poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3582.patch - openbmc/openbmc - Gitiles

 From 284f191b4abad213aed04cb0458e1600fd18d7c4 Mon Sep 17 00:00:00 2001
 From: Marcel Apfelbaum <marcel@redhat.com>
 Date: Wed, 16 Jun 2021 14:06:00 +0300
 Subject: [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device
  (CVE-2021-3582)

 Ensure mremap boundaries not trusting the guest kernel to
 pass the correct buffer length.

 Fixes: CVE-2021-3582
 Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
 Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
 Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
 Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com>
 Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
 Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
 Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
 Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>

 CVE: CVE-2021-3582
 Upstream-Status: Backport [284f191b4abad213aed04cb0458e1600fd18d7c4]
 Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
 ---
  hw/rdma/vmw/pvrdma_cmd.c | 7 +++++++
  1 file changed, 7 insertions(+)

 diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
 index f59879e257..da7ddfa548 100644
 --- a/hw/rdma/vmw/pvrdma_cmd.c
 +++ b/hw/rdma/vmw/pvrdma_cmd.c
 @@ -38,6 +38,13 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma,
          return NULL;
      }

 +    length = ROUND_UP(length, TARGET_PAGE_SIZE);
 +    if (nchunks * TARGET_PAGE_SIZE != length) {
 +        rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks,
 +                          (unsigned long)length);
 +        return NULL;
 +    }
 +
      dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
      if (!dir) {
          rdma_error_report("Failed to map to page directory");
 --
 2.25.1
	From 284f191b4abad213aed04cb0458e1600fd18d7c4 Mon Sep 17 00:00:00 2001
	From: Marcel Apfelbaum <marcel@redhat.com>
	Date: Wed, 16 Jun 2021 14:06:00 +0300
	Subject: [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device
	(CVE-2021-3582)

	Ensure mremap boundaries not trusting the guest kernel to
	pass the correct buffer length.

	Fixes: CVE-2021-3582
	Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
	Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
	Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
	Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com>
	Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
	Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
	Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
	Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>

	CVE: CVE-2021-3582
	Upstream-Status: Backport [284f191b4abad213aed04cb0458e1600fd18d7c4]
	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
	---
	hw/rdma/vmw/pvrdma_cmd.c \| 7 +++++++
	1 file changed, 7 insertions(+)

	diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
	index f59879e257..da7ddfa548 100644
	--- a/hw/rdma/vmw/pvrdma_cmd.c
	+++ b/hw/rdma/vmw/pvrdma_cmd.c
	@@ -38,6 +38,13 @@ static void pvrdma_map_to_pdir(PCIDevice pdev, uint64_t pdir_dma,
	return NULL;
	}

	+ length = ROUND_UP(length, TARGET_PAGE_SIZE);
	+ if (nchunks * TARGET_PAGE_SIZE != length) {
	+ rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks,
	+ (unsigned long)length);
	+ return NULL;
	+ }
	+
	dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
	if (!dir) {
	rdma_error_report("Failed to map to page directory");
	--
	2.25.1