diff options
author | Hitendra Prajapati <hprajapati@mvista.com> | 2022-07-27 13:25:44 +0530 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-08-08 16:23:34 +0100 |
commit | 25606f450dc91ef1a09cfa3d5117b1e1e4bcc6f2 (patch) | |
tree | 8cddc568936187cf24c70470babc8ec9e00ecb21 | |
parent | 9e7f4a7db257a865100e135f076cc31c14a71bd3 (diff) | |
download | poky-25606f450dc91ef1a09cfa3d5117b1e1e4bcc6f2.tar.gz |
qemu: CVE-2022-35414 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash
Source: https://github.com/qemu/qemu
MR: 119832
Type: Security Fix
Disposition: Backport from https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c
ChangeID: 1246afd7bb950d2d5fe2e198961797c0fa14ac00
Description:
CVE-2022-35414 qemu: can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash.
(From OE-Core rev: 7c3043df56b3090138fe56f8c06df5ca08cafd26)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch | 53 |
2 files changed, 54 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 4135619fc6..10b4280b23 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc | |||
@@ -98,6 +98,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ | |||
98 | file://CVE-2020-13253_4.patch \ | 98 | file://CVE-2020-13253_4.patch \ |
99 | file://CVE-2020-13253_5.patch \ | 99 | file://CVE-2020-13253_5.patch \ |
100 | file://CVE-2020-13791.patch \ | 100 | file://CVE-2020-13791.patch \ |
101 | file://CVE-2022-35414.patch \ | ||
101 | " | 102 | " |
102 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" | 103 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" |
103 | 104 | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch new file mode 100644 index 0000000000..4196ebcf98 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | From 09a07b5b39c87423df9e8f6574c19a14d36beac5 Mon Sep 17 00:00:00 2001 | ||
2 | From: Hitendra Prajapati <hprajapati@mvista.com> | ||
3 | Date: Wed, 27 Jul 2022 10:34:12 +0530 | ||
4 | Subject: [PATCH] CVE-2022-35414 | ||
5 | |||
6 | Upstream-Status: Backport [https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c] | ||
7 | CVE: CVE-2022-35414 | ||
8 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
9 | --- | ||
10 | exec.c | 13 ++++++++++++- | ||
11 | 1 file changed, 12 insertions(+), 1 deletion(-) | ||
12 | |||
13 | diff --git a/exec.c b/exec.c | ||
14 | index 43c70ffb..2d6add46 100644 | ||
15 | --- a/exec.c | ||
16 | +++ b/exec.c | ||
17 | @@ -685,7 +685,7 @@ static void tcg_iommu_free_notifier_list(CPUState *cpu) | ||
18 | |||
19 | /* Called from RCU critical section */ | ||
20 | MemoryRegionSection * | ||
21 | -address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr, | ||
22 | +address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr, | ||
23 | hwaddr *xlat, hwaddr *plen, | ||
24 | MemTxAttrs attrs, int *prot) | ||
25 | { | ||
26 | @@ -694,6 +694,7 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr, | ||
27 | IOMMUMemoryRegionClass *imrc; | ||
28 | IOMMUTLBEntry iotlb; | ||
29 | int iommu_idx; | ||
30 | + hwaddr addr = orig_addr; | ||
31 | AddressSpaceDispatch *d = atomic_rcu_read(&cpu->cpu_ases[asidx].memory_dispatch); | ||
32 | |||
33 | for (;;) { | ||
34 | @@ -737,6 +738,16 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr, | ||
35 | return section; | ||
36 | |||
37 | translate_fail: | ||
38 | + /* | ||
39 | + * We should be given a page-aligned address -- certainly | ||
40 | + * tlb_set_page_with_attrs() does so. The page offset of xlat | ||
41 | + * is used to index sections[], and PHYS_SECTION_UNASSIGNED = 0. | ||
42 | + * The page portion of xlat will be logged by memory_region_access_valid() | ||
43 | + * when this memory access is rejected, so use the original untranslated | ||
44 | + * physical address. | ||
45 | + */ | ||
46 | + assert((orig_addr & ~TARGET_PAGE_MASK) == 0); | ||
47 | + *xlat = orig_addr; | ||
48 | return &d->map.sections[PHYS_SECTION_UNASSIGNED]; | ||
49 | } | ||
50 | #endif | ||
51 | -- | ||
52 | 2.25.1 | ||
53 | |||