Re: [OE-core][kirkstone][PATCH 1/1] qemu: fix CVE-2023-3019
I'm getting oe-selftest failures with this patch: https://errors.yoctoproject.org/Errors/Details/761408/ "Failed: qemux86 does not shutdown within timeout(120)"

Steve

On Fri, Mar 29, 2024 at 12:38 AM Urade, Yogita via lists.openembedded.org wrote:
>
> From: Yogita Urade
>
> A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.
>
> Fix indent issue in qemu.inc file
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2023-3019
>
> Signed-off-by: Yogita Urade
> ---
> meta/recipes-devtools/qemu/qemu.inc | 19 +-
> .../qemu/qemu/CVE-2023-3019-0001.patch| 135
> .../qemu/qemu/CVE-2023-3019-0002.patch| 610 ++
> .../qemu/qemu/CVE-2023-3019-0003.patch| 88 +++
> 4 files changed, 844 insertions(+), 8 deletions(-)
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0001.patch
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0002.patch
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0003.patch
>
> diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
> index ad6b310137..08ce72546d 100644
> --- a/meta/recipes-devtools/qemu/qemu.inc
> +++ b/meta/recipes-devtools/qemu/qemu.inc
> @@ -97,17 +97,20 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ > file://CVE-2023-3301.patch \ > file://CVE-2023-3255.patch \ > file://CVE-2023-2861.patch \ > - file://CVE-2020-14394.patch \ > - file://CVE-2023-3354.patch \ > - file://CVE-2023-3180.patch \ > - file://CVE-2021-3638.patch \ > - file://CVE-2023-1544.patch \ > - file://CVE-2023-5088.patch \ > - file://CVE-2024-24474.patch \ > - file://CVE-2023-6693.patch \ > + file://CVE-2020-14394.patch \ > + file://CVE-2023-3354.patch \ > + file://CVE-2023-3180.patch \ > + file://CVE-2021-3638.patch \ > + file://CVE-2023-1544.patch \ > + file://CVE-2023-5088.patch \ > + file://CVE-2024-24474.patch \ > + file://CVE-2023-6693.patch \ > > file://scsi-disk-allow-MODE-SELECT-block-desriptor-to-set-the-block-size.patch > \ > > file://scsi-disk-ensure-block-size-is-non-zero-and-changes-limited-to-bits-8-15.patch > \ > file://CVE-2023-42467.patch \ > + file://CVE-2023-3019-0001.patch \ > + file://CVE-2023-3019-0002.patch \ > + file://CVE-2023-3019-0003.patch \ > " > UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0001.patch > b/meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0001.patch > new file mode 100644 > index 00..c1ef645eaf > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0001.patch 
> @@ -0,0 +1,135 @@ > +From a2e1753b8054344f32cf94f31c6399a58794a380 Mon Sep 17 00:00:00 2001 > +From: Alexander Bulekov > +Date: Wed, 27 Mar 2024 09:41:44 + > +Subject: [PATCH] memory: prevent dma-reentracy issues > + > +Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA. > +This flag is set/checked prior to calling a device's MemoryRegion > +handlers, and set when device code initiates DMA. The purpose of this > +flag is to prevent two types of DMA-based reentrancy issues: > + > +1.) mmio -> dma -> mmio case > +2.) bh -> dma write -> mmio case > + > +These issues have led to problems such as stack-exhaustion and > +use-after-frees. > + > +Summary of the problem from Peter Maydell: > +https://lore.kernel.org/qemu-devel/cafeaca_23vc7he3iam-jva6w38lk4hjowae5kcknhprd5fp...@mail.gmail.com > + > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/62 > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/540 > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/541 > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/556 > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/557 > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/827 > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282 > +Resolves: CVE-2023-0330 > + > +Signed-off-by: Alexander Bulekov > +Reviewed-by: Thomas Huth > +Message-Id: <20230427211013.2994127-2-alx...@bu.edu> > +[thuth: Replace warn_report() with warn_report_once()] > +Signed-off-by: Thomas Huth > + > +CVE: CVE-2023-3019 > +Upstream-Status: Backport > [https://github.com/qemu/qemu/commit/a2e1753b8054344f32cf94f31c6399a58794a380] > + > +Signed-off-by: Yogita Urade > +--- > + include/exec/memory.h | 5 + > + include/hw/qdev-core.h | 7 +++ > + softmmu/memory.c | 16 > + 3 files changed, 28 insertions(+) > + > +diff --git a/include/exec/memory.h b/include/exec/memory.h > +index
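Review bot: the failure Steve reports ("qemux86 does not shutdown within timeout(120)") is the kind of regression the CVE-2023-3019-0001.patch hunk's own description predicts, so the series needs an oe-selftest pass on qemux86 before it is resent. The commit message in this hunk says the new DeviceState flag is checked before every MemoryRegion handler call and that handlers are skipped (with a warn_report_once()) when the device is already engaged in PIO/MMIO/DMA; any device model on the shutdown path that legitimately re-enters itself will therefore stop working, which matches a guest that never completes shutdown. Please state in the cover note which machines were boot-tested with all three patches applied, and check the QEMU log of the failing run for the once-only re-entrancy warning to confirm or rule out this cause.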
[OE-core][kirkstone][PATCH 1/1] qemu: fix CVE-2023-3019
From: Yogita Urade

A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.

Fix indent issue in qemu.inc file

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-3019

Signed-off-by: Yogita Urade
---
meta/recipes-devtools/qemu/qemu.inc | 19 +-
.../qemu/qemu/CVE-2023-3019-0001.patch| 135
.../qemu/qemu/CVE-2023-3019-0002.patch| 610 ++
.../qemu/qemu/CVE-2023-3019-0003.patch| 88 +++
4 files changed, 844 insertions(+), 8 deletions(-)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0001.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0002.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0003.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index ad6b310137..08ce72546d 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -97,17 +97,20 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2023-3301.patch \ file://CVE-2023-3255.patch \ file://CVE-2023-2861.patch \ - file://CVE-2020-14394.patch \ - file://CVE-2023-3354.patch \ - file://CVE-2023-3180.patch \ - file://CVE-2021-3638.patch \ - file://CVE-2023-1544.patch \ - file://CVE-2023-5088.patch \ - file://CVE-2024-24474.patch \ - file://CVE-2023-6693.patch \ + file://CVE-2020-14394.patch \ + file://CVE-2023-3354.patch \ + file://CVE-2023-3180.patch \ + file://CVE-2021-3638.patch \ + file://CVE-2023-1544.patch \ + file://CVE-2023-5088.patch \ + file://CVE-2024-24474.patch \ + file://CVE-2023-6693.patch \ file://scsi-disk-allow-MODE-SELECT-block-desriptor-to-set-the-block-size.patch \ file://scsi-disk-ensure-block-size-is-non-zero-and-changes-limited-to-bits-8-15.patch \ file://CVE-2023-42467.patch \ + file://CVE-2023-3019-0001.patch \ + file://CVE-2023-3019-0002.patch \ + file://CVE-2023-3019-0003.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0001.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0001.patch new file mode 100644 index 00..c1ef645eaf --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0001.patch 
@@ -0,0 +1,135 @@ +From a2e1753b8054344f32cf94f31c6399a58794a380 Mon Sep 17 00:00:00 2001 +From: Alexander Bulekov +Date: Wed, 27 Mar 2024 09:41:44 + +Subject: [PATCH] memory: prevent dma-reentracy issues + +Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA. +This flag is set/checked prior to calling a device's MemoryRegion +handlers, and set when device code initiates DMA. The purpose of this +flag is to prevent two types of DMA-based reentrancy issues: + +1.) mmio -> dma -> mmio case +2.) bh -> dma write -> mmio case + +These issues have led to problems such as stack-exhaustion and +use-after-frees. + +Summary of the problem from Peter Maydell: +https://lore.kernel.org/qemu-devel/cafeaca_23vc7he3iam-jva6w38lk4hjowae5kcknhprd5fp...@mail.gmail.com + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/62 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/540 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/541 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/556 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/557 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/827 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282 +Resolves: CVE-2023-0330 + +Signed-off-by: Alexander Bulekov +Reviewed-by: Thomas Huth +Message-Id: <20230427211013.2994127-2-alx...@bu.edu> +[thuth: Replace warn_report() with warn_report_once()] +Signed-off-by: Thomas Huth + +CVE: CVE-2023-3019 +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/a2e1753b8054344f32cf94f31c6399a58794a380] + +Signed-off-by: Yogita Urade +--- + include/exec/memory.h | 5 + + include/hw/qdev-core.h | 7 +++ + softmmu/memory.c | 16 + 3 files changed, 28 insertions(+) + +diff --git a/include/exec/memory.h b/include/exec/memory.h +index 20f1b2737..e089f90f9 100644 +--- a/include/exec/memory.h b/include/exec/memory.h +@@ -734,6 +734,8 @@ struct MemoryRegion { + bool is_iommu; + RAMBlock *ram_block; + Object *owner; ++/* owner as TYPE_DEVICE. 
Used for re-entrancy checks in MR access hotpath */ ++DeviceState *dev; + + const MemoryRegionOps *ops; + void *opaque; +@@ -757,6 +759,9 @@ struct MemoryRegion { + unsigned ioeventfd_nb; + MemoryRegionIoeventfd *ioeventfds; +
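Review bot: the qemu.inc hunk re-indents eight existing SRC_URI entries (the -/+ pairs from file://CVE-2020-14394.patch through file://CVE-2023-6693.patch) as whitespace-only changes in the same hunk that adds the three file://CVE-2023-3019-000N.patch lines. Keep the CVE backport to the three added lines and put the indentation cleanup in a separate commit: the whitespace difference is invisible in the mail rendering, it inflates the diffstat of a security fix, and it makes the fix harder to cherry-pick onto other branches.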
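Review bot: in the CVE-2023-3019-0001.patch hunk the backport header's "CVE: CVE-2023-3019" names a single CVE, while the upstream commit message carried in the same hunk says "Resolves: CVE-2023-0330". If this backport also closes CVE-2023-0330 for kirkstone, list both identifiers in the CVE: tag so cve-check records them; if it does not, say so in the commit message. The "Date: Wed, 27 Mar 2024" line also disagrees with the Message-Id (<20230427211013.2994127-2-alx...@bu.edu>, April 2023), so the author date was regenerated when the patch was reformatted; keep the upstream author date so the header matches the commit named in Upstream-Status.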
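The re-entrancy pattern the backported commit describes (mmio -> dma -> mmio, with the nested handler freeing state the outer handler still uses) is easier to see on a toy model than in the e1000e code. The following is an added example written for this page, not QEMU, e1000e or OE-core code: a constructed device with three registers, where a guest-controlled DMA destination inside the device's own MMIO window lets a KICK write re-enter the handler through RESET. A boolean stands in for the heap buffer that the real bug frees, so the "use after free" is recorded as a counter instead of crashing. The `engaged_in_io` flag and the check in the dispatch wrapper follow the mechanism the commit message describes (flag set before calling the handler, nested access refused); the register layout, names and the toy address space are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy device model, constructed for this example (not QEMU or e1000e code).
 * A guest write to REG_KICK makes the device DMA a completion word to a
 * guest-chosen address.  If that address falls inside the device's own MMIO
 * window, the DMA re-enters the MMIO handler: the mmio -> dma -> mmio case. */

#define MMIO_BASE  0x1000u
#define MMIO_SIZE  0x10u
#define REG_KICK   0x0u   /* start a request */
#define REG_RESET  0x4u   /* drop the in-flight request buffer */
#define REG_DMA    0x8u   /* DMA destination for the completion word */
#define RAM_SIZE   0x100u /* toy guest RAM */

typedef struct ToyDevice {
    bool engaged_in_io;        /* re-entrancy flag on the device, as in the fix */
    bool guard_enabled;        /* false reproduces the pre-fix behaviour */
    bool buf_valid;            /* stands in for a heap buffer owned by a request */
    uint32_t dma_target;       /* guest-controlled DMA address */
    int rejected;              /* accesses refused by the guard */
    int use_after_invalidate;  /* outer handler touched a buffer the nested one dropped */
    uint8_t ram[RAM_SIZE];
} ToyDevice;

static void mmio_write(ToyDevice *d, uint32_t off, uint32_t val);

/* Address-space write used by DMA: routes to RAM or to the device's MMIO window. */
static void as_write(ToyDevice *d, uint32_t addr, uint32_t val)
{
    if (addr >= MMIO_BASE && addr < MMIO_BASE + MMIO_SIZE) {
        mmio_write(d, addr - MMIO_BASE, val);
    } else if (addr + sizeof val <= RAM_SIZE) {
        memcpy(d->ram + addr, &val, sizeof val);
    }
}

/* Register handler, written the way the vulnerable code was: it DMAs while
 * holding a reference to the request buffer and uses the buffer afterwards. */
static void mmio_write_impl(ToyDevice *d, uint32_t off, uint32_t val)
{
    switch (off) {
    case REG_KICK:
        d->buf_valid = true;              /* "allocate" the request buffer */
        as_write(d, d->dma_target, 1);    /* device-initiated DMA */
        if (!d->buf_valid) {              /* in real code this is the use-after-free */
            d->use_after_invalidate++;
        }
        d->buf_valid = false;             /* "free" it */
        break;
    case REG_RESET:
        d->buf_valid = false;             /* frees the in-flight buffer */
        break;
    case REG_DMA:
        d->dma_target = val;
        break;
    default:
        break;
    }
}

/* Access path: sets and checks the flag before the handler runs, as the memory
 * core does after the fix.  A nested access is refused instead of dispatched. */
static void mmio_write(ToyDevice *d, uint32_t off, uint32_t val)
{
    if (d->guard_enabled && d->engaged_in_io) {
        d->rejected++;                    /* real code warns once and skips the handler */
        return;
    }
    bool was_engaged = d->engaged_in_io;
    d->engaged_in_io = true;
    mmio_write_impl(d, off, val);
    d->engaged_in_io = was_engaged;
}

/* Guest sequence: aim the DMA at our own RESET register, then kick the device. */
static ToyDevice run_scenario(bool guard)
{
    ToyDevice d;
    memset(&d, 0, sizeof d);
    d.guard_enabled = guard;
    mmio_write(&d, REG_DMA, MMIO_BASE + REG_RESET);
    mmio_write(&d, REG_KICK, 0);
    return d;
}

int toy_use_after_invalidate(bool guard) { return run_scenario(guard).use_after_invalidate; }
int toy_rejected(bool guard)             { return run_scenario(guard).rejected; }

int main(void)
{
    printf("unguarded: use-after-invalidate=%d rejected=%d\n",
           toy_use_after_invalidate(false), toy_rejected(false));
    printf("guarded:   use-after-invalidate=%d rejected=%d\n",
           toy_use_after_invalidate(true), toy_rejected(true));
    return 0;
}
```

Without the guard the nested RESET runs inside KICK and the outer handler continues with an invalidated buffer; with the guard the nested access is counted as rejected and the outer handler completes on intact state. The same flag also covers the second case in the commit message (a bottom half doing a DMA write that lands on MMIO), which is why the fix sets it when device code initiates DMA rather than only in the MMIO dispatch path.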