author | Yogita Urade <yogita.urade@windriver.com> | 2023-09-07 08:50:16 +0000 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-09-18 04:28:03 -1000 |
commit | 062cbf2be7c55a938caf0a3595a7bb99c0d6f2db (patch) | |
tree | 082ba2c7675233cf84e9c20935bffec77f55bcbf | |
parent | fb8ca2cbec23e407b9f585c09ae0e79ea67d70de (diff) | |
download | poky-062cbf2be7c55a938caf0a3595a7bb99c0d6f2db.tar.gz |
qemu: fix CVE-2021-3638
QEMU: ati-vga: inconsistent check in ati_2d_blt() may lead to
out-of-bounds write.
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-3638
https://lists.nongnu.org/archive/html/qemu-devel/2021-09/msg01682.html
(From OE-Core rev: ebbdbb68a7804accd5430dd05f7899599ddbacd8)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch | 88 |
2 files changed, 89 insertions, 0 deletions
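--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -100,6 +100,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://CVE-2020-14394.patch \
 file://CVE-2023-3354.patch \
 file://CVE-2023-3180.patch \
+file://CVE-2021-3638.patch \
 "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 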
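--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch
@@ -0,0 +1,88 @@
+From 205ccfd7a5ec86bd9a5678b8bd157562fc9a1643 Mon Sep 17 00:00:00 2001
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
+Date: Thu, 10 Aug 2023 07:30:54 +0000
+Subject: [PATCH] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt
+(CVE-2021-3638) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When building QEMU with DEBUG_ATI defined then running with
+'-device ati-vga,romfile="" -d unimp,guest_errors -trace ati\*'
+we get:
+
+ati_mm_write 4 0x16c0 DP_CNTL <- 0x1
+ati_mm_write 4 0x146c DP_GUI_MASTER_CNTL <- 0x2
+ati_mm_write 4 0x16c8 DP_MIX <- 0xff0000
+ati_mm_write 4 0x16c4 DP_DATATYPE <- 0x2
+ati_mm_write 4 0x224 CRTC_OFFSET <- 0x0
+ati_mm_write 4 0x142c DST_PITCH_OFFSET <- 0xfe00000
+ati_mm_write 4 0x1420 DST_Y <- 0x3fff
+ati_mm_write 4 0x1410 DST_HEIGHT <- 0x3fff
+ati_mm_write 4 0x1588 DST_WIDTH_X <- 0x3fff3fff
+ati_2d_blt: vram:0x7fff5fa00000 addr:0 ds:0x7fff61273800 stride:2560 bpp:32 rop:0xff
+ati_2d_blt: 0 0 0, 0 127 0, (0,0) -> (16383,16383) 16383x16383 > ^
+ati_2d_blt: pixman_fill(dst:0x7fff5fa00000, stride:254, bpp:8, x:16383, y:16383, w:16383, h:16383, xor:0xff000000)
+Thread 3 "qemu-system-i38" received signal SIGSEGV, Segmentation fault.
+(gdb) bt
+#0 0x00007ffff7f62ce0 in sse2_fill.lto_priv () at /lib64/libpixman-1.so.0
+#1 0x00007ffff7f09278 in pixman_fill () at /lib64/libpixman-1.so.0
+#2 0x0000555557b5a9af in ati_2d_blt (s=0x631000028800) at hw/display/ati_2d.c:196
+#3 0x0000555557b4b5a2 in ati_mm_write (opaque=0x631000028800, addr=5512, data=1073692671, size=4) at hw/display/ati.c:843
+#4 0x0000555558b90ec4 in memory_region_write_accessor (mr=0x631000039cc0, addr=5512, ..., size=4, ...) at softmmu/memory.c:492
+
+Commit 584acf34cb0 ("ati-vga: Fix reverse bit blts") introduced
+the local dst_x and dst_y which adjust the (x, y) coordinates
+depending on the direction in the SRCCOPY ROP3 operation, but
+forgot to address the same issue for the PATCOPY, BLACKNESS and
+WHITENESS operations, which also call pixman_fill().
+
+Fix that now by using the adjusted coordinates in the pixman_fill
+call, and update the related debug printf().
+
+Reported-by: Qiang Liu <qiangliu@zju.edu.cn>
+Fixes: 584acf34cb0 ("ati-vga: Fix reverse bit blts")
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Tested-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Message-Id: <20210906153103.1661195-1-philmd@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+CVE: CVE-2021-3638
+
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/205ccfd7a5ec86bd9a5678b8bd157562fc9a1643]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+hw/display/ati_2d.c | 6 +++---
+1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
+index 4dc10ea79..692bec91d 100644
+--- a/hw/display/ati_2d.c
++++ b/hw/display/ati_2d.c
+@@ -84,7 +84,7 @@ void ati_2d_blt(ATIVGAState *s)
+DPRINTF("%d %d %d, %d %d %d, (%d,%d) -> (%d,%d) %dx%d %c %c\n",
+s->regs.src_offset, s->regs.dst_offset, s->regs.default_offset,
+s->regs.src_pitch, s->regs.dst_pitch, s->regs.default_pitch,
+- s->regs.src_x, s->regs.src_y, s->regs.dst_x, s->regs.dst_y,
++ s->regs.src_x, s->regs.src_y, dst_x, dst_y,
+s->regs.dst_width, s->regs.dst_height,
+(s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? '>' : '<'),
+(s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? 'v' : '^'));
+@@ -180,11 +180,11 @@ void ati_2d_blt(ATIVGAState *s)
+dst_stride /= sizeof(uint32_t);
+DPRINTF("pixman_fill(%p, %d, %d, %d, %d, %d, %d, %x)\n",
+dst_bits, dst_stride, bpp,
+- s->regs.dst_x, s->regs.dst_y,
++ dst_x, dst_y,
+s->regs.dst_width, s->regs.dst_height,
+filler);
+pixman_fill((uint32_t *)dst_bits, dst_stride, bpp,
+- s->regs.dst_x, s->regs.dst_y,
++ dst_x, dst_y,
+s->regs.dst_width, s->regs.dst_height,
+filler);
+if (dst_bits >= s->vga.vram_ptr + s->vga.vbe_start_addr &&
+--
+2.40.0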
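Review bot: The pixman_fill call at patch lines 81-85 now takes the direction-adjusted `dst_x`/`dst_y`, but the bounds check that must guard that fill is outside both hunks, so this page cannot confirm it bounds `dst_x + s->regs.dst_width` and `dst_y + s->regs.dst_height` with the same adjusted values rather than the raw `s->regs.dst_x`/`s->regs.dst_y` that caused the inconsistency; a comment above the fill, `/* dst_x/dst_y are direction-adjusted; the VRAM bounds check must use the same values (CVE-2021-3638) */`, would keep the guard and the fill from drifting apart again. The declaration of `dst_x`/`dst_y` and the rest of `ati_2d_blt` also lie outside the hunks, so the `%d` conversions that now receive them in the DPRINTF at patch lines 65-69 and 75-80 should be checked against the locals' actual type (if they are unsigned, `%u` is the matching specifier, otherwise -Wformat will complain). The patch header at lines 5-9 glues `MIME-Version`/`Content-Type`/`Content-Transfer-Encoding` onto the wrapped Subject line and then repeats the same three headers; `git am` tolerates this, but the duplicate trio should be removed so the Subject ends at `(CVE-2021-3638)`.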