poky/meta/recipes-devtools/qemu/qemu/0019-fix-CVE-2018-20216.patch - openbmc/openbmc - Gitiles

 CVE: CVE-2018-20216
 Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=f1e2e38]

 Signed-off-by: Kai Kang <kai.kang@windriver.com>

 From f1e2e38ee0136b7710a2caa347049818afd57a1b Mon Sep 17 00:00:00 2001
 From: Prasad J Pandit <pjp@fedoraproject.org>
 Date: Thu, 13 Dec 2018 01:00:39 +0530
 Subject: [PATCH] pvrdma: check return value from pvrdma_idx_ring_has_ routines

 pvrdma_idx_ring_has_[data/space] routines also return invalid
 index PVRDMA_INVALID_IDX[=-1], if ring has no data/space. Check
 return value from these routines to avoid plausible infinite loops.

 Reported-by: Li Qiang <liq3ea@163.com>
 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
 Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
 Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
 ---
  hw/rdma/vmw/pvrdma_dev_ring.c | 29 +++++++++++------------------
  1 file changed, 11 insertions(+), 18 deletions(-)

 diff --git a/hw/rdma/vmw/pvrdma_dev_ring.c b/hw/rdma/vmw/pvrdma_dev_ring.c
 index 01247fc041..e8e5b502f6 100644
 --- a/hw/rdma/vmw/pvrdma_dev_ring.c
 +++ b/hw/rdma/vmw/pvrdma_dev_ring.c
 @@ -73,23 +73,16 @@ out:

  void *pvrdma_ring_next_elem_read(PvrdmaRing *ring)
  {
 +    int e;
      unsigned int idx = 0, offset;

 -    /*
 -    pr_dbg("%s: t=%d, h=%d\n", ring->name, ring->ring_state->prod_tail,
 -           ring->ring_state->cons_head);
 -    */
 -
 -    if (!pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx)) {
 +    e = pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx);
 +    if (e <= 0) {
          pr_dbg("No more data in ring\n");
          return NULL;
      }

      offset = idx * ring->elem_sz;
 -    /*
 -    pr_dbg("idx=%d\n", idx);
 -    pr_dbg("offset=%d\n", offset);
 -    */
      return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_SIZE);
  }

 @@ -105,20 +98,20 @@ void pvrdma_ring_read_inc(PvrdmaRing *ring)

  void *pvrdma_ring_next_elem_write(PvrdmaRing *ring)
  {
 -    unsigned int idx, offset, tail;
 +    int idx;
 +    unsigned int offset, tail;

 -    /*
 -    pr_dbg("%s: t=%d, h=%d\n", ring->name, ring->ring_state->prod_tail,
 -           ring->ring_state->cons_head);
 -    */
 -
 -    if (!pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &tail)) {
 +    idx = pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &tail);
 +    if (idx <= 0) {
          pr_dbg("CQ is full\n");
          return NULL;
      }

      idx = pvrdma_idx(&ring->ring_state->prod_tail, ring->max_elems);
 -    /* TODO: tail == idx */
 +    if (idx < 0 || tail != idx) {
 +        pr_dbg("invalid idx\n");
 +        return NULL;
 +    }

      offset = idx * ring->elem_sz;
      return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_SIZE);
 --
 2.20.1
	CVE: CVE-2018-20216
	Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=f1e2e38]

	Signed-off-by: Kai Kang <kai.kang@windriver.com>

	From f1e2e38ee0136b7710a2caa347049818afd57a1b Mon Sep 17 00:00:00 2001
	From: Prasad J Pandit <pjp@fedoraproject.org>
	Date: Thu, 13 Dec 2018 01:00:39 +0530
	Subject: [PATCH] pvrdma: check return value from pvrdma_idx_ring_has_ routines

	pvrdma_idx_ring_has_[data/space] routines also return invalid
	index PVRDMA_INVALID_IDX[=-1], if ring has no data/space. Check
	return value from these routines to avoid plausible infinite loops.

	Reported-by: Li Qiang <liq3ea@163.com>
	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
	Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
	Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
	---
	hw/rdma/vmw/pvrdma_dev_ring.c \| 29 +++++++++++------------------
	1 file changed, 11 insertions(+), 18 deletions(-)

	diff --git a/hw/rdma/vmw/pvrdma_dev_ring.c b/hw/rdma/vmw/pvrdma_dev_ring.c
	index 01247fc041..e8e5b502f6 100644
	--- a/hw/rdma/vmw/pvrdma_dev_ring.c
	+++ b/hw/rdma/vmw/pvrdma_dev_ring.c
	@@ -73,23 +73,16 @@ out:

	void pvrdma_ring_next_elem_read(PvrdmaRing ring)
	{
	+ int e;
	unsigned int idx = 0, offset;

	- /*
	- pr_dbg("%s: t=%d, h=%d\n", ring->name, ring->ring_state->prod_tail,
	- ring->ring_state->cons_head);
	- */
	-
	- if (!pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx)) {
	+ e = pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx);
	+ if (e <= 0) {
	pr_dbg("No more data in ring\n");
	return NULL;
	}

	offset = idx * ring->elem_sz;
	- /*
	- pr_dbg("idx=%d\n", idx);
	- pr_dbg("offset=%d\n", offset);
	- */
	return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_SIZE);
	}

	@@ -105,20 +98,20 @@ void pvrdma_ring_read_inc(PvrdmaRing *ring)

	void pvrdma_ring_next_elem_write(PvrdmaRing ring)
	{
	- unsigned int idx, offset, tail;
	+ int idx;
	+ unsigned int offset, tail;

	- /*
	- pr_dbg("%s: t=%d, h=%d\n", ring->name, ring->ring_state->prod_tail,
	- ring->ring_state->cons_head);
	- */
	-
	- if (!pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &tail)) {
	+ idx = pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &tail);
	+ if (idx <= 0) {
	pr_dbg("CQ is full\n");
	return NULL;
	}

	idx = pvrdma_idx(&ring->ring_state->prod_tail, ring->max_elems);
	- /* TODO: tail == idx */
	+ if (idx < 0 \|\| tail != idx) {
	+ pr_dbg("invalid idx\n");
	+ return NULL;
	+ }

	offset = idx * ring->elem_sz;
	return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_SIZE);
	--
	2.20.1