b647e6427f
- kvm-virtio-gpu-free-BHs-by-implementing-unrealize.patch [RHEL-32276] - kvm-virtio-gpu-reset-gfx-resources-in-main-thread.patch [RHEL-32276] - kvm-hw-virtio-Introduce-virtio_bh_new_guarded-helper.patch [RHEL-32276] - kvm-hw-display-virtio-gpu-Protect-from-DMA-re-entrancy-b.patch [RHEL-32276] - kvm-hw-char-virtio-serial-bus-Protect-from-DMA-re-entran.patch [RHEL-32276] - kvm-hw-virtio-virtio-crypto-Protect-from-DMA-re-entrancy.patch [RHEL-32276] - Resolves: RHEL-32276 (CVE-2024-3446 virt:rhel/qemu-kvm: QEMU: virtio: DMA reentrancy issue leads to double free vulnerability [rhel-8])
From 1b62d61c495bf4cd3a819ab8d1ef024d153e0ece Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Thu, 18 Jul 2024 09:40:29 -0400
Subject: [PATCH 3/6] hw/virtio: Introduce virtio_bh_new_guarded() helper
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 380: QEMU: virtio: DMA reentrancy issue leads to double free vulnerability
RH-Jira: RHEL-32276
RH-Acked-by: Gerd Hoffmann <None>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Commit: [3/6] 1cbde7ddb8393b72e2e8d457b5e2d739116567a9 (redhat/rhel/src/qemu-kvm/jons-qemu-kvm-2)
JIRA: https://issues.redhat.com/browse/RHEL-32276
CVE: CVE-2024-3446
Upstream: Merged
commit ec0504b989ca61e03636384d3602b7bf07ffe4da
Author: Philippe Mathieu-Daudé <philmd@linaro.org>
Date: Thu Apr 4 20:56:11 2024 +0200
hw/virtio: Introduce virtio_bh_new_guarded() helper
Introduce virtio_bh_new_guarded(), similar to qemu_bh_new_guarded()
but using the transport memory guard, instead of the device one
(there can only be one virtio device per virtio bus).
Inspired-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20240409105537.18308-2-philmd@linaro.org>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
hw/virtio/virtio.c | 10 ++++++++++
include/hw/virtio/virtio.h | 7 +++++++
2 files changed, 17 insertions(+)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index ea7c079fb0..5ae9c44841 100644
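--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -3874,3 +3874,13 @@ static void virtio_register_types(void)
 }
 
 type_init(virtio_register_types)
+
+QEMUBH *virtio_bh_new_guarded_full(DeviceState *dev,
+ QEMUBHFunc *cb, void *opaque,
+ const char *name)
+{
+ DeviceState *transport = qdev_get_parent_bus(dev)->parent;
+
+ return qemu_bh_new_full(cb, opaque, name,
+ &transport->mem_reentrancy_guard);
+}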
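Review bot: `qdev_get_parent_bus(dev)->parent` in virtio_bh_new_guarded_full() is dereferenced with no check, so a device that is not plugged into a virtio bus at call time would crash on a NULL bus or take the guard of a NULL transport. If "always called on a realized virtio device" is the intended precondition, make it explicit with `BusState *bus = qdev_get_parent_bus(dev);` followed by `assert(bus && bus->parent);` before the transport is read. The function would also benefit from a one-line comment on why the transport's `mem_reentrancy_guard` is chosen over the device's own (the commit message gives the reasoning, the code does not), since picking the wrong guard silently leaves the BH unprotected against re-entrant DMA.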
diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h
index 8bab9cfb75..731c631a81 100644
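--- a/include/hw/virtio/virtio.h
+++ b/include/hw/virtio/virtio.h
@@ -22,6 +22,7 @@
 #include "standard-headers/linux/virtio_config.h"
 #include "standard-headers/linux/virtio_ring.h"
 #include "qom/object.h"
+#include "block/aio.h"
 
 /* A guest should never accept this. It implies negotiation is broken. */
 #define VIRTIO_F_BAD_FEATURE 30
@@ -397,4 +398,10 @@ static inline bool virtio_device_disabled(VirtIODevice *vdev)
 bool virtio_legacy_allowed(VirtIODevice *vdev);
 bool virtio_legacy_check_disabled(VirtIODevice *vdev);
 
+QEMUBH *virtio_bh_new_guarded_full(DeviceState *dev,
+ QEMUBHFunc *cb, void *opaque,
+ const char *name);
+#define virtio_bh_new_guarded(dev, cb, opaque) \
+ virtio_bh_new_guarded_full((dev), (cb), (opaque), (stringify(cb)))
+
 #endif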
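Review bot: The new prototype for virtio_bh_new_guarded_full() and the virtio_bh_new_guarded() macro in the second hunk have no doc comment, so the header does not tell a caller that the bottom half is guarded by the transport's `mem_reentrancy_guard`, nor that `dev` must already be attached to a virtio bus. A short comment above the prototype should state that precondition, name the guard used, and note that the macro passes the stringified callback as the BH name. This patch adds the helper without any caller, so the protection only exists where later patches in the series switch a device over; it is worth checking that no virtio device able to start DMA from a BH is left on the unguarded or device-guarded constructors.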
--
2.39.3