From: Yogita Urade <[email protected]> QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset in hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not prevent s->qdev.blocksize from being 256. This stops QEMU and the guest immediately.
References: https://nvd.nist.gov/vuln/detail/CVE-2023-42467 https://gitlab.com/qemu-project/qemu/-/issues/1813 Signed-off-by: Yogita Urade <[email protected]> Signed-off-by: Steve Sakoman <[email protected]> --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2023-42467.patch | 49 +++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-42467.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index cd17a11335..00decc57e5 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -42,6 +42,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2023-2861.patch \ file://CVE-2023-3354.patch \ file://CVE-2023-3180.patch \ + file://CVE-2023-42467.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-42467.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-42467.patch new file mode 100644 index 0000000000..0ca93494f0 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-42467.patch @@ -0,0 +1,49 @@ +From 7cfcc79b0ab800959716738aff9419f53fc68c9c Mon Sep 17 00:00:00 2001 +From: Thomas Huth <[email protected]> +Date: Wed, 4 Oct 2023 08:54:13 +0000 +Subject: [PATCH] hw/scsi/scsi-disk: Disallow block sizes smaller than 512 + [CVE-2023-42467] + +We are doing things like + + nb_sectors /= (s->qdev.blocksize / BDRV_SECTOR_SIZE); + +in the code here (e.g. in scsi_disk_emulate_mode_sense()), so if +the blocksize is smaller than BDRV_SECTOR_SIZE (=512), this crashes +with a division by 0 exception. Thus disallow block sizes of 256 +bytes to avoid this situation. + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1813 +CVE: 2023-42467 +Signed-off-by: Thomas Huth <[email protected]> +Message-ID: <[email protected]> +Signed-off-by: Paolo Bonzini <[email protected]> + +CVE: CVE-2023-42467 + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/7cfcc79b0ab800959716738aff9419f53fc68c9c] + +Signed-off-by: Yogita Urade <[email protected]> +--- + hw/scsi/scsi-disk.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c +index e493c2881..915e0369c 100644 +--- a/hw/scsi/scsi-disk.c ++++ b/hw/scsi/scsi-disk.c +@@ -1624,9 +1624,10 @@ static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf) + * Since the existing code only checks/updates bits 8-15 of the block + * size, restrict ourselves to the same requirement for now to ensure + * that a block size set by a block descriptor and then read back by +- * a subsequent SCSI command will be the same ++ * a subsequent SCSI command will be the same. Also disallow a block ++ * size of 256 since we cannot handle anything below BDRV_SECTOR_SIZE. + */ +- if (bs && !(bs & ~0xff00) && bs != s->qdev.blocksize) { ++ if (bs && !(bs & ~0xfe00) && bs != s->qdev.blocksize) { + s->qdev.blocksize = bs; + trace_scsi_disk_mode_select_set_blocksize(s->qdev.blocksize); + } +-- +2.40.0 -- 2.34.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#188803): https://lists.openembedded.org/g/openembedded-core/message/188803 Mute This Topic: https://lists.openembedded.org/mt/101824848/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
