qemu: fix CVE-2021-20196 block fdc null pointer dereference may lead to guest crash

Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/1ab95af033a419e7a64e2d58e67dd96b20af5233] (From OE-Core rev: 1523fcbb6fef60d30c07377673fca265c5c9781c) Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Vivek Kumbhar <vkumbhar@mvista.com> 2022-11-29 16:38:32 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-12-07 15:06:37 +0000
commit: 5a4433a52ba3348f6e0841f5ef3829de12c5cecd (patch)
tree: fd334b39571c5c11fb5d2828a7b9709000896bdd
parent: 44c4df6fbad23031de0923a9e8dca6eb149b83ea (diff)
download: poky-5a4433a52ba3348f6e0841f5ef3829de12c5cecd.tar.gz
2 files changed, 63 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 764f948a28..a915b54c1a 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -113,6 +113,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2022-0216-2.patch \
           file://CVE-2021-3750.patch \
           file://CVE-2021-3638.patch \
+           file://CVE-2021-20196.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch
new file mode 100644
index 0000000000..e9b815740f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch
@@ -0,0 +1,62 @@
+From 94608c59045791dfd35102bc59b792e96f2cfa30 Mon Sep 17 00:00:00 2001
+From: Vivek Kumbhar <vkumbhar@mvista.com>
+Date: Tue, 29 Nov 2022 15:57:13 +0530
+Subject: [PATCH] CVE-2021-20196
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/1ab95af033a419e7a64e2d58e67dd96b20af5233]
+CVE: CVE-2021-20196
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196
+Guest might select another drive on the bus by setting the
+DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR).
+The current controller model doesn't expect a BlockBackend
+to be NULL. A simple way to fix CVE-2021-20196 is to create
+an empty BlockBackend when it is missing. All further
+accesses will be safely handled, and the controller state
+machines keep behaving correctly.
+---
+ hw/block/fdc.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index ac5d31e8..e128e975 100644
+--- a/hw/block/fdc.c
+++ b/hw/block/fdc.c
+@@ -58,6 +58,11 @@
+         }                                                       \
+     } while (0)
+ 
+/* Anonymous BlockBackend for empty drive */
+static BlockBackend *blk_create_empty_drive(void)
+{
+    return blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL);
+}
+ 
+ /********************************************************/
+ /* qdev floppy bus                                      */
+@@ -1356,7 +1361,19 @@ static FDrive *get_drv(FDCtrl *fdctrl, int unit)
+ 
+ static FDrive *get_cur_drv(FDCtrl *fdctrl)
+ {
+-    return get_drv(fdctrl, fdctrl->cur_drv);
+    FDrive *cur_drv = get_drv(fdctrl, fdctrl->cur_drv);
+
+    if (!cur_drv->blk) {
+        /*
+         * Kludge: empty drive line selected. Create an anonymous
+         * BlockBackend to avoid NULL deref with various BlockBackend
+         * API calls within this model (CVE-2021-20196).
+         * Due to the controller QOM model limitations, we don't
+         * attach the created to the controller device.
+         */
+        cur_drv->blk = blk_create_empty_drive();
+    }
+    return cur_drv;
+ }
+ 
+ /* Status A register : 0x00 (read-only) */
+-- 
+2.25.1
author	Vivek Kumbhar <vkumbhar@mvista.com>	2022-11-29 16:38:32 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-12-07 15:06:37 +0000
commit	5a4433a52ba3348f6e0841f5ef3829de12c5cecd (patch)
tree	fd334b39571c5c11fb5d2828a7b9709000896bdd
parent	44c4df6fbad23031de0923a9e8dca6eb149b83ea (diff)
download	poky-5a4433a52ba3348f6e0841f5ef3829de12c5cecd.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 764f948a28..a915b54c1a 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -113,6 +113,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
113	file://CVE-2022-0216-2.patch \	113	file://CVE-2022-0216-2.patch \
114	file://CVE-2021-3750.patch \	114	file://CVE-2021-3750.patch \
115	file://CVE-2021-3638.patch \	115	file://CVE-2021-3638.patch \
		116	file://CVE-2021-20196.patch \
116	"	117	"
117	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	118	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
118		119


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch new file mode 100644 index 0000000000..e9b815740f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch
@@ -0,0 +1,62 @@
		1	From 94608c59045791dfd35102bc59b792e96f2cfa30 Mon Sep 17 00:00:00 2001
		2	From: Vivek Kumbhar <vkumbhar@mvista.com>
		3	Date: Tue, 29 Nov 2022 15:57:13 +0530
		4	Subject: [PATCH] CVE-2021-20196
		5
		6	Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/1ab95af033a419e7a64e2d58e67dd96b20af5233]
		7	CVE: CVE-2021-20196
		8	Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
		9
		10	hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196
		11
		12	Guest might select another drive on the bus by setting the
		13	DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR).
		14	The current controller model doesn't expect a BlockBackend
		15	to be NULL. A simple way to fix CVE-2021-20196 is to create
		16	an empty BlockBackend when it is missing. All further
		17	accesses will be safely handled, and the controller state
		18	machines keep behaving correctly.
		19	---
		20	hw/block/fdc.c \| 19 ++++++++++++++++++-
		21	1 file changed, 18 insertions(+), 1 deletion(-)
		22
		23	diff --git a/hw/block/fdc.c b/hw/block/fdc.c
		24	index ac5d31e8..e128e975 100644
		25	--- a/hw/block/fdc.c
		26	+++ b/hw/block/fdc.c
		27	@@ -58,6 +58,11 @@
		28	} \
		29	} while (0)
		30
		31	+/* Anonymous BlockBackend for empty drive */
		32	+static BlockBackend *blk_create_empty_drive(void)
		33	+{
		34	+ return blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL);
		35	+}
		36
		37	/********************************************************/
		38	/* qdev floppy bus */
		39	@@ -1356,7 +1361,19 @@ static FDrive get_drv(FDCtrl fdctrl, int unit)
		40
		41	static FDrive get_cur_drv(FDCtrl fdctrl)
		42	{
		43	- return get_drv(fdctrl, fdctrl->cur_drv);
		44	+ FDrive *cur_drv = get_drv(fdctrl, fdctrl->cur_drv);
		45	+
		46	+ if (!cur_drv->blk) {
		47	+ /*
		48	+ * Kludge: empty drive line selected. Create an anonymous
		49	+ * BlockBackend to avoid NULL deref with various BlockBackend
		50	+ * API calls within this model (CVE-2021-20196).
		51	+ * Due to the controller QOM model limitations, we don't
		52	+ * attach the created to the controller device.
		53	+ */
		54	+ cur_drv->blk = blk_create_empty_drive();
		55	+ }
		56	+ return cur_drv;
		57	}
		58
		59	/* Status A register : 0x00 (read-only) */
		60	--
		61	2.25.1
		62