Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP1:Update
qemu-linux-user
0256-hw-nvme-fix-CVE-2021-3929.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0256-hw-nvme-fix-CVE-2021-3929.patch of Package qemu-linux-user
From: Klaus Jensen <k.jensen@samsung.com> Date: Fri, 17 Dec 2021 10:44:01 +0100 Subject: hw/nvme: fix CVE-2021-3929 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Git-commit: 736b01642d85be832385063f278fe7cd4ffb5221 References: bsc#1193880,CVE-2021-3929 This fixes CVE-2021-3929 "locally" by denying DMA to the iomem of the device itself. This still allows DMA to MMIO regions of other devices (e.g. doing P2P DMA to the controller memory buffer of another NVMe device). Fixes: CVE-2021-3929 Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com> Reviewed-by: Keith Busch <kbusch@kernel.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>4 Signed-off-by: Klaus Jensen <k.jensen@samsung.com> Signed-off-by: Lin Ma <lma@suse.com> Signed-off-by: Dario Faggioli <dfaggioli@suse.com> --- hw/block/nvme.c | 43 ++++++++++++++++++++++++++++++++++++------- 1 file changed, 36 insertions(+), 7 deletions(-) diff --git a/hw/block/nvme.c b/hw/block/nvme.c index 7c8c63e8f5e2215d98fd1f91c78e..67cd99a4b697c8847a7c65d9b84e 100644 --- a/hw/block/nvme.c +++ b/hw/block/nvme.c @@ -50,6 +50,24 @@ static void nvme_process_sq(void *opaque); +static inline bool nvme_addr_is_iomem(NvmeCtrl *n, hwaddr addr) +{ + PCIDevice *pci_dev = &n->parent_obj; + hwaddr regs_hi, regs_lo, msix_hi, msix_lo; + + /* + * The purpose of this check is to guard against invalid "local" access + * to the iomem (i.e. controller registers, MSIX-related space). + */ + regs_lo = n->iomem.addr; + regs_hi = regs_lo + int128_get64(n->iomem.size); + msix_lo = pci_dev->msix_exclusive_bar.addr; + msix_hi = msix_lo + int128_get64(pci_dev->msix_exclusive_bar.size); + + return (addr >= regs_lo && addr < regs_hi) || + (addr >= msix_lo && addr < msix_hi); +} + static void nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size) { if (n->cmbsz && addr >= n->ctrl_mem.addr && @@ -146,14 +164,19 @@ static uint16_t nvme_map_prp(QEMUSGList *qsg, QEMUIOVector *iov, uint64_t prp1, if (unlikely(!prp1)) { trace_nvme_err_invalid_prp(); return NVME_INVALID_FIELD | NVME_DNR; - } else if (n->cmbsz && prp1 >= n->ctrl_mem.addr && - prp1 < n->ctrl_mem.addr + int128_get64(n->ctrl_mem.size)) { - qsg->nsg = 0; - qemu_iovec_init(iov, num_prps); - qemu_iovec_add(iov, (void *)&n->cmbuf[prp1 - n->ctrl_mem.addr], trans_len); } else { - pci_dma_sglist_init(qsg, &n->parent_obj, num_prps); - qemu_sglist_add(qsg, prp1, trans_len); + if (nvme_addr_is_iomem(n, prp1)) { + return NVME_DATA_TRAS_ERROR; + } + if (n->cmbsz && prp1 >= n->ctrl_mem.addr && + prp1 < n->ctrl_mem.addr + int128_get64(n->ctrl_mem.size)) { + qsg->nsg = 0; + qemu_iovec_init(iov, num_prps); + qemu_iovec_add(iov, (void *)&n->cmbuf[prp1 - n->ctrl_mem.addr], trans_len); + } else { + pci_dma_sglist_init(qsg, &n->parent_obj, num_prps); + qemu_sglist_add(qsg, prp1, trans_len); + } } len -= trans_len; if (len) { @@ -192,6 +215,9 @@ static uint16_t nvme_map_prp(QEMUSGList *qsg, QEMUIOVector *iov, uint64_t prp1, } trans_len = MIN(len, n->page_size); + if (nvme_addr_is_iomem(n, prp_ent)) { + return NVME_DATA_TRAS_ERROR; + } if (qsg->nsg){ qemu_sglist_add(qsg, prp_ent, trans_len); } else { @@ -205,6 +231,9 @@ static uint16_t nvme_map_prp(QEMUSGList *qsg, QEMUIOVector *iov, uint64_t prp1, trace_nvme_err_invalid_prp2_align(prp2); goto unmap; } + if (nvme_addr_is_iomem(n, prp2)) { + return NVME_DATA_TRAS_ERROR; + } if (qsg->nsg) { qemu_sglist_add(qsg, prp2, len); } else {
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor