author | Lee Chee Yang <chee.yang.lee@intel.com> | 2020-07-03 17:32:03 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-07-07 23:15:10 +0100 |
commit | bf175f82ceebd85377857554100cb23653490bde (patch) | |
tree | 194edcfe6a780c47a03c8b0c70e54b8c8f9c7ef4 /meta/recipes-devtools | |
parent | 2a6fa8877d06119115b5d4d08b14f050c8a09ac2 (diff) | |
download | poky-bf175f82ceebd85377857554100cb23653490bde.tar.gz |
qemu: fix CVE-2020-10702/10761/13362/13659/13800
Fix these CVEs:
CVE-2020-10702
CVE-2020-10761
CVE-2020-13362
CVE-2020-13659
CVE-2020-13800
(From OE-Core rev: 98c4642c526259fc664723145a1d6026b491032d)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 5 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-10702.patch | 52 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-10761.patch | 150 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch | 52 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch | 55 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch | 60 |
6 files changed, 374 insertions, 0 deletions
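--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -39,6 +39,11 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://CVE-2020-11102.patch \
 file://CVE-2020-11869.patch \
 file://CVE-2020-13361.patch \
+file://CVE-2020-10761.patch \
+file://CVE-2020-10702.patch \
+file://CVE-2020-13659.patch \
+file://CVE-2020-13800.patch \
+file://CVE-2020-13362.patch \
 "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 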
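Review bot: The five SRC_URI entries added at new-side lines 42-46 are not in CVE-number order (CVE-2020-10761 is listed before CVE-2020-10702, and CVE-2020-13362 comes after CVE-2020-13800), which makes it harder to check the list against the commit title, the diffstat and the `CVE:` tags in each patch. The backports touch disjoint files (target/arm/pauth_helper.c; nbd/server.c plus two iotests; hw/scsi/megasas.c; exec.c plus include/exec/memory.h; hw/display/ati.c), so apply order does not matter and sorting is purely cosmetic: `file://CVE-2020-10702.patch \` then `file://CVE-2020-10761.patch \`, followed by 13362, 13659 and 13800 in ascending order. Keeping the list sorted also makes future duplicate or missing entries easier to spot when the next batch of CVE patches is added.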
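--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-10702.patch
@@ -0,0 +1,52 @@
+From de0b1bae6461f67243282555475f88b2384a1eb9 Mon Sep 17 00:00:00 2001
+From: Vincent Dehors <vincent.dehors@smile.fr>
+Date: Thu, 23 Jan 2020 15:22:38 +0000
+Subject: [PATCH] target/arm: Fix PAuth sbox functions
+
+In the PAC computation, sbox was applied over wrong bits.
+As this is a 4-bit sbox, bit index should be incremented by 4 instead of 16.
+
+Test vector from QARMA paper (https://eprint.iacr.org/2016/444.pdf) was
+used to verify one computation of the pauth_computepac() function which
+uses sbox2.
+
+Launchpad: https://bugs.launchpad.net/bugs/1859713
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Vincent DEHORS <vincent.dehors@smile.fr>
+Signed-off-by: Adrien GRASSEIN <adrien.grassein@smile.fr>
+Message-id: 20200116230809.19078-2-richard.henderson@linaro.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=de0b1bae6461f67243282555475f88b2384a1eb9]
+CVE: CVE-2020-10702
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+target/arm/pauth_helper.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/target/arm/pauth_helper.c b/target/arm/pauth_helper.c
+index d3194f2..0a5f41e 100644
+--- a/target/arm/pauth_helper.c
++++ b/target/arm/pauth_helper.c
+@@ -89,7 +89,7 @@ static uint64_t pac_sub(uint64_t i)
+uint64_t o = 0;
+int b;
+
+- for (b = 0; b < 64; b += 16) {
++ for (b = 0; b < 64; b += 4) {
+o |= (uint64_t)sub[(i >> b) & 0xf] << b;
+}
+return o;
+@@ -104,7 +104,7 @@ static uint64_t pac_inv_sub(uint64_t i)
+uint64_t o = 0;
+int b;
+
+- for (b = 0; b < 64; b += 16) {
++ for (b = 0; b < 64; b += 4) {
+o |= (uint64_t)inv_sub[(i >> b) & 0xf] << b;
+}
+return o;
+--
+1.8.3.1
+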
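--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-10761.patch
@@ -0,0 +1,150 @@
+From 5c4fe018c025740fef4a0a4421e8162db0c3eefd Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Mon, 8 Jun 2020 13:26:37 -0500
+Subject: [PATCH] nbd/server: Avoid long error message assertions
+CVE-2020-10761
+
+Ever since commit 36683283 (v2.8), the server code asserts that error
+strings sent to the client are well-formed per the protocol by not
+exceeding the maximum string length of 4096. At the time the server
+first started sending error messages, the assertion could not be
+triggered, because messages were completely under our control.
+However, over the years, we have added latent scenarios where a client
+could trigger the server to attempt an error message that would
+include the client's information if it passed other checks first:
+
+- requesting NBD_OPT_INFO/GO on an export name that is not present
+(commit 0cfae925 in v2.12 echoes the name)
+
+- requesting NBD_OPT_LIST/SET_META_CONTEXT on an export name that is
+not present (commit e7b1948d in v2.12 echoes the name)
+
+At the time, those were still safe because we flagged names larger
+than 256 bytes with a different message; but that changed in commit
+93676c88 (v4.2) when we raised the name limit to 4096 to match the NBD
+string limit. (That commit also failed to change the magic number
+4096 in nbd_negotiate_send_rep_err to the just-introduced named
+constant.) So with that commit, long client names appended to server
+text can now trigger the assertion, and thus be used as a denial of
+service attack against a server. As a mitigating factor, if the
+server requires TLS, the client cannot trigger the problematic paths
+unless it first supplies TLS credentials, and such trusted clients are
+less likely to try to intentionally crash the server.
+
+We may later want to further sanitize the user-supplied strings we
+place into our error messages, such as scrubbing out control
+characters, but that is less important to the CVE fix, so it can be a
+later patch to the new nbd_sanitize_name.
+
+Consideration was given to changing the assertion in
+nbd_negotiate_send_rep_verr to instead merely log a server error and
+truncate the message, to avoid leaving a latent path that could
+trigger a future CVE DoS on any new error message. However, this
+merely complicates the code for something that is already (correctly)
+flagging coding errors, and now that we are aware of the long message
+pitfall, we are less likely to introduce such errors in the future,
+which would make such error handling dead code.
+
+Reported-by: Xueqiang Wei <xuwei@redhat.com>
+CC: qemu-stable@nongnu.org
+Fixes: https://bugzilla.redhat.com/1843684 CVE-2020-10761
+Fixes: 93676c88d7
+Signed-off-by: Eric Blake <eblake@redhat.com>
+Message-Id: <20200610163741.3745251-2-eblake@redhat.com>
+Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/5c4fe018c025740fef4a0a4421e8162db0c3eefd]
+CVE: CVE-2020-10761
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+nbd/server.c | 23 ++++++++++++++++++++---
+tests/qemu-iotests/143 | 4 ++++
+tests/qemu-iotests/143.out | 2 ++
+3 files changed, 26 insertions(+), 3 deletions(-)
+
+diff --git a/nbd/server.c b/nbd/server.c
+index 02b1ed08014..20754e9ebc3 100644
+--- a/nbd/server.c
++++ b/nbd/server.c
+@@ -217,7 +217,7 @@ nbd_negotiate_send_rep_verr(NBDClient *client, uint32_t type,
+
+msg = g_strdup_vprintf(fmt, va);
+len = strlen(msg);
+- assert(len < 4096);
++ assert(len < NBD_MAX_STRING_SIZE);
+trace_nbd_negotiate_send_rep_err(msg);
+ret = nbd_negotiate_send_rep_len(client, type, len, errp);
+if (ret < 0) {
+@@ -231,6 +231,19 @@ nbd_negotiate_send_rep_verr(NBDClient *client, uint32_t type,
+return 0;
+}
+
++/*
++ * Return a malloc'd copy of @name suitable for use in an error reply.
++ */
++static char *
++nbd_sanitize_name(const char *name)
++{
++ if (strnlen(name, 80) < 80) {
++ return g_strdup(name);
++ }
++ /* XXX Should we also try to sanitize any control characters? */
++ return g_strdup_printf("%.80s...", name);
++}
++
+/* Send an error reply.
+* Return -errno on error, 0 on success. */
+static int GCC_FMT_ATTR(4, 5)
+@@ -595,9 +608,11 @@ static int nbd_negotiate_handle_info(NBDClient *client, Error **errp)
+
+exp = nbd_export_find(name);
+if (!exp) {
++ g_autofree char *sane_name = nbd_sanitize_name(name);
++
+return nbd_negotiate_send_rep_err(client, NBD_REP_ERR_UNKNOWN,
+errp, "export '%s' not present",
+- name);
++ sane_name);
+}
+
+/* Don't bother sending NBD_INFO_NAME unless client requested it */
+@@ -995,8 +1010,10 @@ static int nbd_negotiate_meta_queries(NBDClient *client,
+
+meta->exp = nbd_export_find(export_name);
+if (meta->exp == NULL) {
++ g_autofree char *sane_name = nbd_sanitize_name(export_name);
++
+return nbd_opt_drop(client, NBD_REP_ERR_UNKNOWN, errp,
+- "export '%s' not present", export_name);
++ "export '%s' not present", sane_name);
+}
+
+ret = nbd_opt_read(client, &nb_queries, sizeof(nb_queries), errp);
+diff --git a/tests/qemu-iotests/143 b/tests/qemu-iotests/143
+index f649b361950..d2349903b1b 100755
+--- a/tests/qemu-iotests/143
++++ b/tests/qemu-iotests/143
+@@ -58,6 +58,10 @@ _send_qemu_cmd $QEMU_HANDLE \
+$QEMU_IO_PROG -f raw -c quit \
+"nbd+unix:///no_such_export?socket=$SOCK_DIR/nbd" 2>&1 \
+| _filter_qemu_io | _filter_nbd
++# Likewise, with longest possible name permitted in NBD protocol
++$QEMU_IO_PROG -f raw -c quit \
++ "nbd+unix:///$(printf %4096d 1 | tr ' ' a)?socket=$SOCK_DIR/nbd" 2>&1 \
++ | _filter_qemu_io | _filter_nbd | sed 's/aaaa*aa/aa--aa/'
+
+_send_qemu_cmd $QEMU_HANDLE \
+"{ 'execute': 'quit' }" \
+diff --git a/tests/qemu-iotests/143.out b/tests/qemu-iotests/143.out
+index 1f4001c6013..fc9c0a761fa 100644
+--- a/tests/qemu-iotests/143.out
++++ b/tests/qemu-iotests/143.out
+@@ -5,6 +5,8 @@ QA output created by 143
+{"return": {}}
+qemu-io: can't open device nbd+unix:///no_such_export?socket=SOCK_DIR/nbd: Requested export not available
+server reported: export 'no_such_export' not present
++qemu-io: can't open device nbd+unix:///aa--aa1?socket=SOCK_DIR/nbd: Requested export not available
++server reported: export 'aa--aa...' not present
+{ 'execute': 'quit' }
+{"return": {}}
+{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}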
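--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch
@@ -0,0 +1,52 @@
+From f50ab86a2620bd7e8507af865b164655ee921661 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 14 May 2020 00:55:38 +0530
+Subject: [PATCH] megasas: use unsigned type for reply_queue_head and check
+index
+
+A guest user may set 'reply_queue_head' field of MegasasState to
+a negative value. Later in 'megasas_lookup_frame' it is used to
+index into s->frames[] array. Use unsigned type to avoid OOB
+access issue.
+
+Also check that 'index' value stays within s->frames[] bounds
+through the while() loop in 'megasas_lookup_frame' to avoid OOB
+access.
+
+Reported-by: Ren Ding <rding@gatech.edu>
+Reported-by: Hanqing Zhao <hanqing@gatech.edu>
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Acked-by: Alexander Bulekov <alxndr@bu.edu>
+Message-Id: <20200513192540.1583887-2-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=f50ab86a2620bd7e8507af865b164655ee921661]
+CVE: CVE-2020-13362
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+hw/scsi/megasas.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index af18c88b656..6ce598cd690 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -112,7 +112,7 @@ typedef struct MegasasState {
+uint64_t reply_queue_pa;
+void *reply_queue;
+int reply_queue_len;
+- int reply_queue_head;
++ uint16_t reply_queue_head;
+int reply_queue_tail;
+uint64_t consumer_pa;
+uint64_t producer_pa;
+@@ -445,7 +445,7 @@ static MegasasCmd *megasas_lookup_frame(MegasasState *s,
+
+index = s->reply_queue_head;
+
+- while (num < s->fw_cmds) {
++ while (num < s->fw_cmds && index < MEGASAS_MAX_FRAMES) {
+if (s->frames[index].pa && s->frames[index].pa == frame) {
+cmd = &s->frames[index];
+break;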
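--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch
@@ -0,0 +1,55 @@
+From 77f55eac6c433e23e82a1b88b2d74f385c4c7d82 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 26 May 2020 16:47:43 +0530
+Subject: [PATCH] exec: set map length to zero when returning NULL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When mapping physical memory into host's virtual address space,
+'address_space_map' may return NULL if BounceBuffer is in_use.
+Set and return '*plen = 0' to avoid later NULL pointer dereference.
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Fixes: https://bugs.launchpad.net/qemu/+bug/1878259
+Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
+Suggested-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20200526111743.428367-1-ppandit@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/77f55eac6c433e23e82a1b88b2d74f385c4c7d82]
+CVE: CVE-2020-13659
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+exec.c | 1 +
+include/exec/memory.h | 3 ++-
+2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/exec.c b/exec.c
+index 9cbde85d8c1..778263f1c6a 100644
+--- a/exec.c
++++ b/exec.c
+@@ -3540,6 +3540,7 @@ void *address_space_map(AddressSpace *as,
+
+if (!memory_access_is_direct(mr, is_write)) {
+if (atomic_xchg(&bounce.in_use, true)) {
++ *plen = 0;
+return NULL;
+}
+/* Avoid unbounded allocations */
+diff --git a/include/exec/memory.h b/include/exec/memory.h
+index bd7fdd60810..af8ca7824e0 100644
+--- a/include/exec/memory.h
++++ b/include/exec/memory.h
+@@ -2314,7 +2314,8 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, hwaddr len,
+/* address_space_map: map a physical memory region into a host virtual address
+*
+* May map a subset of the requested range, given by and returned in @plen.
+- * May return %NULL if resources needed to perform the mapping are exhausted.
++ * May return %NULL and set *@plen to zero(0), if resources needed to perform
++ * the mapping are exhausted.
+* Use only for reads OR writes - not for read-modify-write operations.
+* Use cpu_register_map_client() to know when retrying the map operation is
+* likely to succeed.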
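--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch
@@ -0,0 +1,60 @@
+From a98610c429d52db0937c1e48659428929835c455 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 4 Jun 2020 14:38:30 +0530
+Subject: [PATCH] ati-vga: check mm_index before recursive call
+(CVE-2020-13800)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+While accessing VGA registers via ati_mm_read/write routines,
+a guest may set 's->regs.mm_index' such that it leads to infinite
+recursion. Check mm_index value to avoid such recursion. Log an
+error message for wrong values.
+
+Reported-by: Ren Ding <rding@gatech.edu>
+Reported-by: Hanqing Zhao <hanqing@gatech.edu>
+Reported-by: Yi Ren <c4tren@gmail.com>
+Message-id: 20200604090830.33885-1-ppandit@redhat.com
+Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>
+Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/a98610c429d52db0937c1e48659428929835c455]
+CVE: CVE-2020-13800
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+hw/display/ati.c | 10 ++++++++--
+1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/hw/display/ati.c b/hw/display/ati.c
+index 065f197678e..67604e68deb 100644
+--- a/hw/display/ati.c
++++ b/hw/display/ati.c
+@@ -285,8 +285,11 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
+if (idx <= s->vga.vram_size - size) {
+val = ldn_le_p(s->vga.vram_ptr + idx, size);
+}
+- } else {
++ } else if (s->regs.mm_index > MM_DATA + 3) {
+val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
++ } else {
++ qemu_log_mask(LOG_GUEST_ERROR,
++ "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index);
+}
+break;
+case BIOS_0_SCRATCH ... BUS_CNTL - 1:
+@@ -520,8 +523,11 @@ static void ati_mm_write(void *opaque, hwaddr addr,
+if (idx <= s->vga.vram_size - size) {
+stn_le_p(s->vga.vram_ptr + idx, size, data);
+}
+- } else {
++ } else if (s->regs.mm_index > MM_DATA + 3) {
+ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
++ } else {
++ qemu_log_mask(LOG_GUEST_ERROR,
++ "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index);
+}
+break;
+case BIOS_0_SCRATCH ... BUS_CNTL - 1: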