authorDaniel BORNAZ <daniel.bornaz@enea.com>2014-07-17 14:24:11 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2014-07-19 00:09:02 +0100
commitee2b26fe759d1d8a0f78c94f1a4f3cfe30ff3c5d (patch)
tree6de973953c8749b57d06d0980951859300afca66
parent348102a03d84ba0965556cd88d6e3df70c44eb74 (diff)
qemu: security patch for CVE-2014-3471
Qemu PCIe bus support is vulnerable to a use-after-free flaw. It could occur via the guest, when it tries to hotplug/hotunplug devices. A user able to add & delete Virtio block devices on a guest could use this flaw to crash the Qemu instance resulting in DoS. Originated-by: Marcel Apfelbaum <address@hidden> Updated the qemu recipe to include the security patch. Upstream-Status: Submitted (From OE-Core rev: a84e1749b489cee5ea219799c35e29b6edead30f) Signed-off-by: Daniel BORNAZ <daniel.bornaz@enea.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/qemu/files/pcie_better_hotplug_support.patch74
-rw-r--r--meta/recipes-devtools/qemu/qemu_2.0.0.bb6
2 files changed, 79 insertions, 1 deletions
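--- /dev/null
+++ b/meta/recipes-devtools/qemu/files/pcie_better_hotplug_support.patch
@@ -0,0 +1,74 @@
+The current code is broken: it does surprise removal which crashes guests.
+
+Reimplemented the steps:
+ - Hotplug triggers both 'present detect change' and
+ 'attention button pressed'.
+
+ - Hotunplug starts by triggering 'attention button pressed',
+ then waits for the OS to power off the device and only
+ then detaches it.
+
+Fixes CVE-2014-3471.
+
+Originated-by: Marcel Apfelbaum <address@hidden>
+Updated-by: Daniel BORNAZ <daniel.bornaz@enea.com>
+
+--- a/hw/pci/pcie.c 2014-04-17 15:44:44.000000000 +0200
++++ b/hw/pci/pcie.c 2014-07-15 13:03:16.905070562 +0200
+@@ -258,7 +258,8 @@ void pcie_cap_slot_hotplug_cb(HotplugHan
+
+ pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA,
+ PCI_EXP_SLTSTA_PDS);
+- pcie_cap_slot_event(PCI_DEVICE(hotplug_dev), PCI_EXP_HP_EV_PDC);
++ pcie_cap_slot_event(PCI_DEVICE(hotplug_dev),
++ PCI_EXP_HP_EV_PDC | PCI_EXP_HP_EV_ABP);
+ }
+
+ void pcie_cap_slot_hot_unplug_cb(HotplugHandler *hotplug_dev, DeviceState *dev,
+@@ -268,10 +269,7 @@ void pcie_cap_slot_hot_unplug_cb(Hotplug
+
+ pcie_cap_slot_hotplug_common(PCI_DEVICE(hotplug_dev), dev, &exp_cap, errp);
+
+- object_unparent(OBJECT(dev));
+- pci_word_test_and_clear_mask(exp_cap + PCI_EXP_SLTSTA,
+- PCI_EXP_SLTSTA_PDS);
+- pcie_cap_slot_event(PCI_DEVICE(hotplug_dev), PCI_EXP_HP_EV_PDC);
++ pcie_cap_slot_push_attention_button(PCI_DEVICE(hotplug_dev));
+ }
+
+ /* pci express slot for pci express root/downstream port
+@@ -352,6 +350,11 @@ void pcie_cap_slot_reset(PCIDevice *dev)
+ hotplug_event_update_event_status(dev);
+ }
+
++static void pcie_unplug_device(PCIBus *bus, PCIDevice *dev, void *opaque)
++{
++ object_unparent(OBJECT(dev));
++}
++
+ void pcie_cap_slot_write_config(PCIDevice *dev,
+ uint32_t addr, uint32_t val, int len)
+ {
+@@ -376,6 +379,22 @@ void pcie_cap_slot_write_config(PCIDevic
+ sltsta);
+ }
+
++ /*
++ * If the slot is polulated, power indicator is off and power
++ * controller is off, it is safe to detach the devices.
++ */
++ if ((sltsta & PCI_EXP_SLTSTA_PDS) && (val & PCI_EXP_SLTCTL_PCC) &&
++ ((val & PCI_EXP_SLTCTL_PIC_OFF) == PCI_EXP_SLTCTL_PIC_OFF)) {
++ PCIBus *sec_bus = pci_bridge_get_sec_bus(PCI_BRIDGE(dev));
++ pci_for_each_device(sec_bus, pci_bus_num(sec_bus),
++ pcie_unplug_device, NULL);
++
++ pci_word_test_and_clear_mask(exp_cap + PCI_EXP_SLTSTA,
++ PCI_EXP_SLTSTA_PDS);
++ pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA,
++ PCI_EXP_SLTSTA_PDC);
++ }
++
+ hotplug_event_notify(dev);
+
+ /*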
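Review bot: The patch header (new lines 1–15 of pcie_better_hotplug_support.patch) carries no `Upstream-Status:` line, which OE-Core requires on every patch shipped under meta/; the commit message says the fix is submitted upstream, so add `Upstream-Status: Submitted` next to the `Fixes CVE-2014-3471.` line so the status travels with the patch rather than only with this commit. The comment added above the new detach branch in pcie_cap_slot_write_config misspells "populated" (`* If the slot is polulated, power indicator is off and power`). That branch decides to detach purely from bits of `val` and `sltsta`, so whether `val` is the guest's slot-control write at this point depends on code of pcie_cap_slot_write_config that lies outside the hunk; the function starts and ends outside it, and the new pcie_unplug_device helper is only ever reached from there.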
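--- a/meta/recipes-devtools/qemu/qemu_2.0.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.0.0.bb
@@ -4,7 +4,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
  file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913"
 
 SRC_URI += "file://qemu-enlarge-env-entry-size.patch \
- file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch"
+ file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
+ file://pcie_better_hotplug_support.patch \
+ "
+
+
 
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
 SRC_URI[md5sum] = "2790f44fd76da5de5024b4aafeb594c2"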
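Review bot: Two extra empty lines (new lines 10 and 11) are added after the closing quote of the SRC_URI assignment, leaving three consecutive blank lines before SRC_URI_prepend; drop them so the recipe keeps its existing single-blank-line spacing. Putting the closing `"` on a line of its own also departs from how the rest of this recipe terminates multi-line assignments; `file://pcie_better_hotplug_support.patch \` plus a bare `"` line could be collapsed to `file://pcie_better_hotplug_support.patch"`.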