import qemu-kvm-6.1.0-5.module+el8.6.0+13430+8fdd5f85

2021-11-26 09:51:01 +00:00 · 2021-11-26 09:51:01 +00:00 · 8d8bcd27d3
commit 8d8bcd27d3
parent 514343f27c
3 changed files with 146 additions and 1 deletions
--- a/SOURCES/kvm-e1000-fix-tx-re-entrancy-problem.patch
+++ b/SOURCES/kvm-e1000-fix-tx-re-entrancy-problem.patch
@ -0,0 +1,71 @@
+From bf83e26f55bd16f06df86b1bfc1a9c4708c9d11e Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Thu, 21 Oct 2021 12:10:47 -0400
+Subject: [PATCH 1/2] e1000: fix tx re-entrancy problem
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 54: e1000: fix tx re-entrancy problem
+RH-Commit: [1/1] 0aa00b3d9db1c318bf133e1f073e289ef4fb1cfa (jmaloy/qemu-kvm)
+RH-Bugzilla: 1930092
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Jason Wang <None>
+
+The fact that the MMIO handler is not re-entrant causes an infinite
+loop under certain conditions:
+
+Guest write to TDT ->  Loopback -> RX (DMA to TDT) -> TX
+
+We now eliminate the effect of this problem locally in e1000, by adding
+a boolean in struct E1000State indicating when the TX side is busy. This
+will cause any entering new call to return early instead of interfering
+with the ongoing work, and eliminates any risk of looping.
+
+This is intended to address CVE-2021-20257.
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 25ddb946e6301f42cff3094ea1c25fb78813e7e9)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ hw/net/e1000.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c
+index c2877978d9..282d01e374 100644
+--- a/hw/net/e1000.c
+++ b/hw/net/e1000.c
+@@ -107,6 +107,7 @@ struct E1000State_st {
+         e1000x_txd_props props;
+         e1000x_txd_props tso_props;
+         uint16_t tso_frames;
+        bool busy;
+     } tx;
+ 
+     struct {
+@@ -763,6 +764,11 @@ start_xmit(E1000State *s)
+         return;
+     }
+ 
+    if (s->tx.busy) {
+        return;
+    }
+    s->tx.busy = true;
+
+     while (s->mac_reg[TDH] != s->mac_reg[TDT]) {
+         base = tx_desc_base(s) +
+                sizeof(struct e1000_tx_desc) * s->mac_reg[TDH];
+@@ -789,6 +795,7 @@ start_xmit(E1000State *s)
+             break;
+         }
+     }
+    s->tx.busy = false;
+     set_ics(s, 0, cause);
+ }
+ 
+-- 
+2.27.0
+
--- a/SOURCES/kvm-hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch
+++ b/SOURCES/kvm-hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch
@ -0,0 +1,62 @@
+From 1ed9669ab7ef35a592dd78636c60300466f9c71f Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 4 Nov 2021 17:31:38 +0100
+Subject: [PATCH 2/2] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE
+ SELECT commands
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 69: hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands
+RH-Commit: [1/1] 929b23f9ac50b3b1e6712c85018feee384a0ca19 (jmaloy/qemu-kvm)
+RH-Bugzilla: 2020720
+RH-Acked-by: Mauro Matteo Cascella <None>
+RH-Acked-by: Hanna Reitz <hreitz@redhat.com>
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+This avoids an off-by-one read of 'mode_sense_valid' buffer in
+hw/scsi/scsi-disk.c:mode_sense_page().
+
+Fixes: CVE-2021-3930
+Cc: qemu-stable@nongnu.org
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table")
+Fixes: #546
+Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ hw/scsi/scsi-disk.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
+index e8a547dbb7..d4914178ea 100644
+--- a/hw/scsi/scsi-disk.c
+++ b/hw/scsi/scsi-disk.c
+@@ -1087,6 +1087,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf,
+     uint8_t *p = *p_outbuf + 2;
+     int length;
+ 
+    assert(page < ARRAY_SIZE(mode_sense_valid));
+     if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
+         return -1;
+     }
+@@ -1428,6 +1429,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page,
+         return -1;
+     }
+ 
+    /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */
+    if (page == MODE_PAGE_ALLS) {
+        return -1;
+    }
+
+     p = mode_current;
+     memset(mode_current, 0, inlen + 2);
+     len = mode_sense_page(s, page, &p, 0);
+-- 
+2.27.0
+
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@ -86,7 +86,7 @@ Obsoletes: %1-rhev <= %{epoch}:%{version}-%{release}
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 6.1.0
-Release: 4%{?rcrel}%{?dist}
+Release: 5%{?rcrel}%{?dist}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 15
 License: GPLv2 and GPLv2+ and CC-BY
@ -150,6 +150,10 @@ Patch22: kvm-redhat-Add-s390x-machine-type-compatibility-update-f.patch
 Patch23: kvm-virtio-net-fix-use-after-unmap-free-for-sg.patch
 # For bz#1998947 - Add machine type compatibility update for 6.1 rebase [aarch64]
 Patch25: kvm-hw-arm-virt-Add-hw_compat_rhel_8_5-to-8.5-machine-ty.patch
+# For bz#1930092 - CVE-2021-20257 virt:rhel/qemu-kvm: QEMU: net: e1000: infinite loop while processing transmit descriptors [rhel-8.5.0]
+Patch26: kvm-e1000-fix-tx-re-entrancy-problem.patch
+# For bz#2020720 - CVE-2021-3930 virt:rhel/qemu-kvm: QEMU: off-by-one error in mode_sense_page() in hw/scsi/scsi-disk.c [rhel-8]
+Patch27: kvm-hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch

 BuildRequires: wget
 BuildRequires: rpm-build
@ -1304,6 +1308,14 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :


 %changelog
+* Mon Nov 22 2021 Jon Maloy <jmaloy@redhat.com> - 6.1.0-5
+- kvm-e1000-fix-tx-re-entrancy-problem.patch [bz#1930092]
+- kvm-hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch [bz#2020720]
+- Resolves: bz#1930092
+  (CVE-2021-20257 virt:rhel/qemu-kvm: QEMU: net: e1000: infinite loop while processing transmit descriptors [rhel-8.5.0])
+- Resolves: bz#2020720
+  (CVE-2021-3930 virt:rhel/qemu-kvm: QEMU: off-by-one error in mode_sense_page() in hw/scsi/scsi-disk.c [rhel-8])
+
 * Thu Oct 21 2021 Jon Maloy <jmaloy@redhat.com> - 6.1.0-4
 - kvm-spec-Remove-qemu-kiwi-build.patch [bz#2002694]
 - kvm-hw-arm-virt-Add-hw_compat_rhel_8_5-to-8.5-machine-ty.patch [bz#1998947]