mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-06-02 13:29:49 +00:00
Code Issues Projects Releases Wiki Activity

qemu: fix CVE-2021-3582

Browse Source 
Source: http://git.yoctoproject.org/cgit/poky.git
MR: 112743
Type: Security Fix
Disposition: Backport from http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/meta/recipes-devtools/qemu?h=hardknott&id=e11384737ed489ea02800d545432b9ded82bf1bb
ChangeID: a2ff7112354349e8cf8960f30499f61e545d7f8e
Description:

(From OE-Core rev: fb2634922db91e5b877dd10021dafec7b5c6e565)

(From OE-Core rev: 942d936524d3948d74c7240038ce81d859f68cab)

Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e11384737e)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Sakib Sajal
2021-08-24 11:18:29 -07:00
committed by Richard Purdie
parent d56b8f6f76
commit f63635a30d
2 changed files with 48 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-devtools/qemu/qemu.inc
+1
View File
@@ -81,6 +81,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3546.patch \
file://CVE-2021-3527-1.patch \
file://CVE-2021-3527-2.patch \
file://CVE-2021-3582.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
meta/recipes-devtools/qemu/qemu/CVE-2021-3582.patch
+47
View File
@@ -0,0 +1,47 @@
From 284f191b4abad213aed04cb0458e1600fd18d7c4 Mon Sep 17 00:00:00 2001
From: Marcel Apfelbaum <marcel@redhat.com>
Date: Wed, 16 Jun 2021 14:06:00 +0300
Subject: [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device
(CVE-2021-3582)
Ensure mremap boundaries not trusting the guest kernel to
pass the correct buffer length.
Fixes: CVE-2021-3582
Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com>
Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
CVE: CVE-2021-3582
Upstream-Status: Backport [284f191b4abad213aed04cb0458e1600fd18d7c4]
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
hw/rdma/vmw/pvrdma_cmd.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index f59879e257..da7ddfa548 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -38,6 +38,13 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma,
return NULL;
}
+ length = ROUND_UP(length, TARGET_PAGE_SIZE);
+ if (nchunks * TARGET_PAGE_SIZE != length) {
+ rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks,
+ (unsigned long)length);
+ return NULL;
+ }
+
dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
if (!dir) {
rdma_error_report("Failed to map to page directory");
--
2.25.1