!850 [sync] PR-849: QEMU update to version 4.1.0-81

From: @openeuler-sync-bot 
Reviewed-by: @aven6 
Signed-off-by: @aven6

hw-pvrdma-Protect-against-buggy-or-malicious-guest-driver.patch

@@ -0,0 +1,65 @@
+From 4c26f60c6ec78b8c043915a1c64633f20213f43e Mon Sep 17 00:00:00 2001
+From: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Date: Wed, 1 Mar 2023 16:29:26 +0200
+Subject: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver
+
+Guest driver allocates and initialize page tables to be used as a ring
+of descriptors for CQ and async events.
+The page table that represents the ring, along with the number of pages
+in the page table is passed to the device.
+Currently our device supports only one page table for a ring.
+
+Let's make sure that the number of page table entries the driver
+reports, do not exceeds the one page table size.
+
+Reported-by: Soul Chen <soulchen8650@gmail.com>
+Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Fixes: CVE-2023-1544
+Message-ID: <20230301142926.18686-1-yuval.shaia.ml@gmail.com>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+---
+ hw/rdma/vmw/pvrdma_main.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
+index 1d9f84e89a..9bd08622f1 100644
+--- a/hw/rdma/vmw/pvrdma_main.c
++++ b/hw/rdma/vmw/pvrdma_main.c
+@@ -91,19 +91,33 @@ static int init_dev_ring(PvrdmaRing *ring, struct pvrdma_ring **ring_state,
+                          dma_addr_t dir_addr, uint32_t num_pages)
+ {
+     uint64_t *dir, *tbl;
+-    int rc = 0;
++    int max_pages, rc = 0;
+ 
+     if (!num_pages) {
+         rdma_error_report("Ring pages count must be strictly positive");
+         return -EINVAL;
+     }
+ 
++    /*
++     * Make sure we can satisfy the requested number of pages in a single
++     * TARGET_PAGE_SIZE sized page table (taking into account that first entry
++     * is reserved for ring-state)
++     */
++    max_pages = TARGET_PAGE_SIZE / sizeof(dma_addr_t) - 1;
++    if (num_pages > max_pages) {
++        rdma_error_report("Maximum pages on a single directory must not exceed %d\n",
++                          max_pages);
++        return -EINVAL;
++    }
++
+     dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE);
+     if (!dir) {
+         rdma_error_report("Failed to map to page directory (ring %s)", name);
+         rc = -ENOMEM;
+         goto out;
+     }
++
++    /* We support only one page table for a ring */
+     tbl = rdma_pci_dma_map(pci_dev, dir[0], TARGET_PAGE_SIZE);
+     if (!tbl) {
+         rdma_error_report("Failed to map to page table (ring %s)", name);
+-- 
+2.27.0
+

qemu.spec

@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 80
+Release: 81
 Epoch: 10
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@@ -390,6 +390,7 @@ Patch0377: virtio-crypto-verify-src-dst-buffer-length-for-sym-r.patch
 Patch0378: io-remove-io-watch-if-TLS-channel-is-closed-during-h.patch
 Patch0379: pci-assert-configuration-access-is-within-bounds.patch
 Patch0380: accel-tcg-fix-race-in-cpu_exec_step_atomic-bug-18630.patch
+Patch0381: hw-pvrdma-Protect-against-buggy-or-malicious-guest-driver.patch
 
 BuildRequires: flex
 BuildRequires: bison
@@ -790,6 +791,9 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Tue Nov 28 2023 Jiabo Feng <fengjiabo1@huawei.com>
+- hw/pvrdma: Protect against buggy or malicious guest driver
+
 * Mon Sep 11 2023 Jiabo Feng <fengjiabo1@huawei.com>
 - accel/tcg: fix race in cpu_exec_step_atomic (bug 1863025)
 - pci: assert configuration access is within bounds