author | Chee Yang Lee <chee.yang.lee@intel.com> | 2023-03-21 11:40:23 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-04-01 20:23:23 +0100 |
commit | 72707c04e10248640328dd39afe55ba08195965d (patch) | |
tree | 9d675807dc06d19e792546938aa2e5f929092490 /meta | |
parent | f76c7b8e6366129a2550417ed6f091717d897a81 (diff) | |
download | poky-72707c04e10248640328dd39afe55ba08195965d.tar.gz |
qemu: fix multple CVEs
import patches from ubuntu to fix
CVE-2020-15469
CVE-2020-15859
CVE-2020-17380
CVE-2020-35504
CVE-2020-35505
CVE-2021-3409
CVE-2022-26354
https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches?h=ubuntu/focal-security
The combined patches for CVE-2020-25085 and CVE-2021-3409 also fix CVE-2020-17380,
so CVE-2020-17380 is marked as fixed by the CVE-2021-3409 patches. The CVE-2020-17380 patch has been backported since
oecore rev 6b4c58a31ec11e557d40c31f2532985dd53e61eb.
(From OE-Core rev: 3ee2e9027d57dd5ae9f8795436c1acd18a9f1e24)
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
18 files changed, 1039 insertions, 0 deletions
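--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -117,6 +117,23 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://CVE-2021-3507.patch \
 file://CVE-2021-3929.patch \
 file://CVE-2022-4144.patch \
+file://CVE-2020-15859.patch \
+file://CVE-2020-15469-1.patch \
+file://CVE-2020-15469-2.patch \
+file://CVE-2020-15469-3.patch \
+file://CVE-2020-15469-4.patch \
+file://CVE-2020-15469-5.patch \
+file://CVE-2020-15469-6.patch \
+file://CVE-2020-15469-7.patch \
+file://CVE-2020-15469-8.patch \
+file://CVE-2020-35504.patch \
+file://CVE-2020-35505.patch \
+file://CVE-2022-26354.patch \
+file://CVE-2021-3409-1.patch \
+file://CVE-2021-3409-2.patch \
+file://CVE-2021-3409-3.patch \
+file://CVE-2021-3409-4.patch \
+file://CVE-2021-3409-5.patch \
 "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 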
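Review bot: The commit message says CVE-2020-17380 is to be treated as fixed by the CVE-2021-3409 patches added here, but cve-check derives "patched" status from a `CVE:` tag inside the patch file (or a CVE id in its filename), not from upstream `Fixes:` trailers, and the visible head of CVE-2021-3409-1.patch shows only `Fixes: CVE-2020-17380` lines with the OE `CVE:` tag outside this view. If none of the CVE-2021-3409-*.patch files carries `CVE: CVE-2020-17380` in its tag line, cve-check will presumably keep reporting that id as unpatched despite the fix being present. Suggest confirming the tag in the patch that closes it (e.g. `CVE: CVE-2020-17380 CVE-2021-3409` on one line) so the recipe's CVE status matches the message.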
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-1.patch new file mode 100644 index 0000000000..20f39f0a26 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-1.patch | |||
@@ -0,0 +1,50 @@ | |||
1 | From 520f26fc6d17b71a43eaf620e834b3bdf316f3d3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Tue, 11 Aug 2020 17:11:25 +0530 | ||
4 | Subject: [PATCH] hw/pci-host: add pci-intack write method | ||
5 | |||
6 | Add pci-intack mmio write method to avoid NULL pointer dereference | ||
7 | issue. | ||
8 | |||
9 | Reported-by: Lei Sun <slei.casper@gmail.com> | ||
10 | Reviewed-by: Li Qiang <liq3ea@gmail.com> | ||
11 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
12 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
13 | Message-Id: <20200811114133.672647-2-ppandit@redhat.com> | ||
14 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
15 | |||
16 | CVE: CVE-2020-15469 | ||
17 | Upstream-Status: Backport [import from ubuntu | ||
18 | https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-1.patch?h=ubuntu/focal-security | ||
19 | Upstream commit https://github.com/qemu/qemu/commit/520f26fc6d17b71a43eaf620e834b3bdf316f3d3 ] | ||
20 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
21 | --- | ||
22 | hw/pci-host/prep.c | 8 ++++++++ | ||
23 | 1 file changed, 8 insertions(+) | ||
24 | |||
25 | --- a/hw/pci-host/prep.c | ||
26 | +++ b/hw/pci-host/prep.c | ||
27 | @@ -26,6 +26,7 @@ | ||
28 | #include "qemu/osdep.h" | ||
29 | #include "qemu-common.h" | ||
30 | #include "qemu/units.h" | ||
31 | +#include "qemu/log.h" | ||
32 | #include "qapi/error.h" | ||
33 | #include "hw/pci/pci.h" | ||
34 | #include "hw/pci/pci_bus.h" | ||
35 | @@ -119,8 +120,15 @@ static uint64_t raven_intack_read(void * | ||
36 | return pic_read_irq(isa_pic); | ||
37 | } | ||
38 | |||
39 | +static void raven_intack_write(void *opaque, hwaddr addr, | ||
40 | + uint64_t data, unsigned size) | ||
41 | +{ | ||
42 | + qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__); | ||
43 | +} | ||
44 | + | ||
45 | static const MemoryRegionOps raven_intack_ops = { | ||
46 | .read = raven_intack_read, | ||
47 | + .write = raven_intack_write, | ||
48 | .valid = { | ||
49 | .max_access_size = 1, | ||
50 | }, | ||
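Review bot: The `Upstream-Status:` tag in this patch header is wrapped across three lines (the bracketed text continues on the next two lines), whereas the sibling CVE-2020-15469-*.patch files keep it on a single line; OE's patch-header conventions and review tooling look for the tag as one line, so the wrapped form is likely to be flagged as malformed. Suggest collapsing it to a single `Upstream-Status: Backport [import from ubuntu <launchpad URL> Upstream commit <qemu commit URL>]` line using the two URLs already given. Separately, `raven_intack_write` logs with `LOG_UNIMP` while the other write stubs in this series use `LOG_GUEST_ERROR`; this matches the upstream commit, but a one-line comment saying the class was kept as upstream would save the next reader the question.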
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-2.patch new file mode 100644 index 0000000000..d6715d337c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-2.patch | |||
@@ -0,0 +1,69 @@ | |||
1 | From 4f2a5202a05fc1612954804a2482f07bff105ea2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Tue, 11 Aug 2020 17:11:26 +0530 | ||
4 | Subject: [PATCH] pci-host: designware: add pcie-msi read method | ||
5 | |||
6 | Add pcie-msi mmio read method to avoid NULL pointer dereference | ||
7 | issue. | ||
8 | |||
9 | Reported-by: Lei Sun <slei.casper@gmail.com> | ||
10 | Reviewed-by: Li Qiang <liq3ea@gmail.com> | ||
11 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
12 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
13 | Message-Id: <20200811114133.672647-3-ppandit@redhat.com> | ||
14 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
15 | |||
16 | CVE: CVE-2020-15469 | ||
17 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-2.patch?h=ubuntu/focal-security Upstream Commit https://github.com/qemu/qemu/commit/4f2a5202a05fc1612954804a2482f07bff105ea2] | ||
18 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
19 | --- | ||
20 | hw/pci-host/designware.c | 19 +++++++++++++++++++ | ||
21 | 1 file changed, 19 insertions(+) | ||
22 | |||
23 | diff --git a/hw/pci-host/designware.c b/hw/pci-host/designware.c | ||
24 | index f9fb97a..bde3a34 100644 | ||
25 | --- a/hw/pci-host/designware.c | ||
26 | +++ b/hw/pci-host/designware.c | ||
27 | @@ -21,6 +21,7 @@ | ||
28 | #include "qemu/osdep.h" | ||
29 | #include "qapi/error.h" | ||
30 | #include "qemu/module.h" | ||
31 | +#include "qemu/log.h" | ||
32 | #include "hw/pci/msi.h" | ||
33 | #include "hw/pci/pci_bridge.h" | ||
34 | #include "hw/pci/pci_host.h" | ||
35 | @@ -63,6 +64,23 @@ designware_pcie_root_to_host(DesignwarePCIERoot *root) | ||
36 | return DESIGNWARE_PCIE_HOST(bus->parent); | ||
37 | } | ||
38 | |||
39 | +static uint64_t designware_pcie_root_msi_read(void *opaque, hwaddr addr, | ||
40 | + unsigned size) | ||
41 | +{ | ||
42 | + /* | ||
43 | + * Attempts to read from the MSI address are undefined in | ||
44 | + * the PCI specifications. For this hardware, the datasheet | ||
45 | + * specifies that a read from the magic address is simply not | ||
46 | + * intercepted by the MSI controller, and will go out to the | ||
47 | + * AHB/AXI bus like any other PCI-device-initiated DMA read. | ||
48 | + * This is not trivial to implement in QEMU, so since | ||
49 | + * well-behaved guests won't ever ask a PCI device to DMA from | ||
50 | + * this address we just log the missing functionality. | ||
51 | + */ | ||
52 | + qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__); | ||
53 | + return 0; | ||
54 | +} | ||
55 | + | ||
56 | static void designware_pcie_root_msi_write(void *opaque, hwaddr addr, | ||
57 | uint64_t val, unsigned len) | ||
58 | { | ||
59 | @@ -77,6 +95,7 @@ static void designware_pcie_root_msi_write(void *opaque, hwaddr addr, | ||
60 | } | ||
61 | |||
62 | static const MemoryRegionOps designware_pci_host_msi_ops = { | ||
63 | + .read = designware_pcie_root_msi_read, | ||
64 | .write = designware_pcie_root_msi_write, | ||
65 | .endianness = DEVICE_LITTLE_ENDIAN, | ||
66 | .valid = { | ||
67 | -- | ||
68 | 1.8.3.1 | ||
69 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-3.patch new file mode 100644 index 0000000000..85abe8ff32 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-3.patch | |||
@@ -0,0 +1,49 @@ | |||
1 | From 24202d2b561c3b4c48bd28383c8c34b4ac66c2bf Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Tue, 11 Aug 2020 17:11:27 +0530 | ||
4 | Subject: [PATCH] vfio: add quirk device write method | ||
5 | |||
6 | Add vfio quirk device mmio write method to avoid NULL pointer | ||
7 | dereference issue. | ||
8 | |||
9 | Reported-by: Lei Sun <slei.casper@gmail.com> | ||
10 | Reviewed-by: Li Qiang <liq3ea@gmail.com> | ||
11 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
12 | Acked-by: Alex Williamson <alex.williamson@redhat.com> | ||
13 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
14 | Message-Id: <20200811114133.672647-4-ppandit@redhat.com> | ||
15 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
16 | |||
17 | CVE: CVE-2020-15469 | ||
18 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-3.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/24202d2b561c3b4c48bd28383c8c34b4ac66c2bf] | ||
19 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
20 | --- | ||
21 | hw/vfio/pci-quirks.c | 8 ++++++++ | ||
22 | 1 file changed, 8 insertions(+) | ||
23 | |||
24 | --- a/hw/vfio/pci-quirks.c | ||
25 | +++ b/hw/vfio/pci-quirks.c | ||
26 | @@ -13,6 +13,7 @@ | ||
27 | #include "qemu/osdep.h" | ||
28 | #include "exec/memop.h" | ||
29 | #include "qemu/units.h" | ||
30 | +#include "qemu/log.h" | ||
31 | #include "qemu/error-report.h" | ||
32 | #include "qemu/main-loop.h" | ||
33 | #include "qemu/module.h" | ||
34 | @@ -278,8 +279,15 @@ static uint64_t vfio_ati_3c3_quirk_read( | ||
35 | return data; | ||
36 | } | ||
37 | |||
38 | +static void vfio_ati_3c3_quirk_write(void *opaque, hwaddr addr, | ||
39 | + uint64_t data, unsigned size) | ||
40 | +{ | ||
41 | + qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid access\n", __func__); | ||
42 | +} | ||
43 | + | ||
44 | static const MemoryRegionOps vfio_ati_3c3_quirk = { | ||
45 | .read = vfio_ati_3c3_quirk_read, | ||
46 | + .write = vfio_ati_3c3_quirk_write, | ||
47 | .endianness = DEVICE_LITTLE_ENDIAN, | ||
48 | }; | ||
49 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-4.patch new file mode 100644 index 0000000000..52fac8a051 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-4.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | From f867cebaedbc9c43189f102e4cdfdff05e88df7f Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Tue, 11 Aug 2020 17:11:28 +0530 | ||
4 | Subject: [PATCH] prep: add ppc-parity write method | ||
5 | |||
6 | Add ppc-parity mmio write method to avoid NULL pointer dereference | ||
7 | issue. | ||
8 | |||
9 | Reported-by: Lei Sun <slei.casper@gmail.com> | ||
10 | Acked-by: David Gibson <david@gibson.dropbear.id.au> | ||
11 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
12 | Reviewed-by: Li Qiang <liq3ea@gmail.com> | ||
13 | Message-Id: <20200811114133.672647-5-ppandit@redhat.com> | ||
14 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
15 | |||
16 | CVE: CVE-2020-15469 | ||
17 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-4.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/f867cebaedbc9c43189f102e4cdfdff05e88df7f] | ||
18 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
19 | --- | ||
20 | hw/ppc/prep_systemio.c | 8 ++++++++ | ||
21 | 1 file changed, 8 insertions(+) | ||
22 | |||
23 | diff --git a/hw/ppc/prep_systemio.c b/hw/ppc/prep_systemio.c | ||
24 | index 4e48ef2..b2bd783 100644 | ||
25 | --- a/hw/ppc/prep_systemio.c | ||
26 | +++ b/hw/ppc/prep_systemio.c | ||
27 | @@ -23,6 +23,7 @@ | ||
28 | */ | ||
29 | |||
30 | #include "qemu/osdep.h" | ||
31 | +#include "qemu/log.h" | ||
32 | #include "hw/irq.h" | ||
33 | #include "hw/isa/isa.h" | ||
34 | #include "hw/qdev-properties.h" | ||
35 | @@ -235,8 +236,15 @@ static uint64_t ppc_parity_error_readl(void *opaque, hwaddr addr, | ||
36 | return val; | ||
37 | } | ||
38 | |||
39 | +static void ppc_parity_error_writel(void *opaque, hwaddr addr, | ||
40 | + uint64_t data, unsigned size) | ||
41 | +{ | ||
42 | + qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid access\n", __func__); | ||
43 | +} | ||
44 | + | ||
45 | static const MemoryRegionOps ppc_parity_error_ops = { | ||
46 | .read = ppc_parity_error_readl, | ||
47 | + .write = ppc_parity_error_writel, | ||
48 | .valid = { | ||
49 | .min_access_size = 4, | ||
50 | .max_access_size = 4, | ||
51 | -- | ||
52 | 1.8.3.1 | ||
53 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-5.patch new file mode 100644 index 0000000000..49c6c5e3e2 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-5.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | From b5bf601f364e1a14ca4c3276f88dfec024acf613 Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Tue, 11 Aug 2020 17:11:29 +0530 | ||
4 | Subject: [PATCH] nvram: add nrf51_soc flash read method | ||
5 | |||
6 | Add nrf51_soc mmio read method to avoid NULL pointer dereference | ||
7 | issue. | ||
8 | |||
9 | Reported-by: Lei Sun <slei.casper@gmail.com> | ||
10 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
11 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
12 | Reviewed-by: Li Qiang <liq3ea@gmail.com> | ||
13 | Message-Id: <20200811114133.672647-6-ppandit@redhat.com> | ||
14 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
15 | |||
16 | CVE: CVE-2020-15469 | ||
17 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-5.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/b5bf601f364e1a14ca4c3276f88dfec024acf613 ] | ||
18 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
19 | --- | ||
20 | hw/nvram/nrf51_nvm.c | 10 ++++++++++ | ||
21 | 1 file changed, 10 insertions(+) | ||
22 | |||
23 | diff --git a/hw/nvram/nrf51_nvm.c b/hw/nvram/nrf51_nvm.c | ||
24 | index f2283c1..7b3460d 100644 | ||
25 | --- a/hw/nvram/nrf51_nvm.c | ||
26 | +++ b/hw/nvram/nrf51_nvm.c | ||
27 | @@ -273,6 +273,15 @@ static const MemoryRegionOps io_ops = { | ||
28 | .endianness = DEVICE_LITTLE_ENDIAN, | ||
29 | }; | ||
30 | |||
31 | +static uint64_t flash_read(void *opaque, hwaddr offset, unsigned size) | ||
32 | +{ | ||
33 | + /* | ||
34 | + * This is a rom_device MemoryRegion which is always in | ||
35 | + * romd_mode (we never put it in MMIO mode), so reads always | ||
36 | + * go directly to RAM and never come here. | ||
37 | + */ | ||
38 | + g_assert_not_reached(); | ||
39 | +} | ||
40 | |||
41 | static void flash_write(void *opaque, hwaddr offset, uint64_t value, | ||
42 | unsigned int size) | ||
43 | @@ -300,6 +309,7 @@ static void flash_write(void *opaque, hwaddr offset, uint64_t value, | ||
44 | |||
45 | |||
46 | static const MemoryRegionOps flash_ops = { | ||
47 | + .read = flash_read, | ||
48 | .write = flash_write, | ||
49 | .valid.min_access_size = 4, | ||
50 | .valid.max_access_size = 4, | ||
51 | -- | ||
52 | 1.8.3.1 | ||
53 | |||
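Review bot: `flash_read` (patch lines 31–39) turns any read that does reach the MMIO callback into a process abort via `g_assert_not_reached()`, so the fix is only as safe as the comment's claim that the rom_device region never leaves romd mode, which nothing in this hunk enforces. The sibling stubs in this series (for example `spapr_msi_read` in CVE-2020-15469-6.patch) fail soft with `qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid access\n", __func__); return 0;`, which keeps a mis-routed guest read a logged event rather than a guest-triggerable exit. If the romd-only guarantee holds for this QEMU version the backport is fine as the upstream choice; if that is not verified, the logging form is the more defensive option.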
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-6.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-6.patch new file mode 100644 index 0000000000..115be68295 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-6.patch | |||
@@ -0,0 +1,61 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From 921604e175b8ec06c39503310e7b3ec1e3eafe9e Mon Sep 17 00:00:00 2001 | ||
4 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
5 | Date: Tue, 11 Aug 2020 17:11:30 +0530 | ||
6 | Subject: [PATCH] spapr_pci: add spapr msi read method | ||
7 | |||
8 | Add spapr msi mmio read method to avoid NULL pointer dereference | ||
9 | issue. | ||
10 | |||
11 | Reported-by: Lei Sun <slei.casper@gmail.com> | ||
12 | Acked-by: David Gibson <david@gibson.dropbear.id.au> | ||
13 | Reviewed-by: Li Qiang <liq3ea@gmail.com> | ||
14 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
15 | Message-Id: <20200811114133.672647-7-ppandit@redhat.com> | ||
16 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
17 | |||
18 | CVE: CVE-2020-15469 | ||
19 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-6.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/921604e175b8ec06c39503310e7b3ec1e3eafe9e] | ||
20 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
21 | --- | ||
22 | hw/ppc/spapr_pci.c | 14 ++++++++++++-- | ||
23 | 1 file changed, 12 insertions(+), 2 deletions(-) | ||
24 | |||
25 | --- a/hw/ppc/spapr_pci.c | ||
26 | +++ b/hw/ppc/spapr_pci.c | ||
27 | @@ -52,6 +52,7 @@ | ||
28 | #include "sysemu/kvm.h" | ||
29 | #include "sysemu/hostmem.h" | ||
30 | #include "sysemu/numa.h" | ||
31 | +#include "qemu/log.h" | ||
32 | |||
33 | /* Copied from the kernel arch/powerpc/platforms/pseries/msi.c */ | ||
34 | #define RTAS_QUERY_FN 0 | ||
35 | @@ -738,6 +739,12 @@ static PCIINTxRoute spapr_route_intx_pin | ||
36 | return route; | ||
37 | } | ||
38 | |||
39 | +static uint64_t spapr_msi_read(void *opaque, hwaddr addr, unsigned size) | ||
40 | +{ | ||
41 | + qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid access\n", __func__); | ||
42 | + return 0; | ||
43 | +} | ||
44 | + | ||
45 | /* | ||
46 | * MSI/MSIX memory region implementation. | ||
47 | * The handler handles both MSI and MSIX. | ||
48 | @@ -755,8 +762,11 @@ static void spapr_msi_write(void *opaque | ||
49 | } | ||
50 | |||
51 | static const MemoryRegionOps spapr_msi_ops = { | ||
52 | - /* There is no .read as the read result is undefined by PCI spec */ | ||
53 | - .read = NULL, | ||
54 | + /* | ||
55 | + * .read result is undefined by PCI spec. | ||
56 | + * define .read method to avoid assert failure in memory_region_init_io | ||
57 | + */ | ||
58 | + .read = spapr_msi_read, | ||
59 | .write = spapr_msi_write, | ||
60 | .endianness = DEVICE_LITTLE_ENDIAN | ||
61 | }; | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-7.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-7.patch new file mode 100644 index 0000000000..7d8ec32251 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-7.patch | |||
@@ -0,0 +1,50 @@ | |||
1 | From 2c9fb3b784000c1df32231e1c2464bb2e3fc4620 Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Tue, 11 Aug 2020 17:11:31 +0530 | ||
4 | Subject: [PATCH] tz-ppc: add dummy read/write methods | ||
5 | |||
6 | Add tz-ppc-dummy mmio read/write methods to avoid assert failure | ||
7 | during initialisation. | ||
8 | |||
9 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
10 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
11 | Reviewed-by: Li Qiang <liq3ea@gmail.com> | ||
12 | Message-Id: <20200811114133.672647-8-ppandit@redhat.com> | ||
13 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
14 | |||
15 | CVE: CVE-2020-15469 | ||
16 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-7.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/2c9fb3b784000c1df32231e1c2464bb2e3fc4620 ] | ||
17 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
18 | --- | ||
19 | hw/misc/tz-ppc.c | 14 ++++++++++++++ | ||
20 | 1 file changed, 14 insertions(+) | ||
21 | |||
22 | diff --git a/hw/misc/tz-ppc.c b/hw/misc/tz-ppc.c | ||
23 | index 6431257..36495c6 100644 | ||
24 | --- a/hw/misc/tz-ppc.c | ||
25 | +++ b/hw/misc/tz-ppc.c | ||
26 | @@ -196,7 +196,21 @@ static bool tz_ppc_dummy_accepts(void *opaque, hwaddr addr, | ||
27 | g_assert_not_reached(); | ||
28 | } | ||
29 | |||
30 | +static uint64_t tz_ppc_dummy_read(void *opaque, hwaddr addr, unsigned size) | ||
31 | +{ | ||
32 | + g_assert_not_reached(); | ||
33 | +} | ||
34 | + | ||
35 | +static void tz_ppc_dummy_write(void *opaque, hwaddr addr, | ||
36 | + uint64_t data, unsigned size) | ||
37 | +{ | ||
38 | + g_assert_not_reached(); | ||
39 | +} | ||
40 | + | ||
41 | static const MemoryRegionOps tz_ppc_dummy_ops = { | ||
42 | + /* define r/w methods to avoid assert failure in memory_region_init_io */ | ||
43 | + .read = tz_ppc_dummy_read, | ||
44 | + .write = tz_ppc_dummy_write, | ||
45 | .valid.accepts = tz_ppc_dummy_accepts, | ||
46 | }; | ||
47 | |||
48 | -- | ||
49 | 1.8.3.1 | ||
50 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-8.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-8.patch new file mode 100644 index 0000000000..7857ba266e --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-8.patch | |||
@@ -0,0 +1,44 @@ | |||
1 | From 735754aaa15a6ed46db51fd731e88331c446ea54 Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Tue, 11 Aug 2020 17:11:32 +0530 | ||
4 | Subject: [PATCH] imx7-ccm: add digprog mmio write method | ||
5 | |||
6 | Add digprog mmio write method to avoid assert failure during | ||
7 | initialisation. | ||
8 | |||
9 | Reviewed-by: Li Qiang <liq3ea@gmail.com> | ||
10 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
11 | Message-Id: <20200811114133.672647-9-ppandit@redhat.com> | ||
12 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
13 | |||
14 | CVE: CVE-2020-15469 | ||
15 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-8.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/735754aaa15a6ed46db51fd731e88331c446ea54] | ||
16 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
17 | --- | ||
18 | hw/misc/imx7_ccm.c | 8 ++++++++ | ||
19 | 1 file changed, 8 insertions(+) | ||
20 | |||
21 | diff --git a/hw/misc/imx7_ccm.c b/hw/misc/imx7_ccm.c | ||
22 | index 02fc1ae..075159e 100644 | ||
23 | --- a/hw/misc/imx7_ccm.c | ||
24 | +++ b/hw/misc/imx7_ccm.c | ||
25 | @@ -131,8 +131,16 @@ static const struct MemoryRegionOps imx7_set_clr_tog_ops = { | ||
26 | }, | ||
27 | }; | ||
28 | |||
29 | +static void imx7_digprog_write(void *opaque, hwaddr addr, | ||
30 | + uint64_t data, unsigned size) | ||
31 | +{ | ||
32 | + qemu_log_mask(LOG_GUEST_ERROR, | ||
33 | + "Guest write to read-only ANALOG_DIGPROG register\n"); | ||
34 | +} | ||
35 | + | ||
36 | static const struct MemoryRegionOps imx7_digprog_ops = { | ||
37 | .read = imx7_set_clr_tog_read, | ||
38 | + .write = imx7_digprog_write, | ||
39 | .endianness = DEVICE_NATIVE_ENDIAN, | ||
40 | .impl = { | ||
41 | .min_access_size = 4, | ||
42 | -- | ||
43 | 1.8.3.1 | ||
44 | |||
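Review bot: The `imx7_digprog_write` message (patch lines 32–33) carries neither `__func__` nor the offending offset, unlike the other stubs in this series that log `"%s: invalid access\n", __func__`, so a guest-error log line from this path cannot be attributed without reading the source. Suggest `qemu_log_mask(LOG_GUEST_ERROR, "%s: guest write to read-only ANALOG_DIGPROG register at 0x%" HWADDR_PRIx "\n", __func__, addr);`. This patch also does not add `#include "qemu/log.h"` as the siblings do; presumably imx7_ccm.c already includes it, which is worth confirming since `qemu_log_mask` is new to this file's digprog ops.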
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15859.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15859.patch new file mode 100644 index 0000000000..0f43adeea8 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15859.patch | |||
@@ -0,0 +1,39 @@ | |||
1 | From 22dc8663d9fc7baa22100544c600b6285a63c7a3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Jason Wang <jasowang@redhat.com> | ||
3 | Date: Wed, 22 Jul 2020 16:57:46 +0800 | ||
4 | Subject: [PATCH] net: forbid the reentrant RX | ||
5 | |||
6 | The memory API allows DMA into NIC's MMIO area. This means the NIC's | ||
7 | RX routine must be reentrant. Instead of auditing all the NIC, we can | ||
8 | simply detect the reentrancy and return early. The queue->delivering | ||
9 | is set and cleared by qemu_net_queue_deliver() for other queue helpers | ||
10 | to know whether the delivering in on going (NIC's receive is being | ||
11 | called). We can check it and return early in qemu_net_queue_flush() to | ||
12 | forbid reentrant RX. | ||
13 | |||
14 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
15 | |||
16 | CVE: CVE-2020-15859 | ||
17 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/ubuntu/CVE-2020-15859.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/22dc8663d9fc7baa22100544c600b6285a63c7a3 ] | ||
18 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
19 | --- | ||
20 | net/queue.c | 3 +++ | ||
21 | 1 file changed, 3 insertions(+) | ||
22 | |||
23 | diff --git a/net/queue.c b/net/queue.c | ||
24 | index 0164727..19e32c8 100644 | ||
25 | --- a/net/queue.c | ||
26 | +++ b/net/queue.c | ||
27 | @@ -250,6 +250,9 @@ void qemu_net_queue_purge(NetQueue *queue, NetClientState *from) | ||
28 | |||
29 | bool qemu_net_queue_flush(NetQueue *queue) | ||
30 | { | ||
31 | + if (queue->delivering) | ||
32 | + return false; | ||
33 | + | ||
34 | while (!QTAILQ_EMPTY(&queue->packets)) { | ||
35 | NetPacket *packet; | ||
36 | int ret; | ||
37 | -- | ||
38 | 1.8.3.1 | ||
39 | |||
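Review bot: The added early return in `qemu_net_queue_flush` (patch lines 31–32) is written without braces, `if (queue->delivering) return false;`, which QEMU's coding style rejects and checkpatch flags; the rest of `qemu_net_queue_flush` continues outside the hunk. Suggest `if (queue->delivering) {` / `    return false;` / `}`. The guard itself is correct for the stated purpose: returning `false` here means the caller sees the queue as not drained, and the normal delivery path clears `delivering` before the next flush.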
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35504.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35504.patch new file mode 100644 index 0000000000..97d32589d8 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-35504.patch | |||
@@ -0,0 +1,51 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From 0db895361b8a82e1114372ff9f4857abea605701 Mon Sep 17 00:00:00 2001 | ||
4 | From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> | ||
5 | Date: Wed, 7 Apr 2021 20:57:50 +0100 | ||
6 | Subject: [PATCH] esp: always check current_req is not NULL before use in DMA | ||
7 | callbacks | ||
8 | |||
9 | After issuing a SCSI command the SCSI layer can call the SCSIBusInfo .cancel | ||
10 | callback which resets both current_req and current_dev to NULL. If any data | ||
11 | is left in the transfer buffer (async_len != 0) then the next TI (Transfer | ||
12 | Information) command will attempt to reference the NULL pointer causing a | ||
13 | segfault. | ||
14 | |||
15 | Buglink: https://bugs.launchpad.net/qemu/+bug/1910723 | ||
16 | Buglink: https://bugs.launchpad.net/qemu/+bug/1909247 | ||
17 | Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> | ||
18 | Tested-by: Alexander Bulekov <alxndr@bu.edu> | ||
19 | Message-Id: <20210407195801.685-2-mark.cave-ayland@ilande.co.uk> | ||
20 | |||
21 | CVE: CVE-2020-35504 | ||
22 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-35504.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/0db895361b8a82e1114372ff9f4857abea605701 ] | ||
23 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
24 | --- | ||
25 | hw/scsi/esp.c | 19 ++++++++++++++----- | ||
26 | 1 file changed, 14 insertions(+), 5 deletions(-) | ||
27 | |||
28 | --- a/hw/scsi/esp.c | ||
29 | +++ b/hw/scsi/esp.c | ||
30 | @@ -362,6 +362,11 @@ static void do_dma_pdma_cb(ESPState *s) | ||
31 | do_cmd(s, s->cmdbuf); | ||
32 | return; | ||
33 | } | ||
34 | + | ||
35 | + if (!s->current_req) { | ||
36 | + return; | ||
37 | + } | ||
38 | + | ||
39 | s->dma_left -= len; | ||
40 | s->async_buf += len; | ||
41 | s->async_len -= len; | ||
42 | @@ -415,6 +420,9 @@ static void esp_do_dma(ESPState *s) | ||
43 | do_cmd(s, s->cmdbuf); | ||
44 | return; | ||
45 | } | ||
46 | + if (!s->current_req) { | ||
47 | + return; | ||
48 | + } | ||
49 | if (s->async_len == 0) { | ||
50 | /* Defer until data is available. */ | ||
51 | return; | ||
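Review bot: The diffstat in this patch header (patch lines 25–26) claims 14 insertions and 5 deletions, but the two hunks that follow add 8 lines and remove none, so the header is stale from the upstream commit and part of that commit (whose subject says the check goes into all DMA callbacks) is not in this backport. The `Backport of:` prefix hints at that, but the dropped hunks should be confirmed as not applicable to this QEMU version rather than silently omitted, and the diffstat regenerated to match. Both touched functions, `do_dma_pdma_cb` and `esp_do_dma`, start and end outside the visible hunks, so whether the remaining `s->current_req` uses in them are guarded cannot be seen here.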
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch new file mode 100644 index 0000000000..c5ff6e89ff --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch | |||
@@ -0,0 +1,42 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From 99545751734035b76bd372c4e7215bb337428d89 Mon Sep 17 00:00:00 2001 | ||
4 | From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> | ||
5 | Date: Wed, 7 Apr 2021 20:57:55 +0100 | ||
6 | Subject: [PATCH] esp: ensure cmdfifo is not empty and current_dev is non-NULL | ||
7 | MIME-Version: 1.0 | ||
8 | Content-Type: text/plain; charset=utf8 | ||
9 | Content-Transfer-Encoding: 8bit | ||
10 | |||
11 | When about to execute a SCSI command, ensure that cmdfifo is not empty and | ||
12 | current_dev is non-NULL. This can happen if the guest tries to execute a TI | ||
13 | (Transfer Information) command without issuing one of the select commands | ||
14 | first. | ||
15 | |||
16 | Buglink: https://bugs.launchpad.net/qemu/+bug/1910723 | ||
17 | Buglink: https://bugs.launchpad.net/qemu/+bug/1909247 | ||
18 | Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> | ||
19 | Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
20 | Tested-by: Alexander Bulekov <alxndr@bu.edu> | ||
21 | Message-Id: <20210407195801.685-7-mark.cave-ayland@ilande.co.uk> | ||
22 | |||
23 | CVE: CVE-2020-35504 | ||
24 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-35505.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/99545751734035b76bd372c4e7215bb337428d89 ] | ||
25 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
26 | --- | ||
27 | hw/scsi/esp.c | 3 +++ | ||
28 | 1 file changed, 3 insertions(+) | ||
29 | |||
30 | --- a/hw/scsi/esp.c | ||
31 | +++ b/hw/scsi/esp.c | ||
32 | @@ -193,6 +193,10 @@ static void do_busid_cmd(ESPState *s, ui | ||
33 | |||
34 | trace_esp_do_busid_cmd(busid); | ||
35 | lun = busid & 7; | ||
36 | + | ||
37 | + if (!s->current_dev) { | ||
38 | + return; | ||
39 | + } | ||
40 | current_lun = scsi_device_find(&s->bus, 0, s->current_dev->id, lun); | ||
41 | s->current_req = scsi_req_new(current_lun, 0, lun, buf, s); | ||
42 | datalen = scsi_req_enqueue(s->current_req); | ||
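Review bot: The OE tag at patch line 23 reads `CVE: CVE-2020-35504`, but this file is CVE-2020-35505.patch and backports the CVE-2020-35505 fix; it should be `CVE: CVE-2020-35505`. cve-check also recognises a CVE id in the patch filename, so the report may still come out right, but the tag is what readers and other tooling take as authoritative and it currently attributes the fix to the wrong id. The diffstat at patch lines 27–28 says 3 insertions while the hunk header `@@ -193,6 +193,10 @@` and the four added lines show 4, and the upstream subject's "ensure cmdfifo is not empty" part has no counterpart here (presumably because this QEMU version has no cmdfifo), so the header should be regenerated and the omission noted.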
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-1.patch new file mode 100644 index 0000000000..d53383247e --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-1.patch | |||
@@ -0,0 +1,85 @@ | |||
1 | From b263d8f928001b5cfa2a993ea43b7a5b3a1811e8 Mon Sep 17 00:00:00 2001 | ||
2 | From: Bin Meng <bmeng.cn@gmail.com> | ||
3 | Date: Wed, 3 Mar 2021 20:26:35 +0800 | ||
4 | Subject: [PATCH] hw/sd: sdhci: Don't transfer any data when command time out | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=utf8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | At the end of sdhci_send_command(), it starts a data transfer if the | ||
10 | command register indicates data is associated. But the data transfer | ||
11 | should only be initiated when the command execution has succeeded. | ||
12 | |||
13 | With this fix, the following reproducer: | ||
14 | |||
15 | outl 0xcf8 0x80001810 | ||
16 | outl 0xcfc 0xe1068000 | ||
17 | outl 0xcf8 0x80001804 | ||
18 | outw 0xcfc 0x7 | ||
19 | write 0xe106802c 0x1 0x0f | ||
20 | write 0xe1068004 0xc 0x2801d10101fffffbff28a384 | ||
21 | write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f | ||
22 | write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576 | ||
23 | write 0xe1068003 0x1 0xfe | ||
24 | |||
25 | cannot be reproduced with the following QEMU command line: | ||
26 | |||
27 | $ qemu-system-x86_64 -nographic -M pc-q35-5.0 \ | ||
28 | -device sdhci-pci,sd-spec-version=3 \ | ||
29 | -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \ | ||
30 | -device sd-card,drive=mydrive \ | ||
31 | -monitor none -serial none -qtest stdio | ||
32 | |||
33 | Cc: qemu-stable@nongnu.org | ||
34 | Fixes: CVE-2020-17380 | ||
35 | Fixes: CVE-2020-25085 | ||
36 | Fixes: CVE-2021-3409 | ||
37 | Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller") | ||
38 | Reported-by: Alexander Bulekov <alxndr@bu.edu> | ||
39 | Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum) | ||
40 | Reported-by: Sergej Schumilo (Ruhr-Universität Bochum) | ||
41 | Reported-by: Simon Wörner (Ruhr-Universität Bochum) | ||
42 | Buglink: https://bugs.launchpad.net/qemu/+bug/1892960 | ||
43 | Buglink: https://bugs.launchpad.net/qemu/+bug/1909418 | ||
44 | Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146 | ||
45 | Acked-by: Alistair Francis <alistair.francis@wdc.com> | ||
46 | Tested-by: Alexander Bulekov <alxndr@bu.edu> | ||
47 | Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
48 | Signed-off-by: Bin Meng <bmeng.cn@gmail.com> | ||
49 | Message-Id: <20210303122639.20004-2-bmeng.cn@gmail.com> | ||
50 | Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
51 | |||
52 | CVE: CVE-2021-3409 CVE-2020-17380 | ||
53 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-1.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/b263d8f928001b5cfa2a993ea43b7a5b3a1811e8 ] | ||
54 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
55 | --- | ||
56 | hw/sd/sdhci.c | 4 +++- | ||
57 | 1 file changed, 3 insertions(+), 1 deletion(-) | ||
58 | |||
59 | --- a/hw/sd/sdhci.c | ||
60 | +++ b/hw/sd/sdhci.c | ||
61 | @@ -316,6 +316,7 @@ static void sdhci_send_command(SDHCIStat | ||
62 | SDRequest request; | ||
63 | uint8_t response[16]; | ||
64 | int rlen; | ||
65 | + bool timeout = false; | ||
66 | |||
67 | s->errintsts = 0; | ||
68 | s->acmd12errsts = 0; | ||
69 | @@ -339,6 +340,7 @@ static void sdhci_send_command(SDHCIStat | ||
70 | trace_sdhci_response16(s->rspreg[3], s->rspreg[2], | ||
71 | s->rspreg[1], s->rspreg[0]); | ||
72 | } else { | ||
73 | + timeout = true; | ||
74 | trace_sdhci_error("timeout waiting for command response"); | ||
75 | if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT) { | ||
76 | s->errintsts |= SDHC_EIS_CMDTIMEOUT; | ||
77 | @@ -359,7 +361,7 @@ static void sdhci_send_command(SDHCIStat | ||
78 | |||
79 | sdhci_update_irq(s); | ||
80 | |||
81 | - if (s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) { | ||
82 | + if (!timeout && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) { | ||
83 | s->data_count = 0; | ||
84 | sdhci_data_transfer(s); | ||
85 | } | ||
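Review bot: The `CVE:` trailer in this patch file lists only CVE-2021-3409 and CVE-2020-17380, while the upstream `Fixes:` trailers just above it also name CVE-2020-25085. OE's cve-check derives the patched-CVE set from the `CVE:` tag and the patch file name, so unless CVE-2020-25085 is already tagged by another patch in qemu.inc (the commit message hints at one, but it is not visible here) it will keep being reported as unpatched for this recipe; if it is not covered, the line should read `CVE: CVE-2021-3409 CVE-2020-17380 CVE-2020-25085`. On the code itself, the new `timeout` flag only suppresses the data phase after a missing response; sdhci_send_command() begins outside the hunk, so whether other command-error paths also skip `sdhci_data_transfer()` cannot be judged from here.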
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-2.patch new file mode 100644 index 0000000000..dc00f76ec9 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-2.patch | |||
@@ -0,0 +1,103 @@ | |||
1 | From 8be45cc947832b3c02144c9d52921f499f2d77fe Mon Sep 17 00:00:00 2001 | ||
2 | From: Bin Meng <bmeng.cn@gmail.com> | ||
3 | Date: Wed, 3 Mar 2021 20:26:36 +0800 | ||
4 | Subject: [PATCH] hw/sd: sdhci: Don't write to SDHC_SYSAD register when | ||
5 | transfer is in progress | ||
6 | MIME-Version: 1.0 | ||
7 | Content-Type: text/plain; charset=utf8 | ||
8 | Content-Transfer-Encoding: 8bit | ||
9 | |||
10 | Per "SD Host Controller Standard Specification Version 7.00" | ||
11 | chapter 2.2.1 SDMA System Address Register: | ||
12 | |||
13 | This register can be accessed only if no transaction is executing | ||
14 | (i.e., after a transaction has stopped). | ||
15 | |||
16 | With this fix, the following reproducer: | ||
17 | |||
18 | outl 0xcf8 0x80001010 | ||
19 | outl 0xcfc 0xfbefff00 | ||
20 | outl 0xcf8 0x80001001 | ||
21 | outl 0xcfc 0x06000000 | ||
22 | write 0xfbefff2c 0x1 0x05 | ||
23 | write 0xfbefff0f 0x1 0x37 | ||
24 | write 0xfbefff0a 0x1 0x01 | ||
25 | write 0xfbefff0f 0x1 0x29 | ||
26 | write 0xfbefff0f 0x1 0x02 | ||
27 | write 0xfbefff0f 0x1 0x03 | ||
28 | write 0xfbefff04 0x1 0x01 | ||
29 | write 0xfbefff05 0x1 0x01 | ||
30 | write 0xfbefff07 0x1 0x02 | ||
31 | write 0xfbefff0c 0x1 0x33 | ||
32 | write 0xfbefff0e 0x1 0x20 | ||
33 | write 0xfbefff0f 0x1 0x00 | ||
34 | write 0xfbefff2a 0x1 0x01 | ||
35 | write 0xfbefff0c 0x1 0x00 | ||
36 | write 0xfbefff03 0x1 0x00 | ||
37 | write 0xfbefff05 0x1 0x00 | ||
38 | write 0xfbefff2a 0x1 0x02 | ||
39 | write 0xfbefff0c 0x1 0x32 | ||
40 | write 0xfbefff01 0x1 0x01 | ||
41 | write 0xfbefff02 0x1 0x01 | ||
42 | write 0xfbefff03 0x1 0x01 | ||
43 | |||
44 | cannot be reproduced with the following QEMU command line: | ||
45 | |||
46 | $ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \ | ||
47 | -nodefaults -device sdhci-pci,sd-spec-version=3 \ | ||
48 | -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \ | ||
49 | -device sd-card,drive=mydrive -qtest stdio | ||
50 | |||
51 | Cc: qemu-stable@nongnu.org | ||
52 | Fixes: CVE-2020-17380 | ||
53 | Fixes: CVE-2020-25085 | ||
54 | Fixes: CVE-2021-3409 | ||
55 | Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller") | ||
56 | Reported-by: Alexander Bulekov <alxndr@bu.edu> | ||
57 | Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum) | ||
58 | Reported-by: Sergej Schumilo (Ruhr-Universität Bochum) | ||
59 | Reported-by: Simon Wörner (Ruhr-Universität Bochum) | ||
60 | Buglink: https://bugs.launchpad.net/qemu/+bug/1892960 | ||
61 | Buglink: https://bugs.launchpad.net/qemu/+bug/1909418 | ||
62 | Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146 | ||
63 | Tested-by: Alexander Bulekov <alxndr@bu.edu> | ||
64 | Signed-off-by: Bin Meng <bmeng.cn@gmail.com> | ||
65 | Message-Id: <20210303122639.20004-3-bmeng.cn@gmail.com> | ||
66 | Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
67 | |||
68 | CVE: CVE-2021-3409 CVE-2020-17380 | ||
69 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-2.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/8be45cc947832b3c02144c9d52921f499f2d77fe ] | ||
70 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
71 | --- | ||
72 | hw/sd/sdhci.c | 20 +++++++++++--------- | ||
73 | 1 file changed, 11 insertions(+), 9 deletions(-) | ||
74 | |||
75 | --- a/hw/sd/sdhci.c | ||
76 | +++ b/hw/sd/sdhci.c | ||
77 | @@ -1117,15 +1117,17 @@ sdhci_write(void *opaque, hwaddr offset, | ||
78 | |||
79 | switch (offset & ~0x3) { | ||
80 | case SDHC_SYSAD: | ||
81 | - s->sdmasysad = (s->sdmasysad & mask) | value; | ||
82 | - MASKED_WRITE(s->sdmasysad, mask, value); | ||
83 | - /* Writing to last byte of sdmasysad might trigger transfer */ | ||
84 | - if (!(mask & 0xFF000000) && TRANSFERRING_DATA(s->prnsts) && s->blkcnt && | ||
85 | - s->blksize && SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) { | ||
86 | - if (s->trnmod & SDHC_TRNS_MULTI) { | ||
87 | - sdhci_sdma_transfer_multi_blocks(s); | ||
88 | - } else { | ||
89 | - sdhci_sdma_transfer_single_block(s); | ||
90 | + if (!TRANSFERRING_DATA(s->prnsts)) { | ||
91 | + s->sdmasysad = (s->sdmasysad & mask) | value; | ||
92 | + MASKED_WRITE(s->sdmasysad, mask, value); | ||
93 | + /* Writing to last byte of sdmasysad might trigger transfer */ | ||
94 | + if (!(mask & 0xFF000000) && s->blkcnt && s->blksize && | ||
95 | + SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) { | ||
96 | + if (s->trnmod & SDHC_TRNS_MULTI) { | ||
97 | + sdhci_sdma_transfer_multi_blocks(s); | ||
98 | + } else { | ||
99 | + sdhci_sdma_transfer_single_block(s); | ||
100 | + } | ||
101 | } | ||
102 | } | ||
103 | break; | ||
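Review bot: A SYSAD write that arrives while `TRANSFERRING_DATA(s->prnsts)` is set is now dropped without any trace, whereas the neighbouring BLKSIZE handler reports guest misuse through `qemu_log_mask(LOG_GUEST_ERROR, ...)`; an `else { qemu_log_mask(LOG_GUEST_ERROR, "%s: SYSAD written while transfer in progress\n", __func__); }` after the new guard would make a misbehaving or probing guest visible in the host log without changing behaviour. The hunk also carries over the pre-existing pair `s->sdmasysad = (s->sdmasysad & mask) | value;` immediately followed by `MASKED_WRITE(s->sdmasysad, mask, value);`, which look like the same masked assignment written twice; if MASKED_WRITE expands to that expression the first line is dead and could go, but that is a tidiness item rather than a correctness one. sdhci_write() begins and ends outside the hunk.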
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-3.patch new file mode 100644 index 0000000000..d06ac0ed3c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-3.patch | |||
@@ -0,0 +1,71 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From bc6f28995ff88f5d82c38afcfd65406f0ae375aa Mon Sep 17 00:00:00 2001 | ||
4 | From: Bin Meng <bmeng.cn@gmail.com> | ||
5 | Date: Wed, 3 Mar 2021 20:26:37 +0800 | ||
6 | Subject: [PATCH] hw/sd: sdhci: Correctly set the controller status for ADMA | ||
7 | MIME-Version: 1.0 | ||
8 | Content-Type: text/plain; charset=utf8 | ||
9 | Content-Transfer-Encoding: 8bit | ||
10 | |||
11 | When an ADMA transfer is started, the codes forget to set the | ||
12 | controller status to indicate a transfer is in progress. | ||
13 | |||
14 | With this fix, the following 2 reproducers: | ||
15 | |||
16 | https://paste.debian.net/plain/1185136 | ||
17 | https://paste.debian.net/plain/1185141 | ||
18 | |||
19 | cannot be reproduced with the following QEMU command line: | ||
20 | |||
21 | $ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \ | ||
22 | -nodefaults -device sdhci-pci,sd-spec-version=3 \ | ||
23 | -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \ | ||
24 | -device sd-card,drive=mydrive -qtest stdio | ||
25 | |||
26 | Cc: qemu-stable@nongnu.org | ||
27 | Fixes: CVE-2020-17380 | ||
28 | Fixes: CVE-2020-25085 | ||
29 | Fixes: CVE-2021-3409 | ||
30 | Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller") | ||
31 | Reported-by: Alexander Bulekov <alxndr@bu.edu> | ||
32 | Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum) | ||
33 | Reported-by: Sergej Schumilo (Ruhr-Universität Bochum) | ||
34 | Reported-by: Simon Wörner (Ruhr-Universität Bochum) | ||
35 | Buglink: https://bugs.launchpad.net/qemu/+bug/1892960 | ||
36 | Buglink: https://bugs.launchpad.net/qemu/+bug/1909418 | ||
37 | Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146 | ||
38 | Tested-by: Alexander Bulekov <alxndr@bu.edu> | ||
39 | Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
40 | Signed-off-by: Bin Meng <bmeng.cn@gmail.com> | ||
41 | Message-Id: <20210303122639.20004-4-bmeng.cn@gmail.com> | ||
42 | Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
43 | |||
44 | CVE: CVE-2021-3409 CVE-2020-17380 | ||
45 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-3.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/bc6f28995ff88f5d82c38afcfd65406f0ae375aa ] | ||
46 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
47 | --- | ||
48 | hw/sd/sdhci.c | 3 +++ | ||
49 | 1 file changed, 3 insertions(+) | ||
50 | |||
51 | --- a/hw/sd/sdhci.c | ||
52 | +++ b/hw/sd/sdhci.c | ||
53 | @@ -776,8 +776,9 @@ static void sdhci_do_adma(SDHCIState *s) | ||
54 | |||
55 | switch (dscr.attr & SDHC_ADMA_ATTR_ACT_MASK) { | ||
56 | case SDHC_ADMA_ATTR_ACT_TRAN: /* data transfer */ | ||
57 | - | ||
58 | + s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE; | ||
59 | if (s->trnmod & SDHC_TRNS_READ) { | ||
60 | + s->prnsts |= SDHC_DOING_READ; | ||
61 | while (length) { | ||
62 | if (s->data_count == 0) { | ||
63 | for (n = 0; n < block_size; n++) { | ||
64 | @@ -807,6 +808,7 @@ static void sdhci_do_adma(SDHCIState *s) | ||
65 | } | ||
66 | } | ||
67 | } else { | ||
68 | + s->prnsts |= SDHC_DOING_WRITE; | ||
69 | while (length) { | ||
70 | begin = s->data_count; | ||
71 | if ((length + begin) < block_size) { | ||
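Review bot: The new lines set `SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE` and `SDHC_DOING_READ`/`SDHC_DOING_WRITE` in `s->prnsts` when an ADMA transfer descriptor is executed, but nothing in this hunk clears them, and the companion patches in this series now refuse SYSAD and BLKSIZE writes while `TRANSFERRING_DATA(s->prnsts)` is true. If any ADMA completion or error path in the recipe's QEMU version returns without passing through the routine that clears these bits (presumably sdhci_end_transfer(), as upstream does), the controller would stay busy and the guest would be locked out of reprogramming it until reset, so this is worth confirming in the backport target given the `Backport of:` marker. A short why-comment on the first added line would help the next reader: `/* Mark the DAT line busy so SYSAD/BLKSIZE writes are rejected until the transfer ends */`. Minor: the diffstat says `3 insertions(+)` but the hunk also deletes one blank line; sdhci_do_adma() continues outside the hunk.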
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-4.patch new file mode 100644 index 0000000000..2e49e3bc18 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-4.patch | |||
@@ -0,0 +1,52 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From 5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd Mon Sep 17 00:00:00 2001 | ||
4 | From: Bin Meng <bmeng.cn@gmail.com> | ||
5 | Date: Wed, 3 Mar 2021 20:26:38 +0800 | ||
6 | Subject: [PATCH] hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE | ||
7 | register is writable | ||
8 | MIME-Version: 1.0 | ||
9 | Content-Type: text/plain; charset=utf8 | ||
10 | Content-Transfer-Encoding: 8bit | ||
11 | |||
12 | The codes to limit the maximum block size is only necessary when | ||
13 | SDHC_BLKSIZE register is writable. | ||
14 | |||
15 | Tested-by: Alexander Bulekov <alxndr@bu.edu> | ||
16 | Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
17 | Signed-off-by: Bin Meng <bmeng.cn@gmail.com> | ||
18 | Message-Id: <20210303122639.20004-5-bmeng.cn@gmail.com> | ||
19 | Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
20 | |||
21 | CVE: CVE-2021-3409 CVE-2020-17380 | ||
22 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-4.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd ] | ||
23 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
24 | --- | ||
25 | hw/sd/sdhci.c | 14 +++++++------- | ||
26 | 1 file changed, 7 insertions(+), 7 deletions(-) | ||
27 | |||
28 | --- a/hw/sd/sdhci.c | ||
29 | +++ b/hw/sd/sdhci.c | ||
30 | @@ -1137,15 +1137,15 @@ sdhci_write(void *opaque, hwaddr offset, | ||
31 | if (!TRANSFERRING_DATA(s->prnsts)) { | ||
32 | MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12)); | ||
33 | MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16); | ||
34 | - } | ||
35 | |||
36 | - /* Limit block size to the maximum buffer size */ | ||
37 | - if (extract32(s->blksize, 0, 12) > s->buf_maxsz) { | ||
38 | - qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " \ | ||
39 | - "the maximum buffer 0x%x", __func__, s->blksize, | ||
40 | - s->buf_maxsz); | ||
41 | + /* Limit block size to the maximum buffer size */ | ||
42 | + if (extract32(s->blksize, 0, 12) > s->buf_maxsz) { | ||
43 | + qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " | ||
44 | + "the maximum buffer 0x%x\n", __func__, s->blksize, | ||
45 | + s->buf_maxsz); | ||
46 | |||
47 | - s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); | ||
48 | + s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); | ||
49 | + } | ||
50 | } | ||
51 | |||
52 | break; | ||
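Review bot: The clamp being moved inside the `!TRANSFERRING_DATA` guard is the bounds check that keeps a guest-programmed block size from exceeding `s->buf_maxsz`, yet the comment still only says `Limit block size to the maximum buffer size` without saying what breaks otherwise. Since the reason is security-relevant (the sdhci FIFO buffer is presumably sized from `buf_maxsz`, so a larger `blksize` would let a transfer run past it; confirm against the allocation in the realize path), a one-line expansion such as `/* Limit block size to the maximum buffer size: s->fifo_buffer holds buf_maxsz bytes, a larger blksize would overrun it */` would tell the next maintainer why this must stay on the writable path. No functional concern: placing the clamp under the guard only avoids re-clamping a register that was not written. sdhci_write() begins and ends outside the hunk.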
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-5.patch new file mode 100644 index 0000000000..7b436809e9 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-5.patch | |||
@@ -0,0 +1,93 @@ | |||
1 | From cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9 Mon Sep 17 00:00:00 2001 | ||
2 | From: Bin Meng <bmeng.cn@gmail.com> | ||
3 | Date: Wed, 3 Mar 2021 20:26:39 +0800 | ||
4 | Subject: [PATCH] hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[] when | ||
5 | a different block size is programmed | ||
6 | MIME-Version: 1.0 | ||
7 | Content-Type: text/plain; charset=utf8 | ||
8 | Content-Transfer-Encoding: 8bit | ||
9 | |||
10 | If the block size is programmed to a different value from the | ||
11 | previous one, reset the data pointer of s->fifo_buffer[] so that | ||
12 | s->fifo_buffer[] can be filled in using the new block size in | ||
13 | the next transfer. | ||
14 | |||
15 | With this fix, the following reproducer: | ||
16 | |||
17 | outl 0xcf8 0x80001010 | ||
18 | outl 0xcfc 0xe0000000 | ||
19 | outl 0xcf8 0x80001001 | ||
20 | outl 0xcfc 0x06000000 | ||
21 | write 0xe000002c 0x1 0x05 | ||
22 | write 0xe0000005 0x1 0x02 | ||
23 | write 0xe0000007 0x1 0x01 | ||
24 | write 0xe0000028 0x1 0x10 | ||
25 | write 0x0 0x1 0x23 | ||
26 | write 0x2 0x1 0x08 | ||
27 | write 0xe000000c 0x1 0x01 | ||
28 | write 0xe000000e 0x1 0x20 | ||
29 | write 0xe000000f 0x1 0x00 | ||
30 | write 0xe000000c 0x1 0x32 | ||
31 | write 0xe0000004 0x2 0x0200 | ||
32 | write 0xe0000028 0x1 0x00 | ||
33 | write 0xe0000003 0x1 0x40 | ||
34 | |||
35 | cannot be reproduced with the following QEMU command line: | ||
36 | |||
37 | $ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \ | ||
38 | -nodefaults -device sdhci-pci,sd-spec-version=3 \ | ||
39 | -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \ | ||
40 | -device sd-card,drive=mydrive -qtest stdio | ||
41 | |||
42 | Cc: qemu-stable@nongnu.org | ||
43 | Fixes: CVE-2020-17380 | ||
44 | Fixes: CVE-2020-25085 | ||
45 | Fixes: CVE-2021-3409 | ||
46 | Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller") | ||
47 | Reported-by: Alexander Bulekov <alxndr@bu.edu> | ||
48 | Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum) | ||
49 | Reported-by: Sergej Schumilo (Ruhr-Universität Bochum) | ||
50 | Reported-by: Simon Wörner (Ruhr-Universität Bochum) | ||
51 | Buglink: https://bugs.launchpad.net/qemu/+bug/1892960 | ||
52 | Buglink: https://bugs.launchpad.net/qemu/+bug/1909418 | ||
53 | Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146 | ||
54 | Tested-by: Alexander Bulekov <alxndr@bu.edu> | ||
55 | Signed-off-by: Bin Meng <bmeng.cn@gmail.com> | ||
56 | Message-Id: <20210303122639.20004-6-bmeng.cn@gmail.com> | ||
57 | Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
58 | |||
59 | CVE: CVE-2021-3409 CVE-2020-17380 | ||
60 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-5.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9 ] | ||
61 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
62 | --- | ||
63 | hw/sd/sdhci.c | 12 ++++++++++++ | ||
64 | 1 file changed, 12 insertions(+) | ||
65 | |||
66 | --- a/hw/sd/sdhci.c | ||
67 | +++ b/hw/sd/sdhci.c | ||
68 | @@ -1135,6 +1135,8 @@ sdhci_write(void *opaque, hwaddr offset, | ||
69 | break; | ||
70 | case SDHC_BLKSIZE: | ||
71 | if (!TRANSFERRING_DATA(s->prnsts)) { | ||
72 | + uint16_t blksize = s->blksize; | ||
73 | + | ||
74 | MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12)); | ||
75 | MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16); | ||
76 | |||
77 | @@ -1146,6 +1148,16 @@ sdhci_write(void *opaque, hwaddr offset, | ||
78 | |||
79 | s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); | ||
80 | } | ||
81 | + | ||
82 | + /* | ||
83 | + * If the block size is programmed to a different value from | ||
84 | + * the previous one, reset the data pointer of s->fifo_buffer[] | ||
85 | + * so that s->fifo_buffer[] can be filled in using the new block | ||
86 | + * size in the next transfer. | ||
87 | + */ | ||
88 | + if (blksize != s->blksize) { | ||
89 | + s->data_count = 0; | ||
90 | + } | ||
91 | } | ||
92 | |||
93 | break; | ||
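Review bot: The snapshot `uint16_t blksize = s->blksize;` is compared with `s->blksize` only after the clamp to `s->buf_maxsz`, so a guest that writes an oversized size which clamps back to the previous value does not reset `s->data_count`; that is the right outcome, since the effective size did not change, but it is not obvious from the added comment, which reads as if any programmed value counts. Consider making the intent explicit by appending to the comment: `Compared after clamping, so only an effective size change restarts the fill.` The `uint16_t` snapshot presumably matches the declared width of `s->blksize` (not visible here); if the field were wider, high bits would be silently dropped from the comparison. sdhci_write() begins and ends outside the hunk.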
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-26354.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-26354.patch new file mode 100644 index 0000000000..fc4d6cf3df --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-26354.patch | |||
@@ -0,0 +1,57 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From 8d1b247f3748ac4078524130c6d7ae42b6140aaf Mon Sep 17 00:00:00 2001 | ||
4 | From: Stefano Garzarella <sgarzare@redhat.com> | ||
5 | Date: Mon, 28 Feb 2022 10:50:58 +0100 | ||
6 | Subject: [PATCH] vhost-vsock: detach the virqueue element in case of error | ||
7 | |||
8 | In vhost_vsock_common_send_transport_reset(), if an element popped from | ||
9 | the virtqueue is invalid, we should call virtqueue_detach_element() to | ||
10 | detach it from the virtqueue before freeing its memory. | ||
11 | |||
12 | Fixes: fc0b9b0e1c ("vhost-vsock: add virtio sockets device") | ||
13 | Fixes: CVE-2022-26354 | ||
14 | Cc: qemu-stable@nongnu.org | ||
15 | Reported-by: VictorV <vv474172261@gmail.com> | ||
16 | Signed-off-by: Stefano Garzarella <sgarzare@redhat.com> | ||
17 | Message-Id: <20220228095058.27899-1-sgarzare@redhat.com> | ||
18 | Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> | ||
19 | Reviewed-by: Michael S. Tsirkin <mst@redhat.com> | ||
20 | Signed-off-by: Michael S. Tsirkin <mst@redhat.com> | ||
21 | |||
22 | CVE: CVE-2022-26354 | ||
23 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2022-26354.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/8d1b247f3748ac4078524130c6d7ae42b6140aaf ] | ||
24 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
25 | --- | ||
26 | hw/virtio/vhost-vsock-common.c | 10 +++++++--- | ||
27 | 1 file changed, 7 insertions(+), 3 deletions(-) | ||
28 | |||
29 | --- a/hw/virtio/vhost-vsock.c | ||
30 | +++ b/hw/virtio/vhost-vsock.c | ||
31 | @@ -221,19 +221,23 @@ static void vhost_vsock_send_transport_r | ||
32 | if (elem->out_num) { | ||
33 | error_report("invalid vhost-vsock event virtqueue element with " | ||
34 | "out buffers"); | ||
35 | - goto out; | ||
36 | + goto err; | ||
37 | } | ||
38 | |||
39 | if (iov_from_buf(elem->in_sg, elem->in_num, 0, | ||
40 | &event, sizeof(event)) != sizeof(event)) { | ||
41 | error_report("vhost-vsock event virtqueue element is too short"); | ||
42 | - goto out; | ||
43 | + goto err; | ||
44 | } | ||
45 | |||
46 | virtqueue_push(vq, elem, sizeof(event)); | ||
47 | virtio_notify(VIRTIO_DEVICE(vsock), vq); | ||
48 | |||
49 | -out: | ||
50 | + g_free(elem); | ||
51 | + return; | ||
52 | + | ||
53 | +err: | ||
54 | + virtqueue_detach_element(vq, elem, 0); | ||
55 | g_free(elem); | ||
56 | } | ||
57 | |||
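Review bot: The diffstat still names `hw/virtio/vhost-vsock-common.c` while the hunk itself patches `hw/virtio/vhost-vsock.c`, so the `Backport of:` header and the stat disagree about which file this touches; the stat line should be rewritten to `hw/virtio/vhost-vsock.c | 10 +++++++---` so a later rebase or audit does not go looking for a file this QEMU version presumably does not have. The code change itself looks correct: both guest-triggerable error paths now call `virtqueue_detach_element(vq, elem, 0)` before `g_free(elem)`, returning the element to the queue's in-use accounting instead of leaking it, which is presumably what a guest could otherwise repeat to exhaust the event virtqueue. `elem` is obtained (and any `!elem` early return handled) above the hunk, and the enclosing vhost_vsock_send_transport_reset() begins outside it, so that part is not reviewable here.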