1 files changed, 77 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
new file mode 100644
index 0000000000..26e22b4c31
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
@@ -0,0 +1,77 @@
+[Ubuntu note: remove fuzz-lsi53c895a-test.c changes since the file does not
+ exist for this release]
+From b987718bbb1d0eabf95499b976212dd5f0120d75 Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Mon, 22 May 2023 11:10:11 +0200
+Subject: [PATCH] hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI
+ controller (CVE-2023-0330)
+We cannot use the generic reentrancy guard in the LSI code, so
+we have to manually prevent endless reentrancy here. The problematic
+lsi_execute_script() function has already a way to detect whether
+too many instructions have been executed - we just have to slightly
+change the logic here that it also takes into account if the function
+has been called too often in a reentrant way.
+The code in fuzz-lsi53c895a-test.c has been taken from an earlier
+patch by Mauro Matteo Cascella.
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1563
+Message-Id: <20230522091011.1082574-1-thuth@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Reference: https://launchpad.net/ubuntu/+source/qemu/1:4.2-3ubuntu6.27
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2023-0330.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.com/qemu-project/qemu/-/commit/b987718bbb1d0eabf95499b976212dd5f0120d75]
+CVE: CVE-2023-0330
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ hw/scsi/lsi53c895a.c               | 23 +++++++++++++++------
+ tests/qtest/fuzz-lsi53c895a-test.c | 33 ++++++++++++++++++++++++++++++
+ 2 files changed, 50 insertions(+), 6 deletions(-)
+--- qemu-4.2.orig/hw/scsi/lsi53c895a.c
+++ qemu-4.2/hw/scsi/lsi53c895a.c
+@@ -1135,15 +1135,24 @@ static void lsi_execute_script(LSIState
+     uint32_t addr, addr_high;
+     int opcode;
+     int insn_processed = 0;
+    static int reentrancy_level;
+
+    reentrancy_level++;
+ 
+     s->istat1 |= LSI_ISTAT1_SRUN;
+ again:
+-    if (++insn_processed > LSI_MAX_INSN) {
+-        /* Some windows drivers make the device spin waiting for a memory
+-           location to change.  If we have been executed a lot of code then
+-           assume this is the case and force an unexpected device disconnect.
+-           This is apparently sufficient to beat the drivers into submission.
+-         */
+    /*
+     * Some windows drivers make the device spin waiting for a memory location
+     * to change. If we have executed more than LSI_MAX_INSN instructions then
+     * assume this is the case and force an unexpected device disconnect. This
+     * is apparently sufficient to beat the drivers into submission.
+     *
+     * Another issue (CVE-2023-0330) can occur if the script is programmed to
+     * trigger itself again and again. Avoid this problem by stopping after
+     * being called multiple times in a reentrant way (8 is an arbitrary value
+     * which should be enough for all valid use cases).
+     */
+    if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) {
+         if (!(s->sien0 & LSI_SIST0_UDC)) {
+             qemu_log_mask(LOG_GUEST_ERROR,
+                           "lsi_scsi: inf. loop with UDC masked");
+@@ -1597,6 +1606,8 @@ again:
+         }
+     }
+     trace_lsi_execute_script_stop();
+
+    reentrancy_level--;
+ }
+ 
+ static uint8_t lsi_reg_readb(LSIState *s, int offset)

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch new file mode 100644 index 0000000000..26e22b4c31 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
@@ -0,0 +1,77 @@
	1	[Ubuntu note: remove fuzz-lsi53c895a-test.c changes since the file does not
	2	exist for this release]
	3	From b987718bbb1d0eabf95499b976212dd5f0120d75 Mon Sep 17 00:00:00 2001
	4	From: Thomas Huth <thuth@redhat.com>
	5	Date: Mon, 22 May 2023 11:10:11 +0200
	6	Subject: [PATCH] hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI
	7	controller (CVE-2023-0330)
	8
	9	We cannot use the generic reentrancy guard in the LSI code, so
	10	we have to manually prevent endless reentrancy here. The problematic
	11	lsi_execute_script() function has already a way to detect whether
	12	too many instructions have been executed - we just have to slightly
	13	change the logic here that it also takes into account if the function
	14	has been called too often in a reentrant way.
	15
	16	The code in fuzz-lsi53c895a-test.c has been taken from an earlier
	17	patch by Mauro Matteo Cascella.
	18
	19	Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1563
	20	Message-Id: <20230522091011.1082574-1-thuth@redhat.com>
	21	Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
	22	Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
	23	Signed-off-by: Thomas Huth <thuth@redhat.com>
	24
	25	Reference: https://launchpad.net/ubuntu/+source/qemu/1:4.2-3ubuntu6.27
	26
	27	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2023-0330.patch?h=ubuntu/focal-security
	28	Upstream commit https://gitlab.com/qemu-project/qemu/-/commit/b987718bbb1d0eabf95499b976212dd5f0120d75]
	29	CVE: CVE-2023-0330
	30	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	31	---
	32	hw/scsi/lsi53c895a.c \| 23 +++++++++++++++------
	33	tests/qtest/fuzz-lsi53c895a-test.c \| 33 ++++++++++++++++++++++++++++++
	34	2 files changed, 50 insertions(+), 6 deletions(-)
	35
	36	--- qemu-4.2.orig/hw/scsi/lsi53c895a.c
	37	+++ qemu-4.2/hw/scsi/lsi53c895a.c
	38	@@ -1135,15 +1135,24 @@ static void lsi_execute_script(LSIState
	39	uint32_t addr, addr_high;
	40	int opcode;
	41	int insn_processed = 0;
	42	+ static int reentrancy_level;
	43	+
	44	+ reentrancy_level++;
	45
	46	s->istat1 \|= LSI_ISTAT1_SRUN;
	47	again:
	48	- if (++insn_processed > LSI_MAX_INSN) {
	49	- /* Some windows drivers make the device spin waiting for a memory
	50	- location to change. If we have been executed a lot of code then
	51	- assume this is the case and force an unexpected device disconnect.
	52	- This is apparently sufficient to beat the drivers into submission.
	53	- */
	54	+ /*
	55	+ * Some windows drivers make the device spin waiting for a memory location
	56	+ * to change. If we have executed more than LSI_MAX_INSN instructions then
	57	+ * assume this is the case and force an unexpected device disconnect. This
	58	+ * is apparently sufficient to beat the drivers into submission.
	59	+ *
	60	+ * Another issue (CVE-2023-0330) can occur if the script is programmed to
	61	+ * trigger itself again and again. Avoid this problem by stopping after
	62	+ * being called multiple times in a reentrant way (8 is an arbitrary value
	63	+ * which should be enough for all valid use cases).
	64	+ */
	65	+ if (++insn_processed > LSI_MAX_INSN \|\| reentrancy_level > 8) {
	66	if (!(s->sien0 & LSI_SIST0_UDC)) {
	67	qemu_log_mask(LOG_GUEST_ERROR,
	68	"lsi_scsi: inf. loop with UDC masked");
	69	@@ -1597,6 +1606,8 @@ again:
	70	}
	71	}
	72	trace_lsi_execute_script_stop();
	73	+
	74	+ reentrancy_level--;
	75	}
	76
	77	static uint8_t lsi_reg_readb(LSIState *s, int offset)