[Qemu-commits] [qemu/qemu] 736b01: hw/nvme: fix CVE-2021-3929


From: Peter Maydell
Subject: [Qemu-commits] [qemu/qemu] 736b01: hw/nvme: fix CVE-2021-3929
Date: Tue, 15 Feb 2022 05:57:00 -0800

  Branch: refs/heads/staging
  Home:   https://github.com/qemu/qemu
  Commit: 736b01642d85be832385063f278fe7cd4ffb5221
      
https://github.com/qemu/qemu/commit/736b01642d85be832385063f278fe7cd4ffb5221
  Author: Klaus Jensen <k.jensen@samsung.com>
  Date:   2022-02-14 (Mon, 14 Feb 2022)

  Changed paths:
    M hw/nvme/ctrl.c

  Log Message:
  -----------
  hw/nvme: fix CVE-2021-3929

This fixes CVE-2021-3929 "locally" by denying DMA to the iomem of the
device itself. This still allows DMA to MMIO regions of other devices
(e.g. doing P2P DMA to the controller memory buffer of another NVMe
device).

Fixes: CVE-2021-3929
Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>


  Commit: e080ce8676e9097184304a2ed11bf95443c0e547
      
https://github.com/qemu/qemu/commit/e080ce8676e9097184304a2ed11bf95443c0e547
  Author: Philippe Mathieu-Daudé <philmd@redhat.com>
  Date:   2022-02-14 (Mon, 14 Feb 2022)

  Changed paths:
    M hw/nvme/ctrl.c

  Log Message:
  -----------
  hw/nvme/ctrl: Have nvme_addr_write() take const buffer

The 'buf' argument is not modified, so better pass it as const type.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Klaus Jensen <k.jensen@samsung.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>


  Commit: 8d3a17be6f556a996ab9404bead7fc58758c21eb
      
https://github.com/qemu/qemu/commit/8d3a17be6f556a996ab9404bead7fc58758c21eb
  Author: Philippe Mathieu-Daudé <philmd@redhat.com>
  Date:   2022-02-14 (Mon, 14 Feb 2022)

  Changed paths:
    M hw/nvme/ctrl.c
    M hw/nvme/nvme.h

  Log Message:
  -----------
  hw/nvme/ctrl: Pass buffers as 'void *' types

These buffers can be anything, not an array of chars,
so use the 'void *' type for them.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Klaus Jensen <k.jensen@samsung.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>


  Commit: 6190d92ff70c177e901a85fe0c2da44e34c606f9
      
https://github.com/qemu/qemu/commit/6190d92ff70c177e901a85fe0c2da44e34c606f9
  Author: Klaus Jensen <k.jensen@samsung.com>
  Date:   2022-02-14 (Mon, 14 Feb 2022)

  Changed paths:
    M hw/nvme/ctrl.c
    M include/block/nvme.h

  Log Message:
  -----------
  hw/nvme: add struct for zone management send

Add struct for Zone Management Send in preparation for more zone send
flags.

Reviewed-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>


  Commit: 25872031e14edf6a47bff1c015a026afe5c1c967
      
https://github.com/qemu/qemu/commit/25872031e14edf6a47bff1c015a026afe5c1c967
  Author: Klaus Jensen <k.jensen@samsung.com>
  Date:   2022-02-14 (Mon, 14 Feb 2022)

  Changed paths:
    M hw/nvme/ns.c
    M include/block/nvme.h

  Log Message:
  -----------
  hw/nvme: add ozcs enum

Add enumeration for OZCS values.

Reviewed-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>


  Commit: e321b4cdc2dd0b5e806ecf759138be7f83774142
      
https://github.com/qemu/qemu/commit/e321b4cdc2dd0b5e806ecf759138be7f83774142
  Author: Klaus Jensen <k.jensen@samsung.com>
  Date:   2022-02-14 (Mon, 14 Feb 2022)

  Changed paths:
    M hw/nvme/ctrl.c
    M hw/nvme/ns.c
    M hw/nvme/nvme.h
    M hw/nvme/trace-events
    M include/block/nvme.h

  Log Message:
  -----------
  hw/nvme: add support for zoned random write area

Add support for TP 4076 ("Zoned Random Write Area"), v2021.08.23
("Ratified").

This adds three new namespace parameters: "zoned.numzrwa" (number of
zrwa resources, i.e. number of zones that can have a zrwa),
"zoned.zrwas" (zrwa size in LBAs), "zoned.zrwafg" (granularity in LBAs
for flushes).

Reviewed-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>


  Commit: cc6721e449c4c5a9a5007ad8a810f7f54143eadc
      
https://github.com/qemu/qemu/commit/cc6721e449c4c5a9a5007ad8a810f7f54143eadc
  Author: Peter Maydell <peter.maydell@linaro.org>
  Date:   2022-02-15 (Tue, 15 Feb 2022)

  Changed paths:
    M hw/nvme/ctrl.c
    M hw/nvme/ns.c
    M hw/nvme/nvme.h
    M hw/nvme/trace-events
    M include/block/nvme.h

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/nvme/tags/nvme-next-pull-request' into staging

hw/nvme updates

  - fix CVE-2021-3929
  - add zone random write area support
  - misc cleanups from Philippe

# gpg: Signature made Mon 14 Feb 2022 08:01:34 GMT
# gpg:                using RSA key 522833AA75E2DCE6A24766C04DE1AF316D4F0DE9
# gpg: Good signature from "Klaus Jensen <its@irrelevant.dk>" [unknown]
# gpg:                 aka "Klaus Jensen <k.jensen@samsung.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: DDCA 4D9C 9EF9 31CC 3468  4272 63D5 6FC5 E55D A838
#      Subkey fingerprint: 5228 33AA 75E2 DCE6 A247  66C0 4DE1 AF31 6D4F 0DE9

* remotes/nvme/tags/nvme-next-pull-request:
  hw/nvme: add support for zoned random write area
  hw/nvme: add ozcs enum
  hw/nvme: add struct for zone management send
  hw/nvme/ctrl: Pass buffers as 'void *' types
  hw/nvme/ctrl: Have nvme_addr_write() take const buffer
  hw/nvme: fix CVE-2021-3929

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


Compare: https://github.com/qemu/qemu/compare/e56d873f0ed9...cc6721e449c4
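
The first commit in this push (736b01) describes its fix as denying DMA to the device's own iomem while still allowing DMA to the MMIO regions of other devices. The following is an added illustration of that kind of check, not code from hw/nvme/ctrl.c or from the QEMU project; `struct mmio_window`, `range_hits_window()`, `dma_check()` and the addresses in `main()` are hypothetical names and constructed values. It goes slightly beyond the commit message by testing the whole transfer range and rejecting ranges that wrap the address space.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a device's own MMIO window (not a QEMU type). */
struct mmio_window {
    uint64_t base;   /* guest-physical base of the device's register BAR */
    uint64_t size;   /* size in bytes; base + size is assumed not to wrap */
};

/* True if [addr, addr + len) intersects the window. Written without
 * computing addr + len, so a range near UINT64_MAX cannot wrap here. */
static bool range_hits_window(const struct mmio_window *w,
                              uint64_t addr, uint64_t len)
{
    if (len == 0 || w->size == 0) {
        return false;
    }
    if (addr >= w->base) {
        return addr - w->base < w->size;   /* starts inside the window */
    }
    return len > w->base - addr;           /* starts below, reaches into it */
}

enum dma_status { DMA_OK = 0, DMA_DENIED_SELF = -1, DMA_BAD_RANGE = -2 };

/* Gate a guest-supplied DMA target before the device model touches it.
 * Only the device's own window is refused; MMIO of other devices (the
 * P2P case in the commit message) is deliberately not blocked here. */
static enum dma_status dma_check(const struct mmio_window *self,
                                 uint64_t addr, uint64_t len)
{
    if (len != 0 && addr > UINT64_MAX - (len - 1)) {
        return DMA_BAD_RANGE;              /* range wraps the address space */
    }
    if (range_hits_window(self, addr, len)) {
        return DMA_DENIED_SELF;
    }
    return DMA_OK;
}

int main(void)
{
    /* Constructed sample values, not taken from any real guest. */
    struct mmio_window self = { 0xfebf0000ULL, 0x4000 };
    printf("own BAR:     %d\n", dma_check(&self, 0xfebf1000ULL, 64));
    printf("other range: %d\n", dma_check(&self, 0xfe000000ULL, 4096));
    return 0;
}
```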


