qemu: Fix CVE-2019-12068

(From OE-Core rev: 82c4fb091199b737722a60d517b694860b6e6ba8) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 81b375ac7851088a671317468a8e2eed69d4a827) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Changqing Li <changqing.li@windriver.com> 2019-10-17 10:52:27 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-10-29 09:08:17 +0000
commit: 70ccceb33a97c6bf59193cf3d9413f1e2115ae16 (patch)
tree: 1bfeeaa7ae552e6ec2e10c8c6f7fcf07484399c4
parent: 56ce08a9ed8428c314a64fd08ac9e99d6a0022db (diff)
download: poky-70ccceb33a97c6bf59193cf3d9413f1e2115ae16.tar.gz
2 files changed, 109 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 88ae68a1e9..bb444b63d9 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -28,6 +28,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://0009-Fix-webkitgtk-builds.patch \
           file://0010-configure-Add-pkg-config-handling-for-libgcrypt.patch \
           file://CVE-2019-15890.patch \
+           file://CVE-2019-12068.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-12068.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-12068.patch
new file mode 100644
index 0000000000..f1655e407f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-12068.patch
@@ -0,0 +1,108 @@
+From de594e47659029316bbf9391efb79da0a1a08e08 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 14 Aug 2019 17:35:21 +0530
+Subject: [PATCH] scsi: lsi: exit infinite loop while executing script
+ (CVE-2019-12068)
+When executing script in lsi_execute_script(), the LSI scsi adapter
+emulator advances 's->dsp' index to read next opcode. This can lead
+to an infinite loop if the next opcode is empty. Move the existing
+loop exit after 10k iterations so that it covers no-op opcodes as
+well.
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=de594e47659029316bbf9391efb79da0a1a08e08]
+CVE: CVE-2019-12068
+Reported-by: Bugs SysSec <bugs-syssec@rub.de>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ hw/scsi/lsi53c895a.c | 41 +++++++++++++++++++++++++++--------------
+ 1 file changed, 27 insertions(+), 14 deletions(-)
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 222a286..ec53b14 100644
+--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
+@@ -186,6 +186,9 @@ static const char *names[] = {
+ /* Flag set if this is a tagged command.  */
+ #define LSI_TAG_VALID     (1 << 16)
+ 
+/* Maximum instructions to process. */
+#define LSI_MAX_INSN    10000
+
+ typedef struct lsi_request {
+     SCSIRequest *req;
+     uint32_t tag;
+@@ -1133,7 +1136,21 @@ static void lsi_execute_script(LSIState *s)
+ 
+     s->istat1 |= LSI_ISTAT1_SRUN;
+ again:
+-    insn_processed++;
+    if (++insn_processed > LSI_MAX_INSN) {
+        /* Some windows drivers make the device spin waiting for a memory
+           location to change.  If we have been executed a lot of code then
+           assume this is the case and force an unexpected device disconnect.
+           This is apparently sufficient to beat the drivers into submission.
+         */
+        if (!(s->sien0 & LSI_SIST0_UDC)) {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "lsi_scsi: inf. loop with UDC masked");
+        }
+        lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
+        lsi_disconnect(s);
+        trace_lsi_execute_script_stop();
+        return;
+    }
+     insn = read_dword(s, s->dsp);
+     if (!insn) {
+         /* If we receive an empty opcode increment the DSP by 4 bytes
+@@ -1570,19 +1587,7 @@ again:
+             }
+         }
+     }
+-    if (insn_processed > 10000 && s->waiting == LSI_NOWAIT) {
+-        /* Some windows drivers make the device spin waiting for a memory
+-           location to change.  If we have been executed a lot of code then
+-           assume this is the case and force an unexpected device disconnect.
+-           This is apparently sufficient to beat the drivers into submission.
+-         */
+-        if (!(s->sien0 & LSI_SIST0_UDC)) {
+-            qemu_log_mask(LOG_GUEST_ERROR,
+-                          "lsi_scsi: inf. loop with UDC masked");
+-        }
+-        lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
+-        lsi_disconnect(s);
+-    } else if (s->istat1 & LSI_ISTAT1_SRUN && s->waiting == LSI_NOWAIT) {
+    if (s->istat1 & LSI_ISTAT1_SRUN && s->waiting == LSI_NOWAIT) {
+         if (s->dcntl & LSI_DCNTL_SSM) {
+             lsi_script_dma_interrupt(s, LSI_DSTAT_SSI);
+         } else {
+@@ -1970,6 +1975,10 @@ static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val)
+     case 0x2f: /* DSP[24:31] */
+         s->dsp &= 0x00ffffff;
+         s->dsp |= val << 24;
+        /*
+         * FIXME: if s->waiting != LSI_NOWAIT, this will only execute one
+         * instruction.  Is this correct?
+         */
+         if ((s->dmode & LSI_DMODE_MAN) == 0
+             && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
+             lsi_execute_script(s);
+@@ -1988,6 +1997,10 @@ static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val)
+         break;
+     case 0x3b: /* DCNTL */
+         s->dcntl = val & ~(LSI_DCNTL_PFF | LSI_DCNTL_STD);
+        /*
+         * FIXME: if s->waiting != LSI_NOWAIT, this will only execute one
+         * instruction.  Is this correct?
+         */
+         if ((val & LSI_DCNTL_STD) && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
+             lsi_execute_script(s);
+         break;
+-- 
+2.7.4
author	Changqing Li <changqing.li@windriver.com>	2019-10-17 10:52:27 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-10-29 09:08:17 +0000
commit	70ccceb33a97c6bf59193cf3d9413f1e2115ae16 (patch)
tree	1bfeeaa7ae552e6ec2e10c8c6f7fcf07484399c4
parent	56ce08a9ed8428c314a64fd08ac9e99d6a0022db (diff)
download	poky-70ccceb33a97c6bf59193cf3d9413f1e2115ae16.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 88ae68a1e9..bb444b63d9 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -28,6 +28,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
28	file://0009-Fix-webkitgtk-builds.patch \	28	file://0009-Fix-webkitgtk-builds.patch \
29	file://0010-configure-Add-pkg-config-handling-for-libgcrypt.patch \	29	file://0010-configure-Add-pkg-config-handling-for-libgcrypt.patch \
30	file://CVE-2019-15890.patch \	30	file://CVE-2019-15890.patch \
		31	file://CVE-2019-12068.patch \
31	"	32	"
32	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	33	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
33		34


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-12068.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-12068.patch new file mode 100644 index 0000000000..f1655e407f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-12068.patch
@@ -0,0 +1,108 @@
		1	From de594e47659029316bbf9391efb79da0a1a08e08 Mon Sep 17 00:00:00 2001
		2	From: Paolo Bonzini <pbonzini@redhat.com>
		3	Date: Wed, 14 Aug 2019 17:35:21 +0530
		4	Subject: [PATCH] scsi: lsi: exit infinite loop while executing script
		5	(CVE-2019-12068)
		6
		7	When executing script in lsi_execute_script(), the LSI scsi adapter
		8	emulator advances 's->dsp' index to read next opcode. This can lead
		9	to an infinite loop if the next opcode is empty. Move the existing
		10	loop exit after 10k iterations so that it covers no-op opcodes as
		11	well.
		12
		13	Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=de594e47659029316bbf9391efb79da0a1a08e08]
		14	CVE: CVE-2019-12068
		15
		16	Reported-by: Bugs SysSec <bugs-syssec@rub.de>
		17	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
		18	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
		19	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
		20
		21	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		22	---
		23	hw/scsi/lsi53c895a.c \| 41 +++++++++++++++++++++++++++--------------
		24	1 file changed, 27 insertions(+), 14 deletions(-)
		25
		26	diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
		27	index 222a286..ec53b14 100644
		28	--- a/hw/scsi/lsi53c895a.c
		29	+++ b/hw/scsi/lsi53c895a.c
		30	@@ -186,6 +186,9 @@ static const char *names[] = {
		31	/* Flag set if this is a tagged command. */
		32	#define LSI_TAG_VALID (1 << 16)
		33
		34	+/* Maximum instructions to process. */
		35	+#define LSI_MAX_INSN 10000
		36	+
		37	typedef struct lsi_request {
		38	SCSIRequest *req;
		39	uint32_t tag;
		40	@@ -1133,7 +1136,21 @@ static void lsi_execute_script(LSIState *s)
		41
		42	s->istat1 \|= LSI_ISTAT1_SRUN;
		43	again:
		44	- insn_processed++;
		45	+ if (++insn_processed > LSI_MAX_INSN) {
		46	+ /* Some windows drivers make the device spin waiting for a memory
		47	+ location to change. If we have been executed a lot of code then
		48	+ assume this is the case and force an unexpected device disconnect.
		49	+ This is apparently sufficient to beat the drivers into submission.
		50	+ */
		51	+ if (!(s->sien0 & LSI_SIST0_UDC)) {
		52	+ qemu_log_mask(LOG_GUEST_ERROR,
		53	+ "lsi_scsi: inf. loop with UDC masked");
		54	+ }
		55	+ lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
		56	+ lsi_disconnect(s);
		57	+ trace_lsi_execute_script_stop();
		58	+ return;
		59	+ }
		60	insn = read_dword(s, s->dsp);
		61	if (!insn) {
		62	/* If we receive an empty opcode increment the DSP by 4 bytes
		63	@@ -1570,19 +1587,7 @@ again:
		64	}
		65	}
		66	}
		67	- if (insn_processed > 10000 && s->waiting == LSI_NOWAIT) {
		68	- /* Some windows drivers make the device spin waiting for a memory
		69	- location to change. If we have been executed a lot of code then
		70	- assume this is the case and force an unexpected device disconnect.
		71	- This is apparently sufficient to beat the drivers into submission.
		72	- */
		73	- if (!(s->sien0 & LSI_SIST0_UDC)) {
		74	- qemu_log_mask(LOG_GUEST_ERROR,
		75	- "lsi_scsi: inf. loop with UDC masked");
		76	- }
		77	- lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
		78	- lsi_disconnect(s);
		79	- } else if (s->istat1 & LSI_ISTAT1_SRUN && s->waiting == LSI_NOWAIT) {
		80	+ if (s->istat1 & LSI_ISTAT1_SRUN && s->waiting == LSI_NOWAIT) {
		81	if (s->dcntl & LSI_DCNTL_SSM) {
		82	lsi_script_dma_interrupt(s, LSI_DSTAT_SSI);
		83	} else {
		84	@@ -1970,6 +1975,10 @@ static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val)
		85	case 0x2f: /* DSP[24:31] */
		86	s->dsp &= 0x00ffffff;
		87	s->dsp \|= val << 24;
		88	+ /*
		89	+ * FIXME: if s->waiting != LSI_NOWAIT, this will only execute one
		90	+ * instruction. Is this correct?
		91	+ */
		92	if ((s->dmode & LSI_DMODE_MAN) == 0
		93	&& (s->istat1 & LSI_ISTAT1_SRUN) == 0)
		94	lsi_execute_script(s);
		95	@@ -1988,6 +1997,10 @@ static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val)
		96	break;
		97	case 0x3b: /* DCNTL */
		98	s->dcntl = val & ~(LSI_DCNTL_PFF \| LSI_DCNTL_STD);
		99	+ /*
		100	+ * FIXME: if s->waiting != LSI_NOWAIT, this will only execute one
		101	+ * instruction. Is this correct?
		102	+ */
		103	if ((val & LSI_DCNTL_STD) && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
		104	lsi_execute_script(s);
		105	break;
		106	--
		107	2.7.4
		108