Re: [OE-core][kirkstone][PATCH 1/1] qemu: fix CVE-2023-3019

2024-04-02 Thread Steve Sakoman
I'm getting oe-selftest failures with this patch:

https://errors.yoctoproject.org/Errors/Details/761408/

"Failed: qemux86 does not shutdown within timeout(120)"

Steve

On Fri, Mar 29, 2024 at 12:38 AM Urade, Yogita via lists.openembedded.org wrote:
>
> From: Yogita Urade 
>
> A DMA reentrancy issue leading to a use-after-free error was
> found in the e1000e NIC emulation code in QEMU. This issue
> could allow a privileged guest user to crash the QEMU process
> on the host, resulting in a denial of service.
>
> Fix indent issue in qemu.inc file
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2023-3019
>
> Signed-off-by: Yogita Urade 
> ---
>  meta/recipes-devtools/qemu/qemu.inc   |  19 +-
>  .../qemu/qemu/CVE-2023-3019-0001.patch| 135 
>  .../qemu/qemu/CVE-2023-3019-0002.patch| 610 ++
>  .../qemu/qemu/CVE-2023-3019-0003.patch|  88 +++
>  4 files changed, 844 insertions(+), 8 deletions(-)
>  create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0001.patch
>  create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0002.patch
>  create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0003.patch
>
> diff --git a/meta/recipes-devtools/qemu/qemu.inc 
> b/meta/recipes-devtools/qemu/qemu.inc
> index ad6b310137..08ce72546d 100644
> --- a/meta/recipes-devtools/qemu/qemu.inc
> +++ b/meta/recipes-devtools/qemu/qemu.inc
> @@ -97,17 +97,20 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
> file://CVE-2023-3301.patch \
> file://CVE-2023-3255.patch \
> file://CVE-2023-2861.patch \
> -  file://CVE-2020-14394.patch \
> -  file://CVE-2023-3354.patch \
> -  file://CVE-2023-3180.patch \
> -  file://CVE-2021-3638.patch \
> -  file://CVE-2023-1544.patch \
> -  file://CVE-2023-5088.patch \
> -  file://CVE-2024-24474.patch \
> -  file://CVE-2023-6693.patch \
> +   file://CVE-2020-14394.patch \
> +   file://CVE-2023-3354.patch \
> +   file://CVE-2023-3180.patch \
> +   file://CVE-2021-3638.patch \
> +   file://CVE-2023-1544.patch \
> +   file://CVE-2023-5088.patch \
> +   file://CVE-2024-24474.patch \
> +   file://CVE-2023-6693.patch \
> 
> file://scsi-disk-allow-MODE-SELECT-block-desriptor-to-set-the-block-size.patch
>  \
> 
> file://scsi-disk-ensure-block-size-is-non-zero-and-changes-limited-to-bits-8-15.patch
>  \
> file://CVE-2023-42467.patch \
> +   file://CVE-2023-3019-0001.patch \
> +   file://CVE-2023-3019-0002.patch \
> +   file://CVE-2023-3019-0003.patch \
> "
>  UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
>
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0001.patch 
> b/meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0001.patch
> new file mode 100644
> index 00..c1ef645eaf
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0001.patch
> @@ -0,0 +1,135 @@
> +From a2e1753b8054344f32cf94f31c6399a58794a380 Mon Sep 17 00:00:00 2001
> +From: Alexander Bulekov 
> +Date: Wed, 27 Mar 2024 09:41:44 +
> +Subject: [PATCH] memory: prevent dma-reentracy issues
> +
> +Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA.
> +This flag is set/checked prior to calling a device's MemoryRegion
> +handlers, and set when device code initiates DMA.  The purpose of this
> +flag is to prevent two types of DMA-based reentrancy issues:
> +
> +1.) mmio -> dma -> mmio case
> +2.) bh -> dma write -> mmio case
> +
> +These issues have led to problems such as stack-exhaustion and
> +use-after-frees.
> +
> +Summary of the problem from Peter Maydell:
> +https://lore.kernel.org/qemu-devel/cafeaca_23vc7he3iam-jva6w38lk4hjowae5kcknhprd5fp...@mail.gmail.com
> +
> +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/62
> +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/540
> +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/541
> +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/556
> +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/557
> +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/827
> +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282
> +Resolves: CVE-2023-0330
> +
> +Signed-off-by: Alexander Bulekov 
> +Reviewed-by: Thomas Huth 
> +Message-Id: <20230427211013.2994127-2-alx...@bu.edu>
> +[thuth: Replace warn_report() with warn_report_once()]
> +Signed-off-by: Thomas Huth 
> +
> +CVE: CVE-2023-3019
> +Upstream-Status: Backport 
> [https://github.com/qemu/qemu/commit/a2e1753b8054344f32cf94f31c6399a58794a380]
> +
> +Signed-off-by: Yogita Urade 
> +---
> + include/exec/memory.h  |  5 +
> + include/hw/qdev-core.h |  7 +++
> + softmmu/memory.c   | 16 
> + 3 files changed, 28 insertions(+)
> +
> +diff --git a/include/exec/memory.h b/include/exec/memory.h
> +index 

[OE-core][kirkstone][PATCH 1/1] qemu: fix CVE-2023-3019

2024-03-29 Thread Urade, Yogita via lists.openembedded.org
From: Yogita Urade 

A DMA reentrancy issue leading to a use-after-free error was
found in the e1000e NIC emulation code in QEMU. This issue
could allow a privileged guest user to crash the QEMU process
on the host, resulting in a denial of service.

Fix indent issue in qemu.inc file

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-3019

Signed-off-by: Yogita Urade 
---
 meta/recipes-devtools/qemu/qemu.inc   |  19 +-
 .../qemu/qemu/CVE-2023-3019-0001.patch| 135 
 .../qemu/qemu/CVE-2023-3019-0002.patch| 610 ++
 .../qemu/qemu/CVE-2023-3019-0003.patch|  88 +++
 4 files changed, 844 insertions(+), 8 deletions(-)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0001.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0002.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0003.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index ad6b310137..08ce72546d 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -97,17 +97,20 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2023-3301.patch \
file://CVE-2023-3255.patch \
file://CVE-2023-2861.patch \
-  file://CVE-2020-14394.patch \
-  file://CVE-2023-3354.patch \
-  file://CVE-2023-3180.patch \
-  file://CVE-2021-3638.patch \
-  file://CVE-2023-1544.patch \
-  file://CVE-2023-5088.patch \
-  file://CVE-2024-24474.patch \
-  file://CVE-2023-6693.patch \
+   file://CVE-2020-14394.patch \
+   file://CVE-2023-3354.patch \
+   file://CVE-2023-3180.patch \
+   file://CVE-2021-3638.patch \
+   file://CVE-2023-1544.patch \
+   file://CVE-2023-5088.patch \
+   file://CVE-2024-24474.patch \
+   file://CVE-2023-6693.patch \

file://scsi-disk-allow-MODE-SELECT-block-desriptor-to-set-the-block-size.patch \

file://scsi-disk-ensure-block-size-is-non-zero-and-changes-limited-to-bits-8-15.patch
 \
file://CVE-2023-42467.patch \
+   file://CVE-2023-3019-0001.patch \
+   file://CVE-2023-3019-0002.patch \
+   file://CVE-2023-3019-0003.patch \
"
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
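Review bot: this hunk mixes a whitespace-only reindent of eight existing `file://CVE-*.patch` entries with the actual CVE-2023-3019 additions; please split the indent fix into its own commit (or drop it from this series) so the security change stays reviewable and cherry-pickable on its own, and so a later bisect does not land on a mixed commit. The two long scsi-disk `file://` entries also show their trailing ` \` pushed onto a separate line, which looks like mail-client wrapping; if the patch file really contains those breaks, `git am` will leave SRC_URI with a broken continuation, so please verify the patch applies cleanly (or resend with `git send-email`) before it is queued.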
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0001.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0001.patch
new file mode 100644
index 00..c1ef645eaf
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0001.patch
@@ -0,0 +1,135 @@
+From a2e1753b8054344f32cf94f31c6399a58794a380 Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov 
+Date: Wed, 27 Mar 2024 09:41:44 +
+Subject: [PATCH] memory: prevent dma-reentracy issues
+
+Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA.
+This flag is set/checked prior to calling a device's MemoryRegion
+handlers, and set when device code initiates DMA.  The purpose of this
+flag is to prevent two types of DMA-based reentrancy issues:
+
+1.) mmio -> dma -> mmio case
+2.) bh -> dma write -> mmio case
+
+These issues have led to problems such as stack-exhaustion and
+use-after-frees.
+
+Summary of the problem from Peter Maydell:
+https://lore.kernel.org/qemu-devel/cafeaca_23vc7he3iam-jva6w38lk4hjowae5kcknhprd5fp...@mail.gmail.com
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/62
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/540
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/541
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/556
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/557
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/827
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282
+Resolves: CVE-2023-0330
+
+Signed-off-by: Alexander Bulekov 
+Reviewed-by: Thomas Huth 
+Message-Id: <20230427211013.2994127-2-alx...@bu.edu>
+[thuth: Replace warn_report() with warn_report_once()]
+Signed-off-by: Thomas Huth 
+
+CVE: CVE-2023-3019
+Upstream-Status: Backport 
[https://github.com/qemu/qemu/commit/a2e1753b8054344f32cf94f31c6399a58794a380]
+
+Signed-off-by: Yogita Urade 
+---
+ include/exec/memory.h  |  5 +
+ include/hw/qdev-core.h |  7 +++
+ softmmu/memory.c   | 16 
+ 3 files changed, 28 insertions(+)
+
+diff --git a/include/exec/memory.h b/include/exec/memory.h
+index 20f1b2737..e089f90f9 100644
+--- a/include/exec/memory.h
 b/include/exec/memory.h
+@@ -734,6 +734,8 @@ struct MemoryRegion {
+ bool is_iommu;
+ RAMBlock *ram_block;
+ Object *owner;
++/* owner as TYPE_DEVICE. Used for re-entrancy checks in MR access hotpath 
*/
++DeviceState *dev;
+
+ const MemoryRegionOps *ops;
+ void *opaque;
+@@ -757,6 +759,9 @@ struct MemoryRegion {
+ unsigned ioeventfd_nb;
+ MemoryRegionIoeventfd *ioeventfds;
+
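Review bot: the backported header is internally inconsistent: `Date:` reads 27 Mar 2024 with the timezone cut off, while the Message-Id (20230427...) and the upstream commit a2e1753b8054 place the change in April 2023, so the Date line appears to be the backport date rather than the upstream author date; keep the Date as `git format-patch` emits it from the upstream commit. The `Upstream-Status: Backport [...]` URL is wrapped onto the following line, which patch checkers will reject; keep tag and URL on one line. The upstream message also lists `Resolves: CVE-2023-0330`, but the `CVE:` tag names only CVE-2023-3019; if this guard is what closes CVE-2023-0330 in this tree as well, list both CVEs in the tag so cve-check records them. Finally, since this patch adds a DeviceState flag that is checked in the MemoryRegion access hotpath and rejects reentrant accesses with warn_report_once(), and Steve reports that qemux86 no longer shuts down within the 120 s oe-selftest timeout with this series, it is worth checking the QEMU log from the failing run for that warning: a legitimate reentrant access during shutdown being refused would explain the hang.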