* Wed Dec 14 2022 Jon Maloy <jmaloy@redhat.com> - 7.1.0-7
- kvm-hw-acpi-erst.c-Fix-memory-handling-issues.patch [bz#2149108] - Resolves: bz#2149108 (CVE-2022-4172 qemu-kvm: QEMU: ACPI ERST: memory corruption issues in read_erst_record and write_erst_record [rhel-9])
parent
c9394359b0
commit
55259e29d6
83
kvm-hw-acpi-erst.c-Fix-memory-handling-issues.patch
Normal file
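--- /dev/null
+++ b/kvm-hw-acpi-erst.c-Fix-memory-handling-issues.patch
@@ -0,0 +1,83 @@
+From 108b687eb18d121d688e652ac13ba465083f4529 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Mon, 5 Dec 2022 15:32:55 -0500
+Subject: [PATCH] hw/acpi/erst.c: Fix memory handling issues
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 125: ACPI ERST: memory corruption issues in read_erst_record and write_erst_record
+RH-Bugzilla: 2149108
+RH-Acked-by: Gavin Shan <gshan@redhat.com>
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Commit: [1/1] cccd8b6b8f0f360c623f913dbc02d4eda2fbf972 (jmaloy/jmaloy-qemu-kvm-centos)
+
+BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2149108
+Upstream: Merged
+CVE: CVE-2022-4172
+
+commit defb70980f6bed36100b74e84220f1764c0dd544
+Author: Christian A. Ehrhardt <lk@c--e.de>
+Date: Mon Oct 24 17:42:33 2022 +0200
+
+hw/acpi/erst.c: Fix memory handling issues
+
+- Fix memset argument order: The second argument is
+the value, the length goes last.
+- Fix an integer overflow reported by Alexander Bulekov.
+
+Both issues allow the guest to overrun the host buffer
+allocated for the ERST memory device.
+
+Cc: Eric DeVolder <eric.devolder@oracle.com
+Cc: Alexander Bulekov <alxndr@bu.edu>
+Cc: qemu-stable@nongnu.org
+Fixes: f7e26ffa590 ("ACPI ERST: support for ACPI ERST feature")
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
+Message-Id: <20221024154233.1043347-1-lk@c--e.de>
+Fixes: https://gitlab.com/qemu-project/qemu/-/issues/1268
+Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Eric DeVolder <eric.devolder@oracle.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+(cherry picked from commit defb70980f6bed36100b74e84220f1764c0dd544)
+Jon Maloy <jmaloy@redhat.com>
+---
+hw/acpi/erst.c | 6 +++---
+1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/acpi/erst.c b/hw/acpi/erst.c
+index df856b2669..aefcc03ad6 100644
+--- a/hw/acpi/erst.c
++++ b/hw/acpi/erst.c
+@@ -635,7 +635,7 @@ static unsigned read_erst_record(ERSTDeviceState *s)
+if (record_length < UEFI_CPER_RECORD_MIN_SIZE) {
+rc = STATUS_FAILED;
+}
+- if ((s->record_offset + record_length) > exchange_length) {
++ if (record_length > exchange_length - s->record_offset) {
+rc = STATUS_FAILED;
+}
+/* If all is ok, copy the record to the exchange buffer */
+@@ -684,7 +684,7 @@ static unsigned write_erst_record(ERSTDeviceState *s)
+if (record_length < UEFI_CPER_RECORD_MIN_SIZE) {
+return STATUS_FAILED;
+}
+- if ((s->record_offset + record_length) > exchange_length) {
++ if (record_length > exchange_length - s->record_offset) {
+return STATUS_FAILED;
+}
+
+@@ -716,7 +716,7 @@ static unsigned write_erst_record(ERSTDeviceState *s)
+if (nvram) {
+/* Write the record into the slot */
+memcpy(nvram, exchange, record_length);
+- memset(nvram + record_length, exchange_length - record_length, 0xFF);
++ memset(nvram + record_length, 0xFF, exchange_length - record_length);
+/* If a new record, increment the record_count */
+if (!record_found) {
+uint32_t record_count;
+--
+2.37.3
+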
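Review bot: The rewritten bound `if (record_length > exchange_length - s->record_offset)` in the read_erst_record hunk (and the identical one in the first write_erst_record hunk) removes the addition overflow, but it is only sound if `s->record_offset` has already been capped at `exchange_length`; otherwise the unsigned subtraction wraps and the check no longer rejects oversized records. That invariant is presumably established where the offset is stored, outside both hunks, so the dependency deserves a one-line comment at each check, e.g. `/* record_offset is validated against exchange_length when set, so this subtraction cannot wrap */`. The memset argument-order fix in the third hunk needs no further change. Both enclosing functions start and end outside the hunks shown.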
@ -151,7 +151,7 @@ Obsoletes: %{name}-block-ssh <= %{epoch}:%{version} \
|
||||
Summary: QEMU is a machine emulator and virtualizer
|
||||
Name: qemu-kvm
|
||||
Version: 7.1.0
|
||||
Release: 6%{?rcrel}%{?dist}%{?cc_suffix}
|
||||
Release: 7%{?rcrel}%{?dist}%{?cc_suffix}
|
||||
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
|
||||
# Epoch 15 used for RHEL 8
|
||||
# Epoch 17 used for RHEL 9 (due to release versioning offset in RHEL 8.5)
|
||||
@ -261,6 +261,8 @@ Patch51: kvm-host-libusb-Remove-unused-variable.patch
|
||||
Patch52: kvm-block-move-bdrv_qiov_is_aligned-to-file-posix.patch
|
||||
# For bz#2143170 - The installation can not start when install files (iso) locate on a 4k disk
|
||||
Patch53: kvm-block-use-the-request-length-for-iov-alignment.patch
|
||||
# For bz#2149108 - CVE-2022-4172 qemu-kvm: QEMU: ACPI ERST: memory corruption issues in read_erst_record and write_erst_record [rhel-9]
|
||||
Patch54: kvm-hw-acpi-erst.c-Fix-memory-handling-issues.patch
|
||||
|
||||
%if %{have_clang}
|
||||
BuildRequires: clang
|
||||
@ -1293,6 +1295,11 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Dec 14 2022 Jon Maloy <jmaloy@redhat.com> - 7.1.0-7
|
||||
- kvm-hw-acpi-erst.c-Fix-memory-handling-issues.patch [bz#2149108]
|
||||
- Resolves: bz#2149108
|
||||
(CVE-2022-4172 qemu-kvm: QEMU: ACPI ERST: memory corruption issues in read_erst_record and write_erst_record [rhel-9])
|
||||
|
||||
* Fri Dec 02 2022 Miroslav Rezanina <mrezanin@redhat.com> - 7.1.0-6
|
||||
- kvm-block-move-bdrv_qiov_is_aligned-to-file-posix.patch [bz#2143170]
|
||||
- kvm-block-use-the-request-length-for-iov-alignment.patch [bz#2143170]
|
||||
|