diff options
author | Daniel BORNAZ <daniel.bornaz@enea.com> | 2014-07-17 14:24:11 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-07-19 00:09:02 +0100 |
commit | ee2b26fe759d1d8a0f78c94f1a4f3cfe30ff3c5d (patch) | |
tree | 6de973953c8749b57d06d0980951859300afca66 /meta | |
parent | 348102a03d84ba0965556cd88d6e3df70c44eb74 (diff) | |
download | poky-ee2b26fe759d1d8a0f78c94f1a4f3cfe30ff3c5d.tar.gz |
qemu: security patch for CVE-2014-3471
Qemu PCIe bus support is vulnerable to a use-after-free flaw. It could
occur via guest, when it tries to hotplug/hotunplug devices on the
guest.
A user able to add & delete Virtio block devices on a guest could use
this flaw to crash the Qemu instance resulting in DoS.
Originated-by: Marcel Apfelbaum <address@hidden>
Updated the qemu recipe to include the security patch.
Upstream-Status: Submitted
(From OE-Core rev: a84e1749b489cee5ea219799c35e29b6edead30f)
Signed-off-by: Daniel BORNAZ <daniel.bornaz@enea.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-devtools/qemu/files/pcie_better_hotplug_support.patch | 74 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu_2.0.0.bb | 6 |
2 files changed, 79 insertions, 1 deletions
diff --git a/meta/recipes-devtools/qemu/files/pcie_better_hotplug_support.patch b/meta/recipes-devtools/qemu/files/pcie_better_hotplug_support.patch new file mode 100644 index 0000000000..c7035b2bf7 --- /dev/null +++ b/meta/recipes-devtools/qemu/files/pcie_better_hotplug_support.patch | |||
@@ -0,0 +1,74 @@ | |||
1 | The current code is broken: it does surprise removal which crashes guests. | ||
2 | |||
3 | Reimplemented the steps: | ||
4 | - Hotplug triggers both 'present detect change' and | ||
5 | 'attention button pressed'. | ||
6 | |||
7 | - Hotunplug starts by triggering 'attention button pressed', | ||
8 | then waits for the OS to power off the device and only | ||
9 | then detaches it. | ||
10 | |||
11 | Fixes CVE-2014-3471. | ||
12 | |||
13 | Originated-by: Marcel Apfelbaum <address@hidden> | ||
14 | Updated-by: Daniel BORNAZ <daniel.bornaz@enea.com> | ||
15 | |||
16 | --- a/hw/pci/pcie.c 2014-04-17 15:44:44.000000000 +0200 | ||
17 | +++ b/hw/pci/pcie.c 2014-07-15 13:03:16.905070562 +0200 | ||
18 | @@ -258,7 +258,8 @@ void pcie_cap_slot_hotplug_cb(HotplugHan | ||
19 | |||
20 | pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA, | ||
21 | PCI_EXP_SLTSTA_PDS); | ||
22 | - pcie_cap_slot_event(PCI_DEVICE(hotplug_dev), PCI_EXP_HP_EV_PDC); | ||
23 | + pcie_cap_slot_event(PCI_DEVICE(hotplug_dev), | ||
24 | + PCI_EXP_HP_EV_PDC | PCI_EXP_HP_EV_ABP); | ||
25 | } | ||
26 | |||
27 | void pcie_cap_slot_hot_unplug_cb(HotplugHandler *hotplug_dev, DeviceState *dev, | ||
28 | @@ -268,10 +269,7 @@ void pcie_cap_slot_hot_unplug_cb(Hotplug | ||
29 | |||
30 | pcie_cap_slot_hotplug_common(PCI_DEVICE(hotplug_dev), dev, &exp_cap, errp); | ||
31 | |||
32 | - object_unparent(OBJECT(dev)); | ||
33 | - pci_word_test_and_clear_mask(exp_cap + PCI_EXP_SLTSTA, | ||
34 | - PCI_EXP_SLTSTA_PDS); | ||
35 | - pcie_cap_slot_event(PCI_DEVICE(hotplug_dev), PCI_EXP_HP_EV_PDC); | ||
36 | + pcie_cap_slot_push_attention_button(PCI_DEVICE(hotplug_dev)); | ||
37 | } | ||
38 | |||
39 | /* pci express slot for pci express root/downstream port | ||
40 | @@ -352,6 +350,11 @@ void pcie_cap_slot_reset(PCIDevice *dev) | ||
41 | hotplug_event_update_event_status(dev); | ||
42 | } | ||
43 | |||
44 | +static void pcie_unplug_device(PCIBus *bus, PCIDevice *dev, void *opaque) | ||
45 | +{ | ||
46 | + object_unparent(OBJECT(dev)); | ||
47 | +} | ||
48 | + | ||
49 | void pcie_cap_slot_write_config(PCIDevice *dev, | ||
50 | uint32_t addr, uint32_t val, int len) | ||
51 | { | ||
52 | @@ -376,6 +379,22 @@ void pcie_cap_slot_write_config(PCIDevic | ||
53 | sltsta); | ||
54 | } | ||
55 | |||
56 | + /* | ||
57 | + * If the slot is polulated, power indicator is off and power | ||
58 | + * controller is off, it is safe to detach the devices. | ||
59 | + */ | ||
60 | + if ((sltsta & PCI_EXP_SLTSTA_PDS) && (val & PCI_EXP_SLTCTL_PCC) && | ||
61 | + ((val & PCI_EXP_SLTCTL_PIC_OFF) == PCI_EXP_SLTCTL_PIC_OFF)) { | ||
62 | + PCIBus *sec_bus = pci_bridge_get_sec_bus(PCI_BRIDGE(dev)); | ||
63 | + pci_for_each_device(sec_bus, pci_bus_num(sec_bus), | ||
64 | + pcie_unplug_device, NULL); | ||
65 | + | ||
66 | + pci_word_test_and_clear_mask(exp_cap + PCI_EXP_SLTSTA, | ||
67 | + PCI_EXP_SLTSTA_PDS); | ||
68 | + pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA, | ||
69 | + PCI_EXP_SLTSTA_PDC); | ||
70 | + } | ||
71 | + | ||
72 | hotplug_event_notify(dev); | ||
73 | |||
74 | /* | ||
diff --git a/meta/recipes-devtools/qemu/qemu_2.0.0.bb b/meta/recipes-devtools/qemu/qemu_2.0.0.bb index b8ce62428b..9a530a6fb5 100644 --- a/meta/recipes-devtools/qemu/qemu_2.0.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.0.0.bb | |||
@@ -4,7 +4,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \ | |||
4 | file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913" | 4 | file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913" |
5 | 5 | ||
6 | SRC_URI += "file://qemu-enlarge-env-entry-size.patch \ | 6 | SRC_URI += "file://qemu-enlarge-env-entry-size.patch \ |
7 | file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch" | 7 | file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \ |
8 | file://pcie_better_hotplug_support.patch \ | ||
9 | " | ||
10 | |||
11 | |||
8 | 12 | ||
9 | SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" | 13 | SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" |
10 | SRC_URI[md5sum] = "2790f44fd76da5de5024b4aafeb594c2" | 14 | SRC_URI[md5sum] = "2790f44fd76da5de5024b4aafeb594c2" |