From patchwork Wed Aug 10 14:11:56 2022
X-Patchwork-Submitter: Sakib Sajal
X-Patchwork-Id: 11236
From: Sakib Sajal
To: openembedded-core@lists.openembedded.org
Subject: [kirkstone][PATCH 2/5] qemu: fix CVE-2021-3929
Date: Wed, 10 Aug 2022 10:11:56 -0400
Message-Id: <20220810141159.21182-2-sakib.sajal@windriver.com>
In-Reply-To: <20220810141159.21182-1-sakib.sajal@windriver.com>
References: <20220810141159.21182-1-sakib.sajal@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/169192

Backport patch to fix CVE-2021-3929.

Signed-off-by: Sakib Sajal
---
 meta/recipes-devtools/qemu/qemu.inc | 1 +
 .../qemu/qemu/CVE-2021-3929.patch | 70 +++++++++++++++++++
 2 files changed, 71 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index dd30313fdd..53bad5c453 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -38,6 +38,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2022-35414.patch \ file://CVE-2021-3507_1.patch \ file://CVE-2021-3507_2.patch \ + file://CVE-2021-3929.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch new file mode 100644 index 0000000000..7555e5bc40 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch 
@@ -0,0 +1,70 @@ +From 12daeafc9868c1ebe482d580494f9e6d3d5c260f Mon Sep 17 00:00:00 2001 +From: Klaus Jensen +Date: Fri, 17 Dec 2021 10:44:01 +0100 +Subject: [PATCH] hw/nvme: fix CVE-2021-3929 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This fixes CVE-2021-3929 "locally" by denying DMA to the iomem of the +device itself. This still allows DMA to MMIO regions of other devices +(e.g. doing P2P DMA to the controller memory buffer of another NVMe +device). + +Fixes: CVE-2021-3929 +Reported-by: Qiuhao Li +Reviewed-by: Keith Busch +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Klaus Jensen + +Upstream-Status: Backport [736b01642d85be832385063f278fe7cd4ffb5221] +CVE: CVE-2021-3929 + +Signed-off-by: Sakib Sajal +--- + hw/nvme/ctrl.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c +index 5f573c417..eda52c6ac 100644 +--- a/hw/nvme/ctrl.c ++++ b/hw/nvme/ctrl.c +@@ -357,6 +357,24 @@ static inline void *nvme_addr_to_pmr(NvmeCtrl *n, hwaddr addr) + return memory_region_get_ram_ptr(&n->pmr.dev->mr) + (addr - n->pmr.cba); + } + ++static inline bool nvme_addr_is_iomem(NvmeCtrl *n, hwaddr addr) ++{ ++ hwaddr hi, lo; ++ ++ /* ++ * The purpose of this check is to guard against invalid "local" access to ++ * the iomem (i.e. controller registers). Thus, we check against the range ++ * covered by the 'bar0' MemoryRegion since that is currently composed of ++ * two subregions (the NVMe "MBAR" and the MSI-X table/pba). Note, however, ++ * that if the device model is ever changed to allow the CMB to be located ++ * in BAR0 as well, then this must be changed. 
++ */ ++ lo = n->bar0.addr; ++ hi = lo + int128_get64(n->bar0.size); ++ ++ return addr >= lo && addr < hi; ++} ++ + static int nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size) + { + hwaddr hi = addr + size - 1; +@@ -614,6 +632,10 @@ static uint16_t nvme_map_addr(NvmeCtrl *n, NvmeSg *sg, hwaddr addr, size_t len) + + trace_pci_nvme_map_addr(addr, len); + ++ if (nvme_addr_is_iomem(n, addr)) { ++ return NVME_DATA_TRAS_ERROR; ++ } ++ + if (nvme_addr_is_cmb(n, addr)) { + cmb = true; + } else if (nvme_addr_is_pmr(n, addr)) { +-- +2.33.0 +
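Review bot: The header of the new CVE-2021-3929.patch file names two different commit ids, "From 12daeafc9868c1ebe482d580494f9e6d3d5c260f" and "Upstream-Status: Backport [736b01642d85be832385063f278fe7cd4ffb5221]", without saying which tree each belongs to. Put the URL of the upstream QEMU commit in the Upstream-Status tag so the backport can be compared against it, and say in the outer commit message (currently only "Backport patch to fix CVE-2021-3929.") whether the patch applied unchanged to the QEMU version in kirkstone or needed adjustment.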
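Review bot: In the hw/nvme/ctrl.c hunk at -357, nvme_addr_is_iomem() takes no length and tests only the first byte ("return addr >= lo && addr < hi;"), while its caller nvme_map_addr() has len in scope, so a mapping that starts just below n->bar0.addr and extends into the BAR0 range is not rejected by this helper. Either pass the length and reject any overlap with [lo, hi), or note in the comment why a start-address check is sufficient for every caller. The comment also says the check must change if the CMB is ever placed in BAR0, but nothing in the code ties the two together; an assertion at the place where the CMB BAR is chosen would keep that assumption from silently breaking.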
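Review bot: In the hw/nvme/ctrl.c hunk at -614, the guard is added only to nvme_map_addr(); nvme_addr_read(), visible as unchanged context in the previous hunk, also takes a guest-supplied hwaddr and gets no equivalent check in this patch. Please confirm, ideally in the patch description, that every path that turns a guest address into a DMA target goes through nvme_map_addr(), or add the same nvme_addr_is_iomem() test to the direct read path. The upstream message itself describes this as a "local" fix that still allows DMA to the MMIO regions of other devices, so the recipe's CVE tag should be read as covering self-referential DMA on this controller only.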