packages/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

hw/nvme: fix CVE-2021-3929 (openeuler !313)

Browse Source 
Signed-off-by: yezengruan <yezengruan@huawei.com>
This commit is contained in:
yezengruan 2022-06-22 10:38:05 +08:00
parent 0bac9fa8ce
commit 36eaeb0b27
2 changed files with 70 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
hw-nvme-fix-CVE-2021-3929.patch Normal file
View File

@ -0,0 +1,65 @@
From 4f45d3a6a7c7803d31705e58f0e6356024998ef8 Mon Sep 17 00:00:00 2001
From: Klaus Jensen <k.jensen@samsung.com>
Date: Fri, 17 Dec 2021 10:44:01 +0100
Subject: [PATCH] hw/nvme: fix CVE-2021-3929
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This fixes CVE-2021-3929 "locally" by denying DMA to the iomem of the
device itself. This still allows DMA to MMIO regions of other devices
(e.g. doing P2P DMA to the controller memory buffer of another NVMe
device).
Fixes: CVE-2021-3929
Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
---
hw/nvme/ctrl.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
index 462f79a1f6..40fbda3b03 100644
--- a/hw/nvme/ctrl.c
+++ b/hw/nvme/ctrl.c
@@ -357,6 +357,24 @@ static inline void *nvme_addr_to_pmr(NvmeCtrl *n, hwaddr addr)
return memory_region_get_ram_ptr(&n->pmr.dev->mr) + (addr - n->pmr.cba);
}
+static inline bool nvme_addr_is_iomem(NvmeCtrl *n, hwaddr addr)
+{
+ hwaddr hi, lo;
+
+ /*
+ * The purpose of this check is to guard against invalid "local" access to
+ * the iomem (i.e. controller registers). Thus, we check against the range
+ * covered by the 'bar0' MemoryRegion since that is currently composed of
+ * two subregions (the NVMe "MBAR" and the MSI-X table/pba). Note, however,
+ * that if the device model is ever changed to allow the CMB to be located
+ * in BAR0 as well, then this must be changed.
+ */
+ lo = n->bar0.addr;
+ hi = lo + int128_get64(n->bar0.size);
+
+ return addr >= lo && addr < hi;
+}
+
static int nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size)
{
hwaddr hi = addr + size - 1;
@@ -614,6 +632,10 @@ static uint16_t nvme_map_addr(NvmeCtrl *n, NvmeSg *sg, hwaddr addr, size_t len)
trace_pci_nvme_map_addr(addr, len);
+ if (nvme_addr_is_iomem(n, addr)) {
+ return NVME_DATA_TRAS_ERROR;
+ }
+
if (nvme_addr_is_cmb(n, addr)) {
cmb = true;
} else if (nvme_addr_is_pmr(n, addr)) {
--
2.27.0

6
qemu.spec
View File

@ -1,6 +1,6 @@
Name: qemu Name: qemu
Version: 6.2.0 Version: 6.2.0
Release: 40 Release: 41
Epoch: 2 Epoch: 2
Summary: QEMU is a generic and open source machine emulator and virtualizer Summary: QEMU is a generic and open source machine emulator and virtualizer
License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@ -279,6 +279,7 @@ Patch0265: pci-Let-ld-_pci_dma-propagate-MemTxResult.patch
Patch0266: hw-audio-intel-hda-Do-not-ignore-DMA-overrun-errors.patch Patch0266: hw-audio-intel-hda-Do-not-ignore-DMA-overrun-errors.patch
Patch0267: hw-audio-intel-hda-Restrict-DMA-engine-to-memories-n.patch Patch0267: hw-audio-intel-hda-Restrict-DMA-engine-to-memories-n.patch
Patch0268: tests-qtest-intel-hda-test-Add-reproducer-for-issue-.patch Patch0268: tests-qtest-intel-hda-test-Add-reproducer-for-issue-.patch
Patch0269: hw-nvme-fix-CVE-2021-3929.patch
BuildRequires: flex BuildRequires: flex
BuildRequires: gcc BuildRequires: gcc
@ -781,6 +782,9 @@ getent passwd qemu >/dev/null || \
%endif %endif
%changelog %changelog
* Wed Jun 22 2022 yezengruan <yezengruan@huawei.com> - 2:6.2.0-41
- hw/nvme: fix CVE-2021-3929
* Mon Jun 20 2022 zhangziyang <zhangziyang1@huawei.com> - 2:6.2.0-40 * Mon Jun 20 2022 zhangziyang <zhangziyang1@huawei.com> - 2:6.2.0-40
- add qemu-system-riscv rpm package build - add qemu-system-riscv rpm package build