[PULL,0/3] PVRDMA queue

Message ID 20210704105646.13524-1-marcel.apfelbaum@gmail.com (mailing list archive)
State New, archived

Pull-request

https://github.com/marcel-apf/qemu tags/pvrdma-04-07-2021

Message

Marcel Apfelbaum July 4, 2021, 10:56 a.m. UTC
The following changes since commit 9c2647f75004c4f7d64c9c0ec55f8c6f0739a8b1:
  
  Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging (2021-07-02 11:46:32 +0100)

are available in the Git repository at:

  https://github.com/marcel-apf/qemu tags/pvrdma-04-07-2021

for you to fetch changes up to f6287078c2e41cd8de424682cc86c2afccbf3797:

  pvrdma: Fix the ring init error flow (CVE-2021-3608) (2021-07-04 11:14:02 +0300)

----------------------------------------------------------------
PVRDMA queue

Several CVE fixes for the PVRDMA device.

----------------------------------------------------------------
Marcel Apfelbaum (3):
  hw/rdma: Fix possible mremap overflow in the pvrdma device
    (CVE-2021-3582)
  pvrdma: Ensure correct input on ring init (CVE-2021-3607)
  pvrdma: Fix the ring init error flow (CVE-2021-3608)

 hw/rdma/vmw/pvrdma_cmd.c      | 6 ++++++
 hw/rdma/vmw/pvrdma_dev_ring.c | 2 +-
 hw/rdma/vmw/pvrdma_main.c     | 5 +++++
 3 files changed, 12 insertions(+), 1 deletion(-)

Comments

Peter Maydell July 4, 2021, 5:28 p.m. UTC | #1
On Sun, 4 Jul 2021 at 11:56, Marcel Apfelbaum
<marcel.apfelbaum@gmail.com> wrote:
>
> The following changes since commit 9c2647f75004c4f7d64c9c0ec55f8c6f0739a8b1:
>
>   Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging (2021-07-02 11:46:32 +0100)
>
> are available in the Git repository at:
>
>   https://github.com/marcel-apf/qemu tags/pvrdma-04-07-2021
>
> for you to fetch changes up to f6287078c2e41cd8de424682cc86c2afccbf3797:
>
>   pvrdma: Fix the ring init error flow (CVE-2021-3608) (2021-07-04 11:14:02 +0300)
>
> ----------------------------------------------------------------
> PVRDMA queue
>
> Several CVE fixes for the PVRDMA device.
>
> ----------------------------------------------------------------
> Marcel Apfelbaum (3):
>   hw/rdma: Fix possible mremap overflow in the pvrdma device
>     (CVE-2021-3582)
>   pvrdma: Ensure correct input on ring init (CVE-2021-3607)
>   pvrdma: Fix the ring init error flow (CVE-2021-3608)

This fails to compile on 32-bit hosts:

In file included from ../hw/rdma/vmw/../rdma_backend_defs.h:23,
from ../hw/rdma/vmw/../rdma_rm_defs.h:19,
from ../hw/rdma/vmw/../rdma_backend.h:22,
from ../hw/rdma/vmw/pvrdma_cmd.c:21:
../hw/rdma/vmw/pvrdma_cmd.c: In function 'pvrdma_map_to_pdir':
../hw/rdma/vmw/../rdma_utils.h:25:18: error: format '%lu' expects
argument of type 'long unsigned int', but argument 4 has type 'size_t'
{aka 'unsigned int'} [-Werror=format=]
error_report("%s: " fmt, "rdma", ## __VA_ARGS__)
^~~~~~
../hw/rdma/vmw/pvrdma_cmd.c:43:9: note: in expansion of macro
'rdma_error_report'
rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks, length);
^~~~~~~~~~~~~~~~~

You can see this in the gitlab CI jobs, eg:

https://gitlab.com/qemu-project/qemu/-/jobs/1398130500

thanks
-- PMM

Marcel Apfelbaum July 4, 2021, 7:26 p.m. UTC | #2
Hi Peter,

On Sun, Jul 4, 2021 at 8:28 PM Peter Maydell <peter.maydell@linaro.org>
wrote:

> On Sun, 4 Jul 2021 at 11:56, Marcel Apfelbaum
> <marcel.apfelbaum@gmail.com> wrote:
> >
> > The following changes since commit 9c2647f75004c4f7d64c9c0ec55f8c6f0739a8b1:
> >
> >   Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging (2021-07-02 11:46:32 +0100)
> >
> > are available in the Git repository at:
> >
> >   https://github.com/marcel-apf/qemu tags/pvrdma-04-07-2021
> >
> > for you to fetch changes up to f6287078c2e41cd8de424682cc86c2afccbf3797:
> >
> >   pvrdma: Fix the ring init error flow (CVE-2021-3608) (2021-07-04 11:14:02 +0300)
> >
> > ----------------------------------------------------------------
> > PVRDMA queue
> >
> > Several CVE fixes for the PVRDMA device.
> >
> > ----------------------------------------------------------------
> > Marcel Apfelbaum (3):
> >   hw/rdma: Fix possible mremap overflow in the pvrdma device
> >     (CVE-2021-3582)
> >   pvrdma: Ensure correct input on ring init (CVE-2021-3607)
> >   pvrdma: Fix the ring init error flow (CVE-2021-3608)
>
> This fails to compile on 32-bit hosts:
>
> In file included from ../hw/rdma/vmw/../rdma_backend_defs.h:23,
> from ../hw/rdma/vmw/../rdma_rm_defs.h:19,
> from ../hw/rdma/vmw/../rdma_backend.h:22,
> from ../hw/rdma/vmw/pvrdma_cmd.c:21:
> ../hw/rdma/vmw/pvrdma_cmd.c: In function 'pvrdma_map_to_pdir':
> ../hw/rdma/vmw/../rdma_utils.h:25:18: error: format '%lu' expects
> argument of type 'long unsigned int', but argument 4 has type 'size_t'
> {aka 'unsigned int'} [-Werror=format=]
> error_report("%s: " fmt, "rdma", ## __VA_ARGS__)
> ^~~~~~
> ../hw/rdma/vmw/pvrdma_cmd.c:43:9: note: in expansion of macro
> 'rdma_error_report'
> rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks, length);
> ^~~~~~~~~~~~~~~~~
>
>
I reproduced the issue, thank you.
I will fix and re-spin.

Thanks,
Marcel


> You can see this in the gitlab CI jobs, eg:
>
> https://gitlab.com/qemu-project/qemu/-/jobs/1398130500
>
> thanks
> -- PMM
>