rpms/qemu-kvm
5
0
Fork 0
Code Issues Pull Requests Releases Activity

* Wed Dec 14 2022 Jon Maloy <jmaloy@redhat.com> - 7.1.0-7

Browse Source 
- kvm-hw-acpi-erst.c-Fix-memory-handling-issues.patch [bz#2149108]
- Resolves: bz#2149108
  (CVE-2022-4172 qemu-kvm: QEMU: ACPI ERST: memory corruption issues in read_erst_record and write_erst_record [rhel-9])
This commit is contained in:
Jon Maloy 2022-12-14 22:30:47 +00:00
parent c9394359b0
commit 55259e29d6
2 changed files with 91 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

83
kvm-hw-acpi-erst.c-Fix-memory-handling-issues.patch Normal file
View File

@ -0,0 +1,83 @@
From 108b687eb18d121d688e652ac13ba465083f4529 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Mon, 5 Dec 2022 15:32:55 -0500
Subject: [PATCH] hw/acpi/erst.c: Fix memory handling issues
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 125: ACPI ERST: memory corruption issues in read_erst_record and write_erst_record
RH-Bugzilla: 2149108
RH-Acked-by: Gavin Shan <gshan@redhat.com>
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
RH-Commit: [1/1] cccd8b6b8f0f360c623f913dbc02d4eda2fbf972 (jmaloy/jmaloy-qemu-kvm-centos)
BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2149108
Upstream: Merged
CVE: CVE-2022-4172
commit defb70980f6bed36100b74e84220f1764c0dd544
Author: Christian A. Ehrhardt <lk@c--e.de>
Date: Mon Oct 24 17:42:33 2022 +0200
hw/acpi/erst.c: Fix memory handling issues
- Fix memset argument order: The second argument is
the value, the length goes last.
- Fix an integer overflow reported by Alexander Bulekov.
Both issues allow the guest to overrun the host buffer
allocated for the ERST memory device.
Cc: Eric DeVolder <eric.devolder@oracle.com
Cc: Alexander Bulekov <alxndr@bu.edu>
Cc: qemu-stable@nongnu.org
Fixes: f7e26ffa590 ("ACPI ERST: support for ACPI ERST feature")
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
Message-Id: <20221024154233.1043347-1-lk@c--e.de>
Fixes: https://gitlab.com/qemu-project/qemu/-/issues/1268
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Eric DeVolder <eric.devolder@oracle.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit defb70980f6bed36100b74e84220f1764c0dd544)
Jon Maloy <jmaloy@redhat.com>
---
hw/acpi/erst.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/hw/acpi/erst.c b/hw/acpi/erst.c
index df856b2669..aefcc03ad6 100644
--- a/hw/acpi/erst.c
+++ b/hw/acpi/erst.c
@@ -635,7 +635,7 @@ static unsigned read_erst_record(ERSTDeviceState *s)
if (record_length < UEFI_CPER_RECORD_MIN_SIZE) {
rc = STATUS_FAILED;
}
- if ((s->record_offset + record_length) > exchange_length) {
+ if (record_length > exchange_length - s->record_offset) {
rc = STATUS_FAILED;
}
/* If all is ok, copy the record to the exchange buffer */
@@ -684,7 +684,7 @@ static unsigned write_erst_record(ERSTDeviceState *s)
if (record_length < UEFI_CPER_RECORD_MIN_SIZE) {
return STATUS_FAILED;
}
- if ((s->record_offset + record_length) > exchange_length) {
+ if (record_length > exchange_length - s->record_offset) {
return STATUS_FAILED;
}
@@ -716,7 +716,7 @@ static unsigned write_erst_record(ERSTDeviceState *s)
if (nvram) {
/* Write the record into the slot */
memcpy(nvram, exchange, record_length);
- memset(nvram + record_length, exchange_length - record_length, 0xFF);
+ memset(nvram + record_length, 0xFF, exchange_length - record_length);
/* If a new record, increment the record_count */
if (!record_found) {
uint32_t record_count;
--
2.37.3

9
qemu-kvm.spec
View File

@ -151,7 +151,7 @@ Obsoletes: %{name}-block-ssh <= %{epoch}:%{version} \
Summary: QEMU is a machine emulator and virtualizer Summary: QEMU is a machine emulator and virtualizer
Name: qemu-kvm Name: qemu-kvm
Version: 7.1.0 Version: 7.1.0
Release: 6%{?rcrel}%{?dist}%{?cc_suffix} Release: 7%{?rcrel}%{?dist}%{?cc_suffix}
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
# Epoch 15 used for RHEL 8 # Epoch 15 used for RHEL 8
# Epoch 17 used for RHEL 9 (due to release versioning offset in RHEL 8.5) # Epoch 17 used for RHEL 9 (due to release versioning offset in RHEL 8.5)
@ -261,6 +261,8 @@ Patch51: kvm-host-libusb-Remove-unused-variable.patch
Patch52: kvm-block-move-bdrv_qiov_is_aligned-to-file-posix.patch Patch52: kvm-block-move-bdrv_qiov_is_aligned-to-file-posix.patch
# For bz#2143170 - The installation can not start when install files (iso) locate on a 4k disk # For bz#2143170 - The installation can not start when install files (iso) locate on a 4k disk
Patch53: kvm-block-use-the-request-length-for-iov-alignment.patch Patch53: kvm-block-use-the-request-length-for-iov-alignment.patch
# For bz#2149108 - CVE-2022-4172 qemu-kvm: QEMU: ACPI ERST: memory corruption issues in read_erst_record and write_erst_record [rhel-9]
Patch54: kvm-hw-acpi-erst.c-Fix-memory-handling-issues.patch
%if %{have_clang} %if %{have_clang}
BuildRequires: clang BuildRequires: clang
@ -1293,6 +1295,11 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
%endif %endif
%changelog %changelog
* Wed Dec 14 2022 Jon Maloy <jmaloy@redhat.com> - 7.1.0-7
- kvm-hw-acpi-erst.c-Fix-memory-handling-issues.patch [bz#2149108]
- Resolves: bz#2149108
(CVE-2022-4172 qemu-kvm: QEMU: ACPI ERST: memory corruption issues in read_erst_record and write_erst_record [rhel-9])
* Fri Dec 02 2022 Miroslav Rezanina <mrezanin@redhat.com> - 7.1.0-6 * Fri Dec 02 2022 Miroslav Rezanina <mrezanin@redhat.com> - 7.1.0-6
- kvm-block-move-bdrv_qiov_is_aligned-to-file-posix.patch [bz#2143170] - kvm-block-move-bdrv_qiov_is_aligned-to-file-posix.patch [bz#2143170]
- kvm-block-use-the-request-length-for-iov-alignment.patch [bz#2143170] - kvm-block-use-the-request-length-for-iov-alignment.patch [bz#2143170]