1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2 From: Fiona Ebner <f.ebner@proxmox.com>
3 Date: Thu, 16 May 2024 12:59:52 +0200
4 Subject: [PATCH] Revert "virtio-pci: fix use of a released vector"
5
6 This reverts commit 2ce6cff94df2650c460f809e5ad263f1d22507c0.
7
8 The fix causes some issues:
9 https://gitlab.com/qemu-project/qemu/-/issues/2321
10 https://gitlab.com/qemu-project/qemu/-/issues/2334
11
12 The CVE fixed by commit 2ce6cff94d ("virtio-pci: fix use of a released
13 vector") is CVE-2024-4693 [0] and allows a malicious guest that
14 controls the boot process in the guest to crash its QEMU process.
15
16 The regressions reported in those issues sound worse than the CVE, so
17 revert until there is a proper fix.
18
19 [0]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4693
20
21 Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
22 ---
23 hw/virtio/virtio-pci.c | 37 ++-----------------------------------
24 1 file changed, 2 insertions(+), 35 deletions(-)
25
26 diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
27 index e04218a9fb..fd66713848 100644
28 --- a/hw/virtio/virtio-pci.c
29 +++ b/hw/virtio/virtio-pci.c
30 @@ -1410,38 +1410,6 @@ static int virtio_pci_add_mem_cap(VirtIOPCIProxy *proxy,
31 return offset;
32 }
33
34 -static void virtio_pci_set_vector(VirtIODevice *vdev,
35 - VirtIOPCIProxy *proxy,
36 - int queue_no, uint16_t old_vector,
37 - uint16_t new_vector)
38 -{
39 - bool kvm_irqfd = (vdev->status & VIRTIO_CONFIG_S_DRIVER_OK) &&
40 - msix_enabled(&proxy->pci_dev) && kvm_msi_via_irqfd_enabled();
41 -
42 - if (new_vector == old_vector) {
43 - return;
44 - }
45 -
46 - /*
47 - * If the device uses irqfd and the vector changes after DRIVER_OK is
48 - * set, we need to release the old vector and set up the new one.
49 - * Otherwise just need to set the new vector on the device.
50 - */
51 - if (kvm_irqfd && old_vector != VIRTIO_NO_VECTOR) {
52 - kvm_virtio_pci_vector_release_one(proxy, queue_no);
53 - }
54 - /* Set the new vector on the device. */
55 - if (queue_no == VIRTIO_CONFIG_IRQ_IDX) {
56 - vdev->config_vector = new_vector;
57 - } else {
58 - virtio_queue_set_vector(vdev, queue_no, new_vector);
59 - }
60 - /* If the new vector changed need to set it up. */
61 - if (kvm_irqfd && new_vector != VIRTIO_NO_VECTOR) {
62 - kvm_virtio_pci_vector_use_one(proxy, queue_no);
63 - }
64 -}
65 -
66 int virtio_pci_add_shm_cap(VirtIOPCIProxy *proxy,
67 uint8_t bar, uint64_t offset, uint64_t length,
68 uint8_t id)
69 @@ -1588,8 +1556,7 @@ static void virtio_pci_common_write(void *opaque, hwaddr addr,
70 } else {
71 val = VIRTIO_NO_VECTOR;
72 }
73 - virtio_pci_set_vector(vdev, proxy, VIRTIO_CONFIG_IRQ_IDX,
74 - vdev->config_vector, val);
75 + vdev->config_vector = val;
76 break;
77 case VIRTIO_PCI_COMMON_STATUS:
78 if (!(val & VIRTIO_CONFIG_S_DRIVER_OK)) {
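Review bot: The restored direct write `vdev->config_vector = val;` updates the config vector without releasing the irqfd route bound to the previous vector, so a guest that changes the config vector after DRIVER_OK with MSI-X and irqfd in use can again reach the released-vector crash that the reverted commit addressed (CVE-2024-4693, as the description states). Since the re-exposure is deliberate, the site should say so, so that it is not mistaken for an oversight during the next rebase: `/* XXX: revert of 2ce6cff94d (CVE-2024-4693): old irqfd route is not released on a vector change after DRIVER_OK; drop once upstream ships a fixed version */`. It would also help to record in the patch description which upstream fix or release is expected to supersede this revert. virtio_pci_common_write starts and ends outside this hunk.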
79 @@ -1629,7 +1596,7 @@ static void virtio_pci_common_write(void *opaque, hwaddr addr,
80 } else {
81 val = VIRTIO_NO_VECTOR;
82 }
83 - virtio_pci_set_vector(vdev, proxy, vdev->queue_sel, vector, val);
84 + virtio_queue_set_vector(vdev, vdev->queue_sel, val);
85 break;
86 case VIRTIO_PCI_COMMON_Q_ENABLE:
87 if (val == 1) {
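Review bot: The per-queue path has the same window: `virtio_queue_set_vector(vdev, vdev->queue_sel, val);` changes the vector with no `kvm_virtio_pci_vector_release_one`/`kvm_virtio_pci_vector_use_one` pair around it, so after DRIVER_OK the irqfd route for the previous vector presumably remains registered until whatever tears it down on status change (that handling is not in this hunk). A one-line marker mirroring the config-vector case, `/* XXX: CVE-2024-4693 fix intentionally reverted; no irqfd release on vector change */`, would keep the two sites in step when the revert is eventually dropped. The enclosing switch and function continue past the hunk.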