diff --git a/SOURCES/kvm-RHEL-disable-seqpacket-for-vhost-vsock-device-in-rhe.patch b/SOURCES/kvm-RHEL-disable-seqpacket-for-vhost-vsock-device-in-rhe.patch new file mode 100644 index 0000000..fa17617 --- /dev/null +++ b/SOURCES/kvm-RHEL-disable-seqpacket-for-vhost-vsock-device-in-rhe.patch @@ -0,0 +1,107 @@ +From 5688fdb9a3ed192b85dca84c47a7ddfd325778d9 Mon Sep 17 00:00:00 2001 +From: Stefano Garzarella +Date: Thu, 24 Mar 2022 16:04:57 +0100 +Subject: [PATCH 1/3] RHEL: disable "seqpacket" for "vhost-vsock-device" in + rhel8.6.0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Stefano Garzarella +RH-MergeRequest: 135: RHEL: disable "seqpacket" for "vhost-vsock-device" in rhel8.6.0 [rhel-9.0.0.z] +RH-Commit: [1/1] 5ee0de3110deaa0222c9783c00168b536b0c8934 +RH-Bugzilla: 2071102 +RH-Acked-by: Jason Wang +RH-Acked-by: Eugenio PĂ©rez +RH-Acked-by: Dr. David Alan Gilbert +RH-Acked-by: Stefan Hajnoczi + +vhost-vsock device in RHEL 8 kernels doesn't support seqpacket. +To avoid problems when migrating a VM from RHEL 9 host, we need to +disable it in rhel8-* machine types. + +Signed-off-by: Stefano Garzarella +--- + hw/core/machine.c | 10 ++++++++++ + hw/i386/pc_piix.c | 2 ++ + hw/i386/pc_q35.c | 2 ++ + hw/s390x/s390-virtio-ccw.c | 1 + + include/hw/boards.h | 3 +++ + 5 files changed, 18 insertions(+) + +diff --git a/hw/core/machine.c b/hw/core/machine.c +index 5fae55d6cd..7dcceb904a 100644 +--- a/hw/core/machine.c ++++ b/hw/core/machine.c +@@ -43,6 +43,16 @@ + const char *rhel_old_machine_deprecation = + "machine types for previous major releases are deprecated"; + ++GlobalProperty hw_compat_rhel_8_6[] = { ++ /* hw_compat_rhel_8_6 bz 2065589 */ ++ /* ++ * vhost-vsock device in RHEL 8 kernels doesn't support seqpacket, so ++ * we need do disable it downstream on the latest hw_compat_rhel_8. ++ */ ++ { "vhost-vsock-device", "seqpacket", "off" }, ++}; ++const size_t hw_compat_rhel_8_6_len = G_N_ELEMENTS(hw_compat_rhel_8_6); ++ + /* + * Mostly the same as hw_compat_6_0 and hw_compat_6_1 + */ +diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c +index cf68d7498c..08579366b6 100644 +--- a/hw/i386/pc_piix.c ++++ b/hw/i386/pc_piix.c +@@ -998,6 +998,8 @@ static void pc_machine_rhel760_options(MachineClass *m) + pcmc->kvmclock_create_always = false; + /* From pc_i440fx_5_1_machine_options() */ + pcmc->pci_root_uid = 1; ++ compat_props_add(m->compat_props, hw_compat_rhel_8_6, ++ hw_compat_rhel_8_6_len); + compat_props_add(m->compat_props, hw_compat_rhel_8_5, + hw_compat_rhel_8_5_len); + compat_props_add(m->compat_props, pc_rhel_8_5_compat, +diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c +index c8e06da084..23dacdd923 100644 +--- a/hw/i386/pc_q35.c ++++ b/hw/i386/pc_q35.c +@@ -680,6 +680,8 @@ static void pc_q35_machine_rhel860_options(MachineClass *m) + + pcmc->smbios_stream_product = "RHEL-AV"; + pcmc->smbios_stream_version = "8.6.0"; ++ compat_props_add(m->compat_props, hw_compat_rhel_8_6, ++ hw_compat_rhel_8_6_len); + } + + DEFINE_PC_MACHINE(q35_rhel860, "pc-q35-rhel8.6.0", pc_q35_init_rhel860, +diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c +index cc78a315e3..13bfa4253e 100644 +--- a/hw/s390x/s390-virtio-ccw.c ++++ b/hw/s390x/s390-virtio-ccw.c +@@ -1121,6 +1121,7 @@ static void ccw_machine_rhel860_instance_options(MachineState *machine) + static void ccw_machine_rhel860_class_options(MachineClass *mc) + { + ccw_machine_rhel900_class_options(mc); ++ compat_props_add(mc->compat_props, hw_compat_rhel_8_6, hw_compat_rhel_8_6_len); + + /* All RHEL machines for prior major releases are deprecated */ + mc->deprecation_reason = rhel_old_machine_deprecation; +diff --git a/include/hw/boards.h b/include/hw/boards.h +index 21d8d5528e..b9c12c4bf2 100644 +--- a/include/hw/boards.h ++++ b/include/hw/boards.h +@@ -443,6 +443,9 @@ extern const size_t hw_compat_2_2_len; + extern GlobalProperty hw_compat_2_1[]; + extern const size_t hw_compat_2_1_len; + ++extern GlobalProperty hw_compat_rhel_8_6[]; ++extern const size_t hw_compat_rhel_8_6_len; ++ + extern GlobalProperty hw_compat_rhel_8_5[]; + extern const size_t hw_compat_rhel_8_5_len; + +-- +2.31.1 + diff --git a/SOURCES/kvm-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch b/SOURCES/kvm-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch new file mode 100644 index 0000000..7f4388a --- /dev/null +++ b/SOURCES/kvm-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch @@ -0,0 +1,77 @@ +From 3a8dff1446aaa9a3b93a16ea027214064e84a582 Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Thu, 14 Apr 2022 10:38:26 -0400 +Subject: [PATCH 3/3] vhost-vsock: detach the virqueue element in case of error + +RH-Author: Jon Maloy +RH-MergeRequest: 179: vhost-vsock: detach the virqueue element in case of error +RH-Commit: [1/1] 9275dbff40eb3c7be2abca8369055ca4a1e1e52d (jmaloy/qemu-kvm) +RH-Bugzilla: 2075640 +RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Stefano Garzarella +RH-Acked-by: Laurent Vivier + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2075640 +Upstream: Merged +CVE: CVE-2022-26354 + +commit 8d1b247f3748ac4078524130c6d7ae42b6140aaf +Author: Stefano Garzarella +Date: Mon Feb 28 10:50:58 2022 +0100 + + vhost-vsock: detach the virqueue element in case of error + + In vhost_vsock_common_send_transport_reset(), if an element popped from + the virtqueue is invalid, we should call virtqueue_detach_element() to + detach it from the virtqueue before freeing its memory. + + Fixes: fc0b9b0e1c ("vhost-vsock: add virtio sockets device") + Fixes: CVE-2022-26354 + Cc: qemu-stable@nongnu.org + Reported-by: VictorV + Signed-off-by: Stefano Garzarella + Message-Id: <20220228095058.27899-1-sgarzare@redhat.com> + Reviewed-by: Stefan Hajnoczi + Reviewed-by: Michael S. Tsirkin + Signed-off-by: Michael S. Tsirkin + +(cherry picked from commit 8d1b247f3748ac4078524130c6d7ae42b6140aaf) +Signed-off-by: Jon Maloy +--- + hw/virtio/vhost-vsock-common.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/hw/virtio/vhost-vsock-common.c b/hw/virtio/vhost-vsock-common.c +index 3f3771274e..ed706681ac 100644 +--- a/hw/virtio/vhost-vsock-common.c ++++ b/hw/virtio/vhost-vsock-common.c +@@ -153,19 +153,23 @@ static void vhost_vsock_common_send_transport_reset(VHostVSockCommon *vvc) + if (elem->out_num) { + error_report("invalid vhost-vsock event virtqueue element with " + "out buffers"); +- goto out; ++ goto err; + } + + if (iov_from_buf(elem->in_sg, elem->in_num, 0, + &event, sizeof(event)) != sizeof(event)) { + error_report("vhost-vsock event virtqueue element is too short"); +- goto out; ++ goto err; + } + + virtqueue_push(vq, elem, sizeof(event)); + virtio_notify(VIRTIO_DEVICE(vvc), vq); + +-out: ++ g_free(elem); ++ return; ++ ++err: ++ virtqueue_detach_element(vq, elem, 0); + g_free(elem); + } + +-- +2.31.1 + diff --git a/SOURCES/kvm-virtio-net-fix-map-leaking-on-error-during-receive.patch b/SOURCES/kvm-virtio-net-fix-map-leaking-on-error-during-receive.patch new file mode 100644 index 0000000..aa52233 --- /dev/null +++ b/SOURCES/kvm-virtio-net-fix-map-leaking-on-error-during-receive.patch @@ -0,0 +1,61 @@ +From d1a64781c4f7fa698a359ea078a98029f4f67c1b Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Tue, 8 Mar 2022 10:42:51 +0800 +Subject: [PATCH 2/3] virtio-net: fix map leaking on error during receive + +RH-Author: Jon Maloy +RH-MergeRequest: 178: virtio-net: fix map leaking on error during receive +RH-Commit: [1/1] afdfa3198fcf815de59915136222f73711efd292 (jmaloy/qemu-kvm) +RH-Bugzilla: 2075635 +RH-Acked-by: Jason Wang +RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Kevin Wolf +RH-Acked-by: Laurent Vivier + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2075635 +Upstream: Merged +CVE: CVE-2022-26353 + +commit abe300d9d894f7138e1af7c8e9c88c04bfe98b37 +Author: Jason Wang +Date: Tue Mar 8 10:42:51 2022 +0800 + + virtio-net: fix map leaking on error during receive + + Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg") + tries to fix the use after free of the sg by caching the virtqueue + elements in an array and unmap them at once after receiving the + packets, But it forgot to unmap the cached elements on error which + will lead to leaking of mapping and other unexpected results. + + Fixing this by detaching the cached elements on error. This addresses + CVE-2022-26353. + + Reported-by: Victor Tom + Cc: qemu-stable@nongnu.org + Fixes: CVE-2022-26353 + Fixes: bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg") + Reviewed-by: Michael S. Tsirkin + Signed-off-by: Jason Wang + +(cherry picked from commit abe300d9d894f7138e1af7c8e9c88c04bfe98b37) +Signed-off-by: Jon Maloy +--- + hw/net/virtio-net.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c +index f2014d5ea0..e1f4748831 100644 +--- a/hw/net/virtio-net.c ++++ b/hw/net/virtio-net.c +@@ -1862,6 +1862,7 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + + err: + for (j = 0; j < i; j++) { ++ virtqueue_detach_element(q->rx_vq, elems[j], lens[j]); + g_free(elems[j]); + } + +-- +2.31.1 + diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec index da009f8..71aad4d 100644 --- a/SPECS/qemu-kvm.spec +++ b/SPECS/qemu-kvm.spec @@ -151,7 +151,7 @@ Obsoletes: %{name}-block-ssh <= %{epoch}:%{version} \ Summary: QEMU is a machine emulator and virtualizer Name: qemu-kvm Version: 6.2.0 -Release: 11%{?rcrel}%{?dist}%{?cc_suffix}.2 +Release: 11%{?rcrel}%{?dist}%{?cc_suffix}.3 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped # Epoch 15 used for RHEL 8 # Epoch 17 used for RHEL 9 (due to release versioning offset in RHEL 8.5) @@ -320,6 +320,12 @@ Patch82: kvm-acpi-fix-OEM-ID-OEM-Table-ID-padding.patch Patch83: kvm-tests-acpi-update-expected-blobs.patch # For bz#2043531 - Guest can not start with SLIC acpi table Patch84: kvm-tests-acpi-test-short-OEM_ID-OEM_TABLE_ID-values-in-.patch +# For bz#2071102 - RHEL 9.0 guest with vsock device migration failed from RHEL 9.0 > RHEL 8.6 [rhel-9.0.0.z] +Patch85: kvm-RHEL-disable-seqpacket-for-vhost-vsock-device-in-rhe.patch +# For bz#2075635 - CVE-2022-26353 qemu-kvm: QEMU: virtio-net: map leaking on error during receive [rhel-9] [rhel-9.0.0.z] +Patch86: kvm-virtio-net-fix-map-leaking-on-error-during-receive.patch +# For bz#2075640 - CVE-2022-26354 qemu-kvm: QEMU: vhost-vsock: missing virtqueue detach on error can lead to memory leak [rhel-9] [rhel-9.0.0.z] +Patch87: kvm-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch # Source-git patches @@ -1370,6 +1376,17 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \ %endif %changelog +* Mon May 09 2022 Miroslav Rezanina - 6.2.0-11.el9_0.3 +- kvm-RHEL-disable-seqpacket-for-vhost-vsock-device-in-rhe.patch [bz#2071102] +- kvm-virtio-net-fix-map-leaking-on-error-during-receive.patch [bz#2075635] +- kvm-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch [bz#2075640] +- Resolves: bz#2071102 + (RHEL 9.0 guest with vsock device migration failed from RHEL 9.0 > RHEL 8.6 [rhel-9.0.0.z]) +- Resolves: bz#2075635 + (CVE-2022-26353 qemu-kvm: QEMU: virtio-net: map leaking on error during receive [rhel-9] [rhel-9.0.0.z]) +- Resolves: bz#2075640 + (CVE-2022-26354 qemu-kvm: QEMU: vhost-vsock: missing virtqueue detach on error can lead to memory leak [rhel-9] [rhel-9.0.0.z]) + * Tue Mar 22 2022 - 6.2.0-11.el9_0.2 - kvm-pci-expose-TYPE_XIO3130_DOWNSTREAM-name.patch [bz#2053584] - kvm-acpi-pcihp-pcie-set-power-on-cap-on-parent-slot.patch [bz#2053584]