* Wed Dec 14 2022 Jon Maloy <jmaloy@redhat.com> - 7.1.0-7

- kvm-hw-acpi-erst.c-Fix-memory-handling-issues.patch [bz#2149108] - Resolves: bz#2149108 (CVE-2022-4172 qemu-kvm: QEMU: ACPI ERST: memory corruption issues in read_erst_record and write_erst_record [rhel-9])
2022-12-14 22:30:47 +00:00 · 2022-12-14 22:30:47 +00:00 · 55259e29d6
parent c9394359b0
commit 55259e29d6
2 changed files with 91 additions and 1 deletions
--- a/kvm-hw-acpi-erst.c-Fix-memory-handling-issues.patch
+++ b/kvm-hw-acpi-erst.c-Fix-memory-handling-issues.patch
@ -0,0 +1,83 @@
+From 108b687eb18d121d688e652ac13ba465083f4529 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Mon, 5 Dec 2022 15:32:55 -0500
+Subject: [PATCH] hw/acpi/erst.c: Fix memory handling issues
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 125: ACPI ERST: memory corruption issues in read_erst_record and write_erst_record
+RH-Bugzilla: 2149108
+RH-Acked-by: Gavin Shan <gshan@redhat.com>
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+RH-Commit: [1/1] cccd8b6b8f0f360c623f913dbc02d4eda2fbf972 (jmaloy/jmaloy-qemu-kvm-centos)
+
+BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2149108
+Upstream: Merged
+CVE: CVE-2022-4172
+
+commit defb70980f6bed36100b74e84220f1764c0dd544
+Author: Christian A. Ehrhardt <lk@c--e.de>
+Date:   Mon Oct 24 17:42:33 2022 +0200
+
+    hw/acpi/erst.c: Fix memory handling issues
+
+    - Fix memset argument order: The second argument is
+      the value, the length goes last.
+    - Fix an integer overflow reported by Alexander Bulekov.
+
+    Both issues allow the guest to overrun the host buffer
+    allocated for the ERST memory device.
+
+    Cc: Eric DeVolder <eric.devolder@oracle.com
+    Cc: Alexander Bulekov <alxndr@bu.edu>
+    Cc: qemu-stable@nongnu.org
+    Fixes: f7e26ffa590 ("ACPI ERST: support for ACPI ERST feature")
+    Tested-by: Alexander Bulekov <alxndr@bu.edu>
+    Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
+    Message-Id: <20221024154233.1043347-1-lk@c--e.de>
+    Fixes: https://gitlab.com/qemu-project/qemu/-/issues/1268
+    Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
+    Reviewed-by: Eric DeVolder <eric.devolder@oracle.com>
+    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+(cherry picked from commit defb70980f6bed36100b74e84220f1764c0dd544)
+Jon Maloy <jmaloy@redhat.com>
+---
+ hw/acpi/erst.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/acpi/erst.c b/hw/acpi/erst.c
+index df856b2669..aefcc03ad6 100644
+--- a/hw/acpi/erst.c
+++ b/hw/acpi/erst.c
+@@ -635,7 +635,7 @@ static unsigned read_erst_record(ERSTDeviceState *s)
+         if (record_length < UEFI_CPER_RECORD_MIN_SIZE) {
+             rc = STATUS_FAILED;
+         }
+-        if ((s->record_offset + record_length) > exchange_length) {
+        if (record_length > exchange_length - s->record_offset) {
+             rc = STATUS_FAILED;
+         }
+         /* If all is ok, copy the record to the exchange buffer */
+@@ -684,7 +684,7 @@ static unsigned write_erst_record(ERSTDeviceState *s)
+     if (record_length < UEFI_CPER_RECORD_MIN_SIZE) {
+         return STATUS_FAILED;
+     }
+-    if ((s->record_offset + record_length) > exchange_length) {
+    if (record_length > exchange_length - s->record_offset) {
+         return STATUS_FAILED;
+     }
+ 
+@@ -716,7 +716,7 @@ static unsigned write_erst_record(ERSTDeviceState *s)
+     if (nvram) {
+         /* Write the record into the slot */
+         memcpy(nvram, exchange, record_length);
+-        memset(nvram + record_length, exchange_length - record_length, 0xFF);
+        memset(nvram + record_length, 0xFF, exchange_length - record_length);
+         /* If a new record, increment the record_count */
+         if (!record_found) {
+             uint32_t record_count;
+-- 
+2.37.3
+
--- a/qemu-kvm.spec
+++ b/qemu-kvm.spec
@ -151,7 +151,7 @@ Obsoletes: %{name}-block-ssh <= %{epoch}:%{version}                    \
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 7.1.0
-Release: 6%{?rcrel}%{?dist}%{?cc_suffix}
+Release: 7%{?rcrel}%{?dist}%{?cc_suffix}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 # Epoch 15 used for RHEL 8
 # Epoch 17 used for RHEL 9 (due to release versioning offset in RHEL 8.5)
@ -261,6 +261,8 @@ Patch51: kvm-host-libusb-Remove-unused-variable.patch
 Patch52: kvm-block-move-bdrv_qiov_is_aligned-to-file-posix.patch
 # For bz#2143170 - The installation can not start when install files (iso) locate on a 4k disk
 Patch53: kvm-block-use-the-request-length-for-iov-alignment.patch
+# For bz#2149108 - CVE-2022-4172 qemu-kvm: QEMU: ACPI ERST: memory corruption issues in read_erst_record and write_erst_record [rhel-9]
+Patch54: kvm-hw-acpi-erst.c-Fix-memory-handling-issues.patch

 %if %{have_clang}
 BuildRequires: clang
@ -1293,6 +1295,11 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 %endif

 %changelog
+* Wed Dec 14 2022 Jon Maloy <jmaloy@redhat.com> - 7.1.0-7
+- kvm-hw-acpi-erst.c-Fix-memory-handling-issues.patch [bz#2149108]
+- Resolves: bz#2149108
+  (CVE-2022-4172 qemu-kvm: QEMU: ACPI ERST: memory corruption issues in read_erst_record and write_erst_record [rhel-9])
+
 * Fri Dec 02 2022 Miroslav Rezanina <mrezanin@redhat.com> - 7.1.0-6
 - kvm-block-move-bdrv_qiov_is_aligned-to-file-posix.patch [bz#2143170]
 - kvm-block-use-the-request-length-for-iov-alignment.patch [bz#2143170]