5 files changed, 369 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch
new file mode 100644
index 0000000000..8b1ad0423b
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch
@@ -0,0 +1,54 @@
+From e907ff3d4cb7fd20d402f45355059e67d0dc93e7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 24 Nov 2021 17:15:34 +0100
+Subject: [PATCH 11/12] hw/block/fdc: Extract blk_create_empty_drive()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+We are going to re-use this code in the next commit,
+so extract it as a new blk_create_empty_drive() function.
+Inspired-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20211124161536.631563-2-philmd@redhat.com
+Signed-off-by: John Snow <jsnow@redhat.com>
+Upstream-Status: Backport [b154791e7b6d4ca5cdcd54443484d97360bd7ad2]
+CVE: CVE-2021-20196
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/block/fdc.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index 4c2c35e22..854b4f172 100644
+--- a/hw/block/fdc.c
+++ b/hw/block/fdc.c
+@@ -61,6 +61,12 @@
+     } while (0)
+ 
+ 
+/* Anonymous BlockBackend for empty drive */
+static BlockBackend *blk_create_empty_drive(void)
+{
+    return blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL);
+}
+
+ /********************************************************/
+ /* qdev floppy bus                                      */
+ 
+@@ -543,8 +549,7 @@ static void floppy_drive_realize(DeviceState *qdev, Error **errp)
+     }
+ 
+     if (!dev->conf.blk) {
+-        /* Anonymous BlockBackend for an empty drive */
+-        dev->conf.blk = blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL);
+        dev->conf.blk = blk_create_empty_drive();
+         ret = blk_attach_dev(dev->conf.blk, qdev);
+         assert(ret == 0);
+ 
+-- 
+2.31.1
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch
new file mode 100644
index 0000000000..dd442ccb8f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch
@@ -0,0 +1,67 @@
+From 1d48445a951fd5504190a38abeda70ea9372cf77 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 24 Nov 2021 17:15:35 +0100
+Subject: [PATCH 12/12] hw/block/fdc: Kludge missing floppy drive to fix
+ CVE-2021-20196
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Guest might select another drive on the bus by setting the
+DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR).
+The current controller model doesn't expect a BlockBackend
+to be NULL. A simple way to fix CVE-2021-20196 is to create
+an empty BlockBackend when it is missing. All further
+accesses will be safely handled, and the controller state
+machines keep behaving correctly.
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2021-20196
+Reported-by: Gaoning Pan (Ant Security Light-Year Lab) <pgn@zju.edu.cn>
+Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20211124161536.631563-3-philmd@redhat.com
+BugLink: https://bugs.launchpad.net/qemu/+bug/1912780
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/338
+Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: John Snow <jsnow@redhat.com>
+Upstream-Status: Backport [1ab95af033a419e7a64e2d58e67dd96b20af5233]
+CVE: CVE-2021-20196
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/block/fdc.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index 854b4f172..a736c4d14 100644
+--- a/hw/block/fdc.c
+++ b/hw/block/fdc.c
+@@ -1365,7 +1365,19 @@ static FDrive *get_drv(FDCtrl *fdctrl, int unit)
+ 
+ static FDrive *get_cur_drv(FDCtrl *fdctrl)
+ {
+-    return get_drv(fdctrl, fdctrl->cur_drv);
+    FDrive *cur_drv = get_drv(fdctrl, fdctrl->cur_drv);
+
+    if (!cur_drv->blk) {
+        /*
+         * Kludge: empty drive line selected. Create an anonymous
+         * BlockBackend to avoid NULL deref with various BlockBackend
+         * API calls within this model (CVE-2021-20196).
+         * Due to the controller QOM model limitations, we don't
+         * attach the created to the controller device.
+         */
+        cur_drv->blk = blk_create_empty_drive();
+    }
+    return cur_drv;
+ }
+ 
+ /* Status A register : 0x00 (read-only) */
+-- 
+2.31.1
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
new file mode 100644
index 0000000000..33fca66d3d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
@@ -0,0 +1,68 @@
+From 9a8f71ec660e67c51cc5905dd9d2a12ff78ce743 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 18 Aug 2021 14:05:05 +0200
+Subject: [PATCH 08/12] uas: add stream number sanity checks.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+The device uses the guest-supplied stream number unchecked, which can
+lead to guest-triggered out-of-band access to the UASDevice->data3 and
+UASDevice->status3 fields.  Add the missing checks.
+Fixes: CVE-2021-3713
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reported-by: Chen Zhe <chenzhe@huawei.com>
+Reported-by: Tan Jingguo <tanjingguo@huawei.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210818120505.1258262-2-kraxel@redhat.com>
+(cherry picked from commit 13b250b12ad3c59114a6a17d59caf073ce45b33a)
+Signed-off-by: Michael Roth <michael.roth@amd.com>
+Upstream-Status: Backport [36403e8788a264dc96174f52584681ebcb4f54b1]
+CVE: CVE-2021-3713
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/usb/dev-uas.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c
+index cec071d96..157734eb0 100644
+--- a/hw/usb/dev-uas.c
+++ b/hw/usb/dev-uas.c
+@@ -831,6 +831,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+         }
+         break;
+     case UAS_PIPE_ID_STATUS:
+        if (p->stream > UAS_MAX_STREAMS) {
+            goto err_stream;
+        }
+         if (p->stream) {
+             QTAILQ_FOREACH(st, &uas->results, next) {
+                 if (st->stream == p->stream) {
+@@ -858,6 +861,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+         break;
+     case UAS_PIPE_ID_DATA_IN:
+     case UAS_PIPE_ID_DATA_OUT:
+        if (p->stream > UAS_MAX_STREAMS) {
+            goto err_stream;
+        }
+         if (p->stream) {
+             req = usb_uas_find_request(uas, p->stream);
+         } else {
+@@ -893,6 +899,11 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+         p->status = USB_RET_STALL;
+         break;
+     }
+
+err_stream:
+    error_report("%s: invalid stream %d", __func__, p->stream);
+    p->status = USB_RET_STALL;
+    return;
+ }
+ 
+ static void usb_uas_unrealize(USBDevice *dev)
+-- 
+2.31.1
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
new file mode 100644
index 0000000000..4765f24739
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
@@ -0,0 +1,127 @@
+From bacc200f623647632258f7efc0f098ac30dd4225 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Thu, 2 Sep 2021 13:44:12 +0800
+Subject: [PATCH 09/12] virtio-net: fix use after unmap/free for sg
+When mergeable buffer is enabled, we try to set the num_buffers after
+the virtqueue elem has been unmapped. This will lead several issues,
+E.g a use after free when the descriptor has an address which belongs
+to the non direct access region. In this case we use bounce buffer
+that is allocated during address_space_map() and freed during
+address_space_unmap().
+Fixing this by storing the elems temporarily in an array and delay the
+unmap after we set the the num_buffers.
+This addresses CVE-2021-3748.
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Fixes: fbe78f4f55c6 ("virtio-net support")
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Upstream-Status: Backport [bedd7e93d01961fcb16a97ae45d93acf357e11f6]
+CVE: CVE-2021-3748
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++-------
+ 1 file changed, 32 insertions(+), 7 deletions(-)
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index 9179013ac..df1d30e2c 100644
+--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
+@@ -1665,10 +1665,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+     VirtIONet *n = qemu_get_nic_opaque(nc);
+     VirtIONetQueue *q = virtio_net_get_subqueue(nc);
+     VirtIODevice *vdev = VIRTIO_DEVICE(n);
+    VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE];
+    size_t lens[VIRTQUEUE_MAX_SIZE];
+     struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE];
+     struct virtio_net_hdr_mrg_rxbuf mhdr;
+     unsigned mhdr_cnt = 0;
+-    size_t offset, i, guest_offset;
+    size_t offset, i, guest_offset, j;
+    ssize_t err;
+ 
+     if (!virtio_net_can_receive(nc)) {
+         return -1;
+@@ -1699,6 +1702,12 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ 
+         total = 0;
+ 
+        if (i == VIRTQUEUE_MAX_SIZE) {
+            virtio_error(vdev, "virtio-net unexpected long buffer chain");
+            err = size;
+            goto err;
+        }
+
+         elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement));
+         if (!elem) {
+             if (i) {
+@@ -1710,7 +1719,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+                              n->guest_hdr_len, n->host_hdr_len,
+                              vdev->guest_features);
+             }
+-            return -1;
+            err = -1;
+            goto err;
+         }
+ 
+         if (elem->in_num < 1) {
+@@ -1718,7 +1728,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+                          "virtio-net receive queue contains no in buffers");
+             virtqueue_detach_element(q->rx_vq, elem, 0);
+             g_free(elem);
+-            return -1;
+            err = -1;
+            goto err;
+         }
+ 
+         sg = elem->in_sg;
+@@ -1755,12 +1766,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+         if (!n->mergeable_rx_bufs && offset < size) {
+             virtqueue_unpop(q->rx_vq, elem, total);
+             g_free(elem);
+-            return size;
+            err = size;
+            goto err;
+         }
+ 
+-        /* signal other side */
+-        virtqueue_fill(q->rx_vq, elem, total, i++);
+-        g_free(elem);
+        elems[i] = elem;
+        lens[i] = total;
+        i++;
+     }
+ 
+     if (mhdr_cnt) {
+@@ -1770,10 +1782,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+                      &mhdr.num_buffers, sizeof mhdr.num_buffers);
+     }
+ 
+    for (j = 0; j < i; j++) {
+        /* signal other side */
+        virtqueue_fill(q->rx_vq, elems[j], lens[j], j);
+        g_free(elems[j]);
+    }
+
+     virtqueue_flush(q->rx_vq, i);
+     virtio_notify(vdev, q->rx_vq);
+ 
+     return size;
+
+err:
+    for (j = 0; j < i; j++) {
+        g_free(elems[j]);
+    }
+
+    return err;
+ }
+ 
+ static ssize_t virtio_net_do_receive(NetClientState *nc, const uint8_t *buf,
+-- 
+2.31.1
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch
new file mode 100644
index 0000000000..bfbe5cee33
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch
@@ -0,0 +1,53 @@
+From cdca50eff9c38367be54f92839734ab490c8b0f7 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 4 Nov 2021 17:31:38 +0100
+Subject: [PATCH 10/12] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE
+ SELECT commands
+This avoids an off-by-one read of 'mode_sense_valid' buffer in
+hw/scsi/scsi-disk.c:mode_sense_page().
+Fixes: CVE-2021-3930
+Cc: qemu-stable@nongnu.org
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table")
+Fixes: #546
+Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Upstream-Status: Backport [b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8]
+CVE: CVE-2021-3930
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/scsi/scsi-disk.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
+index 90841ad79..5b44ed7d8 100644
+--- a/hw/scsi/scsi-disk.c
+++ b/hw/scsi/scsi-disk.c
+@@ -1100,6 +1100,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf,
+     uint8_t *p = *p_outbuf + 2;
+     int length;
+ 
+    assert(page < ARRAY_SIZE(mode_sense_valid));
+     if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
+         return -1;
+     }
+@@ -1441,6 +1442,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page,
+         return -1;
+     }
+ 
+    /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */
+    if (page == MODE_PAGE_ALLS) {
+        return -1;
+    }
+
+     p = mode_current;
+     memset(mode_current, 0, inlen + 2);
+     len = mode_sense_page(s, page, &p, 0);
+-- 
+2.31.1

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch new file mode 100644 index 0000000000..8b1ad0423b --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch
@@ -0,0 +1,54 @@
	1	From e907ff3d4cb7fd20d402f45355059e67d0dc93e7 Mon Sep 17 00:00:00 2001
	2	From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
	3	Date: Wed, 24 Nov 2021 17:15:34 +0100
	4	Subject: [PATCH 11/12] hw/block/fdc: Extract blk_create_empty_drive()
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	We are going to re-use this code in the next commit,
	10	so extract it as a new blk_create_empty_drive() function.
	11
	12	Inspired-by: Hanna Reitz <hreitz@redhat.com>
	13	Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
	14	Message-id: 20211124161536.631563-2-philmd@redhat.com
	15	Signed-off-by: John Snow <jsnow@redhat.com>
	16
	17	Upstream-Status: Backport [b154791e7b6d4ca5cdcd54443484d97360bd7ad2]
	18	CVE: CVE-2021-20196
	19
	20	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
	21	---
	22	hw/block/fdc.c \| 9 +++++++--
	23	1 file changed, 7 insertions(+), 2 deletions(-)
	24
	25	diff --git a/hw/block/fdc.c b/hw/block/fdc.c
	26	index 4c2c35e22..854b4f172 100644
	27	--- a/hw/block/fdc.c
	28	+++ b/hw/block/fdc.c
	29	@@ -61,6 +61,12 @@
	30	} while (0)
	31
	32
	33	+/* Anonymous BlockBackend for empty drive */
	34	+static BlockBackend *blk_create_empty_drive(void)
	35	+{
	36	+ return blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL);
	37	+}
	38	+
	39	/********************************************************/
	40	/* qdev floppy bus */
	41
	42	@@ -543,8 +549,7 @@ static void floppy_drive_realize(DeviceState qdev, Error *errp)
	43	}
	44
	45	if (!dev->conf.blk) {
	46	- /* Anonymous BlockBackend for an empty drive */
	47	- dev->conf.blk = blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL);
	48	+ dev->conf.blk = blk_create_empty_drive();
	49	ret = blk_attach_dev(dev->conf.blk, qdev);
	50	assert(ret == 0);
	51
	52	--
	53	2.31.1
	54


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch new file mode 100644 index 0000000000..dd442ccb8f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch
@@ -0,0 +1,67 @@
	1	From 1d48445a951fd5504190a38abeda70ea9372cf77 Mon Sep 17 00:00:00 2001
	2	From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
	3	Date: Wed, 24 Nov 2021 17:15:35 +0100
	4	Subject: [PATCH 12/12] hw/block/fdc: Kludge missing floppy drive to fix
	5	CVE-2021-20196
	6	MIME-Version: 1.0
	7	Content-Type: text/plain; charset=UTF-8
	8	Content-Transfer-Encoding: 8bit
	9
	10	Guest might select another drive on the bus by setting the
	11	DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR).
	12	The current controller model doesn't expect a BlockBackend
	13	to be NULL. A simple way to fix CVE-2021-20196 is to create
	14	an empty BlockBackend when it is missing. All further
	15	accesses will be safely handled, and the controller state
	16	machines keep behaving correctly.
	17
	18	Cc: qemu-stable@nongnu.org
	19	Fixes: CVE-2021-20196
	20	Reported-by: Gaoning Pan (Ant Security Light-Year Lab) <pgn@zju.edu.cn>
	21	Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
	22	Reviewed-by: Hanna Reitz <hreitz@redhat.com>
	23	Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
	24	Message-id: 20211124161536.631563-3-philmd@redhat.com
	25	BugLink: https://bugs.launchpad.net/qemu/+bug/1912780
	26	Resolves: https://gitlab.com/qemu-project/qemu/-/issues/338
	27	Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
	28	Reviewed-by: Hanna Reitz <hreitz@redhat.com>
	29	Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
	30	Signed-off-by: John Snow <jsnow@redhat.com>
	31
	32	Upstream-Status: Backport [1ab95af033a419e7a64e2d58e67dd96b20af5233]
	33	CVE: CVE-2021-20196
	34
	35	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
	36	---
	37	hw/block/fdc.c \| 14 +++++++++++++-
	38	1 file changed, 13 insertions(+), 1 deletion(-)
	39
	40	diff --git a/hw/block/fdc.c b/hw/block/fdc.c
	41	index 854b4f172..a736c4d14 100644
	42	--- a/hw/block/fdc.c
	43	+++ b/hw/block/fdc.c
	44	@@ -1365,7 +1365,19 @@ static FDrive get_drv(FDCtrl fdctrl, int unit)
	45
	46	static FDrive get_cur_drv(FDCtrl fdctrl)
	47	{
	48	- return get_drv(fdctrl, fdctrl->cur_drv);
	49	+ FDrive *cur_drv = get_drv(fdctrl, fdctrl->cur_drv);
	50	+
	51	+ if (!cur_drv->blk) {
	52	+ /*
	53	+ * Kludge: empty drive line selected. Create an anonymous
	54	+ * BlockBackend to avoid NULL deref with various BlockBackend
	55	+ * API calls within this model (CVE-2021-20196).
	56	+ * Due to the controller QOM model limitations, we don't
	57	+ * attach the created to the controller device.
	58	+ */
	59	+ cur_drv->blk = blk_create_empty_drive();
	60	+ }
	61	+ return cur_drv;
	62	}
	63
	64	/* Status A register : 0x00 (read-only) */
	65	--
	66	2.31.1
	67


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch new file mode 100644 index 0000000000..33fca66d3d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
@@ -0,0 +1,68 @@
	1	From 9a8f71ec660e67c51cc5905dd9d2a12ff78ce743 Mon Sep 17 00:00:00 2001
	2	From: Gerd Hoffmann <kraxel@redhat.com>
	3	Date: Wed, 18 Aug 2021 14:05:05 +0200
	4	Subject: [PATCH 08/12] uas: add stream number sanity checks.
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	The device uses the guest-supplied stream number unchecked, which can
	10	lead to guest-triggered out-of-band access to the UASDevice->data3 and
	11	UASDevice->status3 fields. Add the missing checks.
	12
	13	Fixes: CVE-2021-3713
	14	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
	15	Reported-by: Chen Zhe <chenzhe@huawei.com>
	16	Reported-by: Tan Jingguo <tanjingguo@huawei.com>
	17	Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
	18	Message-Id: <20210818120505.1258262-2-kraxel@redhat.com>
	19	(cherry picked from commit 13b250b12ad3c59114a6a17d59caf073ce45b33a)
	20	Signed-off-by: Michael Roth <michael.roth@amd.com>
	21
	22	Upstream-Status: Backport [36403e8788a264dc96174f52584681ebcb4f54b1]
	23	CVE: CVE-2021-3713
	24
	25	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
	26	---
	27	hw/usb/dev-uas.c \| 11 +++++++++++
	28	1 file changed, 11 insertions(+)
	29
	30	diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c
	31	index cec071d96..157734eb0 100644
	32	--- a/hw/usb/dev-uas.c
	33	+++ b/hw/usb/dev-uas.c
	34	@@ -831,6 +831,9 @@ static void usb_uas_handle_data(USBDevice dev, USBPacket p)
	35	}
	36	break;
	37	case UAS_PIPE_ID_STATUS:
	38	+ if (p->stream > UAS_MAX_STREAMS) {
	39	+ goto err_stream;
	40	+ }
	41	if (p->stream) {
	42	QTAILQ_FOREACH(st, &uas->results, next) {
	43	if (st->stream == p->stream) {
	44	@@ -858,6 +861,9 @@ static void usb_uas_handle_data(USBDevice dev, USBPacket p)
	45	break;
	46	case UAS_PIPE_ID_DATA_IN:
	47	case UAS_PIPE_ID_DATA_OUT:
	48	+ if (p->stream > UAS_MAX_STREAMS) {
	49	+ goto err_stream;
	50	+ }
	51	if (p->stream) {
	52	req = usb_uas_find_request(uas, p->stream);
	53	} else {
	54	@@ -893,6 +899,11 @@ static void usb_uas_handle_data(USBDevice dev, USBPacket p)
	55	p->status = USB_RET_STALL;
	56	break;
	57	}
	58	+
	59	+err_stream:
	60	+ error_report("%s: invalid stream %d", __func__, p->stream);
	61	+ p->status = USB_RET_STALL;
	62	+ return;
	63	}
	64
	65	static void usb_uas_unrealize(USBDevice *dev)
	66	--
	67	2.31.1
	68


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch new file mode 100644 index 0000000000..4765f24739 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
@@ -0,0 +1,127 @@
	1	From bacc200f623647632258f7efc0f098ac30dd4225 Mon Sep 17 00:00:00 2001
	2	From: Jason Wang <jasowang@redhat.com>
	3	Date: Thu, 2 Sep 2021 13:44:12 +0800
	4	Subject: [PATCH 09/12] virtio-net: fix use after unmap/free for sg
	5
	6	When mergeable buffer is enabled, we try to set the num_buffers after
	7	the virtqueue elem has been unmapped. This will lead several issues,
	8	E.g a use after free when the descriptor has an address which belongs
	9	to the non direct access region. In this case we use bounce buffer
	10	that is allocated during address_space_map() and freed during
	11	address_space_unmap().
	12
	13	Fixing this by storing the elems temporarily in an array and delay the
	14	unmap after we set the the num_buffers.
	15
	16	This addresses CVE-2021-3748.
	17
	18	Reported-by: Alexander Bulekov <alxndr@bu.edu>
	19	Fixes: fbe78f4f55c6 ("virtio-net support")
	20	Cc: qemu-stable@nongnu.org
	21	Signed-off-by: Jason Wang <jasowang@redhat.com>
	22
	23	Upstream-Status: Backport [bedd7e93d01961fcb16a97ae45d93acf357e11f6]
	24	CVE: CVE-2021-3748
	25
	26	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
	27	---
	28	hw/net/virtio-net.c \| 39 ++++++++++++++++++++++++++++++++-------
	29	1 file changed, 32 insertions(+), 7 deletions(-)
	30
	31	diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
	32	index 9179013ac..df1d30e2c 100644
	33	--- a/hw/net/virtio-net.c
	34	+++ b/hw/net/virtio-net.c
	35	@@ -1665,10 +1665,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState nc, const uint8_t buf,
	36	VirtIONet *n = qemu_get_nic_opaque(nc);
	37	VirtIONetQueue *q = virtio_net_get_subqueue(nc);
	38	VirtIODevice *vdev = VIRTIO_DEVICE(n);
	39	+ VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE];
	40	+ size_t lens[VIRTQUEUE_MAX_SIZE];
	41	struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE];
	42	struct virtio_net_hdr_mrg_rxbuf mhdr;
	43	unsigned mhdr_cnt = 0;
	44	- size_t offset, i, guest_offset;
	45	+ size_t offset, i, guest_offset, j;
	46	+ ssize_t err;
	47
	48	if (!virtio_net_can_receive(nc)) {
	49	return -1;
	50	@@ -1699,6 +1702,12 @@ static ssize_t virtio_net_receive_rcu(NetClientState nc, const uint8_t buf,
	51
	52	total = 0;
	53
	54	+ if (i == VIRTQUEUE_MAX_SIZE) {
	55	+ virtio_error(vdev, "virtio-net unexpected long buffer chain");
	56	+ err = size;
	57	+ goto err;
	58	+ }
	59	+
	60	elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement));
	61	if (!elem) {
	62	if (i) {
	63	@@ -1710,7 +1719,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState nc, const uint8_t buf,
	64	n->guest_hdr_len, n->host_hdr_len,
	65	vdev->guest_features);
	66	}
	67	- return -1;
	68	+ err = -1;
	69	+ goto err;
	70	}
	71
	72	if (elem->in_num < 1) {
	73	@@ -1718,7 +1728,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState nc, const uint8_t buf,
	74	"virtio-net receive queue contains no in buffers");
	75	virtqueue_detach_element(q->rx_vq, elem, 0);
	76	g_free(elem);
	77	- return -1;
	78	+ err = -1;
	79	+ goto err;
	80	}
	81
	82	sg = elem->in_sg;
	83	@@ -1755,12 +1766,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState nc, const uint8_t buf,
	84	if (!n->mergeable_rx_bufs && offset < size) {
	85	virtqueue_unpop(q->rx_vq, elem, total);
	86	g_free(elem);
	87	- return size;
	88	+ err = size;
	89	+ goto err;
	90	}
	91
	92	- /* signal other side */
	93	- virtqueue_fill(q->rx_vq, elem, total, i++);
	94	- g_free(elem);
	95	+ elems[i] = elem;
	96	+ lens[i] = total;
	97	+ i++;
	98	}
	99
	100	if (mhdr_cnt) {
	101	@@ -1770,10 +1782,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState nc, const uint8_t buf,
	102	&mhdr.num_buffers, sizeof mhdr.num_buffers);
	103	}
	104
	105	+ for (j = 0; j < i; j++) {
	106	+ /* signal other side */
	107	+ virtqueue_fill(q->rx_vq, elems[j], lens[j], j);
	108	+ g_free(elems[j]);
	109	+ }
	110	+
	111	virtqueue_flush(q->rx_vq, i);
	112	virtio_notify(vdev, q->rx_vq);
	113
	114	return size;
	115	+
	116	+err:
	117	+ for (j = 0; j < i; j++) {
	118	+ g_free(elems[j]);
	119	+ }
	120	+
	121	+ return err;
	122	}
	123
	124	static ssize_t virtio_net_do_receive(NetClientState nc, const uint8_t buf,
	125	--
	126	2.31.1
	127


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch new file mode 100644 index 0000000000..bfbe5cee33 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch
@@ -0,0 +1,53 @@
	1	From cdca50eff9c38367be54f92839734ab490c8b0f7 Mon Sep 17 00:00:00 2001
	2	From: Mauro Matteo Cascella <mcascell@redhat.com>
	3	Date: Thu, 4 Nov 2021 17:31:38 +0100
	4	Subject: [PATCH 10/12] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE
	5	SELECT commands
	6
	7	This avoids an off-by-one read of 'mode_sense_valid' buffer in
	8	hw/scsi/scsi-disk.c:mode_sense_page().
	9
	10	Fixes: CVE-2021-3930
	11	Cc: qemu-stable@nongnu.org
	12	Reported-by: Alexander Bulekov <alxndr@bu.edu>
	13	Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table")
	14	Fixes: #546
	15	Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
	16	Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
	17	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
	18
	19	Upstream-Status: Backport [b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8]
	20	CVE: CVE-2021-3930
	21
	22	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
	23	---
	24	hw/scsi/scsi-disk.c \| 6 ++++++
	25	1 file changed, 6 insertions(+)
	26
	27	diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
	28	index 90841ad79..5b44ed7d8 100644
	29	--- a/hw/scsi/scsi-disk.c
	30	+++ b/hw/scsi/scsi-disk.c
	31	@@ -1100,6 +1100,7 @@ static int mode_sense_page(SCSIDiskState s, int page, uint8_t *p_outbuf,
	32	uint8_t p = p_outbuf + 2;
	33	int length;
	34
	35	+ assert(page < ARRAY_SIZE(mode_sense_valid));
	36	if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
	37	return -1;
	38	}
	39	@@ -1441,6 +1442,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page,
	40	return -1;
	41	}
	42
	43	+ /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */
	44	+ if (page == MODE_PAGE_ALLS) {
	45	+ return -1;
	46	+ }
	47	+
	48	p = mode_current;
	49	memset(mode_current, 0, inlen + 2);
	50	len = mode_sense_page(s, page, &p, 0);
	51	--
	52	2.31.1
	53