Revert "qemu: Backport fix for CVE-2023-0330"

This reverts commit 45ce9885351a2344737170e6e810dc67ab3e7ea9. Unfortunately this backport results in qemuarmv5 failing to boot with a qemu lsi hw error. [YOCTO #15274] See discussion: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15274 (From OE-Core rev: 14aa11aecf503cef08e43c90cf0bd574721ca965) Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Steve Sakoman <steve@sakoman.com> 2023-11-07 07:36:29 -1000
committer: Steve Sakoman <steve@sakoman.com> 2023-11-17 06:00:32 -1000
commit: 72c7bacfd367378e979d7800e655f6b445733e60 (patch)
tree: fc860cfd4f3f75aca80085444194243721a2c550 /meta/recipes-devtools
parent: 8a8d40420fd1f875f2dfc97ad445335635fd8fd5 (diff)
download: poky-72c7bacfd367378e979d7800e655f6b445733e60.tar.gz
3 files changed, 1 insertions, 137 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index e6b26aba88..a24915c35c 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -137,8 +137,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2021-3409-4.patch \
           file://CVE-2021-3409-5.patch \
           file://hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \
-           file://CVE-2023-0330_1.patch \
+           file://CVE-2023-0330.patch \
-           file://CVE-2023-0330_2.patch \
           file://CVE-2023-3354.patch \
           file://CVE-2023-3180.patch \
           file://CVE-2020-24165.patch \
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
index 26e22b4c31..26e22b4c31 100644
--- a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_1.patch
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch
deleted file mode 100644
index 3b45bc0411..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-From a2e1753b8054344f32cf94f31c6399a58794a380 Mon Sep 17 00:00:00 2001
-From: Alexander Bulekov <alxndr@bu.edu>
-Date: Thu, 27 Apr 2023 17:10:06 -0400
-Subject: [PATCH] memory: prevent dma-reentracy issues
-Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA.
-This flag is set/checked prior to calling a device's MemoryRegion
-handlers, and set when device code initiates DMA.  The purpose of this
-flag is to prevent two types of DMA-based reentrancy issues:
-1.) mmio -> dma -> mmio case
-2.) bh -> dma write -> mmio case
-These issues have led to problems such as stack-exhaustion and
-use-after-frees.
-Summary of the problem from Peter Maydell:
-https://lore.kernel.org/qemu-devel/CAFEAcA_23vc7hE3iaM-JVA6W38LK4hJoWae5KcknhPRD5fPBZA@mail.gmail.com
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/62
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/540
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/541
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/556
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/557
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/827
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282
-Resolves: CVE-2023-0330
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
-Reviewed-by: Thomas Huth <thuth@redhat.com>
-Message-Id: <20230427211013.2994127-2-alxndr@bu.edu>
-[thuth: Replace warn_report() with warn_report_once()]
-Signed-off-by: Thomas Huth <thuth@redhat.com>
-Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/a2e1753b8054344f32cf94f31c6399a58794a380]
-CVE: CVE-2023-0330
-Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
- include/exec/memory.h  |  5 +++++
- include/hw/qdev-core.h |  7 +++++++
- memory.c               | 16 ++++++++++++++++
- 3 files changed, 28 insertions(+)
-diff --git a/include/exec/memory.h b/include/exec/memory.h
-index 2b8bccdd..0c8cdb8e 100644
--- a/include/exec/memory.h
-+++ b/include/exec/memory.h
-@@ -378,6 +378,8 @@ struct MemoryRegion {
-     bool is_iommu;
-     RAMBlock *ram_block;
-     Object *owner;
-+    /* owner as TYPE_DEVICE. Used for re-entrancy checks in MR access hotpath */
-+    DeviceState *dev;
- 
-     const MemoryRegionOps *ops;
-     void *opaque;
-@@ -400,6 +402,9 @@ struct MemoryRegion {
-     const char *name;
-     unsigned ioeventfd_nb;
-     MemoryRegionIoeventfd *ioeventfds;
-+
-+    /* For devices designed to perform re-entrant IO into their own IO MRs */
-+    bool disable_reentrancy_guard;
- };
- 
- struct IOMMUMemoryRegion {
-diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h
-index 1518495b..206f0a70 100644
--- a/include/hw/qdev-core.h
-+++ b/include/hw/qdev-core.h
-@@ -138,6 +138,10 @@ struct NamedGPIOList {
-     QLIST_ENTRY(NamedGPIOList) node;
- };
- 
-+typedef struct {
-+    bool engaged_in_io;
-+} MemReentrancyGuard;
-+
- /**
-  * DeviceState:
-  * @realized: Indicates whether the device has been fully constructed.
-@@ -163,6 +167,9 @@ struct DeviceState {
-     int num_child_bus;
-     int instance_id_alias;
-     int alias_required_for_version;
-+
-+    /* Is the device currently in mmio/pio/dma? Used to prevent re-entrancy */
-+    MemReentrancyGuard mem_reentrancy_guard;
- };
- 
- struct DeviceListener {
-diff --git a/memory.c b/memory.c
-index 8cafb86a..94ebcaf9 100644
--- a/memory.c
-+++ b/memory.c
-@@ -531,6 +531,18 @@ static MemTxResult access_with_adjusted_size(hwaddr addr,
-         access_size_max = 4;
-     }
- 
-+    /* Do not allow more than one simultaneous access to a device's IO Regions */
-+    if (mr->dev && !mr->disable_reentrancy_guard &&
-+       !mr->ram_device && !mr->ram && !mr->rom_device && !mr->readonly) {
-+       if (mr->dev->mem_reentrancy_guard.engaged_in_io) {
-+           warn_report_once("Blocked re-entrant IO on MemoryRegion: "
-+                            "%s at addr: 0x%" HWADDR_PRIX,
-+                            memory_region_name(mr), addr);
-+           return MEMTX_ACCESS_ERROR;
-+       }
-+       mr->dev->mem_reentrancy_guard.engaged_in_io = true;
-+    }
-+
-     /* FIXME: support unaligned access? */
-     access_size = MAX(MIN(size, access_size_max), access_size_min);
-     access_mask = MAKE_64BIT_MASK(0, access_size * 8);
-@@ -545,6 +557,9 @@ static MemTxResult access_with_adjusted_size(hwaddr addr,
-                         access_mask, attrs);
-         }
-     }
-+    if (mr->dev) {
-+       mr->dev->mem_reentrancy_guard.engaged_in_io = false;
-+    }
-     return r;
- }
- 
-@@ -1132,6 +1147,7 @@ static void memory_region_do_init(MemoryRegion *mr,
-     }
-     mr->name = g_strdup(name);
-     mr->owner = owner;
-+    mr->dev = (DeviceState *) object_dynamic_cast(mr->owner, TYPE_DEVICE);
-     mr->ram_block = NULL;
- 
-     if (name) {
-- 
-2.25.1
author	Steve Sakoman <steve@sakoman.com>	2023-11-07 07:36:29 -1000
committer	Steve Sakoman <steve@sakoman.com>	2023-11-17 06:00:32 -1000
commit	72c7bacfd367378e979d7800e655f6b445733e60 (patch)
tree	fc860cfd4f3f75aca80085444194243721a2c550 /meta/recipes-devtools
parent	8a8d40420fd1f875f2dfc97ad445335635fd8fd5 (diff)
download	poky-72c7bacfd367378e979d7800e655f6b445733e60.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index e6b26aba88..a24915c35c 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -137,8 +137,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
137	file://CVE-2021-3409-4.patch \	137	file://CVE-2021-3409-4.patch \
138	file://CVE-2021-3409-5.patch \	138	file://CVE-2021-3409-5.patch \
139	file://hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \	139	file://hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \
140	file://CVE-2023-0330_1.patch \	140	file://CVE-2023-0330.patch \
141	file://CVE-2023-0330_2.patch \
142	file://CVE-2023-3354.patch \	141	file://CVE-2023-3354.patch \
143	file://CVE-2023-3180.patch \	142	file://CVE-2023-3180.patch \
144	file://CVE-2020-24165.patch \	143	file://CVE-2020-24165.patch \


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch index 26e22b4c31..26e22b4c31 100644 --- a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_1.patch +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch deleted file mode 100644 index 3b45bc0411..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch +++ /dev/null
@@ -1,135 +0,0 @@
1	From a2e1753b8054344f32cf94f31c6399a58794a380 Mon Sep 17 00:00:00 2001
2	From: Alexander Bulekov <alxndr@bu.edu>
3	Date: Thu, 27 Apr 2023 17:10:06 -0400
4	Subject: [PATCH] memory: prevent dma-reentracy issues
5
6	Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA.
7	This flag is set/checked prior to calling a device's MemoryRegion
8	handlers, and set when device code initiates DMA. The purpose of this
9	flag is to prevent two types of DMA-based reentrancy issues:
10
11	1.) mmio -> dma -> mmio case
12	2.) bh -> dma write -> mmio case
13
14	These issues have led to problems such as stack-exhaustion and
15	use-after-frees.
16
17	Summary of the problem from Peter Maydell:
18	https://lore.kernel.org/qemu-devel/CAFEAcA_23vc7hE3iaM-JVA6W38LK4hJoWae5KcknhPRD5fPBZA@mail.gmail.com
19
20	Resolves: https://gitlab.com/qemu-project/qemu/-/issues/62
21	Resolves: https://gitlab.com/qemu-project/qemu/-/issues/540
22	Resolves: https://gitlab.com/qemu-project/qemu/-/issues/541
23	Resolves: https://gitlab.com/qemu-project/qemu/-/issues/556
24	Resolves: https://gitlab.com/qemu-project/qemu/-/issues/557
25	Resolves: https://gitlab.com/qemu-project/qemu/-/issues/827
26	Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282
27	Resolves: CVE-2023-0330
28
29	Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
30	Reviewed-by: Thomas Huth <thuth@redhat.com>
31	Message-Id: <20230427211013.2994127-2-alxndr@bu.edu>
32	[thuth: Replace warn_report() with warn_report_once()]
33	Signed-off-by: Thomas Huth <thuth@redhat.com>
34
35	Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/a2e1753b8054344f32cf94f31c6399a58794a380]
36	CVE: CVE-2023-0330
37	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
38	---
39	include/exec/memory.h \| 5 +++++
40	include/hw/qdev-core.h \| 7 +++++++
41	memory.c \| 16 ++++++++++++++++
42	3 files changed, 28 insertions(+)
43
44	diff --git a/include/exec/memory.h b/include/exec/memory.h
45	index 2b8bccdd..0c8cdb8e 100644
46	--- a/include/exec/memory.h
47	+++ b/include/exec/memory.h
48	@@ -378,6 +378,8 @@ struct MemoryRegion {
49	bool is_iommu;
50	RAMBlock *ram_block;
51	Object *owner;
52	+ /* owner as TYPE_DEVICE. Used for re-entrancy checks in MR access hotpath */
53	+ DeviceState *dev;
54
55	const MemoryRegionOps *ops;
56	void *opaque;
57	@@ -400,6 +402,9 @@ struct MemoryRegion {
58	const char *name;
59	unsigned ioeventfd_nb;
60	MemoryRegionIoeventfd *ioeventfds;
61	+
62	+ /* For devices designed to perform re-entrant IO into their own IO MRs */
63	+ bool disable_reentrancy_guard;
64	};
65
66	struct IOMMUMemoryRegion {
67	diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h
68	index 1518495b..206f0a70 100644
69	--- a/include/hw/qdev-core.h
70	+++ b/include/hw/qdev-core.h
71	@@ -138,6 +138,10 @@ struct NamedGPIOList {
72	QLIST_ENTRY(NamedGPIOList) node;
73	};
74
75	+typedef struct {
76	+ bool engaged_in_io;
77	+} MemReentrancyGuard;
78	+
79	/**
80	* DeviceState:
81	* @realized: Indicates whether the device has been fully constructed.
82	@@ -163,6 +167,9 @@ struct DeviceState {
83	int num_child_bus;
84	int instance_id_alias;
85	int alias_required_for_version;
86	+
87	+ /* Is the device currently in mmio/pio/dma? Used to prevent re-entrancy */
88	+ MemReentrancyGuard mem_reentrancy_guard;
89	};
90
91	struct DeviceListener {
92	diff --git a/memory.c b/memory.c
93	index 8cafb86a..94ebcaf9 100644
94	--- a/memory.c
95	+++ b/memory.c
96	@@ -531,6 +531,18 @@ static MemTxResult access_with_adjusted_size(hwaddr addr,
97	access_size_max = 4;
98	}
99
100	+ /* Do not allow more than one simultaneous access to a device's IO Regions */
101	+ if (mr->dev && !mr->disable_reentrancy_guard &&
102	+ !mr->ram_device && !mr->ram && !mr->rom_device && !mr->readonly) {
103	+ if (mr->dev->mem_reentrancy_guard.engaged_in_io) {
104	+ warn_report_once("Blocked re-entrant IO on MemoryRegion: "
105	+ "%s at addr: 0x%" HWADDR_PRIX,
106	+ memory_region_name(mr), addr);
107	+ return MEMTX_ACCESS_ERROR;
108	+ }
109	+ mr->dev->mem_reentrancy_guard.engaged_in_io = true;
110	+ }
111	+
112	/* FIXME: support unaligned access? */
113	access_size = MAX(MIN(size, access_size_max), access_size_min);
114	access_mask = MAKE_64BIT_MASK(0, access_size * 8);
115	@@ -545,6 +557,9 @@ static MemTxResult access_with_adjusted_size(hwaddr addr,
116	access_mask, attrs);
117	}
118	}
119	+ if (mr->dev) {
120	+ mr->dev->mem_reentrancy_guard.engaged_in_io = false;
121	+ }
122	return r;
123	}
124
125	@@ -1132,6 +1147,7 @@ static void memory_region_do_init(MemoryRegion *mr,
126	}
127	mr->name = g_strdup(name);
128	mr->owner = owner;
129	+ mr->dev = (DeviceState *) object_dynamic_cast(mr->owner, TYPE_DEVICE);
130	mr->ram_block = NULL;
131
132	if (name) {
133	--
134	2.25.1
135