Diffstat (limited to 'meta/recipes-devtools/qemu/qemu')
5 files changed, 369 insertions, 0 deletions
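diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch
new file mode 100644
index 0000000000..8b1ad0423b
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch
@@ -0,0 +1,54 @@
+From e907ff3d4cb7fd20d402f45355059e67d0dc93e7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 24 Nov 2021 17:15:34 +0100
+Subject: [PATCH 11/12] hw/block/fdc: Extract blk_create_empty_drive()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We are going to re-use this code in the next commit,
+so extract it as a new blk_create_empty_drive() function.
+
+Inspired-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20211124161536.631563-2-philmd@redhat.com
+Signed-off-by: John Snow <jsnow@redhat.com>
+
+Upstream-Status: Backport [b154791e7b6d4ca5cdcd54443484d97360bd7ad2]
+CVE: CVE-2021-20196
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+hw/block/fdc.c | 9 +++++++--
+1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index 4c2c35e22..854b4f172 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -61,6 +61,12 @@
+} while (0)
+
+
++/* Anonymous BlockBackend for empty drive */
++static BlockBackend *blk_create_empty_drive(void)
++{
++ return blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL);
++}
++
+/********************************************************/
+/* qdev floppy bus */
+
+@@ -543,8 +549,7 @@ static void floppy_drive_realize(DeviceState *qdev, Error **errp)
+}
+
+if (!dev->conf.blk) {
+- /* Anonymous BlockBackend for an empty drive */
+- dev->conf.blk = blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL);
++ dev->conf.blk = blk_create_empty_drive();
+ret = blk_attach_dev(dev->conf.blk, qdev);
+assert(ret == 0);
+
+--
+2.31.1
+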
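Review bot: blk_create_empty_drive() is added as a `static` helper in hw/block/fdc.c whose only caller, after this patch, is the `get_cur_drv()` kludge in CVE-2021-20196_2.patch, so the two patch files are order-dependent and the recipe must apply _1 before _2; the recipe change is not part of this diff, so that ordering cannot be confirmed here. The extraction is otherwise a pure move of the `blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL)` call, but the new comment drops the purpose the old one carried; I would keep it self-explanatory, e.g. `/* Anonymous BlockBackend for an empty drive (no medium attached); shared by realize and get_cur_drv() */`, hedging the "no medium" wording against the blk_new() contract if that is not what the 0/BLK_PERM_ALL arguments mean in this QEMU version.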
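diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch
new file mode 100644
index 0000000000..dd442ccb8f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch
@@ -0,0 +1,67 @@
+From 1d48445a951fd5504190a38abeda70ea9372cf77 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 24 Nov 2021 17:15:35 +0100
+Subject: [PATCH 12/12] hw/block/fdc: Kludge missing floppy drive to fix
+CVE-2021-20196
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guest might select another drive on the bus by setting the
+DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR).
+The current controller model doesn't expect a BlockBackend
+to be NULL. A simple way to fix CVE-2021-20196 is to create
+an empty BlockBackend when it is missing. All further
+accesses will be safely handled, and the controller state
+machines keep behaving correctly.
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2021-20196
+Reported-by: Gaoning Pan (Ant Security Light-Year Lab) <pgn@zju.edu.cn>
+Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20211124161536.631563-3-philmd@redhat.com
+BugLink: https://bugs.launchpad.net/qemu/+bug/1912780
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/338
+Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: John Snow <jsnow@redhat.com>
+
+Upstream-Status: Backport [1ab95af033a419e7a64e2d58e67dd96b20af5233]
+CVE: CVE-2021-20196
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+hw/block/fdc.c | 14 +++++++++++++-
+1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index 854b4f172..a736c4d14 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -1365,7 +1365,19 @@ static FDrive *get_drv(FDCtrl *fdctrl, int unit)
+
+static FDrive *get_cur_drv(FDCtrl *fdctrl)
+{
+- return get_drv(fdctrl, fdctrl->cur_drv);
++ FDrive *cur_drv = get_drv(fdctrl, fdctrl->cur_drv);
++
++ if (!cur_drv->blk) {
++ /*
++ * Kludge: empty drive line selected. Create an anonymous
++ * BlockBackend to avoid NULL deref with various BlockBackend
++ * API calls within this model (CVE-2021-20196).
++ * Due to the controller QOM model limitations, we don't
++ * attach the created to the controller device.
++ */
++ cur_drv->blk = blk_create_empty_drive();
++ }
++ return cur_drv;
+}
+
+/* Status A register : 0x00 (read-only) */
+--
+2.31.1
+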
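Review bot: The comment inside the new `if (!cur_drv->blk)` branch is missing its noun — "we don't attach the created to the controller device" — and should read `* attach the created BlockBackend to the controller device.`. The backend assigned to `cur_drv->blk` is never released anywhere visible in the hunk; because it is cached in the drive it is created at most once per empty drive line, so this is a bounded, deliberate leak, but that is worth stating in the comment, e.g. `* It is created once per empty drive and intentionally never unref'd.`. The call depends on `blk_create_empty_drive()` from CVE-2021-20196_1.patch, so the recipe must apply that file first (the recipe is not part of this diff). `cur_drv` is dereferenced without a check; that is fine only if `get_drv()` cannot return NULL, which the previous unconditional `return get_drv(...)` suggests but the hunk does not show.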
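diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
new file mode 100644
index 0000000000..33fca66d3d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
@@ -0,0 +1,68 @@
+From 9a8f71ec660e67c51cc5905dd9d2a12ff78ce743 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 18 Aug 2021 14:05:05 +0200
+Subject: [PATCH 08/12] uas: add stream number sanity checks.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The device uses the guest-supplied stream number unchecked, which can
+lead to guest-triggered out-of-band access to the UASDevice->data3 and
+UASDevice->status3 fields. Add the missing checks.
+
+Fixes: CVE-2021-3713
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reported-by: Chen Zhe <chenzhe@huawei.com>
+Reported-by: Tan Jingguo <tanjingguo@huawei.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210818120505.1258262-2-kraxel@redhat.com>
+(cherry picked from commit 13b250b12ad3c59114a6a17d59caf073ce45b33a)
+Signed-off-by: Michael Roth <michael.roth@amd.com>
+
+Upstream-Status: Backport [36403e8788a264dc96174f52584681ebcb4f54b1]
+CVE: CVE-2021-3713
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+hw/usb/dev-uas.c | 11 +++++++++++
+1 file changed, 11 insertions(+)
+
+diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c
+index cec071d96..157734eb0 100644
+--- a/hw/usb/dev-uas.c
++++ b/hw/usb/dev-uas.c
+@@ -831,6 +831,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+}
+break;
+case UAS_PIPE_ID_STATUS:
++ if (p->stream > UAS_MAX_STREAMS) {
++ goto err_stream;
++ }
+if (p->stream) {
+QTAILQ_FOREACH(st, &uas->results, next) {
+if (st->stream == p->stream) {
+@@ -858,6 +861,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+break;
+case UAS_PIPE_ID_DATA_IN:
+case UAS_PIPE_ID_DATA_OUT:
++ if (p->stream > UAS_MAX_STREAMS) {
++ goto err_stream;
++ }
+if (p->stream) {
+req = usb_uas_find_request(uas, p->stream);
+} else {
+@@ -893,6 +899,11 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+p->status = USB_RET_STALL;
+break;
+}
++
++err_stream:
++ error_report("%s: invalid stream %d", __func__, p->stream);
++ p->status = USB_RET_STALL;
++ return;
+}
+
+static void usb_uas_unrealize(USBDevice *dev)
+--
+2.31.1
+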
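Review bot: In the last hunk the new `err_stream:` label is placed directly after the `}` that closes the switch (the context lines `p->status = USB_RET_STALL; break; }`), and the next line after the label block is the function's own closing `}`, so every packet that leaves the switch normally falls through into the label, has its status overwritten with `USB_RET_STALL` and logs "invalid stream"; a `return;` is needed between the switch and the label, i.e. `}` / `return;` / `err_stream:`. Separately, `error_report()` on a guest-controlled value lets a misbehaving guest flood the host's stderr at will; the QEMU convention for guest-triggered conditions is `qemu_log_mask(LOG_GUEST_ERROR, ...)`, which is rate-controlled by the log mask. The bound check uses `>` rather than `>=`, which is only correct if `data3`/`status3` are dimensioned `UAS_MAX_STREAMS + 1` (as I believe upstream declares them — confirm against the UASDevice definition); a comment such as `/* data3/status3 have UAS_MAX_STREAMS + 1 slots; stream 0 is the non-stream pipe */` would keep a later reader from "fixing" it. usb_uas_handle_data() starts before the first hunk and the hunks cut through the middle of its switch.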
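diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
new file mode 100644
index 0000000000..4765f24739
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
@@ -0,0 +1,127 @@
+From bacc200f623647632258f7efc0f098ac30dd4225 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Thu, 2 Sep 2021 13:44:12 +0800
+Subject: [PATCH 09/12] virtio-net: fix use after unmap/free for sg
+
+When mergeable buffer is enabled, we try to set the num_buffers after
+the virtqueue elem has been unmapped. This will lead several issues,
+E.g a use after free when the descriptor has an address which belongs
+to the non direct access region. In this case we use bounce buffer
+that is allocated during address_space_map() and freed during
+address_space_unmap().
+
+Fixing this by storing the elems temporarily in an array and delay the
+unmap after we set the the num_buffers.
+
+This addresses CVE-2021-3748.
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Fixes: fbe78f4f55c6 ("virtio-net support")
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [bedd7e93d01961fcb16a97ae45d93acf357e11f6]
+CVE: CVE-2021-3748
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++-------
+1 file changed, 32 insertions(+), 7 deletions(-)
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index 9179013ac..df1d30e2c 100644
+--- a/hw/net/virtio-net.c
++++ b/hw/net/virtio-net.c
+@@ -1665,10 +1665,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+VirtIONet *n = qemu_get_nic_opaque(nc);
+VirtIONetQueue *q = virtio_net_get_subqueue(nc);
+VirtIODevice *vdev = VIRTIO_DEVICE(n);
++ VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE];
++ size_t lens[VIRTQUEUE_MAX_SIZE];
+struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE];
+struct virtio_net_hdr_mrg_rxbuf mhdr;
+unsigned mhdr_cnt = 0;
+- size_t offset, i, guest_offset;
++ size_t offset, i, guest_offset, j;
++ ssize_t err;
+
+if (!virtio_net_can_receive(nc)) {
+return -1;
+@@ -1699,6 +1702,12 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+
+total = 0;
+
++ if (i == VIRTQUEUE_MAX_SIZE) {
++ virtio_error(vdev, "virtio-net unexpected long buffer chain");
++ err = size;
++ goto err;
++ }
++
+elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement));
+if (!elem) {
+if (i) {
+@@ -1710,7 +1719,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+n->guest_hdr_len, n->host_hdr_len,
+vdev->guest_features);
+}
+- return -1;
++ err = -1;
++ goto err;
+}
+
+if (elem->in_num < 1) {
+@@ -1718,7 +1728,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+"virtio-net receive queue contains no in buffers");
+virtqueue_detach_element(q->rx_vq, elem, 0);
+g_free(elem);
+- return -1;
++ err = -1;
++ goto err;
+}
+
+sg = elem->in_sg;
+@@ -1755,12 +1766,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+if (!n->mergeable_rx_bufs && offset < size) {
+virtqueue_unpop(q->rx_vq, elem, total);
+g_free(elem);
+- return size;
++ err = size;
++ goto err;
+}
+
+- /* signal other side */
+- virtqueue_fill(q->rx_vq, elem, total, i++);
+- g_free(elem);
++ elems[i] = elem;
++ lens[i] = total;
++ i++;
+}
+
+if (mhdr_cnt) {
+@@ -1770,10 +1782,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+&mhdr.num_buffers, sizeof mhdr.num_buffers);
+}
+
++ for (j = 0; j < i; j++) {
++ /* signal other side */
++ virtqueue_fill(q->rx_vq, elems[j], lens[j], j);
++ g_free(elems[j]);
++ }
++
+virtqueue_flush(q->rx_vq, i);
+virtio_notify(vdev, q->rx_vq);
+
+return size;
++
++err:
++ for (j = 0; j < i; j++) {
++ g_free(elems[j]);
++ }
++
++ return err;
+}
+
+static ssize_t virtio_net_do_receive(NetClientState *nc, const uint8_t *buf,
+--
+2.31.1
+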
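Review bot: The new `err:` loop in the last hunk only `g_free()`s the elements accumulated in `elems[]`, whereas the pre-existing single-element error paths in the same function call `virtqueue_detach_element(q->rx_vq, elem, 0)` or `virtqueue_unpop(q->rx_vq, elem, total)` before freeing (hunks at -1718 and -1755). An element obtained from `virtqueue_pop()` that is neither filled, unpopped nor detached leaves its guest buffers mapped and, as far as I can tell from the detach call used elsewhere here, the queue's in-flight bookkeeping unreleased, so the loop body should be `virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);` followed by `g_free(elems[j]);`. On the long-chain path `err = size` is returned after `virtio_error()`, i.e. the packet is reported as consumed, which matches the existing `offset < size` drop path and looks intended but deserves a short comment such as `/* drop the packet; the device is now broken by virtio_error() */`. virtio_net_receive_rcu() begins before the first hunk and the hunks cut through its receive loop.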
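diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch
new file mode 100644
index 0000000000..bfbe5cee33
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch
@@ -0,0 +1,53 @@
+From cdca50eff9c38367be54f92839734ab490c8b0f7 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 4 Nov 2021 17:31:38 +0100
+Subject: [PATCH 10/12] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE
+SELECT commands
+
+This avoids an off-by-one read of 'mode_sense_valid' buffer in
+hw/scsi/scsi-disk.c:mode_sense_page().
+
+Fixes: CVE-2021-3930
+Cc: qemu-stable@nongnu.org
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table")
+Fixes: #546
+Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+Upstream-Status: Backport [b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8]
+CVE: CVE-2021-3930
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+hw/scsi/scsi-disk.c | 6 ++++++
+1 file changed, 6 insertions(+)
+
+diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
+index 90841ad79..5b44ed7d8 100644
+--- a/hw/scsi/scsi-disk.c
++++ b/hw/scsi/scsi-disk.c
+@@ -1100,6 +1100,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf,
+uint8_t *p = *p_outbuf + 2;
+int length;
+
++ assert(page < ARRAY_SIZE(mode_sense_valid));
+if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
+return -1;
+}
+@@ -1441,6 +1442,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page,
+return -1;
+}
+
++ /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */
++ if (page == MODE_PAGE_ALLS) {
++ return -1;
++ }
++
+p = mode_current;
+memset(mode_current, 0, inlen + 2);
+len = mode_sense_page(s, page, &p, 0);
+--
+2.31.1
+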
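Review bot: `assert(page < ARRAY_SIZE(mode_sense_valid))` in the first hunk compares the `int` parameter `page` (visible in the hunk header) with a `size_t`, so a negative `page` is converted to a large unsigned value, passes the assert and then indexes `mode_sense_valid[page]` below the table. The callers are not visible here and presumably mask the page code to its 6-bit field, but the backstop is cheap to make complete: `assert(page >= 0 && page < ARRAY_SIZE(mode_sense_valid));`. The actual fix is the MODE SELECT rejection in the second hunk; the assert turns any remaining out-of-range page into an abort rather than a silent out-of-bounds read, which is the usual QEMU trade-off and worth recording, e.g. `/* MODE_PAGE_ALLS has no entry in mode_sense_valid; callers must filter it out */`. Both mode_sense_page() and scsi_disk_check_mode_select() start before their hunks and continue past them.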