qemu-kvm/kvm-hw-scsi-scsi-disk-Disallow-block-sizes-smaller-than-.patch
Miroslav Rezanina cfe9adea3d * Mon Nov 13 2023 Miroslav Rezanina <mrezanin@redhat.com> - 8.1.0-4
- kvm-hw-scsi-scsi-disk-Disallow-block-sizes-smaller-than-.patch [RHEL-2828]
- kvm-Enable-igb-on-x86_64.patch [RHEL-1308]
- kvm-host-include-generic-host-atomic128-Fix-compilation-.patch [RHEL-12991]
- kvm-Enable-qemu-kvm-device-usb-redirec-for-aarch64.patch [RHEL-7561]
- Resolves: RHEL-2828
  (CVE-2023-42467 qemu-kvm: qemu: denial of service due to division by zero [rhel-9])
- Resolves: RHEL-1308
  ([RFE] iGB: Add an emulated SR-IOV network card)
- Resolves: RHEL-12991
  (qemu-kvm fails to build on s390x with clang-17)
- Resolves: RHEL-7561
  (Missing the rpm package qemu-kvm-device-usb-redirect on Arm64 platform)
2023-11-13 02:38:53 -05:00

From 3e9164c9c80be093d7c9c590a643bf1aecf23496 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 18 Oct 2023 11:31:15 -0400
Subject: [PATCH 1/4] hw/scsi/scsi-disk: Disallow block sizes smaller than 512
[CVE-2023-42467]
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 204: hw/scsi/scsi-disk: Disallow block sizes smaller than 512 [CVE-2023-42467]
RH-Jira: RHEL-2828
RH-Acked-by: Thomas Huth <thuth@redhat.com>
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
RH-Commit: [1/1] 7b5306fdadb000216505b8f47a6ab8e4c4336506 (jmaloy/jmaloy-qemu-kvm-2)
Jira: https://issues.redhat.com/browse/RHEL-2828
CVE: CVE-2023-42467
Upstream: Merged
commit 7cfcc79b0ab800959716738aff9419f53fc68c9c
Author: Thomas Huth <thuth@redhat.com>
Date: Mon Sep 25 11:18:54 2023 +0200
hw/scsi/scsi-disk: Disallow block sizes smaller than 512 [CVE-2023-42467]
We are doing things like
nb_sectors /= (s->qdev.blocksize / BDRV_SECTOR_SIZE);
in the code here (e.g. in scsi_disk_emulate_mode_sense()), so if
the blocksize is smaller than BDRV_SECTOR_SIZE (=512), this crashes
with a division by 0 exception. Thus disallow block sizes of 256
bytes to avoid this situation.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1813
CVE: 2023-42467
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20230925091854.49198-1-thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
hw/scsi/scsi-disk.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
index e0d79c7966..477ee2bcd4 100644
--- a/hw/scsi/scsi-disk.c
+++ b/hw/scsi/scsi-disk.c
@@ -1628,9 +1628,10 @@ static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf)
* Since the existing code only checks/updates bits 8-15 of the block
* size, restrict ourselves to the same requirement for now to ensure
* that a block size set by a block descriptor and then read back by
- * a subsequent SCSI command will be the same
+ * a subsequent SCSI command will be the same. Also disallow a block
+ * size of 256 since we cannot handle anything below BDRV_SECTOR_SIZE.
*/
- if (bs && !(bs & ~0xff00) && bs != s->qdev.blocksize) {
+ if (bs && !(bs & ~0xfe00) && bs != s->qdev.blocksize) {
s->qdev.blocksize = bs;
trace_scsi_disk_mode_select_set_blocksize(s->qdev.blocksize);
}
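Review bot: In the changed condition, the mask 0xfe00 expresses the lower bound only implicitly, so the link to the divisor in `s->qdev.blocksize / BDRV_SECTOR_SIZE` lives in the comment rather than in the code. Consider writing the bound explicitly, for example an added `bs >= BDRV_SECTOR_SIZE` test next to the original mask, so the check keeps tracking the constant it protects. Note also that the new mask still accepts any combination of bits 9-15, including sizes that are not a power of two such as 0x600; the quotient is non-zero so the division is safe, but it is worth stating whether such sizes are intended. A rejected size falls through this `if` with no trace event in the visible lines; a trace point for the refused value would help when diagnosing a guest that issues MODE SELECT with a 256-byte block descriptor. Since the guard sits only on this MODE SELECT path, please confirm that no other assignment to `s->qdev.blocksize` can produce a value below BDRV_SECTOR_SIZE.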
--
2.39.3