Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch | 77 |
1 files changed, 77 insertions, 0 deletions
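--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
@@ -0,0 +1,77 @@
+[Ubuntu note: remove fuzz-lsi53c895a-test.c changes since the file does not
+exist for this release]
+From b987718bbb1d0eabf95499b976212dd5f0120d75 Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Mon, 22 May 2023 11:10:11 +0200
+Subject: [PATCH] hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI
+controller (CVE-2023-0330)
+
+We cannot use the generic reentrancy guard in the LSI code, so
+we have to manually prevent endless reentrancy here. The problematic
+lsi_execute_script() function has already a way to detect whether
+too many instructions have been executed - we just have to slightly
+change the logic here that it also takes into account if the function
+has been called too often in a reentrant way.
+
+The code in fuzz-lsi53c895a-test.c has been taken from an earlier
+patch by Mauro Matteo Cascella.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1563
+Message-Id: <20230522091011.1082574-1-thuth@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+
+Reference: https://launchpad.net/ubuntu/+source/qemu/1:4.2-3ubuntu6.27
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2023-0330.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.com/qemu-project/qemu/-/commit/b987718bbb1d0eabf95499b976212dd5f0120d75]
+CVE: CVE-2023-0330
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+hw/scsi/lsi53c895a.c | 23 +++++++++++++++------
+tests/qtest/fuzz-lsi53c895a-test.c | 33 ++++++++++++++++++++++++++++++
+2 files changed, 50 insertions(+), 6 deletions(-)
+
+--- qemu-4.2.orig/hw/scsi/lsi53c895a.c
++++ qemu-4.2/hw/scsi/lsi53c895a.c
+@@ -1135,15 +1135,24 @@ static void lsi_execute_script(LSIState
+uint32_t addr, addr_high;
+int opcode;
+int insn_processed = 0;
++ static int reentrancy_level;
++
++ reentrancy_level++;
+
+s->istat1 |= LSI_ISTAT1_SRUN;
+again:
+- if (++insn_processed > LSI_MAX_INSN) {
+- /* Some windows drivers make the device spin waiting for a memory
+- location to change. If we have been executed a lot of code then
+- assume this is the case and force an unexpected device disconnect.
+- This is apparently sufficient to beat the drivers into submission.
+- */
++ /*
++ * Some windows drivers make the device spin waiting for a memory location
++ * to change. If we have executed more than LSI_MAX_INSN instructions then
++ * assume this is the case and force an unexpected device disconnect. This
++ * is apparently sufficient to beat the drivers into submission.
++ *
++ * Another issue (CVE-2023-0330) can occur if the script is programmed to
++ * trigger itself again and again. Avoid this problem by stopping after
++ * being called multiple times in a reentrant way (8 is an arbitrary value
++ * which should be enough for all valid use cases).
++ */
++ if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) {
+if (!(s->sien0 & LSI_SIST0_UDC)) {
+qemu_log_mask(LOG_GUEST_ERROR,
+"lsi_scsi: inf. loop with UDC masked");
+@@ -1597,6 +1606,8 @@ again:
+}
+}
+trace_lsi_execute_script_stop();
++
++ reentrancy_level--;
+}
+
+static uint8_t lsi_reg_readb(LSIState *s, int offset)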
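Review bot: The embedded diffstat (lines 32-34 of the patch) still lists tests/qtest/fuzz-lsi53c895a-test.c with 33 insertions and "2 files changed, 50 insertions(+), 6 deletions(-)", although the Ubuntu note at the top says the test hunk was dropped and the body carries only the two hw/scsi/lsi53c895a.c hunks; `git apply`/`patch` ignore the stat, but it misdescribes what the file applies, so trim it to `hw/scsi/lsi53c895a.c | 23 +++++++++++++++------` and `1 file changed, 17 insertions(+), 6 deletions(-)` (counts taken from the visible hunks). Separately, `reentrancy_level` is a function-scope static, so it is one counter shared by every LSI controller in the process rather than per-LSIState, presumably acceptable because device callbacks are serialized under the big QEMU lock — worth confirming and stating in a comment such as `/* shared by all instances; assumes callers are serialized */`. The decrement sits only at the end of lsi_execute_script after trace_lsi_execute_script_stop(), and most of that function's body lies outside the hunk; if any path between the increment and that point leaves the function early, the counter ratchets upward and the `> 8` limit eventually fires on a device that is not re-entering at all, so that should be checked against the full 4.2 function body.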