diff -Nru qemu-8.0.4+dfsg/debian/changelog qemu-8.0.4+dfsg/debian/changelog --- qemu-8.0.4+dfsg/debian/changelog 2023-10-30 20:16:32.000000000 +0000 +++ qemu-8.0.4+dfsg/debian/changelog 2023-11-30 13:22:57.000000000 +0000 @@ -1,3 +1,28 @@ +qemu (1:8.0.4+dfsg-1ubuntu3.23.10.2) mantic-security; urgency=medium + + * SECURITY UPDATE: OOB read in RDMA device + - debian/patches/CVE-2023-1544.patch: protect against buggy or + malicious guest driver in hw/rdma/vmw/pvrdma_main.c. + - CVE-2023-1544 + * SECURITY UPDATE: null pointer deref in NVME device + - debian/patches/CVE-2023-40360.patch: fix null pointer access in + directive receive in hw/nvme/ctrl.c. + - CVE-2023-40360 + * SECURITY UPDATE: OOB read in NVME device + - debian/patches/CVE-2023-4135.patch: fix oob memory read in fdp events + log in hw/nvme/ctrl.c. + - CVE-2023-4135 + * SECURITY UPDATE: division by zero via scsi block size + - debian/patches/CVE-2023-42467.patch: disallow block sizes smaller + than 512 in hw/scsi/scsi-disk.c. + - CVE-2023-42467 + * SECURITY UPDATE: disk offset 0 access + - debian/patches/CVE-2023-5088.patch: cancel async DMA operation before + resetting state in hw/ide/core.c. + - CVE-2023-5088 + + -- Marc Deslauriers Thu, 30 Nov 2023 08:22:57 -0500 + qemu (1:8.0.4+dfsg-1ubuntu3.23.10.1) mantic; urgency=medium * d/p/u/lp2003673-*.patch: Enable passthrough of IBM Z crypto diff -Nru qemu-8.0.4+dfsg/debian/patches/CVE-2023-1544.patch qemu-8.0.4+dfsg/debian/patches/CVE-2023-1544.patch --- qemu-8.0.4+dfsg/debian/patches/CVE-2023-1544.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-8.0.4+dfsg/debian/patches/CVE-2023-1544.patch 2023-11-30 13:21:39.000000000 +0000 
@@ -0,0 +1,65 @@ +From 85fc35afa93c7320d1641d344d0c5dfbe341d087 Mon Sep 17 00:00:00 2001 +From: Yuval Shaia +Date: Wed, 1 Mar 2023 16:29:26 +0200 +Subject: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver + +Guest driver allocates and initialize page tables to be used as a ring +of descriptors for CQ and async events. +The page table that represents the ring, along with the number of pages +in the page table is passed to the device. +Currently our device supports only one page table for a ring. + +Let's make sure that the number of page table entries the driver +reports, do not exceeds the one page table size. + +Reported-by: Soul Chen +Signed-off-by: Yuval Shaia +Fixes: CVE-2023-1544 +Message-ID: <20230301142926.18686-1-yuval.shaia.ml@gmail.com> +Signed-off-by: Thomas Huth +--- + hw/rdma/vmw/pvrdma_main.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c +index 4fc67120256..55b338046e6 100644 +--- a/hw/rdma/vmw/pvrdma_main.c ++++ b/hw/rdma/vmw/pvrdma_main.c +@@ -91,19 +91,33 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state, + dma_addr_t dir_addr, uint32_t num_pages) + { + uint64_t *dir, *tbl; +- int rc = 0; ++ int max_pages, rc = 0; + + if (!num_pages) { + rdma_error_report("Ring pages count must be strictly positive"); + return -EINVAL; + } + ++ /* ++ * Make sure we can satisfy the requested number of pages in a single ++ * TARGET_PAGE_SIZE sized page table (taking into account that first entry ++ * is reserved for ring-state) ++ */ ++ max_pages = TARGET_PAGE_SIZE / sizeof(dma_addr_t) - 1; ++ if (num_pages > max_pages) { ++ rdma_error_report("Maximum pages on a single directory must not exceed %d\n", ++ max_pages); ++ return -EINVAL; ++ } ++ + dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE); + if (!dir) { + rdma_error_report("Failed to map to page directory (ring %s)", name); + rc = -ENOMEM; + goto out; + } ++ ++ /* 
We support only one page table for a ring */
+ tbl = rdma_pci_dma_map(pci_dev, dir[0], TARGET_PAGE_SIZE);
+ if (!tbl) {
+ rdma_error_report("Failed to map to page table (ring %s)", name);
+--
+GitLab
+
diff -Nru qemu-8.0.4+dfsg/debian/patches/CVE-2023-40360.patch qemu-8.0.4+dfsg/debian/patches/CVE-2023-40360.patch
--- qemu-8.0.4+dfsg/debian/patches/CVE-2023-40360.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-8.0.4+dfsg/debian/patches/CVE-2023-40360.patch 2023-11-30 13:22:06.000000000 +0000
@@ -0,0 +1,31 @@
+From 6c8f8456cb0b239812dee5211881426496da7b98 Mon Sep 17 00:00:00 2001
+From: Klaus Jensen
+Date: Tue, 8 Aug 2023 17:16:13 +0200
+Subject: [PATCH] hw/nvme: fix null pointer access in directive receive
+
+nvme_directive_receive() does not check if an endurance group has been
+configured (set) prior to testing if flexible data placement is enabled
+or not.
+
+Fix this.
+
+Cc: qemu-stable@nongnu.org
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1815
+Fixes: 73064edfb864 ("hw/nvme: flexible data placement emulation")
+Reviewed-by: Jesper Wendel Devantier
+Signed-off-by: Klaus Jensen
+---
+ hw/nvme/ctrl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/hw/nvme/ctrl.c
++++ b/hw/nvme/ctrl.c
+@@ -6862,7 +6862,7 @@ static uint16_t nvme_directive_receive(N
+ case NVME_DIRECTIVE_IDENTIFY:
+ switch (doper) {
+ case NVME_DIRECTIVE_RETURN_PARAMS:
+- if (ns->endgrp->fdp.enabled) {
++ if (ns->endgrp && ns->endgrp->fdp.enabled) {
+ id.supported |= 1 << NVME_DIRECTIVE_DATA_PLACEMENT;
+ id.enabled |= 1 << NVME_DIRECTIVE_DATA_PLACEMENT;
+ id.persistent |= 1 << NVME_DIRECTIVE_DATA_PLACEMENT;
diff -Nru qemu-8.0.4+dfsg/debian/patches/CVE-2023-4135.patch qemu-8.0.4+dfsg/debian/patches/CVE-2023-4135.patch
--- qemu-8.0.4+dfsg/debian/patches/CVE-2023-4135.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-8.0.4+dfsg/debian/patches/CVE-2023-4135.patch 2023-11-30 13:22:20.000000000 +0000
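Review bot: In the new bound check added to init_dev_ring (CVE-2023-1544.patch), `max_pages` is declared `int` while `num_pages` is `uint32_t`, so `num_pages > max_pages` is a signed/unsigned comparison and the `sizeof`-derived value is narrowed into an `int`; the value is small and positive so it is safe today, but `uint32_t max_pages = TARGET_PAGE_SIZE / sizeof(dma_addr_t) - 1;` with `%u` in the message avoids the -Wsign-compare warning and states the intent. The new `rdma_error_report("Maximum pages on a single directory must not exceed %d\n", ...)` also ends with `\n` where the neighbouring calls in the same hunk (`"Ring pages count must be strictly positive"`, `"Failed to map to page directory (ring %s)"`) do not, which will presumably double the newline in the log; drop the `\n` for consistency. init_dev_ring begins in the hunk header and continues past the end of the hunk.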
@@ -0,0 +1,36 @@
+From ecb1b7b082d3b7dceff0e486a114502fc52c0fdf Mon Sep 17 00:00:00 2001
+From: Klaus Jensen
+Date: Thu, 3 Aug 2023 20:44:23 +0200
+Subject: [PATCH] hw/nvme: fix oob memory read in fdp events log
+
+As reported by Trend Micro's Zero Day Initiative, an oob memory read
+vulnerability exists in nvme_fdp_events(). The host-provided offset is
+not verified.
+
+Fix this.
+
+This is only exploitable when Flexible Data Placement mode (fdp=on) is
+enabled.
+
+Fixes: CVE-2023-4135
+Fixes: 73064edfb864 ("hw/nvme: flexible data placement emulation")
+Reported-by: Trend Micro's Zero Day Initiative
+Signed-off-by: Klaus Jensen
+---
+ hw/nvme/ctrl.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/hw/nvme/ctrl.c
++++ b/hw/nvme/ctrl.c
+@@ -5091,6 +5091,11 @@ static uint16_t nvme_fdp_events(NvmeCtrl
+ }
+
+ log_size = sizeof(NvmeFdpEventsLog) + ebuf->nelems * sizeof(NvmeFdpEvent);
++
++ if (off >= log_size) {
++ return NVME_INVALID_FIELD | NVME_DNR;
++ }
++
+ trans_len = MIN(log_size - off, buf_len);
+ elog = g_malloc0(log_size);
+ elog->num_events = cpu_to_le32(ebuf->nelems);
diff -Nru qemu-8.0.4+dfsg/debian/patches/CVE-2023-42467.patch qemu-8.0.4+dfsg/debian/patches/CVE-2023-42467.patch
--- qemu-8.0.4+dfsg/debian/patches/CVE-2023-42467.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-8.0.4+dfsg/debian/patches/CVE-2023-42467.patch 2023-11-30 13:22:28.000000000 +0000
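Review bot: The new `if (off >= log_size)` guard in nvme_fdp_events only protects the following `MIN(log_size - off, buf_len)` if `off` is an unsigned type; `off` is declared outside the hunk, so confirm that it is (a signed `off` would pass this check with a negative value and `log_size - off` would then exceed `log_size`). The commit message identifies the offset as host-provided, i.e. controlled by the emulated controller's host, which is the reason the check must sit between the `log_size` computation and its first use; a one-line comment would keep that from being "simplified" away later, e.g. `/* off comes from the host's Get Log Page command; reject it before it feeds the length below */`. nvme_fdp_events continues on both sides of the hunk.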
@@ -0,0 +1,44 @@
+From 7cfcc79b0ab800959716738aff9419f53fc68c9c Mon Sep 17 00:00:00 2001
+From: Thomas Huth
+Date: Mon, 25 Sep 2023 11:18:54 +0200
+Subject: [PATCH] hw/scsi/scsi-disk: Disallow block sizes smaller than 512
+ [CVE-2023-42467]
+
+We are doing things like
+
+ nb_sectors /= (s->qdev.blocksize / BDRV_SECTOR_SIZE);
+
+in the code here (e.g. in scsi_disk_emulate_mode_sense()), so if
+the blocksize is smaller than BDRV_SECTOR_SIZE (=512), this crashes
+with a division by 0 exception. Thus disallow block sizes of 256
+bytes to avoid this situation.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1813
+CVE: 2023-42467
+Signed-off-by: Thomas Huth
+Message-ID: <20230925091854.49198-1-thuth@redhat.com>
+Signed-off-by: Paolo Bonzini
+---
+ hw/scsi/scsi-disk.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
+index e0d79c7966c..477ee2bcd47 100644
+--- a/hw/scsi/scsi-disk.c
++++ b/hw/scsi/scsi-disk.c
+@@ -1628,9 +1628,10 @@ static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf)
+ * Since the existing code only checks/updates bits 8-15 of the block
+ * size, restrict ourselves to the same requirement for now to ensure
+ * that a block size set by a block descriptor and then read back by
+- * a subsequent SCSI command will be the same
++ * a subsequent SCSI command will be the same. Also disallow a block
++ * size of 256 since we cannot handle anything below BDRV_SECTOR_SIZE. 
+ */
+- if (bs && !(bs & ~0xff00) && bs != s->qdev.blocksize) {
++ if (bs && !(bs & ~0xfe00) && bs != s->qdev.blocksize) {
+ s->qdev.blocksize = bs;
+ trace_scsi_disk_mode_select_set_blocksize(s->qdev.blocksize);
+ }
+--
+GitLab
+
diff -Nru qemu-8.0.4+dfsg/debian/patches/CVE-2023-5088.patch qemu-8.0.4+dfsg/debian/patches/CVE-2023-5088.patch
--- qemu-8.0.4+dfsg/debian/patches/CVE-2023-5088.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-8.0.4+dfsg/debian/patches/CVE-2023-5088.patch 2023-11-30 13:22:41.000000000 +0000
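Review bot: The new comment in scsi_disk_emulate_mode_select understates what the mask change does: `~0xfe00` does not just "disallow a block size of 256", it clears bit 8 entirely, so any value that is not a multiple of 512 (768, 1280, ...) is now rejected as well, and the sentence two lines above that says the code "only checks/updates bits 8-15" is now stale. Since the motivation is that `blocksize / BDRV_SECTOR_SIZE` must be a non-zero integer, say so: `* Also restrict the block size to multiples of BDRV_SECTOR_SIZE (bits 9-15)` and `* since we cannot handle anything below or not aligned to 512 bytes.`, and change "bits 8-15" to "bits 9-15" in the earlier line. The magic `0xfe00` itself would read better as a named constant derived from `BDRV_SECTOR_SIZE`, but that is a matter of taste. scsi_disk_emulate_mode_select starts before and ends after the hunk.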
@@ -0,0 +1,105 @@
+From 7d7512019fc40c577e2bdd61f114f31a9eb84a8e Mon Sep 17 00:00:00 2001
+From: Fiona Ebner
+Date: Wed, 6 Sep 2023 15:09:21 +0200
+Subject: [PATCH] hw/ide: reset: cancel async DMA operation before resetting
+ state
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If there is a pending DMA operation during ide_bus_reset(), the fact
+that the IDEState is already reset before the operation is canceled
+can be problematic. In particular, ide_dma_cb() might be called and
+then use the reset IDEState which contains the signature after the
+reset. When used to construct the IO operation this leads to
+ide_get_sector() returning 0 and nsector being 1. This is particularly
+bad, because a write command will thus destroy the first sector which
+often contains a partition table or similar.
+
+Traces showing the unsolicited write happening with IDEState
+0x5595af6949d0 being used after reset:
+
+> ahci_port_write ahci(0x5595af6923f0)[0]: port write [reg:PxSCTL] @ 0x2c: 0x00000300
+> ahci_reset_port ahci(0x5595af6923f0)[0]: reset port
+> ide_reset IDEstate 0x5595af6949d0
+> ide_reset IDEstate 0x5595af694da8
+> ide_bus_reset_aio aio_cancel
+> dma_aio_cancel dbs=0x7f64600089a0
+> dma_blk_cb dbs=0x7f64600089a0 ret=0
+> dma_complete dbs=0x7f64600089a0 ret=0 cb=0x5595acd40b30
+> ahci_populate_sglist ahci(0x5595af6923f0)[0]
+> ahci_dma_prepare_buf ahci(0x5595af6923f0)[0]: prepare buf limit=512 prepared=512
+> ide_dma_cb IDEState 0x5595af6949d0; sector_num=0 n=1 cmd=DMA WRITE
+> dma_blk_io dbs=0x7f6420802010 bs=0x5595ae2c6c30 offset=0 to_dev=1
+> dma_blk_cb dbs=0x7f6420802010 ret=0
+
+> (gdb) p *qiov
+> $11 = {iov = 0x7f647c76d840, niov = 1, {{nalloc = 1, local_iov = {iov_base = 0x0,
+> iov_len = 512}}, {__pad = "\001\000\000\000\000\000\000\000\000\000\000",
+> size = 512}}}
+> (gdb) bt
+> #0 blk_aio_pwritev (blk=0x5595ae2c6c30, offset=0, qiov=0x7f6420802070, flags=0,
+> cb=0x5595ace6f0b0 , opaque=0x7f6420802010)
+> at 
../block/block-backend.c:1682
+> #1 0x00005595ace6f185 in dma_blk_cb (opaque=0x7f6420802010, ret=)
+> at ../softmmu/dma-helpers.c:179
+> #2 0x00005595ace6f778 in dma_blk_io (ctx=0x5595ae0609f0,
+> sg=sg@entry=0x5595af694d00, offset=offset@entry=0, align=align@entry=512,
+> io_func=io_func@entry=0x5595ace6ee30 ,
+> io_func_opaque=io_func_opaque@entry=0x5595ae2c6c30,
+> cb=0x5595acd40b30 , opaque=0x5595af6949d0,
+> dir=DMA_DIRECTION_TO_DEVICE) at ../softmmu/dma-helpers.c:244
+> #3 0x00005595ace6f90a in dma_blk_write (blk=0x5595ae2c6c30,
+> sg=sg@entry=0x5595af694d00, offset=offset@entry=0, align=align@entry=512,
+> cb=cb@entry=0x5595acd40b30 , opaque=opaque@entry=0x5595af6949d0)
+> at ../softmmu/dma-helpers.c:280
+> #4 0x00005595acd40e18 in ide_dma_cb (opaque=0x5595af6949d0, ret=)
+> at ../hw/ide/core.c:953
+> #5 0x00005595ace6f319 in dma_complete (ret=0, dbs=0x7f64600089a0)
+> at ../softmmu/dma-helpers.c:107
+> #6 dma_blk_cb (opaque=0x7f64600089a0, ret=0) at ../softmmu/dma-helpers.c:127
+> #7 0x00005595ad12227d in blk_aio_complete (acb=0x7f6460005b10)
+> at ../block/block-backend.c:1527
+> #8 blk_aio_complete (acb=0x7f6460005b10) at ../block/block-backend.c:1524
+> #9 blk_aio_write_entry (opaque=0x7f6460005b10) at ../block/block-backend.c:1594
+> #10 0x00005595ad258cfb in coroutine_trampoline (i0=,
+> i1=) at ../util/coroutine-ucontext.c:177
+
+Signed-off-by: Fiona Ebner
+Reviewed-by: Philippe Mathieu-Daudé
+Tested-by: simon.rowe@nutanix.com
+Message-ID: <20230906130922.142845-1-f.ebner@proxmox.com>
+Signed-off-by: Philippe Mathieu-Daudé
+---
+ hw/ide/core.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/hw/ide/core.c
++++ b/hw/ide/core.c
+@@ -2513,19 +2513,19 @@ static void ide_dummy_transfer_stop(IDES
+
+ void ide_bus_reset(IDEBus *bus)
+ {
+- bus->unit = 0;
+- bus->cmd = 0;
+- ide_reset(&bus->ifs[0]);
+- ide_reset(&bus->ifs[1]);
+- ide_clear_hob(bus);
+-
+- /* pending async DMA */
++ /* pending async DMA - needs the IDEState before
it is reset */
+ if (bus->dma->aiocb) {
+ trace_ide_bus_reset_aio();
+ blk_aio_cancel(bus->dma->aiocb);
+ bus->dma->aiocb = NULL;
+ }
+
++ bus->unit = 0;
++ bus->cmd = 0;
++ ide_reset(&bus->ifs[0]);
++ ide_reset(&bus->ifs[1]);
++ ide_clear_hob(bus);
++
+ /* reset dma provider too */
+ if (bus->dma->ops->reset) {
+ bus->dma->ops->reset(bus->dma);
diff -Nru qemu-8.0.4+dfsg/debian/patches/series qemu-8.0.4+dfsg/debian/patches/series
--- qemu-8.0.4+dfsg/debian/patches/series 2023-10-30 20:16:32.000000000 +0000
+++ qemu-8.0.4+dfsg/debian/patches/series 2023-11-30 13:22:37.000000000 +0000
@@ -31,3 +31,8 @@
 ubuntu/lp2003673-update-linux-headers-6.6rc1.patch
 ubuntu/lp2003673-s390x-refactor-ap-functionalities.patch
 ubuntu/lp2003673-s390x-ap-passthrough-for-pv-guests.patch
+CVE-2023-1544.patch
+CVE-2023-40360.patch
+CVE-2023-4135.patch
+CVE-2023-42467.patch
+CVE-2023-5088.patch
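Review bot: The reordering in ide_bus_reset is right, but the new comment `pending async DMA - needs the IDEState before it is reset` leaves out the one fact that makes the order mandatory: as the trace in the commit message shows (`ide_bus_reset_aio aio_cancel` → `dma_aio_cancel` → `dma_blk_cb` → `dma_complete` → `ide_dma_cb`), `blk_aio_cancel()` can drive the DMA completion path, and that path reads `bus->ifs[]` to build its I/O. Without that being written down, a later cleanup could move the `ide_reset()` calls back above the cancel and silently reintroduce the sector-0 write. Suggest `/* Cancel pending async DMA first: blk_aio_cancel() may run the completion path (dma_blk_cb -> ide_dma_cb), which must still see the un-reset IDEState */`. ide_bus_reset continues past the end of the hunk.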