qemu 6.2.0: Fix CVE-2023-1544

Upstream Repository: https://gitlab.com/qemu-project/qemu.git Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2023-1544 Type: Security Fix CVE: CVE-2023-1544 Score: 6.3 Patch: https://gitlab.com/qemu-project/qemu/-/commit/85fc35afa93c (From OE-Core rev: d019fcc99c542d49be6e1615a5c75f88f8ff5a52) Signed-off-by: Niranjan Pradhan <nirpradh@cisco.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-04-20 00:32:13 +02:00 · 2023-11-16 21:20:00 -08:00
parent f9527fb2ac
commit 24646e55b2
2 changed files with 71 additions and 0 deletions
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -101,6 +101,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 	   file://CVE-2023-3354.patch \
 	   file://CVE-2023-3180.patch \
 	   file://CVE-2021-3638.patch \
+	   file://CVE-2023-1544.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"

--- a/meta/recipes-devtools/qemu/qemu/CVE-2023-1544.patch
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-1544.patch
@@ -0,0 +1,70 @@
+From e7d6e37675e422cfab2fe8c6bd411d2097228760 Mon Sep 17 00:00:00 2001
+From: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Date: Wed, 1 Mar 2023 16:29:26 +0200
+Subject: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver
+
+Guest driver allocates and initialize page tables to be used as a ring
+of descriptors for CQ and async events.
+The page table that represents the ring, along with the number of pages
+in the page table is passed to the device.
+Currently our device supports only one page table for a ring.
+
+Let's make sure that the number of page table entries the driver
+reports, do not exceeds the one page table size.
+
+CVE: CVE-2023-1544
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/85fc35afa93c]
+
+Reported-by: Soul Chen <soulchen8650@gmail.com>
+Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Fixes: CVE-2023-1544
+Message-ID: <20230301142926.18686-1-yuval.shaia.ml@gmail.com>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+(cherry picked from commit 85fc35afa93c7320d1641d344d0c5dfbe341d087)
+Signed-off-by: Niranjan Pradhan <nirpradh@cisco.com>
+---
+ hw/rdma/vmw/pvrdma_main.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
+index 4fc6712025..55b338046e 100644
+--- a/hw/rdma/vmw/pvrdma_main.c
+++ b/hw/rdma/vmw/pvrdma_main.c
+@@ -91,19 +91,33 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state,
+                          dma_addr_t dir_addr, uint32_t num_pages)
+ {
+     uint64_t *dir, *tbl;
+-    int rc = 0;
+    int max_pages, rc = 0;
+ 
+     if (!num_pages) {
+         rdma_error_report("Ring pages count must be strictly positive");
+         return -EINVAL;
+     }
+ 
+    /*
+     * Make sure we can satisfy the requested number of pages in a single
+     * TARGET_PAGE_SIZE sized page table (taking into account that first entry
+     * is reserved for ring-state)
+     */
+    max_pages = TARGET_PAGE_SIZE / sizeof(dma_addr_t) - 1;
+    if (num_pages > max_pages) {
+        rdma_error_report("Maximum pages on a single directory must not exceed %d\n",
+                          max_pages);
+        return -EINVAL;
+    }
+
+     dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE);
+     if (!dir) {
+         rdma_error_report("Failed to map to page directory (ring %s)", name);
+         rc = -ENOMEM;
+         goto out;
+     }
+
+    /* We support only one page table for a ring */
+     tbl = rdma_pci_dma_map(pci_dev, dir[0], TARGET_PAGE_SIZE);
+     if (!tbl) {
+         rdma_error_report("Failed to map to page table (ring %s)", name);
+-- 
+2.35.6
+