diff options
Diffstat (limited to 'meta/recipes-devtools/qemu')
93 files changed, 6615 insertions, 26 deletions
diff --git a/meta/recipes-devtools/qemu/qemu-system-native_4.2.0.bb b/meta/recipes-devtools/qemu/qemu-system-native_4.2.0.bb index d83ee59375..5ae6a37f26 100644 --- a/meta/recipes-devtools/qemu/qemu-system-native_4.2.0.bb +++ b/meta/recipes-devtools/qemu/qemu-system-native_4.2.0.bb @@ -9,7 +9,7 @@ DEPENDS = "glib-2.0-native zlib-native pixman-native qemu-native bison-native" EXTRA_OECONF_append = " --target-list=${@get_qemu_system_target_list(d)}" -PACKAGECONFIG ??= "fdt alsa kvm" +PACKAGECONFIG ??= "fdt alsa kvm slirp" # Handle distros such as CentOS 5 32-bit that do not have kvm support PACKAGECONFIG_remove = "${@'kvm' if not os.path.exists('/usr/include/linux/kvm.h') else ''}" diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 8f927bdf54..59ff69d51d 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -35,27 +35,116 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2020-7039-2.patch \ file://CVE-2020-7039-3.patch \ file://0001-Add-enable-disable-udev.patch \ - file://CVE-2020-7211.patch \ - file://0001-qemu-Do-not-include-file-if-not-exists.patch \ + file://CVE-2020-7211.patch \ + file://0001-qemu-Do-not-include-file-if-not-exists.patch \ file://CVE-2020-11102.patch \ - file://CVE-2020-11869.patch \ - file://CVE-2020-13361.patch \ - file://CVE-2020-10761.patch \ - file://CVE-2020-10702.patch \ - file://CVE-2020-13659.patch \ - file://CVE-2020-13800.patch \ - file://CVE-2020-13362.patch \ - file://CVE-2020-15863.patch \ - file://CVE-2020-14364.patch \ - file://CVE-2020-14415.patch \ - file://CVE-2020-16092.patch \ - file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \ - file://CVE-2019-20175.patch \ - file://CVE-2020-24352.patch \ - file://CVE-2020-25723.patch \ - file://CVE-2021-20203.patch \ - file://CVE-2021-3392.patch \ - " + file://CVE-2020-11869.patch \ + file://CVE-2020-13361.patch \ + file://CVE-2020-10761.patch \ + file://CVE-2020-10702.patch \ + file://CVE-2020-13659.patch \ + file://CVE-2020-13800.patch \ + file://CVE-2020-13362.patch \ + file://CVE-2020-15863.patch \ + file://CVE-2020-14364.patch \ + file://CVE-2020-14415.patch \ + file://CVE-2020-16092.patch \ + file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \ + file://CVE-2019-20175.patch \ + file://CVE-2020-24352.patch \ + file://CVE-2020-25723.patch \ + file://CVE-2021-20203.patch \ + file://CVE-2021-3392.patch \ + file://CVE-2020-25085.patch \ + file://CVE-2020-25624_1.patch \ + file://CVE-2020-25624_2.patch \ + file://CVE-2020-25625.patch \ + file://CVE-2020-29443.patch \ + file://CVE-2021-20221.patch \ + file://CVE-2021-20181.patch \ + file://CVE-2021-3416_1.patch \ + file://CVE-2021-3416_2.patch \ + file://CVE-2021-3416_3.patch \ + file://CVE-2021-3416_5.patch \ + file://CVE-2021-3416_6.patch \ + file://CVE-2021-3416_7.patch \ + file://CVE-2021-3416_8.patch \ + file://CVE-2021-3416_9.patch \ + file://CVE-2021-3416_10.patch \ + file://CVE-2021-20257.patch \ + file://CVE-2021-3544.patch \ + file://CVE-2021-3544_2.patch \ + file://CVE-2021-3544_3.patch \ + file://CVE-2021-3544_4.patch \ + file://CVE-2021-3544_5.patch \ + file://CVE-2021-3545.patch \ + file://CVE-2021-3546.patch \ + file://CVE-2021-3527-1.patch \ + file://CVE-2021-3527-2.patch \ + file://CVE-2021-3582.patch \ + file://CVE-2021-3607.patch \ + file://CVE-2021-3608.patch \ + file://CVE-2020-12829_1.patch \ + file://CVE-2020-12829_2.patch \ + file://CVE-2020-12829_3.patch \ + file://CVE-2020-12829_4.patch \ + file://CVE-2020-12829_5.patch \ + file://CVE-2020-27617.patch \ + file://CVE-2020-28916.patch \ + file://CVE-2021-3682.patch \ + file://CVE-2020-13253_1.patch \ + file://CVE-2020-13253_2.patch \ + file://CVE-2020-13253_3.patch \ + file://CVE-2020-13253_4.patch \ + file://CVE-2020-13253_5.patch \ + file://CVE-2020-13791.patch \ + file://CVE-2022-35414.patch \ + file://CVE-2020-27821.patch \ + file://CVE-2020-13754-1.patch \ + file://CVE-2020-13754-2.patch \ + file://CVE-2020-13754-3.patch \ + file://CVE-2020-13754-4.patch \ + file://CVE-2021-3713.patch \ + file://CVE-2021-3748.patch \ + file://CVE-2021-3930.patch \ + file://CVE-2021-4206.patch \ + file://CVE-2021-4207.patch \ + file://CVE-2022-0216-1.patch \ + file://CVE-2022-0216-2.patch \ + file://CVE-2021-3750.patch \ + file://CVE-2021-3638.patch \ + file://CVE-2021-20196.patch \ + file://CVE-2021-3507.patch \ + file://hw-block-nvme-refactor-nvme_addr_read.patch \ + file://hw-block-nvme-handle-dma-errors.patch \ + file://CVE-2021-3929.patch \ + file://CVE-2022-4144.patch \ + file://CVE-2020-15859.patch \ + file://CVE-2020-15469-1.patch \ + file://CVE-2020-15469-2.patch \ + file://CVE-2020-15469-3.patch \ + file://CVE-2020-15469-4.patch \ + file://CVE-2020-15469-5.patch \ + file://CVE-2020-15469-6.patch \ + file://CVE-2020-15469-7.patch \ + file://CVE-2020-15469-8.patch \ + file://CVE-2020-35504.patch \ + file://CVE-2020-35505.patch \ + file://CVE-2022-26354.patch \ + file://CVE-2021-3409-1.patch \ + file://CVE-2021-3409-2.patch \ + file://CVE-2021-3409-3.patch \ + file://CVE-2021-3409-4.patch \ + file://CVE-2021-3409-5.patch \ + file://hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \ + file://CVE-2023-0330.patch \ + file://CVE-2023-3354.patch \ + file://CVE-2023-3180.patch \ + file://CVE-2020-24165.patch \ + file://CVE-2023-5088.patch \ + file://9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch \ + file://CVE-2023-2861.patch \ + " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" SRC_URI[md5sum] = "278eeb294e4b497e79af7a57e660cb9a" @@ -72,6 +161,21 @@ CVE_CHECK_WHITELIST += "CVE-2007-0998" # https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11 CVE_CHECK_WHITELIST += "CVE-2018-18438" +# the issue introduced in v5.1.0-rc0 +CVE_CHECK_WHITELIST += "CVE-2020-27661" + +# As per https://nvd.nist.gov/vuln/detail/CVE-2023-0664 +# https://bugzilla.redhat.com/show_bug.cgi?id=2167423 +# this bug related to windows specific. +CVE_CHECK_WHITELIST += "CVE-2023-0664" + +# As per https://bugzilla.redhat.com/show_bug.cgi?id=2203387 +# RHEL specific issue +CVE_CHECK_WHITELIST += "CVE-2023-2680" + +# Affected only `qemu-kvm` shipped with Red Hat Enterprise Linux 8.3 release. +CVE_CHECK_WHITELIST += "CVE-2021-20295" + COMPATIBLE_HOST_mipsarchn32 = "null" COMPATIBLE_HOST_mipsarchn64 = "null" @@ -210,6 +314,16 @@ PACKAGECONFIG[glusterfs] = "--enable-glusterfs,--disable-glusterfs" PACKAGECONFIG[xkbcommon] = "--enable-xkbcommon,--disable-xkbcommon,libxkbcommon" PACKAGECONFIG[libudev] = "--enable-libudev,--disable-libudev,eudev" PACKAGECONFIG[libxml2] = "--enable-libxml2,--disable-libxml2,libxml2" +PACKAGECONFIG[seccomp] = "--enable-seccomp,--disable-seccomp,libseccomp" +PACKAGECONFIG[capstone] = "--enable-capstone,--disable-capstone" +# libnfs is currently provided by meta-kodi +PACKAGECONFIG[libnfs] = "--enable-libnfs,--disable-libnfs,libnfs" +PACKAGECONFIG[brlapi] = "--enable-brlapi,--disable-brlapi" +PACKAGECONFIG[vde] = "--enable-vde,--disable-vde" +# version 4.2.0 doesn't have an "internal" option for enable-slirp, so use "git" which uses the same configure code path +PACKAGECONFIG[slirp] = "--enable-slirp=git,--disable-slirp" +PACKAGECONFIG[rbd] = "--enable-rbd,--disable-rbd" +PACKAGECONFIG[rdma] = "--enable-rdma,--disable-rdma" INSANE_SKIP_${PN} = "arch" diff --git a/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch b/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch index 3a7d7bbd33..3789f1edea 100644 --- a/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch +++ b/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch @@ -60,7 +60,7 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c -index 6f132c5f..8329950c 100644 +index 300c9765..2823db7d 100644 --- a/fsdev/virtfs-proxy-helper.c +++ b/fsdev/virtfs-proxy-helper.c @@ -13,7 +13,6 @@ @@ -71,9 +71,9 @@ index 6f132c5f..8329950c 100644 #include <sys/fsuid.h> #include <sys/vfs.h> #include <sys/ioctl.h> -@@ -27,7 +26,11 @@ - #include "9p-iov-marshal.h" +@@ -28,7 +27,11 @@ #include "hw/9pfs/9p-proxy.h" + #include "hw/9pfs/9p-util.h" #include "fsdev/9p-iov-marshal.h" - +/* @@ -84,3 +84,6 @@ index 6f132c5f..8329950c 100644 #define PROGNAME "virtfs-proxy-helper" #ifndef XFS_SUPER_MAGIC +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch b/meta/recipes-devtools/qemu/qemu/9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch new file mode 100644 index 0000000000..72d9c47bde --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch @@ -0,0 +1,63 @@ +From a5804fcf7b22fc7d1f9ec794dd284c7d504bd16b Mon Sep 17 00:00:00 2001 +From: Omar Sandoval <osandov@fb.com> +Date: Thu, 14 May 2020 08:06:43 +0200 +Subject: [PATCH] 9pfs: local: ignore O_NOATIME if we don't have permissions + +QEMU's local 9pfs server passes through O_NOATIME from the client. If +the QEMU process doesn't have permissions to use O_NOATIME (namely, it +does not own the file nor have the CAP_FOWNER capability), the open will +fail. This causes issues when from the client's point of view, it +believes it has permissions to use O_NOATIME (e.g., a process running as +root in the virtual machine). Additionally, overlayfs on Linux opens +files on the lower layer using O_NOATIME, so in this case a 9pfs mount +can't be used as a lower layer for overlayfs (cf. +https://github.com/osandov/drgn/blob/dabfe1971951701da13863dbe6d8a1d172ad9650/vmtest/onoatimehack.c +and https://github.com/NixOS/nixpkgs/issues/54509). + +Luckily, O_NOATIME is effectively a hint, and is often ignored by, e.g., +network filesystems. open(2) notes that O_NOATIME "may not be effective +on all filesystems. One example is NFS, where the server maintains the +access time." This means that we can honor it when possible but fall +back to ignoring it. + +Acked-by: Christian Schoenebeck <qemu_oss@crudebyte.com> +Signed-off-by: Omar Sandoval <osandov@fb.com> +Message-Id: <e9bee604e8df528584693a4ec474ded6295ce8ad.1587149256.git.osandov@fb.com> +Signed-off-by: Greg Kurz <groug@kaod.org> + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/a5804fcf7b22fc7d1f9ec794dd284c7d504bd16b] +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + hw/9pfs/9p-util.h | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h +index 79ed6b233e5..546f46dc7dc 100644 +--- a/hw/9pfs/9p-util.h ++++ b/hw/9pfs/9p-util.h +@@ -37,9 +37,22 @@ static inline int openat_file(int dirfd, const char *name, int flags, + { + int fd, serrno, ret; + ++again: + fd = openat(dirfd, name, flags | O_NOFOLLOW | O_NOCTTY | O_NONBLOCK, + mode); + if (fd == -1) { ++ if (errno == EPERM && (flags & O_NOATIME)) { ++ /* ++ * The client passed O_NOATIME but we lack permissions to honor it. ++ * Rather than failing the open, fall back without O_NOATIME. This ++ * doesn't break the semantics on the client side, as the Linux ++ * open(2) man page notes that O_NOATIME "may not be effective on ++ * all filesystems". In particular, NFS and other network ++ * filesystems ignore it entirely. ++ */ ++ flags &= ~O_NOATIME; ++ goto again; ++ } + return -1; + } + +-- +GitLab + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_1.patch new file mode 100644 index 0000000000..6fee4f640d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_1.patch @@ -0,0 +1,164 @@ +From e29da77e5fddf6480e3a0e80b63d703edaec751b Mon Sep 17 00:00:00 2001 +From: BALATON Zoltan <balaton@eik.bme.hu> +Date: Thu, 21 May 2020 21:39:44 +0200 +Subject: [PATCH] sm501: Convert printf + abort to qemu_log_mask +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Some places already use qemu_log_mask() to log unimplemented features +or errors but some others have printf() then abort(). Convert these to +qemu_log_mask() and avoid aborting to prevent guests to easily cause +denial of service. + +Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu> +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-id: 305af87f59d81e92f2aaff09eb8a3603b8baa322.1590089984.git.balaton@eik.bme.hu +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +Upstream-Status: Backport +CVE: CVE-2020-12829 dep#1 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + hw/display/sm501.c | 57 ++++++++++++++++++++++------------------------ + 1 file changed, 27 insertions(+), 30 deletions(-) + +diff --git a/hw/display/sm501.c b/hw/display/sm501.c +index acc692531a..bd3ccfe311 100644 +--- a/hw/display/sm501.c ++++ b/hw/display/sm501.c +@@ -727,8 +727,8 @@ static void sm501_2d_operation(SM501State *s) + int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt); + + if (addressing != 0x0) { +- printf("%s: only XY addressing is supported.\n", __func__); +- abort(); ++ qemu_log_mask(LOG_UNIMP, "sm501: only XY addressing is supported.\n"); ++ return; + } + + if (rop_mode == 0) { +@@ -754,8 +754,8 @@ static void sm501_2d_operation(SM501State *s) + + if ((s->twoD_source_base & 0x08000000) || + (s->twoD_destination_base & 0x08000000)) { +- printf("%s: only local memory is supported.\n", __func__); +- abort(); ++ qemu_log_mask(LOG_UNIMP, "sm501: only local memory is supported.\n"); ++ return; + } + + switch (operation) { +@@ -823,9 +823,9 @@ static void sm501_2d_operation(SM501State *s) + break; + + default: +- printf("non-implemented SM501 2D operation. %d\n", operation); +- abort(); +- break; ++ qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n", ++ operation); ++ return; + } + + if (dst_base >= get_fb_addr(s, crt) && +@@ -892,9 +892,8 @@ static uint64_t sm501_system_config_read(void *opaque, hwaddr addr, + break; + + default: +- printf("sm501 system config : not implemented register read." +- " addr=%x\n", (int)addr); +- abort(); ++ qemu_log_mask(LOG_UNIMP, "sm501: not implemented system config" ++ "register read. addr=%" HWADDR_PRIx "\n", addr); + } + + return ret; +@@ -948,15 +947,15 @@ static void sm501_system_config_write(void *opaque, hwaddr addr, + break; + case SM501_ENDIAN_CONTROL: + if (value & 0x00000001) { +- printf("sm501 system config : big endian mode not implemented.\n"); +- abort(); ++ qemu_log_mask(LOG_UNIMP, "sm501: system config big endian mode not" ++ " implemented.\n"); + } + break; + + default: +- printf("sm501 system config : not implemented register write." +- " addr=%x, val=%x\n", (int)addr, (uint32_t)value); +- abort(); ++ qemu_log_mask(LOG_UNIMP, "sm501: not implemented system config" ++ "register write. addr=%" HWADDR_PRIx ++ ", val=%" PRIx64 "\n", addr, value); + } + } + +@@ -1207,9 +1206,8 @@ static uint64_t sm501_disp_ctrl_read(void *opaque, hwaddr addr, + break; + + default: +- printf("sm501 disp ctrl : not implemented register read." +- " addr=%x\n", (int)addr); +- abort(); ++ qemu_log_mask(LOG_UNIMP, "sm501: not implemented disp ctrl register " ++ "read. addr=%" HWADDR_PRIx "\n", addr); + } + + return ret; +@@ -1345,9 +1343,9 @@ static void sm501_disp_ctrl_write(void *opaque, hwaddr addr, + break; + + default: +- printf("sm501 disp ctrl : not implemented register write." +- " addr=%x, val=%x\n", (int)addr, (unsigned)value); +- abort(); ++ qemu_log_mask(LOG_UNIMP, "sm501: not implemented disp ctrl register " ++ "write. addr=%" HWADDR_PRIx ++ ", val=%" PRIx64 "\n", addr, value); + } + } + +@@ -1433,9 +1431,8 @@ static uint64_t sm501_2d_engine_read(void *opaque, hwaddr addr, + ret = 0; /* Should return interrupt status */ + break; + default: +- printf("sm501 disp ctrl : not implemented register read." +- " addr=%x\n", (int)addr); +- abort(); ++ qemu_log_mask(LOG_UNIMP, "sm501: not implemented disp ctrl register " ++ "read. addr=%" HWADDR_PRIx "\n", addr); + } + + return ret; +@@ -1520,9 +1517,9 @@ static void sm501_2d_engine_write(void *opaque, hwaddr addr, + /* ignored, writing 0 should clear interrupt status */ + break; + default: +- printf("sm501 2d engine : not implemented register write." +- " addr=%x, val=%x\n", (int)addr, (unsigned)value); +- abort(); ++ qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2d engine register " ++ "write. addr=%" HWADDR_PRIx ++ ", val=%" PRIx64 "\n", addr, value); + } + } + +@@ -1670,9 +1667,9 @@ static void sm501_update_display(void *opaque) + draw_line = draw_line32_funcs[dst_depth_index]; + break; + default: +- printf("sm501 update display : invalid control register value.\n"); +- abort(); +- break; ++ qemu_log_mask(LOG_GUEST_ERROR, "sm501: update display" ++ "invalid control register value.\n"); ++ return; + } + + /* set up to draw hardware cursor */ +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch new file mode 100644 index 0000000000..e7258a43d3 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch @@ -0,0 +1,139 @@ +From 6f8183b5dc5b309378687830a25e85ea8fb860ea Mon Sep 17 00:00:00 2001 +From: BALATON Zoltan <balaton@eik.bme.hu> +Date: Thu, 21 May 2020 21:39:44 +0200 +Subject: [PATCH 2/5] sm501: Shorten long variable names in sm501_2d_operation + +This increases readability and cleans up some confusing naming. + +Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu> +Message-id: b9b67b94c46e945252a73c77dfd117132c63c4fb.1590089984.git.balaton@eik.bme.hu +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +Upstream-Status: Backport +CVE: CVE-2020-12829 dep#2 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + hw/display/sm501.c | 45 ++++++++++++++++++++++----------------------- + 1 file changed, 22 insertions(+), 23 deletions(-) + +diff --git a/hw/display/sm501.c b/hw/display/sm501.c +index bd3ccfe311..f42d05e1e4 100644 +--- a/hw/display/sm501.c ++++ b/hw/display/sm501.c +@@ -700,17 +700,16 @@ static inline void hwc_invalidate(SM501State *s, int crt) + static void sm501_2d_operation(SM501State *s) + { + /* obtain operation parameters */ +- int operation = (s->twoD_control >> 16) & 0x1f; ++ int cmd = (s->twoD_control >> 16) & 0x1F; + int rtl = s->twoD_control & 0x8000000; + int src_x = (s->twoD_source >> 16) & 0x01FFF; + int src_y = s->twoD_source & 0xFFFF; + int dst_x = (s->twoD_destination >> 16) & 0x01FFF; + int dst_y = s->twoD_destination & 0xFFFF; +- int operation_width = (s->twoD_dimension >> 16) & 0x1FFF; +- int operation_height = s->twoD_dimension & 0xFFFF; ++ int width = (s->twoD_dimension >> 16) & 0x1FFF; ++ int height = s->twoD_dimension & 0xFFFF; + uint32_t color = s->twoD_foreground; +- int format_flags = (s->twoD_stretch >> 20) & 0x3; +- int addressing = (s->twoD_stretch >> 16) & 0xF; ++ int format = (s->twoD_stretch >> 20) & 0x3; + int rop_mode = (s->twoD_control >> 15) & 0x1; /* 1 for rop2, else rop3 */ + /* 1 if rop2 source is the pattern, otherwise the source is the bitmap */ + int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1; +@@ -721,12 +720,12 @@ static void sm501_2d_operation(SM501State *s) + /* get frame buffer info */ + uint8_t *src = s->local_mem + src_base; + uint8_t *dst = s->local_mem + dst_base; +- int src_width = s->twoD_pitch & 0x1FFF; +- int dst_width = (s->twoD_pitch >> 16) & 0x1FFF; ++ int src_pitch = s->twoD_pitch & 0x1FFF; ++ int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF; + int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0; + int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt); + +- if (addressing != 0x0) { ++ if ((s->twoD_stretch >> 16) & 0xF) { + qemu_log_mask(LOG_UNIMP, "sm501: only XY addressing is supported.\n"); + return; + } +@@ -758,20 +757,20 @@ static void sm501_2d_operation(SM501State *s) + return; + } + +- switch (operation) { ++ switch (cmd) { + case 0x00: /* copy area */ + #define COPY_AREA(_bpp, _pixel_type, rtl) { \ + int y, x, index_d, index_s; \ +- for (y = 0; y < operation_height; y++) { \ +- for (x = 0; x < operation_width; x++) { \ ++ for (y = 0; y < height; y++) { \ ++ for (x = 0; x < width; x++) { \ + _pixel_type val; \ + \ + if (rtl) { \ +- index_s = ((src_y - y) * src_width + src_x - x) * _bpp; \ +- index_d = ((dst_y - y) * dst_width + dst_x - x) * _bpp; \ ++ index_s = ((src_y - y) * src_pitch + src_x - x) * _bpp; \ ++ index_d = ((dst_y - y) * dst_pitch + dst_x - x) * _bpp; \ + } else { \ +- index_s = ((src_y + y) * src_width + src_x + x) * _bpp; \ +- index_d = ((dst_y + y) * dst_width + dst_x + x) * _bpp; \ ++ index_s = ((src_y + y) * src_pitch + src_x + x) * _bpp; \ ++ index_d = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \ + } \ + if (rop_mode == 1 && rop == 5) { \ + /* Invert dest */ \ +@@ -783,7 +782,7 @@ static void sm501_2d_operation(SM501State *s) + } \ + } \ + } +- switch (format_flags) { ++ switch (format) { + case 0: + COPY_AREA(1, uint8_t, rtl); + break; +@@ -799,15 +798,15 @@ static void sm501_2d_operation(SM501State *s) + case 0x01: /* fill rectangle */ + #define FILL_RECT(_bpp, _pixel_type) { \ + int y, x; \ +- for (y = 0; y < operation_height; y++) { \ +- for (x = 0; x < operation_width; x++) { \ +- int index = ((dst_y + y) * dst_width + dst_x + x) * _bpp; \ ++ for (y = 0; y < height; y++) { \ ++ for (x = 0; x < width; x++) { \ ++ int index = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \ + *(_pixel_type *)&dst[index] = (_pixel_type)color; \ + } \ + } \ + } + +- switch (format_flags) { ++ switch (format) { + case 0: + FILL_RECT(1, uint8_t); + break; +@@ -824,14 +823,14 @@ static void sm501_2d_operation(SM501State *s) + + default: + qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n", +- operation); ++ cmd); + return; + } + + if (dst_base >= get_fb_addr(s, crt) && + dst_base <= get_fb_addr(s, crt) + fb_len) { +- int dst_len = MIN(fb_len, ((dst_y + operation_height - 1) * dst_width + +- dst_x + operation_width) * (1 << format_flags)); ++ int dst_len = MIN(fb_len, ((dst_y + height - 1) * dst_pitch + ++ dst_x + width) * (1 << format)); + if (dst_len) { + memory_region_set_dirty(&s->local_mem_region, dst_base, dst_len); + } +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_3.patch new file mode 100644 index 0000000000..c647028cfe --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_3.patch @@ -0,0 +1,47 @@ +From 2824809b7f8f03ddc6e2b7e33e78c06022424298 Mon Sep 17 00:00:00 2001 +From: BALATON Zoltan <balaton@eik.bme.hu> +Date: Thu, 21 May 2020 21:39:44 +0200 +Subject: [PATCH 3/5] sm501: Use BIT(x) macro to shorten constant +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu> +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-id: 124bf5de8d7cf503b32b377d0445029a76bfbd49.1590089984.git.balaton@eik.bme.hu +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +Upstream-Status: Backport +CVE: CVE-2020-12829 dep#3 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + hw/display/sm501.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/hw/display/sm501.c b/hw/display/sm501.c +index f42d05e1e4..97660090bb 100644 +--- a/hw/display/sm501.c ++++ b/hw/display/sm501.c +@@ -701,7 +701,7 @@ static void sm501_2d_operation(SM501State *s) + { + /* obtain operation parameters */ + int cmd = (s->twoD_control >> 16) & 0x1F; +- int rtl = s->twoD_control & 0x8000000; ++ int rtl = s->twoD_control & BIT(27); + int src_x = (s->twoD_source >> 16) & 0x01FFF; + int src_y = s->twoD_source & 0xFFFF; + int dst_x = (s->twoD_destination >> 16) & 0x01FFF; +@@ -751,8 +751,7 @@ static void sm501_2d_operation(SM501State *s) + } + } + +- if ((s->twoD_source_base & 0x08000000) || +- (s->twoD_destination_base & 0x08000000)) { ++ if (s->twoD_source_base & BIT(27) || s->twoD_destination_base & BIT(27)) { + qemu_log_mask(LOG_UNIMP, "sm501: only local memory is supported.\n"); + return; + } +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_4.patch new file mode 100644 index 0000000000..485af05e1e --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_4.patch @@ -0,0 +1,100 @@ +From 3d0b096298b5579a7fa0753ad90968b27bc65372 Mon Sep 17 00:00:00 2001 +From: BALATON Zoltan <balaton@eik.bme.hu> +Date: Thu, 21 May 2020 21:39:44 +0200 +Subject: [PATCH 4/5] sm501: Clean up local variables in sm501_2d_operation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Make variables local to the block they are used in to make it clearer +which operation they are needed for. + +Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu> +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-id: ae59f8138afe7f6a5a4a82539d0f61496a906b06.1590089984.git.balaton@eik.bme.hu +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +Upstream-Status: Backport +CVE: CVE-2020-12829 dep#4 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + hw/display/sm501.c | 31 ++++++++++++++++--------------- + 1 file changed, 16 insertions(+), 15 deletions(-) + +diff --git a/hw/display/sm501.c b/hw/display/sm501.c +index 97660090bb..5ed57703d8 100644 +--- a/hw/display/sm501.c ++++ b/hw/display/sm501.c +@@ -699,28 +699,19 @@ static inline void hwc_invalidate(SM501State *s, int crt) + + static void sm501_2d_operation(SM501State *s) + { +- /* obtain operation parameters */ + int cmd = (s->twoD_control >> 16) & 0x1F; + int rtl = s->twoD_control & BIT(27); +- int src_x = (s->twoD_source >> 16) & 0x01FFF; +- int src_y = s->twoD_source & 0xFFFF; +- int dst_x = (s->twoD_destination >> 16) & 0x01FFF; +- int dst_y = s->twoD_destination & 0xFFFF; +- int width = (s->twoD_dimension >> 16) & 0x1FFF; +- int height = s->twoD_dimension & 0xFFFF; +- uint32_t color = s->twoD_foreground; + int format = (s->twoD_stretch >> 20) & 0x3; + int rop_mode = (s->twoD_control >> 15) & 0x1; /* 1 for rop2, else rop3 */ + /* 1 if rop2 source is the pattern, otherwise the source is the bitmap */ + int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1; + int rop = s->twoD_control & 0xFF; +- uint32_t src_base = s->twoD_source_base & 0x03FFFFFF; ++ int dst_x = (s->twoD_destination >> 16) & 0x01FFF; ++ int dst_y = s->twoD_destination & 0xFFFF; ++ int width = (s->twoD_dimension >> 16) & 0x1FFF; ++ int height = s->twoD_dimension & 0xFFFF; + uint32_t dst_base = s->twoD_destination_base & 0x03FFFFFF; +- +- /* get frame buffer info */ +- uint8_t *src = s->local_mem + src_base; + uint8_t *dst = s->local_mem + dst_base; +- int src_pitch = s->twoD_pitch & 0x1FFF; + int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF; + int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0; + int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt); +@@ -758,6 +749,13 @@ static void sm501_2d_operation(SM501State *s) + + switch (cmd) { + case 0x00: /* copy area */ ++ { ++ int src_x = (s->twoD_source >> 16) & 0x01FFF; ++ int src_y = s->twoD_source & 0xFFFF; ++ uint32_t src_base = s->twoD_source_base & 0x03FFFFFF; ++ uint8_t *src = s->local_mem + src_base; ++ int src_pitch = s->twoD_pitch & 0x1FFF; ++ + #define COPY_AREA(_bpp, _pixel_type, rtl) { \ + int y, x, index_d, index_s; \ + for (y = 0; y < height; y++) { \ +@@ -793,8 +791,11 @@ static void sm501_2d_operation(SM501State *s) + break; + } + break; +- ++ } + case 0x01: /* fill rectangle */ ++ { ++ uint32_t color = s->twoD_foreground; ++ + #define FILL_RECT(_bpp, _pixel_type) { \ + int y, x; \ + for (y = 0; y < height; y++) { \ +@@ -819,7 +820,7 @@ static void sm501_2d_operation(SM501State *s) + break; + } + break; +- ++ } + default: + qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n", + cmd); +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_5.patch new file mode 100644 index 0000000000..ab09e8b039 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_5.patch @@ -0,0 +1,266 @@ +From b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4 Mon Sep 17 00:00:00 2001 +From: BALATON Zoltan <balaton@eik.bme.hu> +Date: Thu, 21 May 2020 21:39:44 +0200 +Subject: [PATCH 5/5] sm501: Replace hand written implementation with pixman + where possible + +Besides being faster this should also prevent malicious guests to +abuse 2D engine to overwrite data or cause a crash. + +Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu> +Message-id: 58666389b6cae256e4e972a32c05cf8aa51bffc0.1590089984.git.balaton@eik.bme.hu +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +Upstream-Status: Backport +CVE: CVE-2020-12829 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + hw/display/sm501.c | 207 ++++++++++++++++++++++++++------------------- + 1 file changed, 119 insertions(+), 88 deletions(-) + +diff --git a/hw/display/sm501.c b/hw/display/sm501.c +index 5ed57703d8..8bf4d111f4 100644 +--- a/hw/display/sm501.c ++++ b/hw/display/sm501.c +@@ -706,13 +706,12 @@ static void sm501_2d_operation(SM501State *s) + /* 1 if rop2 source is the pattern, otherwise the source is the bitmap */ + int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1; + int rop = s->twoD_control & 0xFF; +- int dst_x = (s->twoD_destination >> 16) & 0x01FFF; +- int dst_y = s->twoD_destination & 0xFFFF; +- int width = (s->twoD_dimension >> 16) & 0x1FFF; +- int height = s->twoD_dimension & 0xFFFF; ++ unsigned int dst_x = (s->twoD_destination >> 16) & 0x01FFF; ++ unsigned int dst_y = s->twoD_destination & 0xFFFF; ++ unsigned int width = (s->twoD_dimension >> 16) & 0x1FFF; ++ unsigned int height = s->twoD_dimension & 0xFFFF; + uint32_t dst_base = s->twoD_destination_base & 0x03FFFFFF; +- uint8_t *dst = s->local_mem + dst_base; +- int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF; ++ unsigned int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF; + int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0; + int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt); + +@@ -721,104 +720,136 @@ static void sm501_2d_operation(SM501State *s) + return; + } + +- if (rop_mode == 0) { +- if (rop != 0xcc) { +- /* Anything other than plain copies are not supported */ +- qemu_log_mask(LOG_UNIMP, "sm501: rop3 mode with rop %x is not " +- "supported.\n", rop); +- } +- } else { +- if (rop2_source_is_pattern && rop != 0x5) { +- /* For pattern source, we support only inverse dest */ +- qemu_log_mask(LOG_UNIMP, "sm501: rop2 source being the pattern and " +- "rop %x is not supported.\n", rop); +- } else { +- if (rop != 0x5 && rop != 0xc) { +- /* Anything other than plain copies or inverse dest is not +- * supported */ +- qemu_log_mask(LOG_UNIMP, "sm501: rop mode %x is not " +- "supported.\n", rop); +- } +- } +- } +- + if (s->twoD_source_base & BIT(27) || s->twoD_destination_base & BIT(27)) { + qemu_log_mask(LOG_UNIMP, "sm501: only local memory is supported.\n"); + return; + } + ++ if (!dst_pitch) { ++ qemu_log_mask(LOG_GUEST_ERROR, "sm501: Zero dest pitch.\n"); ++ return; ++ } ++ ++ if (!width || !height) { ++ qemu_log_mask(LOG_GUEST_ERROR, "sm501: Zero size 2D op.\n"); ++ return; ++ } ++ ++ if (rtl) { ++ dst_x -= width - 1; ++ dst_y -= height - 1; ++ } ++ ++ if (dst_base >= get_local_mem_size(s) || dst_base + ++ (dst_x + width + (dst_y + height) * (dst_pitch + width)) * ++ (1 << format) >= get_local_mem_size(s)) { ++ qemu_log_mask(LOG_GUEST_ERROR, "sm501: 2D op dest is outside vram.\n"); ++ return; ++ } ++ + switch (cmd) { +- case 0x00: /* copy area */ ++ case 0: /* BitBlt */ + { +- int src_x = (s->twoD_source >> 16) & 0x01FFF; +- int src_y = s->twoD_source & 0xFFFF; ++ unsigned int src_x = (s->twoD_source >> 16) & 0x01FFF; ++ unsigned int src_y = s->twoD_source & 0xFFFF; + uint32_t src_base = s->twoD_source_base & 0x03FFFFFF; +- uint8_t *src = s->local_mem + src_base; +- int src_pitch = s->twoD_pitch & 0x1FFF; +- +-#define COPY_AREA(_bpp, _pixel_type, rtl) { \ +- int y, x, index_d, index_s; \ +- for (y = 0; y < height; y++) { \ +- for (x = 0; x < width; x++) { \ +- _pixel_type val; \ +- \ +- if (rtl) { \ +- index_s = ((src_y - y) * src_pitch + src_x - x) * _bpp; \ +- index_d = ((dst_y - y) * dst_pitch + dst_x - x) * _bpp; \ +- } else { \ +- index_s = ((src_y + y) * src_pitch + src_x + x) * _bpp; \ +- index_d = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \ +- } \ +- if (rop_mode == 1 && rop == 5) { \ +- /* Invert dest */ \ +- val = ~*(_pixel_type *)&dst[index_d]; \ +- } else { \ +- val = *(_pixel_type *)&src[index_s]; \ +- } \ +- *(_pixel_type *)&dst[index_d] = val; \ +- } \ +- } \ +- } +- switch (format) { +- case 0: +- COPY_AREA(1, uint8_t, rtl); +- break; +- case 1: +- COPY_AREA(2, uint16_t, rtl); +- break; +- case 2: +- COPY_AREA(4, uint32_t, rtl); +- break; ++ unsigned int src_pitch = s->twoD_pitch & 0x1FFF; ++ ++ if (!src_pitch) { ++ qemu_log_mask(LOG_GUEST_ERROR, "sm501: Zero src pitch.\n"); ++ return; ++ } ++ ++ if (rtl) { ++ src_x -= width - 1; ++ src_y -= height - 1; ++ } ++ ++ if (src_base >= get_local_mem_size(s) || src_base + ++ (src_x + width + (src_y + height) * (src_pitch + width)) * ++ (1 << format) >= get_local_mem_size(s)) { ++ qemu_log_mask(LOG_GUEST_ERROR, ++ "sm501: 2D op src is outside vram.\n"); ++ return; ++ } ++ ++ if ((rop_mode && rop == 0x5) || (!rop_mode && rop == 0x55)) { ++ /* Invert dest, is there a way to do this with pixman? */ ++ unsigned int x, y, i; ++ uint8_t *d = s->local_mem + dst_base; ++ ++ for (y = 0; y < height; y++) { ++ i = (dst_x + (dst_y + y) * dst_pitch) * (1 << format); ++ for (x = 0; x < width; x++, i += (1 << format)) { ++ switch (format) { ++ case 0: ++ d[i] = ~d[i]; ++ break; ++ case 1: ++ *(uint16_t *)&d[i] = ~*(uint16_t *)&d[i]; ++ break; ++ case 2: ++ *(uint32_t *)&d[i] = ~*(uint32_t *)&d[i]; ++ break; ++ } ++ } ++ } ++ } else { ++ /* Do copy src for unimplemented ops, better than unpainted area */ ++ if ((rop_mode && (rop != 0xc || rop2_source_is_pattern)) || ++ (!rop_mode && rop != 0xcc)) { ++ qemu_log_mask(LOG_UNIMP, ++ "sm501: rop%d op %x%s not implemented\n", ++ (rop_mode ? 2 : 3), rop, ++ (rop2_source_is_pattern ? ++ " with pattern source" : "")); ++ } ++ /* Check for overlaps, this could be made more exact */ ++ uint32_t sb, se, db, de; ++ sb = src_base + src_x + src_y * (width + src_pitch); ++ se = sb + width + height * (width + src_pitch); ++ db = dst_base + dst_x + dst_y * (width + dst_pitch); ++ de = db + width + height * (width + dst_pitch); ++ if (rtl && ((db >= sb && db <= se) || (de >= sb && de <= se))) { ++ /* regions may overlap: copy via temporary */ ++ int llb = width * (1 << format); ++ int tmp_stride = DIV_ROUND_UP(llb, sizeof(uint32_t)); ++ uint32_t *tmp = g_malloc(tmp_stride * sizeof(uint32_t) * ++ height); ++ pixman_blt((uint32_t *)&s->local_mem[src_base], tmp, ++ src_pitch * (1 << format) / sizeof(uint32_t), ++ tmp_stride, 8 * (1 << format), 8 * (1 << format), ++ src_x, src_y, 0, 0, width, height); ++ pixman_blt(tmp, (uint32_t *)&s->local_mem[dst_base], ++ tmp_stride, ++ dst_pitch * (1 << format) / sizeof(uint32_t), ++ 8 * (1 << format), 8 * (1 << format), ++ 0, 0, dst_x, dst_y, width, height); ++ g_free(tmp); ++ } else { ++ pixman_blt((uint32_t *)&s->local_mem[src_base], ++ (uint32_t *)&s->local_mem[dst_base], ++ src_pitch * (1 << format) / sizeof(uint32_t), ++ dst_pitch * (1 << format) / sizeof(uint32_t), ++ 8 * (1 << format), 8 * (1 << format), ++ src_x, src_y, dst_x, dst_y, width, height); ++ } + } + break; + } +- case 0x01: /* fill rectangle */ ++ case 1: /* Rectangle Fill */ + { + uint32_t color = s->twoD_foreground; + +-#define FILL_RECT(_bpp, _pixel_type) { \ +- int y, x; \ +- for (y = 0; y < height; y++) { \ +- for (x = 0; x < width; x++) { \ +- int index = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \ +- *(_pixel_type *)&dst[index] = (_pixel_type)color; \ +- } \ +- } \ +- } +- +- switch (format) { +- case 0: +- FILL_RECT(1, uint8_t); +- break; +- case 1: +- color = cpu_to_le16(color); +- FILL_RECT(2, uint16_t); +- break; +- case 2: ++ if (format == 2) { + color = cpu_to_le32(color); +- FILL_RECT(4, uint32_t); +- break; ++ } else if (format == 1) { ++ color = cpu_to_le16(color); + } ++ ++ pixman_fill((uint32_t *)&s->local_mem[dst_base], ++ dst_pitch * (1 << format) / sizeof(uint32_t), ++ 8 * (1 << format), dst_x, dst_y, width, height, color); + break; + } + default: +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_1.patch new file mode 100644 index 0000000000..7f8383987c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_1.patch @@ -0,0 +1,50 @@ +From 6dd3a164f5b31c703c7d8372841ad3bd6a57de6d Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org> +Date: Tue, 5 Jun 2018 22:28:51 -0300 +Subject: [PATCH 1/1] hw/sd/sdcard: Simplify realize() a bit +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +We don't need to check if sd->blk is set twice. + +Reviewed-by: Peter Maydell <peter.maydell@linaro.org> +Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> +Reviewed-by: Alistair Francis <alistair.francis@wdc.com> +Message-Id: <20200630133912.9428-18-f4bug@amsat.org> + +Upstram-Status: Backport: +https://git.qemu.org/?p=qemu.git;a=commit;f=hw/sd/sd.c;h=6dd3a164f5b31c703c7d8372841ad3bd6a57de6d + +CVE: CVE-2020-13253 + +Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> +--- + hw/sd/sd.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/hw/sd/sd.c b/hw/sd/sd.c +index 1cc16bf..edd60a0 100644 +--- a/hw/sd/sd.c ++++ b/hw/sd/sd.c +@@ -2105,12 +2105,12 @@ static void sd_realize(DeviceState *dev, Error **errp) + return; + } + +- if (sd->blk && blk_is_read_only(sd->blk)) { +- error_setg(errp, "Cannot use read-only drive as SD card"); +- return; +- } +- + if (sd->blk) { ++ if (blk_is_read_only(sd->blk)) { ++ error_setg(errp, "Cannot use read-only drive as SD card"); ++ return; ++ } ++ + ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE, + BLK_PERM_ALL, errp); + if (ret < 0) { +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_2.patch new file mode 100644 index 0000000000..53145d059f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_2.patch @@ -0,0 +1,112 @@ +From a9bcedd15a5834ca9ae6c3a97933e85ac7edbd36 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org> +Date: Tue, 7 Jul 2020 13:02:34 +0200 +Subject: [PATCH] hw/sd/sdcard: Do not allow invalid SD card sizes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +QEMU allows to create SD card with unrealistic sizes. This could +work, but some guests (at least Linux) consider sizes that are not +a power of 2 as a firmware bug and fix the card size to the next +power of 2. + +While the possibility to use small SD card images has been seen as +a feature, it became a bug with CVE-2020-13253, where the guest is +able to do OOB read/write accesses past the image size end. + +In a pair of commits we will fix CVE-2020-13253 as: + + Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR + occurred and no data transfer is performed. + + Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR + occurred and no data transfer is performed. + + WP_VIOLATION errors are not modified: the error bit is set, we + stay in receive-data state, wait for a stop command. All further + data transfer is ignored. See the check on sd->card_status at the + beginning of sd_read_data() and sd_write_data(). + +While this is the correct behavior, in case QEMU create smaller SD +cards, guests still try to access past the image size end, and QEMU +considers this is an invalid address, thus "all further data transfer +is ignored". This is wrong and make the guest looping until +eventually timeouts. + +Fix by not allowing invalid SD card sizes (suggesting the expected +size as a hint): + + $ qemu-system-arm -M orangepi-pc -drive file=rootfs.ext2,if=sd,format=raw + qemu-system-arm: Invalid SD card size: 60 MiB + SD card size has to be a power of 2, e.g. 64 MiB. + You can resize disk images with 'qemu-img resize <imagefile> <new-size>' + (note that this will lose data if you make the image smaller than it currently is). + +Cc: qemu-stable@nongnu.org +Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> +Reviewed-by: Alistair Francis <alistair.francis@wdc.com> +Reviewed-by: Peter Maydell <peter.maydell@linaro.org> +Message-Id: <20200713183209.26308-8-f4bug@amsat.org> + +Upstram-Status: Backport: +https://git.qemu.org/?p=qemu.git;a=commit;h=a9bcedd15a5834ca9ae6c3a97933e85ac7edbd36 + +CVE: CVE-2020-13253 + +Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> +--- + hw/sd/sd.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +diff --git a/hw/sd/sd.c b/hw/sd/sd.c +index edd60a09c0..76d68359a4 100644 +--- a/hw/sd/sd.c ++++ b/hw/sd/sd.c +@@ -32,6 +32,7 @@ + + #include "qemu/osdep.h" + #include "qemu/units.h" ++#include "qemu/cutils.h" + #include "hw/irq.h" + #include "hw/registerfields.h" + #include "sysemu/block-backend.h" +@@ -2106,11 +2107,35 @@ static void sd_realize(DeviceState *dev, Error **errp) + } + + if (sd->blk) { ++ int64_t blk_size; ++ + if (blk_is_read_only(sd->blk)) { + error_setg(errp, "Cannot use read-only drive as SD card"); + return; + } + ++ blk_size = blk_getlength(sd->blk); ++ if (blk_size > 0 && !is_power_of_2(blk_size)) { ++ int64_t blk_size_aligned = pow2ceil(blk_size); ++ char *blk_size_str; ++ ++ blk_size_str = size_to_str(blk_size); ++ error_setg(errp, "Invalid SD card size: %s", blk_size_str); ++ g_free(blk_size_str); ++ ++ blk_size_str = size_to_str(blk_size_aligned); ++ error_append_hint(errp, ++ "SD card size has to be a power of 2, e.g. %s.\n" ++ "You can resize disk images with" ++ " 'qemu-img resize <imagefile> <new-size>'\n" ++ "(note that this will lose data if you make the" ++ " image smaller than it currently is).\n", ++ blk_size_str); ++ g_free(blk_size_str); ++ ++ return; ++ } ++ + ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE, + BLK_PERM_ALL, errp); + if (ret < 0) { +-- +2.32.0 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_3.patch new file mode 100644 index 0000000000..b512b2bd7f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_3.patch @@ -0,0 +1,86 @@ +From 794d68de2f021a6d3874df41d6bbe8590ec05207 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org> +Date: Mon, 13 Jul 2020 09:27:35 +0200 +Subject: [PATCH] hw/sd/sdcard: Update coding style to make checkpatch.pl happy +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +To make the next commit easier to review, clean this code first. + +Reviewed-by: Peter Maydell <peter.maydell@linaro.org> +Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> +Reviewed-by: Alistair Francis <alistair.francis@wdc.com> +Reviewed-by: Alexander Bulekov <alxndr@bu.edu> +Message-Id: <20200630133912.9428-3-f4bug@amsat.org> + +Upstram-Status: Backport: +https://git.qemu.org/?p=qemu.git;a=commit;f=hw/sd/sd.c;h=794d68de2f021a6d3874df41d6bbe8590ec05207 + +CVE: CVE-2020-13253 + +Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> +--- +diff --git a/hw/sd/sd.c b/hw/sd/sd.c +--- a/hw/sd/sd.c (revision b0ca999a43a22b38158a222233d3f5881648bb4f) ++++ b/hw/sd/sd.c (date 1647514442924) +@@ -1154,8 +1154,9 @@ + sd->data_start = addr; + sd->data_offset = 0; + +- if (sd->data_start + sd->blk_len > sd->size) ++ if (sd->data_start + sd->blk_len > sd->size) { + sd->card_status |= ADDRESS_ERROR; ++ } + return sd_r1; + + default: +@@ -1170,8 +1171,9 @@ + sd->data_start = addr; + sd->data_offset = 0; + +- if (sd->data_start + sd->blk_len > sd->size) ++ if (sd->data_start + sd->blk_len > sd->size) { + sd->card_status |= ADDRESS_ERROR; ++ } + return sd_r1; + + default: +@@ -1216,12 +1218,15 @@ + sd->data_offset = 0; + sd->blk_written = 0; + +- if (sd->data_start + sd->blk_len > sd->size) ++ if (sd->data_start + sd->blk_len > sd->size) { + sd->card_status |= ADDRESS_ERROR; +- if (sd_wp_addr(sd, sd->data_start)) ++ } ++ if (sd_wp_addr(sd, sd->data_start)) { + sd->card_status |= WP_VIOLATION; +- if (sd->csd[14] & 0x30) ++ } ++ if (sd->csd[14] & 0x30) { + sd->card_status |= WP_VIOLATION; ++ } + return sd_r1; + + default: +@@ -1240,12 +1245,15 @@ + sd->data_offset = 0; + sd->blk_written = 0; + +- if (sd->data_start + sd->blk_len > sd->size) ++ if (sd->data_start + sd->blk_len > sd->size) { + sd->card_status |= ADDRESS_ERROR; +- if (sd_wp_addr(sd, sd->data_start)) ++ } ++ if (sd_wp_addr(sd, sd->data_start)) { + sd->card_status |= WP_VIOLATION; +- if (sd->csd[14] & 0x30) ++ } ++ if (sd->csd[14] & 0x30) { + sd->card_status |= WP_VIOLATION; ++ } + return sd_r1; + + default: diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch new file mode 100644 index 0000000000..6b4c1ec050 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch @@ -0,0 +1,139 @@ +From 790762e5487114341cccc5bffcec4cb3c022c3cd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org> +Date: Thu, 4 Jun 2020 19:22:29 +0200 +Subject: [PATCH] hw/sd/sdcard: Do not switch to ReceivingData if address is + invalid +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Only move the state machine to ReceivingData if there is no +pending error. This avoids later OOB access while processing +commands queued. + + "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01" + + 4.3.3 Data Read + + Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR + occurred and no data transfer is performed. + + 4.3.4 Data Write + + Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR + occurred and no data transfer is performed. + +WP_VIOLATION errors are not modified: the error bit is set, we +stay in receive-data state, wait for a stop command. All further +data transfer is ignored. See the check on sd->card_status at the +beginning of sd_read_data() and sd_write_data(). + +Fixes: CVE-2020-13253 + +Cc: qemu-stable@nongnu.org +Reported-by: Alexander Bulekov <alxndr@bu.edu> +Buglink: https://bugs.launchpad.net/qemu/+bug/1880822 +Reviewed-by: Peter Maydell <peter.maydell@linaro.org> +Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> +Reviewed-by: Alistair Francis <alistair.francis@wdc.com> +Message-Id: <20200630133912.9428-6-f4bug@amsat.org> + +Upstram-Status: Backport: +https://git.qemu.org/?p=qemu.git;a=commit;h=790762e5487114341cccc5bffcec4cb3c022c3cd + +CVE: CVE-2020-13253 + +Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> +--- + hw/sd/sd.c | 38 ++++++++++++++++++++++++-------------- + 1 file changed, 24 insertions(+), 14 deletions(-) + +diff --git a/hw/sd/sd.c b/hw/sd/sd.c +index f4f76f8fd2..fad9cf1ee7 100644 +--- a/hw/sd/sd.c ++++ b/hw/sd/sd.c +@@ -1171,13 +1171,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) + case 17: /* CMD17: READ_SINGLE_BLOCK */ + switch (sd->state) { + case sd_transfer_state: +- sd->state = sd_sendingdata_state; +- sd->data_start = addr; +- sd->data_offset = 0; + +- if (sd->data_start + sd->blk_len > sd->size) { ++ if (addr + sd->blk_len > sd->size) { + sd->card_status |= ADDRESS_ERROR; ++ return sd_r1; + } ++ ++ sd->state = sd_sendingdata_state; ++ sd->data_start = addr; ++ sd->data_offset = 0; + return sd_r1; + + default: +@@ -1188,13 +1190,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) + case 18: /* CMD18: READ_MULTIPLE_BLOCK */ + switch (sd->state) { + case sd_transfer_state: +- sd->state = sd_sendingdata_state; +- sd->data_start = addr; +- sd->data_offset = 0; + +- if (sd->data_start + sd->blk_len > sd->size) { ++ if (addr + sd->blk_len > sd->size) { + sd->card_status |= ADDRESS_ERROR; ++ return sd_r1; + } ++ ++ sd->state = sd_sendingdata_state; ++ sd->data_start = addr; ++ sd->data_offset = 0; + return sd_r1; + + default: +@@ -1234,14 +1238,17 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) + /* Writing in SPI mode not implemented. */ + if (sd->spi) + break; ++ ++ if (addr + sd->blk_len > sd->size) { ++ sd->card_status |= ADDRESS_ERROR; ++ return sd_r1; ++ } ++ + sd->state = sd_receivingdata_state; + sd->data_start = addr; + sd->data_offset = 0; + sd->blk_written = 0; + +- if (sd->data_start + sd->blk_len > sd->size) { +- sd->card_status |= ADDRESS_ERROR; +- } + if (sd_wp_addr(sd, sd->data_start)) { + sd->card_status |= WP_VIOLATION; + } +@@ -1261,14 +1268,17 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) + /* Writing in SPI mode not implemented. */ + if (sd->spi) + break; ++ ++ if (addr + sd->blk_len > sd->size) { ++ sd->card_status |= ADDRESS_ERROR; ++ return sd_r1; ++ } ++ + sd->state = sd_receivingdata_state; + sd->data_start = addr; + sd->data_offset = 0; + sd->blk_written = 0; + +- if (sd->data_start + sd->blk_len > sd->size) { +- sd->card_status |= ADDRESS_ERROR; +- } + if (sd_wp_addr(sd, sd->data_start)) { + sd->card_status |= WP_VIOLATION; + } +-- +2.32.0 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_5.patch new file mode 100644 index 0000000000..ffce610f79 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_5.patch @@ -0,0 +1,54 @@ +From 9157dd597d293ab7f599f4d96c3fe8a6e07c633d Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org> +Date: Wed, 3 Jun 2020 19:59:16 +0200 +Subject: [PATCH] hw/sd/sdcard: Restrict Class 6 commands to SCSD cards +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Only SCSD cards support Class 6 (Block Oriented Write Protection) +commands. + + "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01" + + 4.3.14 Command Functional Difference in Card Capacity Types + + * Write Protected Group + + SDHC and SDXC do not support write-protected groups. Issuing + CMD28, CMD29 and CMD30 generates the ILLEGAL_COMMAND error. + +Cc: qemu-stable@nongnu.org +Reviewed-by: Peter Maydell <peter.maydell@linaro.org> +Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> +Reviewed-by: Alistair Francis <alistair.francis@wdc.com> +Message-Id: <20200630133912.9428-7-f4bug@amsat.org> + +Upstram-Status: Backport: +https://git.qemu.org/?p=qemu.git;a=commit;h=9157dd597d293ab7f599f4d96c3fe8a6e07c633d + +CVE: CVE-2020-13253 + +Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> +--- + hw/sd/sd.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/hw/sd/sd.c b/hw/sd/sd.c +index 5137168..1cc16bf 100644 +--- a/hw/sd/sd.c ++++ b/hw/sd/sd.c +@@ -920,6 +920,11 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) + sd->multi_blk_cnt = 0; + } + ++ if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) { ++ /* Only Standard Capacity cards support class 6 commands */ ++ return sd_illegal; ++ } ++ + switch (req.cmd) { + /* Basic commands (Class 0 and Class 1) */ + case 0: /* CMD0: GO_IDLE_STATE */ +-- +1.8.3.1 diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch new file mode 100644 index 0000000000..fdfff9d81d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch @@ -0,0 +1,91 @@ +From 5d971f9e672507210e77d020d89e0e89165c8fc9 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" <mst@redhat.com> +Date: Wed, 10 Jun 2020 09:47:49 -0400 +Subject: [PATCH] memory: Revert "memory: accept mismatching sizes in + memory_region_access_valid" + +Memory API documentation documents valid .min_access_size and .max_access_size +fields and explains that any access outside these boundaries is blocked. + +This is what devices seem to assume. + +However this is not what the implementation does: it simply +ignores the boundaries unless there's an "accepts" callback. + +Naturally, this breaks a bunch of devices. + +Revert to the documented behaviour. + +Devices that want to allow any access can just drop the valid field, +or add the impl field to have accesses converted to appropriate +length. + +Cc: qemu-stable@nongnu.org +Reviewed-by: Richard Henderson <rth@twiddle.net> +Fixes: CVE-2020-13754 +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363 +Fixes: a014ed07bd5a ("memory: accept mismatching sizes in memory_region_access_valid") +Signed-off-by: Michael S. Tsirkin <mst@redhat.com> +Message-Id: <20200610134731.1514409-1-mst@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +https://git.qemu.org/?p=qemu.git;a=patch;h=5d971f9e672507210e77d020d89e0e89165c8fc9 +CVE: CVE-2020-13754 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + memory.c | 29 +++++++++-------------------- + 1 file changed, 9 insertions(+), 20 deletions(-) + +diff --git a/memory.c b/memory.c +index 2f15a4b..9200b20 100644 +--- a/memory.c ++++ b/memory.c +@@ -1352,35 +1352,24 @@ bool memory_region_access_valid(MemoryRegion *mr, + bool is_write, + MemTxAttrs attrs) + { +- int access_size_min, access_size_max; +- int access_size, i; +- +- if (!mr->ops->valid.unaligned && (addr & (size - 1))) { ++ if (mr->ops->valid.accepts ++ && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) { + return false; + } + +- if (!mr->ops->valid.accepts) { +- return true; +- } +- +- access_size_min = mr->ops->valid.min_access_size; +- if (!mr->ops->valid.min_access_size) { +- access_size_min = 1; ++ if (!mr->ops->valid.unaligned && (addr & (size - 1))) { ++ return false; + } + +- access_size_max = mr->ops->valid.max_access_size; ++ /* Treat zero as compatibility all valid */ + if (!mr->ops->valid.max_access_size) { +- access_size_max = 4; ++ return true; + } + +- access_size = MAX(MIN(size, access_size_max), access_size_min); +- for (i = 0; i < size; i += access_size) { +- if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size, +- is_write, attrs)) { +- return false; +- } ++ if (size > mr->ops->valid.max_access_size ++ || size < mr->ops->valid.min_access_size) { ++ return false; + } +- + return true; + } + +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch new file mode 100644 index 0000000000..7354edc54d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch @@ -0,0 +1,69 @@ +From dba04c3488c4699f5afe96f66e448b1d447cf3fb Mon Sep 17 00:00:00 2001 +From: Michael Tokarev <mjt@tls.msk.ru> +Date: Mon, 20 Jul 2020 19:06:27 +0300 +Subject: [PATCH] acpi: accept byte and word access to core ACPI registers + +All ISA registers should be accessible as bytes, words or dwords +(if wide enough). Fix the access constraints for acpi-pm-evt, +acpi-pm-tmr & acpi-cnt registers. + +Fixes: 5d971f9e67 (memory: Revert "memory: accept mismatching sizes in memory_region_access_valid") +Fixes: afafe4bbe0 (apci: switch cnt to memory api) +Fixes: 77d58b1e47 (apci: switch timer to memory api) +Fixes: b5a7c024d2 (apci: switch evt to memory api) +Buglink: https://lore.kernel.org/xen-devel/20200630170913.123646-1-anthony.perard@citrix.com/T/ +Buglink: https://bugs.debian.org/964793 +BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247 +BugLink: https://bugs.launchpad.net/bugs/1886318 +Reported-By: Simon John <git@the-jedi.co.uk> +Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> +Message-Id: <20200720160627.15491-1-mjt@msgid.tls.msk.ru> +Cc: qemu-stable@nongnu.org +Reviewed-by: Michael S. Tsirkin <mst@redhat.com> +Signed-off-by: Michael S. Tsirkin <mst@redhat.com> + +https://git.qemu.org/?p=qemu.git;a=patch;h=dba04c3488c4699f5afe96f66e448b1d447cf3fb +CVE: CVE-2020-13754 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + hw/acpi/core.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/hw/acpi/core.c b/hw/acpi/core.c +index f6d9ec4..ac06db3 100644 +--- a/hw/acpi/core.c ++++ b/hw/acpi/core.c +@@ -458,7 +458,8 @@ static void acpi_pm_evt_write(void *opaque, hwaddr addr, uint64_t val, + static const MemoryRegionOps acpi_pm_evt_ops = { + .read = acpi_pm_evt_read, + .write = acpi_pm_evt_write, +- .valid.min_access_size = 2, ++ .impl.min_access_size = 2, ++ .valid.min_access_size = 1, + .valid.max_access_size = 2, + .endianness = DEVICE_LITTLE_ENDIAN, + }; +@@ -527,7 +528,8 @@ static void acpi_pm_tmr_write(void *opaque, hwaddr addr, uint64_t val, + static const MemoryRegionOps acpi_pm_tmr_ops = { + .read = acpi_pm_tmr_read, + .write = acpi_pm_tmr_write, +- .valid.min_access_size = 4, ++ .impl.min_access_size = 4, ++ .valid.min_access_size = 1, + .valid.max_access_size = 4, + .endianness = DEVICE_LITTLE_ENDIAN, + }; +@@ -599,7 +601,8 @@ static void acpi_pm_cnt_write(void *opaque, hwaddr addr, uint64_t val, + static const MemoryRegionOps acpi_pm_cnt_ops = { + .read = acpi_pm_cnt_read, + .write = acpi_pm_cnt_write, +- .valid.min_access_size = 2, ++ .impl.min_access_size = 2, ++ .valid.min_access_size = 1, + .valid.max_access_size = 2, + .endianness = DEVICE_LITTLE_ENDIAN, + }; +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch new file mode 100644 index 0000000000..2a8781050f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch @@ -0,0 +1,65 @@ +From 8e67fda2dd6202ccec093fda561107ba14830a17 Mon Sep 17 00:00:00 2001 +From: Laurent Vivier <lvivier@redhat.com> +Date: Tue, 21 Jul 2020 10:33:22 +0200 +Subject: [PATCH] xhci: fix valid.max_access_size to access address registers +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +QEMU XHCI advertises AC64 (64-bit addressing) but doesn't allow +64-bit mode access in "runtime" and "operational" MemoryRegionOps. + +Set the max_access_size based on sizeof(dma_addr_t) as AC64 is set. + +XHCI specs: +"If the xHC supports 64-bit addressing (AC64 = â1â), then software +should write 64-bit registers using only Qword accesses. If a +system is incapable of issuing Qword accesses, then writes to the +64-bit address fields shall be performed using 2 Dword accesses; +low Dword-first, high-Dword second. If the xHC supports 32-bit +addressing (AC64 = â0â), then the high Dword of registers containing +64-bit address fields are unused and software should write addresses +using only Dword accesses" + +The problem has been detected with SLOF, as linux kernel always accesses +registers using 32-bit access even if AC64 is set and revealed by +5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"") + +Suggested-by: Alexey Kardashevskiy <aik@au1.ibm.com> +Signed-off-by: Laurent Vivier <lvivier@redhat.com> +Message-id: 20200721083322.90651-1-lvivier@redhat.com +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +https://git.qemu.org/?p=qemu.git;a=patch;h=8e67fda2dd6202ccec093fda561107ba14830a17 +CVE: CVE-2020-13754 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + hw/usb/hcd-xhci.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c +index b330e36..67a18fe 100644 +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -3184,7 +3184,7 @@ static const MemoryRegionOps xhci_oper_ops = { + .read = xhci_oper_read, + .write = xhci_oper_write, + .valid.min_access_size = 4, +- .valid.max_access_size = 4, ++ .valid.max_access_size = sizeof(dma_addr_t), + .endianness = DEVICE_LITTLE_ENDIAN, + }; + +@@ -3200,7 +3200,7 @@ static const MemoryRegionOps xhci_runtime_ops = { + .read = xhci_runtime_read, + .write = xhci_runtime_write, + .valid.min_access_size = 4, +- .valid.max_access_size = 4, ++ .valid.max_access_size = sizeof(dma_addr_t), + .endianness = DEVICE_LITTLE_ENDIAN, + }; + +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch new file mode 100644 index 0000000000..6bad07d03f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch @@ -0,0 +1,39 @@ +From 70b78d4e71494c90d2ccb40381336bc9b9a22f79 Mon Sep 17 00:00:00 2001 +From: Alistair Francis <alistair.francis@wdc.com> +Date: Tue, 30 Jun 2020 13:12:11 -0700 +Subject: [PATCH] hw/riscv: Allow 64 bit access to SiFive CLINT + +Commit 5d971f9e672507210e77d020d89e0e89165c8fc9 +"memory: Revert "memory: accept mismatching sizes in +memory_region_access_valid"" broke most RISC-V boards as they do 64 bit +accesses to the CLINT and QEMU would trigger a fault. Fix this failure +by allowing 8 byte accesses. + +Signed-off-by: Alistair Francis <alistair.francis@wdc.com> +Reviewed-by: LIU Zhiwei<zhiwei_liu@c-sky.com> +Message-Id: <122b78825b077e4dfd39b444d3a46fe894a7804c.1593547870.git.alistair.francis@wdc.com> + +https://git.qemu.org/?p=qemu.git;a=patch;h=70b78d4e71494c90d2ccb40381336bc9b9a22f79 +CVE: CVE-2020-13754 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + hw/riscv/sifive_clint.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/riscv/sifive_clint.c b/hw/riscv/sifive_clint.c +index b11ffa0..669c21a 100644 +--- a/hw/riscv/sifive_clint.c ++++ b/hw/riscv/sifive_clint.c +@@ -181,7 +181,7 @@ static const MemoryRegionOps sifive_clint_ops = { + .endianness = DEVICE_LITTLE_ENDIAN, + .valid = { + .min_access_size = 4, +- .max_access_size = 4 ++ .max_access_size = 8 + } + }; + +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch new file mode 100644 index 0000000000..1e8278f7b7 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch @@ -0,0 +1,44 @@ +Date: Thu, 4 Jun 2020 16:25:24 +0530 +From: Prasad J Pandit <pjp@fedoraproject.org> +Subject: [PATCH v3] ati-vga: check address before reading configuration bytes (CVE-2020-13791) + +While reading PCI configuration bytes, a guest may send an +address towards the end of the configuration space. It may lead +to an OOB access issue. Add check to ensure 'address + size' is +within PCI configuration space. + +CVE: CVE-2020-13791 + +Upstream-Status: Submitted +https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00979.html + +Reported-by: Ren Ding <rding@gatech.edu> +Reported-by: Hanqing Zhao <hanqing@gatech.edu> +Reported-by: Yi Ren <c4tren@gmail.com> +Suggested-by: BALATON Zoltan <balaton@eik.bme.hu> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> +--- + hw/display/ati.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +Update v3: avoid modifying 'addr' variable + -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00834.html + +diff --git a/hw/display/ati.c b/hw/display/ati.c +index 67604e68de..b4d0fd88b7 100644 +--- a/hw/display/ati.c ++++ b/hw/display/ati.c +@@ -387,7 +387,9 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size) + val = s->regs.crtc_pitch; + break; + case 0xf00 ... 0xfff: +- val = pci_default_read_config(&s->dev, addr - 0xf00, size); ++ if ((addr - 0xf00) + size <= pci_config_size(&s->dev)) { ++ val = pci_default_read_config(&s->dev, addr - 0xf00, size); ++ } + break; + case CUR_OFFSET: + val = s->regs.cur_offset; +-- +2.26.2 diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-1.patch new file mode 100644 index 0000000000..20f39f0a26 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-1.patch @@ -0,0 +1,50 @@ +From 520f26fc6d17b71a43eaf620e834b3bdf316f3d3 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Tue, 11 Aug 2020 17:11:25 +0530 +Subject: [PATCH] hw/pci-host: add pci-intack write method + +Add pci-intack mmio write method to avoid NULL pointer dereference +issue. + +Reported-by: Lei Sun <slei.casper@gmail.com> +Reviewed-by: Li Qiang <liq3ea@gmail.com> +Reviewed-by: Peter Maydell <peter.maydell@linaro.org> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Message-Id: <20200811114133.672647-2-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +CVE: CVE-2020-15469 +Upstream-Status: Backport [import from ubuntu +https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-1.patch?h=ubuntu/focal-security +Upstream commit https://github.com/qemu/qemu/commit/520f26fc6d17b71a43eaf620e834b3bdf316f3d3 ] +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + hw/pci-host/prep.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/hw/pci-host/prep.c ++++ b/hw/pci-host/prep.c +@@ -26,6 +26,7 @@ + #include "qemu/osdep.h" + #include "qemu-common.h" + #include "qemu/units.h" ++#include "qemu/log.h" + #include "qapi/error.h" + #include "hw/pci/pci.h" + #include "hw/pci/pci_bus.h" +@@ -119,8 +120,15 @@ static uint64_t raven_intack_read(void * + return pic_read_irq(isa_pic); + } + ++static void raven_intack_write(void *opaque, hwaddr addr, ++ uint64_t data, unsigned size) ++{ ++ qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__); ++} ++ + static const MemoryRegionOps raven_intack_ops = { + .read = raven_intack_read, ++ .write = raven_intack_write, + .valid = { + .max_access_size = 1, + }, diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-2.patch new file mode 100644 index 0000000000..d6715d337c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-2.patch @@ -0,0 +1,69 @@ +From 4f2a5202a05fc1612954804a2482f07bff105ea2 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Tue, 11 Aug 2020 17:11:26 +0530 +Subject: [PATCH] pci-host: designware: add pcie-msi read method + +Add pcie-msi mmio read method to avoid NULL pointer dereference +issue. + +Reported-by: Lei Sun <slei.casper@gmail.com> +Reviewed-by: Li Qiang <liq3ea@gmail.com> +Reviewed-by: Peter Maydell <peter.maydell@linaro.org> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Message-Id: <20200811114133.672647-3-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +CVE: CVE-2020-15469 +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-2.patch?h=ubuntu/focal-security Upstream Commit https://github.com/qemu/qemu/commit/4f2a5202a05fc1612954804a2482f07bff105ea2] +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + hw/pci-host/designware.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/hw/pci-host/designware.c b/hw/pci-host/designware.c +index f9fb97a..bde3a34 100644 +--- a/hw/pci-host/designware.c ++++ b/hw/pci-host/designware.c +@@ -21,6 +21,7 @@ + #include "qemu/osdep.h" + #include "qapi/error.h" + #include "qemu/module.h" ++#include "qemu/log.h" + #include "hw/pci/msi.h" + #include "hw/pci/pci_bridge.h" + #include "hw/pci/pci_host.h" +@@ -63,6 +64,23 @@ designware_pcie_root_to_host(DesignwarePCIERoot *root) + return DESIGNWARE_PCIE_HOST(bus->parent); + } + ++static uint64_t designware_pcie_root_msi_read(void *opaque, hwaddr addr, ++ unsigned size) ++{ ++ /* ++ * Attempts to read from the MSI address are undefined in ++ * the PCI specifications. For this hardware, the datasheet ++ * specifies that a read from the magic address is simply not ++ * intercepted by the MSI controller, and will go out to the ++ * AHB/AXI bus like any other PCI-device-initiated DMA read. ++ * This is not trivial to implement in QEMU, so since ++ * well-behaved guests won't ever ask a PCI device to DMA from ++ * this address we just log the missing functionality. ++ */ ++ qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__); ++ return 0; ++} ++ + static void designware_pcie_root_msi_write(void *opaque, hwaddr addr, + uint64_t val, unsigned len) + { +@@ -77,6 +95,7 @@ static void designware_pcie_root_msi_write(void *opaque, hwaddr addr, + } + + static const MemoryRegionOps designware_pci_host_msi_ops = { ++ .read = designware_pcie_root_msi_read, + .write = designware_pcie_root_msi_write, + .endianness = DEVICE_LITTLE_ENDIAN, + .valid = { +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-3.patch new file mode 100644 index 0000000000..85abe8ff32 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-3.patch @@ -0,0 +1,49 @@ +From 24202d2b561c3b4c48bd28383c8c34b4ac66c2bf Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Tue, 11 Aug 2020 17:11:27 +0530 +Subject: [PATCH] vfio: add quirk device write method + +Add vfio quirk device mmio write method to avoid NULL pointer +dereference issue. + +Reported-by: Lei Sun <slei.casper@gmail.com> +Reviewed-by: Li Qiang <liq3ea@gmail.com> +Reviewed-by: Peter Maydell <peter.maydell@linaro.org> +Acked-by: Alex Williamson <alex.williamson@redhat.com> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Message-Id: <20200811114133.672647-4-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +CVE: CVE-2020-15469 +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-3.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/24202d2b561c3b4c48bd28383c8c34b4ac66c2bf] +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + hw/vfio/pci-quirks.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/hw/vfio/pci-quirks.c ++++ b/hw/vfio/pci-quirks.c +@@ -13,6 +13,7 @@ + #include "qemu/osdep.h" + #include "exec/memop.h" + #include "qemu/units.h" ++#include "qemu/log.h" + #include "qemu/error-report.h" + #include "qemu/main-loop.h" + #include "qemu/module.h" +@@ -278,8 +279,15 @@ static uint64_t vfio_ati_3c3_quirk_read( + return data; + } + ++static void vfio_ati_3c3_quirk_write(void *opaque, hwaddr addr, ++ uint64_t data, unsigned size) ++{ ++ qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid access\n", __func__); ++} ++ + static const MemoryRegionOps vfio_ati_3c3_quirk = { + .read = vfio_ati_3c3_quirk_read, ++ .write = vfio_ati_3c3_quirk_write, + .endianness = DEVICE_LITTLE_ENDIAN, + }; + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-4.patch new file mode 100644 index 0000000000..52fac8a051 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-4.patch @@ -0,0 +1,53 @@ +From f867cebaedbc9c43189f102e4cdfdff05e88df7f Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Tue, 11 Aug 2020 17:11:28 +0530 +Subject: [PATCH] prep: add ppc-parity write method + +Add ppc-parity mmio write method to avoid NULL pointer dereference +issue. + +Reported-by: Lei Sun <slei.casper@gmail.com> +Acked-by: David Gibson <david@gibson.dropbear.id.au> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Reviewed-by: Li Qiang <liq3ea@gmail.com> +Message-Id: <20200811114133.672647-5-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +CVE: CVE-2020-15469 +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-4.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/f867cebaedbc9c43189f102e4cdfdff05e88df7f] +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + hw/ppc/prep_systemio.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/ppc/prep_systemio.c b/hw/ppc/prep_systemio.c +index 4e48ef2..b2bd783 100644 +--- a/hw/ppc/prep_systemio.c ++++ b/hw/ppc/prep_systemio.c +@@ -23,6 +23,7 @@ + */ + + #include "qemu/osdep.h" ++#include "qemu/log.h" + #include "hw/irq.h" + #include "hw/isa/isa.h" + #include "hw/qdev-properties.h" +@@ -235,8 +236,15 @@ static uint64_t ppc_parity_error_readl(void *opaque, hwaddr addr, + return val; + } + ++static void ppc_parity_error_writel(void *opaque, hwaddr addr, ++ uint64_t data, unsigned size) ++{ ++ qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid access\n", __func__); ++} ++ + static const MemoryRegionOps ppc_parity_error_ops = { + .read = ppc_parity_error_readl, ++ .write = ppc_parity_error_writel, + .valid = { + .min_access_size = 4, + .max_access_size = 4, +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-5.patch new file mode 100644 index 0000000000..49c6c5e3e2 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-5.patch @@ -0,0 +1,53 @@ +From b5bf601f364e1a14ca4c3276f88dfec024acf613 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Tue, 11 Aug 2020 17:11:29 +0530 +Subject: [PATCH] nvram: add nrf51_soc flash read method + +Add nrf51_soc mmio read method to avoid NULL pointer dereference +issue. + +Reported-by: Lei Sun <slei.casper@gmail.com> +Reviewed-by: Peter Maydell <peter.maydell@linaro.org> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Reviewed-by: Li Qiang <liq3ea@gmail.com> +Message-Id: <20200811114133.672647-6-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +CVE: CVE-2020-15469 +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-5.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/b5bf601f364e1a14ca4c3276f88dfec024acf613 ] +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + hw/nvram/nrf51_nvm.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/hw/nvram/nrf51_nvm.c b/hw/nvram/nrf51_nvm.c +index f2283c1..7b3460d 100644 +--- a/hw/nvram/nrf51_nvm.c ++++ b/hw/nvram/nrf51_nvm.c +@@ -273,6 +273,15 @@ static const MemoryRegionOps io_ops = { + .endianness = DEVICE_LITTLE_ENDIAN, + }; + ++static uint64_t flash_read(void *opaque, hwaddr offset, unsigned size) ++{ ++ /* ++ * This is a rom_device MemoryRegion which is always in ++ * romd_mode (we never put it in MMIO mode), so reads always ++ * go directly to RAM and never come here. ++ */ ++ g_assert_not_reached(); ++} + + static void flash_write(void *opaque, hwaddr offset, uint64_t value, + unsigned int size) +@@ -300,6 +309,7 @@ static void flash_write(void *opaque, hwaddr offset, uint64_t value, + + + static const MemoryRegionOps flash_ops = { ++ .read = flash_read, + .write = flash_write, + .valid.min_access_size = 4, + .valid.max_access_size = 4, +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-6.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-6.patch new file mode 100644 index 0000000000..115be68295 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-6.patch @@ -0,0 +1,61 @@ +Backport of: + +From 921604e175b8ec06c39503310e7b3ec1e3eafe9e Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Tue, 11 Aug 2020 17:11:30 +0530 +Subject: [PATCH] spapr_pci: add spapr msi read method + +Add spapr msi mmio read method to avoid NULL pointer dereference +issue. + +Reported-by: Lei Sun <slei.casper@gmail.com> +Acked-by: David Gibson <david@gibson.dropbear.id.au> +Reviewed-by: Li Qiang <liq3ea@gmail.com> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Message-Id: <20200811114133.672647-7-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +CVE: CVE-2020-15469 +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-6.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/921604e175b8ec06c39503310e7b3ec1e3eafe9e] +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + hw/ppc/spapr_pci.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/hw/ppc/spapr_pci.c ++++ b/hw/ppc/spapr_pci.c +@@ -52,6 +52,7 @@ + #include "sysemu/kvm.h" + #include "sysemu/hostmem.h" + #include "sysemu/numa.h" ++#include "qemu/log.h" + + /* Copied from the kernel arch/powerpc/platforms/pseries/msi.c */ + #define RTAS_QUERY_FN 0 +@@ -738,6 +739,12 @@ static PCIINTxRoute spapr_route_intx_pin + return route; + } + ++static uint64_t spapr_msi_read(void *opaque, hwaddr addr, unsigned size) ++{ ++ qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid access\n", __func__); ++ return 0; ++} ++ + /* + * MSI/MSIX memory region implementation. + * The handler handles both MSI and MSIX. +@@ -755,8 +762,11 @@ static void spapr_msi_write(void *opaque + } + + static const MemoryRegionOps spapr_msi_ops = { +- /* There is no .read as the read result is undefined by PCI spec */ +- .read = NULL, ++ /* ++ * .read result is undefined by PCI spec. ++ * define .read method to avoid assert failure in memory_region_init_io ++ */ ++ .read = spapr_msi_read, + .write = spapr_msi_write, + .endianness = DEVICE_LITTLE_ENDIAN + }; diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-7.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-7.patch new file mode 100644 index 0000000000..7d8ec32251 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-7.patch @@ -0,0 +1,50 @@ +From 2c9fb3b784000c1df32231e1c2464bb2e3fc4620 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Tue, 11 Aug 2020 17:11:31 +0530 +Subject: [PATCH] tz-ppc: add dummy read/write methods + +Add tz-ppc-dummy mmio read/write methods to avoid assert failure +during initialisation. + +Reviewed-by: Peter Maydell <peter.maydell@linaro.org> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Reviewed-by: Li Qiang <liq3ea@gmail.com> +Message-Id: <20200811114133.672647-8-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +CVE: CVE-2020-15469 +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-7.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/2c9fb3b784000c1df32231e1c2464bb2e3fc4620 ] +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + hw/misc/tz-ppc.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/hw/misc/tz-ppc.c b/hw/misc/tz-ppc.c +index 6431257..36495c6 100644 +--- a/hw/misc/tz-ppc.c ++++ b/hw/misc/tz-ppc.c +@@ -196,7 +196,21 @@ static bool tz_ppc_dummy_accepts(void *opaque, hwaddr addr, + g_assert_not_reached(); + } + ++static uint64_t tz_ppc_dummy_read(void *opaque, hwaddr addr, unsigned size) ++{ ++ g_assert_not_reached(); ++} ++ ++static void tz_ppc_dummy_write(void *opaque, hwaddr addr, ++ uint64_t data, unsigned size) ++{ ++ g_assert_not_reached(); ++} ++ + static const MemoryRegionOps tz_ppc_dummy_ops = { ++ /* define r/w methods to avoid assert failure in memory_region_init_io */ ++ .read = tz_ppc_dummy_read, ++ .write = tz_ppc_dummy_write, + .valid.accepts = tz_ppc_dummy_accepts, + }; + +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-8.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-8.patch new file mode 100644 index 0000000000..7857ba266e --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-8.patch @@ -0,0 +1,44 @@ +From 735754aaa15a6ed46db51fd731e88331c446ea54 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Tue, 11 Aug 2020 17:11:32 +0530 +Subject: [PATCH] imx7-ccm: add digprog mmio write method + +Add digprog mmio write method to avoid assert failure during +initialisation. + +Reviewed-by: Li Qiang <liq3ea@gmail.com> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Message-Id: <20200811114133.672647-9-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +CVE: CVE-2020-15469 +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-8.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/735754aaa15a6ed46db51fd731e88331c446ea54] +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + hw/misc/imx7_ccm.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/misc/imx7_ccm.c b/hw/misc/imx7_ccm.c +index 02fc1ae..075159e 100644 +--- a/hw/misc/imx7_ccm.c ++++ b/hw/misc/imx7_ccm.c +@@ -131,8 +131,16 @@ static const struct MemoryRegionOps imx7_set_clr_tog_ops = { + }, + }; + ++static void imx7_digprog_write(void *opaque, hwaddr addr, ++ uint64_t data, unsigned size) ++{ ++ qemu_log_mask(LOG_GUEST_ERROR, ++ "Guest write to read-only ANALOG_DIGPROG register\n"); ++} ++ + static const struct MemoryRegionOps imx7_digprog_ops = { + .read = imx7_set_clr_tog_read, ++ .write = imx7_digprog_write, + .endianness = DEVICE_NATIVE_ENDIAN, + .impl = { + .min_access_size = 4, +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15859.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15859.patch new file mode 100644 index 0000000000..0f43adeea8 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15859.patch @@ -0,0 +1,39 @@ +From 22dc8663d9fc7baa22100544c600b6285a63c7a3 Mon Sep 17 00:00:00 2001 +From: Jason Wang <jasowang@redhat.com> +Date: Wed, 22 Jul 2020 16:57:46 +0800 +Subject: [PATCH] net: forbid the reentrant RX + +The memory API allows DMA into NIC's MMIO area. This means the NIC's +RX routine must be reentrant. Instead of auditing all the NIC, we can +simply detect the reentrancy and return early. The queue->delivering +is set and cleared by qemu_net_queue_deliver() for other queue helpers +to know whether the delivering in on going (NIC's receive is being +called). We can check it and return early in qemu_net_queue_flush() to +forbid reentrant RX. + +Signed-off-by: Jason Wang <jasowang@redhat.com> + +CVE: CVE-2020-15859 +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/ubuntu/CVE-2020-15859.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/22dc8663d9fc7baa22100544c600b6285a63c7a3 ] +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + net/queue.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/queue.c b/net/queue.c +index 0164727..19e32c8 100644 +--- a/net/queue.c ++++ b/net/queue.c +@@ -250,6 +250,9 @@ void qemu_net_queue_purge(NetQueue *queue, NetClientState *from) + + bool qemu_net_queue_flush(NetQueue *queue) + { ++ if (queue->delivering) ++ return false; ++ + while (!QTAILQ_EMPTY(&queue->packets)) { + NetPacket *packet; + int ret; +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-24165.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-24165.patch new file mode 100644 index 0000000000..e0a27331a8 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-24165.patch @@ -0,0 +1,94 @@ +CVE: CVE-2020-24165 +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/886cc68943ebe8cf7e5f970be33459f95068a441 ] +Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> + +From 886cc68943ebe8cf7e5f970be33459f95068a441 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Alex=20Benn=C3=A9e?= <alex.bennee@linaro.org> +Date: Fri, 14 Feb 2020 14:49:52 +0000 +Subject: [PATCH] accel/tcg: fix race in cpu_exec_step_atomic (bug 1863025) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The bug describes a race whereby cpu_exec_step_atomic can acquire a TB +which is invalidated by a tb_flush before we execute it. This doesn't +affect the other cpu_exec modes as a tb_flush by it's nature can only +occur on a quiescent system. The race was described as: + + B2. tcg_cpu_exec => cpu_exec => tb_find => tb_gen_code + B3. tcg_tb_alloc obtains a new TB + + C3. TB obtained with tb_lookup__cpu_state or tb_gen_code + (same TB as B2) + + A3. start_exclusive critical section entered + A4. do_tb_flush is called, TB memory freed/re-allocated + A5. end_exclusive exits critical section + + B2. tcg_cpu_exec => cpu_exec => tb_find => tb_gen_code + B3. tcg_tb_alloc reallocates TB from B2 + + C4. start_exclusive critical section entered + C5. cpu_tb_exec executes the TB code that was free in A4 + +The simplest fix is to widen the exclusive period to include the TB +lookup. As a result we can drop the complication of checking we are in +the exclusive region before we end it. + +Cc: Yifan <me@yifanlu.com> +Buglink: https://bugs.launchpad.net/qemu/+bug/1863025 +Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Alex Bennée <alex.bennee@linaro.org> +Message-Id: <20200214144952.15502-1-alex.bennee@linaro.org> +Signed-off-by: Richard Henderson <richard.henderson@linaro.org> +--- + accel/tcg/cpu-exec.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c +index 2560c90eec79..d95c4848a47b 100644 +--- a/accel/tcg/cpu-exec.c ++++ b/accel/tcg/cpu-exec.c +@@ -240,6 +240,8 @@ void cpu_exec_step_atomic(CPUState *cpu) + uint32_t cf_mask = cflags & CF_HASH_MASK; + + if (sigsetjmp(cpu->jmp_env, 0) == 0) { ++ start_exclusive(); ++ + tb = tb_lookup__cpu_state(cpu, &pc, &cs_base, &flags, cf_mask); + if (tb == NULL) { + mmap_lock(); +@@ -247,8 +249,6 @@ void cpu_exec_step_atomic(CPUState *cpu) + mmap_unlock(); + } + +- start_exclusive(); +- + /* Since we got here, we know that parallel_cpus must be true. */ + parallel_cpus = false; + cc->cpu_exec_enter(cpu); +@@ -271,14 +271,15 @@ void cpu_exec_step_atomic(CPUState *cpu) + qemu_plugin_disable_mem_helpers(cpu); + } + +- if (cpu_in_exclusive_context(cpu)) { +- /* We might longjump out of either the codegen or the +- * execution, so must make sure we only end the exclusive +- * region if we started it. +- */ +- parallel_cpus = true; +- end_exclusive(); +- } ++ ++ /* ++ * As we start the exclusive region before codegen we must still ++ * be in the region if we longjump out of either the codegen or ++ * the execution. ++ */ ++ g_assert(cpu_in_exclusive_context(cpu)); ++ parallel_cpus = true; ++ end_exclusive(); + } + + struct tb_desc { diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25085.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25085.patch new file mode 100644 index 0000000000..be19256cef --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25085.patch @@ -0,0 +1,46 @@ +From dfba99f17feb6d4a129da19d38df1bcd8579d1c3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org> +Date: Tue, 1 Sep 2020 15:22:06 +0200 +Subject: [PATCH] hw/sd/sdhci: Fix DMA Transfer Block Size field +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The 'Transfer Block Size' field is 12-bit wide. + +See section '2.2.2. Block Size Register (Offset 004h)' in datasheet. + +Two different bug reproducer available: +- https://bugs.launchpad.net/qemu/+bug/1892960 +- https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fsdhci_oob_write1 + +Cc: qemu-stable@nongnu.org +Buglink: https://bugs.launchpad.net/qemu/+bug/1892960 +Fixes: d7dfca0807a ("hw/sdhci: introduce standard SD host controller") +Reported-by: Alexander Bulekov <alxndr@bu.edu> +Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> +Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> +Tested-by: Alexander Bulekov <alxndr@bu.edu> +Message-Id: <20200901140411.112150-3-f4bug@amsat.org> + +Upstream-Status: Backport +CVE: CVE-2020-25085 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + hw/sd/sdhci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: qemu-4.2.0/hw/sd/sdhci.c +=================================================================== +--- qemu-4.2.0.orig/hw/sd/sdhci.c ++++ qemu-4.2.0/hw/sd/sdhci.c +@@ -1129,7 +1129,7 @@ sdhci_write(void *opaque, hwaddr offset, + break; + case SDHC_BLKSIZE: + if (!TRANSFERRING_DATA(s->prnsts)) { +- MASKED_WRITE(s->blksize, mask, value); ++ MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12)); + MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16); + } + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25624_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624_1.patch new file mode 100644 index 0000000000..a46b5be193 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624_1.patch @@ -0,0 +1,87 @@ +From fbec359e9279ce78908b9f2af2c264e7448336af Mon Sep 17 00:00:00 2001 +From: Guenter Roeck <linux@roeck-us.net> +Date: Mon, 17 Feb 2020 12:48:10 -0800 +Subject: [PATCH] hw: usb: hcd-ohci: Move OHCISysBusState and TYPE_SYSBUS_OHCI + to include file + +We need to be able to use OHCISysBusState outside hcd-ohci.c, so move it +to its include file. + +Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> +Signed-off-by: Guenter Roeck <linux@roeck-us.net> +Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com> +Message-id: 20200217204812.9857-2-linux@roeck-us.net +Signed-off-by: Peter Maydell <peter.maydell@linaro.org> + +Upstream-Status: Backport +CVE: CVE-2020-25624 patch #1 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + hw/usb/hcd-ohci.c | 15 --------------- + hw/usb/hcd-ohci.h | 16 ++++++++++++++++ + 2 files changed, 16 insertions(+), 15 deletions(-) + +diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c +index 8a94bd004a..1e6e85e86a 100644 +--- a/hw/usb/hcd-ohci.c ++++ b/hw/usb/hcd-ohci.c +@@ -1870,21 +1870,6 @@ void ohci_sysbus_die(struct OHCIState *ohci) + ohci_bus_stop(ohci); + } + +-#define TYPE_SYSBUS_OHCI "sysbus-ohci" +-#define SYSBUS_OHCI(obj) OBJECT_CHECK(OHCISysBusState, (obj), TYPE_SYSBUS_OHCI) +- +-typedef struct { +- /*< private >*/ +- SysBusDevice parent_obj; +- /*< public >*/ +- +- OHCIState ohci; +- char *masterbus; +- uint32_t num_ports; +- uint32_t firstport; +- dma_addr_t dma_offset; +-} OHCISysBusState; +- + static void ohci_realize_pxa(DeviceState *dev, Error **errp) + { + OHCISysBusState *s = SYSBUS_OHCI(dev); +diff --git a/hw/usb/hcd-ohci.h b/hw/usb/hcd-ohci.h +index 16e3f1e13a..5c8819aedf 100644 +--- a/hw/usb/hcd-ohci.h ++++ b/hw/usb/hcd-ohci.h +@@ -22,6 +22,7 @@ + #define HCD_OHCI_H + + #include "sysemu/dma.h" ++#include "hw/usb.h" + + /* Number of Downstream Ports on the root hub: */ + #define OHCI_MAX_PORTS 15 +@@ -90,6 +91,21 @@ typedef struct OHCIState { + void (*ohci_die)(struct OHCIState *ohci); + } OHCIState; + ++#define TYPE_SYSBUS_OHCI "sysbus-ohci" ++#define SYSBUS_OHCI(obj) OBJECT_CHECK(OHCISysBusState, (obj), TYPE_SYSBUS_OHCI) ++ ++typedef struct { ++ /*< private >*/ ++ SysBusDevice parent_obj; ++ /*< public >*/ ++ ++ OHCIState ohci; ++ char *masterbus; ++ uint32_t num_ports; ++ uint32_t firstport; ++ dma_addr_t dma_offset; ++} OHCISysBusState; ++ + extern const VMStateDescription vmstate_ohci_state; + + void usb_ohci_init(OHCIState *ohci, DeviceState *dev, uint32_t num_ports, +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25624_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624_2.patch new file mode 100644 index 0000000000..8c1275b2f4 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624_2.patch @@ -0,0 +1,101 @@ +From 1328fe0c32d5474604105b8105310e944976b058 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Tue, 15 Sep 2020 23:52:58 +0530 +Subject: [PATCH] hw: usb: hcd-ohci: check len and frame_number variables + +While servicing the OHCI transfer descriptors(TD), OHCI host +controller derives variables 'start_addr', 'end_addr', 'len' +etc. from values supplied by the host controller driver. +Host controller driver may supply values such that using +above variables leads to out-of-bounds access issues. +Add checks to avoid them. + +AddressSanitizer: stack-buffer-overflow on address 0x7ffd53af76a0 + READ of size 2 at 0x7ffd53af76a0 thread T0 + #0 ohci_service_iso_td ../hw/usb/hcd-ohci.c:734 + #1 ohci_service_ed_list ../hw/usb/hcd-ohci.c:1180 + #2 ohci_process_lists ../hw/usb/hcd-ohci.c:1214 + #3 ohci_frame_boundary ../hw/usb/hcd-ohci.c:1257 + #4 timerlist_run_timers ../util/qemu-timer.c:572 + #5 qemu_clock_run_timers ../util/qemu-timer.c:586 + #6 qemu_clock_run_all_timers ../util/qemu-timer.c:672 + #7 main_loop_wait ../util/main-loop.c:527 + #8 qemu_main_loop ../softmmu/vl.c:1676 + #9 main ../softmmu/main.c:50 + +Reported-by: Gaoning Pan <pgn@zju.edu.cn> +Reported-by: Yongkang Jia <j_kangel@163.com> +Reported-by: Yi Ren <yunye.ry@alibaba-inc.com> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Message-id: 20200915182259.68522-2-ppandit@redhat.com +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +Upstream-Status: Backport +CVE: CVE-2020-25624 patch #2 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + hw/usb/hcd-ohci.c | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c +index 1e6e85e86a..9dc59101f9 100644 +--- a/hw/usb/hcd-ohci.c ++++ b/hw/usb/hcd-ohci.c +@@ -731,7 +731,11 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed, + } + + start_offset = iso_td.offset[relative_frame_number]; +- next_offset = iso_td.offset[relative_frame_number + 1]; ++ if (relative_frame_number < frame_count) { ++ next_offset = iso_td.offset[relative_frame_number + 1]; ++ } else { ++ next_offset = iso_td.be; ++ } + + if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) || + ((relative_frame_number < frame_count) && +@@ -764,7 +768,12 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed, + } + } else { + /* Last packet in the ISO TD */ +- end_addr = iso_td.be; ++ end_addr = next_offset; ++ } ++ ++ if (start_addr > end_addr) { ++ trace_usb_ohci_iso_td_bad_cc_overrun(start_addr, end_addr); ++ return 1; + } + + if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) { +@@ -773,6 +782,9 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed, + } else { + len = end_addr - start_addr + 1; + } ++ if (len > sizeof(ohci->usb_buf)) { ++ len = sizeof(ohci->usb_buf); ++ } + + if (len && dir != OHCI_TD_DIR_IN) { + if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len, +@@ -975,8 +987,16 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed) + if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) { + len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff); + } else { ++ if (td.cbp > td.be) { ++ trace_usb_ohci_iso_td_bad_cc_overrun(td.cbp, td.be); ++ ohci_die(ohci); ++ return 1; ++ } + len = (td.be - td.cbp) + 1; + } ++ if (len > sizeof(ohci->usb_buf)) { ++ len = sizeof(ohci->usb_buf); ++ } + + pktlen = len; + if (len && dir != OHCI_TD_DIR_IN) { +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25625.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25625.patch new file mode 100644 index 0000000000..374d7c4562 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25625.patch @@ -0,0 +1,42 @@ +From 1be90ebecc95b09a2ee5af3f60c412b45a766c4f Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Tue, 15 Sep 2020 23:52:59 +0530 +Subject: [PATCH] hw: usb: hcd-ohci: check for processed TD before retire + +While servicing OHCI transfer descriptors(TD), ohci_service_iso_td +retires a TD if it has passed its time frame. It does not check if +the TD was already processed once and holds an error code in TD_CC. +It may happen if the TD list has a loop. Add check to avoid an +infinite loop condition. + +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Reviewed-by: Li Qiang <liq3ea@gmail.com> +Message-id: 20200915182259.68522-3-ppandit@redhat.com +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +Upstream-Status: Backport +CVE: CVE-2020-25625 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + hw/usb/hcd-ohci.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c +index 9dc59101f9..8b912e95d3 100644 +--- a/hw/usb/hcd-ohci.c ++++ b/hw/usb/hcd-ohci.c +@@ -691,6 +691,10 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed, + the next ISO TD of the same ED */ + trace_usb_ohci_iso_td_relative_frame_number_big(relative_frame_number, + frame_count); ++ if (OHCI_CC_DATAOVERRUN == OHCI_BM(iso_td.flags, TD_CC)) { ++ /* avoid infinite loop */ ++ return 1; ++ } + OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_DATAOVERRUN); + ed->head &= ~OHCI_DPTR_MASK; + ed->head |= (iso_td.next & OHCI_DPTR_MASK); +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-27617.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-27617.patch new file mode 100644 index 0000000000..7bfc2beecb --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-27617.patch @@ -0,0 +1,49 @@ +From 7564bf7701f00214cdc8a678a9f7df765244def1 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Wed, 21 Oct 2020 11:35:50 +0530 +Subject: [PATCH] net: remove an assert call in eth_get_gso_type + +eth_get_gso_type() routine returns segmentation offload type based on +L3 protocol type. It calls g_assert_not_reached if L3 protocol is +unknown, making the following return statement unreachable. Remove the +g_assert call, it maybe triggered by a guest user. + +Reported-by: Gaoning Pan <pgn@zju.edu.cn> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: Jason Wang <jasowang@redhat.com> + +Upsteram-Status: Backport +CVE: CVE-2020-27617 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + net/eth.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/eth.c b/net/eth.c +index 0c1d413ee2..1e0821c5f8 100644 +--- a/net/eth.c ++++ b/net/eth.c +@@ -16,6 +16,7 @@ + */ + + #include "qemu/osdep.h" ++#include "qemu/log.h" + #include "net/eth.h" + #include "net/checksum.h" + #include "net/tap.h" +@@ -71,9 +72,8 @@ eth_get_gso_type(uint16_t l3_proto, uint8_t *l3_hdr, uint8_t l4proto) + return VIRTIO_NET_HDR_GSO_TCPV6 | ecn_state; + } + } +- +- /* Unsupported offload */ +- g_assert_not_reached(); ++ qemu_log_mask(LOG_UNIMP, "%s: probably not GSO frame, " ++ "unknown L3 protocol: 0x%04"PRIx16"\n", __func__, l3_proto); + + return VIRTIO_NET_HDR_GSO_NONE | ecn_state; + } +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch new file mode 100644 index 0000000000..e26bc31bbb --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch @@ -0,0 +1,73 @@ +From 15222d4636d742f3395fd211fad0cd7e36d9f43e Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Tue, 16 Aug 2022 10:07:01 +0530 +Subject: [PATCH] CVE-2020-27821 + +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=4bfb024bc76973d40a359476dc0291f46e435442] +CVE: CVE-2020-27821 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> + +memory: clamp cached translation in case it points to an MMIO region + +In using the address_space_translate_internal API, address_space_cache_init +forgot one piece of advice that can be found in the code for +address_space_translate_internal: + + /* MMIO registers can be expected to perform full-width accesses based only + * on their address, without considering adjacent registers that could + * decode to completely different MemoryRegions. When such registers + * exist (e.g. I/O ports 0xcf8 and 0xcf9 on most PC chipsets), MMIO + * regions overlap wildly. For this reason we cannot clamp the accesses + * here. + * + * If the length is small (as is the case for address_space_ldl/stl), + * everything works fine. If the incoming length is large, however, + * the caller really has to do the clamping through memory_access_size. + */ + +address_space_cache_init is exactly one such case where "the incoming length +is large", therefore we need to clamp the resulting length---not to +memory_access_size though, since we are not doing an access yet, but to +the size of the resulting section. This ensures that subsequent accesses +to the cached MemoryRegionSection will be in range. + +With this patch, the enclosed testcase notices that the used ring does +not fit into the MSI-X table and prints a "qemu-system-x86_64: Cannot map used" +error. + +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +--- + exec.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/exec.c b/exec.c +index 2d6add46..1360051a 100644 +--- a/exec.c ++++ b/exec.c +@@ -3632,6 +3632,7 @@ int64_t address_space_cache_init(MemoryRegionCache *cache, + AddressSpaceDispatch *d; + hwaddr l; + MemoryRegion *mr; ++ Int128 diff; + + assert(len > 0); + +@@ -3640,6 +3641,15 @@ int64_t address_space_cache_init(MemoryRegionCache *cache, + d = flatview_to_dispatch(cache->fv); + cache->mrs = *address_space_translate_internal(d, addr, &cache->xlat, &l, true); + ++ /* ++ * cache->xlat is now relative to cache->mrs.mr, not to the section itself. ++ * Take that into account to compute how many bytes are there between ++ * cache->xlat and the end of the section. ++ */ ++ diff = int128_sub(cache->mrs.size, ++ int128_make64(cache->xlat - cache->mrs.offset_within_region)); ++ l = int128_get64(int128_min(diff, int128_make64(l))); ++ + mr = cache->mrs.mr; + memory_region_ref(mr); + if (memory_access_is_direct(mr, is_write)) { +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-28916.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-28916.patch new file mode 100644 index 0000000000..756b1c1495 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-28916.patch @@ -0,0 +1,48 @@ +From c2cb511634012344e3d0fe49a037a33b12d8a98a Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Wed, 11 Nov 2020 18:36:36 +0530 +Subject: [PATCH] hw/net/e1000e: advance desc_offset in case of null descriptor + +While receiving packets via e1000e_write_packet_to_guest() routine, +'desc_offset' is advanced only when RX descriptor is processed. And +RX descriptor is not processed if it has NULL buffer address. +This may lead to an infinite loop condition. Increament 'desc_offset' +to process next descriptor in the ring to avoid infinite loop. + +Reported-by: Cheol-woo Myung <330cjfdn@gmail.com> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: Jason Wang <jasowang@redhat.com> + +Upstream-Status: Backport +CVE: CVE-2020-28916 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + hw/net/e1000e_core.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c +index d8b9e4b2f4..095c01ebc6 100644 +--- a/hw/net/e1000e_core.c ++++ b/hw/net/e1000e_core.c +@@ -1596,13 +1596,13 @@ e1000e_write_packet_to_guest(E1000ECore *core, struct NetRxPkt *pkt, + (const char *) &fcs_pad, e1000x_fcs_len(core->mac)); + } + } +- desc_offset += desc_size; +- if (desc_offset >= total_size) { +- is_last = true; +- } + } else { /* as per intel docs; skip descriptors with null buf addr */ + trace_e1000e_rx_null_descriptor(); + } ++ desc_offset += desc_size; ++ if (desc_offset >= total_size) { ++ is_last = true; ++ } + + e1000e_write_rx_descr(core, desc, is_last ? core->rx_pkt : NULL, + rss_info, do_ps ? ps_hdr_len : 0, &bastate.written); +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch new file mode 100644 index 0000000000..1528d5c2fd --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch @@ -0,0 +1,45 @@ +From 813212288970c39b1800f63e83ac6e96588095c6 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini <pbonzini@redhat.com> +Date: Tue, 1 Dec 2020 13:09:26 +0100 +Subject: [PATCH] ide: atapi: assert that the buffer pointer is in range + +A case was reported where s->io_buffer_index can be out of range. +The report skimped on the details but it seems to be triggered +by s->lba == -1 on the READ/READ CD paths (e.g. by sending an +ATAPI command with LBA = 0xFFFFFFFF). For now paper over it +with assertions. The first one ensures that there is no overflow +when incrementing s->io_buffer_index, the second checks for the +buffer overrun. + +Note that the buffer overrun is only a read, so I am not sure +if the assertion failure is actually less harmful than the overrun. + +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +Message-id: 20201201120926.56559-1-pbonzini@redhat.com +Reviewed-by: Kevin Wolf <kwolf@redhat.com> +Signed-off-by: Peter Maydell <peter.maydell@linaro.org> + +Upstream-Status: Backport +CVE: CVE-2020-29443 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + hw/ide/atapi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c +index 14a2b0bb2f..e79157863f 100644 +--- a/hw/ide/atapi.c ++++ b/hw/ide/atapi.c +@@ -276,6 +276,8 @@ void ide_atapi_cmd_reply_end(IDEState *s) + s->packet_transfer_size -= size; + s->elementary_transfer_size -= size; + s->io_buffer_index += size; ++ assert(size <= s->io_buffer_total_len); ++ assert(s->io_buffer_index <= s->io_buffer_total_len); + + /* Some adapters process PIO data right away. In that case, we need + * to avoid mutual recursion between ide_transfer_start +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35504.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35504.patch new file mode 100644 index 0000000000..97d32589d8 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-35504.patch @@ -0,0 +1,51 @@ +Backport of: + +From 0db895361b8a82e1114372ff9f4857abea605701 Mon Sep 17 00:00:00 2001 +From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> +Date: Wed, 7 Apr 2021 20:57:50 +0100 +Subject: [PATCH] esp: always check current_req is not NULL before use in DMA + callbacks + +After issuing a SCSI command the SCSI layer can call the SCSIBusInfo .cancel +callback which resets both current_req and current_dev to NULL. If any data +is left in the transfer buffer (async_len != 0) then the next TI (Transfer +Information) command will attempt to reference the NULL pointer causing a +segfault. + +Buglink: https://bugs.launchpad.net/qemu/+bug/1910723 +Buglink: https://bugs.launchpad.net/qemu/+bug/1909247 +Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> +Tested-by: Alexander Bulekov <alxndr@bu.edu> +Message-Id: <20210407195801.685-2-mark.cave-ayland@ilande.co.uk> + +CVE: CVE-2020-35504 +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-35504.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/0db895361b8a82e1114372ff9f4857abea605701 ] +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + hw/scsi/esp.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +--- a/hw/scsi/esp.c ++++ b/hw/scsi/esp.c +@@ -362,6 +362,11 @@ static void do_dma_pdma_cb(ESPState *s) + do_cmd(s, s->cmdbuf); + return; + } ++ ++ if (!s->current_req) { ++ return; ++ } ++ + s->dma_left -= len; + s->async_buf += len; + s->async_len -= len; +@@ -415,6 +420,9 @@ static void esp_do_dma(ESPState *s) + do_cmd(s, s->cmdbuf); + return; + } ++ if (!s->current_req) { ++ return; ++ } + if (s->async_len == 0) { + /* Defer until data is available. */ + return; diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch new file mode 100644 index 0000000000..40c0b1e74f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch @@ -0,0 +1,45 @@ +Backport of: + +From 99545751734035b76bd372c4e7215bb337428d89 Mon Sep 17 00:00:00 2001 +From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> +Date: Wed, 7 Apr 2021 20:57:55 +0100 +Subject: [PATCH] esp: ensure cmdfifo is not empty and current_dev is non-NULL +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +When about to execute a SCSI command, ensure that cmdfifo is not empty and +current_dev is non-NULL. This can happen if the guest tries to execute a TI +(Transfer Information) command without issuing one of the select commands +first. + +Buglink: https://bugs.launchpad.net/qemu/+bug/1910723 +Buglink: https://bugs.launchpad.net/qemu/+bug/1909247 +Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> +Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> +Tested-by: Alexander Bulekov <alxndr@bu.edu> +Message-Id: <20210407195801.685-7-mark.cave-ayland@ilande.co.uk> + +CVE: CVE-2020-35505 +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-35505.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/99545751734035b76bd372c4e7215bb337428d89 ] +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +Signed-off-by: Emily Vekariya <emily.vekariya@einfochips.com> +--- + hw/scsi/esp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c +index c7d701bf..c2a67bc8 100644 +--- a/hw/scsi/esp.c ++++ b/hw/scsi/esp.c +@@ -193,6 +193,10 @@ static void do_busid_cmd(ESPState *s, uint8_t *buf, uint8_t busid) + + trace_esp_do_busid_cmd(busid); + lun = busid & 7; ++ ++ if (!s->current_dev) { ++ return; ++ } + current_lun = scsi_device_find(&s->bus, 0, s->current_dev->id, lun); + s->current_req = scsi_req_new(current_lun, 0, lun, buf, s); + datalen = scsi_req_enqueue(s->current_req); diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch new file mode 100644 index 0000000000..1b8c77f838 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch @@ -0,0 +1,81 @@ +From c2d2d14e8deece958bbc4fc649d22c3564bc4e7e Mon Sep 17 00:00:00 2001 +From: Greg Kurz <groug@kaod.org> +Date: Thu, 14 Jan 2021 17:04:12 +0100 +Subject: [PATCH] 9pfs: Fully restart unreclaim loop (CVE-2021-20181) + +Depending on the client activity, the server can be asked to open a huge +number of file descriptors and eventually hit RLIMIT_NOFILE. This is +currently mitigated using a reclaim logic : the server closes the file +descriptors of idle fids, based on the assumption that it will be able +to re-open them later. This assumption doesn't hold of course if the +client requests the file to be unlinked. In this case, we loop on the +entire fid list and mark all related fids as unreclaimable (the reclaim +logic will just ignore them) and, of course, we open or re-open their +file descriptors if needed since we're about to unlink the file. + +This is the purpose of v9fs_mark_fids_unreclaim(). Since the actual +opening of a file can cause the coroutine to yield, another client +request could possibly add a new fid that we may want to mark as +non-reclaimable as well. The loop is thus restarted if the re-open +request was actually transmitted to the backend. This is achieved +by keeping a reference on the first fid (head) before traversing +the list. + +This is wrong in several ways: +- a potential clunk request from the client could tear the first + fid down and cause the reference to be stale. This leads to a + use-after-free error that can be detected with ASAN, using a + custom 9p client +- fids are added at the head of the list : restarting from the + previous head will always miss fids added by a some other + potential request + +All these problems could be avoided if fids were being added at the +end of the list. This can be achieved with a QSIMPLEQ, but this is +probably too much change for a bug fix. For now let's keep it +simple and just restart the loop from the current head. + +Fixes: CVE-2021-20181 +Buglink: https://bugs.launchpad.net/qemu/+bug/1911666 +Reported-by: Zero Day Initiative <zdi-disclosures@trendmicro.com> +Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com> +Reviewed-by: Stefano Stabellini <sstabellini@kernel.org> +Message-Id: <161064025265.1838153.15185571283519390907.stgit@bahia.lan> +Signed-off-by: Greg Kurz <groug@kaod.org> + +Upstream-Status: Backport [89fbea8737e8f7b954745a1ffc4238d377055305] +CVE: CVE-2021-20181 + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/9pfs/9p.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c +index 94df440fc..6026b51a1 100644 +--- a/hw/9pfs/9p.c ++++ b/hw/9pfs/9p.c +@@ -502,9 +502,9 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path) + { + int err; + V9fsState *s = pdu->s; +- V9fsFidState *fidp, head_fid; ++ V9fsFidState *fidp; + +- head_fid.next = s->fid_list; ++again: + for (fidp = s->fid_list; fidp; fidp = fidp->next) { + if (fidp->path.size != path->size) { + continue; +@@ -524,7 +524,7 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path) + * switched to the worker thread + */ + if (err == 0) { +- fidp = &head_fid; ++ goto again; + } + } + } +-- +2.29.2 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch new file mode 100644 index 0000000000..e9b815740f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch @@ -0,0 +1,62 @@ +From 94608c59045791dfd35102bc59b792e96f2cfa30 Mon Sep 17 00:00:00 2001 +From: Vivek Kumbhar <vkumbhar@mvista.com> +Date: Tue, 29 Nov 2022 15:57:13 +0530 +Subject: [PATCH] CVE-2021-20196 + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/1ab95af033a419e7a64e2d58e67dd96b20af5233] +CVE: CVE-2021-20196 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> + +hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196 + +Guest might select another drive on the bus by setting the +DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR). +The current controller model doesn't expect a BlockBackend +to be NULL. A simple way to fix CVE-2021-20196 is to create +an empty BlockBackend when it is missing. All further +accesses will be safely handled, and the controller state +machines keep behaving correctly. +--- + hw/block/fdc.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/hw/block/fdc.c b/hw/block/fdc.c +index ac5d31e8..e128e975 100644 +--- a/hw/block/fdc.c ++++ b/hw/block/fdc.c +@@ -58,6 +58,11 @@ + } \ + } while (0) + ++/* Anonymous BlockBackend for empty drive */ ++static BlockBackend *blk_create_empty_drive(void) ++{ ++ return blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL); ++} + + /********************************************************/ + /* qdev floppy bus */ +@@ -1356,7 +1361,19 @@ static FDrive *get_drv(FDCtrl *fdctrl, int unit) + + static FDrive *get_cur_drv(FDCtrl *fdctrl) + { +- return get_drv(fdctrl, fdctrl->cur_drv); ++ FDrive *cur_drv = get_drv(fdctrl, fdctrl->cur_drv); ++ ++ if (!cur_drv->blk) { ++ /* ++ * Kludge: empty drive line selected. Create an anonymous ++ * BlockBackend to avoid NULL deref with various BlockBackend ++ * API calls within this model (CVE-2021-20196). ++ * Due to the controller QOM model limitations, we don't ++ * attach the created to the controller device. ++ */ ++ cur_drv->blk = blk_create_empty_drive(); ++ } ++ return cur_drv; + } + + /* Status A register : 0x00 (read-only) */ +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch new file mode 100644 index 0000000000..46c9ab4184 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch @@ -0,0 +1,67 @@ +From edfe2eb4360cde4ed5d95bda7777edcb3510f76a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org> +Date: Sun, 31 Jan 2021 11:34:01 +0100 +Subject: [PATCH] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Per the ARM Generic Interrupt Controller Architecture specification +(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit, +not 10: + + - 4.3 Distributor register descriptions + - 4.3.15 Software Generated Interrupt Register, GICD_SG + + - Table 4-21 GICD_SGIR bit assignments + + The Interrupt ID of the SGI to forward to the specified CPU + interfaces. The value of this field is the Interrupt ID, in + the range 0-15, for example a value of 0b0011 specifies + Interrupt ID 3. + +Correct the irq mask to fix an undefined behavior (which eventually +lead to a heap-buffer-overflow, see [Buglink]): + + $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio + [I 1612088147.116987] OPENED + [R +0.278293] writel 0x8000f00 0xff4affb0 + ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]' + SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13 + +This fixes a security issue when running with KVM on Arm with +kernel-irqchip=off. (The default is kernel-irqchip=on, which is +unaffected, and which is also the correct choice for performance.) + +Cc: qemu-stable@nongnu.org +Fixes: CVE-2021-20221 +Fixes: 9ee6e8bb853 ("ARMv7 support.") +Buglink: https://bugs.launchpad.net/qemu/+bug/1913916 +Buglink: https://bugs.launchpad.net/qemu/+bug/1913917 +Reported-by: Alexander Bulekov <alxndr@bu.edu> +Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> +Message-id: 20210131103401.217160-1-f4bug@amsat.org +Reviewed-by: Peter Maydell <peter.maydell@linaro.org> +Signed-off-by: Peter Maydell <peter.maydell@linaro.org> + +Upstream-Status: Backport +CVE: CVE-2021-20221 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + hw/intc/arm_gic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: qemu-4.2.0/hw/intc/arm_gic.c +=================================================================== +--- qemu-4.2.0.orig/hw/intc/arm_gic.c ++++ qemu-4.2.0/hw/intc/arm_gic.c +@@ -1455,7 +1455,7 @@ static void gic_dist_writel(void *opaque + int target_cpu; + + cpu = gic_get_current_cpu(s); +- irq = value & 0x3ff; ++ irq = value & 0xf; + switch ((value >> 24) & 3) { + case 0: + mask = (value >> 16) & ALL_CPU_MASK; diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch new file mode 100644 index 0000000000..7175b24e99 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch @@ -0,0 +1,55 @@ +From affdf476543405045c281a7c67d1eaedbcea8135 Mon Sep 17 00:00:00 2001 +From: Jason Wang <jasowang@redhat.com> +Date: Wed, 24 Feb 2021 13:45:28 +0800 +Subject: [PATCH] e1000: fail early for evil descriptor + +During procss_tx_desc(), driver can try to chain data descriptor with +legacy descriptor, when will lead underflow for the following +calculation in process_tx_desc() for bytes: + + if (tp->size + bytes > msh) + bytes = msh - tp->size; + +This will lead a infinite loop. So check and fail early if tp->size if +greater or equal to msh. + +Reported-by: Alexander Bulekov <alxndr@bu.edu> +Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr> +Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de> +Cc: Prasad J Pandit <ppandit@redhat.com> +Cc: qemu-stable@nongnu.org +Signed-off-by: Jason Wang <jasowang@redhat.com> + +Upstream-Status: Backport [3de46e6fc489c52c9431a8a832ad8170a7569bd8] +CVE: CVE-2021-20257 + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/net/e1000.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/hw/net/e1000.c b/hw/net/e1000.c +index cf22c4f07..c3564c7ce 100644 +--- a/hw/net/e1000.c ++++ b/hw/net/e1000.c +@@ -670,6 +670,9 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) + msh = tp->tso_props.hdr_len + tp->tso_props.mss; + do { + bytes = split_size; ++ if (tp->size >= msh) { ++ goto eop; ++ } + if (tp->size + bytes > msh) + bytes = msh - tp->size; + +@@ -695,6 +698,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) + tp->size += split_size; + } + ++eop: + if (!(txd_lower & E1000_TXD_CMD_EOP)) + return; + if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) { +-- +2.29.2 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-1.patch new file mode 100644 index 0000000000..d53383247e --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-1.patch @@ -0,0 +1,85 @@ +From b263d8f928001b5cfa2a993ea43b7a5b3a1811e8 Mon Sep 17 00:00:00 2001 +From: Bin Meng <bmeng.cn@gmail.com> +Date: Wed, 3 Mar 2021 20:26:35 +0800 +Subject: [PATCH] hw/sd: sdhci: Don't transfer any data when command time out +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +At the end of sdhci_send_command(), it starts a data transfer if the +command register indicates data is associated. But the data transfer +should only be initiated when the command execution has succeeded. + +With this fix, the following reproducer: + +outl 0xcf8 0x80001810 +outl 0xcfc 0xe1068000 +outl 0xcf8 0x80001804 +outw 0xcfc 0x7 +write 0xe106802c 0x1 0x0f +write 0xe1068004 0xc 0x2801d10101fffffbff28a384 +write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f +write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576 +write 0xe1068003 0x1 0xfe + +cannot be reproduced with the following QEMU command line: + +$ qemu-system-x86_64 -nographic -M pc-q35-5.0 \ + -device sdhci-pci,sd-spec-version=3 \ + -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \ + -device sd-card,drive=mydrive \ + -monitor none -serial none -qtest stdio + +Cc: qemu-stable@nongnu.org +Fixes: CVE-2020-17380 +Fixes: CVE-2020-25085 +Fixes: CVE-2021-3409 +Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller") +Reported-by: Alexander Bulekov <alxndr@bu.edu> +Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum) +Reported-by: Sergej Schumilo (Ruhr-Universität Bochum) +Reported-by: Simon Wörner (Ruhr-Universität Bochum) +Buglink: https://bugs.launchpad.net/qemu/+bug/1892960 +Buglink: https://bugs.launchpad.net/qemu/+bug/1909418 +Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146 +Acked-by: Alistair Francis <alistair.francis@wdc.com> +Tested-by: Alexander Bulekov <alxndr@bu.edu> +Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org> +Signed-off-by: Bin Meng <bmeng.cn@gmail.com> +Message-Id: <20210303122639.20004-2-bmeng.cn@gmail.com> +Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> + +CVE: CVE-2021-3409 CVE-2020-17380 +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-1.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/b263d8f928001b5cfa2a993ea43b7a5b3a1811e8 ] +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + hw/sd/sdhci.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/hw/sd/sdhci.c ++++ b/hw/sd/sdhci.c +@@ -316,6 +316,7 @@ static void sdhci_send_command(SDHCIStat + SDRequest request; + uint8_t response[16]; + int rlen; ++ bool timeout = false; + + s->errintsts = 0; + s->acmd12errsts = 0; +@@ -339,6 +340,7 @@ static void sdhci_send_command(SDHCIStat + trace_sdhci_response16(s->rspreg[3], s->rspreg[2], + s->rspreg[1], s->rspreg[0]); + } else { ++ timeout = true; + trace_sdhci_error("timeout waiting for command response"); + if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT) { + s->errintsts |= SDHC_EIS_CMDTIMEOUT; +@@ -359,7 +361,7 @@ static void sdhci_send_command(SDHCIStat + + sdhci_update_irq(s); + +- if (s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) { ++ if (!timeout && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) { + s->data_count = 0; + sdhci_data_transfer(s); + } diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-2.patch new file mode 100644 index 0000000000..dc00f76ec9 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-2.patch @@ -0,0 +1,103 @@ +From 8be45cc947832b3c02144c9d52921f499f2d77fe Mon Sep 17 00:00:00 2001 +From: Bin Meng <bmeng.cn@gmail.com> +Date: Wed, 3 Mar 2021 20:26:36 +0800 +Subject: [PATCH] hw/sd: sdhci: Don't write to SDHC_SYSAD register when + transfer is in progress +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Per "SD Host Controller Standard Specification Version 7.00" +chapter 2.2.1 SDMA System Address Register: + +This register can be accessed only if no transaction is executing +(i.e., after a transaction has stopped). + +With this fix, the following reproducer: + +outl 0xcf8 0x80001010 +outl 0xcfc 0xfbefff00 +outl 0xcf8 0x80001001 +outl 0xcfc 0x06000000 +write 0xfbefff2c 0x1 0x05 +write 0xfbefff0f 0x1 0x37 +write 0xfbefff0a 0x1 0x01 +write 0xfbefff0f 0x1 0x29 +write 0xfbefff0f 0x1 0x02 +write 0xfbefff0f 0x1 0x03 +write 0xfbefff04 0x1 0x01 +write 0xfbefff05 0x1 0x01 +write 0xfbefff07 0x1 0x02 +write 0xfbefff0c 0x1 0x33 +write 0xfbefff0e 0x1 0x20 +write 0xfbefff0f 0x1 0x00 +write 0xfbefff2a 0x1 0x01 +write 0xfbefff0c 0x1 0x00 +write 0xfbefff03 0x1 0x00 +write 0xfbefff05 0x1 0x00 +write 0xfbefff2a 0x1 0x02 +write 0xfbefff0c 0x1 0x32 +write 0xfbefff01 0x1 0x01 +write 0xfbefff02 0x1 0x01 +write 0xfbefff03 0x1 0x01 + +cannot be reproduced with the following QEMU command line: + +$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \ + -nodefaults -device sdhci-pci,sd-spec-version=3 \ + -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \ + -device sd-card,drive=mydrive -qtest stdio + +Cc: qemu-stable@nongnu.org +Fixes: CVE-2020-17380 +Fixes: CVE-2020-25085 +Fixes: CVE-2021-3409 +Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller") +Reported-by: Alexander Bulekov <alxndr@bu.edu> +Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum) +Reported-by: Sergej Schumilo (Ruhr-Universität Bochum) +Reported-by: Simon Wörner (Ruhr-Universität Bochum) +Buglink: https://bugs.launchpad.net/qemu/+bug/1892960 +Buglink: https://bugs.launchpad.net/qemu/+bug/1909418 +Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146 +Tested-by: Alexander Bulekov <alxndr@bu.edu> +Signed-off-by: Bin Meng <bmeng.cn@gmail.com> +Message-Id: <20210303122639.20004-3-bmeng.cn@gmail.com> +Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> + +CVE: CVE-2021-3409 CVE-2020-17380 +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-2.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/8be45cc947832b3c02144c9d52921f499f2d77fe ] +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + hw/sd/sdhci.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +--- a/hw/sd/sdhci.c ++++ b/hw/sd/sdhci.c +@@ -1117,15 +1117,17 @@ sdhci_write(void *opaque, hwaddr offset, + + switch (offset & ~0x3) { + case SDHC_SYSAD: +- s->sdmasysad = (s->sdmasysad & mask) | value; +- MASKED_WRITE(s->sdmasysad, mask, value); +- /* Writing to last byte of sdmasysad might trigger transfer */ +- if (!(mask & 0xFF000000) && TRANSFERRING_DATA(s->prnsts) && s->blkcnt && +- s->blksize && SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) { +- if (s->trnmod & SDHC_TRNS_MULTI) { +- sdhci_sdma_transfer_multi_blocks(s); +- } else { +- sdhci_sdma_transfer_single_block(s); ++ if (!TRANSFERRING_DATA(s->prnsts)) { ++ s->sdmasysad = (s->sdmasysad & mask) | value; ++ MASKED_WRITE(s->sdmasysad, mask, value); ++ /* Writing to last byte of sdmasysad might trigger transfer */ ++ if (!(mask & 0xFF000000) && s->blkcnt && s->blksize && ++ SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) { ++ if (s->trnmod & SDHC_TRNS_MULTI) { ++ sdhci_sdma_transfer_multi_blocks(s); ++ } else { ++ sdhci_sdma_transfer_single_block(s); ++ } + } + } + break; diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-3.patch new file mode 100644 index 0000000000..d06ac0ed3c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-3.patch @@ -0,0 +1,71 @@ +Backport of: + +From bc6f28995ff88f5d82c38afcfd65406f0ae375aa Mon Sep 17 00:00:00 2001 +From: Bin Meng <bmeng.cn@gmail.com> +Date: Wed, 3 Mar 2021 20:26:37 +0800 +Subject: [PATCH] hw/sd: sdhci: Correctly set the controller status for ADMA +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +When an ADMA transfer is started, the codes forget to set the +controller status to indicate a transfer is in progress. + +With this fix, the following 2 reproducers: + +https://paste.debian.net/plain/1185136 +https://paste.debian.net/plain/1185141 + +cannot be reproduced with the following QEMU command line: + +$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \ + -nodefaults -device sdhci-pci,sd-spec-version=3 \ + -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \ + -device sd-card,drive=mydrive -qtest stdio + +Cc: qemu-stable@nongnu.org +Fixes: CVE-2020-17380 +Fixes: CVE-2020-25085 +Fixes: CVE-2021-3409 +Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller") +Reported-by: Alexander Bulekov <alxndr@bu.edu> +Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum) +Reported-by: Sergej Schumilo (Ruhr-Universität Bochum) +Reported-by: Simon Wörner (Ruhr-Universität Bochum) +Buglink: https://bugs.launchpad.net/qemu/+bug/1892960 +Buglink: https://bugs.launchpad.net/qemu/+bug/1909418 +Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146 +Tested-by: Alexander Bulekov <alxndr@bu.edu> +Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> +Signed-off-by: Bin Meng <bmeng.cn@gmail.com> +Message-Id: <20210303122639.20004-4-bmeng.cn@gmail.com> +Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> + +CVE: CVE-2021-3409 CVE-2020-17380 +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-3.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/bc6f28995ff88f5d82c38afcfd65406f0ae375aa ] +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + hw/sd/sdhci.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/hw/sd/sdhci.c ++++ b/hw/sd/sdhci.c +@@ -776,8 +776,9 @@ static void sdhci_do_adma(SDHCIState *s) + + switch (dscr.attr & SDHC_ADMA_ATTR_ACT_MASK) { + case SDHC_ADMA_ATTR_ACT_TRAN: /* data transfer */ +- ++ s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE; + if (s->trnmod & SDHC_TRNS_READ) { ++ s->prnsts |= SDHC_DOING_READ; + while (length) { + if (s->data_count == 0) { + for (n = 0; n < block_size; n++) { +@@ -807,6 +808,7 @@ static void sdhci_do_adma(SDHCIState *s) + } + } + } else { ++ s->prnsts |= SDHC_DOING_WRITE; + while (length) { + begin = s->data_count; + if ((length + begin) < block_size) { diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-4.patch new file mode 100644 index 0000000000..2e49e3bc18 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-4.patch @@ -0,0 +1,52 @@ +Backport of: + +From 5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd Mon Sep 17 00:00:00 2001 +From: Bin Meng <bmeng.cn@gmail.com> +Date: Wed, 3 Mar 2021 20:26:38 +0800 +Subject: [PATCH] hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE + register is writable +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +The codes to limit the maximum block size is only necessary when +SDHC_BLKSIZE register is writable. + +Tested-by: Alexander Bulekov <alxndr@bu.edu> +Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> +Signed-off-by: Bin Meng <bmeng.cn@gmail.com> +Message-Id: <20210303122639.20004-5-bmeng.cn@gmail.com> +Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> + +CVE: CVE-2021-3409 CVE-2020-17380 +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-4.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd ] +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + hw/sd/sdhci.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/hw/sd/sdhci.c ++++ b/hw/sd/sdhci.c +@@ -1137,15 +1137,15 @@ sdhci_write(void *opaque, hwaddr offset, + if (!TRANSFERRING_DATA(s->prnsts)) { + MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12)); + MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16); +- } + +- /* Limit block size to the maximum buffer size */ +- if (extract32(s->blksize, 0, 12) > s->buf_maxsz) { +- qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " \ +- "the maximum buffer 0x%x", __func__, s->blksize, +- s->buf_maxsz); ++ /* Limit block size to the maximum buffer size */ ++ if (extract32(s->blksize, 0, 12) > s->buf_maxsz) { ++ qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " ++ "the maximum buffer 0x%x\n", __func__, s->blksize, ++ s->buf_maxsz); + +- s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); ++ s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); ++ } + } + + break; diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-5.patch new file mode 100644 index 0000000000..7b436809e9 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-5.patch @@ -0,0 +1,93 @@ +From cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9 Mon Sep 17 00:00:00 2001 +From: Bin Meng <bmeng.cn@gmail.com> +Date: Wed, 3 Mar 2021 20:26:39 +0800 +Subject: [PATCH] hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[] when + a different block size is programmed +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +If the block size is programmed to a different value from the +previous one, reset the data pointer of s->fifo_buffer[] so that +s->fifo_buffer[] can be filled in using the new block size in +the next transfer. + +With this fix, the following reproducer: + +outl 0xcf8 0x80001010 +outl 0xcfc 0xe0000000 +outl 0xcf8 0x80001001 +outl 0xcfc 0x06000000 +write 0xe000002c 0x1 0x05 +write 0xe0000005 0x1 0x02 +write 0xe0000007 0x1 0x01 +write 0xe0000028 0x1 0x10 +write 0x0 0x1 0x23 +write 0x2 0x1 0x08 +write 0xe000000c 0x1 0x01 +write 0xe000000e 0x1 0x20 +write 0xe000000f 0x1 0x00 +write 0xe000000c 0x1 0x32 +write 0xe0000004 0x2 0x0200 +write 0xe0000028 0x1 0x00 +write 0xe0000003 0x1 0x40 + +cannot be reproduced with the following QEMU command line: + +$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \ + -nodefaults -device sdhci-pci,sd-spec-version=3 \ + -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \ + -device sd-card,drive=mydrive -qtest stdio + +Cc: qemu-stable@nongnu.org +Fixes: CVE-2020-17380 +Fixes: CVE-2020-25085 +Fixes: CVE-2021-3409 +Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller") +Reported-by: Alexander Bulekov <alxndr@bu.edu> +Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum) +Reported-by: Sergej Schumilo (Ruhr-Universität Bochum) +Reported-by: Simon Wörner (Ruhr-Universität Bochum) +Buglink: https://bugs.launchpad.net/qemu/+bug/1892960 +Buglink: https://bugs.launchpad.net/qemu/+bug/1909418 +Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146 +Tested-by: Alexander Bulekov <alxndr@bu.edu> +Signed-off-by: Bin Meng <bmeng.cn@gmail.com> +Message-Id: <20210303122639.20004-6-bmeng.cn@gmail.com> +Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> + +CVE: CVE-2021-3409 CVE-2020-17380 +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-5.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9 ] +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + hw/sd/sdhci.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/hw/sd/sdhci.c ++++ b/hw/sd/sdhci.c +@@ -1135,6 +1135,8 @@ sdhci_write(void *opaque, hwaddr offset, + break; + case SDHC_BLKSIZE: + if (!TRANSFERRING_DATA(s->prnsts)) { ++ uint16_t blksize = s->blksize; ++ + MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12)); + MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16); + +@@ -1146,6 +1148,16 @@ sdhci_write(void *opaque, hwaddr offset, + + s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); + } ++ ++ /* ++ * If the block size is programmed to a different value from ++ * the previous one, reset the data pointer of s->fifo_buffer[] ++ * so that s->fifo_buffer[] can be filled in using the new block ++ * size in the next transfer. ++ */ ++ if (blksize != s->blksize) { ++ s->data_count = 0; ++ } + } + + break; diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch new file mode 100644 index 0000000000..5bacd67481 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch @@ -0,0 +1,177 @@ +From 4b1988a29d67277d6c8ce1df52975f5616592913 Mon Sep 17 00:00:00 2001 +From: Jason Wang <jasowang@redhat.com> +Date: Wed, 24 Feb 2021 11:44:36 +0800 +Subject: [PATCH 01/10] net: introduce qemu_receive_packet() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Some NIC supports loopback mode and this is done by calling +nc->info->receive() directly which in fact suppresses the effort of +reentrancy check that is done in qemu_net_queue_send(). + +Unfortunately we can't use qemu_net_queue_send() here since for +loopback there's no sender as peer, so this patch introduce a +qemu_receive_packet() which is used for implementing loopback mode +for a NIC with this check. + +NIC that supports loopback mode will be converted to this helper. + +This is intended to address CVE-2021-3416. + +Cc: Prasad J Pandit <ppandit@redhat.com> +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Cc: qemu-stable@nongnu.org +Signed-off-by: Jason Wang <jasowang@redhat.com> + +Upstream-Status: Backport [705df5466c98f3efdd2b68d3b31dad86858acad7] +CVE: CVE-2021-3416 + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + include/net/net.h | 5 +++++ + include/net/queue.h | 8 ++++++++ + net/net.c | 38 +++++++++++++++++++++++++++++++------- + net/queue.c | 22 ++++++++++++++++++++++ + 4 files changed, 66 insertions(+), 7 deletions(-) + +diff --git a/include/net/net.h b/include/net/net.h +index 778fc787c..03f058ecb 100644 +--- a/include/net/net.h ++++ b/include/net/net.h +@@ -143,12 +143,17 @@ void *qemu_get_nic_opaque(NetClientState *nc); + void qemu_del_net_client(NetClientState *nc); + typedef void (*qemu_nic_foreach)(NICState *nic, void *opaque); + void qemu_foreach_nic(qemu_nic_foreach func, void *opaque); ++int qemu_can_receive_packet(NetClientState *nc); + int qemu_can_send_packet(NetClientState *nc); + ssize_t qemu_sendv_packet(NetClientState *nc, const struct iovec *iov, + int iovcnt); + ssize_t qemu_sendv_packet_async(NetClientState *nc, const struct iovec *iov, + int iovcnt, NetPacketSent *sent_cb); + ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size); ++ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size); ++ssize_t qemu_receive_packet_iov(NetClientState *nc, ++ const struct iovec *iov, ++ int iovcnt); + ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size); + ssize_t qemu_send_packet_async(NetClientState *nc, const uint8_t *buf, + int size, NetPacketSent *sent_cb); +diff --git a/include/net/queue.h b/include/net/queue.h +index c0269bb1d..9f2f289d7 100644 +--- a/include/net/queue.h ++++ b/include/net/queue.h +@@ -55,6 +55,14 @@ void qemu_net_queue_append_iov(NetQueue *queue, + + void qemu_del_net_queue(NetQueue *queue); + ++ssize_t qemu_net_queue_receive(NetQueue *queue, ++ const uint8_t *data, ++ size_t size); ++ ++ssize_t qemu_net_queue_receive_iov(NetQueue *queue, ++ const struct iovec *iov, ++ int iovcnt); ++ + ssize_t qemu_net_queue_send(NetQueue *queue, + NetClientState *sender, + unsigned flags, +diff --git a/net/net.c b/net/net.c +index 6a2c3d956..5e15e5d27 100644 +--- a/net/net.c ++++ b/net/net.c +@@ -528,6 +528,17 @@ int qemu_set_vnet_be(NetClientState *nc, bool is_be) + #endif + } + ++int qemu_can_receive_packet(NetClientState *nc) ++{ ++ if (nc->receive_disabled) { ++ return 0; ++ } else if (nc->info->can_receive && ++ !nc->info->can_receive(nc)) { ++ return 0; ++ } ++ return 1; ++} ++ + int qemu_can_send_packet(NetClientState *sender) + { + int vm_running = runstate_is_running(); +@@ -540,13 +551,7 @@ int qemu_can_send_packet(NetClientState *sender) + return 1; + } + +- if (sender->peer->receive_disabled) { +- return 0; +- } else if (sender->peer->info->can_receive && +- !sender->peer->info->can_receive(sender->peer)) { +- return 0; +- } +- return 1; ++ return qemu_can_receive_packet(sender->peer); + } + + static ssize_t filter_receive_iov(NetClientState *nc, +@@ -679,6 +684,25 @@ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size) + return qemu_send_packet_async(nc, buf, size, NULL); + } + ++ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size) ++{ ++ if (!qemu_can_receive_packet(nc)) { ++ return 0; ++ } ++ ++ return qemu_net_queue_receive(nc->incoming_queue, buf, size); ++} ++ ++ssize_t qemu_receive_packet_iov(NetClientState *nc, const struct iovec *iov, ++ int iovcnt) ++{ ++ if (!qemu_can_receive_packet(nc)) { ++ return 0; ++ } ++ ++ return qemu_net_queue_receive_iov(nc->incoming_queue, iov, iovcnt); ++} ++ + ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size) + { + return qemu_send_packet_async_with_flags(nc, QEMU_NET_PACKET_FLAG_RAW, +diff --git a/net/queue.c b/net/queue.c +index 19e32c80f..c872d51df 100644 +--- a/net/queue.c ++++ b/net/queue.c +@@ -182,6 +182,28 @@ static ssize_t qemu_net_queue_deliver_iov(NetQueue *queue, + return ret; + } + ++ssize_t qemu_net_queue_receive(NetQueue *queue, ++ const uint8_t *data, ++ size_t size) ++{ ++ if (queue->delivering) { ++ return 0; ++ } ++ ++ return qemu_net_queue_deliver(queue, NULL, 0, data, size); ++} ++ ++ssize_t qemu_net_queue_receive_iov(NetQueue *queue, ++ const struct iovec *iov, ++ int iovcnt) ++{ ++ if (queue->delivering) { ++ return 0; ++ } ++ ++ return qemu_net_queue_deliver_iov(queue, NULL, 0, iov, iovcnt); ++} ++ + ssize_t qemu_net_queue_send(NetQueue *queue, + NetClientState *sender, + unsigned flags, +-- +2.29.2 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch new file mode 100644 index 0000000000..fdb4894e44 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch @@ -0,0 +1,41 @@ +From 65b851efd3d0280425c202f4e5880c48f8334dae Mon Sep 17 00:00:00 2001 +From: Alexander Bulekov <alxndr@bu.edu> +Date: Mon, 1 Mar 2021 14:35:30 -0500 +Subject: [PATCH 10/10] lan9118: switch to use qemu_receive_packet() for + loopback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch switches to use qemu_receive_packet() which can detect +reentrancy and return early. + +This is intended to address CVE-2021-3416. + +Cc: Prasad J Pandit <ppandit@redhat.com> +Cc: qemu-stable@nongnu.org +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com +Signed-off-by: Alexander Bulekov <alxndr@bu.edu> +Signed-off-by: Jason Wang <jasowang@redhat.com> + +Upstream-Status: Backport [37cee01784ff0df13e5209517e1b3594a5e792d1] +CVE: CVE-2021-3416 + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/net/lan9118.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: qemu-4.2.0/hw/net/lan9118.c +=================================================================== +--- qemu-4.2.0.orig/hw/net/lan9118.c ++++ qemu-4.2.0/hw/net/lan9118.c +@@ -667,7 +667,7 @@ static void do_tx_packet(lan9118_state * + /* FIXME: Honor TX disable, and allow queueing of packets. */ + if (s->phy_control & 0x4000) { + /* This assumes the receive routine doesn't touch the VLANClient. */ +- lan9118_receive(qemu_get_queue(s->nic), s->txp->data, s->txp->len); ++ qemu_receive_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len); + } else { + qemu_send_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len); + } diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch new file mode 100644 index 0000000000..5e53e20bac --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch @@ -0,0 +1,42 @@ +From e2a48a3c7cc33dbbe89f896e0f07462cb04ff6b5 Mon Sep 17 00:00:00 2001 +From: Jason Wang <jasowang@redhat.com> +Date: Wed, 24 Feb 2021 12:13:22 +0800 +Subject: [PATCH 02/10] e1000: switch to use qemu_receive_packet() for loopback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch switches to use qemu_receive_packet() which can detect +reentrancy and return early. + +This is intended to address CVE-2021-3416. + +Cc: Prasad J Pandit <ppandit@redhat.com> +Cc: qemu-stable@nongnu.org +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Signed-off-by: Jason Wang <jasowang@redhat.com> + +Upstream-Status: Backport [1caff0340f49c93d535c6558a5138d20d475315c] +CVE: CVE-2021-3416 + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/net/e1000.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/net/e1000.c b/hw/net/e1000.c +index d7d05ae30..cf22c4f07 100644 +--- a/hw/net/e1000.c ++++ b/hw/net/e1000.c +@@ -546,7 +546,7 @@ e1000_send_packet(E1000State *s, const uint8_t *buf, int size) + + NetClientState *nc = qemu_get_queue(s->nic); + if (s->phy_reg[PHY_CTRL] & MII_CR_LOOPBACK) { +- nc->info->receive(nc, buf, size); ++ qemu_receive_packet(nc, buf, size); + } else { + qemu_send_packet(nc, buf, size); + } +-- +2.29.2 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch new file mode 100644 index 0000000000..3fc469e3e3 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch @@ -0,0 +1,43 @@ +From c041a4da1ff119715e0ccf2d4a7af62568f17b93 Mon Sep 17 00:00:00 2001 +From: Jason Wang <jasowang@redhat.com> +Date: Wed, 24 Feb 2021 12:57:40 +0800 +Subject: [PATCH 03/10] dp8393x: switch to use qemu_receive_packet() for + loopback packet +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch switches to use qemu_receive_packet() which can detect +reentrancy and return early. + +This is intended to address CVE-2021-3416. + +Cc: Prasad J Pandit <ppandit@redhat.com> +Cc: qemu-stable@nongnu.org +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com +Signed-off-by: Jason Wang <jasowang@redhat.com> + +Upstream-Status: Backport [331d2ac9ea307c990dc86e6493e8f0c48d14bb33] +CVE: CVE-2021-3416 + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/net/dp8393x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c +index 205c0decc..533a8304d 100644 +--- a/hw/net/dp8393x.c ++++ b/hw/net/dp8393x.c +@@ -506,7 +506,7 @@ static void dp8393x_do_transmit_packets(dp8393xState *s) + s->regs[SONIC_TCR] |= SONIC_TCR_CRSL; + if (nc->info->can_receive(nc)) { + s->loopback_packet = 1; +- nc->info->receive(nc, s->tx_buffer, tx_len); ++ qemu_receive_packet(nc, s->tx_buffer, tx_len); + } + } else { + /* Transmit packet */ +-- +2.29.2 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch new file mode 100644 index 0000000000..93202ebcef --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch @@ -0,0 +1,42 @@ +From d465dc79c9ee729d91ef086b993e956b1935be69 Mon Sep 17 00:00:00 2001 +From: Jason Wang <jasowang@redhat.com> +Date: Wed, 24 Feb 2021 13:14:35 +0800 +Subject: [PATCH 05/10] sungem: switch to use qemu_receive_packet() for + loopback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch switches to use qemu_receive_packet() which can detect +reentrancy and return early. + +This is intended to address CVE-2021-3416. + +Cc: Prasad J Pandit <ppandit@redhat.com> +Cc: qemu-stable@nongnu.org +Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Reviewed-by: Alistair Francis <alistair.francis@wdc.com> +Signed-off-by: Jason Wang <jasowang@redhat.com> + +Upstream-Status: Backport [8c92060d3c0248bd4d515719a35922cd2391b9b4] +CVE: CVE-2021-3416 + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/net/sungem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: qemu-4.2.0/hw/net/sungem.c +=================================================================== +--- qemu-4.2.0.orig/hw/net/sungem.c ++++ qemu-4.2.0/hw/net/sungem.c +@@ -305,7 +305,7 @@ static void sungem_send_packet(SunGEMSta + NetClientState *nc = qemu_get_queue(s->nic); + + if (s->macregs[MAC_XIFCFG >> 2] & MAC_XIFCFG_LBCK) { +- nc->info->receive(nc, buf, size); ++ qemu_receive_packet(nc, buf, size); + } else { + qemu_send_packet(nc, buf, size); + } diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch new file mode 100644 index 0000000000..40b4bd96e7 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch @@ -0,0 +1,40 @@ +From c0010f9b2bafe866fe32e3c2688454bc24147136 Mon Sep 17 00:00:00 2001 +From: Jason Wang <jasowang@redhat.com> +Date: Wed, 24 Feb 2021 13:27:52 +0800 +Subject: [PATCH 06/10] tx_pkt: switch to use qemu_receive_packet_iov() for + loopback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch switches to use qemu_receive_receive_iov() which can detect +reentrancy and return early. + +This is intended to address CVE-2021-3416. + +Cc: Prasad J Pandit <ppandit@redhat.com> +Cc: qemu-stable@nongnu.org +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Signed-off-by: Jason Wang <jasowang@redhat.com> + +Upstream-Status: Backport [8c552542b81e56ff532dd27ec6e5328954bdda73] +CVE: CVE-2021-3416 + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/net/net_tx_pkt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: qemu-4.2.0/hw/net/net_tx_pkt.c +=================================================================== +--- qemu-4.2.0.orig/hw/net/net_tx_pkt.c ++++ qemu-4.2.0/hw/net/net_tx_pkt.c +@@ -544,7 +544,7 @@ static inline void net_tx_pkt_sendv(stru + NetClientState *nc, const struct iovec *iov, int iov_cnt) + { + if (pkt->is_loopback) { +- nc->info->receive_iov(nc, iov, iov_cnt); ++ qemu_receive_packet_iov(nc, iov, iov_cnt); + } else { + qemu_sendv_packet(nc, iov, iov_cnt); + } diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch new file mode 100644 index 0000000000..b3b702cca4 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch @@ -0,0 +1,42 @@ +From 64b38675c728354e4015e4bec3d975cd4cb8a981 Mon Sep 17 00:00:00 2001 +From: Alexander Bulekov <alxndr@bu.edu> +Date: Fri, 26 Feb 2021 13:47:53 -0500 +Subject: [PATCH 07/10] rtl8139: switch to use qemu_receive_packet() for + loopback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch switches to use qemu_receive_packet() which can detect +reentrancy and return early. + +This is intended to address CVE-2021-3416. + +Cc: Prasad J Pandit <ppandit@redhat.com> +Cc: qemu-stable@nongnu.org +Buglink: https://bugs.launchpad.net/qemu/+bug/1910826 +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com +Signed-off-by: Alexander Bulekov <alxndr@bu.edu> +Signed-off-by: Jason Wang <jasowang@redhat.com> + +Upstream-Status: Backport [5311fb805a4403bba024e83886fa0e7572265de4] +CVE: CVE-2021-3416 + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/net/rtl8139.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: qemu-4.2.0/hw/net/rtl8139.c +=================================================================== +--- qemu-4.2.0.orig/hw/net/rtl8139.c ++++ qemu-4.2.0/hw/net/rtl8139.c +@@ -1793,7 +1793,7 @@ static void rtl8139_transfer_frame(RTL81 + } + + DPRINTF("+++ transmit loopback mode\n"); +- rtl8139_do_receive(qemu_get_queue(s->nic), buf, size, do_interrupt); ++ qemu_receive_packet(qemu_get_queue(s->nic), buf, size); + + if (iov) { + g_free(buf2); diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch new file mode 100644 index 0000000000..ed716468dc --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch @@ -0,0 +1,44 @@ +From 023ce62f0a788ad3a8233c7a828554bceeafd031 Mon Sep 17 00:00:00 2001 +From: Alexander Bulekov <alxndr@bu.edu> +Date: Mon, 1 Mar 2021 10:33:34 -0500 +Subject: [PATCH 08/10] pcnet: switch to use qemu_receive_packet() for loopback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch switches to use qemu_receive_packet() which can detect +reentrancy and return early. + +This is intended to address CVE-2021-3416. + +Cc: Prasad J Pandit <ppandit@redhat.com> +Cc: qemu-stable@nongnu.org +Buglink: https://bugs.launchpad.net/qemu/+bug/1917085 +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com +Signed-off-by: Alexander Bulekov <alxndr@bu.edu> +Signed-off-by: Jason Wang <jasowang@redhat.com> + +Upstream-Status: Backport [99ccfaa1edafd79f7a3a0ff7b58ae4da7c514928] +CVE: CVE-2021-3416 + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/net/pcnet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c +index f3f18d859..dcd3fc494 100644 +--- a/hw/net/pcnet.c ++++ b/hw/net/pcnet.c +@@ -1250,7 +1250,7 @@ txagain: + if (BCR_SWSTYLE(s) == 1) + add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS); + s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC; +- pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos); ++ qemu_receive_packet(qemu_get_queue(s->nic), s->buffer, s->xmit_pos); + s->looptest = 0; + } else { + if (s->nic) { +-- +2.29.2 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch new file mode 100644 index 0000000000..f4a985604e --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch @@ -0,0 +1,41 @@ +From ecf7e62bb2cb02c9bd40082504ae376f3e19ffd2 Mon Sep 17 00:00:00 2001 +From: Alexander Bulekov <alxndr@bu.edu> +Date: Mon, 1 Mar 2021 14:33:43 -0500 +Subject: [PATCH 09/10] cadence_gem: switch to use qemu_receive_packet() for + loopback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch switches to use qemu_receive_packet() which can detect +reentrancy and return early. + +This is intended to address CVE-2021-3416. + +Cc: Prasad J Pandit <ppandit@redhat.com> +Cc: qemu-stable@nongnu.org +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Signed-off-by: Alexander Bulekov <alxndr@bu.edu> +Signed-off-by: Jason Wang <jasowang@redhat.com> + +Upstream-Status: Backport [e73adfbeec9d4e008630c814759052ed945c3fed] +CVE: CVE-2021-3416 + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/net/cadence_gem.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +Index: qemu-4.2.0/hw/net/cadence_gem.c +=================================================================== +--- qemu-4.2.0.orig/hw/net/cadence_gem.c ++++ qemu-4.2.0/hw/net/cadence_gem.c +@@ -1225,7 +1225,7 @@ static void gem_transmit(CadenceGEMState + /* Send the packet somewhere */ + if (s->phy_loop || (s->regs[GEM_NWCTRL] & + GEM_NWCTRL_LOCALLOOP)) { +- gem_receive(qemu_get_queue(s->nic), tx_packet, ++ qemu_receive_packet(qemu_get_queue(s->nic), tx_packet, + total_bytes); + } else { + qemu_send_packet(qemu_get_queue(s->nic), tx_packet, diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch new file mode 100644 index 0000000000..4ff3413f8e --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch @@ -0,0 +1,87 @@ +From defac5e2fbddf8423a354ff0454283a2115e1367 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Thu, 18 Nov 2021 12:57:32 +0100 +Subject: [PATCH] hw/block/fdc: Prevent end-of-track overrun (CVE-2021-3507) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Per the 82078 datasheet, if the end-of-track (EOT byte in +the FIFO) is more than the number of sectors per side, the +command is terminated unsuccessfully: + +* 5.2.5 DATA TRANSFER TERMINATION + + The 82078 supports terminal count explicitly through + the TC pin and implicitly through the underrun/over- + run and end-of-track (EOT) functions. For full sector + transfers, the EOT parameter can define the last + sector to be transferred in a single or multisector + transfer. If the last sector to be transferred is a par- + tial sector, the host can stop transferring the data in + mid-sector, and the 82078 will continue to complete + the sector as if a hardware TC was received. The + only difference between these implicit functions and + TC is that they return "abnormal termination" result + status. Such status indications can be ignored if they + were expected. + +* 6.1.3 READ TRACK + + This command terminates when the EOT specified + number of sectors have been read. If the 82078 + does not find an I D Address Mark on the diskette + after the second· occurrence of a pulse on the + INDX# pin, then it sets the IC code in Status Regis- + ter 0 to "01" (Abnormal termination), sets the MA bit + in Status Register 1 to "1", and terminates the com- + mand. + +* 6.1.6 VERIFY + + Refer to Table 6-6 and Table 6-7 for information + concerning the values of MT and EC versus SC and + EOT value. + +* Table 6·6. Result Phase Table + +* Table 6-7. Verify Command Result Phase Table + +Fix by aborting the transfer when EOT > # Sectors Per Side. + +Cc: qemu-stable@nongnu.org +Cc: Hervé Poussineau <hpoussin@reactos.org> +Fixes: baca51faff0 ("floppy driver: disk geometry auto detect") +Reported-by: Alexander Bulekov <alxndr@bu.edu> +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/339 +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211118115733.4038610-2-philmd@redhat.com> +Reviewed-by: Hanna Reitz <hreitz@redhat.com> +Signed-off-by: Kevin Wolf <kwolf@redhat.com> + +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/defac5e2fbddf8423a354ff0454283a2115e1367] +CVE: CVE-2021-3507 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + hw/block/fdc.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/block/fdc.c b/hw/block/fdc.c +index 347875a0cdae..57bb355794a9 100644 +--- a/hw/block/fdc.c ++++ b/hw/block/fdc.c +@@ -1530,6 +1530,14 @@ static void fdctrl_start_transfer(FDCtrl *fdctrl, int direction) + int tmp; + fdctrl->data_len = 128 << (fdctrl->fifo[5] > 7 ? 7 : fdctrl->fifo[5]); + tmp = (fdctrl->fifo[6] - ks + 1); ++ if (tmp < 0) { ++ FLOPPY_DPRINTF("invalid EOT: %d\n", tmp); ++ fdctrl_stop_transfer(fdctrl, FD_SR0_ABNTERM, FD_SR1_MA, 0x00); ++ fdctrl->fifo[3] = kt; ++ fdctrl->fifo[4] = kh; ++ fdctrl->fifo[5] = ks; ++ return; ++ } + if (fdctrl->fifo[0] & 0x80) + tmp += fdctrl->fifo[6]; + fdctrl->data_len *= tmp; diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch new file mode 100644 index 0000000000..77a5385692 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch @@ -0,0 +1,42 @@ +From 05a40b172e4d691371534828078be47e7fff524c Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Mon, 3 May 2021 15:29:15 +0200 +Subject: [PATCH] usb: limit combined packets to 1 MiB (CVE-2021-3527) + +usb-host and usb-redirect try to batch bulk transfers by combining many +small usb packets into a single, large transfer request, to reduce the +overhead and improve performance. + +This patch adds a size limit of 1 MiB for those combined packets to +restrict the host resources the guest can bind that way. + +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Message-Id: <20210503132915.2335822-6-kraxel@redhat.com> + +Upstream-Status: Backport +https://gitlab.com/qemu-project/qemu/-/commit/05a40b172e4d691371534828078be47e7fff524c +CVE: CVE-2021-3527 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> + +--- + hw/usb/combined-packet.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c +index 5d57e883dc..e56802f89a 100644 +--- a/hw/usb/combined-packet.c ++++ b/hw/usb/combined-packet.c +@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep) + if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok || + next == NULL || + /* Work around for Linux usbfs bulk splitting + migration */ +- (totalsize == (16 * KiB - 36) && p->int_req)) { ++ (totalsize == (16 * KiB - 36) && p->int_req) || ++ /* Next package may grow combined package over 1MiB */ ++ totalsize > 1 * MiB - ep->max_packet_size) { + usb_device_handle_data(ep->dev, first); + assert(first->status == USB_RET_ASYNC); + if (first->combined) { +-- +GitLab + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch new file mode 100644 index 0000000000..6371aced12 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch @@ -0,0 +1,59 @@ +From 7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Mon, 3 May 2021 15:29:12 +0200 +Subject: [PATCH] usb/redir: avoid dynamic stack allocation (CVE-2021-3527) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Use autofree heap allocation instead. + +Fixes: 4f4321c11ff ("usb: use iovecs in USBPacket") +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20210503132915.2335822-3-kraxel@redhat.com> + +Upstream-Status: Backport +https://gitlab.com/qemu-project/qemu/-/commit/7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 +CVE: CVE-2021-3527 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> + +--- + hw/usb/redirect.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c +index 17f06f3417..6a75b0dc4a 100644 +--- a/hw/usb/redirect.c ++++ b/hw/usb/redirect.c +@@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p, + .endpoint = ep, + .length = p->iov.size + }; +- uint8_t buf[p->iov.size]; ++ g_autofree uint8_t *buf = g_malloc(p->iov.size); + /* No id, we look at the ep when receiving a status back */ + usb_packet_copy(p, buf, p->iov.size); + usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet, +@@ -818,7 +818,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p, + usbredirparser_send_bulk_packet(dev->parser, p->id, + &bulk_packet, NULL, 0); + } else { +- uint8_t buf[size]; ++ g_autofree uint8_t *buf = g_malloc(size); + usb_packet_copy(p, buf, size); + usbredir_log_data(dev, "bulk data out:", buf, size); + usbredirparser_send_bulk_packet(dev->parser, p->id, +@@ -923,7 +923,7 @@ static void usbredir_handle_interrupt_out_data(USBRedirDevice *dev, + USBPacket *p, uint8_t ep) + { + struct usb_redir_interrupt_packet_header interrupt_packet; +- uint8_t buf[p->iov.size]; ++ g_autofree uint8_t *buf = g_malloc(p->iov.size); + + DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep, + p->iov.size, p->id); +-- +GitLab + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544.patch new file mode 100644 index 0000000000..1b4fcbfb60 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544.patch @@ -0,0 +1,29 @@ +vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544) + +Call 'vugbm_buffer_destroy' in error path to avoid resource leak. + +Fixes: CVE-2021-3544 +Reported-by: default avatarLi Qiang <liq3ea@163.com> +Reviewed-by: default avatarPrasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: default avatarLi Qiang <liq3ea@163.com> +Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20210516030403.107723-3-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com> + +Upstream-Status: Backport +[vhost-user-gpu does not exist in 4.2.0] +CVE: CVE-2021-3544 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +Index: qemu-4.2.0/contrib/vhost-user-gpu/main.c +=================================================================== +--- qemu-4.2.0.orig/contrib/vhost-user-gpu/main.c ++++ qemu-4.2.0/contrib/vhost-user-gpu/main.c +@@ -328,6 +328,7 @@ vg_resource_create_2d(VuGpu *g, + g_critical("%s: resource creation failed %d %d %d", + __func__, c2d.resource_id, c2d.width, c2d.height); + g_free(res); ++ vugbm_buffer_destroy(&res->buffer); + cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY; + return; + } diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch new file mode 100644 index 0000000000..36cbb127f8 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch @@ -0,0 +1,39 @@ +vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544) + + +Check whether the 'res' has already been attach_backing to avoid +memory leak. + +Fixes: CVE-2021-3544 +Reported-by: default avatarLi Qiang <liq3ea@163.com> +virtio-gpu fix: 204f01b3 + + ("virtio-gpu: fix memory leak + in resource attach backing") + Signed-off-by: default avatarLi Qiang <liq3ea@163.com> + Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com> + Message-Id: <20210516030403.107723-4-liq3ea@163.com> + Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com> + +Upstream-Status: Backport +[vhost-user-gpu does not exist in 4.2.0 context] +CVE: CVE-2021-3544 +Signed-off-by: Armin Kuster <akuster@mvista.com> + + +Index: qemu-4.2.0/contrib/vhost-user-gpu/main.c +=================================================================== +--- qemu-4.2.0.orig/contrib/vhost-user-gpu/main.c ++++ qemu-4.2.0/contrib/vhost-user-gpu/main.c +@@ -468,6 +468,11 @@ vg_resource_attach_backing(VuGpu *g, + return; + } + ++ if (res->iov) { ++ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; ++ return; ++ } ++ + ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov); + if (ret != 0) { + cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch new file mode 100644 index 0000000000..c534f4c24f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch @@ -0,0 +1,39 @@ +vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544) + +If the guest trigger following sequences, the attach_backing will be leaked: + +vg_resource_create_2d +vg_resource_attach_backing +vg_resource_unref + +This patch fix this by freeing 'res->iov' in vg_resource_destroy. + +Fixes: CVE-2021-3544 +Reported-by: default avatarLi Qiang <liq3ea@163.com> +virtio-gpu fix: 5e8e3c4c + +("virtio-gpu: fix resource leak +in virgl_cmd_resource_unref") +Reviewed-by: default avatarPrasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: default avatarLi Qiang <liq3ea@163.com> +Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20210516030403.107723-5-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com> + +Upstream-Status: Backport +CVE: CVE-2021-3544 +[vhost-user-gpu does not exist in the 4.2.0] +Signed-off-by: Armin Kuster <akuster@mvista.com> + +Index: qemu-4.2.0/contrib/vhost-user-gpu/main.c +=================================================================== +--- qemu-4.2.0.orig/contrib/vhost-user-gpu/main.c ++++ qemu-4.2.0/contrib/vhost-user-gpu/main.c +@@ -379,6 +379,7 @@ vg_resource_destroy(VuGpu *g, + } + + vugbm_buffer_destroy(&res->buffer); ++ g_free(res->iov); + pixman_image_unref(res->image); + QTAILQ_REMOVE(&g->reslist, res, next); + g_free(res); diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch new file mode 100644 index 0000000000..96e36eb854 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch @@ -0,0 +1,46 @@ +vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' (CVE-2021-3544) + +The 'res->iov' will be leaked if the guest trigger following sequences: + +virgl_cmd_create_resource_2d +virgl_resource_attach_backing +virgl_cmd_resource_unref + +This patch fixes this. + +Fixes: CVE-2021-3544 +Reported-by: default avatarLi Qiang <liq3ea@163.com> +virtio-gpu fix: 5e8e3c4c + +("virtio-gpu: fix resource leak +in virgl_cmd_resource_unref" +Signed-off-by: default avatarLi Qiang <liq3ea@163.com> +Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20210516030403.107723-6-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com> + +Upstream-Status: Backport +CVE: CVE-2021-3544 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +Index: qemu-4.2.0/contrib/vhost-user-gpu/virgl.c +=================================================================== +--- qemu-4.2.0.orig/contrib/vhost-user-gpu/virgl.c ++++ qemu-4.2.0/contrib/vhost-user-gpu/virgl.c +@@ -105,9 +105,16 @@ virgl_cmd_resource_unref(VuGpu *g, + struct virtio_gpu_ctrl_command *cmd) + { + struct virtio_gpu_resource_unref unref; ++ struct iovec *res_iovs = NULL; ++ int num_iovs = 0; + + VUGPU_FILL_CMD(unref); + ++ virgl_renderer_resource_detach_iov(unref.resource_id, ++ &res_iovs, ++ &num_iovs); ++ g_free(res_iovs); ++ + virgl_renderer_resource_unref(unref.resource_id); + } + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch new file mode 100644 index 0000000000..e592ce50e2 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch @@ -0,0 +1,47 @@ +From 63736af5a6571d9def93769431e0d7e38c6677bf Mon Sep 17 00:00:00 2001 +From: Li Qiang <liq3ea@163.com> +Date: Sat, 15 May 2021 20:04:01 -0700 +Subject: [PATCH] vhost-user-gpu: fix memory leak in + 'virgl_resource_attach_backing' (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will +be leaked. + +Fixes: CVE-2021-3544 +Reported-by: Li Qiang <liq3ea@163.com> +virtio-gpu fix: 33243031da ("virtio-gpu-3d: fix memory leak +in resource attach backing") + +Signed-off-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20210516030403.107723-7-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +Upstream-Status: Backport +CVE: CVE-2021-3544 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + contrib/vhost-user-gpu/virgl.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +Index: qemu-4.2.0/contrib/vhost-user-gpu/virgl.c +=================================================================== +--- qemu-4.2.0.orig/contrib/vhost-user-gpu/virgl.c ++++ qemu-4.2.0/contrib/vhost-user-gpu/virgl.c +@@ -283,8 +283,11 @@ virgl_resource_attach_backing(VuGpu *g, + return; + } + +- virgl_renderer_resource_attach_iov(att_rb.resource_id, ++ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id, + res_iovs, att_rb.nr_entries); ++ if (ret != 0) { ++ g_free(res_iovs); ++ } + } + + static void diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3545.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3545.patch new file mode 100644 index 0000000000..fcdda64437 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3545.patch @@ -0,0 +1,41 @@ +From 121841b25d72d13f8cad554363138c360f1250ea Mon Sep 17 00:00:00 2001 +From: Li Qiang <liq3ea@163.com> +Date: Sat, 15 May 2021 20:03:56 -0700 +Subject: [PATCH] vhost-user-gpu: fix memory disclosure in + virgl_cmd_get_capset_info (CVE-2021-3545) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Otherwise some of the 'resp' will be leaked to guest. + +Fixes: CVE-2021-3545 +Reported-by: Li Qiang <liq3ea@163.com> +virtio-gpu fix: 42a8dadc74 ("virtio-gpu: fix information leak +in getting capset info dispatch") + +Signed-off-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20210516030403.107723-2-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +Upstream-Status: Backport +CVE: CVE-2021-3545 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + contrib/vhost-user-gpu/virgl.c | 1 + + 1 file changed, 1 insertion(+) + +Index: qemu-4.2.0/contrib/vhost-user-gpu/virgl.c +=================================================================== +--- qemu-4.2.0.orig/contrib/vhost-user-gpu/virgl.c ++++ qemu-4.2.0/contrib/vhost-user-gpu/virgl.c +@@ -132,6 +132,7 @@ virgl_cmd_get_capset_info(VuGpu *g, + + VUGPU_FILL_CMD(info); + ++ memset(&resp, 0, sizeof(resp)); + if (info.capset_index == 0) { + resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL; + virgl_renderer_get_cap_set(resp.capset_id, diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3546.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3546.patch new file mode 100644 index 0000000000..f8da428233 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3546.patch @@ -0,0 +1,47 @@ +From 9f22893adcb02580aee5968f32baa2cd109b3ec2 Mon Sep 17 00:00:00 2001 +From: Li Qiang <liq3ea@163.com> +Date: Sat, 15 May 2021 20:04:02 -0700 +Subject: [PATCH] vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset' + (CVE-2021-3546) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If 'virgl_cmd_get_capset' set 'max_size' to 0, +the 'virgl_renderer_fill_caps' will write the data after the 'resp'. +This patch avoid this by checking the returned 'max_size'. + +virtio-gpu fix: abd7f08b23 ("display: virtio-gpu-3d: check +virgl capabilities max_size") + +Fixes: CVE-2021-3546 +Reported-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20210516030403.107723-8-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +Upstream-Status: Backport +CVE: CVE-2021-3546 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + contrib/vhost-user-gpu/virgl.c | 4 ++++ + 1 file changed, 4 insertions(+) + +Index: qemu-4.2.0/contrib/vhost-user-gpu/virgl.c +=================================================================== +--- qemu-4.2.0.orig/contrib/vhost-user-gpu/virgl.c ++++ qemu-4.2.0/contrib/vhost-user-gpu/virgl.c +@@ -174,6 +174,10 @@ virgl_cmd_get_capset(VuGpu *g, + + virgl_renderer_get_cap_set(gc.capset_id, &max_ver, + &max_size); ++ if (!max_size) { ++ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; ++ return; ++ } + resp = g_malloc0(sizeof(*resp) + max_size); + + resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET; diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3582.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3582.patch new file mode 100644 index 0000000000..7a88e29384 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3582.patch @@ -0,0 +1,47 @@ +From 284f191b4abad213aed04cb0458e1600fd18d7c4 Mon Sep 17 00:00:00 2001 +From: Marcel Apfelbaum <marcel@redhat.com> +Date: Wed, 16 Jun 2021 14:06:00 +0300 +Subject: [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device + (CVE-2021-3582) + +Ensure mremap boundaries not trusting the guest kernel to +pass the correct buffer length. + +Fixes: CVE-2021-3582 +Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com> +Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com> +Signed-off-by: Marcel Apfelbaum <marcel@redhat.com> +Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com> +Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com> +Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com> +Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com> + +CVE: CVE-2021-3582 +Upstream-Status: Backport [284f191b4abad213aed04cb0458e1600fd18d7c4] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/rdma/vmw/pvrdma_cmd.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c +index f59879e257..da7ddfa548 100644 +--- a/hw/rdma/vmw/pvrdma_cmd.c ++++ b/hw/rdma/vmw/pvrdma_cmd.c +@@ -38,6 +38,13 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma, + return NULL; + } + ++ length = ROUND_UP(length, TARGET_PAGE_SIZE); ++ if (nchunks * TARGET_PAGE_SIZE != length) { ++ rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks, ++ (unsigned long)length); ++ return NULL; ++ } ++ + dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE); + if (!dir) { + rdma_error_report("Failed to map to page directory"); +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch new file mode 100644 index 0000000000..0547c74484 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch @@ -0,0 +1,43 @@ +From 32e5703cfea07c91e6e84bcb0313f633bb146534 Mon Sep 17 00:00:00 2001 +From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com> +Date: Wed, 30 Jun 2021 14:46:34 +0300 +Subject: [PATCH] pvrdma: Ensure correct input on ring init (CVE-2021-3607) + +Check the guest passed a non zero page count +for pvrdma device ring buffers. + +Fixes: CVE-2021-3607 +Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com> +Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com> +Signed-off-by: Marcel Apfelbaum <marcel@redhat.com> +Message-Id: <20210630114634.2168872-1-marcel@redhat.com> +Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com> +Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com> +Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com> + +CVE: CVE-2021-3607 +Upstream-Status: Backport [32e5703cfea07c91e6e84bcb0313f633bb146534] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/rdma/vmw/pvrdma_main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c +index 84ae8024fc..7c0c3551a8 100644 +--- a/hw/rdma/vmw/pvrdma_main.c ++++ b/hw/rdma/vmw/pvrdma_main.c +@@ -92,6 +92,11 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state, + uint64_t *dir, *tbl; + int rc = 0; + ++ if (!num_pages) { ++ rdma_error_report("Ring pages count must be strictly positive"); ++ return -EINVAL; ++ } ++ + dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE); + if (!dir) { + rdma_error_report("Failed to map to page directory (ring %s)", name); +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch new file mode 100644 index 0000000000..7055ec3d23 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch @@ -0,0 +1,40 @@ +From 66ae37d8cc313f89272e711174a846a229bcdbd3 Mon Sep 17 00:00:00 2001 +From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com> +Date: Wed, 30 Jun 2021 14:52:46 +0300 +Subject: [PATCH] pvrdma: Fix the ring init error flow (CVE-2021-3608) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Do not unmap uninitialized dma addresses. + +Fixes: CVE-2021-3608 +Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com> +Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com> +Signed-off-by: Marcel Apfelbaum <marcel@redhat.com> +Message-Id: <20210630115246.2178219-1-marcel@redhat.com> +Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com> +Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com> +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com> + +CVE: CVE-2021-3608 +Upstream-Status: Backport [66ae37d8cc313f89272e711174a846a229bcdbd3] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/rdma/vmw/pvrdma_dev_ring.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: qemu-4.2.0/hw/rdma/vmw/pvrdma_dev_ring.c +=================================================================== +--- qemu-4.2.0.orig/hw/rdma/vmw/pvrdma_dev_ring.c ++++ qemu-4.2.0/hw/rdma/vmw/pvrdma_dev_ring.c +@@ -41,7 +41,7 @@ int pvrdma_ring_init(PvrdmaRing *ring, c + atomic_set(&ring->ring_state->cons_head, 0); + */ + ring->npages = npages; +- ring->pages = g_malloc(npages * sizeof(void *)); ++ ring->pages = g_malloc0(npages * sizeof(void *)); + + for (i = 0; i < npages; i++) { + if (!tbl[i]) { diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch new file mode 100644 index 0000000000..6e7af8540a --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch @@ -0,0 +1,80 @@ +From b68d13531d8882ba66994b9f767b6a8f822464f3 Mon Sep 17 00:00:00 2001 +From: Vivek Kumbhar <vkumbhar@mvista.com> +Date: Fri, 11 Nov 2022 12:43:26 +0530 +Subject: [PATCH] CVE-2021-3638 + +Upstream-Status: Backport [https://lists.nongnu.org/archive/html/qemu-devel/2021-09/msg01682.html] +CVE: CVE-2021-3638 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> + +When building QEMU with DEBUG_ATI defined then running with +'-device ati-vga,romfile="" -d unimp,guest_errors -trace ati\*' +we get: + + ati_mm_write 4 0x16c0 DP_CNTL <- 0x1 + ati_mm_write 4 0x146c DP_GUI_MASTER_CNTL <- 0x2 + ati_mm_write 4 0x16c8 DP_MIX <- 0xff0000 + ati_mm_write 4 0x16c4 DP_DATATYPE <- 0x2 + ati_mm_write 4 0x224 CRTC_OFFSET <- 0x0 + ati_mm_write 4 0x142c DST_PITCH_OFFSET <- 0xfe00000 + ati_mm_write 4 0x1420 DST_Y <- 0x3fff + ati_mm_write 4 0x1410 DST_HEIGHT <- 0x3fff + ati_mm_write 4 0x1588 DST_WIDTH_X <- 0x3fff3fff + ati_2d_blt: vram:0x7fff5fa00000 addr:0 ds:0x7fff61273800 stride:2560 bpp:32 +rop:0xff + ati_2d_blt: 0 0 0, 0 127 0, (0,0) -> (16383,16383) 16383x16383 > ^ + ati_2d_blt: pixman_fill(dst:0x7fff5fa00000, stride:254, bpp:8, x:16383, +y:16383, w:16383, h:16383, xor:0xff000000) + Thread 3 "qemu-system-i38" received signal SIGSEGV, Segmentation fault. + (gdb) bt + #0 0x00007ffff7f62ce0 in sse2_fill.lto_priv () at /lib64/libpixman-1.so.0 + #1 0x00007ffff7f09278 in pixman_fill () at /lib64/libpixman-1.so.0 + #2 0x0000555557b5a9af in ati_2d_blt (s=0x631000028800) at +hw/display/ati_2d.c:196 + #3 0x0000555557b4b5a2 in ati_mm_write (opaque=0x631000028800, addr=5512, +data=1073692671, size=4) at hw/display/ati.c:843 + #4 0x0000555558b90ec4 in memory_region_write_accessor (mr=0x631000039cc0, +addr=5512, ..., size=4, ...) at softmmu/memory.c:492 + +Commit 584acf34cb0 ("ati-vga: Fix reverse bit blts") introduced +the local dst_x and dst_y which adjust the (x, y) coordinates +depending on the direction in the SRCCOPY ROP3 operation, but +forgot to address the same issue for the PATCOPY, BLACKNESS and +WHITENESS operations, which also call pixman_fill(). + +Fix that now by using the adjusted coordinates in the pixman_fill +call, and update the related debug printf(). +--- + hw/display/ati_2d.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c +index 4dc10ea7..692bec91 100644 +--- a/hw/display/ati_2d.c ++++ b/hw/display/ati_2d.c +@@ -84,7 +84,7 @@ void ati_2d_blt(ATIVGAState *s) + DPRINTF("%d %d %d, %d %d %d, (%d,%d) -> (%d,%d) %dx%d %c %c\n", + s->regs.src_offset, s->regs.dst_offset, s->regs.default_offset, + s->regs.src_pitch, s->regs.dst_pitch, s->regs.default_pitch, +- s->regs.src_x, s->regs.src_y, s->regs.dst_x, s->regs.dst_y, ++ s->regs.src_x, s->regs.src_y, dst_x, dst_y, + s->regs.dst_width, s->regs.dst_height, + (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? '>' : '<'), + (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? 'v' : '^')); +@@ -180,11 +180,11 @@ void ati_2d_blt(ATIVGAState *s) + dst_stride /= sizeof(uint32_t); + DPRINTF("pixman_fill(%p, %d, %d, %d, %d, %d, %d, %x)\n", + dst_bits, dst_stride, bpp, +- s->regs.dst_x, s->regs.dst_y, ++ dst_x, dst_y, + s->regs.dst_width, s->regs.dst_height, + filler); + pixman_fill((uint32_t *)dst_bits, dst_stride, bpp, +- s->regs.dst_x, s->regs.dst_y, ++ dst_x, dst_y, + s->regs.dst_width, s->regs.dst_height, + filler); + if (dst_bits >= s->vga.vram_ptr + s->vga.vbe_start_addr && +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3682.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3682.patch new file mode 100644 index 0000000000..50a49233d3 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3682.patch @@ -0,0 +1,41 @@ +From 5e796671e6b8d5de4b0b423dce1b3eba144a92c9 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Thu, 22 Jul 2021 09:27:56 +0200 +Subject: [PATCH] usbredir: fix free call +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +data might point into the middle of a larger buffer, there is a separate +free_on_destroy pointer passed into bufp_alloc() to handle that. It is +only used in the normal workflow though, not when dropping packets due +to the queue being full. Fix that. + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/491 +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20210722072756.647673-1-kraxel@redhat.com> + +CVE: CVE-2021-3682 +Upstream-Status: Backport [5e796671e6b8d5de4b0b423dce1b3eba144a92c9] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/usb/redirect.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c +index 4ec9326e05..1ec909a63a 100644 +--- a/hw/usb/redirect.c ++++ b/hw/usb/redirect.c +@@ -476,7 +476,7 @@ static int bufp_alloc(USBRedirDevice *dev, uint8_t *data, uint16_t len, + if (dev->endpoint[EP2I(ep)].bufpq_dropping_packets) { + if (dev->endpoint[EP2I(ep)].bufpq_size > + dev->endpoint[EP2I(ep)].bufpq_target_size) { +- free(data); ++ free(free_on_destroy); + return -1; + } + dev->endpoint[EP2I(ep)].bufpq_dropping_packets = 0; +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch new file mode 100644 index 0000000000..cdd9c38db9 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch @@ -0,0 +1,67 @@ +From a114d6baedf2cccb454a46d36e399fec1bc3e1c0 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Wed, 18 Aug 2021 14:05:05 +0200 +Subject: [PATCH] uas: add stream number sanity checks. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The device uses the guest-supplied stream number unchecked, which can +lead to guest-triggered out-of-band access to the UASDevice->data3 and +UASDevice->status3 fields. Add the missing checks. + +Fixes: CVE-2021-3713 +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Reported-by: Chen Zhe <chenzhe@huawei.com> +Reported-by: Tan Jingguo <tanjingguo@huawei.com> +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20210818120505.1258262-2-kraxel@redhat.com> + +https://gitlab.com/qemu-project/qemu/-/commit/13b250b12ad3c59114a6a17d59caf073ce45b33a +CVE: CVE-2021-3713 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + hw/usb/dev-uas.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c +index 6d6d1073..0b8cd4dd 100644 +--- a/hw/usb/dev-uas.c ++++ b/hw/usb/dev-uas.c +@@ -830,6 +830,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) + } + break; + case UAS_PIPE_ID_STATUS: ++ if (p->stream > UAS_MAX_STREAMS) { ++ goto err_stream; ++ } + if (p->stream) { + QTAILQ_FOREACH(st, &uas->results, next) { + if (st->stream == p->stream) { +@@ -857,6 +860,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) + break; + case UAS_PIPE_ID_DATA_IN: + case UAS_PIPE_ID_DATA_OUT: ++ if (p->stream > UAS_MAX_STREAMS) { ++ goto err_stream; ++ } + if (p->stream) { + req = usb_uas_find_request(uas, p->stream); + } else { +@@ -892,6 +898,11 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) + p->status = USB_RET_STALL; + break; + } ++ ++err_stream: ++ error_report("%s: invalid stream %d", __func__, p->stream); ++ p->status = USB_RET_STALL; ++ return; + } + + static void usb_uas_unrealize(USBDevice *dev, Error **errp) diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch new file mode 100644 index 0000000000..b291ade4e3 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch @@ -0,0 +1,124 @@ +From bedd7e93d01961fcb16a97ae45d93acf357e11f6 Mon Sep 17 00:00:00 2001 +From: Jason Wang <jasowang@redhat.com> +Date: Thu, 2 Sep 2021 13:44:12 +0800 +Subject: [PATCH] virtio-net: fix use after unmap/free for sg + +When mergeable buffer is enabled, we try to set the num_buffers after +the virtqueue elem has been unmapped. This will lead several issues, +E.g a use after free when the descriptor has an address which belongs +to the non direct access region. In this case we use bounce buffer +that is allocated during address_space_map() and freed during +address_space_unmap(). + +Fixing this by storing the elems temporarily in an array and delay the +unmap after we set the the num_buffers. + +This addresses CVE-2021-3748. + +Reported-by: Alexander Bulekov <alxndr@bu.edu> +Fixes: fbe78f4f55c6 ("virtio-net support") +Cc: qemu-stable@nongnu.org +Signed-off-by: Jason Wang <jasowang@redhat.com> + +https://github.com/qemu/qemu/commit/bedd7e93d01961fcb16a97ae45d93acf357e11f6 +CVE: CVE-2021-3748 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++------- + 1 file changed, 32 insertions(+), 7 deletions(-) + +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c +index 16d20cdee52a..f205331dcf8c 100644 +--- a/hw/net/virtio-net.c ++++ b/hw/net/virtio-net.c +@@ -1746,10 +1746,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + VirtIONet *n = qemu_get_nic_opaque(nc); + VirtIONetQueue *q = virtio_net_get_subqueue(nc); + VirtIODevice *vdev = VIRTIO_DEVICE(n); ++ VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE]; ++ size_t lens[VIRTQUEUE_MAX_SIZE]; + struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE]; + struct virtio_net_hdr_mrg_rxbuf mhdr; + unsigned mhdr_cnt = 0; +- size_t offset, i, guest_offset; ++ size_t offset, i, guest_offset, j; ++ ssize_t err; + + if (!virtio_net_can_receive(nc)) { + return -1; +@@ -1780,6 +1783,12 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + + total = 0; + ++ if (i == VIRTQUEUE_MAX_SIZE) { ++ virtio_error(vdev, "virtio-net unexpected long buffer chain"); ++ err = size; ++ goto err; ++ } ++ + elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement)); + if (!elem) { + if (i) { +@@ -1791,7 +1800,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + n->guest_hdr_len, n->host_hdr_len, + vdev->guest_features); + } +- return -1; ++ err = -1; ++ goto err; + } + + if (elem->in_num < 1) { +@@ -1799,7 +1809,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + "virtio-net receive queue contains no in buffers"); + virtqueue_detach_element(q->rx_vq, elem, 0); + g_free(elem); +- return -1; ++ err = -1; ++ goto err; + } + + sg = elem->in_sg; +@@ -1836,12 +1847,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + if (!n->mergeable_rx_bufs && offset < size) { + virtqueue_unpop(q->rx_vq, elem, total); + g_free(elem); +- return size; ++ err = size; ++ goto err; + } + +- /* signal other side */ +- virtqueue_fill(q->rx_vq, elem, total, i++); +- g_free(elem); ++ elems[i] = elem; ++ lens[i] = total; ++ i++; + } + + if (mhdr_cnt) { +@@ -1851,10 +1863,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + &mhdr.num_buffers, sizeof mhdr.num_buffers); + } + ++ for (j = 0; j < i; j++) { ++ /* signal other side */ ++ virtqueue_fill(q->rx_vq, elems[j], lens[j], j); ++ g_free(elems[j]); ++ } ++ + virtqueue_flush(q->rx_vq, i); + virtio_notify(vdev, q->rx_vq); + + return size; ++ ++err: ++ for (j = 0; j < i; j++) { ++ g_free(elems[j]); ++ } ++ ++ return err; + } + + static ssize_t virtio_net_do_receive(NetClientState *nc, const uint8_t *buf, diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750.patch new file mode 100644 index 0000000000..43630e71fb --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750.patch @@ -0,0 +1,180 @@ +From 1938fbc7ec197e2612ab2ce36dd69bff19208aa5 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Mon, 10 Oct 2022 17:44:41 +0530 +Subject: [PATCH] CVE-2021-3750 + +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=b9d383ab797f54ae5fa8746117770709921dc529 && https://git.qemu.org/?p=qemu.git;a=commit;h=3ab6fdc91b72e156da22848f0003ff4225690ced && https://git.qemu.org/?p=qemu.git;a=commit;h=58e74682baf4e1ad26b064d8c02e5bc99c75c5d9] +CVE: CVE-2021-3750 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + exec.c | 55 +++++++++++++++++++++++++++++++------- + hw/intc/arm_gicv3_redist.c | 4 +-- + include/exec/memattrs.h | 9 +++++++ + 3 files changed, 56 insertions(+), 12 deletions(-) + +diff --git a/exec.c b/exec.c +index 1360051a..10581d8d 100644 +--- a/exec.c ++++ b/exec.c +@@ -39,6 +39,7 @@ + #include "qemu/config-file.h" + #include "qemu/error-report.h" + #include "qemu/qemu-print.h" ++#include "qemu/log.h" + #if defined(CONFIG_USER_ONLY) + #include "qemu.h" + #else /* !CONFIG_USER_ONLY */ +@@ -3118,6 +3119,33 @@ static bool prepare_mmio_access(MemoryRegion *mr) + return release_lock; + } + ++/** +++ * flatview_access_allowed +++ * @mr: #MemoryRegion to be accessed +++ * @attrs: memory transaction attributes +++ * @addr: address within that memory region +++ * @len: the number of bytes to access +++ * +++ * Check if a memory transaction is allowed. +++ * +++ * Returns: true if transaction is allowed, false if denied. +++ */ ++static bool flatview_access_allowed(MemoryRegion *mr, MemTxAttrs attrs, ++ hwaddr addr, hwaddr len) ++{ ++ if (likely(!attrs.memory)) { ++ return true; ++ } ++ if (memory_region_is_ram(mr)) { ++ return true; ++ } ++ qemu_log_mask(LOG_GUEST_ERROR, ++ "Invalid access to non-RAM device at " ++ "addr 0x%" HWADDR_PRIX ", size %" HWADDR_PRIu ", " ++ "region '%s'\n", addr, len, memory_region_name(mr)); ++ return false; ++} ++ + /* Called within RCU critical section. */ + static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr, + MemTxAttrs attrs, +@@ -3131,7 +3159,10 @@ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr, + bool release_lock = false; + + for (;;) { +- if (!memory_access_is_direct(mr, true)) { ++ if (!flatview_access_allowed(mr, attrs, addr1, l)) { ++ result |= MEMTX_ACCESS_ERROR; ++ /* Keep going. */ ++ } else if (!memory_access_is_direct(mr, true)) { + release_lock |= prepare_mmio_access(mr); + l = memory_access_size(mr, l, addr1); + /* XXX: could force current_cpu to NULL to avoid +@@ -3173,14 +3204,14 @@ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs, + hwaddr l; + hwaddr addr1; + MemoryRegion *mr; +- MemTxResult result = MEMTX_OK; + + l = len; + mr = flatview_translate(fv, addr, &addr1, &l, true, attrs); +- result = flatview_write_continue(fv, addr, attrs, buf, len, +- addr1, l, mr); +- +- return result; ++ if (!flatview_access_allowed(mr, attrs, addr, len)) { ++ return MEMTX_ACCESS_ERROR; ++ } ++ return flatview_write_continue(fv, addr, attrs, buf, len, ++ addr1, l, mr); + } + + /* Called within RCU critical section. */ +@@ -3195,7 +3226,10 @@ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr, + bool release_lock = false; + + for (;;) { +- if (!memory_access_is_direct(mr, false)) { ++ if (!flatview_access_allowed(mr, attrs, addr1, l)) { ++ result |= MEMTX_ACCESS_ERROR; ++ /* Keep going. */ ++ } else if (!memory_access_is_direct(mr, false)) { + /* I/O case */ + release_lock |= prepare_mmio_access(mr); + l = memory_access_size(mr, l, addr1); +@@ -3238,6 +3272,9 @@ static MemTxResult flatview_read(FlatView *fv, hwaddr addr, + + l = len; + mr = flatview_translate(fv, addr, &addr1, &l, false, attrs); ++ if (!flatview_access_allowed(mr, attrs, addr, len)) { ++ return MEMTX_ACCESS_ERROR; ++ } + return flatview_read_continue(fv, addr, attrs, buf, len, + addr1, l, mr); + } +@@ -3474,12 +3511,10 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, + MemTxAttrs attrs) + { + FlatView *fv; +- bool result; + + RCU_READ_LOCK_GUARD(); + fv = address_space_to_flatview(as); +- result = flatview_access_valid(fv, addr, len, is_write, attrs); +- return result; ++ return flatview_access_valid(fv, addr, len, is_write, attrs); + } + + static hwaddr +diff --git a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c +index 8645220d..44368e28 100644 +--- a/hw/intc/arm_gicv3_redist.c ++++ b/hw/intc/arm_gicv3_redist.c +@@ -450,7 +450,7 @@ MemTxResult gicv3_redist_read(void *opaque, hwaddr offset, uint64_t *data, + break; + } + +- if (r == MEMTX_ERROR) { ++ if (r != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: invalid guest read at offset " TARGET_FMT_plx + "size %u\n", __func__, offset, size); +@@ -507,7 +507,7 @@ MemTxResult gicv3_redist_write(void *opaque, hwaddr offset, uint64_t data, + break; + } + +- if (r == MEMTX_ERROR) { ++ if (r != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: invalid guest write at offset " TARGET_FMT_plx + "size %u\n", __func__, offset, size); +diff --git a/include/exec/memattrs.h b/include/exec/memattrs.h +index 95f2d20d..9fb98bc1 100644 +--- a/include/exec/memattrs.h ++++ b/include/exec/memattrs.h +@@ -35,6 +35,14 @@ typedef struct MemTxAttrs { + unsigned int secure:1; + /* Memory access is usermode (unprivileged) */ + unsigned int user:1; ++ /* ++ * Bus interconnect and peripherals can access anything (memories, ++ * devices) by default. By setting the 'memory' bit, bus transaction ++ * are restricted to "normal" memories (per the AMBA documentation) ++ * versus devices. Access to devices will be logged and rejected ++ * (see MEMTX_ACCESS_ERROR). ++ */ ++ unsigned int memory:1; + /* Requester ID (for MSI for example) */ + unsigned int requester_id:16; + /* Invert endianness for this page */ +@@ -66,6 +74,7 @@ typedef struct MemTxAttrs { + #define MEMTX_OK 0 + #define MEMTX_ERROR (1U << 0) /* device returned an error */ + #define MEMTX_DECODE_ERROR (1U << 1) /* nothing at that address */ ++#define MEMTX_ACCESS_ERROR (1U << 2) /* access denied */ + typedef uint32_t MemTxResult; + + #endif +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch new file mode 100644 index 0000000000..a1862f1226 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch @@ -0,0 +1,81 @@ +From 2c682b5975b41495f98cc34b8243042c446eec44 Mon Sep 17 00:00:00 2001 +From: Gaurav Gupta <gauragup@cisco.com> +Date: Wed, 29 Mar 2023 14:36:16 -0700 +Subject: [PATCH] hw/nvme: fix CVE-2021-3929 MIME-Version: 1.0 Content-Type: + text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This fixes CVE-2021-3929 "locally" by denying DMA to the iomem of the +device itself. This still allows DMA to MMIO regions of other devices +(e.g. doing P2P DMA to the controller memory buffer of another NVMe +device). + +Fixes: CVE-2021-3929 +Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com> +Reviewed-by: Keith Busch <kbusch@kernel.org> +Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> +Signed-off-by: Klaus Jensen <k.jensen@samsung.com> + +Upstream-Status: Backport +[https://gitlab.com/qemu-project/qemu/-/commit/736b01642d85be832385] +CVE: CVE-2021-3929 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +Signed-off-by: Gaurav Gupta <gauragup@cisco.com> +--- + hw/block/nvme.c | 23 +++++++++++++++++++++++ + hw/block/nvme.h | 1 + + 2 files changed, 24 insertions(+) + +diff --git a/hw/block/nvme.c b/hw/block/nvme.c +index bda446d..ae9b19f 100644 +--- a/hw/block/nvme.c ++++ b/hw/block/nvme.c +@@ -60,8 +60,31 @@ static bool nvme_addr_is_cmb(NvmeCtrl *n, hwaddr addr) + return addr >= low && addr < hi; + } + ++static inline bool nvme_addr_is_iomem(NvmeCtrl *n, hwaddr addr) ++{ ++ hwaddr hi, lo; ++ ++ /* ++ * The purpose of this check is to guard against invalid "local" access to ++ * the iomem (i.e. controller registers). Thus, we check against the range ++ * covered by the 'bar0' MemoryRegion since that is currently composed of ++ * two subregions (the NVMe "MBAR" and the MSI-X table/pba). Note, however, ++ * that if the device model is ever changed to allow the CMB to be located ++ * in BAR0 as well, then this must be changed. ++ */ ++ lo = n->bar0.addr; ++ hi = lo + int128_get64(n->bar0.size); ++ ++ return addr >= lo && addr < hi; ++} ++ + static int nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size) + { ++ ++ if (nvme_addr_is_iomem(n, addr)) { ++ return NVME_DATA_TRAS_ERROR; ++ } ++ + if (n->cmbsz && nvme_addr_is_cmb(n, addr)) { + memcpy(buf, (void *)&n->cmbuf[addr - n->ctrl_mem.addr], size); + return 0; +diff --git a/hw/block/nvme.h b/hw/block/nvme.h +index 557194e..5a2b119 100644 +--- a/hw/block/nvme.h ++++ b/hw/block/nvme.h +@@ -59,6 +59,7 @@ typedef struct NvmeNamespace { + + typedef struct NvmeCtrl { + PCIDevice parent_obj; ++ MemoryRegion bar0; + MemoryRegion iomem; + MemoryRegion ctrl_mem; + NvmeBar bar; +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch new file mode 100644 index 0000000000..b1b5558647 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch @@ -0,0 +1,53 @@ +From b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella <mcascell@redhat.com> +Date: Thu, 4 Nov 2021 17:31:38 +0100 +Subject: [PATCH] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT + commands + +This avoids an off-by-one read of 'mode_sense_valid' buffer in +hw/scsi/scsi-disk.c:mode_sense_page(). + +Fixes: CVE-2021-3930 +Cc: qemu-stable@nongnu.org +Reported-by: Alexander Bulekov <alxndr@bu.edu> +Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table") +Fixes: #546 +Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com> +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +https://gitlab.com/qemu-project/qemu/-/commit/b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 +CVE: CVE-2021-3930 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + hw/scsi/scsi-disk.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c +index e8a547dbb7..d4914178ea 100644 +--- a/hw/scsi/scsi-disk.c ++++ b/hw/scsi/scsi-disk.c +@@ -1087,6 +1087,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf, + uint8_t *p = *p_outbuf + 2; + int length; + ++ assert(page < ARRAY_SIZE(mode_sense_valid)); + if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) { + return -1; + } +@@ -1428,6 +1429,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page, + return -1; + } + ++ /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */ ++ if (page == MODE_PAGE_ALLS) { ++ return -1; ++ } ++ + p = mode_current; + memset(mode_current, 0, inlen + 2); + len = mode_sense_page(s, page, &p, 0); +-- +GitLab + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch new file mode 100644 index 0000000000..80ad49e4ed --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch @@ -0,0 +1,89 @@ +From fa892e9abb728e76afcf27323ab29c57fb0fe7aa Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella <mcascell@redhat.com> +Date: Thu, 7 Apr 2022 10:17:12 +0200 +Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc + (CVE-2021-4206) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Prevent potential integer overflow by limiting 'width' and 'height' to +512x512. Also change 'datasize' type to size_t. Refer to security +advisory https://starlabs.sg/advisories/22-4206/ for more information. + +Fixes: CVE-2021-4206 +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20220407081712.345609-1-mcascell@redhat.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +https://gitlab.com/qemu-project/qemu/-/commit/fa892e9a +CVE: CVE-2021-4206 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + hw/display/qxl-render.c | 7 +++++++ + hw/display/vmware_vga.c | 2 ++ + ui/cursor.c | 8 +++++++- + 3 files changed, 16 insertions(+), 1 deletion(-) + +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c +index 237ed293ba..ca217004bf 100644 +--- a/hw/display/qxl-render.c ++++ b/hw/display/qxl-render.c +@@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor, + size_t size; + + c = cursor_alloc(cursor->header.width, cursor->header.height); ++ ++ if (!c) { ++ qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__, ++ cursor->header.width, cursor->header.height); ++ goto fail; ++ } ++ + c->hot_x = cursor->header.hot_spot_x; + c->hot_y = cursor->header.hot_spot_y; + switch (cursor->header.type) { +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c +index 98c83474ad..45d06cbe25 100644 +--- a/hw/display/vmware_vga.c ++++ b/hw/display/vmware_vga.c +@@ -515,6 +515,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s, + int i, pixels; + + qc = cursor_alloc(c->width, c->height); ++ assert(qc != NULL); ++ + qc->hot_x = c->hot_x; + qc->hot_y = c->hot_y; + switch (c->bpp) { +diff --git a/ui/cursor.c b/ui/cursor.c +index 1d62ddd4d0..835f0802f9 100644 +--- a/ui/cursor.c ++++ b/ui/cursor.c +@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[]) + + /* parse pixel data */ + c = cursor_alloc(width, height); ++ assert(c != NULL); ++ + for (pixel = 0, y = 0; y < height; y++, line++) { + for (x = 0; x < height; x++, pixel++) { + idx = xpm[line][x]; +@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void) + QEMUCursor *cursor_alloc(int width, int height) + { + QEMUCursor *c; +- int datasize = width * height * sizeof(uint32_t); ++ size_t datasize = width * height * sizeof(uint32_t); ++ ++ if (width > 512 || height > 512) { ++ return NULL; ++ } + + c = g_malloc0(sizeof(QEMUCursor) + datasize); + c->width = width; +-- +GitLab + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch new file mode 100644 index 0000000000..8418246247 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch @@ -0,0 +1,43 @@ +From 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895 Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella <mcascell@redhat.com> +Date: Thu, 7 Apr 2022 10:11:06 +0200 +Subject: [PATCH] display/qxl-render: fix race condition in qxl_cursor + (CVE-2021-4207) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Avoid fetching 'width' and 'height' a second time to prevent possible +race condition. Refer to security advisory +https://starlabs.sg/advisories/22-4207/ for more information. + +Fixes: CVE-2021-4207 +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20220407081106.343235-1-mcascell@redhat.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +https://gitlab.com/qemu-project/qemu/-/commit/9569f5cb +CVE: CVE-2021-4207 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + hw/display/qxl-render.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c +index d28849b121..237ed293ba 100644 +--- a/hw/display/qxl-render.c ++++ b/hw/display/qxl-render.c +@@ -266,7 +266,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor, + } + break; + case SPICE_CURSOR_TYPE_ALPHA: +- size = sizeof(uint32_t) * cursor->header.width * cursor->header.height; ++ size = sizeof(uint32_t) * c->width * c->height; + qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id); + if (qxl->debug > 2) { + cursor_print_ascii_art(c, "qxl/alpha"); +-- +GitLab + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch new file mode 100644 index 0000000000..6a7ce0e26c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch @@ -0,0 +1,42 @@ +From 6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8 Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella <mcascell@redhat.com> +Date: Tue, 5 Jul 2022 22:05:43 +0200 +Subject: [PATCH] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout + (CVE-2022-0216) + +Set current_req->req to NULL to prevent reusing a free'd buffer in case of +repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch. + +Fixes: CVE-2022-0216 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972 +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> +Reviewed-by: Thomas Huth <thuth@redhat.com> +Message-Id: <20220705200543.2366809-1-mcascell@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +https://gitlab.com/qemu-project/qemu/-/commit/6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8 +CVE: CVE-2022-0216 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + hw/scsi/lsi53c895a.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c +index c8773f73f7..99ea42d49b 100644 +--- a/hw/scsi/lsi53c895a.c ++++ b/hw/scsi/lsi53c895a.c +@@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s) + case 0x0d: + /* The ABORT TAG message clears the current I/O process only. */ + trace_lsi_do_msgout_abort(current_tag); +- if (current_req) { ++ if (current_req && current_req->req) { + scsi_req_cancel(current_req->req); ++ current_req->req = NULL; + } + lsi_disconnect(s); + break; +-- +GitLab + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch new file mode 100644 index 0000000000..137906cd30 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch @@ -0,0 +1,52 @@ +From 4367a20cc442c56b05611b4224de9a61908f9eac Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella <mcascell@redhat.com> +Date: Mon, 11 Jul 2022 14:33:16 +0200 +Subject: [PATCH] scsi/lsi53c895a: really fix use-after-free in lsi_do_msgout + (CVE-2022-0216) + +Set current_req to NULL, not current_req->req, to prevent reusing a free'd +buffer in case of repeated SCSI cancel requests. Also apply the fix to +CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel +the request. + +Thanks to Alexander Bulekov for providing a reproducer. + +Fixes: CVE-2022-0216 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972 +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> +Tested-by: Alexander Bulekov <alxndr@bu.edu> +Message-Id: <20220711123316.421279-1-mcascell@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +https://gitlab.com/qemu-project/qemu/-/commit/4367a20cc4 +CVE: CVE-2022-0216 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + hw/scsi/lsi53c895a.c | 3 +- + 1 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c +index 99ea42d49b..ad5f5e5f39 100644 +--- a/hw/scsi/lsi53c895a.c ++++ b/hw/scsi/lsi53c895a.c +@@ -1030,7 +1030,7 @@ static void lsi_do_msgout(LSIState *s) + trace_lsi_do_msgout_abort(current_tag); + if (current_req && current_req->req) { + scsi_req_cancel(current_req->req); +- current_req->req = NULL; ++ current_req = NULL; + } + lsi_disconnect(s); + break; +@@ -1056,6 +1056,7 @@ static void lsi_do_msgout(LSIState *s) + /* clear the current I/O process */ + if (s->current) { + scsi_req_cancel(s->current->req); ++ current_req = NULL; + } + + /* As the current implemented devices scsi_disk and scsi_generic +-- +GitLab + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-26354.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-26354.patch new file mode 100644 index 0000000000..fc4d6cf3df --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-26354.patch @@ -0,0 +1,57 @@ +Backport of: + +From 8d1b247f3748ac4078524130c6d7ae42b6140aaf Mon Sep 17 00:00:00 2001 +From: Stefano Garzarella <sgarzare@redhat.com> +Date: Mon, 28 Feb 2022 10:50:58 +0100 +Subject: [PATCH] vhost-vsock: detach the virqueue element in case of error + +In vhost_vsock_common_send_transport_reset(), if an element popped from +the virtqueue is invalid, we should call virtqueue_detach_element() to +detach it from the virtqueue before freeing its memory. + +Fixes: fc0b9b0e1c ("vhost-vsock: add virtio sockets device") +Fixes: CVE-2022-26354 +Cc: qemu-stable@nongnu.org +Reported-by: VictorV <vv474172261@gmail.com> +Signed-off-by: Stefano Garzarella <sgarzare@redhat.com> +Message-Id: <20220228095058.27899-1-sgarzare@redhat.com> +Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> +Reviewed-by: Michael S. Tsirkin <mst@redhat.com> +Signed-off-by: Michael S. Tsirkin <mst@redhat.com> + +CVE: CVE-2022-26354 +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2022-26354.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/8d1b247f3748ac4078524130c6d7ae42b6140aaf ] +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + hw/virtio/vhost-vsock-common.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/hw/virtio/vhost-vsock.c ++++ b/hw/virtio/vhost-vsock.c +@@ -221,19 +221,23 @@ static void vhost_vsock_send_transport_r + if (elem->out_num) { + error_report("invalid vhost-vsock event virtqueue element with " + "out buffers"); +- goto out; ++ goto err; + } + + if (iov_from_buf(elem->in_sg, elem->in_num, 0, + &event, sizeof(event)) != sizeof(event)) { + error_report("vhost-vsock event virtqueue element is too short"); +- goto out; ++ goto err; + } + + virtqueue_push(vq, elem, sizeof(event)); + virtio_notify(VIRTIO_DEVICE(vsock), vq); + +-out: ++ g_free(elem); ++ return; ++ ++err: ++ virtqueue_detach_element(vq, elem, 0); + g_free(elem); + } + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch new file mode 100644 index 0000000000..4196ebcf98 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch @@ -0,0 +1,53 @@ +From 09a07b5b39c87423df9e8f6574c19a14d36beac5 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Wed, 27 Jul 2022 10:34:12 +0530 +Subject: [PATCH] CVE-2022-35414 + +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c] +CVE: CVE-2022-35414 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + exec.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/exec.c b/exec.c +index 43c70ffb..2d6add46 100644 +--- a/exec.c ++++ b/exec.c +@@ -685,7 +685,7 @@ static void tcg_iommu_free_notifier_list(CPUState *cpu) + + /* Called from RCU critical section */ + MemoryRegionSection * +-address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr, ++address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr, + hwaddr *xlat, hwaddr *plen, + MemTxAttrs attrs, int *prot) + { +@@ -694,6 +694,7 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr, + IOMMUMemoryRegionClass *imrc; + IOMMUTLBEntry iotlb; + int iommu_idx; ++ hwaddr addr = orig_addr; + AddressSpaceDispatch *d = atomic_rcu_read(&cpu->cpu_ases[asidx].memory_dispatch); + + for (;;) { +@@ -737,6 +738,16 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr, + return section; + + translate_fail: ++ /* ++ * We should be given a page-aligned address -- certainly ++ * tlb_set_page_with_attrs() does so. The page offset of xlat ++ * is used to index sections[], and PHYS_SECTION_UNASSIGNED = 0. ++ * The page portion of xlat will be logged by memory_region_access_valid() ++ * when this memory access is rejected, so use the original untranslated ++ * physical address. ++ */ ++ assert((orig_addr & ~TARGET_PAGE_MASK) == 0); ++ *xlat = orig_addr; + return &d->map.sections[PHYS_SECTION_UNASSIGNED]; + } + #endif +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch new file mode 100644 index 0000000000..3f0d5fbd5c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch @@ -0,0 +1,103 @@ +From 6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org> +Date: Mon, 28 Nov 2022 21:27:40 +0100 +Subject: [PATCH] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt + (CVE-2022-4144) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Have qxl_get_check_slot_offset() return false if the requested +buffer size does not fit within the slot memory region. + +Similarly qxl_phys2virt() now returns NULL in such case, and +qxl_dirty_one_surface() aborts. + +This avoids buffer overrun in the host pointer returned by +memory_region_get_ram_ptr(). + +Fixes: CVE-2022-4144 (out-of-bounds read) +Reported-by: Wenxu Yin (@awxylitol) +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1336 + +Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> +Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> +Message-Id: <20221128202741.4945-5-philmd@linaro.org> + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622] +CVE: CVE-2022-4144 +Comments: Deleted patch hunk in qxl.h,as it contains change +in comments which is not present in current version of qemu. + +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + hw/display/qxl.c | 27 +++++++++++++++++++++++---- + 1 file changed, 23 insertions(+), 4 deletions(-) + +diff --git a/hw/display/qxl.c b/hw/display/qxl.c +index cd7eb39d..6bc8385b 100644 +--- a/hw/display/qxl.c ++++ b/hw/display/qxl.c +@@ -1440,11 +1440,13 @@ static void qxl_reset_surfaces(PCIQXLDevice *d) + + /* can be also called from spice server thread context */ + static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, +- uint32_t *s, uint64_t *o) ++ uint32_t *s, uint64_t *o, ++ size_t size_requested) + { + uint64_t phys = le64_to_cpu(pqxl); + uint32_t slot = (phys >> (64 - 8)) & 0xff; + uint64_t offset = phys & 0xffffffffffff; ++ uint64_t size_available; + + if (slot >= NUM_MEMSLOTS) { + qxl_set_guest_bug(qxl, "slot too large %d >= %d", slot, +@@ -1468,6 +1470,23 @@ static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, + slot, offset, qxl->guest_slots[slot].size); + return false; + } ++ size_available = memory_region_size(qxl->guest_slots[slot].mr); ++ if (qxl->guest_slots[slot].offset + offset >= size_available) { ++ qxl_set_guest_bug(qxl, ++ "slot %d offset %"PRIu64" > region size %"PRIu64"\n", ++ slot, qxl->guest_slots[slot].offset + offset, ++ size_available); ++ return false; ++ } ++ size_available -= qxl->guest_slots[slot].offset + offset; ++ if (size_requested > size_available) { ++ qxl_set_guest_bug(qxl, ++ "slot %d offset %"PRIu64" size %zu: " ++ "overrun by %"PRIu64" bytes\n", ++ slot, offset, size_requested, ++ size_requested - size_available); ++ return false; ++ } + + *s = slot; + *o = offset; +@@ -1486,7 +1505,7 @@ void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id) + offset = le64_to_cpu(pqxl) & 0xffffffffffff; + return (void *)(intptr_t)offset; + case MEMSLOT_GROUP_GUEST: +- if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset)) { ++ if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size)) { + return NULL; + } + ptr = memory_region_get_ram_ptr(qxl->guest_slots[slot].mr); +@@ -1944,9 +1963,9 @@ static void qxl_dirty_one_surface(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, + uint32_t slot; + bool rc; + +- rc = qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset); +- assert(rc == true); + size = (uint64_t)height * abs(stride); ++ rc = qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size); ++ assert(rc == true); + trace_qxl_surfaces_dirty(qxl->id, offset, size); + qxl_set_dirty(qxl->guest_slots[slot].mr, + qxl->guest_slots[slot].offset + offset, +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch new file mode 100644 index 0000000000..26e22b4c31 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch @@ -0,0 +1,77 @@ +[Ubuntu note: remove fuzz-lsi53c895a-test.c changes since the file does not + exist for this release] +From b987718bbb1d0eabf95499b976212dd5f0120d75 Mon Sep 17 00:00:00 2001 +From: Thomas Huth <thuth@redhat.com> +Date: Mon, 22 May 2023 11:10:11 +0200 +Subject: [PATCH] hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI + controller (CVE-2023-0330) + +We cannot use the generic reentrancy guard in the LSI code, so +we have to manually prevent endless reentrancy here. The problematic +lsi_execute_script() function has already a way to detect whether +too many instructions have been executed - we just have to slightly +change the logic here that it also takes into account if the function +has been called too often in a reentrant way. + +The code in fuzz-lsi53c895a-test.c has been taken from an earlier +patch by Mauro Matteo Cascella. + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1563 +Message-Id: <20230522091011.1082574-1-thuth@redhat.com> +Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> +Reviewed-by: Alexander Bulekov <alxndr@bu.edu> +Signed-off-by: Thomas Huth <thuth@redhat.com> + +Reference: https://launchpad.net/ubuntu/+source/qemu/1:4.2-3ubuntu6.27 + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2023-0330.patch?h=ubuntu/focal-security +Upstream commit https://gitlab.com/qemu-project/qemu/-/commit/b987718bbb1d0eabf95499b976212dd5f0120d75] +CVE: CVE-2023-0330 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + hw/scsi/lsi53c895a.c | 23 +++++++++++++++------ + tests/qtest/fuzz-lsi53c895a-test.c | 33 ++++++++++++++++++++++++++++++ + 2 files changed, 50 insertions(+), 6 deletions(-) + +--- qemu-4.2.orig/hw/scsi/lsi53c895a.c ++++ qemu-4.2/hw/scsi/lsi53c895a.c +@@ -1135,15 +1135,24 @@ static void lsi_execute_script(LSIState + uint32_t addr, addr_high; + int opcode; + int insn_processed = 0; ++ static int reentrancy_level; ++ ++ reentrancy_level++; + + s->istat1 |= LSI_ISTAT1_SRUN; + again: +- if (++insn_processed > LSI_MAX_INSN) { +- /* Some windows drivers make the device spin waiting for a memory +- location to change. If we have been executed a lot of code then +- assume this is the case and force an unexpected device disconnect. +- This is apparently sufficient to beat the drivers into submission. +- */ ++ /* ++ * Some windows drivers make the device spin waiting for a memory location ++ * to change. If we have executed more than LSI_MAX_INSN instructions then ++ * assume this is the case and force an unexpected device disconnect. This ++ * is apparently sufficient to beat the drivers into submission. ++ * ++ * Another issue (CVE-2023-0330) can occur if the script is programmed to ++ * trigger itself again and again. Avoid this problem by stopping after ++ * being called multiple times in a reentrant way (8 is an arbitrary value ++ * which should be enough for all valid use cases). ++ */ ++ if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) { + if (!(s->sien0 & LSI_SIST0_UDC)) { + qemu_log_mask(LOG_GUEST_ERROR, + "lsi_scsi: inf. loop with UDC masked"); +@@ -1597,6 +1606,8 @@ again: + } + } + trace_lsi_execute_script_stop(); ++ ++ reentrancy_level--; + } + + static uint8_t lsi_reg_readb(LSIState *s, int offset) diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch new file mode 100644 index 0000000000..70b7d6c562 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch @@ -0,0 +1,178 @@ +From f6b0de53fb87ddefed348a39284c8e2f28dc4eda Mon Sep 17 00:00:00 2001 +From: Christian Schoenebeck <qemu_oss@crudebyte.com> +Date: Wed, 7 Jun 2023 18:29:33 +0200 +Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861) + +The 9p protocol does not specifically define how server shall behave when +client tries to open a special file, however from security POV it does +make sense for 9p server to prohibit opening any special file on host side +in general. A sane Linux 9p client for instance would never attempt to +open a special file on host side, it would always handle those exclusively +on its guest side. A malicious client however could potentially escape +from the exported 9p tree by creating and opening a device file on host +side. + +With QEMU this could only be exploited in the following unsafe setups: + + - Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough' + security model. + +or + + - Using 9p 'proxy' fs driver (which is running its helper daemon as + root). + +These setups were already discouraged for safety reasons before, +however for obvious reasons we are now tightening behaviour on this. + +Fixes: CVE-2023-2861 +Reported-by: Yanwu Shen <ywsPlz@gmail.com> +Reported-by: Jietao Xiao <shawtao1125@gmail.com> +Reported-by: Jinku Li <jkli@xidian.edu.cn> +Reported-by: Wenbo Shen <shenwenbo@zju.edu.cn> +Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com> +Reviewed-by: Greg Kurz <groug@kaod.org> +Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> +Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com> + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/f6b0de53fb87ddefed348a39284c8e2f28dc4eda] +CVE: CVE-2023-2861 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + fsdev/virtfs-proxy-helper.c | 27 +++++++++++++++++++++++-- + hw/9pfs/9p-util.h | 40 +++++++++++++++++++++++++++++++++++++ + 2 files changed, 65 insertions(+), 2 deletions(-) + +diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c +index 6f132c5f..300c9765 100644 +--- a/fsdev/virtfs-proxy-helper.c ++++ b/fsdev/virtfs-proxy-helper.c +@@ -26,6 +26,7 @@ + #include "qemu/xattr.h" + #include "9p-iov-marshal.h" + #include "hw/9pfs/9p-proxy.h" ++#include "hw/9pfs/9p-util.h" + #include "fsdev/9p-iov-marshal.h" + + #define PROGNAME "virtfs-proxy-helper" +@@ -350,6 +351,28 @@ static void resetugid(int suid, int sgid) + } + } + ++/* ++ * Open regular file or directory. Attempts to open any special file are ++ * rejected. ++ * ++ * returns file descriptor or -1 on error ++ */ ++static int open_regular(const char *pathname, int flags, mode_t mode) ++{ ++ int fd; ++ ++ fd = open(pathname, flags, mode); ++ if (fd < 0) { ++ return fd; ++ } ++ ++ if (close_if_special_file(fd) < 0) { ++ return -1; ++ } ++ ++ return fd; ++} ++ + /* + * send response in two parts + * 1) ProxyHeader +@@ -694,7 +717,7 @@ static int do_create(struct iovec *iovec) + if (ret < 0) { + goto unmarshal_err_out; + } +- ret = open(path.data, flags, mode); ++ ret = open_regular(path.data, flags, mode); + if (ret < 0) { + ret = -errno; + } +@@ -719,7 +742,7 @@ static int do_open(struct iovec *iovec) + if (ret < 0) { + goto err_out; + } +- ret = open(path.data, flags); ++ ret = open_regular(path.data, flags, 0); + if (ret < 0) { + ret = -errno; + } +diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h +index 546f46dc..79fdd2a3 100644 +--- a/hw/9pfs/9p-util.h ++++ b/hw/9pfs/9p-util.h +@@ -13,12 +13,16 @@ + #ifndef QEMU_9P_UTIL_H + #define QEMU_9P_UTIL_H + ++#include "qemu/error-report.h" ++ + #ifdef O_PATH + #define O_PATH_9P_UTIL O_PATH + #else + #define O_PATH_9P_UTIL 0 + #endif + ++#define qemu_fstat fstat ++ + static inline void close_preserve_errno(int fd) + { + int serrno = errno; +@@ -26,6 +30,38 @@ static inline void close_preserve_errno(int fd) + errno = serrno; + } + ++/** ++ * close_if_special_file() - Close @fd if neither regular file nor directory. ++ * ++ * @fd: file descriptor of open file ++ * Return: 0 on regular file or directory, -1 otherwise ++ * ++ * CVE-2023-2861: Prohibit opening any special file directly on host ++ * (especially device files), as a compromised client could potentially gain ++ * access outside exported tree under certain, unsafe setups. We expect ++ * client to handle I/O on special files exclusively on guest side. ++ */ ++static inline int close_if_special_file(int fd) ++{ ++ struct stat stbuf; ++ ++ if (qemu_fstat(fd, &stbuf) < 0) { ++ close_preserve_errno(fd); ++ return -1; ++ } ++ if (!S_ISREG(stbuf.st_mode) && !S_ISDIR(stbuf.st_mode)) { ++ error_report_once( ++ "9p: broken or compromised client detected; attempt to open " ++ "special file (i.e. neither regular file, nor directory)" ++ ); ++ close(fd); ++ errno = ENXIO; ++ return -1; ++ } ++ ++ return 0; ++} ++ + static inline int openat_dir(int dirfd, const char *name) + { + return openat(dirfd, name, +@@ -56,6 +92,10 @@ again: + return -1; + } + ++ if (close_if_special_file(fd) < 0) { ++ return -1; ++ } ++ + serrno = errno; + /* O_NONBLOCK was only needed to open the file. Let's drop it. We don't + * do that with O_PATH since fcntl(F_SETFL) isn't supported, and openat() +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch new file mode 100644 index 0000000000..7144bdca46 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch @@ -0,0 +1,49 @@ +From 9d38a8434721a6479fe03fb5afb150ca793d3980 Mon Sep 17 00:00:00 2001 +From: zhenwei pi <pizhenwei@bytedance.com> +Date: Thu, 3 Aug 2023 10:43:13 +0800 +Subject: [PATCH] virtio-crypto: verify src&dst buffer length for sym request + +For symmetric algorithms, the length of ciphertext must be as same +as the plaintext. +The missing verification of the src_len and the dst_len in +virtio_crypto_sym_op_helper() may lead buffer overflow/divulged. + +This patch is originally written by Yiming Tao for QEMU-SECURITY, +resend it(a few changes of error message) in qemu-devel. + +Fixes: CVE-2023-3180 +Fixes: 04b9b37edda("virtio-crypto: add data queue processing handler") +Cc: Gonglei <arei.gonglei@huawei.com> +Cc: Mauro Matteo Cascella <mcascell@redhat.com> +Cc: Yiming Tao <taoym@zju.edu.cn> +Signed-off-by: zhenwei pi <pizhenwei@bytedance.com> +Message-Id: <20230803024314.29962-2-pizhenwei@bytedance.com> +Reviewed-by: Michael S. Tsirkin <mst@redhat.com> +Signed-off-by: Michael S. Tsirkin <mst@redhat.com> + +Upstream-Status: Backport from [https://gitlab.com/qemu-project/qemu/-/commit/9d38a8434721a6479fe03fb5afb150ca793d3980] +CVE: CVE-2023-3180 +Signed-off-by: Ashish Sharma <asharma@mvista.com> + + hw/virtio/virtio-crypto.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c +index 44faf5a522b..13aec771e11 100644 +--- a/hw/virtio/virtio-crypto.c ++++ b/hw/virtio/virtio-crypto.c +@@ -634,6 +634,11 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev, + return NULL; + } + ++ if (unlikely(src_len != dst_len)) { ++ virtio_error(vdev, "sym request src len is different from dst len"); ++ return NULL; ++ } ++ + max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len; + if (unlikely(max_len > vcrypto->conf.max_size)) { + virtio_error(vdev, "virtio-crypto too big length"); +-- +GitLab + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch new file mode 100644 index 0000000000..2942e84cac --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch @@ -0,0 +1,87 @@ +From 10be627d2b5ec2d6b3dce045144aa739eef678b4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com> +Date: Tue, 20 Jun 2023 09:45:34 +0100 +Subject: [PATCH] io: remove io watch if TLS channel is closed during handshake +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The TLS handshake make take some time to complete, during which time an +I/O watch might be registered with the main loop. If the owner of the +I/O channel invokes qio_channel_close() while the handshake is waiting +to continue the I/O watch must be removed. Failing to remove it will +later trigger the completion callback which the owner is not expecting +to receive. In the case of the VNC server, this results in a SEGV as +vnc_disconnect_start() tries to shutdown a client connection that is +already gone / NULL. + +CVE-2023-3354 +Reported-by: jiangyegen <jiangyegen@huawei.com> +Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/10be627d2b5ec2d6b3dce045144aa739eef678b4] +CVE: CVE-2023-3354 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + include/io/channel-tls.h | 1 + + io/channel-tls.c | 18 ++++++++++++------ + 2 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/include/io/channel-tls.h b/include/io/channel-tls.h +index fdbdf12f..e49e2831 100644 +--- a/include/io/channel-tls.h ++++ b/include/io/channel-tls.h +@@ -49,6 +49,7 @@ struct QIOChannelTLS { + QIOChannel *master; + QCryptoTLSSession *session; + QIOChannelShutdown shutdown; ++ guint hs_ioc_tag; + }; + + /** +diff --git a/io/channel-tls.c b/io/channel-tls.c +index 7ec8ceff..8b32fbde 100644 +--- a/io/channel-tls.c ++++ b/io/channel-tls.c +@@ -194,12 +194,13 @@ static void qio_channel_tls_handshake_task(QIOChannelTLS *ioc, + } + + trace_qio_channel_tls_handshake_pending(ioc, status); +- qio_channel_add_watch_full(ioc->master, +- condition, +- qio_channel_tls_handshake_io, +- data, +- NULL, +- context); ++ ioc->hs_ioc_tag = ++ qio_channel_add_watch_full(ioc->master, ++ condition, ++ qio_channel_tls_handshake_io, ++ data, ++ NULL, ++ context); + } + } + +@@ -214,6 +215,7 @@ static gboolean qio_channel_tls_handshake_io(QIOChannel *ioc, + QIOChannelTLS *tioc = QIO_CHANNEL_TLS( + qio_task_get_source(task)); + ++ tioc->hs_ioc_tag = 0; + g_free(data); + qio_channel_tls_handshake_task(tioc, task, context); + +@@ -371,6 +373,10 @@ static int qio_channel_tls_close(QIOChannel *ioc, + { + QIOChannelTLS *tioc = QIO_CHANNEL_TLS(ioc); + ++ if (tioc->hs_ioc_tag) { ++ g_clear_handle_id(&tioc->hs_ioc_tag, g_source_remove); ++ } ++ + return qio_channel_close(tioc->master, errp); + } + +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-5088.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-5088.patch new file mode 100644 index 0000000000..db02210fa4 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-5088.patch @@ -0,0 +1,114 @@ +From 7d7512019fc40c577e2bdd61f114f31a9eb84a8e Mon Sep 17 00:00:00 2001 +From: Fiona Ebner <f.ebner@proxmox.com> +Date: Wed, 6 Sep 2023 15:09:21 +0200 +Subject: [PATCH] hw/ide: reset: cancel async DMA operation before resetting + state +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If there is a pending DMA operation during ide_bus_reset(), the fact +that the IDEState is already reset before the operation is canceled +can be problematic. In particular, ide_dma_cb() might be called and +then use the reset IDEState which contains the signature after the +reset. When used to construct the IO operation this leads to +ide_get_sector() returning 0 and nsector being 1. This is particularly +bad, because a write command will thus destroy the first sector which +often contains a partition table or similar. + +Traces showing the unsolicited write happening with IDEState +0x5595af6949d0 being used after reset: + +> ahci_port_write ahci(0x5595af6923f0)[0]: port write [reg:PxSCTL] @ 0x2c: 0x00000300 +> ahci_reset_port ahci(0x5595af6923f0)[0]: reset port +> ide_reset IDEstate 0x5595af6949d0 +> ide_reset IDEstate 0x5595af694da8 +> ide_bus_reset_aio aio_cancel +> dma_aio_cancel dbs=0x7f64600089a0 +> dma_blk_cb dbs=0x7f64600089a0 ret=0 +> dma_complete dbs=0x7f64600089a0 ret=0 cb=0x5595acd40b30 +> ahci_populate_sglist ahci(0x5595af6923f0)[0] +> ahci_dma_prepare_buf ahci(0x5595af6923f0)[0]: prepare buf limit=512 prepared=512 +> ide_dma_cb IDEState 0x5595af6949d0; sector_num=0 n=1 cmd=DMA WRITE +> dma_blk_io dbs=0x7f6420802010 bs=0x5595ae2c6c30 offset=0 to_dev=1 +> dma_blk_cb dbs=0x7f6420802010 ret=0 + +> (gdb) p *qiov +> $11 = {iov = 0x7f647c76d840, niov = 1, {{nalloc = 1, local_iov = {iov_base = 0x0, +> iov_len = 512}}, {__pad = "\001\000\000\000\000\000\000\000\000\000\000", +> size = 512}}} +> (gdb) bt +> #0 blk_aio_pwritev (blk=0x5595ae2c6c30, offset=0, qiov=0x7f6420802070, flags=0, +> cb=0x5595ace6f0b0 <dma_blk_cb>, opaque=0x7f6420802010) +> at ../block/block-backend.c:1682 +> #1 0x00005595ace6f185 in dma_blk_cb (opaque=0x7f6420802010, ret=<optimized out>) +> at ../softmmu/dma-helpers.c:179 +> #2 0x00005595ace6f778 in dma_blk_io (ctx=0x5595ae0609f0, +> sg=sg@entry=0x5595af694d00, offset=offset@entry=0, align=align@entry=512, +> io_func=io_func@entry=0x5595ace6ee30 <dma_blk_write_io_func>, +> io_func_opaque=io_func_opaque@entry=0x5595ae2c6c30, +> cb=0x5595acd40b30 <ide_dma_cb>, opaque=0x5595af6949d0, +> dir=DMA_DIRECTION_TO_DEVICE) at ../softmmu/dma-helpers.c:244 +> #3 0x00005595ace6f90a in dma_blk_write (blk=0x5595ae2c6c30, +> sg=sg@entry=0x5595af694d00, offset=offset@entry=0, align=align@entry=512, +> cb=cb@entry=0x5595acd40b30 <ide_dma_cb>, opaque=opaque@entry=0x5595af6949d0) +> at ../softmmu/dma-helpers.c:280 +> #4 0x00005595acd40e18 in ide_dma_cb (opaque=0x5595af6949d0, ret=<optimized out>) +> at ../hw/ide/core.c:953 +> #5 0x00005595ace6f319 in dma_complete (ret=0, dbs=0x7f64600089a0) +> at ../softmmu/dma-helpers.c:107 +> #6 dma_blk_cb (opaque=0x7f64600089a0, ret=0) at ../softmmu/dma-helpers.c:127 +> #7 0x00005595ad12227d in blk_aio_complete (acb=0x7f6460005b10) +> at ../block/block-backend.c:1527 +> #8 blk_aio_complete (acb=0x7f6460005b10) at ../block/block-backend.c:1524 +> #9 blk_aio_write_entry (opaque=0x7f6460005b10) at ../block/block-backend.c:1594 +> #10 0x00005595ad258cfb in coroutine_trampoline (i0=<optimized out>, +> i1=<optimized out>) at ../util/coroutine-ucontext.c:177 + +Signed-off-by: Fiona Ebner <f.ebner@proxmox.com> +Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> +Tested-by: simon.rowe@nutanix.com +Message-ID: <20230906130922.142845-1-f.ebner@proxmox.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/7d7512019fc40c577e2bdd61f114f31a9eb84a8e] +CVE: CVE-2023-5088 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + hw/ide/core.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/hw/ide/core.c b/hw/ide/core.c +index b5e0dcd29b2..63ba665f3d2 100644 +--- a/hw/ide/core.c ++++ b/hw/ide/core.c +@@ -2515,19 +2515,19 @@ static void ide_dummy_transfer_stop(IDEState *s) + + void ide_bus_reset(IDEBus *bus) + { +- bus->unit = 0; +- bus->cmd = 0; +- ide_reset(&bus->ifs[0]); +- ide_reset(&bus->ifs[1]); +- ide_clear_hob(bus); +- +- /* pending async DMA */ ++ /* pending async DMA - needs the IDEState before it is reset */ + if (bus->dma->aiocb) { + trace_ide_bus_reset_aio(); + blk_aio_cancel(bus->dma->aiocb); + bus->dma->aiocb = NULL; + } + ++ bus->unit = 0; ++ bus->cmd = 0; ++ ide_reset(&bus->ifs[0]); ++ ide_reset(&bus->ifs[1]); ++ ide_clear_hob(bus); ++ + /* reset dma provider too */ + if (bus->dma->ops->reset) { + bus->dma->ops->reset(bus->dma); +-- +GitLab + diff --git a/meta/recipes-devtools/qemu/qemu/hw-block-nvme-handle-dma-errors.patch b/meta/recipes-devtools/qemu/qemu/hw-block-nvme-handle-dma-errors.patch new file mode 100644 index 0000000000..0fdae8351a --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/hw-block-nvme-handle-dma-errors.patch @@ -0,0 +1,146 @@ +From ea2a7c7676d8eb9d1458eaa4b717df46782dcb3a Mon Sep 17 00:00:00 2001 +From: Gaurav Gupta <gauragup@cisco.com> +Date: Wed, 29 Mar 2023 14:07:17 -0700 +Subject: [PATCH 2/2] hw/block/nvme: handle dma errors + +Handling DMA errors gracefully is required for the device to pass the +block/011 test ("disable PCI device while doing I/O") in the blktests +suite. + +With this patch the device sets the Controller Fatal Status bit in the +CSTS register when failing to read from a submission queue or writing to +a completion queue; expecting the host to reset the controller. + +If DMA errors occur at any other point in the execution of the command +(say, while mapping the PRPs), the command is aborted with a Data +Transfer Error status code. + +Signed-off-by: Klaus Jensen <k.jensen@samsung.com> +Signed-off-by: Gaurav Gupta <gauragup@cisco.com> +--- + hw/block/nvme.c | 41 +++++++++++++++++++++++++++++++---------- + hw/block/trace-events | 3 +++ + 2 files changed, 34 insertions(+), 10 deletions(-) + +diff --git a/hw/block/nvme.c b/hw/block/nvme.c +index e6f24a6..bda446d 100644 +--- a/hw/block/nvme.c ++++ b/hw/block/nvme.c +@@ -60,14 +60,14 @@ static bool nvme_addr_is_cmb(NvmeCtrl *n, hwaddr addr) + return addr >= low && addr < hi; + } + +-static void nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size) ++static int nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size) + { + if (n->cmbsz && nvme_addr_is_cmb(n, addr)) { + memcpy(buf, (void *)&n->cmbuf[addr - n->ctrl_mem.addr], size); +- return; ++ return 0; + } + +- pci_dma_read(&n->parent_obj, addr, buf, size); ++ return pci_dma_read(&n->parent_obj, addr, buf, size); + } + + static int nvme_check_sqid(NvmeCtrl *n, uint16_t sqid) +@@ -152,6 +152,7 @@ static uint16_t nvme_map_prp(QEMUSGList *qsg, QEMUIOVector *iov, uint64_t prp1, + hwaddr trans_len = n->page_size - (prp1 % n->page_size); + trans_len = MIN(len, trans_len); + int num_prps = (len >> n->page_bits) + 1; ++ int ret; + + if (unlikely(!prp1)) { + trace_nvme_err_invalid_prp(); +@@ -178,7 +179,11 @@ static uint16_t nvme_map_prp(QEMUSGList *qsg, QEMUIOVector *iov, uint64_t prp1, + + nents = (len + n->page_size - 1) >> n->page_bits; + prp_trans = MIN(n->max_prp_ents, nents) * sizeof(uint64_t); +- nvme_addr_read(n, prp2, (void *)prp_list, prp_trans); ++ ret = nvme_addr_read(n, prp2, (void *)prp_list, prp_trans); ++ if (ret) { ++ trace_pci_nvme_err_addr_read(prp2); ++ return NVME_DATA_TRAS_ERROR; ++ } + while (len != 0) { + uint64_t prp_ent = le64_to_cpu(prp_list[i]); + +@@ -191,8 +196,12 @@ static uint16_t nvme_map_prp(QEMUSGList *qsg, QEMUIOVector *iov, uint64_t prp1, + i = 0; + nents = (len + n->page_size - 1) >> n->page_bits; + prp_trans = MIN(n->max_prp_ents, nents) * sizeof(uint64_t); +- nvme_addr_read(n, prp_ent, (void *)prp_list, +- prp_trans); ++ ret = nvme_addr_read(n, prp_ent, (void *)prp_list, ++ prp_trans); ++ if (ret) { ++ trace_pci_nvme_err_addr_read(prp_ent); ++ return NVME_DATA_TRAS_ERROR; ++ } + prp_ent = le64_to_cpu(prp_list[i]); + } + +@@ -286,6 +295,7 @@ static void nvme_post_cqes(void *opaque) + NvmeCQueue *cq = opaque; + NvmeCtrl *n = cq->ctrl; + NvmeRequest *req, *next; ++ int ret; + + QTAILQ_FOREACH_SAFE(req, &cq->req_list, entry, next) { + NvmeSQueue *sq; +@@ -295,15 +305,21 @@ static void nvme_post_cqes(void *opaque) + break; + } + +- QTAILQ_REMOVE(&cq->req_list, req, entry); + sq = req->sq; + req->cqe.status = cpu_to_le16((req->status << 1) | cq->phase); + req->cqe.sq_id = cpu_to_le16(sq->sqid); + req->cqe.sq_head = cpu_to_le16(sq->head); + addr = cq->dma_addr + cq->tail * n->cqe_size; ++ ret = pci_dma_write(&n->parent_obj, addr, (void *)&req->cqe, ++ sizeof(req->cqe)); ++ if (ret) { ++ trace_pci_nvme_err_addr_write(addr); ++ trace_pci_nvme_err_cfs(); ++ n->bar.csts = NVME_CSTS_FAILED; ++ break; ++ } ++ QTAILQ_REMOVE(&cq->req_list, req, entry); + nvme_inc_cq_tail(cq); +- pci_dma_write(&n->parent_obj, addr, (void *)&req->cqe, +- sizeof(req->cqe)); + QTAILQ_INSERT_TAIL(&sq->req_list, req, entry); + } + if (cq->tail != cq->head) { +@@ -888,7 +904,12 @@ static void nvme_process_sq(void *opaque) + + while (!(nvme_sq_empty(sq) || QTAILQ_EMPTY(&sq->req_list))) { + addr = sq->dma_addr + sq->head * n->sqe_size; +- nvme_addr_read(n, addr, (void *)&cmd, sizeof(cmd)); ++ if (nvme_addr_read(n, addr, (void *)&cmd, sizeof(cmd))) { ++ trace_pci_nvme_err_addr_read(addr); ++ trace_pci_nvme_err_cfs(); ++ n->bar.csts = NVME_CSTS_FAILED; ++ break; ++ } + nvme_inc_sq_head(sq); + + req = QTAILQ_FIRST(&sq->req_list); +diff --git a/hw/block/trace-events b/hw/block/trace-events +index c03e80c..4e4ad4e 100644 +--- a/hw/block/trace-events ++++ b/hw/block/trace-events +@@ -60,6 +60,9 @@ nvme_mmio_shutdown_set(void) "shutdown bit set" + nvme_mmio_shutdown_cleared(void) "shutdown bit cleared" + + # nvme traces for error conditions ++pci_nvme_err_addr_read(uint64_t addr) "addr 0x%"PRIx64"" ++pci_nvme_err_addr_write(uint64_t addr) "addr 0x%"PRIx64"" ++pci_nvme_err_cfs(void) "controller fatal status" + nvme_err_invalid_dma(void) "PRP/SGL is too small for transfer size" + nvme_err_invalid_prplist_ent(uint64_t prplist) "PRP list entry is null or not page aligned: 0x%"PRIx64"" + nvme_err_invalid_prp2_align(uint64_t prp2) "PRP2 is not page aligned: 0x%"PRIx64"" +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/hw-block-nvme-refactor-nvme_addr_read.patch b/meta/recipes-devtools/qemu/qemu/hw-block-nvme-refactor-nvme_addr_read.patch new file mode 100644 index 0000000000..66ada52efb --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/hw-block-nvme-refactor-nvme_addr_read.patch @@ -0,0 +1,55 @@ +From 55428706d5b0b8889b8e009eac77137bb556a4f0 Mon Sep 17 00:00:00 2001 +From: Klaus Jensen <k.jensen@samsung.com> +Date: Tue, 9 Jun 2020 21:03:17 +0200 +Subject: [PATCH 1/2] hw/block/nvme: refactor nvme_addr_read +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Pull the controller memory buffer check to its own function. The check +will be used on its own in later patches. + +Signed-off-by: Klaus Jensen <k.jensen@samsung.com> +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com> +Reviewed-by: Keith Busch <kbusch@kernel.org> +Message-Id: <20200609190333.59390-7-its@irrelevant.dk> +Signed-off-by: Kevin Wolf <kwolf@redhat.com> +--- + hw/block/nvme.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/hw/block/nvme.c b/hw/block/nvme.c +index 12d8254..e6f24a6 100644 +--- a/hw/block/nvme.c ++++ b/hw/block/nvme.c +@@ -52,14 +52,22 @@ + + static void nvme_process_sq(void *opaque); + ++static bool nvme_addr_is_cmb(NvmeCtrl *n, hwaddr addr) ++{ ++ hwaddr low = n->ctrl_mem.addr; ++ hwaddr hi = n->ctrl_mem.addr + int128_get64(n->ctrl_mem.size); ++ ++ return addr >= low && addr < hi; ++} ++ + static void nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size) + { +- if (n->cmbsz && addr >= n->ctrl_mem.addr && +- addr < (n->ctrl_mem.addr + int128_get64(n->ctrl_mem.size))) { ++ if (n->cmbsz && nvme_addr_is_cmb(n, addr)) { + memcpy(buf, (void *)&n->cmbuf[addr - n->ctrl_mem.addr], size); +- } else { +- pci_dma_read(&n->parent_obj, addr, buf, size); ++ return; + } ++ ++ pci_dma_read(&n->parent_obj, addr, buf, size); + } + + static int nvme_check_sqid(NvmeCtrl *n, uint16_t sqid) +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch b/meta/recipes-devtools/qemu/qemu/hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch new file mode 100644 index 0000000000..f380be486c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch @@ -0,0 +1,236 @@ +From 5a44a01c9eca6507be45d107c27377a3e8d0ee8c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org> +Date: Mon, 28 Nov 2022 21:27:39 +0100 +Subject: [PATCH] hw/display/qxl: Pass requested buffer size to qxl_phys2virt() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Currently qxl_phys2virt() doesn't check for buffer overrun. +In order to do so in the next commit, pass the buffer size +as argument. + +For QXLCursor in qxl_render_cursor() -> qxl_cursor() we +verify the size of the chunked data ahead, checking we can +access 'sizeof(QXLCursor) + chunk->data_size' bytes. +Since in the SPICE_CURSOR_TYPE_MONO case the cursor is +assumed to fit in one chunk, no change are required. +In SPICE_CURSOR_TYPE_ALPHA the ahead read is handled in +qxl_unpack_chunks(). + +Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> +Acked-by: Gerd Hoffmann <kraxel@redhat.com> +Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> +Message-Id: <20221128202741.4945-4-philmd@linaro.org> + +Backport and rebase patch to fix compile error which imported by CVE-2022-4144.patch: + +/qxl.c: In function 'qxl_phys2virt': +| /home/hitendra/work/yocto-work/cgx-data/dunfell-3.1/x86-generic-64-5.4-3.1-cgx/project/tmp/work/i586-montavistamllib32-linux/lib32-qemu/4.2.0-r0.8/qemu-4.2.0/hw/display/qxl.c:1508:67: error: 'size' undeclared (first use in this function); did you mean 'gsize'? +| 1508 | if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size)) { +| | ^~~~ +| | gsize + +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/61c34fc && https://gitlab.com/qemu-project/qemu/-/commit/8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f] + +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + hw/display/qxl-logger.c | 22 +++++++++++++++++++--- + hw/display/qxl-render.c | 20 ++++++++++++++++---- + hw/display/qxl.c | 17 +++++++++++------ + hw/display/qxl.h | 3 ++- + 4 files changed, 48 insertions(+), 14 deletions(-) + +diff --git a/hw/display/qxl-logger.c b/hw/display/qxl-logger.c +index 2ec6d8fa..031ddfec 100644 +--- a/hw/display/qxl-logger.c ++++ b/hw/display/qxl-logger.c +@@ -106,7 +106,7 @@ static int qxl_log_image(PCIQXLDevice *qxl, QXLPHYSICAL addr, int group_id) + QXLImage *image; + QXLImageDescriptor *desc; + +- image = qxl_phys2virt(qxl, addr, group_id); ++ image = qxl_phys2virt(qxl, addr, group_id, sizeof(QXLImage)); + if (!image) { + return 1; + } +@@ -216,7 +216,8 @@ int qxl_log_cmd_cursor(PCIQXLDevice *qxl, QXLCursorCmd *cmd, int group_id) + cmd->u.set.position.y, + cmd->u.set.visible ? "yes" : "no", + cmd->u.set.shape); +- cursor = qxl_phys2virt(qxl, cmd->u.set.shape, group_id); ++ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, group_id, ++ sizeof(QXLCursor)); + if (!cursor) { + return 1; + } +@@ -238,6 +239,7 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext) + { + bool compat = ext->flags & QXL_COMMAND_FLAG_COMPAT; + void *data; ++ size_t datasz; + int ret; + + if (!qxl->cmdlog) { +@@ -249,7 +251,20 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext) + qxl_name(qxl_type, ext->cmd.type), + compat ? "(compat)" : ""); + +- data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id); ++ switch (ext->cmd.type) { ++ case QXL_CMD_DRAW: ++ datasz = compat ? sizeof(QXLCompatDrawable) : sizeof(QXLDrawable); ++ break; ++ case QXL_CMD_SURFACE: ++ datasz = sizeof(QXLSurfaceCmd); ++ break; ++ case QXL_CMD_CURSOR: ++ datasz = sizeof(QXLCursorCmd); ++ break; ++ default: ++ goto out; ++ } ++ data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id, datasz); + if (!data) { + return 1; + } +@@ -271,6 +286,7 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext) + qxl_log_cmd_cursor(qxl, data, ext->group_id); + break; + } ++out: + fprintf(stderr, "\n"); + return 0; + } +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c +index d532e157..a65a6d64 100644 +--- a/hw/display/qxl-render.c ++++ b/hw/display/qxl-render.c +@@ -107,7 +107,9 @@ static void qxl_render_update_area_unlocked(PCIQXLDevice *qxl) + qxl->guest_primary.resized = 0; + qxl->guest_primary.data = qxl_phys2virt(qxl, + qxl->guest_primary.surface.mem, +- MEMSLOT_GROUP_GUEST); ++ MEMSLOT_GROUP_GUEST, ++ qxl->guest_primary.abs_stride ++ * height); + if (!qxl->guest_primary.data) { + return; + } +@@ -222,7 +224,8 @@ static void qxl_unpack_chunks(void *dest, size_t size, PCIQXLDevice *qxl, + if (offset == size) { + return; + } +- chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id); ++ chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id, ++ sizeof(QXLDataChunk) + chunk->data_size); + if (!chunk) { + return; + } +@@ -289,7 +292,8 @@ fail: + /* called from spice server thread context only */ + int qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext) + { +- QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id); ++ QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id, ++ sizeof(QXLCursorCmd)); + QXLCursor *cursor; + QEMUCursor *c; + +@@ -308,7 +312,15 @@ int qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext) + } + switch (cmd->type) { + case QXL_CURSOR_SET: +- cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id); ++ /* First read the QXLCursor to get QXLDataChunk::data_size ... */ ++ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id, ++ sizeof(QXLCursor)); ++ if (!cursor) { ++ return 1; ++ } ++ /* Then read including the chunked data following QXLCursor. */ ++ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id, ++ sizeof(QXLCursor) + cursor->chunk.data_size); + if (!cursor) { + return 1; + } +diff --git a/hw/display/qxl.c b/hw/display/qxl.c +index 6bc8385b..858d3e93 100644 +--- a/hw/display/qxl.c ++++ b/hw/display/qxl.c +@@ -275,7 +275,8 @@ static void qxl_spice_monitors_config_async(PCIQXLDevice *qxl, int replay) + QXL_IO_MONITORS_CONFIG_ASYNC)); + } + +- cfg = qxl_phys2virt(qxl, qxl->guest_monitors_config, MEMSLOT_GROUP_GUEST); ++ cfg = qxl_phys2virt(qxl, qxl->guest_monitors_config, MEMSLOT_GROUP_GUEST, ++ sizeof(QXLMonitorsConfig)); + if (cfg != NULL && cfg->count == 1) { + qxl->guest_primary.resized = 1; + qxl->guest_head0_width = cfg->heads[0].width; +@@ -460,7 +461,8 @@ static int qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext) + switch (le32_to_cpu(ext->cmd.type)) { + case QXL_CMD_SURFACE: + { +- QXLSurfaceCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id); ++ QXLSurfaceCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id, ++ sizeof(QXLSurfaceCmd)); + + if (!cmd) { + return 1; +@@ -494,7 +496,8 @@ static int qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext) + } + case QXL_CMD_CURSOR: + { +- QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id); ++ QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id, ++ sizeof(QXLCursorCmd)); + + if (!cmd) { + return 1; +@@ -674,7 +677,8 @@ static int interface_get_command(QXLInstance *sin, struct QXLCommandExt *ext) + * + * https://cgit.freedesktop.org/spice/win32/qxl-wddm-dod/commit/?id=f6e099db39e7d0787f294d5fd0dce328b5210faa + */ +- void *msg = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id); ++ void *msg = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id, ++ sizeof(QXLCommandRing)); + if (msg != NULL && ( + msg < (void *)qxl->vga.vram_ptr || + msg > ((void *)qxl->vga.vram_ptr + qxl->vga.vram_size))) { +@@ -1494,7 +1498,8 @@ static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, + } + + /* can be also called from spice server thread context */ +-void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id) ++void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id, ++ size_t size) + { + uint64_t offset; + uint32_t slot; +@@ -1994,7 +1999,7 @@ static void qxl_dirty_surfaces(PCIQXLDevice *qxl) + } + + cmd = qxl_phys2virt(qxl, qxl->guest_surfaces.cmds[i], +- MEMSLOT_GROUP_GUEST); ++ MEMSLOT_GROUP_GUEST, sizeof(QXLSurfaceCmd)); + assert(cmd); + assert(cmd->type == QXL_SURFACE_CMD_CREATE); + qxl_dirty_one_surface(qxl, cmd->u.surface_create.data, +diff --git a/hw/display/qxl.h b/hw/display/qxl.h +index 80eb0d26..fcfd133a 100644 +--- a/hw/display/qxl.h ++++ b/hw/display/qxl.h +@@ -147,7 +147,8 @@ typedef struct PCIQXLDevice { + #define QXL_DEFAULT_REVISION QXL_REVISION_STABLE_V12 + + /* qxl.c */ +-void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id); ++void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id, ++ size_t size); + void qxl_set_guest_bug(PCIQXLDevice *qxl, const char *msg, ...) + GCC_FMT_ATTR(2, 3); + +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu_4.2.0.bb b/meta/recipes-devtools/qemu/qemu_4.2.0.bb index 9c76144749..05449afe4e 100644 --- a/meta/recipes-devtools/qemu/qemu_4.2.0.bb +++ b/meta/recipes-devtools/qemu/qemu_4.2.0.bb @@ -24,7 +24,8 @@ do_install_append_class-nativesdk() { } PACKAGECONFIG ??= " \ - fdt sdl kvm \ + fdt sdl kvm slirp \ ${@bb.utils.filter('DISTRO_FEATURES', 'alsa xen', d)} \ + ${@bb.utils.filter('DISTRO_FEATURES', 'seccomp', d)} \ " -PACKAGECONFIG_class-nativesdk ??= "fdt sdl kvm" +PACKAGECONFIG:class-nativesdk ??= "fdt sdl kvm slirp" |