Fix CVE-2023-3301

This commit is contained in:
zeng_chi 2024-09-27 15:01:30 +08:00 committed by openkylin-cibot
parent 8e91afa374
commit 41ef34d7a9
3 changed files with 58 additions and 0 deletions

debian/changelog vendored

@ -1,3 +1,15 @@
qemu (1:7.1.0-ok19) yangtze; urgency=medium
* CVE-2023-3301
-- root <zengchi@kylinos.cn> Fri, 27 Sep 2024 14:50:15 +0800
qemu (1:7.1.0-ok18) yangtze; urgency=medium
* CVE-2023-42467
-- root <zengchi@kylinos.cn> Thu, 29 Aug 2024 15:47:13 +0800
qemu (1:7.1.0-ok17) yangtze; urgency=medium
* CVE-2023-3255


@ -0,0 +1,45 @@
From: zeng_chi <11612732+zeng_chi@user.noreply.gitee.com>
Date: Fri, 27 Sep 2024 15:01:30 +0800
Subject: Fix CVE-2023-3301
---
hw/scsi/scsi-disk.c | 5 +++--
net/vhost-vdpa.c | 8 ++++++++
2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
index efee673..275a4e3 100644
--- a/hw/scsi/scsi-disk.c
+++ b/hw/scsi/scsi-disk.c
@@ -1624,9 +1624,10 @@ static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf)
* Since the existing code only checks/updates bits 8-15 of the block
* size, restrict ourselves to the same requirement for now to ensure
* that a block size set by a block descriptor and then read back by
- * a subsequent SCSI command will be the same
+ * a subsequent SCSI command will be the same. Also disallow a block
+ * size of 256 since we cannot handle anything below BDRV_SECTOR_SIZE.
*/
- if (bs && !(bs & ~0xff00) && bs != s->qdev.blocksize) {
+ if (bs && !(bs & ~0xfe00) && bs != s->qdev.blocksize) {
s->qdev.blocksize = bs;
trace_scsi_disk_mode_select_set_blocksize(s->qdev.blocksize);
}
diff --git a/net/vhost-vdpa.c b/net/vhost-vdpa.c
index 303447a..3421b55 100644
--- a/net/vhost-vdpa.c
+++ b/net/vhost-vdpa.c
@@ -157,6 +157,14 @@ static void vhost_vdpa_cleanup(NetClientState *nc)
VhostVDPAState *s = DO_UPCAST(VhostVDPAState, nc, nc);
struct vhost_dev *dev = &s->vhost_net->dev;
+ /*
+ * If a peer NIC is attached, do not cleanup anything.
+ * Cleanup will happen as a part of qemu_cleanup() -> net_cleanup()
+ * when the guest is shutting down.
+ */
+ if (nc->peer && nc->peer->info->type == NET_CLIENT_DRIVER_NIC) {
+ return;
+ }
qemu_vfree(s->cvq_cmd_out_buffer);
qemu_vfree(s->cvq_cmd_in_buffer);
if (dev->vq_index + dev->nvqs == dev->vq_index_end) {
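Review bot: The hw/scsi/scsi-disk.c hunk (tightening the mode-select block-size mask from `0xff00` to `0xfe00` in scsi_disk_emulate_mode_select) is unrelated to CVE-2023-3301, which the net/vhost-vdpa.c hunk addresses, yet the patch's Subject names only that CVE and the patch has no description explaining why both are bundled. Nothing on the page shows whether the scsi-disk change duplicates the block-size hardening already recorded under CVE-2023-42467 in the ok18 changelog entry or is a separate fix; if it is a duplicate it should be dropped, otherwise the header should say what it fixes, since an already-applied hunk would make the series fail to apply on rebase. A DEP-3 header with an `Origin: upstream, <UPSTREAM-COMMIT-ID>` line and a `Bug:` reference per fix, plus one sentence per hunk, would make both changes traceable. The early return added to vhost_vdpa_cleanup intentionally skips the `qemu_vfree` calls and the rest of the teardown when a NIC peer is attached; the function continues beyond the hunk, so the remaining cleanup it bypasses is not visible here.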


@ -28,3 +28,4 @@ hw-pvrdma-protect-against-guest-driver-CVE-2022-1050.patch
0028-21-Fix-CVE-2023-1544.patch
0029-Fix-CVE-2023-3180.patch
0030-Fix-CVE-2023-3255.patch
0031-Fix-CVE-2023-3301.patch