05771b8afc08e0ca9956658d2c55cd1739652 Mon Sep 17 00:00:00 2001
From: Mauro Matteo Cascella <mcascell@redhat.com>
Date: Thu, 4 Nov 2021 17:31:38 +0100
Subject: [PATCH 1/2] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE
SELECT commands
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 70: hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands
RH-Commit: [1/1] bd3de8bdf48aa6c522612505d08c23dafb122a34 (jmaloy/qemu-kvm)
RH-Bugzilla: 2025605
RH-Acked-by: Paolo Bonzini <None>
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
This avoids an off-by-one read of 'mode_sense_valid' buffer in
hw/scsi/scsi-disk.c:mode_sense_page().
Fixes: CVE-2021-3930
Cc: qemu-stable@nongnu.org
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table")
Fixes: #546
Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
hw/scsi/scsi-disk.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
index 5cb5fd35bd..1d0ea72289 100644
--- a/hw/scsi/scsi-disk.c
+++ b/hw/scsi/scsi-disk.c
@@ -1086,6 +1086,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf,
uint8_t *p = *p_outbuf + 2;
int length;
+ assert(page < ARRAY_SIZE(mode_sense_valid));
if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
return -1;
}
@@ -1427,6 +1428,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page,
return -1;
}
+ /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */
+ if (page == MODE_PAGE_ALLS) {
+ return -1;
+ }
+
p = mode_current;
memset(mode_current, 0, inlen + 2);
len = mode_sense_page(s, page, &p, 0);
--
2.27.0

View File

@ -67,7 +67,7 @@ Obsoletes: %1-rhev <= %{epoch}:%{version}-%{release}
Summary: QEMU is a machine emulator and virtualizer
Name: qemu-kvm
Version: 4.2.0
Release: 59%{?dist}
Release: 59%{?dist}.1
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 15
License: GPLv2 and GPLv2+ and CC-BY
@ -1248,6 +1248,10 @@ Patch542: kvm-virtiofsd-Disable-remote-posix-locks-by-default.patch
Patch543: kvm-virtiofsd-Fix-the-help-message-of-posix-lock.patch
# For bz#1994041 - qemu-kvm scsi: change default passthrough timeout to non-infinite
Patch544: kvm-scsi-make-io_timeout-configurable.patch
# For bz#2025605 - CVE-2021-3930 virt:rhel/qemu-kvm: QEMU: off-by-one error in mode_sense_page() in hw/scsi/scsi-disk.c [rhel-8.5.0.z]
Patch545: kvm-hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch
# For bz#2025011 - CVE-2021-20257 virt:rhel/qemu-kvm: QEMU: net: e1000: infinite loop while processing transmit descriptors [rhel-8.5.0.z]
Patch546: kvm-e1000-fix-tx-re-entrancy-problem.patch
BuildRequires: wget
BuildRequires: rpm-build
@ -2196,6 +2200,14 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
%changelog
* Thu Nov 25 2021 Jon Maloy <jmaloy@redhat.com> - 4.2.0-59.el8_5
- kvm-hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch [bz#2025605]
- kvm-e1000-fix-tx-re-entrancy-problem.patch [bz#2025011]
- Resolves: bz#2025605
(CVE-2021-3930 virt:rhel/qemu-kvm: QEMU: off-by-one error in mode_sense_page() in hw/scsi/scsi-disk.c [rhel-8.5.0.z])
- Resolves: bz#2025011
(CVE-2021-20257 virt:rhel/qemu-kvm: QEMU: net: e1000: infinite loop while processing transmit descriptors [rhel-8.5.0.z])
* Fri Oct 01 2021 Jon Maloy <jmaloy@redhat.com> - 4.2.0-59
- kvm-scsi-make-io_timeout-configurable.patch [bz#1994041]
- Resolves: bz#1994041