import qemu-kvm-6.1.0-5.module+el8.6.0+13430+8fdd5f85
parent
514343f27c
commit
8d8bcd27d3
71
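--- a/SOURCES/kvm-e1000-fix-tx-re-entrancy-problem.patch
+++ b/SOURCES/kvm-e1000-fix-tx-re-entrancy-problem.patch
@@ -0,0 +1,71 @@
+From bf83e26f55bd16f06df86b1bfc1a9c4708c9d11e Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Thu, 21 Oct 2021 12:10:47 -0400
+Subject: [PATCH 1/2] e1000: fix tx re-entrancy problem
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 54: e1000: fix tx re-entrancy problem
+RH-Commit: [1/1] 0aa00b3d9db1c318bf133e1f073e289ef4fb1cfa (jmaloy/qemu-kvm)
+RH-Bugzilla: 1930092
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Jason Wang <None>
+
+The fact that the MMIO handler is not re-entrant causes an infinite
+loop under certain conditions:
+
+Guest write to TDT -> Loopback -> RX (DMA to TDT) -> TX
+
+We now eliminate the effect of this problem locally in e1000, by adding
+a boolean in struct E1000State indicating when the TX side is busy. This
+will cause any entering new call to return early instead of interfering
+with the ongoing work, and eliminates any risk of looping.
+
+This is intended to address CVE-2021-20257.
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 25ddb946e6301f42cff3094ea1c25fb78813e7e9)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+hw/net/e1000.c | 7 +++++++
+1 file changed, 7 insertions(+)
+
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c
+index c2877978d9..282d01e374 100644
+--- a/hw/net/e1000.c
++++ b/hw/net/e1000.c
+@@ -107,6 +107,7 @@ struct E1000State_st {
+e1000x_txd_props props;
+e1000x_txd_props tso_props;
+uint16_t tso_frames;
++ bool busy;
+} tx;
+
+struct {
+@@ -763,6 +764,11 @@ start_xmit(E1000State *s)
+return;
+}
+
++ if (s->tx.busy) {
++ return;
++ }
++ s->tx.busy = true;
++
+while (s->mac_reg[TDH] != s->mac_reg[TDT]) {
+base = tx_desc_base(s) +
+sizeof(struct e1000_tx_desc) * s->mac_reg[TDH];
+@@ -789,6 +795,7 @@ start_xmit(E1000State *s)
+break;
+}
+}
++ s->tx.busy = false;
+set_ics(s, 0, cause);
+}
+
+--
+2.27.0
+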
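Review bot: The guard in start_xmit() is set at `s->tx.busy = true;` and cleared only at the single `s->tx.busy = false;` before set_ics(), so any exit from the descriptor loop other than the visible `break` would leave the flag stuck and silently disable transmit until the device is reset; the loop body between the second and third hunks is outside the hunk and should be checked for such paths, and a reset that can run while the flag is set would also need to clear it. Returning early from the nested call is safe only because the `while` condition re-reads `s->mac_reg[TDT]` on every iteration, so a TDT update DMA'd into the register during the outer loop is still picked up; that reasoning is not obvious and deserves a comment at the guard, e.g. `/* Re-entered via DMA (RX loopback writing TDT): the outer loop re-reads TDT, so just bail out. */`. The new field should likewise carry a one-line comment in the struct, `bool busy; /* start_xmit() is on the call stack; guards against MMIO re-entrancy */`. start_xmit() begins before and continues between these hunks.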
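--- a/SOURCES/kvm-hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch
+++ b/SOURCES/kvm-hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch
@@ -0,0 +1,62 @@
+From 1ed9669ab7ef35a592dd78636c60300466f9c71f Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 4 Nov 2021 17:31:38 +0100
+Subject: [PATCH 2/2] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE
+SELECT commands
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 69: hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands
+RH-Commit: [1/1] 929b23f9ac50b3b1e6712c85018feee384a0ca19 (jmaloy/qemu-kvm)
+RH-Bugzilla: 2020720
+RH-Acked-by: Mauro Matteo Cascella <None>
+RH-Acked-by: Hanna Reitz <hreitz@redhat.com>
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+This avoids an off-by-one read of 'mode_sense_valid' buffer in
+hw/scsi/scsi-disk.c:mode_sense_page().
+
+Fixes: CVE-2021-3930
+Cc: qemu-stable@nongnu.org
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table")
+Fixes: #546
+Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+hw/scsi/scsi-disk.c | 6 ++++++
+1 file changed, 6 insertions(+)
+
+diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
+index e8a547dbb7..d4914178ea 100644
+--- a/hw/scsi/scsi-disk.c
++++ b/hw/scsi/scsi-disk.c
+@@ -1087,6 +1087,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf,
+uint8_t *p = *p_outbuf + 2;
+int length;
+
++ assert(page < ARRAY_SIZE(mode_sense_valid));
+if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
+return -1;
+}
+@@ -1428,6 +1429,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page,
+return -1;
+}
+
++ /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */
++ if (page == MODE_PAGE_ALLS) {
++ return -1;
++ }
++
+p = mode_current;
+memset(mode_current, 0, inlen + 2);
+len = mode_sense_page(s, page, &p, 0);
+--
+2.27.0
+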
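Review bot: The new `assert(page < ARRAY_SIZE(mode_sense_valid));` in mode_sense_page() turns an out-of-range page number into an abort of the whole VM, so it is only a correct fix if every caller has already rejected such values; the second hunk does that for the MODE SELECT path by refusing MODE_PAGE_ALLS, but the MODE SENSE caller is not in this hunk and should be confirmed to expand the wildcard into individual page numbers rather than pass it through. A comment next to the assert stating that precondition would make the contract explicit for future callers, e.g. `/* Callers must reject MODE_PAGE_ALLS first; it is not an index into mode_sense_valid. */`. Both mode_sense_page() and scsi_disk_check_mode_select() begin before and continue past their hunks.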
@ -86,7 +86,7 @@ Obsoletes: %1-rhev <= %{epoch}:%{version}-%{release}
|
||||
Summary: QEMU is a machine emulator and virtualizer
|
||||
Name: qemu-kvm
|
||||
Version: 6.1.0
|
||||
Release: 4%{?rcrel}%{?dist}
|
||||
Release: 5%{?rcrel}%{?dist}
|
||||
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
|
||||
Epoch: 15
|
||||
License: GPLv2 and GPLv2+ and CC-BY
|
||||
@ -150,6 +150,10 @@ Patch22: kvm-redhat-Add-s390x-machine-type-compatibility-update-f.patch
|
||||
Patch23: kvm-virtio-net-fix-use-after-unmap-free-for-sg.patch
|
||||
# For bz#1998947 - Add machine type compatibility update for 6.1 rebase [aarch64]
|
||||
Patch25: kvm-hw-arm-virt-Add-hw_compat_rhel_8_5-to-8.5-machine-ty.patch
|
||||
# For bz#1930092 - CVE-2021-20257 virt:rhel/qemu-kvm: QEMU: net: e1000: infinite loop while processing transmit descriptors [rhel-8.5.0]
|
||||
Patch26: kvm-e1000-fix-tx-re-entrancy-problem.patch
|
||||
# For bz#2020720 - CVE-2021-3930 virt:rhel/qemu-kvm: QEMU: off-by-one error in mode_sense_page() in hw/scsi/scsi-disk.c [rhel-8]
|
||||
Patch27: kvm-hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch
|
||||
|
||||
BuildRequires: wget
|
||||
BuildRequires: rpm-build
|
||||
@ -1304,6 +1308,14 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
|
||||
|
||||
|
||||
%changelog
|
||||
* Mon Nov 22 2021 Jon Maloy <jmaloy@redhat.com> - 6.1.0-5
|
||||
- kvm-e1000-fix-tx-re-entrancy-problem.patch [bz#1930092]
|
||||
- kvm-hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch [bz#2020720]
|
||||
- Resolves: bz#1930092
|
||||
(CVE-2021-20257 virt:rhel/qemu-kvm: QEMU: net: e1000: infinite loop while processing transmit descriptors [rhel-8.5.0])
|
||||
- Resolves: bz#2020720
|
||||
(CVE-2021-3930 virt:rhel/qemu-kvm: QEMU: off-by-one error in mode_sense_page() in hw/scsi/scsi-disk.c [rhel-8])
|
||||
|
||||
* Thu Oct 21 2021 Jon Maloy <jmaloy@redhat.com> - 6.1.0-4
|
||||
- kvm-spec-Remove-qemu-kiwi-build.patch [bz#2002694]
|
||||
- kvm-hw-arm-virt-Add-hw_compat_rhel_8_5-to-8.5-machine-ty.patch [bz#1998947]
|
||||
|