diff --git a/SOURCES/kvm-hw-net-net_tx_pkt-fix-assertion-failure-in-net_tx_pk.patch b/SOURCES/kvm-hw-net-net_tx_pkt-fix-assertion-failure-in-net_tx_pk.patch
new file mode 100644
index 0000000..56d4a38
--- /dev/null
+++ b/SOURCES/kvm-hw-net-net_tx_pkt-fix-assertion-failure-in-net_tx_pk.patch
@@ -0,0 +1,55 @@
+From f63534122060ee84b0fe696bef136b05e427c755 Mon Sep 17 00:00:00 2001
+From: Jon Maloy
+Date: Mon, 28 Sep 2020 20:44:52 -0400
+Subject: [PATCH] hw/net/net_tx_pkt: fix assertion failure in
+ net_tx_pkt_add_raw_fragment()
+
+RH-Author: Jon Maloy
+Message-id: <20200928204452.1061309-2-jmaloy@redhat.com>
+Patchwork-id: 98507
+O-Subject: [RHEL-7.9.z qemu-kvm-ma PATCH 1/1] hw/net/net_tx_pkt: fix assertion failure in net_tx_pkt_add_raw_fragment()
+Bugzilla: 1860961
+RH-Acked-by: Miroslav Rezanina
+RH-Acked-by: Laszlo Ersek
+RH-Acked-by: Stefan Hajnoczi
+
+From: Mauro Matteo Cascella
+
+An assertion failure issue was found in the code that processes network packets
+while adding data fragments into the packet context. It could be abused by a
+malicious guest to abort the QEMU process on the host. This patch replaces the
+affected assert() with a conditional statement, returning false if the current
+data fragment exceeds max_raw_frags.
+
+Reported-by: Alexander Bulekov
+Reported-by: Ziming Zhang
+Reviewed-by: Dmitry Fleytman
+Signed-off-by: Mauro Matteo Cascella
+Signed-off-by: Jason Wang
+
+(cherry picked from commit 035e69b063835a5fd23cacabd63690a3d84532a8)
+Signed-off-by: Jon Maloy
+Signed-off-by: Jon Maloy
+---
+ hw/net/net_tx_pkt.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
+index 162f802dd7..54d4c3bbd0 100644
+--- a/hw/net/net_tx_pkt.c
++++ b/hw/net/net_tx_pkt.c
+@@ -379,7 +379,10 @@ bool net_tx_pkt_add_raw_fragment(struct NetTxPkt *pkt, hwaddr pa,
+ hwaddr mapped_len = 0;
+ struct iovec *ventry;
+ assert(pkt);
+- assert(pkt->max_raw_frags > pkt->raw_frags);
++
++ if (pkt->raw_frags >= pkt->max_raw_frags) {
++ return false;
++ }
+
+ if (!len) {
+ return true;
+--
+2.18.2
+
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index c4e5bf5..d16e5a6 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
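Review bot: The guard that replaces the assert returns `false` with no comment explaining why an internal invariant check became a soft failure, so a later reader may take it for a regression and re-tighten it. I would add above the new `if`: `/* A guest can push more fragments than max_raw_frags; refuse rather than abort QEMU (CVE-2020-16092) */`. Returning `false` is only a complete fix if every caller treats it as a dropped packet; the existing mapping-failure path in this function already returns `false`, so that is presumably handled, but the callers are outside this patch and worth confirming before the backport ships. One behavioural detail worth a line in the commit message: because the bound check now precedes `if (!len) return true;`, a zero-length fragment submitted when the table is already full returns `false` where the old code (absent the assert) would have returned `true`. The body of net_tx_pkt_add_raw_fragment() continues past the nested hunk.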
@@ -108,7 +108,7 @@ Obsoletes: %1%{rhel_ma_suffix} < %{obsoletes_version2} \
 Summary: QEMU is a machine emulator and virtualizer
 Name: %{pkgname}%{?pkgsuffix}
 Version: 2.12.0
-Release: 48%{?dist}.1
+Release: 48%{?dist}.2
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 10
 License: GPLv2 and GPLv2+ and CC-BY
@@ -1996,6 +1996,8 @@ Patch916: kvm-vnc-fix-memory-leak-when-vnc-disconnect.patch
 Patch917: kvm-usb-fix-setup_len-init-CVE-2020-14364.patch
 # For bz#1837568 - CVE-2020-1983 qemu-kvm-ma: QEMU: slirp: use-after-free in ip_reass() function in ip_input.c [rhel-7]
 Patch918: kvm-Fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch
+# For bz#1860961 - CVE-2020-16092 qemu-kvm-ma: QEMU: reachable assertion failure in net_tx_pkt_add_raw_fragment() in hw/net/net_tx_pkt.c [rhel-7.9.z]
+Patch919: kvm-hw-net-net_tx_pkt-fix-assertion-failure-in-net_tx_pk.patch
 
 BuildRequires: zlib-devel
 BuildRequires: glib2-devel
@@ -3131,6 +3133,7 @@ ApplyOptionalPatch()
 %patch916 -p1
 %patch917 -p1
 %patch918 -p1
+%patch919 -p1
 
 # Fix executable permission for iotests
 chmod 755 $(ls tests/qemu-iotests/???)
@@ -3651,6 +3654,14 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 %endif
 
 %changelog
+* Wed Nov 18 2020 Jon Maloy - ma-2.12.0-48.el7_9.2
+- kvm-hw-net-net_tx_pkt-fix-assertion-failure-in-net_tx_pk.patch [bz#1860961]
+- kvm-Fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch [bz#1837568]
+- Resolves: bz#1860961
+ (CVE-2020-16092 qemu-kvm-ma: QEMU: reachable assertion failure in net_tx_pkt_add_raw_fragment() in hw/net/net_tx_pkt.c [rhel-7.9.z])
+- Resolves: bz#1837568
+ (CVE-2020-1983 qemu-kvm-ma: QEMU: slirp: use-after-free in ip_reass() function in ip_input.c [rhel-7.9.z]
+
 * Mon Sep 14 2020 Jon Maloy - ma-2.12.0-48.el7_9.1
 - kvm-usb-fix-setup_len-init-CVE-2020-14364.patch [bz#1869706]
 - Resolves: bz#1869706