1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
2 | From: Fiona Ebner <f.ebner@proxmox.com> | |
3 | Date: Thu, 16 May 2024 12:59:52 +0200 | |
4 | Subject: [PATCH] Revert "virtio-pci: fix use of a released vector" | |
5 | ||
6 | This reverts commit 2ce6cff94df2650c460f809e5ad263f1d22507c0. | |
7 | ||
8 | The fix causes some issues: | |
9 | https://gitlab.com/qemu-project/qemu/-/issues/2321 | |
10 | https://gitlab.com/qemu-project/qemu/-/issues/2334 | |
11 | ||
12 | The CVE fixed by commit 2ce6cff94d ("virtio-pci: fix use of a released | |
13 | vector") is CVE-2024-4693 [0] and allows a malicious guest that | |
14 | controls the boot process in the guest to crash its QEMU process. | |
15 | ||
16 | The issues sound worse than the CVE, so revert until there is a proper | |
17 | fix. | |
18 | ||
19 | [0]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4693 | |
20 | ||
21 | Signed-off-by: Fiona Ebner <f.ebner@proxmox.com> | |
22 | --- | |
23 | hw/virtio/virtio-pci.c | 37 ++----------------------------------- | |
24 | 1 file changed, 2 insertions(+), 35 deletions(-) | |
25 | ||
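diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
index cb159fd078..cb6940fc0e 100644
--- a/hw/virtio/virtio-pci.c
+++ b/hw/virtio/virtio-pci.c
@@ -1424,38 +1424,6 @@ static int virtio_pci_add_mem_cap(VirtIOPCIProxy *proxy,
 return offset;
 }
 
-static void virtio_pci_set_vector(VirtIODevice *vdev,
- VirtIOPCIProxy *proxy,
- int queue_no, uint16_t old_vector,
- uint16_t new_vector)
-{
- bool kvm_irqfd = (vdev->status & VIRTIO_CONFIG_S_DRIVER_OK) &&
- msix_enabled(&proxy->pci_dev) && kvm_msi_via_irqfd_enabled();
-
- if (new_vector == old_vector) {
- return;
- }
-
- /*
- * If the device uses irqfd and the vector changes after DRIVER_OK is
- * set, we need to release the old vector and set up the new one.
- * Otherwise just need to set the new vector on the device.
- */
- if (kvm_irqfd && old_vector != VIRTIO_NO_VECTOR) {
- kvm_virtio_pci_vector_release_one(proxy, queue_no);
- }
- /* Set the new vector on the device. */
- if (queue_no == VIRTIO_CONFIG_IRQ_IDX) {
- vdev->config_vector = new_vector;
- } else {
- virtio_queue_set_vector(vdev, queue_no, new_vector);
- }
- /* If the new vector changed need to set it up. */
- if (kvm_irqfd && new_vector != VIRTIO_NO_VECTOR) {
- kvm_virtio_pci_vector_use_one(proxy, queue_no);
- }
-}
-
 int virtio_pci_add_shm_cap(VirtIOPCIProxy *proxy,
 uint8_t bar, uint64_t offset, uint64_t length,
 uint8_t id)
@@ -1602,8 +1570,7 @@ static void virtio_pci_common_write(void *opaque, hwaddr addr,
 } else {
 val = VIRTIO_NO_VECTOR;
 }
- virtio_pci_set_vector(vdev, proxy, VIRTIO_CONFIG_IRQ_IDX,
- vdev->config_vector, val);
+ vdev->config_vector = val;
 break;
 case VIRTIO_PCI_COMMON_STATUS:
 if (!(val & VIRTIO_CONFIG_S_DRIVER_OK)) {
@@ -1643,7 +1610,7 @@ static void virtio_pci_common_write(void *opaque, hwaddr addr,
 } else {
 val = VIRTIO_NO_VECTOR;
 }
- virtio_pci_set_vector(vdev, proxy, vdev->queue_sel, vector, val);
+ virtio_queue_set_vector(vdev, vdev->queue_sel, val);
 break;
 case VIRTIO_PCI_COMMON_Q_ENABLE:
 if (val == 1) {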
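Review bot: The reinstated lines in the second and third hunks, `vdev->config_vector = val;` and `virtio_queue_set_vector(vdev, vdev->queue_sel, val);`, store the guest-written vector without the irqfd release/use bookkeeping that the removed virtio_pci_set_vector helper performed, which is the CVE-2024-4693 path the commit message says it knowingly restores, and nothing in the file itself records that this is deliberate. A reader of virtio-pci.c who does not have this patch series in front of them will see an unguarded assignment and no pointer to why the release/use step is absent. I would put a short marker above each of the two reinstated lines, e.g. `/* FIXME: vector change after DRIVER_OK skips irqfd release/use (CVE-2024-4693); reverted pending fix for qemu issues 2321 and 2334 */`, so the regression is visible at the point of use and can be found when the proper upstream fix lands. virtio_pci_common_write begins and ends outside both hunks, so the surrounding switch cases are not visible here; the description's scope statement (a guest controlling its own boot sequence can crash its own QEMU process) is the only impact assessment on the page, and the marker should not claim more than that.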