qemu: Backport fix for CVE-2023-0330

A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free. Summary of the problem from Peter Maydell: https://lore.kernel.org/qemu-devel/CAFEAcA_23vc7hE3iaM-JVA6W38LK4hJoWae5KcknhPRD5fPBZA@mail.gmail.com Reference: https://gitlab.com/qemu-project/qemu/-/issues/556 qemu.git$ git log --no-merges --oneline --grep CVE-2023-0330 b987718bbb hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller (CVE-2023-0330) a2e1753b80 memory: prevent dma-reentracy issues Included second commit as well as commit log of a2e1753b80 says it resolves CVE-2023-0330 (From OE-Core rev: 45ce9885351a2344737170e6e810dc67ab3e7ea9) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2023-09-11 12:09:27 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-09-15 03:47:11 -1000
commit: 1b52dc06632a0a958bdfb30cf75cfa2dbbf426e8 (patch)
tree: c8d3e436702094f9aef7ec92970510e5ffe262ce
parent: b48424988af3fd3e82706e44d4831bf0e701f2be (diff)
download: poky-1b52dc06632a0a958bdfb30cf75cfa2dbbf426e8.tar.gz
3 files changed, 137 insertions, 1 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 3789d77046..2669ba4ec8 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -137,7 +137,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2021-3409-4.patch \
           file://CVE-2021-3409-5.patch \
           file://hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \
-           file://CVE-2023-0330.patch \
+           file://CVE-2023-0330_1.patch \
+           file://CVE-2023-0330_2.patch \
           file://CVE-2023-3354.patch \
           file://CVE-2023-3180.patch \
           "
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_1.patch
index 26e22b4c31..26e22b4c31 100644
--- a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_1.patch
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch
new file mode 100644
index 0000000000..3b45bc0411
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch
@@ -0,0 +1,135 @@
+From a2e1753b8054344f32cf94f31c6399a58794a380 Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Thu, 27 Apr 2023 17:10:06 -0400
+Subject: [PATCH] memory: prevent dma-reentracy issues
+Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA.
+This flag is set/checked prior to calling a device's MemoryRegion
+handlers, and set when device code initiates DMA.  The purpose of this
+flag is to prevent two types of DMA-based reentrancy issues:
+1.) mmio -> dma -> mmio case
+2.) bh -> dma write -> mmio case
+These issues have led to problems such as stack-exhaustion and
+use-after-frees.
+Summary of the problem from Peter Maydell:
+https://lore.kernel.org/qemu-devel/CAFEAcA_23vc7hE3iaM-JVA6W38LK4hJoWae5KcknhPRD5fPBZA@mail.gmail.com
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/62
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/540
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/541
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/556
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/557
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/827
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282
+Resolves: CVE-2023-0330
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Message-Id: <20230427211013.2994127-2-alxndr@bu.edu>
+[thuth: Replace warn_report() with warn_report_once()]
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/a2e1753b8054344f32cf94f31c6399a58794a380]
+CVE: CVE-2023-0330
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ include/exec/memory.h  |  5 +++++
+ include/hw/qdev-core.h |  7 +++++++
+ memory.c               | 16 ++++++++++++++++
+ 3 files changed, 28 insertions(+)
+diff --git a/include/exec/memory.h b/include/exec/memory.h
+index 2b8bccdd..0c8cdb8e 100644
+--- a/include/exec/memory.h
+++ b/include/exec/memory.h
+@@ -378,6 +378,8 @@ struct MemoryRegion {
+     bool is_iommu;
+     RAMBlock *ram_block;
+     Object *owner;
+    /* owner as TYPE_DEVICE. Used for re-entrancy checks in MR access hotpath */
+    DeviceState *dev;
+ 
+     const MemoryRegionOps *ops;
+     void *opaque;
+@@ -400,6 +402,9 @@ struct MemoryRegion {
+     const char *name;
+     unsigned ioeventfd_nb;
+     MemoryRegionIoeventfd *ioeventfds;
+
+    /* For devices designed to perform re-entrant IO into their own IO MRs */
+    bool disable_reentrancy_guard;
+ };
+ 
+ struct IOMMUMemoryRegion {
+diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h
+index 1518495b..206f0a70 100644
+--- a/include/hw/qdev-core.h
+++ b/include/hw/qdev-core.h
+@@ -138,6 +138,10 @@ struct NamedGPIOList {
+     QLIST_ENTRY(NamedGPIOList) node;
+ };
+ 
+typedef struct {
+    bool engaged_in_io;
+} MemReentrancyGuard;
+
+ /**
+  * DeviceState:
+  * @realized: Indicates whether the device has been fully constructed.
+@@ -163,6 +167,9 @@ struct DeviceState {
+     int num_child_bus;
+     int instance_id_alias;
+     int alias_required_for_version;
+
+    /* Is the device currently in mmio/pio/dma? Used to prevent re-entrancy */
+    MemReentrancyGuard mem_reentrancy_guard;
+ };
+ 
+ struct DeviceListener {
+diff --git a/memory.c b/memory.c
+index 8cafb86a..94ebcaf9 100644
+--- a/memory.c
+++ b/memory.c
+@@ -531,6 +531,18 @@ static MemTxResult access_with_adjusted_size(hwaddr addr,
+         access_size_max = 4;
+     }
+ 
+    /* Do not allow more than one simultaneous access to a device's IO Regions */
+    if (mr->dev && !mr->disable_reentrancy_guard &&
+       !mr->ram_device && !mr->ram && !mr->rom_device && !mr->readonly) {
+       if (mr->dev->mem_reentrancy_guard.engaged_in_io) {
+           warn_report_once("Blocked re-entrant IO on MemoryRegion: "
+                            "%s at addr: 0x%" HWADDR_PRIX,
+                            memory_region_name(mr), addr);
+           return MEMTX_ACCESS_ERROR;
+       }
+       mr->dev->mem_reentrancy_guard.engaged_in_io = true;
+    }
+
+     /* FIXME: support unaligned access? */
+     access_size = MAX(MIN(size, access_size_max), access_size_min);
+     access_mask = MAKE_64BIT_MASK(0, access_size * 8);
+@@ -545,6 +557,9 @@ static MemTxResult access_with_adjusted_size(hwaddr addr,
+                         access_mask, attrs);
+         }
+     }
+    if (mr->dev) {
+       mr->dev->mem_reentrancy_guard.engaged_in_io = false;
+    }
+     return r;
+ }
+ 
+@@ -1132,6 +1147,7 @@ static void memory_region_do_init(MemoryRegion *mr,
+     }
+     mr->name = g_strdup(name);
+     mr->owner = owner;
+    mr->dev = (DeviceState *) object_dynamic_cast(mr->owner, TYPE_DEVICE);
+     mr->ram_block = NULL;
+ 
+     if (name) {
+-- 
+2.25.1
author	Vijay Anusuri <vanusuri@mvista.com>	2023-09-11 12:09:27 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-09-15 03:47:11 -1000
commit	1b52dc06632a0a958bdfb30cf75cfa2dbbf426e8 (patch)
tree	c8d3e436702094f9aef7ec92970510e5ffe262ce
parent	b48424988af3fd3e82706e44d4831bf0e701f2be (diff)
download	poky-1b52dc06632a0a958bdfb30cf75cfa2dbbf426e8.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 3789d77046..2669ba4ec8 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -137,7 +137,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
137	file://CVE-2021-3409-4.patch \	137	file://CVE-2021-3409-4.patch \
138	file://CVE-2021-3409-5.patch \	138	file://CVE-2021-3409-5.patch \
139	file://hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \	139	file://hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \
140	file://CVE-2023-0330.patch \	140	file://CVE-2023-0330_1.patch \
		141	file://CVE-2023-0330_2.patch \
141	file://CVE-2023-3354.patch \	142	file://CVE-2023-3354.patch \
142	file://CVE-2023-3180.patch \	143	file://CVE-2023-3180.patch \
143	"	144	"


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_1.patch index 26e22b4c31..26e22b4c31 100644 --- a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_1.patch


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch new file mode 100644 index 0000000000..3b45bc0411 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch
@@ -0,0 +1,135 @@
		1	From a2e1753b8054344f32cf94f31c6399a58794a380 Mon Sep 17 00:00:00 2001
		2	From: Alexander Bulekov <alxndr@bu.edu>
		3	Date: Thu, 27 Apr 2023 17:10:06 -0400
		4	Subject: [PATCH] memory: prevent dma-reentracy issues
		5
		6	Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA.
		7	This flag is set/checked prior to calling a device's MemoryRegion
		8	handlers, and set when device code initiates DMA. The purpose of this
		9	flag is to prevent two types of DMA-based reentrancy issues:
		10
		11	1.) mmio -> dma -> mmio case
		12	2.) bh -> dma write -> mmio case
		13
		14	These issues have led to problems such as stack-exhaustion and
		15	use-after-frees.
		16
		17	Summary of the problem from Peter Maydell:
		18	https://lore.kernel.org/qemu-devel/CAFEAcA_23vc7hE3iaM-JVA6W38LK4hJoWae5KcknhPRD5fPBZA@mail.gmail.com
		19
		20	Resolves: https://gitlab.com/qemu-project/qemu/-/issues/62
		21	Resolves: https://gitlab.com/qemu-project/qemu/-/issues/540
		22	Resolves: https://gitlab.com/qemu-project/qemu/-/issues/541
		23	Resolves: https://gitlab.com/qemu-project/qemu/-/issues/556
		24	Resolves: https://gitlab.com/qemu-project/qemu/-/issues/557
		25	Resolves: https://gitlab.com/qemu-project/qemu/-/issues/827
		26	Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282
		27	Resolves: CVE-2023-0330
		28
		29	Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
		30	Reviewed-by: Thomas Huth <thuth@redhat.com>
		31	Message-Id: <20230427211013.2994127-2-alxndr@bu.edu>
		32	[thuth: Replace warn_report() with warn_report_once()]
		33	Signed-off-by: Thomas Huth <thuth@redhat.com>
		34
		35	Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/a2e1753b8054344f32cf94f31c6399a58794a380]
		36	CVE: CVE-2023-0330
		37	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		38	---
		39	include/exec/memory.h \| 5 +++++
		40	include/hw/qdev-core.h \| 7 +++++++
		41	memory.c \| 16 ++++++++++++++++
		42	3 files changed, 28 insertions(+)
		43
		44	diff --git a/include/exec/memory.h b/include/exec/memory.h
		45	index 2b8bccdd..0c8cdb8e 100644
		46	--- a/include/exec/memory.h
		47	+++ b/include/exec/memory.h
		48	@@ -378,6 +378,8 @@ struct MemoryRegion {
		49	bool is_iommu;
		50	RAMBlock *ram_block;
		51	Object *owner;
		52	+ /* owner as TYPE_DEVICE. Used for re-entrancy checks in MR access hotpath */
		53	+ DeviceState *dev;
		54
		55	const MemoryRegionOps *ops;
		56	void *opaque;
		57	@@ -400,6 +402,9 @@ struct MemoryRegion {
		58	const char *name;
		59	unsigned ioeventfd_nb;
		60	MemoryRegionIoeventfd *ioeventfds;
		61	+
		62	+ /* For devices designed to perform re-entrant IO into their own IO MRs */
		63	+ bool disable_reentrancy_guard;
		64	};
		65
		66	struct IOMMUMemoryRegion {
		67	diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h
		68	index 1518495b..206f0a70 100644
		69	--- a/include/hw/qdev-core.h
		70	+++ b/include/hw/qdev-core.h
		71	@@ -138,6 +138,10 @@ struct NamedGPIOList {
		72	QLIST_ENTRY(NamedGPIOList) node;
		73	};
		74
		75	+typedef struct {
		76	+ bool engaged_in_io;
		77	+} MemReentrancyGuard;
		78	+
		79	/**
		80	* DeviceState:
		81	* @realized: Indicates whether the device has been fully constructed.
		82	@@ -163,6 +167,9 @@ struct DeviceState {
		83	int num_child_bus;
		84	int instance_id_alias;
		85	int alias_required_for_version;
		86	+
		87	+ /* Is the device currently in mmio/pio/dma? Used to prevent re-entrancy */
		88	+ MemReentrancyGuard mem_reentrancy_guard;
		89	};
		90
		91	struct DeviceListener {
		92	diff --git a/memory.c b/memory.c
		93	index 8cafb86a..94ebcaf9 100644
		94	--- a/memory.c
		95	+++ b/memory.c
		96	@@ -531,6 +531,18 @@ static MemTxResult access_with_adjusted_size(hwaddr addr,
		97	access_size_max = 4;
		98	}
		99
		100	+ /* Do not allow more than one simultaneous access to a device's IO Regions */
		101	+ if (mr->dev && !mr->disable_reentrancy_guard &&
		102	+ !mr->ram_device && !mr->ram && !mr->rom_device && !mr->readonly) {
		103	+ if (mr->dev->mem_reentrancy_guard.engaged_in_io) {
		104	+ warn_report_once("Blocked re-entrant IO on MemoryRegion: "
		105	+ "%s at addr: 0x%" HWADDR_PRIX,
		106	+ memory_region_name(mr), addr);
		107	+ return MEMTX_ACCESS_ERROR;
		108	+ }
		109	+ mr->dev->mem_reentrancy_guard.engaged_in_io = true;
		110	+ }
		111	+
		112	/* FIXME: support unaligned access? */
		113	access_size = MAX(MIN(size, access_size_max), access_size_min);
		114	access_mask = MAKE_64BIT_MASK(0, access_size * 8);
		115	@@ -545,6 +557,9 @@ static MemTxResult access_with_adjusted_size(hwaddr addr,
		116	access_mask, attrs);
		117	}
		118	}
		119	+ if (mr->dev) {
		120	+ mr->dev->mem_reentrancy_guard.engaged_in_io = false;
		121	+ }
		122	return r;
		123	}
		124
		125	@@ -1132,6 +1147,7 @@ static void memory_region_do_init(MemoryRegion *mr,
		126	}
		127	mr->name = g_strdup(name);
		128	mr->owner = owner;
		129	+ mr->dev = (DeviceState *) object_dynamic_cast(mr->owner, TYPE_DEVICE);
		130	mr->ram_block = NULL;
		131
		132	if (name) {
		133	--
		134	2.25.1
		135