qemu: fix CVE-2021-3527

Source: http://git.yoctoproject.org/cgit/poky.git MR: 111827 Type: Security Fix Disposition: Backport from http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/meta/recipes-devtools/qemu?h=hardknott&id=45e06a2e02cb01540d3970bd8ab5771014a031f9 ChangeID: 33bb20f503888abc346ae1a6f590f57ebdd0f1f9 Description: (cherry picked from commit 6774efd1e3d0bd5c8c34f84dcf4f698d7eafb36a) (From OE-Core rev: fcbcd27a1c97668af9634143376f75ab32fffd68) (From OE-Core rev: 1c7e9099b5f417a7e7664ce3572b2098e2ebbbf7) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 45e06a2e02cb01540d3970bd8ab5771014a031f9) [Fixup for Dunfell context] Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Lee Chee Yang <chee.yang.lee@intel.com> 2021-08-24 11:18:28 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-09-01 16:27:09 +0100
commit: d56b8f6f762f8aab5c4972aaca4704a3e43755dc (patch)
tree: 61ecd52d8aa434ce8a4abed440c98fd3ddd1bb08 /meta
parent: 189108ac7441a2232829b519d9834aa3e7d2713a (diff)
download: poky-d56b8f6f762f8aab5c4972aaca4704a3e43755dc.tar.gz
3 files changed, 103 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 028b81ee34..78e487fc6f 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -79,6 +79,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2021-3544_5.patch \
           file://CVE-2021-3545.patch \
           file://CVE-2021-3546.patch \
+           file://CVE-2021-3527-1.patch \
+           file://CVE-2021-3527-2.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch
new file mode 100644
index 0000000000..77a5385692
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch
@@ -0,0 +1,42 @@
+From 05a40b172e4d691371534828078be47e7fff524c Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 3 May 2021 15:29:15 +0200
+Subject: [PATCH] usb: limit combined packets to 1 MiB (CVE-2021-3527)
+usb-host and usb-redirect try to batch bulk transfers by combining many
+small usb packets into a single, large transfer request, to reduce the
+overhead and improve performance.
+This patch adds a size limit of 1 MiB for those combined packets to
+restrict the host resources the guest can bind that way.
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-Id: <20210503132915.2335822-6-kraxel@redhat.com>
+Upstream-Status: Backport
+https://gitlab.com/qemu-project/qemu/-/commit/05a40b172e4d691371534828078be47e7fff524c
+CVE: CVE-2021-3527
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/usb/combined-packet.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c
+index 5d57e883dc..e56802f89a 100644
+--- a/hw/usb/combined-packet.c
+++ b/hw/usb/combined-packet.c
+@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep)
+         if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok ||
+                 next == NULL ||
+                 /* Work around for Linux usbfs bulk splitting + migration */
+-                (totalsize == (16 * KiB - 36) && p->int_req)) {
+                (totalsize == (16 * KiB - 36) && p->int_req) ||
+                /* Next package may grow combined package over 1MiB */
+                totalsize > 1 * MiB - ep->max_packet_size) {
+             usb_device_handle_data(ep->dev, first);
+             assert(first->status == USB_RET_ASYNC);
+             if (first->combined) {
+-- 
+GitLab
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch
new file mode 100644
index 0000000000..6371aced12
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch
@@ -0,0 +1,59 @@
+From 7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 3 May 2021 15:29:12 +0200
+Subject: [PATCH] usb/redir: avoid dynamic stack allocation (CVE-2021-3527)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Use autofree heap allocation instead.
+Fixes: 4f4321c11ff ("usb: use iovecs in USBPacket")
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210503132915.2335822-3-kraxel@redhat.com>
+Upstream-Status: Backport
+https://gitlab.com/qemu-project/qemu/-/commit/7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986
+CVE: CVE-2021-3527
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/usb/redirect.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
+index 17f06f3417..6a75b0dc4a 100644
+--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
+@@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p,
+                 .endpoint = ep,
+                 .length = p->iov.size
+             };
+-            uint8_t buf[p->iov.size];
+            g_autofree uint8_t *buf = g_malloc(p->iov.size);
+             /* No id, we look at the ep when receiving a status back */
+             usb_packet_copy(p, buf, p->iov.size);
+             usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet,
+@@ -818,7 +818,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p,
+         usbredirparser_send_bulk_packet(dev->parser, p->id,
+                                         &bulk_packet, NULL, 0);
+     } else {
+-        uint8_t buf[size];
+        g_autofree uint8_t *buf = g_malloc(size);
+         usb_packet_copy(p, buf, size);
+         usbredir_log_data(dev, "bulk data out:", buf, size);
+         usbredirparser_send_bulk_packet(dev->parser, p->id,
+@@ -923,7 +923,7 @@ static void usbredir_handle_interrupt_out_data(USBRedirDevice *dev,
+                                                USBPacket *p, uint8_t ep)
+ {
+     struct usb_redir_interrupt_packet_header interrupt_packet;
+-    uint8_t buf[p->iov.size];
+    g_autofree uint8_t *buf = g_malloc(p->iov.size);
+ 
+     DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep,
+             p->iov.size, p->id);
+-- 
+GitLab
author	Lee Chee Yang <chee.yang.lee@intel.com>	2021-08-24 11:18:28 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-09-01 16:27:09 +0100
commit	d56b8f6f762f8aab5c4972aaca4704a3e43755dc (patch)
tree	61ecd52d8aa434ce8a4abed440c98fd3ddd1bb08 /meta
parent	189108ac7441a2232829b519d9834aa3e7d2713a (diff)
download	poky-d56b8f6f762f8aab5c4972aaca4704a3e43755dc.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 028b81ee34..78e487fc6f 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -79,6 +79,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
79	file://CVE-2021-3544_5.patch \	79	file://CVE-2021-3544_5.patch \
80	file://CVE-2021-3545.patch \	80	file://CVE-2021-3545.patch \
81	file://CVE-2021-3546.patch \	81	file://CVE-2021-3546.patch \
		82	file://CVE-2021-3527-1.patch \
		83	file://CVE-2021-3527-2.patch \
82	"	84	"
83	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	85	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
84		86


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch new file mode 100644 index 0000000000..77a5385692 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch
@@ -0,0 +1,42 @@
		1	From 05a40b172e4d691371534828078be47e7fff524c Mon Sep 17 00:00:00 2001
		2	From: Gerd Hoffmann <kraxel@redhat.com>
		3	Date: Mon, 3 May 2021 15:29:15 +0200
		4	Subject: [PATCH] usb: limit combined packets to 1 MiB (CVE-2021-3527)
		5
		6	usb-host and usb-redirect try to batch bulk transfers by combining many
		7	small usb packets into a single, large transfer request, to reduce the
		8	overhead and improve performance.
		9
		10	This patch adds a size limit of 1 MiB for those combined packets to
		11	restrict the host resources the guest can bind that way.
		12
		13	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
		14	Message-Id: <20210503132915.2335822-6-kraxel@redhat.com>
		15
		16	Upstream-Status: Backport
		17	https://gitlab.com/qemu-project/qemu/-/commit/05a40b172e4d691371534828078be47e7fff524c
		18	CVE: CVE-2021-3527
		19	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		20
		21	---
		22	hw/usb/combined-packet.c \| 4 +++-
		23	1 file changed, 3 insertions(+), 1 deletion(-)
		24
		25	diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c
		26	index 5d57e883dc..e56802f89a 100644
		27	--- a/hw/usb/combined-packet.c
		28	+++ b/hw/usb/combined-packet.c
		29	@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep)
		30	if ((p->iov.size % ep->max_packet_size) != 0 \|\| !p->short_not_ok \|\|
		31	next == NULL \|\|
		32	/* Work around for Linux usbfs bulk splitting + migration */
		33	- (totalsize == (16 * KiB - 36) && p->int_req)) {
		34	+ (totalsize == (16 * KiB - 36) && p->int_req) \|\|
		35	+ /* Next package may grow combined package over 1MiB */
		36	+ totalsize > 1 * MiB - ep->max_packet_size) {
		37	usb_device_handle_data(ep->dev, first);
		38	assert(first->status == USB_RET_ASYNC);
		39	if (first->combined) {
		40	--
		41	GitLab
		42


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch new file mode 100644 index 0000000000..6371aced12 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch
@@ -0,0 +1,59 @@
		1	From 7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 Mon Sep 17 00:00:00 2001
		2	From: Gerd Hoffmann <kraxel@redhat.com>
		3	Date: Mon, 3 May 2021 15:29:12 +0200
		4	Subject: [PATCH] usb/redir: avoid dynamic stack allocation (CVE-2021-3527)
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	Use autofree heap allocation instead.
		10
		11	Fixes: 4f4321c11ff ("usb: use iovecs in USBPacket")
		12	Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
		13	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
		14	Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
		15	Message-Id: <20210503132915.2335822-3-kraxel@redhat.com>
		16
		17	Upstream-Status: Backport
		18	https://gitlab.com/qemu-project/qemu/-/commit/7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986
		19	CVE: CVE-2021-3527
		20	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		21
		22	---
		23	hw/usb/redirect.c \| 6 +++---
		24	1 file changed, 3 insertions(+), 3 deletions(-)
		25
		26	diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
		27	index 17f06f3417..6a75b0dc4a 100644
		28	--- a/hw/usb/redirect.c
		29	+++ b/hw/usb/redirect.c
		30	@@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice dev, USBPacket p,
		31	.endpoint = ep,
		32	.length = p->iov.size
		33	};
		34	- uint8_t buf[p->iov.size];
		35	+ g_autofree uint8_t *buf = g_malloc(p->iov.size);
		36	/* No id, we look at the ep when receiving a status back */
		37	usb_packet_copy(p, buf, p->iov.size);
		38	usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet,
		39	@@ -818,7 +818,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice dev, USBPacket p,
		40	usbredirparser_send_bulk_packet(dev->parser, p->id,
		41	&bulk_packet, NULL, 0);
		42	} else {
		43	- uint8_t buf[size];
		44	+ g_autofree uint8_t *buf = g_malloc(size);
		45	usb_packet_copy(p, buf, size);
		46	usbredir_log_data(dev, "bulk data out:", buf, size);
		47	usbredirparser_send_bulk_packet(dev->parser, p->id,
		48	@@ -923,7 +923,7 @@ static void usbredir_handle_interrupt_out_data(USBRedirDevice *dev,
		49	USBPacket *p, uint8_t ep)
		50	{
		51	struct usb_redir_interrupt_packet_header interrupt_packet;
		52	- uint8_t buf[p->iov.size];
		53	+ g_autofree uint8_t *buf = g_malloc(p->iov.size);
		54
		55	DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep,
		56	p->iov.size, p->id);
		57	--
		58	GitLab
		59