pve-qemu-qoup/debian/patches/extra/0011-Revert-virtio-pci-fix-use-of-a-released-vector.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Fiona Ebner <f.ebner@proxmox.com>
Date: Thu, 16 May 2024 12:59:52 +0200
Subject: [PATCH] Revert "virtio-pci: fix use of a released vector"

This reverts commit 2ce6cff94df2650c460f809e5ad263f1d22507c0.

The fix causes some issues:
https://gitlab.com/qemu-project/qemu/-/issues/2321
https://gitlab.com/qemu-project/qemu/-/issues/2334

The CVE fixed by commit 2ce6cff94d ("virtio-pci: fix use of a released
vector") is CVE-2024-4693 [0] and allows a malicious guest that
controls the boot process in the guest to crash its QEMU process.

The issues sound worse than the CVE, so revert until there is a proper
fix.

[0]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4693

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 hw/virtio/virtio-pci.c | 37 ++-----------------------------------
 1 file changed, 2 insertions(+), 35 deletions(-)

diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
index cb159fd078..cb6940fc0e 100644
--- a/hw/virtio/virtio-pci.c
+++ b/hw/virtio/virtio-pci.c
@@ -1424,38 +1424,6 @@ static int virtio_pci_add_mem_cap(VirtIOPCIProxy *proxy,
     return offset;
 }
 
-static void virtio_pci_set_vector(VirtIODevice *vdev,
-                                  VirtIOPCIProxy *proxy,
-                                  int queue_no, uint16_t old_vector,
-                                  uint16_t new_vector)
-{
-    bool kvm_irqfd = (vdev->status & VIRTIO_CONFIG_S_DRIVER_OK) &&
-        msix_enabled(&proxy->pci_dev) && kvm_msi_via_irqfd_enabled();
-
-    if (new_vector == old_vector) {
-        return;
-    }
-
-    /*
-     * If the device uses irqfd and the vector changes after DRIVER_OK is
-     * set, we need to release the old vector and set up the new one.
-     * Otherwise just need to set the new vector on the device.
-     */
-    if (kvm_irqfd && old_vector != VIRTIO_NO_VECTOR) {
-        kvm_virtio_pci_vector_release_one(proxy, queue_no);
-    }
-    /* Set the new vector on the device. */
-    if (queue_no == VIRTIO_CONFIG_IRQ_IDX) {
-        vdev->config_vector = new_vector;
-    } else {
-        virtio_queue_set_vector(vdev, queue_no, new_vector);
-    }
-    /* If the new vector changed need to set it up. */
-    if (kvm_irqfd && new_vector != VIRTIO_NO_VECTOR) {
-        kvm_virtio_pci_vector_use_one(proxy, queue_no);
-    }
-}
-
 int virtio_pci_add_shm_cap(VirtIOPCIProxy *proxy,
                            uint8_t bar, uint64_t offset, uint64_t length,
                            uint8_t id)
@@ -1602,8 +1570,7 @@ static void virtio_pci_common_write(void *opaque, hwaddr addr,
         } else {
             val = VIRTIO_NO_VECTOR;
         }
-        virtio_pci_set_vector(vdev, proxy, VIRTIO_CONFIG_IRQ_IDX,
-                              vdev->config_vector, val);
+        vdev->config_vector = val;
         break;
     case VIRTIO_PCI_COMMON_STATUS:
         if (!(val & VIRTIO_CONFIG_S_DRIVER_OK)) {
@@ -1643,7 +1610,7 @@ static void virtio_pci_common_write(void *opaque, hwaddr addr,
         } else {
             val = VIRTIO_NO_VECTOR;
         }
-        virtio_pci_set_vector(vdev, proxy, vdev->queue_sel, vector, val);
+        virtio_queue_set_vector(vdev, vdev->queue_sel, val);
         break;
     case VIRTIO_PCI_COMMON_Q_ENABLE:
         if (val == 1) {
fixes for QEMU 9.0 Most importantly, fix forwards and backwards migration with VirtIO-GPU display. Other fixes are for a regression in pflash device (introduced in 8.2) and some fixes for x86(_64) TCG emulation. One of the patches needed to be adapted, because it removed a helper that is still in use in 9.0.0. There also is a revert for a fix in VirtIO PCI devices that turned out to cause some issues, see the revert itself for more details. Lastly, there is a change to move compatibility flags for a new VirtIO-net feature to the correct machine type. The feature was introduced in QEMU 8.2, but the compatibility flags got added to machine version 8.0 instead of 8.1. This breaks backwards migration with machine version 8.1 from a 8.2/9.0 binary to an 8.1 binary, in cases where the guest kernel enables the feature (e.g. Ubuntu 23.10). While that breaks migration with machine version 8.1 from an unpatched to a patched binary, Proxmox VE only ever had 8.2 on the test repository and 9.0 not yet in any public repository. An upstream developer suggested it is the proper fix [0]. Upstream submission [1]. [0]: https://lore.kernel.org/qemu-devel/CACGkMEtZrJuhof+hUGVRvLLQE+8nQE5XmSHpT0NAQ1EpnqfmsA@mail.gmail.com/T/#u [1]: https://lore.kernel.org/qemu-devel/20240517075336.104091-1-f.ebner@proxmox.com/T/#u Signed-off-by: Fiona Ebner <f.ebner@proxmox.com> 2024-05-17 11:44:57 +03:00			`From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001`
			`From: Fiona Ebner <f.ebner@proxmox.com>`
			`Date: Thu, 16 May 2024 12:59:52 +0200`
			`Subject: [PATCH] Revert "virtio-pci: fix use of a released vector"`

			`This reverts commit 2ce6cff94df2650c460f809e5ad263f1d22507c0.`

			`The fix causes some issues:`
			`https://gitlab.com/qemu-project/qemu/-/issues/2321`
			`https://gitlab.com/qemu-project/qemu/-/issues/2334`

			`The CVE fixed by commit 2ce6cff94d ("virtio-pci: fix use of a released`
			`vector") is CVE-2024-4693 [0] and allows a malicious guest that`
			`controls the boot process in the guest to crash its QEMU process.`

			`The issues sound worse than the CVE, so revert until there is a proper`
			`fix.`

			`[0]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4693`

			`Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>`
			`---`
			`hw/virtio/virtio-pci.c \| 37 ++-----------------------------------`
			`1 file changed, 2 insertions(+), 35 deletions(-)`

			`diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c`
			`index cb159fd078..cb6940fc0e 100644`
			`--- a/hw/virtio/virtio-pci.c`
			`+++ b/hw/virtio/virtio-pci.c`
			`@@ -1424,38 +1424,6 @@ static int virtio_pci_add_mem_cap(VirtIOPCIProxy *proxy,`
			`return offset;`
			`}`

			`-static void virtio_pci_set_vector(VirtIODevice *vdev,`
			`- VirtIOPCIProxy *proxy,`
			`- int queue_no, uint16_t old_vector,`
			`- uint16_t new_vector)`
			`-{`
			`- bool kvm_irqfd = (vdev->status & VIRTIO_CONFIG_S_DRIVER_OK) &&`
			`- msix_enabled(&proxy->pci_dev) && kvm_msi_via_irqfd_enabled();`
			`-`
			`- if (new_vector == old_vector) {`
			`- return;`
			`- }`
			`-`
			`- /*`
			`- * If the device uses irqfd and the vector changes after DRIVER_OK is`
			`- * set, we need to release the old vector and set up the new one.`
			`- * Otherwise just need to set the new vector on the device.`
			`- */`
			`- if (kvm_irqfd && old_vector != VIRTIO_NO_VECTOR) {`
			`- kvm_virtio_pci_vector_release_one(proxy, queue_no);`
			`- }`
			`- /* Set the new vector on the device. */`
			`- if (queue_no == VIRTIO_CONFIG_IRQ_IDX) {`
			`- vdev->config_vector = new_vector;`
			`- } else {`
			`- virtio_queue_set_vector(vdev, queue_no, new_vector);`
			`- }`
			`- /* If the new vector changed need to set it up. */`
			`- if (kvm_irqfd && new_vector != VIRTIO_NO_VECTOR) {`
			`- kvm_virtio_pci_vector_use_one(proxy, queue_no);`
			`- }`
			`-}`
			`-`
			`int virtio_pci_add_shm_cap(VirtIOPCIProxy *proxy,`
			`uint8_t bar, uint64_t offset, uint64_t length,`
			`uint8_t id)`
			`@@ -1602,8 +1570,7 @@ static void virtio_pci_common_write(void *opaque, hwaddr addr,`
			`} else {`
			`val = VIRTIO_NO_VECTOR;`
			`}`
			`- virtio_pci_set_vector(vdev, proxy, VIRTIO_CONFIG_IRQ_IDX,`
			`- vdev->config_vector, val);`
			`+ vdev->config_vector = val;`
			`break;`
			`case VIRTIO_PCI_COMMON_STATUS:`
			`if (!(val & VIRTIO_CONFIG_S_DRIVER_OK)) {`
			`@@ -1643,7 +1610,7 @@ static void virtio_pci_common_write(void *opaque, hwaddr addr,`
			`} else {`
			`val = VIRTIO_NO_VECTOR;`
			`}`
			`- virtio_pci_set_vector(vdev, proxy, vdev->queue_sel, vector, val);`
			`+ virtio_queue_set_vector(vdev, vdev->queue_sel, val);`
			`break;`
			`case VIRTIO_PCI_COMMON_Q_ENABLE:`
			`if (val == 1) {`