diff options
| author |   Sakib Sajal <sakib.sajal@windriver.com> | 2021-08-10 23:08:47 -0400 |
|---|---|---|
| committer |   Anuj Mittal <anuj.mittal@intel.com> | 2021-08-11 16:39:03 +0800 |
| commit | 764bca67650da9df439527796879dda767c8c008 (patch) | |
| tree | 1f4aec3890c058794a90b0c3b197005425d360ef | |
| parent | fb2634922db91e5b877dd10021dafec7b5c6e565 (diff) | |
| download | openembedded-core-contrib-764bca67650da9df439527796879dda767c8c008.tar.gz | |
qemu: fix CVE-2021-3607
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch | 43 |
2 files changed, 44 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 3cef5a2d7e..0849196650 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -67,6 +67,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3527-1.patch \ file://CVE-2021-3527-2.patch \ file://CVE-2021-3582.patch \ + file://CVE-2021-3607.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch new file mode 100644 index 0000000000..0547c74484 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch @@ -0,0 +1,43 @@ +From 32e5703cfea07c91e6e84bcb0313f633bb146534 Mon Sep 17 00:00:00 2001 +From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com> +Date: Wed, 30 Jun 2021 14:46:34 +0300 +Subject: [PATCH] pvrdma: Ensure correct input on ring init (CVE-2021-3607) + +Check the guest passed a non zero page count +for pvrdma device ring buffers. + +Fixes: CVE-2021-3607 +Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com> +Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com> +Signed-off-by: Marcel Apfelbaum <marcel@redhat.com> +Message-Id: <20210630114634.2168872-1-marcel@redhat.com> +Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com> +Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com> +Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com> + +CVE: CVE-2021-3607 +Upstream-Status: Backport [32e5703cfea07c91e6e84bcb0313f633bb146534] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/rdma/vmw/pvrdma_main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c +index 84ae8024fc..7c0c3551a8 100644 +--- a/hw/rdma/vmw/pvrdma_main.c ++++ b/hw/rdma/vmw/pvrdma_main.c +@@ -92,6 +92,11 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state, + uint64_t *dir, *tbl; + int rc = 0; + ++ if (!num_pages) { ++ rdma_error_report("Ring pages count must be strictly positive"); ++ return -EINVAL; ++ } ++ + dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE); + if (!dir) { + rdma_error_report("Failed to map to page directory (ring %s)", name); +-- +2.25.1 + |