qemu/pcie_sriov-Validate-NumVFs-CVE-2024-26327.patch

From 632ec38ed57b76baf3e499d1789aeea0f74df0a5 Mon Sep 17 00:00:00 2001
From: Akihiko Odaki <akihiko.odaki@daynix.com>
Date: Wed, 28 Feb 2024 20:33:13 +0900
Subject: [PATCH] pcie_sriov: Validate NumVFs (CVE-2024-26327)

The guest may write NumVFs greater than TotalVFs and that can lead
to buffer overflow in VF implementations.

Cc: qemu-stable@nongnu.org
Fixes: CVE-2024-26327
Fixes: 7c0fa8dff811 ("pcie: Add support for Single Root I/O Virtualization (SR/IOV)")
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Message-Id: <20240228-reuse-v8-2-282660281e60@daynix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Sriram Yagnaraman <sriram.yagnaraman@ericsson.com>
---
 hw/pci/pcie_sriov.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/pci/pcie_sriov.c b/hw/pci/pcie_sriov.c
index a1fe65f5d8..da209b7f47 100644
--- a/hw/pci/pcie_sriov.c
+++ b/hw/pci/pcie_sriov.c
@@ -176,6 +176,9 @@ static void register_vfs(PCIDevice *dev)
 
     assert(sriov_cap > 0);
     num_vfs = pci_get_word(dev->config + sriov_cap + PCI_SRIOV_NUM_VF);
+    if (num_vfs > pci_get_word(dev->config + sriov_cap + PCI_SRIOV_TOTAL_VF)) {
+        return;
+    }
 
     dev->exp.sriov_pf.vf = g_new(PCIDevice *, num_vfs);
 
-- 
2.27.0
QEMU update to version 8.2.0-2 - block: bugfix: Don't pause vm when NOSPACE EIO happened - block: enable cache mode of empty cdrom - block/mirror: fix file-system went to read-only after block-mirror - scsi-bus: fix incorrect call for blk_error_retry_reset_timeout() - scsi-bus: fix unmatched object_unref() - block: Add sanity check when setting retry parameters - block-backend: Stop retrying when draining - scsi-disk: Add support for retry on errors - scsi-bus: Refactor the code that retries requests - virtio_blk: Add support for retry on errors - block: Add error retry param setting - block-backend: Add timeout support for retry - block-backend: Enable retry action on errors - block-backend: Add device specific retry callback - block-backend: Introduce retry timer - qapi/block-core: Add retry option for error action - scsi: bugfix: fix division by zero - scsi: cdrom: Fix crash after remote cdrom detached - qemu-pr: fixed ioctl failed for multipath disk - scsi-disk: define props in scsi_block_disk to avoid memleaks - bugfix: fix possible memory leak - bugfix: fix some illegal memory access and memory leak - util/log: add CONFIG_DISABLE_QEMU_LOG macro - log: Add some logs on VM runtime path - bugfix: fix eventfds may double free when vm_id reused in ivshmem - hw/display/macfb: Fix missing ERRP_GUARD() in macfb_nubus_realize() - hw/cxl/cxl-host: Fix missing ERRP_GUARD() in cxl_fixed_memory_window_config() - qemu-img create: 'cache' paramter only use for reg file image - qemu-img: add qemu-img direct create - qemu-img block: set zero flags only when discard_zeros of the block supported - Revert "file-posix: Remove unused s->discard_zeroes" - pcie_sriov: Validate NumVFs (CVE-2024-26327) - hw/nvme: Use pcie_sriov_num_vfs() (CVE-2024-26328) - hw/acpi/cpu: Use CPUState typedef - target/i386/sev: Fix missing ERRP_GUARD() for error_prepend() - virtio-gpu: remove needless condition - hw/i2c/smbus_slave: Add object path on error prints - vfio/pci: Ascend710 change to bar2 quirk - vfio/pci: Ascend910 need 4Bytes quirk in bar0 - vfio/pci: Ascend710 need 4Bytes quirk in bar0 - vfio/pci: Ascend310 need 4Bytes quirk in bar4 - chardev/char-socket: Fix TLS io channels sending too much data to the backend - i386/cpuid: Move leaf 7 to correct group - i386/cpuid: Decrease cpuid_i when skipping CPUID leaf 1F - i386/cpu: Mask with XCR0/XSS mask for FEAT_XSAVE_XCR0_HI and FEAT_XSAVE_XSS_HI leafs - i386/cpu: Clear FEAT_XSAVE_XSS_LO/HI leafs when CPUID_EXT_XSAVE is not available - blkio: Respect memory-alignment for bounce buffer allocations - virtio-gpu: Correct virgl_renderer_resource_get_info() error check - hw/usb: Style cleanup - tests/qemu-iotests: resolved the problem that the 108 test cases in the container fail Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com> (cherry picked from commit 404d45bf9147058a475a8031c454a6c8e0acc123) 2024-03-23 09:20:40 +08:00			`From 632ec38ed57b76baf3e499d1789aeea0f74df0a5 Mon Sep 17 00:00:00 2001`
			`From: Akihiko Odaki <akihiko.odaki@daynix.com>`
			`Date: Wed, 28 Feb 2024 20:33:13 +0900`
			`Subject: [PATCH] pcie_sriov: Validate NumVFs (CVE-2024-26327)`

			`The guest may write NumVFs greater than TotalVFs and that can lead`
			`to buffer overflow in VF implementations.`

			`Cc: qemu-stable@nongnu.org`
			`Fixes: CVE-2024-26327`
			`Fixes: 7c0fa8dff811 ("pcie: Add support for Single Root I/O Virtualization (SR/IOV)")`
			`Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>`
			`Message-Id: <20240228-reuse-v8-2-282660281e60@daynix.com>`
			`Reviewed-by: Michael S. Tsirkin <mst@redhat.com>`
			`Signed-off-by: Michael S. Tsirkin <mst@redhat.com>`
			`Reviewed-by: Sriram Yagnaraman <sriram.yagnaraman@ericsson.com>`
			`---`
			`hw/pci/pcie_sriov.c \| 3 +++`
			`1 file changed, 3 insertions(+)`

			`diff --git a/hw/pci/pcie_sriov.c b/hw/pci/pcie_sriov.c`
			`index a1fe65f5d8..da209b7f47 100644`
			`--- a/hw/pci/pcie_sriov.c`
			`+++ b/hw/pci/pcie_sriov.c`
			`@@ -176,6 +176,9 @@ static void register_vfs(PCIDevice *dev)`

			`assert(sriov_cap > 0);`
			`num_vfs = pci_get_word(dev->config + sriov_cap + PCI_SRIOV_NUM_VF);`
			`+ if (num_vfs > pci_get_word(dev->config + sriov_cap + PCI_SRIOV_TOTAL_VF)) {`
			`+ return;`
			`+ }`

			`dev->exp.sriov_pf.vf = g_new(PCIDevice *, num_vfs);`

			`--`
			`2.27.0`