summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorSakib Sajal <sakib.sajal@windriver.com>2022-08-22 15:15:36 -0400
committerRichard Purdie <richard.purdie@linuxfoundation.org>2022-08-23 15:24:11 +0100
commit469171399184dbb03d46617ebe6e66aae3f330f7 (patch)
tree0bf33d89a38e4dbfcfbd9be83cc620ec2a2370f3 /meta
parent238660fccab248b420c5541e36270d12739b83cf (diff)
downloadpoky-469171399184dbb03d46617ebe6e66aae3f330f7.tar.gz
qemu: fix CVE-2021-3507
Backport required patches to fix CVE-2021-3507. (From OE-Core rev: 1a22fa10ef4ed80b4ef3cdd12eb4191a8c320e0a) Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc2
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch92
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch115
3 files changed, 209 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index bcaa56bbba..9fdb8c6428 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -29,6 +29,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
29 file://0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch \ 29 file://0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch \
30 file://qemu-7.0.0-glibc-2.36.patch \ 30 file://qemu-7.0.0-glibc-2.36.patch \
31 file://CVE-2022-35414.patch \ 31 file://CVE-2022-35414.patch \
32 file://CVE-2021-3507_1.patch \
33 file://CVE-2021-3507_2.patch \
32 " 34 "
33UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" 35UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
34 36
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch
new file mode 100644
index 0000000000..24fd2c5ed3
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch
@@ -0,0 +1,92 @@
1From 57a89cc36ead7234e540d0ecbe1a792ab6b04cb7 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
3Date: Thu, 18 Nov 2021 12:57:32 +0100
4Subject: [PATCH 1/2] hw/block/fdc: Prevent end-of-track overrun
5 (CVE-2021-3507)
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10Per the 82078 datasheet, if the end-of-track (EOT byte in
11the FIFO) is more than the number of sectors per side, the
12command is terminated unsuccessfully:
13
14* 5.2.5 DATA TRANSFER TERMINATION
15
16 The 82078 supports terminal count explicitly through
17 the TC pin and implicitly through the underrun/over-
18 run and end-of-track (EOT) functions. For full sector
19 transfers, the EOT parameter can define the last
20 sector to be transferred in a single or multisector
21 transfer. If the last sector to be transferred is a par-
22 tial sector, the host can stop transferring the data in
23 mid-sector, and the 82078 will continue to complete
24 the sector as if a hardware TC was received. The
25 only difference between these implicit functions and
26 TC is that they return "abnormal termination" result
27 status. Such status indications can be ignored if they
28 were expected.
29
30* 6.1.3 READ TRACK
31
32 This command terminates when the EOT specified
33 number of sectors have been read. If the 82078
34 does not find an I D Address Mark on the diskette
35 after the second· occurrence of a pulse on the
36 INDX# pin, then it sets the IC code in Status Regis-
37 ter 0 to "01" (Abnormal termination), sets the MA bit
38 in Status Register 1 to "1", and terminates the com-
39 mand.
40
41* 6.1.6 VERIFY
42
43 Refer to Table 6-6 and Table 6-7 for information
44 concerning the values of MT and EC versus SC and
45 EOT value.
46
47* Table 6·6. Result Phase Table
48
49* Table 6-7. Verify Command Result Phase Table
50
51Fix by aborting the transfer when EOT > # Sectors Per Side.
52
53Cc: qemu-stable@nongnu.org
54Cc: Hervé Poussineau <hpoussin@reactos.org>
55Fixes: baca51faff0 ("floppy driver: disk geometry auto detect")
56Reported-by: Alexander Bulekov <alxndr@bu.edu>
57Resolves: https://gitlab.com/qemu-project/qemu/-/issues/339
58Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
59Message-Id: <20211118115733.4038610-2-philmd@redhat.com>
60Reviewed-by: Hanna Reitz <hreitz@redhat.com>
61Signed-off-by: Kevin Wolf <kwolf@redhat.com>
62
63Upstream-Status: Backport [defac5e2fbddf8423a354ff0454283a2115e1367]
64CVE: CVE-2021-3507
65
66Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
67---
68 hw/block/fdc.c | 8 ++++++++
69 1 file changed, 8 insertions(+)
70
71diff --git a/hw/block/fdc.c b/hw/block/fdc.c
72index 347875a0c..57bb35579 100644
73--- a/hw/block/fdc.c
74+++ b/hw/block/fdc.c
75@@ -1530,6 +1530,14 @@ static void fdctrl_start_transfer(FDCtrl *fdctrl, int direction)
76 int tmp;
77 fdctrl->data_len = 128 << (fdctrl->fifo[5] > 7 ? 7 : fdctrl->fifo[5]);
78 tmp = (fdctrl->fifo[6] - ks + 1);
79+ if (tmp < 0) {
80+ FLOPPY_DPRINTF("invalid EOT: %d\n", tmp);
81+ fdctrl_stop_transfer(fdctrl, FD_SR0_ABNTERM, FD_SR1_MA, 0x00);
82+ fdctrl->fifo[3] = kt;
83+ fdctrl->fifo[4] = kh;
84+ fdctrl->fifo[5] = ks;
85+ return;
86+ }
87 if (fdctrl->fifo[0] & 0x80)
88 tmp += fdctrl->fifo[6];
89 fdctrl->data_len *= tmp;
90--
912.33.0
92
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch
new file mode 100644
index 0000000000..acc93e897b
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch
@@ -0,0 +1,115 @@
1From 3e8601ec707dcbc3c768f7733d016dc70c947e4a Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
3Date: Thu, 18 Nov 2021 12:57:33 +0100
4Subject: [PATCH 2/2] tests/qtest/fdc-test: Add a regression test for
5 CVE-2021-3507
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10Add the reproducer from https://gitlab.com/qemu-project/qemu/-/issues/339
11
12Without the previous commit, when running 'make check-qtest-i386'
13with QEMU configured with '--enable-sanitizers' we get:
14
15 ==4028352==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000062a00 at pc 0x5626d03c491a bp 0x7ffdb4199410 sp 0x7ffdb4198bc0
16 READ of size 786432 at 0x619000062a00 thread T0
17 #0 0x5626d03c4919 in __asan_memcpy (qemu-system-i386+0x1e65919)
18 #1 0x5626d1c023cc in flatview_write_continue softmmu/physmem.c:2787:13
19 #2 0x5626d1bf0c0f in flatview_write softmmu/physmem.c:2822:14
20 #3 0x5626d1bf0798 in address_space_write softmmu/physmem.c:2914:18
21 #4 0x5626d1bf0f37 in address_space_rw softmmu/physmem.c:2924:16
22 #5 0x5626d1bf14c8 in cpu_physical_memory_rw softmmu/physmem.c:2933:5
23 #6 0x5626d0bd5649 in cpu_physical_memory_write include/exec/cpu-common.h:82:5
24 #7 0x5626d0bd0a07 in i8257_dma_write_memory hw/dma/i8257.c:452:9
25 #8 0x5626d09f825d in fdctrl_transfer_handler hw/block/fdc.c:1616:13
26 #9 0x5626d0a048b4 in fdctrl_start_transfer hw/block/fdc.c:1539:13
27 #10 0x5626d09f4c3e in fdctrl_write_data hw/block/fdc.c:2266:13
28 #11 0x5626d09f22f7 in fdctrl_write hw/block/fdc.c:829:9
29 #12 0x5626d1c20bc5 in portio_write softmmu/ioport.c:207:17
30
31 0x619000062a00 is located 0 bytes to the right of 512-byte region [0x619000062800,0x619000062a00)
32 allocated by thread T0 here:
33 #0 0x5626d03c66ec in posix_memalign (qemu-system-i386+0x1e676ec)
34 #1 0x5626d2b988d4 in qemu_try_memalign util/oslib-posix.c:210:11
35 #2 0x5626d2b98b0c in qemu_memalign util/oslib-posix.c:226:27
36 #3 0x5626d09fbaf0 in fdctrl_realize_common hw/block/fdc.c:2341:20
37 #4 0x5626d0a150ed in isabus_fdc_realize hw/block/fdc-isa.c:113:5
38 #5 0x5626d2367935 in device_set_realized hw/core/qdev.c:531:13
39
40 SUMMARY: AddressSanitizer: heap-buffer-overflow (qemu-system-i386+0x1e65919) in __asan_memcpy
41 Shadow bytes around the buggy address:
42 0x0c32800044f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
43 0x0c3280004500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
44 0x0c3280004510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
45 0x0c3280004520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
46 0x0c3280004530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
47 =>0x0c3280004540:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
48 0x0c3280004550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
49 0x0c3280004560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
50 0x0c3280004570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
51 0x0c3280004580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
52 0x0c3280004590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
53 Shadow byte legend (one shadow byte represents 8 application bytes):
54 Addressable: 00
55 Heap left redzone: fa
56 Freed heap region: fd
57 ==4028352==ABORTING
58
59[ kwolf: Added snapshot=on to prevent write file lock failure ]
60
61Reported-by: Alexander Bulekov <alxndr@bu.edu>
62Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
63Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
64Signed-off-by: Kevin Wolf <kwolf@redhat.com>
65
66Upstream-Status: Backport [46609b90d9e3a6304def11038a76b58ff43f77bc]
67CVE: CVE-2021-3507
68
69Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
70---
71 tests/qtest/fdc-test.c | 21 +++++++++++++++++++++
72 1 file changed, 21 insertions(+)
73
74diff --git a/tests/qtest/fdc-test.c b/tests/qtest/fdc-test.c
75index b0d40012e..1d4f85212 100644
76--- a/tests/qtest/fdc-test.c
77+++ b/tests/qtest/fdc-test.c
78@@ -583,6 +583,26 @@ static void test_cve_2021_20196(void)
79 qtest_quit(s);
80 }
81
82+static void test_cve_2021_3507(void)
83+{
84+ QTestState *s;
85+
86+ s = qtest_initf("-nographic -m 32M -nodefaults "
87+ "-drive file=%s,format=raw,if=floppy,snapshot=on",
88+ test_image);
89+ qtest_outl(s, 0x9, 0x0a0206);
90+ qtest_outw(s, 0x3f4, 0x1600);
91+ qtest_outw(s, 0x3f4, 0x0000);
92+ qtest_outw(s, 0x3f4, 0x0000);
93+ qtest_outw(s, 0x3f4, 0x0000);
94+ qtest_outw(s, 0x3f4, 0x0200);
95+ qtest_outw(s, 0x3f4, 0x0200);
96+ qtest_outw(s, 0x3f4, 0x0000);
97+ qtest_outw(s, 0x3f4, 0x0000);
98+ qtest_outw(s, 0x3f4, 0x0000);
99+ qtest_quit(s);
100+}
101+
102 int main(int argc, char **argv)
103 {
104 int fd;
105@@ -614,6 +634,7 @@ int main(int argc, char **argv)
106 qtest_add_func("/fdc/read_no_dma_19", test_read_no_dma_19);
107 qtest_add_func("/fdc/fuzz-registers", fuzz_registers);
108 qtest_add_func("/fdc/fuzz/cve_2021_20196", test_cve_2021_20196);
109+ qtest_add_func("/fdc/fuzz/cve_2021_3507", test_cve_2021_3507);
110
111 ret = g_test_run();
112
113--
1142.33.0
115