From: "Anuj Mittal" <anuj.mittal@intel.com>
To: openembedded-core@lists.openembedded.org
Subject: [hardknott][PATCH 22/23] qemu: fix CVE-2021-3527
Date: Mon, 9 Aug 2021 23:35:54 +0800 [thread overview]
Message-ID: <fcbcd27a1c97668af9634143376f75ab32fffd68.1628522214.git.anuj.mittal@intel.com> (raw)
In-Reply-To: <cover.1628522214.git.anuj.mittal@intel.com>
From: Lee Chee Yang <chee.yang.lee@intel.com>
(cherry picked from commit 6774efd1e3d0bd5c8c34f84dcf4f698d7eafb36a)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
meta/recipes-devtools/qemu/qemu.inc | 2 +
.../qemu/qemu/CVE-2021-3527-1.patch | 42 +++++++++++++
.../qemu/qemu/CVE-2021-3527-2.patch | 59 +++++++++++++++++++
3 files changed, 103 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 5f7d82dfed..a22721004e 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -64,6 +64,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch \
file://0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch \
file://0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch \
+ file://CVE-2021-3527-1.patch \
+ file://CVE-2021-3527-2.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch
new file mode 100644
index 0000000000..77a5385692
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch
@@ -0,0 +1,42 @@
+From 05a40b172e4d691371534828078be47e7fff524c Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 3 May 2021 15:29:15 +0200
+Subject: [PATCH] usb: limit combined packets to 1 MiB (CVE-2021-3527)
+
+usb-host and usb-redirect try to batch bulk transfers by combining many
+small usb packets into a single, large transfer request, to reduce the
+overhead and improve performance.
+
+This patch adds a size limit of 1 MiB for those combined packets to
+restrict the host resources the guest can bind that way.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-Id: <20210503132915.2335822-6-kraxel@redhat.com>
+
+Upstream-Status: Backport
+https://gitlab.com/qemu-project/qemu/-/commit/05a40b172e4d691371534828078be47e7fff524c
+CVE: CVE-2021-3527
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ hw/usb/combined-packet.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c
+index 5d57e883dc..e56802f89a 100644
+--- a/hw/usb/combined-packet.c
++++ b/hw/usb/combined-packet.c
+@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep)
+ if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok ||
+ next == NULL ||
+ /* Work around for Linux usbfs bulk splitting + migration */
+- (totalsize == (16 * KiB - 36) && p->int_req)) {
++ (totalsize == (16 * KiB - 36) && p->int_req) ||
++ /* Next package may grow combined package over 1MiB */
++ totalsize > 1 * MiB - ep->max_packet_size) {
+ usb_device_handle_data(ep->dev, first);
+ assert(first->status == USB_RET_ASYNC);
+ if (first->combined) {
+--
+GitLab
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch
new file mode 100644
index 0000000000..6371aced12
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch
@@ -0,0 +1,59 @@
+From 7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 3 May 2021 15:29:12 +0200
+Subject: [PATCH] usb/redir: avoid dynamic stack allocation (CVE-2021-3527)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Use autofree heap allocation instead.
+
+Fixes: 4f4321c11ff ("usb: use iovecs in USBPacket")
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210503132915.2335822-3-kraxel@redhat.com>
+
+Upstream-Status: Backport
+https://gitlab.com/qemu-project/qemu/-/commit/7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986
+CVE: CVE-2021-3527
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ hw/usb/redirect.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
+index 17f06f3417..6a75b0dc4a 100644
+--- a/hw/usb/redirect.c
++++ b/hw/usb/redirect.c
+@@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p,
+ .endpoint = ep,
+ .length = p->iov.size
+ };
+- uint8_t buf[p->iov.size];
++ g_autofree uint8_t *buf = g_malloc(p->iov.size);
+ /* No id, we look at the ep when receiving a status back */
+ usb_packet_copy(p, buf, p->iov.size);
+ usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet,
+@@ -818,7 +818,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p,
+ usbredirparser_send_bulk_packet(dev->parser, p->id,
+ &bulk_packet, NULL, 0);
+ } else {
+- uint8_t buf[size];
++ g_autofree uint8_t *buf = g_malloc(size);
+ usb_packet_copy(p, buf, size);
+ usbredir_log_data(dev, "bulk data out:", buf, size);
+ usbredirparser_send_bulk_packet(dev->parser, p->id,
+@@ -923,7 +923,7 @@ static void usbredir_handle_interrupt_out_data(USBRedirDevice *dev,
+ USBPacket *p, uint8_t ep)
+ {
+ struct usb_redir_interrupt_packet_header interrupt_packet;
+- uint8_t buf[p->iov.size];
++ g_autofree uint8_t *buf = g_malloc(p->iov.size);
+
+ DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep,
+ p->iov.size, p->id);
+--
+GitLab
+
--
2.31.1
next prev parent reply other threads:[~2021-08-09 15:36 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-09 15:35 [hardknott][PATCH 00/23] review request Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 01/23] stress-ng: Drop defining daddr_t Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 02/23] parselogs.py: qemuarm should be qemuarmv5 Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 03/23] devtool: print a warning on upgrades if PREFERRED_VERSION is set Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 04/23] zstd: fix CVE_PRODUCT Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 05/23] linux-yocto/5.10: update to v5.10.53 Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 06/23] linux-yocto/5.4: update to v5.4.135 Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 07/23] linux-yocto-rt/5.10: update to -rt47 Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 08/23] linux-yocto/5.10: enable TYPEC_TCPCI in usbc fragment Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 09/23] sstate: Fix rebuilds when changing layer config Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 10/23] license: Exclude COPYING.MIT from pseudo Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 11/23] runqemu: Fix typo in error message Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 12/23] aspell: fix CVE-2019-25051 Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 13/23] createrepo-c: fix createrepo-c failed in nativesdk Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 14/23] oeqa/runtime/cases/ptest: Increase test timeout from 300s to 450s Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 15/23] cve-check: fix comments Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 16/23] cve-check: update link to NVD website for CVE details Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 17/23] cve-check: improve comment about CVE patch file names Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 18/23] curl: fix CVE-2021-22925 Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 19/23] curl: fix CVES Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 20/23] util-linux: fix CVE 2021-37600 Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 21/23] qemu: fix virtio vhost-user-gpu CVEs Anuj Mittal
2021-08-09 15:35 ` Anuj Mittal [this message]
2021-08-09 15:35 ` [hardknott][PATCH 23/23] nettle: update 3.7.2 -> 3.7.3 Anuj Mittal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fcbcd27a1c97668af9634143376f75ab32fffd68.1628522214.git.anuj.mittal@intel.com \
--to=anuj.mittal@intel.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.