projects / pve-qemu.git / blame
| Commit | Line | Data |
|---|---|---|
| f06b222e FE |
1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
| 2 | From: Fiona Ebner <f.ebner@proxmox.com> | |
| 3 | Date: Thu, 16 May 2024 12:59:52 +0200 | |
| 4 | Subject: [PATCH] Revert "virtio-pci: fix use of a released vector" | |
| 5 | ||
| 6 | This reverts commit 2ce6cff94df2650c460f809e5ad263f1d22507c0. | |
| 7 | ||
| 8 | The fix causes some issues: | |
| 9 | https://gitlab.com/qemu-project/qemu/-/issues/2321 | |
| 10 | https://gitlab.com/qemu-project/qemu/-/issues/2334 | |
| 11 | ||
| 12 | The CVE fixed by commit 2ce6cff94d ("virtio-pci: fix use of a released | |
| 13 | vector") is CVE-2024-4693 [0] and allows a malicious guest that | |
| 14 | controls the boot process in the guest to crash its QEMU process. | |
| 15 | ||
| 16 | The issues sound worse than the CVE, so revert until there is a proper | |
| 17 | fix. | |
| 18 | ||
| 19 | [0]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4693 | |
| 20 | ||
| 21 | Signed-off-by: Fiona Ebner <f.ebner@proxmox.com> | |
| 22 | --- | |
| 23 | hw/virtio/virtio-pci.c | 37 ++----------------------------------- | |
| 24 | 1 file changed, 2 insertions(+), 35 deletions(-) | |
| 25 | ||
| 26 | diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c | |
| 27 | index cb159fd078..cb6940fc0e 100644 | |
| 28 | --- a/hw/virtio/virtio-pci.c | |
| 29 | +++ b/hw/virtio/virtio-pci.c | |
| 30 | @@ -1424,38 +1424,6 @@ static int virtio_pci_add_mem_cap(VirtIOPCIProxy *proxy, | |
| 31 | return offset; | |
| 32 | } | |
| 33 | ||
| 34 | -static void virtio_pci_set_vector(VirtIODevice *vdev, | |
| 35 | - VirtIOPCIProxy *proxy, | |
| 36 | - int queue_no, uint16_t old_vector, | |
| 37 | - uint16_t new_vector) | |
| 38 | -{ | |
| 39 | - bool kvm_irqfd = (vdev->status & VIRTIO_CONFIG_S_DRIVER_OK) && | |
| 40 | - msix_enabled(&proxy->pci_dev) && kvm_msi_via_irqfd_enabled(); | |
| 41 | - | |
| 42 | - if (new_vector == old_vector) { | |
| 43 | - return; | |
| 44 | - } | |
| 45 | - | |
| 46 | - /* | |
| 47 | - * If the device uses irqfd and the vector changes after DRIVER_OK is | |
| 48 | - * set, we need to release the old vector and set up the new one. | |
| 49 | - * Otherwise just need to set the new vector on the device. | |
| 50 | - */ | |
| 51 | - if (kvm_irqfd && old_vector != VIRTIO_NO_VECTOR) { | |
| 52 | - kvm_virtio_pci_vector_release_one(proxy, queue_no); | |
| 53 | - } | |
| 54 | - /* Set the new vector on the device. */ | |
| 55 | - if (queue_no == VIRTIO_CONFIG_IRQ_IDX) { | |
| 56 | - vdev->config_vector = new_vector; | |
| 57 | - } else { | |
| 58 | - virtio_queue_set_vector(vdev, queue_no, new_vector); | |
| 59 | - } | |
| 60 | - /* If the new vector changed need to set it up. */ | |
| 61 | - if (kvm_irqfd && new_vector != VIRTIO_NO_VECTOR) { | |
| 62 | - kvm_virtio_pci_vector_use_one(proxy, queue_no); | |
| 63 | - } | |
| 64 | -} | |
| 65 | - | |
| 66 | int virtio_pci_add_shm_cap(VirtIOPCIProxy *proxy, | |
| 67 | uint8_t bar, uint64_t offset, uint64_t length, | |
| 68 | uint8_t id) | |
| 69 | @@ -1602,8 +1570,7 @@ static void virtio_pci_common_write(void *opaque, hwaddr addr, | |
| 70 | } else { | |
| 71 | val = VIRTIO_NO_VECTOR; | |
| 72 | } | |
| 73 | - virtio_pci_set_vector(vdev, proxy, VIRTIO_CONFIG_IRQ_IDX, | |
| 74 | - vdev->config_vector, val); | |
| 75 | + vdev->config_vector = val; | |
| 76 | break; | |
| 77 | case VIRTIO_PCI_COMMON_STATUS: | |
| 78 | if (!(val & VIRTIO_CONFIG_S_DRIVER_OK)) { | |
| 79 | @@ -1643,7 +1610,7 @@ static void virtio_pci_common_write(void *opaque, hwaddr addr, | |
| 80 | } else { | |
| 81 | val = VIRTIO_NO_VECTOR; | |
| 82 | } | |
| 83 | - virtio_pci_set_vector(vdev, proxy, vdev->queue_sel, vector, val); | |
| 84 | + virtio_queue_set_vector(vdev, vdev->queue_sel, val); | |
| 85 | break; | |
| 86 | case VIRTIO_PCI_COMMON_Q_ENABLE: | |
| 87 | if (val == 1) { |