qemu: fix CVE-2020-27821

memory: clamp cached translation in case it points to an MMIO region (From OE-Core rev: df92b3359743ed1837fa57df8035d121f5c5676b) Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Sakib Sajal <sakib.sajal@windriver.com> 2021-05-03 10:10:12 -0400
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-05-04 22:48:16 +0100
commit: 9f31c9ebeb1d717f5473e444886793161845bc89 (patch)
tree: e82fca8971e3d6396cc702010b56763ed13d1932 /meta/recipes-devtools/qemu
parent: 7cb612add714800c3f9245ecccd7fba4ebee6c59 (diff)
download: poky-9f31c9ebeb1d717f5473e444886793161845bc89.tar.gz
2 files changed, 144 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 062d7907cf..d120b0822f 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -55,6 +55,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2021-3416_10.patch \
           file://CVE-2021-20257.patch \
           file://CVE-2021-3392.patch \
+           file://CVE-2020-27821.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch
new file mode 100644
index 0000000000..58622f0487
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch
@@ -0,0 +1,143 @@
+From 279f90a9ab07304f0a49fc10e4bfd1243a8cddbe Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 1 Dec 2020 09:29:56 -0500
+Subject: [PATCH 1/2] memory: clamp cached translation in case it points to an
+ MMIO region
+In using the address_space_translate_internal API, address_space_cache_init
+forgot one piece of advice that can be found in the code for
+address_space_translate_internal:
+    /* MMIO registers can be expected to perform full-width accesses based only
+     * on their address, without considering adjacent registers that could
+     * decode to completely different MemoryRegions.  When such registers
+     * exist (e.g. I/O ports 0xcf8 and 0xcf9 on most PC chipsets), MMIO
+     * regions overlap wildly.  For this reason we cannot clamp the accesses
+     * here.
+     *
+     * If the length is small (as is the case for address_space_ldl/stl),
+     * everything works fine.  If the incoming length is large, however,
+     * the caller really has to do the clamping through memory_access_size.
+     */
+address_space_cache_init is exactly one such case where "the incoming length
+is large", therefore we need to clamp the resulting length---not to
+memory_access_size though, since we are not doing an access yet, but to
+the size of the resulting section.  This ensures that subsequent accesses
+to the cached MemoryRegionSection will be in range.
+With this patch, the enclosed testcase notices that the used ring does
+not fit into the MSI-X table and prints a "qemu-system-x86_64: Cannot map used"
+error.
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Upstream-Status: Backport [4bfb024bc76973d40a359476dc0291f46e435442]
+CVE: CVE-2020-27821
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ softmmu/physmem.c       | 10 ++++++++
+ tests/qtest/fuzz-test.c | 51 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 61 insertions(+)
+diff --git a/softmmu/physmem.c b/softmmu/physmem.c
+index 3027747c0..2cd1de4a2 100644
+--- a/softmmu/physmem.c
+++ b/softmmu/physmem.c
+@@ -3255,6 +3255,7 @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
+     AddressSpaceDispatch *d;
+     hwaddr l;
+     MemoryRegion *mr;
+    Int128 diff;
+ 
+     assert(len > 0);
+ 
+@@ -3263,6 +3264,15 @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
+     d = flatview_to_dispatch(cache->fv);
+     cache->mrs = *address_space_translate_internal(d, addr, &cache->xlat, &l, true);
+ 
+    /*
+     * cache->xlat is now relative to cache->mrs.mr, not to the section itself.
+     * Take that into account to compute how many bytes are there between
+     * cache->xlat and the end of the section.
+     */
+    diff = int128_sub(cache->mrs.size,
+                     int128_make64(cache->xlat - cache->mrs.offset_within_region));
+    l = int128_get64(int128_min(diff, int128_make64(l)));
+
+     mr = cache->mrs.mr;
+     memory_region_ref(mr);
+     if (memory_access_is_direct(mr, is_write)) {
+diff --git a/tests/qtest/fuzz-test.c b/tests/qtest/fuzz-test.c
+index 9cb4c42bd..28739248e 100644
+--- a/tests/qtest/fuzz-test.c
+++ b/tests/qtest/fuzz-test.c
+@@ -47,6 +47,55 @@ static void test_lp1878642_pci_bus_get_irq_level_assert(void)
+     qtest_outl(s, 0x5d02, 0xebed205d);
+ }
+ 
+/*
+ * Here a MemoryRegionCache pointed to an MMIO region but had a
+ * larger size than the underlying region.
+ */
+static void test_mmio_oob_from_memory_region_cache(void)
+{
+    QTestState *s;
+
+    s = qtest_init("-M pc-q35-5.2 -display none -m 512M "
+                  "-device virtio-scsi,num_queues=8,addr=03.0 ");
+
+    qtest_outl(s, 0xcf8, 0x80001811);
+    qtest_outb(s, 0xcfc, 0x6e);
+    qtest_outl(s, 0xcf8, 0x80001824);
+    qtest_outl(s, 0xcf8, 0x80001813);
+    qtest_outl(s, 0xcfc, 0xa080000);
+    qtest_outl(s, 0xcf8, 0x80001802);
+    qtest_outl(s, 0xcfc, 0x5a175a63);
+    qtest_outb(s, 0x6e08, 0x9e);
+    qtest_writeb(s, 0x9f003, 0xff);
+    qtest_writeb(s, 0x9f004, 0x01);
+    qtest_writeb(s, 0x9e012, 0x0e);
+    qtest_writeb(s, 0x9e01b, 0x0e);
+    qtest_writeb(s, 0x9f006, 0x01);
+    qtest_writeb(s, 0x9f008, 0x01);
+    qtest_writeb(s, 0x9f00a, 0x01);
+    qtest_writeb(s, 0x9f00c, 0x01);
+    qtest_writeb(s, 0x9f00e, 0x01);
+    qtest_writeb(s, 0x9f010, 0x01);
+    qtest_writeb(s, 0x9f012, 0x01);
+    qtest_writeb(s, 0x9f014, 0x01);
+    qtest_writeb(s, 0x9f016, 0x01);
+    qtest_writeb(s, 0x9f018, 0x01);
+    qtest_writeb(s, 0x9f01a, 0x01);
+    qtest_writeb(s, 0x9f01c, 0x01);
+    qtest_writeb(s, 0x9f01e, 0x01);
+    qtest_writeb(s, 0x9f020, 0x01);
+    qtest_writeb(s, 0x9f022, 0x01);
+    qtest_writeb(s, 0x9f024, 0x01);
+    qtest_writeb(s, 0x9f026, 0x01);
+    qtest_writeb(s, 0x9f028, 0x01);
+    qtest_writeb(s, 0x9f02a, 0x01);
+    qtest_writeb(s, 0x9f02c, 0x01);
+    qtest_writeb(s, 0x9f02e, 0x01);
+    qtest_writeb(s, 0x9f030, 0x01);
+    qtest_outb(s, 0x6e10, 0x00);
+    qtest_quit(s);
+}
+
+ int main(int argc, char **argv)
+ {
+     const char *arch = qtest_get_arch();
+@@ -58,6 +107,8 @@ int main(int argc, char **argv)
+                        test_lp1878263_megasas_zero_iov_cnt);
+         qtest_add_func("fuzz/test_lp1878642_pci_bus_get_irq_level_assert",
+                        test_lp1878642_pci_bus_get_irq_level_assert);
+        qtest_add_func("fuzz/test_mmio_oob_from_memory_region_cache",
+                       test_mmio_oob_from_memory_region_cache);
+     }
+ 
+     return g_test_run();
+-- 
+2.29.2
author	Sakib Sajal <sakib.sajal@windriver.com>	2021-05-03 10:10:12 -0400
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-05-04 22:48:16 +0100
commit	9f31c9ebeb1d717f5473e444886793161845bc89 (patch)
tree	e82fca8971e3d6396cc702010b56763ed13d1932 /meta/recipes-devtools/qemu
parent	7cb612add714800c3f9245ecccd7fba4ebee6c59 (diff)
download	poky-9f31c9ebeb1d717f5473e444886793161845bc89.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 062d7907cf..d120b0822f 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -55,6 +55,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
55	file://CVE-2021-3416_10.patch \	55	file://CVE-2021-3416_10.patch \
56	file://CVE-2021-20257.patch \	56	file://CVE-2021-20257.patch \
57	file://CVE-2021-3392.patch \	57	file://CVE-2021-3392.patch \
		58	file://CVE-2020-27821.patch \
58	"	59	"
59	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	60	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
60		61


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch new file mode 100644 index 0000000000..58622f0487 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch
@@ -0,0 +1,143 @@
		1	From 279f90a9ab07304f0a49fc10e4bfd1243a8cddbe Mon Sep 17 00:00:00 2001
		2	From: Paolo Bonzini <pbonzini@redhat.com>
		3	Date: Tue, 1 Dec 2020 09:29:56 -0500
		4	Subject: [PATCH 1/2] memory: clamp cached translation in case it points to an
		5	MMIO region
		6
		7	In using the address_space_translate_internal API, address_space_cache_init
		8	forgot one piece of advice that can be found in the code for
		9	address_space_translate_internal:
		10
		11	/* MMIO registers can be expected to perform full-width accesses based only
		12	* on their address, without considering adjacent registers that could
		13	* decode to completely different MemoryRegions. When such registers
		14	* exist (e.g. I/O ports 0xcf8 and 0xcf9 on most PC chipsets), MMIO
		15	* regions overlap wildly. For this reason we cannot clamp the accesses
		16	* here.
		17	*
		18	* If the length is small (as is the case for address_space_ldl/stl),
		19	* everything works fine. If the incoming length is large, however,
		20	* the caller really has to do the clamping through memory_access_size.
		21	*/
		22
		23	address_space_cache_init is exactly one such case where "the incoming length
		24	is large", therefore we need to clamp the resulting length---not to
		25	memory_access_size though, since we are not doing an access yet, but to
		26	the size of the resulting section. This ensures that subsequent accesses
		27	to the cached MemoryRegionSection will be in range.
		28
		29	With this patch, the enclosed testcase notices that the used ring does
		30	not fit into the MSI-X table and prints a "qemu-system-x86_64: Cannot map used"
		31	error.
		32
		33	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
		34
		35	Upstream-Status: Backport [4bfb024bc76973d40a359476dc0291f46e435442]
		36	CVE: CVE-2020-27821
		37
		38	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
		39	---
		40	softmmu/physmem.c \| 10 ++++++++
		41	tests/qtest/fuzz-test.c \| 51 +++++++++++++++++++++++++++++++++++++++++
		42	2 files changed, 61 insertions(+)
		43
		44	diff --git a/softmmu/physmem.c b/softmmu/physmem.c
		45	index 3027747c0..2cd1de4a2 100644
		46	--- a/softmmu/physmem.c
		47	+++ b/softmmu/physmem.c
		48	@@ -3255,6 +3255,7 @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
		49	AddressSpaceDispatch *d;
		50	hwaddr l;
		51	MemoryRegion *mr;
		52	+ Int128 diff;
		53
		54	assert(len > 0);
		55
		56	@@ -3263,6 +3264,15 @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
		57	d = flatview_to_dispatch(cache->fv);
		58	cache->mrs = *address_space_translate_internal(d, addr, &cache->xlat, &l, true);
		59
		60	+ /*
		61	+ * cache->xlat is now relative to cache->mrs.mr, not to the section itself.
		62	+ * Take that into account to compute how many bytes are there between
		63	+ * cache->xlat and the end of the section.
		64	+ */
		65	+ diff = int128_sub(cache->mrs.size,
		66	+ int128_make64(cache->xlat - cache->mrs.offset_within_region));
		67	+ l = int128_get64(int128_min(diff, int128_make64(l)));
		68	+
		69	mr = cache->mrs.mr;
		70	memory_region_ref(mr);
		71	if (memory_access_is_direct(mr, is_write)) {
		72	diff --git a/tests/qtest/fuzz-test.c b/tests/qtest/fuzz-test.c
		73	index 9cb4c42bd..28739248e 100644
		74	--- a/tests/qtest/fuzz-test.c
		75	+++ b/tests/qtest/fuzz-test.c
		76	@@ -47,6 +47,55 @@ static void test_lp1878642_pci_bus_get_irq_level_assert(void)
		77	qtest_outl(s, 0x5d02, 0xebed205d);
		78	}
		79
		80	+/*
		81	+ * Here a MemoryRegionCache pointed to an MMIO region but had a
		82	+ * larger size than the underlying region.
		83	+ */
		84	+static void test_mmio_oob_from_memory_region_cache(void)
		85	+{
		86	+ QTestState *s;
		87	+
		88	+ s = qtest_init("-M pc-q35-5.2 -display none -m 512M "
		89	+ "-device virtio-scsi,num_queues=8,addr=03.0 ");
		90	+
		91	+ qtest_outl(s, 0xcf8, 0x80001811);
		92	+ qtest_outb(s, 0xcfc, 0x6e);
		93	+ qtest_outl(s, 0xcf8, 0x80001824);
		94	+ qtest_outl(s, 0xcf8, 0x80001813);
		95	+ qtest_outl(s, 0xcfc, 0xa080000);
		96	+ qtest_outl(s, 0xcf8, 0x80001802);
		97	+ qtest_outl(s, 0xcfc, 0x5a175a63);
		98	+ qtest_outb(s, 0x6e08, 0x9e);
		99	+ qtest_writeb(s, 0x9f003, 0xff);
		100	+ qtest_writeb(s, 0x9f004, 0x01);
		101	+ qtest_writeb(s, 0x9e012, 0x0e);
		102	+ qtest_writeb(s, 0x9e01b, 0x0e);
		103	+ qtest_writeb(s, 0x9f006, 0x01);
		104	+ qtest_writeb(s, 0x9f008, 0x01);
		105	+ qtest_writeb(s, 0x9f00a, 0x01);
		106	+ qtest_writeb(s, 0x9f00c, 0x01);
		107	+ qtest_writeb(s, 0x9f00e, 0x01);
		108	+ qtest_writeb(s, 0x9f010, 0x01);
		109	+ qtest_writeb(s, 0x9f012, 0x01);
		110	+ qtest_writeb(s, 0x9f014, 0x01);
		111	+ qtest_writeb(s, 0x9f016, 0x01);
		112	+ qtest_writeb(s, 0x9f018, 0x01);
		113	+ qtest_writeb(s, 0x9f01a, 0x01);
		114	+ qtest_writeb(s, 0x9f01c, 0x01);
		115	+ qtest_writeb(s, 0x9f01e, 0x01);
		116	+ qtest_writeb(s, 0x9f020, 0x01);
		117	+ qtest_writeb(s, 0x9f022, 0x01);
		118	+ qtest_writeb(s, 0x9f024, 0x01);
		119	+ qtest_writeb(s, 0x9f026, 0x01);
		120	+ qtest_writeb(s, 0x9f028, 0x01);
		121	+ qtest_writeb(s, 0x9f02a, 0x01);
		122	+ qtest_writeb(s, 0x9f02c, 0x01);
		123	+ qtest_writeb(s, 0x9f02e, 0x01);
		124	+ qtest_writeb(s, 0x9f030, 0x01);
		125	+ qtest_outb(s, 0x6e10, 0x00);
		126	+ qtest_quit(s);
		127	+}
		128	+
		129	int main(int argc, char **argv)
		130	{
		131	const char *arch = qtest_get_arch();
		132	@@ -58,6 +107,8 @@ int main(int argc, char **argv)
		133	test_lp1878263_megasas_zero_iov_cnt);
		134	qtest_add_func("fuzz/test_lp1878642_pci_bus_get_irq_level_assert",
		135	test_lp1878642_pci_bus_get_irq_level_assert);
		136	+ qtest_add_func("fuzz/test_mmio_oob_from_memory_region_cache",
		137	+ test_mmio_oob_from_memory_region_cache);
		138	}
		139
		140	return g_test_run();
		141	--
		142	2.29.2
		143