Diffstat (limited to 'meta/recipes-devtools/qemu')
95 files changed, 6792 insertions, 24 deletions
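--- a/meta/recipes-devtools/qemu/qemu-system-native_4.2.0.bb
+++ b/meta/recipes-devtools/qemu/qemu-system-native_4.2.0.bb
@@ -9,7 +9,7 @@ DEPENDS = "glib-2.0-native zlib-native pixman-native qemu-native bison-native"
 
 EXTRA_OECONF_append = " --target-list=${@get_qemu_system_target_list(d)}"
 
-PACKAGECONFIG ??= "fdt alsa kvm"
+PACKAGECONFIG ??= "fdt alsa kvm slirp"
 
 # Handle distros such as CentOS 5 32-bit that do not have kvm support
 PACKAGECONFIG_remove = "${@'kvm' if not os.path.exists('/usr/include/linux/kvm.h') else ''}"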
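Review bot: Adding `slirp` to the default PACKAGECONFIG builds user-mode networking from QEMU's in-tree libslirp copy, because the option it turns on is defined in the qemu.inc hunk of this commit as `--enable-slirp=git` rather than against a system libslirp. libslirp fixes are published under their own CVE product, so, if I read the cve-check class correctly, they will not be reported against this recipe unless CVE_PRODUCT is extended to cover it, and in any case the bundled copy only changes when QEMU's submodule pointer does. A one-line note beside this default would record that, e.g. `# slirp is built from QEMU's bundled libslirp (PACKAGECONFIG[slirp] in qemu.inc); libslirp CVEs must be tracked for this recipe separately`. The same remark applies to the `PACKAGECONFIG[slirp]` line in the qemu.inc hunk.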
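--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -35,30 +35,147 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://CVE-2020-7039-2.patch \
 file://CVE-2020-7039-3.patch \
 file://0001-Add-enable-disable-udev.patch \
 file://CVE-2020-7211.patch \
 file://0001-qemu-Do-not-include-file-if-not-exists.patch \
 file://CVE-2020-11102.patch \
 file://CVE-2020-11869.patch \
 file://CVE-2020-13361.patch \
 file://CVE-2020-10761.patch \
 file://CVE-2020-10702.patch \
 file://CVE-2020-13659.patch \
 file://CVE-2020-13800.patch \
 file://CVE-2020-13362.patch \
 file://CVE-2020-15863.patch \
 file://CVE-2020-14364.patch \
 file://CVE-2020-14415.patch \
 file://CVE-2020-16092.patch \
 file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \
 file://CVE-2019-20175.patch \
 file://CVE-2020-24352.patch \
 file://CVE-2020-25723.patch \
-"
+file://CVE-2021-20203.patch \
+file://CVE-2021-3392.patch \
+file://CVE-2020-25085.patch \
+file://CVE-2020-25624_1.patch \
+file://CVE-2020-25624_2.patch \
+file://CVE-2020-25625.patch \
+file://CVE-2020-29443.patch \
+file://CVE-2021-20221.patch \
+file://CVE-2021-20181.patch \
+file://CVE-2021-3416_1.patch \
+file://CVE-2021-3416_2.patch \
+file://CVE-2021-3416_3.patch \
+file://CVE-2021-3416_5.patch \
+file://CVE-2021-3416_6.patch \
+file://CVE-2021-3416_7.patch \
+file://CVE-2021-3416_8.patch \
+file://CVE-2021-3416_9.patch \
+file://CVE-2021-3416_10.patch \
+file://CVE-2021-20257.patch \
+file://CVE-2021-3544.patch \
+file://CVE-2021-3544_2.patch \
+file://CVE-2021-3544_3.patch \
+file://CVE-2021-3544_4.patch \
+file://CVE-2021-3544_5.patch \
+file://CVE-2021-3545.patch \
+file://CVE-2021-3546.patch \
+file://CVE-2021-3527-1.patch \
+file://CVE-2021-3527-2.patch \
+file://CVE-2021-3582.patch \
+file://CVE-2021-3607.patch \
+file://CVE-2021-3608.patch \
+file://CVE-2020-12829_1.patch \
+file://CVE-2020-12829_2.patch \
+file://CVE-2020-12829_3.patch \
+file://CVE-2020-12829_4.patch \
+file://CVE-2020-12829_5.patch \
+file://CVE-2020-27617.patch \
+file://CVE-2020-28916.patch \
+file://CVE-2021-3682.patch \
+file://CVE-2020-13253_1.patch \
+file://CVE-2020-13253_2.patch \
+file://CVE-2020-13253_3.patch \
+file://CVE-2020-13253_4.patch \
+file://CVE-2020-13253_5.patch \
+file://CVE-2020-13791.patch \
+file://CVE-2022-35414.patch \
+file://CVE-2020-27821.patch \
+file://CVE-2020-13754-1.patch \
+file://CVE-2020-13754-2.patch \
+file://CVE-2020-13754-3.patch \
+file://CVE-2020-13754-4.patch \
+file://CVE-2021-3713.patch \
+file://CVE-2021-3748.patch \
+file://CVE-2021-3930.patch \
+file://CVE-2021-4206.patch \
+file://CVE-2021-4207.patch \
+file://CVE-2022-0216-1.patch \
+file://CVE-2022-0216-2.patch \
+file://CVE-2021-3750.patch \
+file://CVE-2021-3638.patch \
+file://CVE-2021-20196.patch \
+file://CVE-2021-3507.patch \
+file://hw-block-nvme-refactor-nvme_addr_read.patch \
+file://hw-block-nvme-handle-dma-errors.patch \
+file://CVE-2021-3929.patch \
+file://CVE-2022-4144.patch \
+file://CVE-2020-15859.patch \
+file://CVE-2020-15469-1.patch \
+file://CVE-2020-15469-2.patch \
+file://CVE-2020-15469-3.patch \
+file://CVE-2020-15469-4.patch \
+file://CVE-2020-15469-5.patch \
+file://CVE-2020-15469-6.patch \
+file://CVE-2020-15469-7.patch \
+file://CVE-2020-15469-8.patch \
+file://CVE-2020-35504.patch \
+file://CVE-2020-35505.patch \
+file://CVE-2022-26354.patch \
+file://CVE-2021-3409-1.patch \
+file://CVE-2021-3409-2.patch \
+file://CVE-2021-3409-3.patch \
+file://CVE-2021-3409-4.patch \
+file://CVE-2021-3409-5.patch \
+file://hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \
+file://CVE-2023-0330.patch \
+file://CVE-2023-3354.patch \
+file://CVE-2023-3180.patch \
+file://CVE-2020-24165.patch \
+file://CVE-2023-5088.patch \
+file://9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch \
+file://CVE-2023-2861.patch \
+"
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
 SRC_URI[md5sum] = "278eeb294e4b497e79af7a57e660cb9a"
 SRC_URI[sha256sum] = "d3481d4108ce211a053ef15be69af1bdd9dde1510fda80d92be0f6c3e98768f0"
 
+# Applies against virglrender < 0.6.0 and not qemu itself
+CVE_CHECK_WHITELIST += "CVE-2017-5957"
+
+# The VNC server can expose host files uder some circumstances. We don't
+# enable it by default.
+CVE_CHECK_WHITELIST += "CVE-2007-0998"
+
+# 'The issues identified by this CVE were determined to not constitute a vulnerability.'
+# https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11
+CVE_CHECK_WHITELIST += "CVE-2018-18438"
+
+# the issue introduced in v5.1.0-rc0
+CVE_CHECK_WHITELIST += "CVE-2020-27661"
+
+# As per https://nvd.nist.gov/vuln/detail/CVE-2023-0664
+# https://bugzilla.redhat.com/show_bug.cgi?id=2167423
+# this bug related to windows specific.
+CVE_CHECK_WHITELIST += "CVE-2023-0664"
+
+# As per https://bugzilla.redhat.com/show_bug.cgi?id=2203387
+# RHEL specific issue
+CVE_CHECK_WHITELIST += "CVE-2023-2680"
+
+# Affected only `qemu-kvm` shipped with Red Hat Enterprise Linux 8.3 release.
+CVE_CHECK_WHITELIST += "CVE-2021-20295"
+
 COMPATIBLE_HOST_mipsarchn32 = "null"
 COMPATIBLE_HOST_mipsarchn64 = "null"
 
@@ -197,6 +314,16 @@ PACKAGECONFIG[glusterfs] = "--enable-glusterfs,--disable-glusterfs"
 PACKAGECONFIG[xkbcommon] = "--enable-xkbcommon,--disable-xkbcommon,libxkbcommon"
 PACKAGECONFIG[libudev] = "--enable-libudev,--disable-libudev,eudev"
 PACKAGECONFIG[libxml2] = "--enable-libxml2,--disable-libxml2,libxml2"
+PACKAGECONFIG[seccomp] = "--enable-seccomp,--disable-seccomp,libseccomp"
+PACKAGECONFIG[capstone] = "--enable-capstone,--disable-capstone"
+# libnfs is currently provided by meta-kodi
+PACKAGECONFIG[libnfs] = "--enable-libnfs,--disable-libnfs,libnfs"
+PACKAGECONFIG[brlapi] = "--enable-brlapi,--disable-brlapi"
+PACKAGECONFIG[vde] = "--enable-vde,--disable-vde"
+# version 4.2.0 doesn't have an "internal" option for enable-slirp, so use "git" which uses the same configure code path
+PACKAGECONFIG[slirp] = "--enable-slirp=git,--disable-slirp"
+PACKAGECONFIG[rbd] = "--enable-rbd,--disable-rbd"
+PACKAGECONFIG[rdma] = "--enable-rdma,--disable-rdma"
 
 INSANE_SKIP_${PN} = "arch"
 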
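Review bot: The new CVE-2021-3416 series in SRC_URI jumps from `file://CVE-2021-3416_3.patch` to `file://CVE-2021-3416_5.patch`, so `_4` is missing with no explanation in the recipe. If the fourth upstream patch was judged not applicable to 4.2.0, that decision should be written down, otherwise the next person auditing this list will read the series as incomplete and the CVE as only partially addressed. Bitbake does not accept comments inside a continued string, so the note belongs above the SRC_URI assignment, which starts outside this hunk, e.g. `# CVE-2021-3416_4 intentionally omitted: <reason>`. Relatedly, the CVE_CHECK_WHITELIST entry for CVE-2007-0998 is justified by VNC not being enabled by default, but the whitelist is unconditional, so the comment should say the entry must be revisited if VNC is turned on in a build.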
diff --git a/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch b/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch index 3a7d7bbd33..3789f1edea 100644 --- a/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch +++ b/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch | |||
@@ -60,7 +60,7 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> | |||
60 | 1 file changed, 5 insertions(+), 2 deletions(-) | 60 | 1 file changed, 5 insertions(+), 2 deletions(-) |
61 | 61 | ||
62 | diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c | 62 | diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c |
63 | index 6f132c5f..8329950c 100644 | 63 | index 300c9765..2823db7d 100644 |
64 | --- a/fsdev/virtfs-proxy-helper.c | 64 | --- a/fsdev/virtfs-proxy-helper.c |
65 | +++ b/fsdev/virtfs-proxy-helper.c | 65 | +++ b/fsdev/virtfs-proxy-helper.c |
66 | @@ -13,7 +13,6 @@ | 66 | @@ -13,7 +13,6 @@ |
@@ -71,9 +71,9 @@ index 6f132c5f..8329950c 100644 | |||
71 | #include <sys/fsuid.h> | 71 | #include <sys/fsuid.h> |
72 | #include <sys/vfs.h> | 72 | #include <sys/vfs.h> |
73 | #include <sys/ioctl.h> | 73 | #include <sys/ioctl.h> |
74 | @@ -27,7 +26,11 @@ | 74 | @@ -28,7 +27,11 @@ |
75 | #include "9p-iov-marshal.h" | ||
76 | #include "hw/9pfs/9p-proxy.h" | 75 | #include "hw/9pfs/9p-proxy.h" |
76 | #include "hw/9pfs/9p-util.h" | ||
77 | #include "fsdev/9p-iov-marshal.h" | 77 | #include "fsdev/9p-iov-marshal.h" |
78 | - | 78 | - |
79 | +/* | 79 | +/* |
@@ -84,3 +84,6 @@ index 6f132c5f..8329950c 100644 | |||
84 | #define PROGNAME "virtfs-proxy-helper" | 84 | #define PROGNAME "virtfs-proxy-helper" |
85 | 85 | ||
86 | #ifndef XFS_SUPER_MAGIC | 86 | #ifndef XFS_SUPER_MAGIC |
87 | -- | ||
88 | 2.25.1 | ||
89 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch b/meta/recipes-devtools/qemu/qemu/9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch new file mode 100644 index 0000000000..72d9c47bde --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch | |||
@@ -0,0 +1,63 @@ | |||
1 | From a5804fcf7b22fc7d1f9ec794dd284c7d504bd16b Mon Sep 17 00:00:00 2001 | ||
2 | From: Omar Sandoval <osandov@fb.com> | ||
3 | Date: Thu, 14 May 2020 08:06:43 +0200 | ||
4 | Subject: [PATCH] 9pfs: local: ignore O_NOATIME if we don't have permissions | ||
5 | |||
6 | QEMU's local 9pfs server passes through O_NOATIME from the client. If | ||
7 | the QEMU process doesn't have permissions to use O_NOATIME (namely, it | ||
8 | does not own the file nor have the CAP_FOWNER capability), the open will | ||
9 | fail. This causes issues when from the client's point of view, it | ||
10 | believes it has permissions to use O_NOATIME (e.g., a process running as | ||
11 | root in the virtual machine). Additionally, overlayfs on Linux opens | ||
12 | files on the lower layer using O_NOATIME, so in this case a 9pfs mount | ||
13 | can't be used as a lower layer for overlayfs (cf. | ||
14 | https://github.com/osandov/drgn/blob/dabfe1971951701da13863dbe6d8a1d172ad9650/vmtest/onoatimehack.c | ||
15 | and https://github.com/NixOS/nixpkgs/issues/54509). | ||
16 | |||
17 | Luckily, O_NOATIME is effectively a hint, and is often ignored by, e.g., | ||
18 | network filesystems. open(2) notes that O_NOATIME "may not be effective | ||
19 | on all filesystems. One example is NFS, where the server maintains the | ||
20 | access time." This means that we can honor it when possible but fall | ||
21 | back to ignoring it. | ||
22 | |||
23 | Acked-by: Christian Schoenebeck <qemu_oss@crudebyte.com> | ||
24 | Signed-off-by: Omar Sandoval <osandov@fb.com> | ||
25 | Message-Id: <e9bee604e8df528584693a4ec474ded6295ce8ad.1587149256.git.osandov@fb.com> | ||
26 | Signed-off-by: Greg Kurz <groug@kaod.org> | ||
27 | |||
28 | Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/a5804fcf7b22fc7d1f9ec794dd284c7d504bd16b] | ||
29 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
30 | --- | ||
31 | hw/9pfs/9p-util.h | 13 +++++++++++++ | ||
32 | 1 file changed, 13 insertions(+) | ||
33 | |||
34 | diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h | ||
35 | index 79ed6b233e5..546f46dc7dc 100644 | ||
36 | --- a/hw/9pfs/9p-util.h | ||
37 | +++ b/hw/9pfs/9p-util.h | ||
38 | @@ -37,9 +37,22 @@ static inline int openat_file(int dirfd, const char *name, int flags, | ||
39 | { | ||
40 | int fd, serrno, ret; | ||
41 | |||
42 | +again: | ||
43 | fd = openat(dirfd, name, flags | O_NOFOLLOW | O_NOCTTY | O_NONBLOCK, | ||
44 | mode); | ||
45 | if (fd == -1) { | ||
46 | + if (errno == EPERM && (flags & O_NOATIME)) { | ||
47 | + /* | ||
48 | + * The client passed O_NOATIME but we lack permissions to honor it. | ||
49 | + * Rather than failing the open, fall back without O_NOATIME. This | ||
50 | + * doesn't break the semantics on the client side, as the Linux | ||
51 | + * open(2) man page notes that O_NOATIME "may not be effective on | ||
52 | + * all filesystems". In particular, NFS and other network | ||
53 | + * filesystems ignore it entirely. | ||
54 | + */ | ||
55 | + flags &= ~O_NOATIME; | ||
56 | + goto again; | ||
57 | + } | ||
58 | return -1; | ||
59 | } | ||
60 | |||
61 | -- | ||
62 | GitLab | ||
63 | |||
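Review bot: The header of this new patch carries an `Upstream-Status: Backport [...]` line but no `CVE:` line, unlike the CVE-2020-12829_N patches added in the same commit, which mark non-fix prerequisites with `CVE: CVE-2020-12829 dep#1` and so on. This patch is not itself a CVE fix, and qemu.inc lists it immediately before CVE-2023-2861.patch, which suggests it is carried as a prerequisite for that fix; if so, the header should say so in the same style, e.g. `CVE: CVE-2023-2861 dep#1`, so a later cleanup of the patch list can tell it apart from an unrelated backport. The retry in openat_file is self-limiting as written: after `flags &= ~O_NOATIME` the `errno == EPERM && (flags & O_NOATIME)` branch can no longer be taken, so `goto again` runs at most once.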
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_1.patch new file mode 100644 index 0000000000..6fee4f640d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_1.patch | |||
@@ -0,0 +1,164 @@ | |||
1 | From e29da77e5fddf6480e3a0e80b63d703edaec751b Mon Sep 17 00:00:00 2001 | ||
2 | From: BALATON Zoltan <balaton@eik.bme.hu> | ||
3 | Date: Thu, 21 May 2020 21:39:44 +0200 | ||
4 | Subject: [PATCH] sm501: Convert printf + abort to qemu_log_mask | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | Some places already use qemu_log_mask() to log unimplemented features | ||
10 | or errors but some others have printf() then abort(). Convert these to | ||
11 | qemu_log_mask() and avoid aborting to prevent guests to easily cause | ||
12 | denial of service. | ||
13 | |||
14 | Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu> | ||
15 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
16 | Message-id: 305af87f59d81e92f2aaff09eb8a3603b8baa322.1590089984.git.balaton@eik.bme.hu | ||
17 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
18 | |||
19 | Upstream-Status: Backport | ||
20 | CVE: CVE-2020-12829 dep#1 | ||
21 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
22 | |||
23 | --- | ||
24 | hw/display/sm501.c | 57 ++++++++++++++++++++++------------------------ | ||
25 | 1 file changed, 27 insertions(+), 30 deletions(-) | ||
26 | |||
27 | diff --git a/hw/display/sm501.c b/hw/display/sm501.c | ||
28 | index acc692531a..bd3ccfe311 100644 | ||
29 | --- a/hw/display/sm501.c | ||
30 | +++ b/hw/display/sm501.c | ||
31 | @@ -727,8 +727,8 @@ static void sm501_2d_operation(SM501State *s) | ||
32 | int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt); | ||
33 | |||
34 | if (addressing != 0x0) { | ||
35 | - printf("%s: only XY addressing is supported.\n", __func__); | ||
36 | - abort(); | ||
37 | + qemu_log_mask(LOG_UNIMP, "sm501: only XY addressing is supported.\n"); | ||
38 | + return; | ||
39 | } | ||
40 | |||
41 | if (rop_mode == 0) { | ||
42 | @@ -754,8 +754,8 @@ static void sm501_2d_operation(SM501State *s) | ||
43 | |||
44 | if ((s->twoD_source_base & 0x08000000) || | ||
45 | (s->twoD_destination_base & 0x08000000)) { | ||
46 | - printf("%s: only local memory is supported.\n", __func__); | ||
47 | - abort(); | ||
48 | + qemu_log_mask(LOG_UNIMP, "sm501: only local memory is supported.\n"); | ||
49 | + return; | ||
50 | } | ||
51 | |||
52 | switch (operation) { | ||
53 | @@ -823,9 +823,9 @@ static void sm501_2d_operation(SM501State *s) | ||
54 | break; | ||
55 | |||
56 | default: | ||
57 | - printf("non-implemented SM501 2D operation. %d\n", operation); | ||
58 | - abort(); | ||
59 | - break; | ||
60 | + qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n", | ||
61 | + operation); | ||
62 | + return; | ||
63 | } | ||
64 | |||
65 | if (dst_base >= get_fb_addr(s, crt) && | ||
66 | @@ -892,9 +892,8 @@ static uint64_t sm501_system_config_read(void *opaque, hwaddr addr, | ||
67 | break; | ||
68 | |||
69 | default: | ||
70 | - printf("sm501 system config : not implemented register read." | ||
71 | - " addr=%x\n", (int)addr); | ||
72 | - abort(); | ||
73 | + qemu_log_mask(LOG_UNIMP, "sm501: not implemented system config" | ||
74 | + "register read. addr=%" HWADDR_PRIx "\n", addr); | ||
75 | } | ||
76 | |||
77 | return ret; | ||
78 | @@ -948,15 +947,15 @@ static void sm501_system_config_write(void *opaque, hwaddr addr, | ||
79 | break; | ||
80 | case SM501_ENDIAN_CONTROL: | ||
81 | if (value & 0x00000001) { | ||
82 | - printf("sm501 system config : big endian mode not implemented.\n"); | ||
83 | - abort(); | ||
84 | + qemu_log_mask(LOG_UNIMP, "sm501: system config big endian mode not" | ||
85 | + " implemented.\n"); | ||
86 | } | ||
87 | break; | ||
88 | |||
89 | default: | ||
90 | - printf("sm501 system config : not implemented register write." | ||
91 | - " addr=%x, val=%x\n", (int)addr, (uint32_t)value); | ||
92 | - abort(); | ||
93 | + qemu_log_mask(LOG_UNIMP, "sm501: not implemented system config" | ||
94 | + "register write. addr=%" HWADDR_PRIx | ||
95 | + ", val=%" PRIx64 "\n", addr, value); | ||
96 | } | ||
97 | } | ||
98 | |||
99 | @@ -1207,9 +1206,8 @@ static uint64_t sm501_disp_ctrl_read(void *opaque, hwaddr addr, | ||
100 | break; | ||
101 | |||
102 | default: | ||
103 | - printf("sm501 disp ctrl : not implemented register read." | ||
104 | - " addr=%x\n", (int)addr); | ||
105 | - abort(); | ||
106 | + qemu_log_mask(LOG_UNIMP, "sm501: not implemented disp ctrl register " | ||
107 | + "read. addr=%" HWADDR_PRIx "\n", addr); | ||
108 | } | ||
109 | |||
110 | return ret; | ||
111 | @@ -1345,9 +1343,9 @@ static void sm501_disp_ctrl_write(void *opaque, hwaddr addr, | ||
112 | break; | ||
113 | |||
114 | default: | ||
115 | - printf("sm501 disp ctrl : not implemented register write." | ||
116 | - " addr=%x, val=%x\n", (int)addr, (unsigned)value); | ||
117 | - abort(); | ||
118 | + qemu_log_mask(LOG_UNIMP, "sm501: not implemented disp ctrl register " | ||
119 | + "write. addr=%" HWADDR_PRIx | ||
120 | + ", val=%" PRIx64 "\n", addr, value); | ||
121 | } | ||
122 | } | ||
123 | |||
124 | @@ -1433,9 +1431,8 @@ static uint64_t sm501_2d_engine_read(void *opaque, hwaddr addr, | ||
125 | ret = 0; /* Should return interrupt status */ | ||
126 | break; | ||
127 | default: | ||
128 | - printf("sm501 disp ctrl : not implemented register read." | ||
129 | - " addr=%x\n", (int)addr); | ||
130 | - abort(); | ||
131 | + qemu_log_mask(LOG_UNIMP, "sm501: not implemented disp ctrl register " | ||
132 | + "read. addr=%" HWADDR_PRIx "\n", addr); | ||
133 | } | ||
134 | |||
135 | return ret; | ||
136 | @@ -1520,9 +1517,9 @@ static void sm501_2d_engine_write(void *opaque, hwaddr addr, | ||
137 | /* ignored, writing 0 should clear interrupt status */ | ||
138 | break; | ||
139 | default: | ||
140 | - printf("sm501 2d engine : not implemented register write." | ||
141 | - " addr=%x, val=%x\n", (int)addr, (unsigned)value); | ||
142 | - abort(); | ||
143 | + qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2d engine register " | ||
144 | + "write. addr=%" HWADDR_PRIx | ||
145 | + ", val=%" PRIx64 "\n", addr, value); | ||
146 | } | ||
147 | } | ||
148 | |||
149 | @@ -1670,9 +1667,9 @@ static void sm501_update_display(void *opaque) | ||
150 | draw_line = draw_line32_funcs[dst_depth_index]; | ||
151 | break; | ||
152 | default: | ||
153 | - printf("sm501 update display : invalid control register value.\n"); | ||
154 | - abort(); | ||
155 | - break; | ||
156 | + qemu_log_mask(LOG_GUEST_ERROR, "sm501: update display" | ||
157 | + "invalid control register value.\n"); | ||
158 | + return; | ||
159 | } | ||
160 | |||
161 | /* set up to draw hardware cursor */ | ||
162 | -- | ||
163 | 2.25.1 | ||
164 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch new file mode 100644 index 0000000000..e7258a43d3 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch | |||
@@ -0,0 +1,139 @@ | |||
1 | From 6f8183b5dc5b309378687830a25e85ea8fb860ea Mon Sep 17 00:00:00 2001 | ||
2 | From: BALATON Zoltan <balaton@eik.bme.hu> | ||
3 | Date: Thu, 21 May 2020 21:39:44 +0200 | ||
4 | Subject: [PATCH 2/5] sm501: Shorten long variable names in sm501_2d_operation | ||
5 | |||
6 | This increases readability and cleans up some confusing naming. | ||
7 | |||
8 | Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu> | ||
9 | Message-id: b9b67b94c46e945252a73c77dfd117132c63c4fb.1590089984.git.balaton@eik.bme.hu | ||
10 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
11 | |||
12 | Upstream-Status: Backport | ||
13 | CVE: CVE-2020-12829 dep#2 | ||
14 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
15 | |||
16 | --- | ||
17 | hw/display/sm501.c | 45 ++++++++++++++++++++++----------------------- | ||
18 | 1 file changed, 22 insertions(+), 23 deletions(-) | ||
19 | |||
20 | diff --git a/hw/display/sm501.c b/hw/display/sm501.c | ||
21 | index bd3ccfe311..f42d05e1e4 100644 | ||
22 | --- a/hw/display/sm501.c | ||
23 | +++ b/hw/display/sm501.c | ||
24 | @@ -700,17 +700,16 @@ static inline void hwc_invalidate(SM501State *s, int crt) | ||
25 | static void sm501_2d_operation(SM501State *s) | ||
26 | { | ||
27 | /* obtain operation parameters */ | ||
28 | - int operation = (s->twoD_control >> 16) & 0x1f; | ||
29 | + int cmd = (s->twoD_control >> 16) & 0x1F; | ||
30 | int rtl = s->twoD_control & 0x8000000; | ||
31 | int src_x = (s->twoD_source >> 16) & 0x01FFF; | ||
32 | int src_y = s->twoD_source & 0xFFFF; | ||
33 | int dst_x = (s->twoD_destination >> 16) & 0x01FFF; | ||
34 | int dst_y = s->twoD_destination & 0xFFFF; | ||
35 | - int operation_width = (s->twoD_dimension >> 16) & 0x1FFF; | ||
36 | - int operation_height = s->twoD_dimension & 0xFFFF; | ||
37 | + int width = (s->twoD_dimension >> 16) & 0x1FFF; | ||
38 | + int height = s->twoD_dimension & 0xFFFF; | ||
39 | uint32_t color = s->twoD_foreground; | ||
40 | - int format_flags = (s->twoD_stretch >> 20) & 0x3; | ||
41 | - int addressing = (s->twoD_stretch >> 16) & 0xF; | ||
42 | + int format = (s->twoD_stretch >> 20) & 0x3; | ||
43 | int rop_mode = (s->twoD_control >> 15) & 0x1; /* 1 for rop2, else rop3 */ | ||
44 | /* 1 if rop2 source is the pattern, otherwise the source is the bitmap */ | ||
45 | int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1; | ||
46 | @@ -721,12 +720,12 @@ static void sm501_2d_operation(SM501State *s) | ||
47 | /* get frame buffer info */ | ||
48 | uint8_t *src = s->local_mem + src_base; | ||
49 | uint8_t *dst = s->local_mem + dst_base; | ||
50 | - int src_width = s->twoD_pitch & 0x1FFF; | ||
51 | - int dst_width = (s->twoD_pitch >> 16) & 0x1FFF; | ||
52 | + int src_pitch = s->twoD_pitch & 0x1FFF; | ||
53 | + int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF; | ||
54 | int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0; | ||
55 | int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt); | ||
56 | |||
57 | - if (addressing != 0x0) { | ||
58 | + if ((s->twoD_stretch >> 16) & 0xF) { | ||
59 | qemu_log_mask(LOG_UNIMP, "sm501: only XY addressing is supported.\n"); | ||
60 | return; | ||
61 | } | ||
62 | @@ -758,20 +757,20 @@ static void sm501_2d_operation(SM501State *s) | ||
63 | return; | ||
64 | } | ||
65 | |||
66 | - switch (operation) { | ||
67 | + switch (cmd) { | ||
68 | case 0x00: /* copy area */ | ||
69 | #define COPY_AREA(_bpp, _pixel_type, rtl) { \ | ||
70 | int y, x, index_d, index_s; \ | ||
71 | - for (y = 0; y < operation_height; y++) { \ | ||
72 | - for (x = 0; x < operation_width; x++) { \ | ||
73 | + for (y = 0; y < height; y++) { \ | ||
74 | + for (x = 0; x < width; x++) { \ | ||
75 | _pixel_type val; \ | ||
76 | \ | ||
77 | if (rtl) { \ | ||
78 | - index_s = ((src_y - y) * src_width + src_x - x) * _bpp; \ | ||
79 | - index_d = ((dst_y - y) * dst_width + dst_x - x) * _bpp; \ | ||
80 | + index_s = ((src_y - y) * src_pitch + src_x - x) * _bpp; \ | ||
81 | + index_d = ((dst_y - y) * dst_pitch + dst_x - x) * _bpp; \ | ||
82 | } else { \ | ||
83 | - index_s = ((src_y + y) * src_width + src_x + x) * _bpp; \ | ||
84 | - index_d = ((dst_y + y) * dst_width + dst_x + x) * _bpp; \ | ||
85 | + index_s = ((src_y + y) * src_pitch + src_x + x) * _bpp; \ | ||
86 | + index_d = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \ | ||
87 | } \ | ||
88 | if (rop_mode == 1 && rop == 5) { \ | ||
89 | /* Invert dest */ \ | ||
90 | @@ -783,7 +782,7 @@ static void sm501_2d_operation(SM501State *s) | ||
91 | } \ | ||
92 | } \ | ||
93 | } | ||
94 | - switch (format_flags) { | ||
95 | + switch (format) { | ||
96 | case 0: | ||
97 | COPY_AREA(1, uint8_t, rtl); | ||
98 | break; | ||
99 | @@ -799,15 +798,15 @@ static void sm501_2d_operation(SM501State *s) | ||
100 | case 0x01: /* fill rectangle */ | ||
101 | #define FILL_RECT(_bpp, _pixel_type) { \ | ||
102 | int y, x; \ | ||
103 | - for (y = 0; y < operation_height; y++) { \ | ||
104 | - for (x = 0; x < operation_width; x++) { \ | ||
105 | - int index = ((dst_y + y) * dst_width + dst_x + x) * _bpp; \ | ||
106 | + for (y = 0; y < height; y++) { \ | ||
107 | + for (x = 0; x < width; x++) { \ | ||
108 | + int index = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \ | ||
109 | *(_pixel_type *)&dst[index] = (_pixel_type)color; \ | ||
110 | } \ | ||
111 | } \ | ||
112 | } | ||
113 | |||
114 | - switch (format_flags) { | ||
115 | + switch (format) { | ||
116 | case 0: | ||
117 | FILL_RECT(1, uint8_t); | ||
118 | break; | ||
119 | @@ -824,14 +823,14 @@ static void sm501_2d_operation(SM501State *s) | ||
120 | |||
121 | default: | ||
122 | qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n", | ||
123 | - operation); | ||
124 | + cmd); | ||
125 | return; | ||
126 | } | ||
127 | |||
128 | if (dst_base >= get_fb_addr(s, crt) && | ||
129 | dst_base <= get_fb_addr(s, crt) + fb_len) { | ||
130 | - int dst_len = MIN(fb_len, ((dst_y + operation_height - 1) * dst_width + | ||
131 | - dst_x + operation_width) * (1 << format_flags)); | ||
132 | + int dst_len = MIN(fb_len, ((dst_y + height - 1) * dst_pitch + | ||
133 | + dst_x + width) * (1 << format)); | ||
134 | if (dst_len) { | ||
135 | memory_region_set_dirty(&s->local_mem_region, dst_base, dst_len); | ||
136 | } | ||
137 | -- | ||
138 | 2.25.1 | ||
139 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_3.patch new file mode 100644 index 0000000000..c647028cfe --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_3.patch | |||
@@ -0,0 +1,47 @@ | |||
1 | From 2824809b7f8f03ddc6e2b7e33e78c06022424298 Mon Sep 17 00:00:00 2001 | ||
2 | From: BALATON Zoltan <balaton@eik.bme.hu> | ||
3 | Date: Thu, 21 May 2020 21:39:44 +0200 | ||
4 | Subject: [PATCH 3/5] sm501: Use BIT(x) macro to shorten constant | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu> | ||
10 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
11 | Message-id: 124bf5de8d7cf503b32b377d0445029a76bfbd49.1590089984.git.balaton@eik.bme.hu | ||
12 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
13 | |||
14 | Upstream-Status: Backport | ||
15 | CVE: CVE-2020-12829 dep#3 | ||
16 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
17 | |||
18 | --- | ||
19 | hw/display/sm501.c | 5 ++--- | ||
20 | 1 file changed, 2 insertions(+), 3 deletions(-) | ||
21 | |||
22 | diff --git a/hw/display/sm501.c b/hw/display/sm501.c | ||
23 | index f42d05e1e4..97660090bb 100644 | ||
24 | --- a/hw/display/sm501.c | ||
25 | +++ b/hw/display/sm501.c | ||
26 | @@ -701,7 +701,7 @@ static void sm501_2d_operation(SM501State *s) | ||
27 | { | ||
28 | /* obtain operation parameters */ | ||
29 | int cmd = (s->twoD_control >> 16) & 0x1F; | ||
30 | - int rtl = s->twoD_control & 0x8000000; | ||
31 | + int rtl = s->twoD_control & BIT(27); | ||
32 | int src_x = (s->twoD_source >> 16) & 0x01FFF; | ||
33 | int src_y = s->twoD_source & 0xFFFF; | ||
34 | int dst_x = (s->twoD_destination >> 16) & 0x01FFF; | ||
35 | @@ -751,8 +751,7 @@ static void sm501_2d_operation(SM501State *s) | ||
36 | } | ||
37 | } | ||
38 | |||
39 | - if ((s->twoD_source_base & 0x08000000) || | ||
40 | - (s->twoD_destination_base & 0x08000000)) { | ||
41 | + if (s->twoD_source_base & BIT(27) || s->twoD_destination_base & BIT(27)) { | ||
42 | qemu_log_mask(LOG_UNIMP, "sm501: only local memory is supported.\n"); | ||
43 | return; | ||
44 | } | ||
45 | -- | ||
46 | 2.25.1 | ||
47 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_4.patch new file mode 100644 index 0000000000..485af05e1e --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_4.patch | |||
@@ -0,0 +1,100 @@ | |||
1 | From 3d0b096298b5579a7fa0753ad90968b27bc65372 Mon Sep 17 00:00:00 2001 | ||
2 | From: BALATON Zoltan <balaton@eik.bme.hu> | ||
3 | Date: Thu, 21 May 2020 21:39:44 +0200 | ||
4 | Subject: [PATCH 4/5] sm501: Clean up local variables in sm501_2d_operation | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | Make variables local to the block they are used in to make it clearer | ||
10 | which operation they are needed for. | ||
11 | |||
12 | Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu> | ||
13 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
14 | Message-id: ae59f8138afe7f6a5a4a82539d0f61496a906b06.1590089984.git.balaton@eik.bme.hu | ||
15 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
16 | |||
17 | Upstream-Status: Backport | ||
18 | CVE: CVE-2020-12829 dep#4 | ||
19 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
20 | |||
21 | --- | ||
22 | hw/display/sm501.c | 31 ++++++++++++++++--------------- | ||
23 | 1 file changed, 16 insertions(+), 15 deletions(-) | ||
24 | |||
25 | diff --git a/hw/display/sm501.c b/hw/display/sm501.c | ||
26 | index 97660090bb..5ed57703d8 100644 | ||
27 | --- a/hw/display/sm501.c | ||
28 | +++ b/hw/display/sm501.c | ||
29 | @@ -699,28 +699,19 @@ static inline void hwc_invalidate(SM501State *s, int crt) | ||
30 | |||
31 | static void sm501_2d_operation(SM501State *s) | ||
32 | { | ||
33 | - /* obtain operation parameters */ | ||
34 | int cmd = (s->twoD_control >> 16) & 0x1F; | ||
35 | int rtl = s->twoD_control & BIT(27); | ||
36 | - int src_x = (s->twoD_source >> 16) & 0x01FFF; | ||
37 | - int src_y = s->twoD_source & 0xFFFF; | ||
38 | - int dst_x = (s->twoD_destination >> 16) & 0x01FFF; | ||
39 | - int dst_y = s->twoD_destination & 0xFFFF; | ||
40 | - int width = (s->twoD_dimension >> 16) & 0x1FFF; | ||
41 | - int height = s->twoD_dimension & 0xFFFF; | ||
42 | - uint32_t color = s->twoD_foreground; | ||
43 | int format = (s->twoD_stretch >> 20) & 0x3; | ||
44 | int rop_mode = (s->twoD_control >> 15) & 0x1; /* 1 for rop2, else rop3 */ | ||
45 | /* 1 if rop2 source is the pattern, otherwise the source is the bitmap */ | ||
46 | int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1; | ||
47 | int rop = s->twoD_control & 0xFF; | ||
48 | - uint32_t src_base = s->twoD_source_base & 0x03FFFFFF; | ||
49 | + int dst_x = (s->twoD_destination >> 16) & 0x01FFF; | ||
50 | + int dst_y = s->twoD_destination & 0xFFFF; | ||
51 | + int width = (s->twoD_dimension >> 16) & 0x1FFF; | ||
52 | + int height = s->twoD_dimension & 0xFFFF; | ||
53 | uint32_t dst_base = s->twoD_destination_base & 0x03FFFFFF; | ||
54 | - | ||
55 | - /* get frame buffer info */ | ||
56 | - uint8_t *src = s->local_mem + src_base; | ||
57 | uint8_t *dst = s->local_mem + dst_base; | ||
58 | - int src_pitch = s->twoD_pitch & 0x1FFF; | ||
59 | int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF; | ||
60 | int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0; | ||
61 | int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt); | ||
62 | @@ -758,6 +749,13 @@ static void sm501_2d_operation(SM501State *s) | ||
63 | |||
64 | switch (cmd) { | ||
65 | case 0x00: /* copy area */ | ||
66 | + { | ||
67 | + int src_x = (s->twoD_source >> 16) & 0x01FFF; | ||
68 | + int src_y = s->twoD_source & 0xFFFF; | ||
69 | + uint32_t src_base = s->twoD_source_base & 0x03FFFFFF; | ||
70 | + uint8_t *src = s->local_mem + src_base; | ||
71 | + int src_pitch = s->twoD_pitch & 0x1FFF; | ||
72 | + | ||
73 | #define COPY_AREA(_bpp, _pixel_type, rtl) { \ | ||
74 | int y, x, index_d, index_s; \ | ||
75 | for (y = 0; y < height; y++) { \ | ||
76 | @@ -793,8 +791,11 @@ static void sm501_2d_operation(SM501State *s) | ||
77 | break; | ||
78 | } | ||
79 | break; | ||
80 | - | ||
81 | + } | ||
82 | case 0x01: /* fill rectangle */ | ||
83 | + { | ||
84 | + uint32_t color = s->twoD_foreground; | ||
85 | + | ||
86 | #define FILL_RECT(_bpp, _pixel_type) { \ | ||
87 | int y, x; \ | ||
88 | for (y = 0; y < height; y++) { \ | ||
89 | @@ -819,7 +820,7 @@ static void sm501_2d_operation(SM501State *s) | ||
90 | break; | ||
91 | } | ||
92 | break; | ||
93 | - | ||
94 | + } | ||
95 | default: | ||
96 | qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n", | ||
97 | cmd); | ||
98 | -- | ||
99 | 2.25.1 | ||
100 | |||
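Review bot: The `Upstream-Status: Backport` line in this patch header carries no upstream reference, unlike the CVE-2020-13253 patches further down that link the git.qemu.org commit; the OpenEmbedded tagging convention wants `Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=3d0b096298b5579a7fa0753ad90968b27bc65372]`, reusing the hash already present in the From line, so the prerequisite chain for CVE-2020-12829 can be checked against upstream. The `CVE: CVE-2020-12829 dep#4` tag is also non-standard; tooling that parses the `CVE:` line may or may not tolerate the suffix, so a separate line such as `# prerequisite 4/4 for the CVE-2020-12829 fix` is the safer way to record the dependency. The code motion itself only narrows the scope of the locals; the `src = s->local_mem + src_base` computation before any bounds check is carried over unchanged and is what the last patch of the series replaces.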
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_5.patch new file mode 100644 index 0000000000..ab09e8b039 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_5.patch | |||
@@ -0,0 +1,266 @@ | |||
1 | From b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4 Mon Sep 17 00:00:00 2001 | ||
2 | From: BALATON Zoltan <balaton@eik.bme.hu> | ||
3 | Date: Thu, 21 May 2020 21:39:44 +0200 | ||
4 | Subject: [PATCH 5/5] sm501: Replace hand written implementation with pixman | ||
5 | where possible | ||
6 | |||
7 | Besides being faster this should also prevent malicious guests to | ||
8 | abuse 2D engine to overwrite data or cause a crash. | ||
9 | |||
10 | Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu> | ||
11 | Message-id: 58666389b6cae256e4e972a32c05cf8aa51bffc0.1590089984.git.balaton@eik.bme.hu | ||
12 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
13 | |||
14 | Upstream-Status: Backport | ||
15 | CVE: CVE-2020-12829 | ||
16 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
17 | |||
18 | --- | ||
19 | hw/display/sm501.c | 207 ++++++++++++++++++++++++++------------------- | ||
20 | 1 file changed, 119 insertions(+), 88 deletions(-) | ||
21 | |||
22 | diff --git a/hw/display/sm501.c b/hw/display/sm501.c | ||
23 | index 5ed57703d8..8bf4d111f4 100644 | ||
24 | --- a/hw/display/sm501.c | ||
25 | +++ b/hw/display/sm501.c | ||
26 | @@ -706,13 +706,12 @@ static void sm501_2d_operation(SM501State *s) | ||
27 | /* 1 if rop2 source is the pattern, otherwise the source is the bitmap */ | ||
28 | int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1; | ||
29 | int rop = s->twoD_control & 0xFF; | ||
30 | - int dst_x = (s->twoD_destination >> 16) & 0x01FFF; | ||
31 | - int dst_y = s->twoD_destination & 0xFFFF; | ||
32 | - int width = (s->twoD_dimension >> 16) & 0x1FFF; | ||
33 | - int height = s->twoD_dimension & 0xFFFF; | ||
34 | + unsigned int dst_x = (s->twoD_destination >> 16) & 0x01FFF; | ||
35 | + unsigned int dst_y = s->twoD_destination & 0xFFFF; | ||
36 | + unsigned int width = (s->twoD_dimension >> 16) & 0x1FFF; | ||
37 | + unsigned int height = s->twoD_dimension & 0xFFFF; | ||
38 | uint32_t dst_base = s->twoD_destination_base & 0x03FFFFFF; | ||
39 | - uint8_t *dst = s->local_mem + dst_base; | ||
40 | - int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF; | ||
41 | + unsigned int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF; | ||
42 | int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0; | ||
43 | int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt); | ||
44 | |||
45 | @@ -721,104 +720,136 @@ static void sm501_2d_operation(SM501State *s) | ||
46 | return; | ||
47 | } | ||
48 | |||
49 | - if (rop_mode == 0) { | ||
50 | - if (rop != 0xcc) { | ||
51 | - /* Anything other than plain copies are not supported */ | ||
52 | - qemu_log_mask(LOG_UNIMP, "sm501: rop3 mode with rop %x is not " | ||
53 | - "supported.\n", rop); | ||
54 | - } | ||
55 | - } else { | ||
56 | - if (rop2_source_is_pattern && rop != 0x5) { | ||
57 | - /* For pattern source, we support only inverse dest */ | ||
58 | - qemu_log_mask(LOG_UNIMP, "sm501: rop2 source being the pattern and " | ||
59 | - "rop %x is not supported.\n", rop); | ||
60 | - } else { | ||
61 | - if (rop != 0x5 && rop != 0xc) { | ||
62 | - /* Anything other than plain copies or inverse dest is not | ||
63 | - * supported */ | ||
64 | - qemu_log_mask(LOG_UNIMP, "sm501: rop mode %x is not " | ||
65 | - "supported.\n", rop); | ||
66 | - } | ||
67 | - } | ||
68 | - } | ||
69 | - | ||
70 | if (s->twoD_source_base & BIT(27) || s->twoD_destination_base & BIT(27)) { | ||
71 | qemu_log_mask(LOG_UNIMP, "sm501: only local memory is supported.\n"); | ||
72 | return; | ||
73 | } | ||
74 | |||
75 | + if (!dst_pitch) { | ||
76 | + qemu_log_mask(LOG_GUEST_ERROR, "sm501: Zero dest pitch.\n"); | ||
77 | + return; | ||
78 | + } | ||
79 | + | ||
80 | + if (!width || !height) { | ||
81 | + qemu_log_mask(LOG_GUEST_ERROR, "sm501: Zero size 2D op.\n"); | ||
82 | + return; | ||
83 | + } | ||
84 | + | ||
85 | + if (rtl) { | ||
86 | + dst_x -= width - 1; | ||
87 | + dst_y -= height - 1; | ||
88 | + } | ||
89 | + | ||
90 | + if (dst_base >= get_local_mem_size(s) || dst_base + | ||
91 | + (dst_x + width + (dst_y + height) * (dst_pitch + width)) * | ||
92 | + (1 << format) >= get_local_mem_size(s)) { | ||
93 | + qemu_log_mask(LOG_GUEST_ERROR, "sm501: 2D op dest is outside vram.\n"); | ||
94 | + return; | ||
95 | + } | ||
96 | + | ||
97 | switch (cmd) { | ||
98 | - case 0x00: /* copy area */ | ||
99 | + case 0: /* BitBlt */ | ||
100 | { | ||
101 | - int src_x = (s->twoD_source >> 16) & 0x01FFF; | ||
102 | - int src_y = s->twoD_source & 0xFFFF; | ||
103 | + unsigned int src_x = (s->twoD_source >> 16) & 0x01FFF; | ||
104 | + unsigned int src_y = s->twoD_source & 0xFFFF; | ||
105 | uint32_t src_base = s->twoD_source_base & 0x03FFFFFF; | ||
106 | - uint8_t *src = s->local_mem + src_base; | ||
107 | - int src_pitch = s->twoD_pitch & 0x1FFF; | ||
108 | - | ||
109 | -#define COPY_AREA(_bpp, _pixel_type, rtl) { \ | ||
110 | - int y, x, index_d, index_s; \ | ||
111 | - for (y = 0; y < height; y++) { \ | ||
112 | - for (x = 0; x < width; x++) { \ | ||
113 | - _pixel_type val; \ | ||
114 | - \ | ||
115 | - if (rtl) { \ | ||
116 | - index_s = ((src_y - y) * src_pitch + src_x - x) * _bpp; \ | ||
117 | - index_d = ((dst_y - y) * dst_pitch + dst_x - x) * _bpp; \ | ||
118 | - } else { \ | ||
119 | - index_s = ((src_y + y) * src_pitch + src_x + x) * _bpp; \ | ||
120 | - index_d = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \ | ||
121 | - } \ | ||
122 | - if (rop_mode == 1 && rop == 5) { \ | ||
123 | - /* Invert dest */ \ | ||
124 | - val = ~*(_pixel_type *)&dst[index_d]; \ | ||
125 | - } else { \ | ||
126 | - val = *(_pixel_type *)&src[index_s]; \ | ||
127 | - } \ | ||
128 | - *(_pixel_type *)&dst[index_d] = val; \ | ||
129 | - } \ | ||
130 | - } \ | ||
131 | - } | ||
132 | - switch (format) { | ||
133 | - case 0: | ||
134 | - COPY_AREA(1, uint8_t, rtl); | ||
135 | - break; | ||
136 | - case 1: | ||
137 | - COPY_AREA(2, uint16_t, rtl); | ||
138 | - break; | ||
139 | - case 2: | ||
140 | - COPY_AREA(4, uint32_t, rtl); | ||
141 | - break; | ||
142 | + unsigned int src_pitch = s->twoD_pitch & 0x1FFF; | ||
143 | + | ||
144 | + if (!src_pitch) { | ||
145 | + qemu_log_mask(LOG_GUEST_ERROR, "sm501: Zero src pitch.\n"); | ||
146 | + return; | ||
147 | + } | ||
148 | + | ||
149 | + if (rtl) { | ||
150 | + src_x -= width - 1; | ||
151 | + src_y -= height - 1; | ||
152 | + } | ||
153 | + | ||
154 | + if (src_base >= get_local_mem_size(s) || src_base + | ||
155 | + (src_x + width + (src_y + height) * (src_pitch + width)) * | ||
156 | + (1 << format) >= get_local_mem_size(s)) { | ||
157 | + qemu_log_mask(LOG_GUEST_ERROR, | ||
158 | + "sm501: 2D op src is outside vram.\n"); | ||
159 | + return; | ||
160 | + } | ||
161 | + | ||
162 | + if ((rop_mode && rop == 0x5) || (!rop_mode && rop == 0x55)) { | ||
163 | + /* Invert dest, is there a way to do this with pixman? */ | ||
164 | + unsigned int x, y, i; | ||
165 | + uint8_t *d = s->local_mem + dst_base; | ||
166 | + | ||
167 | + for (y = 0; y < height; y++) { | ||
168 | + i = (dst_x + (dst_y + y) * dst_pitch) * (1 << format); | ||
169 | + for (x = 0; x < width; x++, i += (1 << format)) { | ||
170 | + switch (format) { | ||
171 | + case 0: | ||
172 | + d[i] = ~d[i]; | ||
173 | + break; | ||
174 | + case 1: | ||
175 | + *(uint16_t *)&d[i] = ~*(uint16_t *)&d[i]; | ||
176 | + break; | ||
177 | + case 2: | ||
178 | + *(uint32_t *)&d[i] = ~*(uint32_t *)&d[i]; | ||
179 | + break; | ||
180 | + } | ||
181 | + } | ||
182 | + } | ||
183 | + } else { | ||
184 | + /* Do copy src for unimplemented ops, better than unpainted area */ | ||
185 | + if ((rop_mode && (rop != 0xc || rop2_source_is_pattern)) || | ||
186 | + (!rop_mode && rop != 0xcc)) { | ||
187 | + qemu_log_mask(LOG_UNIMP, | ||
188 | + "sm501: rop%d op %x%s not implemented\n", | ||
189 | + (rop_mode ? 2 : 3), rop, | ||
190 | + (rop2_source_is_pattern ? | ||
191 | + " with pattern source" : "")); | ||
192 | + } | ||
193 | + /* Check for overlaps, this could be made more exact */ | ||
194 | + uint32_t sb, se, db, de; | ||
195 | + sb = src_base + src_x + src_y * (width + src_pitch); | ||
196 | + se = sb + width + height * (width + src_pitch); | ||
197 | + db = dst_base + dst_x + dst_y * (width + dst_pitch); | ||
198 | + de = db + width + height * (width + dst_pitch); | ||
199 | + if (rtl && ((db >= sb && db <= se) || (de >= sb && de <= se))) { | ||
200 | + /* regions may overlap: copy via temporary */ | ||
201 | + int llb = width * (1 << format); | ||
202 | + int tmp_stride = DIV_ROUND_UP(llb, sizeof(uint32_t)); | ||
203 | + uint32_t *tmp = g_malloc(tmp_stride * sizeof(uint32_t) * | ||
204 | + height); | ||
205 | + pixman_blt((uint32_t *)&s->local_mem[src_base], tmp, | ||
206 | + src_pitch * (1 << format) / sizeof(uint32_t), | ||
207 | + tmp_stride, 8 * (1 << format), 8 * (1 << format), | ||
208 | + src_x, src_y, 0, 0, width, height); | ||
209 | + pixman_blt(tmp, (uint32_t *)&s->local_mem[dst_base], | ||
210 | + tmp_stride, | ||
211 | + dst_pitch * (1 << format) / sizeof(uint32_t), | ||
212 | + 8 * (1 << format), 8 * (1 << format), | ||
213 | + 0, 0, dst_x, dst_y, width, height); | ||
214 | + g_free(tmp); | ||
215 | + } else { | ||
216 | + pixman_blt((uint32_t *)&s->local_mem[src_base], | ||
217 | + (uint32_t *)&s->local_mem[dst_base], | ||
218 | + src_pitch * (1 << format) / sizeof(uint32_t), | ||
219 | + dst_pitch * (1 << format) / sizeof(uint32_t), | ||
220 | + 8 * (1 << format), 8 * (1 << format), | ||
221 | + src_x, src_y, dst_x, dst_y, width, height); | ||
222 | + } | ||
223 | } | ||
224 | break; | ||
225 | } | ||
226 | - case 0x01: /* fill rectangle */ | ||
227 | + case 1: /* Rectangle Fill */ | ||
228 | { | ||
229 | uint32_t color = s->twoD_foreground; | ||
230 | |||
231 | -#define FILL_RECT(_bpp, _pixel_type) { \ | ||
232 | - int y, x; \ | ||
233 | - for (y = 0; y < height; y++) { \ | ||
234 | - for (x = 0; x < width; x++) { \ | ||
235 | - int index = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \ | ||
236 | - *(_pixel_type *)&dst[index] = (_pixel_type)color; \ | ||
237 | - } \ | ||
238 | - } \ | ||
239 | - } | ||
240 | - | ||
241 | - switch (format) { | ||
242 | - case 0: | ||
243 | - FILL_RECT(1, uint8_t); | ||
244 | - break; | ||
245 | - case 1: | ||
246 | - color = cpu_to_le16(color); | ||
247 | - FILL_RECT(2, uint16_t); | ||
248 | - break; | ||
249 | - case 2: | ||
250 | + if (format == 2) { | ||
251 | color = cpu_to_le32(color); | ||
252 | - FILL_RECT(4, uint32_t); | ||
253 | - break; | ||
254 | + } else if (format == 1) { | ||
255 | + color = cpu_to_le16(color); | ||
256 | } | ||
257 | + | ||
258 | + pixman_fill((uint32_t *)&s->local_mem[dst_base], | ||
259 | + dst_pitch * (1 << format) / sizeof(uint32_t), | ||
260 | + 8 * (1 << format), dst_x, dst_y, width, height, color); | ||
261 | break; | ||
262 | } | ||
263 | default: | ||
264 | -- | ||
265 | 2.25.1 | ||
266 | |||
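Review bot: The rtl adjustment `dst_x -= width - 1; dst_y -= height - 1;` (and the matching src_x/src_y one in the BitBlt case) is done on unsigned ints with no check that the guest-chosen origin is at least width-1 / height-1, so a smaller origin wraps to a value near 2^32. Because the following bounds expression is also 32-bit unsigned arithmetic, `dst_x + width` wraps back to the original coordinate plus one, the `>= get_local_mem_size(s)` test passes, and the wrapped coordinate then reaches the invert loop's `i = (dst_x + ...)` index and the `int` coordinate parameters of pixman_blt()/pixman_fill() as a huge or negative offset, i.e. an access outside local_mem. Rejecting the operation before the subtraction, as sketched below, closes that path; it does not cover the unhandled `format == 3` (8 bytes/pixel passed to pixman as 64 bpp) or the truncation of `dst_pitch * (1 << format) / sizeof(uint32_t)` for pitches that are not 4-byte multiples at 8/16 bpp, which deserve their own look. sm501_2d_operation() starts and ends outside the hunk.
```c
    if (rtl) {
        /* origin is the bottom-right corner, so it must cover the whole span */
        if (dst_x < width - 1 || dst_y < height - 1) {
            qemu_log_mask(LOG_GUEST_ERROR, "sm501: 2D op dest origin underflows.\n");
            return;
        }
        dst_x -= width - 1;
        dst_y -= height - 1;
    }
    /* … unchanged: dest bounds check, switch (cmd), BitBlt locals and src pitch check … */
            if (rtl) {
                if (src_x < width - 1 || src_y < height - 1) {
                    qemu_log_mask(LOG_GUEST_ERROR, "sm501: 2D op src origin underflows.\n");
                    return;
                }
                src_x -= width - 1;
                src_y -= height - 1;
            }
    /* … unchanged: src bounds check, invert / pixman_blt paths, Rectangle Fill … */
```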
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_1.patch new file mode 100644 index 0000000000..7f8383987c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_1.patch | |||
@@ -0,0 +1,50 @@ | |||
1 | From 6dd3a164f5b31c703c7d8372841ad3bd6a57de6d Mon Sep 17 00:00:00 2001 | ||
2 | From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org> | ||
3 | Date: Tue, 5 Jun 2018 22:28:51 -0300 | ||
4 | Subject: [PATCH 1/1] hw/sd/sdcard: Simplify realize() a bit | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=utf8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | We don't need to check if sd->blk is set twice. | ||
10 | |||
11 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
12 | Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
13 | Reviewed-by: Alistair Francis <alistair.francis@wdc.com> | ||
14 | Message-Id: <20200630133912.9428-18-f4bug@amsat.org> | ||
15 | |||
16 | Upstram-Status: Backport: | ||
17 | https://git.qemu.org/?p=qemu.git;a=commit;f=hw/sd/sd.c;h=6dd3a164f5b31c703c7d8372841ad3bd6a57de6d | ||
18 | |||
19 | CVE: CVE-2020-13253 | ||
20 | |||
21 | Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> | ||
22 | --- | ||
23 | hw/sd/sd.c | 10 +++++----- | ||
24 | 1 file changed, 5 insertions(+), 5 deletions(-) | ||
25 | |||
26 | diff --git a/hw/sd/sd.c b/hw/sd/sd.c | ||
27 | index 1cc16bf..edd60a0 100644 | ||
28 | --- a/hw/sd/sd.c | ||
29 | +++ b/hw/sd/sd.c | ||
30 | @@ -2105,12 +2105,12 @@ static void sd_realize(DeviceState *dev, Error **errp) | ||
31 | return; | ||
32 | } | ||
33 | |||
34 | - if (sd->blk && blk_is_read_only(sd->blk)) { | ||
35 | - error_setg(errp, "Cannot use read-only drive as SD card"); | ||
36 | - return; | ||
37 | - } | ||
38 | - | ||
39 | if (sd->blk) { | ||
40 | + if (blk_is_read_only(sd->blk)) { | ||
41 | + error_setg(errp, "Cannot use read-only drive as SD card"); | ||
42 | + return; | ||
43 | + } | ||
44 | + | ||
45 | ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE, | ||
46 | BLK_PERM_ALL, errp); | ||
47 | if (ret < 0) { | ||
48 | -- | ||
49 | 1.8.3.1 | ||
50 | |||
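Review bot: The header tag `Upstram-Status: Backport:` is misspelled and carries a stray trailing colon, so anyone or any tool grepping for the OpenEmbedded `Upstream-Status:` tag will not find it; it should read `Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=6dd3a164f5b31c703c7d8372841ad3bd6a57de6d]`. The same misspelling appears in the other CVE-2020-13253 patch headers below and should be fixed together with this one. The subject line also says `[PATCH 1/1]` although this is the first of five files tagged with the same CVE, which is confusing when the series is read on its own. The code change itself, moving the read-only test under the `if (sd->blk)` block, is a pure restructuring and looks correct.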
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_2.patch new file mode 100644 index 0000000000..53145d059f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_2.patch | |||
@@ -0,0 +1,112 @@ | |||
1 | From a9bcedd15a5834ca9ae6c3a97933e85ac7edbd36 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org> | ||
3 | Date: Tue, 7 Jul 2020 13:02:34 +0200 | ||
4 | Subject: [PATCH] hw/sd/sdcard: Do not allow invalid SD card sizes | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | QEMU allows to create SD card with unrealistic sizes. This could | ||
10 | work, but some guests (at least Linux) consider sizes that are not | ||
11 | a power of 2 as a firmware bug and fix the card size to the next | ||
12 | power of 2. | ||
13 | |||
14 | While the possibility to use small SD card images has been seen as | ||
15 | a feature, it became a bug with CVE-2020-13253, where the guest is | ||
16 | able to do OOB read/write accesses past the image size end. | ||
17 | |||
18 | In a pair of commits we will fix CVE-2020-13253 as: | ||
19 | |||
20 | Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR | ||
21 | occurred and no data transfer is performed. | ||
22 | |||
23 | Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR | ||
24 | occurred and no data transfer is performed. | ||
25 | |||
26 | WP_VIOLATION errors are not modified: the error bit is set, we | ||
27 | stay in receive-data state, wait for a stop command. All further | ||
28 | data transfer is ignored. See the check on sd->card_status at the | ||
29 | beginning of sd_read_data() and sd_write_data(). | ||
30 | |||
31 | While this is the correct behavior, in case QEMU create smaller SD | ||
32 | cards, guests still try to access past the image size end, and QEMU | ||
33 | considers this is an invalid address, thus "all further data transfer | ||
34 | is ignored". This is wrong and make the guest looping until | ||
35 | eventually timeouts. | ||
36 | |||
37 | Fix by not allowing invalid SD card sizes (suggesting the expected | ||
38 | size as a hint): | ||
39 | |||
40 | $ qemu-system-arm -M orangepi-pc -drive file=rootfs.ext2,if=sd,format=raw | ||
41 | qemu-system-arm: Invalid SD card size: 60 MiB | ||
42 | SD card size has to be a power of 2, e.g. 64 MiB. | ||
43 | You can resize disk images with 'qemu-img resize <imagefile> <new-size>' | ||
44 | (note that this will lose data if you make the image smaller than it currently is). | ||
45 | |||
46 | Cc: qemu-stable@nongnu.org | ||
47 | Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
48 | Reviewed-by: Alistair Francis <alistair.francis@wdc.com> | ||
49 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
50 | Message-Id: <20200713183209.26308-8-f4bug@amsat.org> | ||
51 | |||
52 | Upstram-Status: Backport: | ||
53 | https://git.qemu.org/?p=qemu.git;a=commit;h=a9bcedd15a5834ca9ae6c3a97933e85ac7edbd36 | ||
54 | |||
55 | CVE: CVE-2020-13253 | ||
56 | |||
57 | Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> | ||
58 | --- | ||
59 | hw/sd/sd.c | 25 +++++++++++++++++++++++++ | ||
60 | 1 file changed, 25 insertions(+) | ||
61 | |||
62 | diff --git a/hw/sd/sd.c b/hw/sd/sd.c | ||
63 | index edd60a09c0..76d68359a4 100644 | ||
64 | --- a/hw/sd/sd.c | ||
65 | +++ b/hw/sd/sd.c | ||
66 | @@ -32,6 +32,7 @@ | ||
67 | |||
68 | #include "qemu/osdep.h" | ||
69 | #include "qemu/units.h" | ||
70 | +#include "qemu/cutils.h" | ||
71 | #include "hw/irq.h" | ||
72 | #include "hw/registerfields.h" | ||
73 | #include "sysemu/block-backend.h" | ||
74 | @@ -2106,11 +2107,35 @@ static void sd_realize(DeviceState *dev, Error **errp) | ||
75 | } | ||
76 | |||
77 | if (sd->blk) { | ||
78 | + int64_t blk_size; | ||
79 | + | ||
80 | if (blk_is_read_only(sd->blk)) { | ||
81 | error_setg(errp, "Cannot use read-only drive as SD card"); | ||
82 | return; | ||
83 | } | ||
84 | |||
85 | + blk_size = blk_getlength(sd->blk); | ||
86 | + if (blk_size > 0 && !is_power_of_2(blk_size)) { | ||
87 | + int64_t blk_size_aligned = pow2ceil(blk_size); | ||
88 | + char *blk_size_str; | ||
89 | + | ||
90 | + blk_size_str = size_to_str(blk_size); | ||
91 | + error_setg(errp, "Invalid SD card size: %s", blk_size_str); | ||
92 | + g_free(blk_size_str); | ||
93 | + | ||
94 | + blk_size_str = size_to_str(blk_size_aligned); | ||
95 | + error_append_hint(errp, | ||
96 | + "SD card size has to be a power of 2, e.g. %s.\n" | ||
97 | + "You can resize disk images with" | ||
98 | + " 'qemu-img resize <imagefile> <new-size>'\n" | ||
99 | + "(note that this will lose data if you make the" | ||
100 | + " image smaller than it currently is).\n", | ||
101 | + blk_size_str); | ||
102 | + g_free(blk_size_str); | ||
103 | + | ||
104 | + return; | ||
105 | + } | ||
106 | + | ||
107 | ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE, | ||
108 | BLK_PERM_ALL, errp); | ||
109 | if (ret < 0) { | ||
110 | -- | ||
111 | 2.32.0 | ||
112 | |||
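Review bot: The new size check only acts when `blk_size > 0`, so a negative return from blk_getlength() — which in QEMU's block layer conventionally reports an error as -errno — is silently treated like an unknown size and realize carries on into blk_set_perm() with a backend whose length could not be read. A guard placed before the power-of-2 test, `if (blk_size < 0) { error_setg_errno(errp, -blk_size, "Failed to get SD card size"); return; }`, makes that failure visible at device creation instead of later as an oddly-sized card (this assumes error_setg_errno() from qapi/error.h is reachable here, as error_setg() already is). A zero-length image also still passes; whether that is intended is not shown in this hunk. The header has the `Upstram-Status` misspelling as well, and sd_realize() continues outside the hunk.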
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_3.patch new file mode 100644 index 0000000000..b512b2bd7f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_3.patch | |||
@@ -0,0 +1,86 @@ | |||
1 | From 794d68de2f021a6d3874df41d6bbe8590ec05207 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org> | ||
3 | Date: Mon, 13 Jul 2020 09:27:35 +0200 | ||
4 | Subject: [PATCH] hw/sd/sdcard: Update coding style to make checkpatch.pl happy | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=utf8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | To make the next commit easier to review, clean this code first. | ||
10 | |||
11 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
12 | Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
13 | Reviewed-by: Alistair Francis <alistair.francis@wdc.com> | ||
14 | Reviewed-by: Alexander Bulekov <alxndr@bu.edu> | ||
15 | Message-Id: <20200630133912.9428-3-f4bug@amsat.org> | ||
16 | |||
17 | Upstram-Status: Backport: | ||
18 | https://git.qemu.org/?p=qemu.git;a=commit;f=hw/sd/sd.c;h=794d68de2f021a6d3874df41d6bbe8590ec05207 | ||
19 | |||
20 | CVE: CVE-2020-13253 | ||
21 | |||
22 | Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> | ||
23 | --- | ||
24 | diff --git a/hw/sd/sd.c b/hw/sd/sd.c | ||
25 | --- a/hw/sd/sd.c (revision b0ca999a43a22b38158a222233d3f5881648bb4f) | ||
26 | +++ b/hw/sd/sd.c (date 1647514442924) | ||
27 | @@ -1154,8 +1154,9 @@ | ||
28 | sd->data_start = addr; | ||
29 | sd->data_offset = 0; | ||
30 | |||
31 | - if (sd->data_start + sd->blk_len > sd->size) | ||
32 | + if (sd->data_start + sd->blk_len > sd->size) { | ||
33 | sd->card_status |= ADDRESS_ERROR; | ||
34 | + } | ||
35 | return sd_r1; | ||
36 | |||
37 | default: | ||
38 | @@ -1170,8 +1171,9 @@ | ||
39 | sd->data_start = addr; | ||
40 | sd->data_offset = 0; | ||
41 | |||
42 | - if (sd->data_start + sd->blk_len > sd->size) | ||
43 | + if (sd->data_start + sd->blk_len > sd->size) { | ||
44 | sd->card_status |= ADDRESS_ERROR; | ||
45 | + } | ||
46 | return sd_r1; | ||
47 | |||
48 | default: | ||
49 | @@ -1216,12 +1218,15 @@ | ||
50 | sd->data_offset = 0; | ||
51 | sd->blk_written = 0; | ||
52 | |||
53 | - if (sd->data_start + sd->blk_len > sd->size) | ||
54 | + if (sd->data_start + sd->blk_len > sd->size) { | ||
55 | sd->card_status |= ADDRESS_ERROR; | ||
56 | - if (sd_wp_addr(sd, sd->data_start)) | ||
57 | + } | ||
58 | + if (sd_wp_addr(sd, sd->data_start)) { | ||
59 | sd->card_status |= WP_VIOLATION; | ||
60 | - if (sd->csd[14] & 0x30) | ||
61 | + } | ||
62 | + if (sd->csd[14] & 0x30) { | ||
63 | sd->card_status |= WP_VIOLATION; | ||
64 | + } | ||
65 | return sd_r1; | ||
66 | |||
67 | default: | ||
68 | @@ -1240,12 +1245,15 @@ | ||
69 | sd->data_offset = 0; | ||
70 | sd->blk_written = 0; | ||
71 | |||
72 | - if (sd->data_start + sd->blk_len > sd->size) | ||
73 | + if (sd->data_start + sd->blk_len > sd->size) { | ||
74 | sd->card_status |= ADDRESS_ERROR; | ||
75 | - if (sd_wp_addr(sd, sd->data_start)) | ||
76 | + } | ||
77 | + if (sd_wp_addr(sd, sd->data_start)) { | ||
78 | sd->card_status |= WP_VIOLATION; | ||
79 | - if (sd->csd[14] & 0x30) | ||
80 | + } | ||
81 | + if (sd->csd[14] & 0x30) { | ||
82 | sd->card_status |= WP_VIOLATION; | ||
83 | + } | ||
84 | return sd_r1; | ||
85 | |||
86 | default: | ||
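Review bot: This patch is not in git format-patch form: the file header reads `--- a/hw/sd/sd.c (revision b0ca999a…)` / `+++ b/hw/sd/sd.c (date 1647514442924)` with no `index` line, no diffstat, and hunk headers such as `@@ -1154,8 +1154,9 @@` without function context, which makes the four near-identical hunks (two read cases, two write cases sharing the same context lines) hard to place by eye and more likely to land at the wrong site under fuzz. Since the header already names upstream commit 794d68de2f021a6d3874df41d6bbe8590ec05207, regenerating it with `git format-patch -1 794d68de` would give it a proper index line and `@@ … sd_normal_command(…)` context. The `Upstram-Status: Backport:` tag should also become `Upstream-Status: Backport [URL]`. The change itself only adds braces around existing single-statement bodies and is behavior-preserving.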
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch new file mode 100644 index 0000000000..6b4c1ec050 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch | |||
@@ -0,0 +1,139 @@ | |||
1 | From 790762e5487114341cccc5bffcec4cb3c022c3cd Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org> | ||
3 | Date: Thu, 4 Jun 2020 19:22:29 +0200 | ||
4 | Subject: [PATCH] hw/sd/sdcard: Do not switch to ReceivingData if address is | ||
5 | invalid | ||
6 | MIME-Version: 1.0 | ||
7 | Content-Type: text/plain; charset=UTF-8 | ||
8 | Content-Transfer-Encoding: 8bit | ||
9 | |||
10 | Only move the state machine to ReceivingData if there is no | ||
11 | pending error. This avoids later OOB access while processing | ||
12 | commands queued. | ||
13 | |||
14 | "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01" | ||
15 | |||
16 | 4.3.3 Data Read | ||
17 | |||
18 | Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR | ||
19 | occurred and no data transfer is performed. | ||
20 | |||
21 | 4.3.4 Data Write | ||
22 | |||
23 | Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR | ||
24 | occurred and no data transfer is performed. | ||
25 | |||
26 | WP_VIOLATION errors are not modified: the error bit is set, we | ||
27 | stay in receive-data state, wait for a stop command. All further | ||
28 | data transfer is ignored. See the check on sd->card_status at the | ||
29 | beginning of sd_read_data() and sd_write_data(). | ||
30 | |||
31 | Fixes: CVE-2020-13253 | ||
32 | |||
33 | Cc: qemu-stable@nongnu.org | ||
34 | Reported-by: Alexander Bulekov <alxndr@bu.edu> | ||
35 | Buglink: https://bugs.launchpad.net/qemu/+bug/1880822 | ||
36 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
37 | Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
38 | Reviewed-by: Alistair Francis <alistair.francis@wdc.com> | ||
39 | Message-Id: <20200630133912.9428-6-f4bug@amsat.org> | ||
40 | |||
41 | Upstram-Status: Backport: | ||
42 | https://git.qemu.org/?p=qemu.git;a=commit;h=790762e5487114341cccc5bffcec4cb3c022c3cd | ||
43 | |||
44 | CVE: CVE-2020-13253 | ||
45 | |||
46 | Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> | ||
47 | --- | ||
48 | hw/sd/sd.c | 38 ++++++++++++++++++++++++-------------- | ||
49 | 1 file changed, 24 insertions(+), 14 deletions(-) | ||
50 | |||
51 | diff --git a/hw/sd/sd.c b/hw/sd/sd.c | ||
52 | index f4f76f8fd2..fad9cf1ee7 100644 | ||
53 | --- a/hw/sd/sd.c | ||
54 | +++ b/hw/sd/sd.c | ||
55 | @@ -1171,13 +1171,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) | ||
56 | case 17: /* CMD17: READ_SINGLE_BLOCK */ | ||
57 | switch (sd->state) { | ||
58 | case sd_transfer_state: | ||
59 | - sd->state = sd_sendingdata_state; | ||
60 | - sd->data_start = addr; | ||
61 | - sd->data_offset = 0; | ||
62 | |||
63 | - if (sd->data_start + sd->blk_len > sd->size) { | ||
64 | + if (addr + sd->blk_len > sd->size) { | ||
65 | sd->card_status |= ADDRESS_ERROR; | ||
66 | + return sd_r1; | ||
67 | } | ||
68 | + | ||
69 | + sd->state = sd_sendingdata_state; | ||
70 | + sd->data_start = addr; | ||
71 | + sd->data_offset = 0; | ||
72 | return sd_r1; | ||
73 | |||
74 | default: | ||
75 | @@ -1188,13 +1190,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) | ||
76 | case 18: /* CMD18: READ_MULTIPLE_BLOCK */ | ||
77 | switch (sd->state) { | ||
78 | case sd_transfer_state: | ||
79 | - sd->state = sd_sendingdata_state; | ||
80 | - sd->data_start = addr; | ||
81 | - sd->data_offset = 0; | ||
82 | |||
83 | - if (sd->data_start + sd->blk_len > sd->size) { | ||
84 | + if (addr + sd->blk_len > sd->size) { | ||
85 | sd->card_status |= ADDRESS_ERROR; | ||
86 | + return sd_r1; | ||
87 | } | ||
88 | + | ||
89 | + sd->state = sd_sendingdata_state; | ||
90 | + sd->data_start = addr; | ||
91 | + sd->data_offset = 0; | ||
92 | return sd_r1; | ||
93 | |||
94 | default: | ||
95 | @@ -1234,14 +1238,17 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) | ||
96 | /* Writing in SPI mode not implemented. */ | ||
97 | if (sd->spi) | ||
98 | break; | ||
99 | + | ||
100 | + if (addr + sd->blk_len > sd->size) { | ||
101 | + sd->card_status |= ADDRESS_ERROR; | ||
102 | + return sd_r1; | ||
103 | + } | ||
104 | + | ||
105 | sd->state = sd_receivingdata_state; | ||
106 | sd->data_start = addr; | ||
107 | sd->data_offset = 0; | ||
108 | sd->blk_written = 0; | ||
109 | |||
110 | - if (sd->data_start + sd->blk_len > sd->size) { | ||
111 | - sd->card_status |= ADDRESS_ERROR; | ||
112 | - } | ||
113 | if (sd_wp_addr(sd, sd->data_start)) { | ||
114 | sd->card_status |= WP_VIOLATION; | ||
115 | } | ||
116 | @@ -1261,14 +1268,17 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) | ||
117 | /* Writing in SPI mode not implemented. */ | ||
118 | if (sd->spi) | ||
119 | break; | ||
120 | + | ||
121 | + if (addr + sd->blk_len > sd->size) { | ||
122 | + sd->card_status |= ADDRESS_ERROR; | ||
123 | + return sd_r1; | ||
124 | + } | ||
125 | + | ||
126 | sd->state = sd_receivingdata_state; | ||
127 | sd->data_start = addr; | ||
128 | sd->data_offset = 0; | ||
129 | sd->blk_written = 0; | ||
130 | |||
131 | - if (sd->data_start + sd->blk_len > sd->size) { | ||
132 | - sd->card_status |= ADDRESS_ERROR; | ||
133 | - } | ||
134 | if (sd_wp_addr(sd, sd->data_start)) { | ||
135 | sd->card_status |= WP_VIOLATION; | ||
136 | } | ||
137 | -- | ||
138 | 2.32.0 | ||
139 | |||
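Review bot: The added `addr + sd->blk_len > sd->size` guard bounds only the first block of a transfer: for CMD18 (READ_MULTIPLE_BLOCK) and CMD25 (WRITE_MULTIPLE_BLOCK) the card keeps advancing from the data_start stored here in blk_len steps, so whether later blocks stay inside sd->size depends on a per-block check inside sd_read_data()/sd_write_data(), which are outside this hunk. The commit message only states that those functions bail out on an already-set error bit, so it is worth confirming that they re-check the running address and recording it above the CMD18/CMD25 cases, e.g. `/* guards the first block only; later blocks are re-checked per block in sd_read_data()/sd_write_data() */`. A smaller style point: in both write cases the new check now sits directly after the unbraced `if (sd->spi) break;`, which could be braced while these lines are being touched. sd_normal_command() starts and ends outside the hunk.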
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_5.patch new file mode 100644 index 0000000000..ffce610f79 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_5.patch | |||
@@ -0,0 +1,54 @@ | |||
1 | From 9157dd597d293ab7f599f4d96c3fe8a6e07c633d Mon Sep 17 00:00:00 2001 | ||
2 | From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org> | ||
3 | Date: Wed, 3 Jun 2020 19:59:16 +0200 | ||
4 | Subject: [PATCH] hw/sd/sdcard: Restrict Class 6 commands to SCSD cards | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=utf8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | Only SCSD cards support Class 6 (Block Oriented Write Protection) | ||
10 | commands. | ||
11 | |||
12 | "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01" | ||
13 | |||
14 | 4.3.14 Command Functional Difference in Card Capacity Types | ||
15 | |||
16 | * Write Protected Group | ||
17 | |||
18 | SDHC and SDXC do not support write-protected groups. Issuing | ||
19 | CMD28, CMD29 and CMD30 generates the ILLEGAL_COMMAND error. | ||
20 | |||
21 | Cc: qemu-stable@nongnu.org | ||
22 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
23 | Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
24 | Reviewed-by: Alistair Francis <alistair.francis@wdc.com> | ||
25 | Message-Id: <20200630133912.9428-7-f4bug@amsat.org> | ||
26 | |||
27 | Upstram-Status: Backport: | ||
28 | https://git.qemu.org/?p=qemu.git;a=commit;h=9157dd597d293ab7f599f4d96c3fe8a6e07c633d | ||
29 | |||
30 | CVE: CVE-2020-13253 | ||
31 | |||
32 | Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> | ||
33 | --- | ||
34 | hw/sd/sd.c | 5 +++++ | ||
35 | 1 file changed, 5 insertions(+) | ||
36 | |||
37 | diff --git a/hw/sd/sd.c b/hw/sd/sd.c | ||
38 | index 5137168..1cc16bf 100644 | ||
39 | --- a/hw/sd/sd.c | ||
40 | +++ b/hw/sd/sd.c | ||
41 | @@ -920,6 +920,11 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) | ||
42 | sd->multi_blk_cnt = 0; | ||
43 | } | ||
44 | |||
45 | + if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) { | ||
46 | + /* Only Standard Capacity cards support class 6 commands */ | ||
47 | + return sd_illegal; | ||
48 | + } | ||
49 | + | ||
50 | switch (req.cmd) { | ||
51 | /* Basic commands (Class 0 and Class 1) */ | ||
52 | case 0: /* CMD0: GO_IDLE_STATE */ | ||
53 | -- | ||
54 | 1.8.3.1 | ||
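Review bot: The metadata tag in this patch's header is misspelled `Upstram-Status:`, so the layer's patch-header QA (which looks for the literal `Upstream-Status:` keyword) will not see this backport as classified; it should read `Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=9157dd597d293ab7f599f4d96c3fe8a6e07c633d]`. On the code, the new class-6 gate indexes `sd_cmd_class[req.cmd]` before the `switch`, which is only safe if the command number has already been masked to the table size by the caller (sd_do_command, outside this hunk) — worth confirming in the 4.2.0 tree rather than assuming. The enclosing sd_normal_command starts and ends outside the hunk.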
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch new file mode 100644 index 0000000000..fdfff9d81d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch | |||
@@ -0,0 +1,91 @@ | |||
1 | From 5d971f9e672507210e77d020d89e0e89165c8fc9 Mon Sep 17 00:00:00 2001 | ||
2 | From: "Michael S. Tsirkin" <mst@redhat.com> | ||
3 | Date: Wed, 10 Jun 2020 09:47:49 -0400 | ||
4 | Subject: [PATCH] memory: Revert "memory: accept mismatching sizes in | ||
5 | memory_region_access_valid" | ||
6 | |||
7 | Memory API documentation documents valid .min_access_size and .max_access_size | ||
8 | fields and explains that any access outside these boundaries is blocked. | ||
9 | |||
10 | This is what devices seem to assume. | ||
11 | |||
12 | However this is not what the implementation does: it simply | ||
13 | ignores the boundaries unless there's an "accepts" callback. | ||
14 | |||
15 | Naturally, this breaks a bunch of devices. | ||
16 | |||
17 | Revert to the documented behaviour. | ||
18 | |||
19 | Devices that want to allow any access can just drop the valid field, | ||
20 | or add the impl field to have accesses converted to appropriate | ||
21 | length. | ||
22 | |||
23 | Cc: qemu-stable@nongnu.org | ||
24 | Reviewed-by: Richard Henderson <rth@twiddle.net> | ||
25 | Fixes: CVE-2020-13754 | ||
26 | Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363 | ||
27 | Fixes: a014ed07bd5a ("memory: accept mismatching sizes in memory_region_access_valid") | ||
28 | Signed-off-by: Michael S. Tsirkin <mst@redhat.com> | ||
29 | Message-Id: <20200610134731.1514409-1-mst@redhat.com> | ||
30 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
31 | |||
32 | https://git.qemu.org/?p=qemu.git;a=patch;h=5d971f9e672507210e77d020d89e0e89165c8fc9 | ||
33 | CVE: CVE-2020-13754 | ||
34 | Upstream-Status: Backport | ||
35 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
36 | --- | ||
37 | memory.c | 29 +++++++++-------------------- | ||
38 | 1 file changed, 9 insertions(+), 20 deletions(-) | ||
39 | |||
40 | diff --git a/memory.c b/memory.c | ||
41 | index 2f15a4b..9200b20 100644 | ||
42 | --- a/memory.c | ||
43 | +++ b/memory.c | ||
44 | @@ -1352,35 +1352,24 @@ bool memory_region_access_valid(MemoryRegion *mr, | ||
45 | bool is_write, | ||
46 | MemTxAttrs attrs) | ||
47 | { | ||
48 | - int access_size_min, access_size_max; | ||
49 | - int access_size, i; | ||
50 | - | ||
51 | - if (!mr->ops->valid.unaligned && (addr & (size - 1))) { | ||
52 | + if (mr->ops->valid.accepts | ||
53 | + && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) { | ||
54 | return false; | ||
55 | } | ||
56 | |||
57 | - if (!mr->ops->valid.accepts) { | ||
58 | - return true; | ||
59 | - } | ||
60 | - | ||
61 | - access_size_min = mr->ops->valid.min_access_size; | ||
62 | - if (!mr->ops->valid.min_access_size) { | ||
63 | - access_size_min = 1; | ||
64 | + if (!mr->ops->valid.unaligned && (addr & (size - 1))) { | ||
65 | + return false; | ||
66 | } | ||
67 | |||
68 | - access_size_max = mr->ops->valid.max_access_size; | ||
69 | + /* Treat zero as compatibility all valid */ | ||
70 | if (!mr->ops->valid.max_access_size) { | ||
71 | - access_size_max = 4; | ||
72 | + return true; | ||
73 | } | ||
74 | |||
75 | - access_size = MAX(MIN(size, access_size_max), access_size_min); | ||
76 | - for (i = 0; i < size; i += access_size) { | ||
77 | - if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size, | ||
78 | - is_write, attrs)) { | ||
79 | - return false; | ||
80 | - } | ||
81 | + if (size > mr->ops->valid.max_access_size | ||
82 | + || size < mr->ops->valid.min_access_size) { | ||
83 | + return false; | ||
84 | } | ||
85 | - | ||
86 | return true; | ||
87 | } | ||
88 | |||
89 | -- | ||
90 | 1.8.3.1 | ||
91 | |||
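Review bot: In the rewritten memory_region_access_valid the compatibility early return `if (!mr->ops->valid.max_access_size) return true;` sits before the size-range test, so a MemoryRegionOps that sets only `.valid.min_access_size` (max left at 0) gets no lower bound enforced and a narrower-than-minimum guest access still reaches the device callback. Checking the minimum first — `if (size < mr->ops->valid.min_access_size) return false;` placed ahead of that return — would close the gap without changing anything for ops that set both fields. This revert is also what makes the three follow-up patches necessary: any other 4.2.0 device whose declared valid range is narrower than what its guests actually issue will now fault instead of being served, so the affected boards should be regression-tested rather than assumed covered by -2..-4.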
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch new file mode 100644 index 0000000000..7354edc54d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch | |||
@@ -0,0 +1,69 @@ | |||
1 | From dba04c3488c4699f5afe96f66e448b1d447cf3fb Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael Tokarev <mjt@tls.msk.ru> | ||
3 | Date: Mon, 20 Jul 2020 19:06:27 +0300 | ||
4 | Subject: [PATCH] acpi: accept byte and word access to core ACPI registers | ||
5 | |||
6 | All ISA registers should be accessible as bytes, words or dwords | ||
7 | (if wide enough). Fix the access constraints for acpi-pm-evt, | ||
8 | acpi-pm-tmr & acpi-cnt registers. | ||
9 | |||
10 | Fixes: 5d971f9e67 (memory: Revert "memory: accept mismatching sizes in memory_region_access_valid") | ||
11 | Fixes: afafe4bbe0 (apci: switch cnt to memory api) | ||
12 | Fixes: 77d58b1e47 (apci: switch timer to memory api) | ||
13 | Fixes: b5a7c024d2 (apci: switch evt to memory api) | ||
14 | Buglink: https://lore.kernel.org/xen-devel/20200630170913.123646-1-anthony.perard@citrix.com/T/ | ||
15 | Buglink: https://bugs.debian.org/964793 | ||
16 | BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247 | ||
17 | BugLink: https://bugs.launchpad.net/bugs/1886318 | ||
18 | Reported-By: Simon John <git@the-jedi.co.uk> | ||
19 | Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | ||
20 | Message-Id: <20200720160627.15491-1-mjt@msgid.tls.msk.ru> | ||
21 | Cc: qemu-stable@nongnu.org | ||
22 | Reviewed-by: Michael S. Tsirkin <mst@redhat.com> | ||
23 | Signed-off-by: Michael S. Tsirkin <mst@redhat.com> | ||
24 | |||
25 | https://git.qemu.org/?p=qemu.git;a=patch;h=dba04c3488c4699f5afe96f66e448b1d447cf3fb | ||
26 | CVE: CVE-2020-13754 | ||
27 | Upstream-Status: Backport | ||
28 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
29 | --- | ||
30 | hw/acpi/core.c | 9 ++++++--- | ||
31 | 1 file changed, 6 insertions(+), 3 deletions(-) | ||
32 | |||
33 | diff --git a/hw/acpi/core.c b/hw/acpi/core.c | ||
34 | index f6d9ec4..ac06db3 100644 | ||
35 | --- a/hw/acpi/core.c | ||
36 | +++ b/hw/acpi/core.c | ||
37 | @@ -458,7 +458,8 @@ static void acpi_pm_evt_write(void *opaque, hwaddr addr, uint64_t val, | ||
38 | static const MemoryRegionOps acpi_pm_evt_ops = { | ||
39 | .read = acpi_pm_evt_read, | ||
40 | .write = acpi_pm_evt_write, | ||
41 | - .valid.min_access_size = 2, | ||
42 | + .impl.min_access_size = 2, | ||
43 | + .valid.min_access_size = 1, | ||
44 | .valid.max_access_size = 2, | ||
45 | .endianness = DEVICE_LITTLE_ENDIAN, | ||
46 | }; | ||
47 | @@ -527,7 +528,8 @@ static void acpi_pm_tmr_write(void *opaque, hwaddr addr, uint64_t val, | ||
48 | static const MemoryRegionOps acpi_pm_tmr_ops = { | ||
49 | .read = acpi_pm_tmr_read, | ||
50 | .write = acpi_pm_tmr_write, | ||
51 | - .valid.min_access_size = 4, | ||
52 | + .impl.min_access_size = 4, | ||
53 | + .valid.min_access_size = 1, | ||
54 | .valid.max_access_size = 4, | ||
55 | .endianness = DEVICE_LITTLE_ENDIAN, | ||
56 | }; | ||
57 | @@ -599,7 +601,8 @@ static void acpi_pm_cnt_write(void *opaque, hwaddr addr, uint64_t val, | ||
58 | static const MemoryRegionOps acpi_pm_cnt_ops = { | ||
59 | .read = acpi_pm_cnt_read, | ||
60 | .write = acpi_pm_cnt_write, | ||
61 | - .valid.min_access_size = 2, | ||
62 | + .impl.min_access_size = 2, | ||
63 | + .valid.min_access_size = 1, | ||
64 | .valid.max_access_size = 2, | ||
65 | .endianness = DEVICE_LITTLE_ENDIAN, | ||
66 | }; | ||
67 | -- | ||
68 | 1.8.3.1 | ||
69 | |||
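Review bot: Lowering `.valid.min_access_size` to 1 while keeping `.impl.min_access_size` at 2 means the memory core now accepts byte accesses to these registers and adjusts them to the 2-byte implementation width before calling acpi_pm_*_read/write; as far as I recall the core widens rather than read-modify-writes, so a guest byte store arrives at the handler as a 2-byte write with the other byte zeroed, and an access at an odd offset arrives with that odd `addr`. acpi_pm_cnt_write and acpi_pm_evt_write are outside this hunk, so it is worth confirming they tolerate that (PM1_CNT's SLP_TYP/SLP_EN bits live in the upper byte). The `Fixes: 5d971f9e67` trailer shows this is a regression fix for CVE-2020-13754-1, so the two must always ship together.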
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch new file mode 100644 index 0000000000..2a8781050f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch | |||
@@ -0,0 +1,65 @@ | |||
1 | From 8e67fda2dd6202ccec093fda561107ba14830a17 Mon Sep 17 00:00:00 2001 | ||
2 | From: Laurent Vivier <lvivier@redhat.com> | ||
3 | Date: Tue, 21 Jul 2020 10:33:22 +0200 | ||
4 | Subject: [PATCH] xhci: fix valid.max_access_size to access address registers | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=utf8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | QEMU XHCI advertises AC64 (64-bit addressing) but doesn't allow | ||
10 | 64-bit mode access in "runtime" and "operational" MemoryRegionOps. | ||
11 | |||
12 | Set the max_access_size based on sizeof(dma_addr_t) as AC64 is set. | ||
13 | |||
14 | XHCI specs: | ||
15 | "If the xHC supports 64-bit addressing (AC64 = â1â), then software | ||
16 | should write 64-bit registers using only Qword accesses. If a | ||
17 | system is incapable of issuing Qword accesses, then writes to the | ||
18 | 64-bit address fields shall be performed using 2 Dword accesses; | ||
19 | low Dword-first, high-Dword second. If the xHC supports 32-bit | ||
20 | addressing (AC64 = â0â), then the high Dword of registers containing | ||
21 | 64-bit address fields are unused and software should write addresses | ||
22 | using only Dword accesses" | ||
23 | |||
24 | The problem has been detected with SLOF, as linux kernel always accesses | ||
25 | registers using 32-bit access even if AC64 is set and revealed by | ||
26 | 5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"") | ||
27 | |||
28 | Suggested-by: Alexey Kardashevskiy <aik@au1.ibm.com> | ||
29 | Signed-off-by: Laurent Vivier <lvivier@redhat.com> | ||
30 | Message-id: 20200721083322.90651-1-lvivier@redhat.com | ||
31 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
32 | |||
33 | https://git.qemu.org/?p=qemu.git;a=patch;h=8e67fda2dd6202ccec093fda561107ba14830a17 | ||
34 | CVE: CVE-2020-13754 | ||
35 | Upstream-Status: Backport | ||
36 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
37 | --- | ||
38 | hw/usb/hcd-xhci.c | 4 ++-- | ||
39 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
40 | |||
41 | diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c | ||
42 | index b330e36..67a18fe 100644 | ||
43 | --- a/hw/usb/hcd-xhci.c | ||
44 | +++ b/hw/usb/hcd-xhci.c | ||
45 | @@ -3184,7 +3184,7 @@ static const MemoryRegionOps xhci_oper_ops = { | ||
46 | .read = xhci_oper_read, | ||
47 | .write = xhci_oper_write, | ||
48 | .valid.min_access_size = 4, | ||
49 | - .valid.max_access_size = 4, | ||
50 | + .valid.max_access_size = sizeof(dma_addr_t), | ||
51 | .endianness = DEVICE_LITTLE_ENDIAN, | ||
52 | }; | ||
53 | |||
54 | @@ -3200,7 +3200,7 @@ static const MemoryRegionOps xhci_runtime_ops = { | ||
55 | .read = xhci_runtime_read, | ||
56 | .write = xhci_runtime_write, | ||
57 | .valid.min_access_size = 4, | ||
58 | - .valid.max_access_size = 4, | ||
59 | + .valid.max_access_size = sizeof(dma_addr_t), | ||
60 | .endianness = DEVICE_LITTLE_ENDIAN, | ||
61 | }; | ||
62 | |||
63 | -- | ||
64 | 1.8.3.1 | ||
65 | |||
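Review bot: The quoted xHCI spec text in this patch's commit message has been transcoded — the curly quotes around 1 and 0 appear as `â1â`/`â0â` — even though the header declares `charset=utf8`, which suggests the file went through a non-UTF-8 step on its way into the layer; the hunk itself is ASCII so it still applies, but the file should be re-saved as UTF-8 (or the quotes replaced with plain `'1'`/`'0'`) before more patches are copied the same way. On the change, `.impl.max_access_size` is left unset, so the core presumably still splits the newly permitted 8-byte access into two 4-byte calls to xhci_oper_read/write — which is why the handlers need no 64-bit case — but that default is outside the hunk and worth a look.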
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch new file mode 100644 index 0000000000..6bad07d03f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch | |||
@@ -0,0 +1,39 @@ | |||
1 | From 70b78d4e71494c90d2ccb40381336bc9b9a22f79 Mon Sep 17 00:00:00 2001 | ||
2 | From: Alistair Francis <alistair.francis@wdc.com> | ||
3 | Date: Tue, 30 Jun 2020 13:12:11 -0700 | ||
4 | Subject: [PATCH] hw/riscv: Allow 64 bit access to SiFive CLINT | ||
5 | |||
6 | Commit 5d971f9e672507210e77d020d89e0e89165c8fc9 | ||
7 | "memory: Revert "memory: accept mismatching sizes in | ||
8 | memory_region_access_valid"" broke most RISC-V boards as they do 64 bit | ||
9 | accesses to the CLINT and QEMU would trigger a fault. Fix this failure | ||
10 | by allowing 8 byte accesses. | ||
11 | |||
12 | Signed-off-by: Alistair Francis <alistair.francis@wdc.com> | ||
13 | Reviewed-by: LIU Zhiwei<zhiwei_liu@c-sky.com> | ||
14 | Message-Id: <122b78825b077e4dfd39b444d3a46fe894a7804c.1593547870.git.alistair.francis@wdc.com> | ||
15 | |||
16 | https://git.qemu.org/?p=qemu.git;a=patch;h=70b78d4e71494c90d2ccb40381336bc9b9a22f79 | ||
17 | CVE: CVE-2020-13754 | ||
18 | Upstream-Status: Backport | ||
19 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
20 | --- | ||
21 | hw/riscv/sifive_clint.c | 2 +- | ||
22 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
23 | |||
24 | diff --git a/hw/riscv/sifive_clint.c b/hw/riscv/sifive_clint.c | ||
25 | index b11ffa0..669c21a 100644 | ||
26 | --- a/hw/riscv/sifive_clint.c | ||
27 | +++ b/hw/riscv/sifive_clint.c | ||
28 | @@ -181,7 +181,7 @@ static const MemoryRegionOps sifive_clint_ops = { | ||
29 | .endianness = DEVICE_LITTLE_ENDIAN, | ||
30 | .valid = { | ||
31 | .min_access_size = 4, | ||
32 | - .max_access_size = 4 | ||
33 | + .max_access_size = 8 | ||
34 | } | ||
35 | }; | ||
36 | |||
37 | -- | ||
38 | 1.8.3.1 | ||
39 | |||
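Review bot: Raising `.max_access_size` to 8 without also setting `.impl.max_access_size` relies on the memory core splitting a 64-bit guest access into two 32-bit calls to sifive_clint_read/write (the default impl width, outside this hunk); that keeps the handlers unchanged but also means a guest's single 8-byte store to mtimecmp is delivered as two halves, presumably the same torn-update behaviour it had before the revert. A one-line comment on the field, `/* 8-byte guest accesses are split into two 4-byte handler calls */`, would save the next reader from looking for a 64-bit path in the handlers.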
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch new file mode 100644 index 0000000000..1e8278f7b7 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch | |||
@@ -0,0 +1,44 @@ | |||
1 | Date: Thu, 4 Jun 2020 16:25:24 +0530 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Subject: [PATCH v3] ati-vga: check address before reading configuration bytes (CVE-2020-13791) | ||
4 | |||
5 | While reading PCI configuration bytes, a guest may send an | ||
6 | address towards the end of the configuration space. It may lead | ||
7 | to an OOB access issue. Add check to ensure 'address + size' is | ||
8 | within PCI configuration space. | ||
9 | |||
10 | CVE: CVE-2020-13791 | ||
11 | |||
12 | Upstream-Status: Submitted | ||
13 | https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00979.html | ||
14 | |||
15 | Reported-by: Ren Ding <rding@gatech.edu> | ||
16 | Reported-by: Hanqing Zhao <hanqing@gatech.edu> | ||
17 | Reported-by: Yi Ren <c4tren@gmail.com> | ||
18 | Suggested-by: BALATON Zoltan <balaton@eik.bme.hu> | ||
19 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
20 | Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> | ||
21 | --- | ||
22 | hw/display/ati.c | 4 +++- | ||
23 | 1 file changed, 3 insertions(+), 1 deletion(-) | ||
24 | |||
25 | Update v3: avoid modifying 'addr' variable | ||
26 | -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00834.html | ||
27 | |||
28 | diff --git a/hw/display/ati.c b/hw/display/ati.c | ||
29 | index 67604e68de..b4d0fd88b7 100644 | ||
30 | --- a/hw/display/ati.c | ||
31 | +++ b/hw/display/ati.c | ||
32 | @@ -387,7 +387,9 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size) | ||
33 | val = s->regs.crtc_pitch; | ||
34 | break; | ||
35 | case 0xf00 ... 0xfff: | ||
36 | - val = pci_default_read_config(&s->dev, addr - 0xf00, size); | ||
37 | + if ((addr - 0xf00) + size <= pci_config_size(&s->dev)) { | ||
38 | + val = pci_default_read_config(&s->dev, addr - 0xf00, size); | ||
39 | + } | ||
40 | break; | ||
41 | case CUR_OFFSET: | ||
42 | val = s->regs.cur_offset; | ||
43 | -- | ||
44 | 2.26.2 | ||
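Review bot: When the new bound check in ati_mm_read rejects a read, the function falls out of the `case` silently and returns whatever `val` was initialised to at the top of the function (outside this hunk, presumably 0), so a guest probing the end of the config window produces no diagnostic; adding `else { qemu_log_mask(LOG_GUEST_ERROR, "%s: config read out of bounds at 0x%" HWADDR_PRIx "\n", __func__, addr); }` would make the attempt visible, in line with how the other patches in this series report bad accesses. The file is tagged `Upstream-Status: Submitted` with a mailing-list link, so this may not be the form upstream finally merged — the recipe should be re-checked against the final upstream commit and the tag updated. The enclosing ati_mm_read starts and ends outside the hunk.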
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-1.patch new file mode 100644 index 0000000000..20f39f0a26 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-1.patch | |||
@@ -0,0 +1,50 @@ | |||
1 | From 520f26fc6d17b71a43eaf620e834b3bdf316f3d3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Tue, 11 Aug 2020 17:11:25 +0530 | ||
4 | Subject: [PATCH] hw/pci-host: add pci-intack write method | ||
5 | |||
6 | Add pci-intack mmio write method to avoid NULL pointer dereference | ||
7 | issue. | ||
8 | |||
9 | Reported-by: Lei Sun <slei.casper@gmail.com> | ||
10 | Reviewed-by: Li Qiang <liq3ea@gmail.com> | ||
11 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
12 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
13 | Message-Id: <20200811114133.672647-2-ppandit@redhat.com> | ||
14 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
15 | |||
16 | CVE: CVE-2020-15469 | ||
17 | Upstream-Status: Backport [import from ubuntu | ||
18 | https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-1.patch?h=ubuntu/focal-security | ||
19 | Upstream commit https://github.com/qemu/qemu/commit/520f26fc6d17b71a43eaf620e834b3bdf316f3d3 ] | ||
20 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
21 | --- | ||
22 | hw/pci-host/prep.c | 8 ++++++++ | ||
23 | 1 file changed, 8 insertions(+) | ||
24 | |||
25 | --- a/hw/pci-host/prep.c | ||
26 | +++ b/hw/pci-host/prep.c | ||
27 | @@ -26,6 +26,7 @@ | ||
28 | #include "qemu/osdep.h" | ||
29 | #include "qemu-common.h" | ||
30 | #include "qemu/units.h" | ||
31 | +#include "qemu/log.h" | ||
32 | #include "qapi/error.h" | ||
33 | #include "hw/pci/pci.h" | ||
34 | #include "hw/pci/pci_bus.h" | ||
35 | @@ -119,8 +120,15 @@ static uint64_t raven_intack_read(void * | ||
36 | return pic_read_irq(isa_pic); | ||
37 | } | ||
38 | |||
39 | +static void raven_intack_write(void *opaque, hwaddr addr, | ||
40 | + uint64_t data, unsigned size) | ||
41 | +{ | ||
42 | + qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__); | ||
43 | +} | ||
44 | + | ||
45 | static const MemoryRegionOps raven_intack_ops = { | ||
46 | .read = raven_intack_read, | ||
47 | + .write = raven_intack_write, | ||
48 | .valid = { | ||
49 | .max_access_size = 1, | ||
50 | }, | ||
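Review bot: The added raven_intack_write closes one instance of a general class — a MemoryRegionOps with a NULL `.read` or `.write` that a guest can reach — and the rest of this series patches the same pattern device by device; a single defensive check in the dispatch path, rejecting the access in memory_region_access_valid when the matching callback is NULL, would also cover 4.2.0 devices not on this list, though whether the tree already has such a check is outside the hunk. Separately, the `Upstream-Status:` value here is spread over three lines with the closing bracket on the last one; if the layer's patch QA matches the tag on a single line it should be collapsed onto one, as CVE-2020-15469-2 does.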
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-2.patch new file mode 100644 index 0000000000..d6715d337c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-2.patch | |||
@@ -0,0 +1,69 @@ | |||
1 | From 4f2a5202a05fc1612954804a2482f07bff105ea2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Tue, 11 Aug 2020 17:11:26 +0530 | ||
4 | Subject: [PATCH] pci-host: designware: add pcie-msi read method | ||
5 | |||
6 | Add pcie-msi mmio read method to avoid NULL pointer dereference | ||
7 | issue. | ||
8 | |||
9 | Reported-by: Lei Sun <slei.casper@gmail.com> | ||
10 | Reviewed-by: Li Qiang <liq3ea@gmail.com> | ||
11 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
12 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
13 | Message-Id: <20200811114133.672647-3-ppandit@redhat.com> | ||
14 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
15 | |||
16 | CVE: CVE-2020-15469 | ||
17 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-2.patch?h=ubuntu/focal-security Upstream Commit https://github.com/qemu/qemu/commit/4f2a5202a05fc1612954804a2482f07bff105ea2] | ||
18 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
19 | --- | ||
20 | hw/pci-host/designware.c | 19 +++++++++++++++++++ | ||
21 | 1 file changed, 19 insertions(+) | ||
22 | |||
23 | diff --git a/hw/pci-host/designware.c b/hw/pci-host/designware.c | ||
24 | index f9fb97a..bde3a34 100644 | ||
25 | --- a/hw/pci-host/designware.c | ||
26 | +++ b/hw/pci-host/designware.c | ||
27 | @@ -21,6 +21,7 @@ | ||
28 | #include "qemu/osdep.h" | ||
29 | #include "qapi/error.h" | ||
30 | #include "qemu/module.h" | ||
31 | +#include "qemu/log.h" | ||
32 | #include "hw/pci/msi.h" | ||
33 | #include "hw/pci/pci_bridge.h" | ||
34 | #include "hw/pci/pci_host.h" | ||
35 | @@ -63,6 +64,23 @@ designware_pcie_root_to_host(DesignwarePCIERoot *root) | ||
36 | return DESIGNWARE_PCIE_HOST(bus->parent); | ||
37 | } | ||
38 | |||
39 | +static uint64_t designware_pcie_root_msi_read(void *opaque, hwaddr addr, | ||
40 | + unsigned size) | ||
41 | +{ | ||
42 | + /* | ||
43 | + * Attempts to read from the MSI address are undefined in | ||
44 | + * the PCI specifications. For this hardware, the datasheet | ||
45 | + * specifies that a read from the magic address is simply not | ||
46 | + * intercepted by the MSI controller, and will go out to the | ||
47 | + * AHB/AXI bus like any other PCI-device-initiated DMA read. | ||
48 | + * This is not trivial to implement in QEMU, so since | ||
49 | + * well-behaved guests won't ever ask a PCI device to DMA from | ||
50 | + * this address we just log the missing functionality. | ||
51 | + */ | ||
52 | + qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__); | ||
53 | + return 0; | ||
54 | +} | ||
55 | + | ||
56 | static void designware_pcie_root_msi_write(void *opaque, hwaddr addr, | ||
57 | uint64_t val, unsigned len) | ||
58 | { | ||
59 | @@ -77,6 +95,7 @@ static void designware_pcie_root_msi_write(void *opaque, hwaddr addr, | ||
60 | } | ||
61 | |||
62 | static const MemoryRegionOps designware_pci_host_msi_ops = { | ||
63 | + .read = designware_pcie_root_msi_read, | ||
64 | .write = designware_pcie_root_msi_write, | ||
65 | .endianness = DEVICE_LITTLE_ENDIAN, | ||
66 | .valid = { | ||
67 | -- | ||
68 | 1.8.3.1 | ||
69 | |||
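Review bot: The series is inconsistent about how it logs these reachable-but-unimplemented accesses: this patch and -1 use `LOG_UNIMP`, while -3, -4 and -6 use `LOG_GUEST_ERROR` for the same situation, so identical guest behaviour shows up under different `-d` masks depending on which device it hits. The comment in designware_pcie_root_msi_read itself argues that a well-behaved guest never issues this read, which reads as a guest error rather than missing emulation; `qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid access\n", __func__);` would line it up with the rest of the series. Returning 0 is reasonable since nothing in the hunk offers a better value.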
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-3.patch new file mode 100644 index 0000000000..85abe8ff32 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-3.patch | |||
@@ -0,0 +1,49 @@ | |||
1 | From 24202d2b561c3b4c48bd28383c8c34b4ac66c2bf Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Tue, 11 Aug 2020 17:11:27 +0530 | ||
4 | Subject: [PATCH] vfio: add quirk device write method | ||
5 | |||
6 | Add vfio quirk device mmio write method to avoid NULL pointer | ||
7 | dereference issue. | ||
8 | |||
9 | Reported-by: Lei Sun <slei.casper@gmail.com> | ||
10 | Reviewed-by: Li Qiang <liq3ea@gmail.com> | ||
11 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
12 | Acked-by: Alex Williamson <alex.williamson@redhat.com> | ||
13 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
14 | Message-Id: <20200811114133.672647-4-ppandit@redhat.com> | ||
15 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
16 | |||
17 | CVE: CVE-2020-15469 | ||
18 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-3.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/24202d2b561c3b4c48bd28383c8c34b4ac66c2bf] | ||
19 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
20 | --- | ||
21 | hw/vfio/pci-quirks.c | 8 ++++++++ | ||
22 | 1 file changed, 8 insertions(+) | ||
23 | |||
24 | --- a/hw/vfio/pci-quirks.c | ||
25 | +++ b/hw/vfio/pci-quirks.c | ||
26 | @@ -13,6 +13,7 @@ | ||
27 | #include "qemu/osdep.h" | ||
28 | #include "exec/memop.h" | ||
29 | #include "qemu/units.h" | ||
30 | +#include "qemu/log.h" | ||
31 | #include "qemu/error-report.h" | ||
32 | #include "qemu/main-loop.h" | ||
33 | #include "qemu/module.h" | ||
34 | @@ -278,8 +279,15 @@ static uint64_t vfio_ati_3c3_quirk_read( | ||
35 | return data; | ||
36 | } | ||
37 | |||
38 | +static void vfio_ati_3c3_quirk_write(void *opaque, hwaddr addr, | ||
39 | + uint64_t data, unsigned size) | ||
40 | +{ | ||
41 | + qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid access\n", __func__); | ||
42 | +} | ||
43 | + | ||
44 | static const MemoryRegionOps vfio_ati_3c3_quirk = { | ||
45 | .read = vfio_ati_3c3_quirk_read, | ||
46 | + .write = vfio_ati_3c3_quirk_write, | ||
47 | .endianness = DEVICE_LITTLE_ENDIAN, | ||
48 | }; | ||
49 | |||
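Review bot: vfio_ati_3c3_quirk_write drops the guest's write with a log message rather than forwarding it, which turns a crash into a silent behaviour change for the assigned device: if port 0x3c3 is writable on the real card, the guest's write never reaches hardware once this quirk overlay is in place. Whether the quirk region is meant to shadow writes too, or whether they should be passed through to the parent vfio region, cannot be determined from the hunk (the quirk's setup is outside it); the Acked-by from the vfio maintainer suggests dropping is accepted. If so, a one-line comment above the stub, `/* quirk overlay is read-only; writes are intentionally dropped */`, would stop the next reader from treating it as a TODO.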
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-4.patch new file mode 100644 index 0000000000..52fac8a051 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-4.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | From f867cebaedbc9c43189f102e4cdfdff05e88df7f Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Tue, 11 Aug 2020 17:11:28 +0530 | ||
4 | Subject: [PATCH] prep: add ppc-parity write method | ||
5 | |||
6 | Add ppc-parity mmio write method to avoid NULL pointer dereference | ||
7 | issue. | ||
8 | |||
9 | Reported-by: Lei Sun <slei.casper@gmail.com> | ||
10 | Acked-by: David Gibson <david@gibson.dropbear.id.au> | ||
11 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
12 | Reviewed-by: Li Qiang <liq3ea@gmail.com> | ||
13 | Message-Id: <20200811114133.672647-5-ppandit@redhat.com> | ||
14 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
15 | |||
16 | CVE: CVE-2020-15469 | ||
17 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-4.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/f867cebaedbc9c43189f102e4cdfdff05e88df7f] | ||
18 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
19 | --- | ||
20 | hw/ppc/prep_systemio.c | 8 ++++++++ | ||
21 | 1 file changed, 8 insertions(+) | ||
22 | |||
23 | diff --git a/hw/ppc/prep_systemio.c b/hw/ppc/prep_systemio.c | ||
24 | index 4e48ef2..b2bd783 100644 | ||
25 | --- a/hw/ppc/prep_systemio.c | ||
26 | +++ b/hw/ppc/prep_systemio.c | ||
27 | @@ -23,6 +23,7 @@ | ||
28 | */ | ||
29 | |||
30 | #include "qemu/osdep.h" | ||
31 | +#include "qemu/log.h" | ||
32 | #include "hw/irq.h" | ||
33 | #include "hw/isa/isa.h" | ||
34 | #include "hw/qdev-properties.h" | ||
35 | @@ -235,8 +236,15 @@ static uint64_t ppc_parity_error_readl(void *opaque, hwaddr addr, | ||
36 | return val; | ||
37 | } | ||
38 | |||
39 | +static void ppc_parity_error_writel(void *opaque, hwaddr addr, | ||
40 | + uint64_t data, unsigned size) | ||
41 | +{ | ||
42 | + qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid access\n", __func__); | ||
43 | +} | ||
44 | + | ||
45 | static const MemoryRegionOps ppc_parity_error_ops = { | ||
46 | .read = ppc_parity_error_readl, | ||
47 | + .write = ppc_parity_error_writel, | ||
48 | .valid = { | ||
49 | .min_access_size = 4, | ||
50 | .max_access_size = 4, | ||
51 | -- | ||
52 | 1.8.3.1 | ||
53 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-5.patch new file mode 100644 index 0000000000..49c6c5e3e2 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-5.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | From b5bf601f364e1a14ca4c3276f88dfec024acf613 Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Tue, 11 Aug 2020 17:11:29 +0530 | ||
4 | Subject: [PATCH] nvram: add nrf51_soc flash read method | ||
5 | |||
6 | Add nrf51_soc mmio read method to avoid NULL pointer dereference | ||
7 | issue. | ||
8 | |||
9 | Reported-by: Lei Sun <slei.casper@gmail.com> | ||
10 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
11 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
12 | Reviewed-by: Li Qiang <liq3ea@gmail.com> | ||
13 | Message-Id: <20200811114133.672647-6-ppandit@redhat.com> | ||
14 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
15 | |||
16 | CVE: CVE-2020-15469 | ||
17 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-5.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/b5bf601f364e1a14ca4c3276f88dfec024acf613 ] | ||
18 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
19 | --- | ||
20 | hw/nvram/nrf51_nvm.c | 10 ++++++++++ | ||
21 | 1 file changed, 10 insertions(+) | ||
22 | |||
23 | diff --git a/hw/nvram/nrf51_nvm.c b/hw/nvram/nrf51_nvm.c | ||
24 | index f2283c1..7b3460d 100644 | ||
25 | --- a/hw/nvram/nrf51_nvm.c | ||
26 | +++ b/hw/nvram/nrf51_nvm.c | ||
27 | @@ -273,6 +273,15 @@ static const MemoryRegionOps io_ops = { | ||
28 | .endianness = DEVICE_LITTLE_ENDIAN, | ||
29 | }; | ||
30 | |||
31 | +static uint64_t flash_read(void *opaque, hwaddr offset, unsigned size) | ||
32 | +{ | ||
33 | + /* | ||
34 | + * This is a rom_device MemoryRegion which is always in | ||
35 | + * romd_mode (we never put it in MMIO mode), so reads always | ||
36 | + * go directly to RAM and never come here. | ||
37 | + */ | ||
38 | + g_assert_not_reached(); | ||
39 | +} | ||
40 | |||
41 | static void flash_write(void *opaque, hwaddr offset, uint64_t value, | ||
42 | unsigned int size) | ||
43 | @@ -300,6 +309,7 @@ static void flash_write(void *opaque, hwaddr offset, uint64_t value, | ||
44 | |||
45 | |||
46 | static const MemoryRegionOps flash_ops = { | ||
47 | + .read = flash_read, | ||
48 | .write = flash_write, | ||
49 | .valid.min_access_size = 4, | ||
50 | .valid.max_access_size = 4, | ||
51 | -- | ||
52 | 1.8.3.1 | ||
53 | |||
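Review bot: flash_read turns the NULL-callback crash into `g_assert_not_reached()`, which is still a process abort if the stated invariant — the region is a rom_device that is never switched out of romd mode — ever stops holding; the invariant is established where the region is created, outside this hunk, so it cannot be verified here. Aborting on a programming error rather than masking it with a `LOG_GUEST_ERROR` + `return 0` is a defensible trade-off and was reviewed upstream, but when backporting it is worth grepping the 4.2.0 tree for any `memory_region_rom_device_set_romd(..., false)` on this region, since that would make the abort guest-reachable.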
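--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-6.patch
@@ -0,0 +1,61 @@
+Backport of:
+
+From 921604e175b8ec06c39503310e7b3ec1e3eafe9e Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 11 Aug 2020 17:11:30 +0530
+Subject: [PATCH] spapr_pci: add spapr msi read method
+
+Add spapr msi mmio read method to avoid NULL pointer dereference
+issue.
+
+Reported-by: Lei Sun <slei.casper@gmail.com>
+Acked-by: David Gibson <david@gibson.dropbear.id.au>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20200811114133.672647-7-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+CVE: CVE-2020-15469
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-6.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/921604e175b8ec06c39503310e7b3ec1e3eafe9e]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+hw/ppc/spapr_pci.c | 14 ++++++++++++--
+1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/hw/ppc/spapr_pci.c
++++ b/hw/ppc/spapr_pci.c
+@@ -52,6 +52,7 @@
+#include "sysemu/kvm.h"
+#include "sysemu/hostmem.h"
+#include "sysemu/numa.h"
++#include "qemu/log.h"
+
+/* Copied from the kernel arch/powerpc/platforms/pseries/msi.c */
+#define RTAS_QUERY_FN 0
+@@ -738,6 +739,12 @@ static PCIINTxRoute spapr_route_intx_pin
+return route;
+}
+
++static uint64_t spapr_msi_read(void *opaque, hwaddr addr, unsigned size)
++{
++ qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid access\n", __func__);
++ return 0;
++}
++
+/*
+* MSI/MSIX memory region implementation.
+* The handler handles both MSI and MSIX.
+@@ -755,8 +762,11 @@ static void spapr_msi_write(void *opaque
+}
+
+static const MemoryRegionOps spapr_msi_ops = {
+- /* There is no .read as the read result is undefined by PCI spec */
+- .read = NULL,
++ /*
+* .read result is undefined by PCI spec.
++ * define .read method to avoid assert failure in memory_region_init_io
++ */
++ .read = spapr_msi_read,
+.write = spapr_msi_write,
+.endianness = DEVICE_LITTLE_ENDIAN
+};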
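Review bot: `spapr_msi_read` logs a fixed `"%s: invalid access\n"`, so the message cannot be tied to the guest access that produced it; a handler whose whole purpose is to turn a guest-reachable NULL dereference into an observable event should log the offset and width, e.g. `qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid read at 0x%" HWADDR_PRIx " size %u\n", __func__, addr, size);`. The same gap exists in `imx7_digprog_write` in CVE-2020-15469-8.patch, which logs neither `addr` nor `data`. The `.read` comment in `spapr_msi_ops` could also say that 0 is what the guest receives, since "undefined by PCI spec" alone leaves the reader guessing what the emulation actually returns.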
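--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-7.patch
@@ -0,0 +1,50 @@
+From 2c9fb3b784000c1df32231e1c2464bb2e3fc4620 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 11 Aug 2020 17:11:31 +0530
+Subject: [PATCH] tz-ppc: add dummy read/write methods
+
+Add tz-ppc-dummy mmio read/write methods to avoid assert failure
+during initialisation.
+
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Message-Id: <20200811114133.672647-8-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+CVE: CVE-2020-15469
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-7.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/2c9fb3b784000c1df32231e1c2464bb2e3fc4620 ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+hw/misc/tz-ppc.c | 14 ++++++++++++++
+1 file changed, 14 insertions(+)
+
+diff --git a/hw/misc/tz-ppc.c b/hw/misc/tz-ppc.c
+index 6431257..36495c6 100644
+--- a/hw/misc/tz-ppc.c
++++ b/hw/misc/tz-ppc.c
+@@ -196,7 +196,21 @@ static bool tz_ppc_dummy_accepts(void *opaque, hwaddr addr,
+g_assert_not_reached();
+}
+
++static uint64_t tz_ppc_dummy_read(void *opaque, hwaddr addr, unsigned size)
++{
++ g_assert_not_reached();
++}
++
++static void tz_ppc_dummy_write(void *opaque, hwaddr addr,
++ uint64_t data, unsigned size)
++{
++ g_assert_not_reached();
++}
++
+static const MemoryRegionOps tz_ppc_dummy_ops = {
++ /* define r/w methods to avoid assert failure in memory_region_init_io */
++ .read = tz_ppc_dummy_read,
++ .write = tz_ppc_dummy_write,
+.valid.accepts = tz_ppc_dummy_accepts,
+};
+
+--
+1.8.3.1
+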
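Review bot: `tz_ppc_dummy_read` is declared `uint64_t` yet its body is only `g_assert_not_reached()`, so it falls off the end of a non-void function if that macro is ever compiled out (glib's `G_DISABLE_ASSERT`); QEMU's build presumably forbids that, but the reliance is silent. A one-line comment would make the contract explicit, e.g. `/* unreachable: tz_ppc_dummy_accepts asserts before any access gets here */` — the visible tail of `tz_ppc_dummy_accepts` is itself a `g_assert_not_reached()`, so no access can legitimately reach either method. `flash_read` in CVE-2020-15469-5.patch has the same shape.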
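--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-8.patch
@@ -0,0 +1,44 @@
+From 735754aaa15a6ed46db51fd731e88331c446ea54 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 11 Aug 2020 17:11:32 +0530
+Subject: [PATCH] imx7-ccm: add digprog mmio write method
+
+Add digprog mmio write method to avoid assert failure during
+initialisation.
+
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20200811114133.672647-9-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+CVE: CVE-2020-15469
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-8.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/735754aaa15a6ed46db51fd731e88331c446ea54]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+hw/misc/imx7_ccm.c | 8 ++++++++
+1 file changed, 8 insertions(+)
+
+diff --git a/hw/misc/imx7_ccm.c b/hw/misc/imx7_ccm.c
+index 02fc1ae..075159e 100644
+--- a/hw/misc/imx7_ccm.c
++++ b/hw/misc/imx7_ccm.c
+@@ -131,8 +131,16 @@ static const struct MemoryRegionOps imx7_set_clr_tog_ops = {
+},
+};
+
++static void imx7_digprog_write(void *opaque, hwaddr addr,
++ uint64_t data, unsigned size)
++{
++ qemu_log_mask(LOG_GUEST_ERROR,
++ "Guest write to read-only ANALOG_DIGPROG register\n");
++}
++
+static const struct MemoryRegionOps imx7_digprog_ops = {
+.read = imx7_set_clr_tog_read,
++ .write = imx7_digprog_write,
+.endianness = DEVICE_NATIVE_ENDIAN,
+.impl = {
+.min_access_size = 4,
+--
+1.8.3.1
+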
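--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15859.patch
@@ -0,0 +1,39 @@
+From 22dc8663d9fc7baa22100544c600b6285a63c7a3 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 22 Jul 2020 16:57:46 +0800
+Subject: [PATCH] net: forbid the reentrant RX
+
+The memory API allows DMA into NIC's MMIO area. This means the NIC's
+RX routine must be reentrant. Instead of auditing all the NIC, we can
+simply detect the reentrancy and return early. The queue->delivering
+is set and cleared by qemu_net_queue_deliver() for other queue helpers
+to know whether the delivering in on going (NIC's receive is being
+called). We can check it and return early in qemu_net_queue_flush() to
+forbid reentrant RX.
+
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+CVE: CVE-2020-15859
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/ubuntu/CVE-2020-15859.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/22dc8663d9fc7baa22100544c600b6285a63c7a3 ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+net/queue.c | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/net/queue.c b/net/queue.c
+index 0164727..19e32c8 100644
+--- a/net/queue.c
++++ b/net/queue.c
+@@ -250,6 +250,9 @@ void qemu_net_queue_purge(NetQueue *queue, NetClientState *from)
+
+bool qemu_net_queue_flush(NetQueue *queue)
+{
++ if (queue->delivering)
++ return false;
++
+while (!QTAILQ_EMPTY(&queue->packets)) {
+NetPacket *packet;
+int ret;
+--
+1.8.3.1
+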
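Review bot: The new early return in `qemu_net_queue_flush` is an unbraced `if`, which QEMU's CODING_STYLE does not allow; write `if (queue->delivering) {` / `    return false;` / `}`. The reason for the bail-out lives only in the commit message, so add it at the check: `/* Re-entered from a NIC receive path (e.g. DMA into the NIC's own MMIO region); refuse nested RX. */`. The rest of the function, and therefore what its callers do with `false`, is outside the hunk.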
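--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-24165.patch
@@ -0,0 +1,94 @@
+CVE: CVE-2020-24165
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/886cc68943ebe8cf7e5f970be33459f95068a441 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+From 886cc68943ebe8cf7e5f970be33459f95068a441 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alex=20Benn=C3=A9e?= <alex.bennee@linaro.org>
+Date: Fri, 14 Feb 2020 14:49:52 +0000
+Subject: [PATCH] accel/tcg: fix race in cpu_exec_step_atomic (bug 1863025)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The bug describes a race whereby cpu_exec_step_atomic can acquire a TB
+which is invalidated by a tb_flush before we execute it. This doesn't
+affect the other cpu_exec modes as a tb_flush by it's nature can only
+occur on a quiescent system. The race was described as:
+
+B2. tcg_cpu_exec => cpu_exec => tb_find => tb_gen_code
+B3. tcg_tb_alloc obtains a new TB
+
+C3. TB obtained with tb_lookup__cpu_state or tb_gen_code
+(same TB as B2)
+
+A3. start_exclusive critical section entered
+A4. do_tb_flush is called, TB memory freed/re-allocated
+A5. end_exclusive exits critical section
+
+B2. tcg_cpu_exec => cpu_exec => tb_find => tb_gen_code
+B3. tcg_tb_alloc reallocates TB from B2
+
+C4. start_exclusive critical section entered
+C5. cpu_tb_exec executes the TB code that was free in A4
+
+The simplest fix is to widen the exclusive period to include the TB
+lookup. As a result we can drop the complication of checking we are in
+the exclusive region before we end it.
+
+Cc: Yifan <me@yifanlu.com>
+Buglink: https://bugs.launchpad.net/qemu/+bug/1863025
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
+Message-Id: <20200214144952.15502-1-alex.bennee@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+accel/tcg/cpu-exec.c | 21 +++++++++++----------
+1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
+index 2560c90eec79..d95c4848a47b 100644
+--- a/accel/tcg/cpu-exec.c
++++ b/accel/tcg/cpu-exec.c
+@@ -240,6 +240,8 @@ void cpu_exec_step_atomic(CPUState *cpu)
+uint32_t cf_mask = cflags & CF_HASH_MASK;
+
+if (sigsetjmp(cpu->jmp_env, 0) == 0) {
++ start_exclusive();
++
+tb = tb_lookup__cpu_state(cpu, &pc, &cs_base, &flags, cf_mask);
+if (tb == NULL) {
+mmap_lock();
+@@ -247,8 +249,6 @@ void cpu_exec_step_atomic(CPUState *cpu)
+mmap_unlock();
+}
+
+- start_exclusive();
+-
+/* Since we got here, we know that parallel_cpus must be true. */
+parallel_cpus = false;
+cc->cpu_exec_enter(cpu);
+@@ -271,14 +271,15 @@ void cpu_exec_step_atomic(CPUState *cpu)
+qemu_plugin_disable_mem_helpers(cpu);
+}
+
+- if (cpu_in_exclusive_context(cpu)) {
+- /* We might longjump out of either the codegen or the
+- * execution, so must make sure we only end the exclusive
+- * region if we started it.
+- */
+- parallel_cpus = true;
+- end_exclusive();
+- }
++
++ /*
++ * As we start the exclusive region before codegen we must still
++ * be in the region if we longjump out of either the codegen or
++ * the execution.
++ */
++ g_assert(cpu_in_exclusive_context(cpu));
++ parallel_cpus = true;
++ end_exclusive();
+}
+
+struct tb_desc {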
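Review bot: With `start_exclusive()` moved ahead of `tb_lookup__cpu_state` (first hunk), `mmap_lock()` is now acquired inside the exclusive region, and nothing in the hunk states that ordering as an invariant; any path that takes `mmap_lock` and then enters an exclusive section would invert it. A comment at the new call makes the rule and the reason visible: `/* Enter the exclusive region before the TB lookup so a tb_flush cannot free the TB between lookup and execution; mmap_lock nests inside it. */`. The tail of `cpu_exec_step_atomic` now asserts `cpu_in_exclusive_context` instead of testing it, which holds only because `start_exclusive()` is the first statement of the `sigsetjmp` branch — worth saying in the new comment too. The function starts before the first hunk.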
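--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25085.patch
@@ -0,0 +1,46 @@
+From dfba99f17feb6d4a129da19d38df1bcd8579d1c3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Tue, 1 Sep 2020 15:22:06 +0200
+Subject: [PATCH] hw/sd/sdhci: Fix DMA Transfer Block Size field
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The 'Transfer Block Size' field is 12-bit wide.
+
+See section '2.2.2. Block Size Register (Offset 004h)' in datasheet.
+
+Two different bug reproducer available:
+- https://bugs.launchpad.net/qemu/+bug/1892960
+- https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fsdhci_oob_write1
+
+Cc: qemu-stable@nongnu.org
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Fixes: d7dfca0807a ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Message-Id: <20200901140411.112150-3-f4bug@amsat.org>
+
+Upstream-Status: Backport
+CVE: CVE-2020-25085
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/sd/sdhci.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-4.2.0/hw/sd/sdhci.c
+===================================================================
+--- qemu-4.2.0.orig/hw/sd/sdhci.c
++++ qemu-4.2.0/hw/sd/sdhci.c
+@@ -1129,7 +1129,7 @@ sdhci_write(void *opaque, hwaddr offset,
+break;
+case SDHC_BLKSIZE:
+if (!TRANSFERRING_DATA(s->prnsts)) {
+- MASKED_WRITE(s->blksize, mask, value);
++ MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
+MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
+}
+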
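Review bot: `extract32(value, 0, 12)` keeps only the Transfer Block Size field, so bits 14:12 of the Block Size register — the Host SDMA Buffer Boundary field in the SD Host Controller spec — are now dropped on write; if the SDMA code reads that field back from `s->blksize` (not visible here) this changes behaviour, and either way it deserves a comment such as `/* bits 11:0 only: block size; SDMA buffer boundary (14:12) is not modelled here */`. The unchanged `MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16)` looks fine, as Block Count is a full 16-bit register. The mask guards guest register writes only; if `blksize` can also arrive through the device's vmstate, that path should be checked for the same bound.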
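--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624_1.patch
@@ -0,0 +1,87 @@
+From fbec359e9279ce78908b9f2af2c264e7448336af Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Mon, 17 Feb 2020 12:48:10 -0800
+Subject: [PATCH] hw: usb: hcd-ohci: Move OHCISysBusState and TYPE_SYSBUS_OHCI
+to include file
+
+We need to be able to use OHCISysBusState outside hcd-ohci.c, so move it
+to its include file.
+
+Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Message-id: 20200217204812.9857-2-linux@roeck-us.net
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Upstream-Status: Backport
+CVE: CVE-2020-25624 patch #1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/usb/hcd-ohci.c | 15 ---------------
+hw/usb/hcd-ohci.h | 16 ++++++++++++++++
+2 files changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 8a94bd004a..1e6e85e86a 100644
+--- a/hw/usb/hcd-ohci.c
++++ b/hw/usb/hcd-ohci.c
+@@ -1870,21 +1870,6 @@ void ohci_sysbus_die(struct OHCIState *ohci)
+ohci_bus_stop(ohci);
+}
+
+-#define TYPE_SYSBUS_OHCI "sysbus-ohci"
+-#define SYSBUS_OHCI(obj) OBJECT_CHECK(OHCISysBusState, (obj), TYPE_SYSBUS_OHCI)
+-
+-typedef struct {
+- /*< private >*/
+- SysBusDevice parent_obj;
+- /*< public >*/
+-
+- OHCIState ohci;
+- char *masterbus;
+- uint32_t num_ports;
+- uint32_t firstport;
+- dma_addr_t dma_offset;
+-} OHCISysBusState;
+-
+static void ohci_realize_pxa(DeviceState *dev, Error **errp)
+{
+OHCISysBusState *s = SYSBUS_OHCI(dev);
+diff --git a/hw/usb/hcd-ohci.h b/hw/usb/hcd-ohci.h
+index 16e3f1e13a..5c8819aedf 100644
+--- a/hw/usb/hcd-ohci.h
++++ b/hw/usb/hcd-ohci.h
+@@ -22,6 +22,7 @@
+#define HCD_OHCI_H
+
+#include "sysemu/dma.h"
++#include "hw/usb.h"
+
+/* Number of Downstream Ports on the root hub: */
+#define OHCI_MAX_PORTS 15
+@@ -90,6 +91,21 @@ typedef struct OHCIState {
+void (*ohci_die)(struct OHCIState *ohci);
+} OHCIState;
+
++#define TYPE_SYSBUS_OHCI "sysbus-ohci"
++#define SYSBUS_OHCI(obj) OBJECT_CHECK(OHCISysBusState, (obj), TYPE_SYSBUS_OHCI)
++
++typedef struct {
++ /*< private >*/
++ SysBusDevice parent_obj;
++ /*< public >*/
++
++ OHCIState ohci;
++ char *masterbus;
++ uint32_t num_ports;
++ uint32_t firstport;
++ dma_addr_t dma_offset;
++} OHCISysBusState;
++
+extern const VMStateDescription vmstate_ohci_state;
+
+void usb_ohci_init(OHCIState *ohci, DeviceState *dev, uint32_t num_ports,
+--
+2.25.1
+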
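--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624_2.patch
@@ -0,0 +1,101 @@
+From 1328fe0c32d5474604105b8105310e944976b058 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 15 Sep 2020 23:52:58 +0530
+Subject: [PATCH] hw: usb: hcd-ohci: check len and frame_number variables
+
+While servicing the OHCI transfer descriptors(TD), OHCI host
+controller derives variables 'start_addr', 'end_addr', 'len'
+etc. from values supplied by the host controller driver.
+Host controller driver may supply values such that using
+above variables leads to out-of-bounds access issues.
+Add checks to avoid them.
+
+AddressSanitizer: stack-buffer-overflow on address 0x7ffd53af76a0
+READ of size 2 at 0x7ffd53af76a0 thread T0
+#0 ohci_service_iso_td ../hw/usb/hcd-ohci.c:734
+#1 ohci_service_ed_list ../hw/usb/hcd-ohci.c:1180
+#2 ohci_process_lists ../hw/usb/hcd-ohci.c:1214
+#3 ohci_frame_boundary ../hw/usb/hcd-ohci.c:1257
+#4 timerlist_run_timers ../util/qemu-timer.c:572
+#5 qemu_clock_run_timers ../util/qemu-timer.c:586
+#6 qemu_clock_run_all_timers ../util/qemu-timer.c:672
+#7 main_loop_wait ../util/main-loop.c:527
+#8 qemu_main_loop ../softmmu/vl.c:1676
+#9 main ../softmmu/main.c:50
+
+Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Reported-by: Yongkang Jia <j_kangel@163.com>
+Reported-by: Yi Ren <yunye.ry@alibaba-inc.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20200915182259.68522-2-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-25624 patch #2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/usb/hcd-ohci.c | 24 ++++++++++++++++++++++--
+1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 1e6e85e86a..9dc59101f9 100644
+--- a/hw/usb/hcd-ohci.c
++++ b/hw/usb/hcd-ohci.c
+@@ -731,7 +731,11 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+}
+
+start_offset = iso_td.offset[relative_frame_number];
+- next_offset = iso_td.offset[relative_frame_number + 1];
++ if (relative_frame_number < frame_count) {
++ next_offset = iso_td.offset[relative_frame_number + 1];
++ } else {
++ next_offset = iso_td.be;
++ }
+
+if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) ||
+((relative_frame_number < frame_count) &&
+@@ -764,7 +768,12 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+}
+} else {
+/* Last packet in the ISO TD */
+- end_addr = iso_td.be;
++ end_addr = next_offset;
++ }
++
++ if (start_addr > end_addr) {
++ trace_usb_ohci_iso_td_bad_cc_overrun(start_addr, end_addr);
++ return 1;
+}
+
+if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) {
+@@ -773,6 +782,9 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+} else {
+len = end_addr - start_addr + 1;
+}
++ if (len > sizeof(ohci->usb_buf)) {
++ len = sizeof(ohci->usb_buf);
++ }
+
+if (len && dir != OHCI_TD_DIR_IN) {
+if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len,
+@@ -975,8 +987,16 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
+if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) {
+len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff);
+} else {
++ if (td.cbp > td.be) {
++ trace_usb_ohci_iso_td_bad_cc_overrun(td.cbp, td.be);
++ ohci_die(ohci);
++ return 1;
++ }
+len = (td.be - td.cbp) + 1;
+}
++ if (len > sizeof(ohci->usb_buf)) {
++ len = sizeof(ohci->usb_buf);
++ }
+
+pktlen = len;
+if (len && dir != OHCI_TD_DIR_IN) {
+--
+2.25.1
+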
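Review bot: The two `len > sizeof(ohci->usb_buf)` clamps truncate a guest-supplied transfer silently, while the `cbp > be` cases a few lines above are traced; a guest-driven truncation is exactly the event a fuzzer or a host-side monitor wants to see, so trace it or at least explain it: `/* guest-supplied length exceeds the bounce buffer: clamp rather than overflow */`. The overrun handling also differs between the two functions — `ohci_service_iso_td` returns 1, `ohci_service_td` calls `ohci_die()` first — and the last hunk reuses `trace_usb_ohci_iso_td_bad_cc_overrun` for a non-ISO TD, which will mislead anyone reading the trace; if the difference is deliberate, say so in a comment. The comparison against `sizeof` is signed/unsigned if `len` is an `int`; the new checks make `len` non-negative on both branches, so it is safe, but that dependency is worth noting. Both functions extend beyond the hunks.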
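--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25625.patch
@@ -0,0 +1,42 @@
+From 1be90ebecc95b09a2ee5af3f60c412b45a766c4f Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 15 Sep 2020 23:52:59 +0530
+Subject: [PATCH] hw: usb: hcd-ohci: check for processed TD before retire
+
+While servicing OHCI transfer descriptors(TD), ohci_service_iso_td
+retires a TD if it has passed its time frame. It does not check if
+the TD was already processed once and holds an error code in TD_CC.
+It may happen if the TD list has a loop. Add check to avoid an
+infinite loop condition.
+
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Message-id: 20200915182259.68522-3-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-25625
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/usb/hcd-ohci.c | 4 ++++
+1 file changed, 4 insertions(+)
+
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 9dc59101f9..8b912e95d3 100644
+--- a/hw/usb/hcd-ohci.c
++++ b/hw/usb/hcd-ohci.c
+@@ -691,6 +691,10 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+the next ISO TD of the same ED */
+trace_usb_ohci_iso_td_relative_frame_number_big(relative_frame_number,
+frame_count);
++ if (OHCI_CC_DATAOVERRUN == OHCI_BM(iso_td.flags, TD_CC)) {
++ /* avoid infinite loop */
++ return 1;
++ }
+OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
+ed->head &= ~OHCI_DPTR_MASK;
+ed->head |= (iso_td.next & OHCI_DPTR_MASK);
+--
+2.25.1
+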
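Review bot: `/* avoid infinite loop */` does not say which loop or why checking `TD_CC` breaks it; the reason is only in the commit message, so put it at the check: `/* TD already retired with DATAOVERRUN: the TD list loops back to it, stop instead of re-retiring it forever */`. `OHCI_CC_DATAOVERRUN == OHCI_BM(iso_td.flags, TD_CC)` is a Yoda condition that QEMU code does not normally use; `OHCI_BM(iso_td.flags, TD_CC) == OHCI_CC_DATAOVERRUN` reads more naturally. `ohci_service_iso_td` continues outside the hunk.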
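--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-27617.patch
@@ -0,0 +1,49 @@
+From 7564bf7701f00214cdc8a678a9f7df765244def1 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 21 Oct 2020 11:35:50 +0530
+Subject: [PATCH] net: remove an assert call in eth_get_gso_type
+
+eth_get_gso_type() routine returns segmentation offload type based on
+L3 protocol type. It calls g_assert_not_reached if L3 protocol is
+unknown, making the following return statement unreachable. Remove the
+g_assert call, it maybe triggered by a guest user.
+
+Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upsteram-Status: Backport
+CVE: CVE-2020-27617
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+net/eth.c | 6 +++---
+1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/eth.c b/net/eth.c
+index 0c1d413ee2..1e0821c5f8 100644
+--- a/net/eth.c
++++ b/net/eth.c
+@@ -16,6 +16,7 @@
+*/
+
+#include "qemu/osdep.h"
++#include "qemu/log.h"
+#include "net/eth.h"
+#include "net/checksum.h"
+#include "net/tap.h"
+@@ -71,9 +72,8 @@ eth_get_gso_type(uint16_t l3_proto, uint8_t *l3_hdr, uint8_t l4proto)
+return VIRTIO_NET_HDR_GSO_TCPV6 | ecn_state;
+}
+}
+-
+- /* Unsupported offload */
+- g_assert_not_reached();
++ qemu_log_mask(LOG_UNIMP, "%s: probably not GSO frame, "
++ "unknown L3 protocol: 0x%04"PRIx16"\n", __func__, l3_proto);
+
+return VIRTIO_NET_HDR_GSO_NONE | ecn_state;
+}
+--
+2.25.1
+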
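Review bot: The metadata line reads `Upsteram-Status: Backport`, so anything that scans patch files for the `Upstream-Status:` tag will report this one as untagged; fix the spelling to `Upstream-Status: Backport`. In the code hunk the unknown-L3 case now logs under `LOG_UNIMP`, which is the mask for unimplemented emulation, while this is a guest-supplied frame the device cannot classify; `LOG_GUEST_ERROR` is what operators enable to watch for guest-triggered conditions, so consider that mask or note in a comment why UNIMP was chosen. `eth_get_gso_type` starts outside the hunk.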
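--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch
@@ -0,0 +1,73 @@
+From 15222d4636d742f3395fd211fad0cd7e36d9f43e Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 16 Aug 2022 10:07:01 +0530
+Subject: [PATCH] CVE-2020-27821
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=4bfb024bc76973d40a359476dc0291f46e435442]
+CVE: CVE-2020-27821
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+memory: clamp cached translation in case it points to an MMIO region
+
+In using the address_space_translate_internal API, address_space_cache_init
+forgot one piece of advice that can be found in the code for
+address_space_translate_internal:
+
+/* MMIO registers can be expected to perform full-width accesses based only
+* on their address, without considering adjacent registers that could
+* decode to completely different MemoryRegions. When such registers
+* exist (e.g. I/O ports 0xcf8 and 0xcf9 on most PC chipsets), MMIO
+* regions overlap wildly. For this reason we cannot clamp the accesses
+* here.
+*
+* If the length is small (as is the case for address_space_ldl/stl),
+* everything works fine. If the incoming length is large, however,
+* the caller really has to do the clamping through memory_access_size.
+*/
+
+address_space_cache_init is exactly one such case where "the incoming length
+is large", therefore we need to clamp the resulting length---not to
+memory_access_size though, since we are not doing an access yet, but to
+the size of the resulting section. This ensures that subsequent accesses
+to the cached MemoryRegionSection will be in range.
+
+With this patch, the enclosed testcase notices that the used ring does
+not fit into the MSI-X table and prints a "qemu-system-x86_64: Cannot map used"
+error.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+exec.c | 10 ++++++++++
+1 file changed, 10 insertions(+)
+
+diff --git a/exec.c b/exec.c
+index 2d6add46..1360051a 100644
+--- a/exec.c
++++ b/exec.c
+@@ -3632,6 +3632,7 @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
+AddressSpaceDispatch *d;
+hwaddr l;
+MemoryRegion *mr;
++ Int128 diff;
+
+assert(len > 0);
+
+@@ -3640,6 +3641,15 @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
+d = flatview_to_dispatch(cache->fv);
+cache->mrs = *address_space_translate_internal(d, addr, &cache->xlat, &l, true);
+
++ /*
++ * cache->xlat is now relative to cache->mrs.mr, not to the section itself.
++ * Take that into account to compute how many bytes are there between
++ * cache->xlat and the end of the section.
++ */
++ diff = int128_sub(cache->mrs.size,
++ int128_make64(cache->xlat - cache->mrs.offset_within_region));
++ l = int128_get64(int128_min(diff, int128_make64(l)));
++
+mr = cache->mrs.mr;
+memory_region_ref(mr);
+if (memory_access_is_direct(mr, is_write)) {
+--
+2.25.1
+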
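Review bot: After the clamp `l` may be shorter than the requested `len`, or zero when `cache->xlat` sits at the end of the section, and nothing in the hunk records that callers must compare what the function returns; the commit message says they do (the "Cannot map used" error), so state it where the value is produced: `/* l may now be shorter than len; callers must check the returned length */`. The subtraction `cache->xlat - cache->mrs.offset_within_region` is done in `hwaddr` before being widened, so it silently relies on `xlat >= offset_within_region` for the section `address_space_translate_internal` returns; if that is an invariant, an `assert` would document it more robustly than a comment. The return statement is outside the hunk.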
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-28916.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-28916.patch new file mode 100644 index 0000000000..756b1c1495 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-28916.patch | |||
@@ -0,0 +1,48 @@ | |||
1 | From c2cb511634012344e3d0fe49a037a33b12d8a98a Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Wed, 11 Nov 2020 18:36:36 +0530 | ||
4 | Subject: [PATCH] hw/net/e1000e: advance desc_offset in case of null descriptor | ||
5 | |||
6 | While receiving packets via e1000e_write_packet_to_guest() routine, | ||
7 | 'desc_offset' is advanced only when RX descriptor is processed. And | ||
8 | RX descriptor is not processed if it has NULL buffer address. | ||
9 | This may lead to an infinite loop condition. Increament 'desc_offset' | ||
10 | to process next descriptor in the ring to avoid infinite loop. | ||
11 | |||
12 | Reported-by: Cheol-woo Myung <330cjfdn@gmail.com> | ||
13 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
14 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
15 | |||
16 | Upstream-Status: Backport | ||
17 | CVE: CVE-2020-28916 | ||
18 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
19 | |||
20 | --- | ||
21 | hw/net/e1000e_core.c | 8 ++++---- | ||
22 | 1 file changed, 4 insertions(+), 4 deletions(-) | ||
23 | |||
24 | diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c | ||
25 | index d8b9e4b2f4..095c01ebc6 100644 | ||
26 | --- a/hw/net/e1000e_core.c | ||
27 | +++ b/hw/net/e1000e_core.c | ||
28 | @@ -1596,13 +1596,13 @@ e1000e_write_packet_to_guest(E1000ECore *core, struct NetRxPkt *pkt, | ||
29 | (const char *) &fcs_pad, e1000x_fcs_len(core->mac)); | ||
30 | } | ||
31 | } | ||
32 | - desc_offset += desc_size; | ||
33 | - if (desc_offset >= total_size) { | ||
34 | - is_last = true; | ||
35 | - } | ||
36 | } else { /* as per intel docs; skip descriptors with null buf addr */ | ||
37 | trace_e1000e_rx_null_descriptor(); | ||
38 | } | ||
39 | + desc_offset += desc_size; | ||
40 | + if (desc_offset >= total_size) { | ||
41 | + is_last = true; | ||
42 | + } | ||
43 | |||
44 | e1000e_write_rx_descr(core, desc, is_last ? core->rx_pkt : NULL, | ||
45 | rss_info, do_ps ? ps_hdr_len : 0, &bastate.written); | ||
46 | -- | ||
47 | 2.25.1 | ||
48 | |||
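Review bot: The `Upstream-Status: Backport` trailer carries no commit reference even though the upstream id is on the From line; for consistency with the other patches in this series and so the provenance is checkable, write it as `Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=c2cb511634012344e3d0fe49a037a33b12d8a98a]`. On the code, moving `desc_offset += desc_size;` out of the non-null branch is what bounds the loop, so the fix only terminates if `desc_size` can never be zero; the loop header and the computation of `desc_size` are outside the hunk, so that cannot be confirmed here and deserves a quick check against the 4.2 tree. Note also that a null descriptor now consumes `desc_size` bytes of the packet, so those bytes are dropped rather than delivered to the next descriptor — consistent with the in-line reading of the Intel docs, but worth one sentence in the backport header.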
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch new file mode 100644 index 0000000000..1528d5c2fd --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch | |||
@@ -0,0 +1,45 @@ | |||
1 | From 813212288970c39b1800f63e83ac6e96588095c6 Mon Sep 17 00:00:00 2001 | ||
2 | From: Paolo Bonzini <pbonzini@redhat.com> | ||
3 | Date: Tue, 1 Dec 2020 13:09:26 +0100 | ||
4 | Subject: [PATCH] ide: atapi: assert that the buffer pointer is in range | ||
5 | |||
6 | A case was reported where s->io_buffer_index can be out of range. | ||
7 | The report skimped on the details but it seems to be triggered | ||
8 | by s->lba == -1 on the READ/READ CD paths (e.g. by sending an | ||
9 | ATAPI command with LBA = 0xFFFFFFFF). For now paper over it | ||
10 | with assertions. The first one ensures that there is no overflow | ||
11 | when incrementing s->io_buffer_index, the second checks for the | ||
12 | buffer overrun. | ||
13 | |||
14 | Note that the buffer overrun is only a read, so I am not sure | ||
15 | if the assertion failure is actually less harmful than the overrun. | ||
16 | |||
17 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
18 | Message-id: 20201201120926.56559-1-pbonzini@redhat.com | ||
19 | Reviewed-by: Kevin Wolf <kwolf@redhat.com> | ||
20 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
21 | |||
22 | Upstream-Status: Backport | ||
23 | CVE: CVE-2020-29443 | ||
24 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
25 | |||
26 | --- | ||
27 | hw/ide/atapi.c | 2 ++ | ||
28 | 1 file changed, 2 insertions(+) | ||
29 | |||
30 | diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c | ||
31 | index 14a2b0bb2f..e79157863f 100644 | ||
32 | --- a/hw/ide/atapi.c | ||
33 | +++ b/hw/ide/atapi.c | ||
34 | @@ -276,6 +276,8 @@ void ide_atapi_cmd_reply_end(IDEState *s) | ||
35 | s->packet_transfer_size -= size; | ||
36 | s->elementary_transfer_size -= size; | ||
37 | s->io_buffer_index += size; | ||
38 | + assert(size <= s->io_buffer_total_len); | ||
39 | + assert(s->io_buffer_index <= s->io_buffer_total_len); | ||
40 | |||
41 | /* Some adapters process PIO data right away. In that case, we need | ||
42 | * to avoid mutual recursion between ide_transfer_start | ||
43 | -- | ||
44 | 2.25.1 | ||
45 | |||
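Review bot: The two added `assert()` calls turn a guest-controlled ATAPI READ with LBA 0xFFFFFFFF from an out-of-bounds read into an abort of the whole QEMU process (QEMU does not support building with NDEBUG as far as I know, so the asserts are always live), so a guest can still take the VM down; the commit message itself calls this a paper-over. For a layer that ships this as the CVE-2020-29443 fix, the header should say so, e.g. `Comment: mitigation only - converts the OOB read into an assertion failure; a range check of the LBA against the medium size before the transfer is still needed`, and the follow-up should be tracked. The asserts sit after `s->io_buffer_index += size;`, so the second one checks the post-increment value as intended, but `Upstream-Status: Backport` again lacks the commit reference that is already on the From line (`813212288970c39b1800f63e83ac6e96588095c6`).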
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35504.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35504.patch new file mode 100644 index 0000000000..97d32589d8 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-35504.patch | |||
@@ -0,0 +1,51 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From 0db895361b8a82e1114372ff9f4857abea605701 Mon Sep 17 00:00:00 2001 | ||
4 | From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> | ||
5 | Date: Wed, 7 Apr 2021 20:57:50 +0100 | ||
6 | Subject: [PATCH] esp: always check current_req is not NULL before use in DMA | ||
7 | callbacks | ||
8 | |||
9 | After issuing a SCSI command the SCSI layer can call the SCSIBusInfo .cancel | ||
10 | callback which resets both current_req and current_dev to NULL. If any data | ||
11 | is left in the transfer buffer (async_len != 0) then the next TI (Transfer | ||
12 | Information) command will attempt to reference the NULL pointer causing a | ||
13 | segfault. | ||
14 | |||
15 | Buglink: https://bugs.launchpad.net/qemu/+bug/1910723 | ||
16 | Buglink: https://bugs.launchpad.net/qemu/+bug/1909247 | ||
17 | Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> | ||
18 | Tested-by: Alexander Bulekov <alxndr@bu.edu> | ||
19 | Message-Id: <20210407195801.685-2-mark.cave-ayland@ilande.co.uk> | ||
20 | |||
21 | CVE: CVE-2020-35504 | ||
22 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-35504.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/0db895361b8a82e1114372ff9f4857abea605701 ] | ||
23 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
24 | --- | ||
25 | hw/scsi/esp.c | 19 ++++++++++++++----- | ||
26 | 1 file changed, 14 insertions(+), 5 deletions(-) | ||
27 | |||
28 | --- a/hw/scsi/esp.c | ||
29 | +++ b/hw/scsi/esp.c | ||
30 | @@ -362,6 +362,11 @@ static void do_dma_pdma_cb(ESPState *s) | ||
31 | do_cmd(s, s->cmdbuf); | ||
32 | return; | ||
33 | } | ||
34 | + | ||
35 | + if (!s->current_req) { | ||
36 | + return; | ||
37 | + } | ||
38 | + | ||
39 | s->dma_left -= len; | ||
40 | s->async_buf += len; | ||
41 | s->async_len -= len; | ||
42 | @@ -415,6 +420,9 @@ static void esp_do_dma(ESPState *s) | ||
43 | do_cmd(s, s->cmdbuf); | ||
44 | return; | ||
45 | } | ||
46 | + if (!s->current_req) { | ||
47 | + return; | ||
48 | + } | ||
49 | if (s->async_len == 0) { | ||
50 | /* Defer until data is available. */ | ||
51 | return; | ||
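Review bot: The diffstat carried over from upstream (`19 ++++++++++++++-----`, `14 insertions(+), 5 deletions(-)`) does not match what this file applies: the two hunks add 8 lines and delete none, so part of the upstream commit was dropped in the backport. That may be legitimate for 4.2 (the dropped hunks may touch code that does not exist there), but the header should say which hunks were omitted and why, and the diffstat should be regenerated, otherwise the next person auditing CVE-2020-35504 coverage has to redo the comparison. Since the bug is a NULL `current_req` after the SCSI layer's `.cancel` callback, that audit should also confirm no other 4.2 path dereferences `s->current_req` after a cancel without a guard — `do_dma_pdma_cb` and `esp_do_dma` both start outside the hunk and only these two sites are visible.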
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch new file mode 100644 index 0000000000..40c0b1e74f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch | |||
@@ -0,0 +1,45 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From 99545751734035b76bd372c4e7215bb337428d89 Mon Sep 17 00:00:00 2001 | ||
4 | From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> | ||
5 | Date: Wed, 7 Apr 2021 20:57:55 +0100 | ||
6 | Subject: [PATCH] esp: ensure cmdfifo is not empty and current_dev is non-NULL | ||
7 | MIME-Version: 1.0 | ||
8 | Content-Type: text/plain; charset=utf8 | ||
9 | Content-Transfer-Encoding: 8bit | ||
10 | |||
11 | When about to execute a SCSI command, ensure that cmdfifo is not empty and | ||
12 | current_dev is non-NULL. This can happen if the guest tries to execute a TI | ||
13 | (Transfer Information) command without issuing one of the select commands | ||
14 | first. | ||
15 | |||
16 | Buglink: https://bugs.launchpad.net/qemu/+bug/1910723 | ||
17 | Buglink: https://bugs.launchpad.net/qemu/+bug/1909247 | ||
18 | Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> | ||
19 | Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
20 | Tested-by: Alexander Bulekov <alxndr@bu.edu> | ||
21 | Message-Id: <20210407195801.685-7-mark.cave-ayland@ilande.co.uk> | ||
22 | |||
23 | CVE: CVE-2020-35505 | ||
24 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-35505.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/99545751734035b76bd372c4e7215bb337428d89 ] | ||
25 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
26 | Signed-off-by: Emily Vekariya <emily.vekariya@einfochips.com> | ||
27 | --- | ||
28 | hw/scsi/esp.c | 4 ++++ | ||
29 | 1 file changed, 4 insertions(+) | ||
30 | |||
31 | diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c | ||
32 | index c7d701bf..c2a67bc8 100644 | ||
33 | --- a/hw/scsi/esp.c | ||
34 | +++ b/hw/scsi/esp.c | ||
35 | @@ -193,6 +193,10 @@ static void do_busid_cmd(ESPState *s, uint8_t *buf, uint8_t busid) | ||
36 | |||
37 | trace_esp_do_busid_cmd(busid); | ||
38 | lun = busid & 7; | ||
39 | + | ||
40 | + if (!s->current_dev) { | ||
41 | + return; | ||
42 | + } | ||
43 | current_lun = scsi_device_find(&s->bus, 0, s->current_dev->id, lun); | ||
44 | s->current_req = scsi_req_new(current_lun, 0, lun, buf, s); | ||
45 | datalen = scsi_req_enqueue(s->current_req); | ||
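Review bot: The guard `if (!s->current_dev) return;` covers the NULL-dereference half of the subject line, but the "cmdfifo is not empty" half has no visible counterpart: in 4.2 `do_busid_cmd` receives the raw `uint8_t *buf` (the hunk shows the `uint8_t *buf, uint8_t busid` signature), and nothing here checks that the command length is non-zero before `scsi_req_new(current_lun, 0, lun, buf, s)`. Either note in the header that 4.2 has no cmdfifo and the length check is covered by the caller, or verify the caller and, if it is not, guard it at the same spot. Silently returning also leaves the controller with no status or interrupt update for the guest; that matches upstream, but a trace point at the early return (the file already uses `trace_esp_do_busid_cmd`) would help when diagnosing a guest that hangs on a TI without a prior select — hedged, since the trace events available in 4.2 are not visible here.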
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch new file mode 100644 index 0000000000..1b8c77f838 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch | |||
@@ -0,0 +1,81 @@ | |||
1 | From c2d2d14e8deece958bbc4fc649d22c3564bc4e7e Mon Sep 17 00:00:00 2001 | ||
2 | From: Greg Kurz <groug@kaod.org> | ||
3 | Date: Thu, 14 Jan 2021 17:04:12 +0100 | ||
4 | Subject: [PATCH] 9pfs: Fully restart unreclaim loop (CVE-2021-20181) | ||
5 | |||
6 | Depending on the client activity, the server can be asked to open a huge | ||
7 | number of file descriptors and eventually hit RLIMIT_NOFILE. This is | ||
8 | currently mitigated using a reclaim logic : the server closes the file | ||
9 | descriptors of idle fids, based on the assumption that it will be able | ||
10 | to re-open them later. This assumption doesn't hold of course if the | ||
11 | client requests the file to be unlinked. In this case, we loop on the | ||
12 | entire fid list and mark all related fids as unreclaimable (the reclaim | ||
13 | logic will just ignore them) and, of course, we open or re-open their | ||
14 | file descriptors if needed since we're about to unlink the file. | ||
15 | |||
16 | This is the purpose of v9fs_mark_fids_unreclaim(). Since the actual | ||
17 | opening of a file can cause the coroutine to yield, another client | ||
18 | request could possibly add a new fid that we may want to mark as | ||
19 | non-reclaimable as well. The loop is thus restarted if the re-open | ||
20 | request was actually transmitted to the backend. This is achieved | ||
21 | by keeping a reference on the first fid (head) before traversing | ||
22 | the list. | ||
23 | |||
24 | This is wrong in several ways: | ||
25 | - a potential clunk request from the client could tear the first | ||
26 | fid down and cause the reference to be stale. This leads to a | ||
27 | use-after-free error that can be detected with ASAN, using a | ||
28 | custom 9p client | ||
29 | - fids are added at the head of the list : restarting from the | ||
30 | previous head will always miss fids added by a some other | ||
31 | potential request | ||
32 | |||
33 | All these problems could be avoided if fids were being added at the | ||
34 | end of the list. This can be achieved with a QSIMPLEQ, but this is | ||
35 | probably too much change for a bug fix. For now let's keep it | ||
36 | simple and just restart the loop from the current head. | ||
37 | |||
38 | Fixes: CVE-2021-20181 | ||
39 | Buglink: https://bugs.launchpad.net/qemu/+bug/1911666 | ||
40 | Reported-by: Zero Day Initiative <zdi-disclosures@trendmicro.com> | ||
41 | Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com> | ||
42 | Reviewed-by: Stefano Stabellini <sstabellini@kernel.org> | ||
43 | Message-Id: <161064025265.1838153.15185571283519390907.stgit@bahia.lan> | ||
44 | Signed-off-by: Greg Kurz <groug@kaod.org> | ||
45 | |||
46 | Upstream-Status: Backport [89fbea8737e8f7b954745a1ffc4238d377055305] | ||
47 | CVE: CVE-2021-20181 | ||
48 | |||
49 | Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> | ||
50 | --- | ||
51 | hw/9pfs/9p.c | 6 +++--- | ||
52 | 1 file changed, 3 insertions(+), 3 deletions(-) | ||
53 | |||
54 | diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c | ||
55 | index 94df440fc..6026b51a1 100644 | ||
56 | --- a/hw/9pfs/9p.c | ||
57 | +++ b/hw/9pfs/9p.c | ||
58 | @@ -502,9 +502,9 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path) | ||
59 | { | ||
60 | int err; | ||
61 | V9fsState *s = pdu->s; | ||
62 | - V9fsFidState *fidp, head_fid; | ||
63 | + V9fsFidState *fidp; | ||
64 | |||
65 | - head_fid.next = s->fid_list; | ||
66 | +again: | ||
67 | for (fidp = s->fid_list; fidp; fidp = fidp->next) { | ||
68 | if (fidp->path.size != path->size) { | ||
69 | continue; | ||
70 | @@ -524,7 +524,7 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path) | ||
71 | * switched to the worker thread | ||
72 | */ | ||
73 | if (err == 0) { | ||
74 | - fidp = &head_fid; | ||
75 | + goto again; | ||
76 | } | ||
77 | } | ||
78 | } | ||
79 | -- | ||
80 | 2.29.2 | ||
81 | |||
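Review bot: The From line names commit `c2d2d14e8deece958bbc4fc649d22c3564bc4e7e` while `Upstream-Status: Backport [89fbea8737e8f7b954745a1ffc4238d377055305]` names a different one, so the provenance is ambiguous; state which is the upstream master commit and which the stable cherry-pick, or drop the one that is not upstream. On the fix, `goto again` restarts from the current `s->fid_list` head, which removes the stale `head_fid` reference, but termination now relies on each already-handled fid being marked unreclaimable before the reopen so the restart skips it — that marking lies between the two hunks and is not visible here, so confirm it precedes the yield. A client that keeps creating fids for the same path during the walk can presumably keep the loop restarting; that is not a crash, but it is guest-driven work per restart and worth a sentence in the header if it was considered.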
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch new file mode 100644 index 0000000000..e9b815740f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch | |||
@@ -0,0 +1,62 @@ | |||
1 | From 94608c59045791dfd35102bc59b792e96f2cfa30 Mon Sep 17 00:00:00 2001 | ||
2 | From: Vivek Kumbhar <vkumbhar@mvista.com> | ||
3 | Date: Tue, 29 Nov 2022 15:57:13 +0530 | ||
4 | Subject: [PATCH] CVE-2021-20196 | ||
5 | |||
6 | Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/1ab95af033a419e7a64e2d58e67dd96b20af5233] | ||
7 | CVE: CVE-2021-20196 | ||
8 | Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> | ||
9 | |||
10 | hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196 | ||
11 | |||
12 | Guest might select another drive on the bus by setting the | ||
13 | DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR). | ||
14 | The current controller model doesn't expect a BlockBackend | ||
15 | to be NULL. A simple way to fix CVE-2021-20196 is to create | ||
16 | an empty BlockBackend when it is missing. All further | ||
17 | accesses will be safely handled, and the controller state | ||
18 | machines keep behaving correctly. | ||
19 | --- | ||
20 | hw/block/fdc.c | 19 ++++++++++++++++++- | ||
21 | 1 file changed, 18 insertions(+), 1 deletion(-) | ||
22 | |||
23 | diff --git a/hw/block/fdc.c b/hw/block/fdc.c | ||
24 | index ac5d31e8..e128e975 100644 | ||
25 | --- a/hw/block/fdc.c | ||
26 | +++ b/hw/block/fdc.c | ||
27 | @@ -58,6 +58,11 @@ | ||
28 | } \ | ||
29 | } while (0) | ||
30 | |||
31 | +/* Anonymous BlockBackend for empty drive */ | ||
32 | +static BlockBackend *blk_create_empty_drive(void) | ||
33 | +{ | ||
34 | + return blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL); | ||
35 | +} | ||
36 | |||
37 | /********************************************************/ | ||
38 | /* qdev floppy bus */ | ||
39 | @@ -1356,7 +1361,19 @@ static FDrive *get_drv(FDCtrl *fdctrl, int unit) | ||
40 | |||
41 | static FDrive *get_cur_drv(FDCtrl *fdctrl) | ||
42 | { | ||
43 | - return get_drv(fdctrl, fdctrl->cur_drv); | ||
44 | + FDrive *cur_drv = get_drv(fdctrl, fdctrl->cur_drv); | ||
45 | + | ||
46 | + if (!cur_drv->blk) { | ||
47 | + /* | ||
48 | + * Kludge: empty drive line selected. Create an anonymous | ||
49 | + * BlockBackend to avoid NULL deref with various BlockBackend | ||
50 | + * API calls within this model (CVE-2021-20196). | ||
51 | + * Due to the controller QOM model limitations, we don't | ||
52 | + * attach the created to the controller device. | ||
53 | + */ | ||
54 | + cur_drv->blk = blk_create_empty_drive(); | ||
55 | + } | ||
56 | + return cur_drv; | ||
57 | } | ||
58 | |||
59 | /* Status A register : 0x00 (read-only) */ | ||
60 | -- | ||
61 | 2.25.1 | ||
62 | |||
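Review bot: The patch header drops the upstream author and trailers: the From line is the backporter, the Subject is just the CVE id, and the original `Signed-off-by`/`Reviewed-by` lines are gone even though the body text is the upstream commit message. Keep the upstream `From:` (the author of the commit referenced in `Upstream-Status`) and its trailers, and put the backport note after them, so attribution survives. On the code, `cur_drv->blk = blk_create_empty_drive();` is created lazily and never released — nothing here calls `blk_unref()` on unrealize or reset — so each selected-but-empty drive line leaks one BlockBackend for the controller's lifetime; it is bounded (one per drive slot) and is how upstream did it, but worth stating as a known kludge in the header, as the in-code comment already does.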
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch new file mode 100644 index 0000000000..31440af0bd --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch | |||
@@ -0,0 +1,74 @@ | |||
1 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
2 | |||
3 | While activating device in vmxnet3_acticate_device(), it does not | ||
4 | validate guest supplied configuration values against predefined | ||
5 | minimum - maximum limits. This may lead to integer overflow or | ||
6 | OOB access issues. Add checks to avoid it. | ||
7 | |||
8 | Fixes: CVE-2021-20203 | ||
9 | Buglink: https://bugs.launchpad.net/qemu/+bug/1913873 | ||
10 | Reported-by: Gaoning Pan <pgn@zju.edu.cn> | ||
11 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
12 | |||
13 | Upstream-Status: Acepted [https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg07935.html] | ||
14 | CVE: CVE-2021-20203 | ||
15 | Signed-off-by: Minjae Kim <flowergom@gmail.com> | ||
16 | --- | ||
17 | hw/net/vmxnet3.c | 13 +++++++++++++ | ||
18 | 1 file changed, 13 insertions(+) | ||
19 | |||
20 | diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c | ||
21 | index eff299f629..4a910ca971 100644 | ||
22 | --- a/hw/net/vmxnet3.c | ||
23 | +++ b/hw/net/vmxnet3.c | ||
24 | @@ -1420,6 +1420,7 @@ static void vmxnet3_activate_device(VMXNET3State *s) | ||
25 | vmxnet3_setup_rx_filtering(s); | ||
26 | /* Cache fields from shared memory */ | ||
27 | s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu); | ||
28 | + assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU); | ||
29 | VMW_CFPRN("MTU is %u", s->mtu); | ||
30 | |||
31 | s->max_rx_frags = | ||
32 | @@ -1473,6 +1474,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) | ||
33 | /* Read rings memory locations for TX queues */ | ||
34 | pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA); | ||
35 | size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize); | ||
36 | + if (size > VMXNET3_TX_RING_MAX_SIZE) { | ||
37 | + size = VMXNET3_TX_RING_MAX_SIZE; | ||
38 | + } | ||
39 | |||
40 | vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size, | ||
41 | sizeof(struct Vmxnet3_TxDesc), false); | ||
42 | @@ -1483,6 +1487,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) | ||
43 | /* TXC ring */ | ||
44 | pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA); | ||
45 | size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize); | ||
46 | + if (size > VMXNET3_TC_RING_MAX_SIZE) { | ||
47 | + size = VMXNET3_TC_RING_MAX_SIZE; | ||
48 | + } | ||
49 | vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size, | ||
50 | sizeof(struct Vmxnet3_TxCompDesc), true); | ||
51 | VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring); | ||
52 | @@ -1524,6 +1531,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) | ||
53 | /* RX rings */ | ||
54 | pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]); | ||
55 | size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]); | ||
56 | + if (size > VMXNET3_RX_RING_MAX_SIZE) { | ||
57 | + size = VMXNET3_RX_RING_MAX_SIZE; | ||
58 | + } | ||
59 | vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size, | ||
60 | sizeof(struct Vmxnet3_RxDesc), false); | ||
61 | VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d", | ||
62 | @@ -1533,6 +1543,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) | ||
63 | /* RXC ring */ | ||
64 | pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA); | ||
65 | size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize); | ||
66 | + if (size > VMXNET3_RC_RING_MAX_SIZE) { | ||
67 | + size = VMXNET3_RC_RING_MAX_SIZE; | ||
68 | + } | ||
69 | vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size, | ||
70 | sizeof(struct Vmxnet3_RxCompDesc), true); | ||
71 | VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size); | ||
72 | -- | ||
73 | 2.29.2 | ||
74 | |||
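Review bot: `assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU)` makes a guest-supplied MTU abort QEMU, which is a guest-to-host DoS, while the four ring-size checks below it clamp silently — the two should be handled the same way, e.g. refuse activation and log via the existing `VMW_CFPRN`-style print macros rather than assert. The strict `<` also looks off: if `VMXNET3_MAX_MTU` is the largest legal value (the Linux driver advertises 9000 as max_mtu, and the ring checks accept their maximum), a guest configuring exactly that MTU is rejected; `s->mtu <= VMXNET3_MAX_MTU` would be consistent, so verify against the definition in vmxnet3.h. Finally, `Upstream-Status: Acepted [...]` has a typo (`Accepted`) and points at the mailing-list post rather than the merged commit; once merged, reference the commit so the diff against what upstream actually took can be checked.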
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch new file mode 100644 index 0000000000..46c9ab4184 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch | |||
@@ -0,0 +1,67 @@ | |||
1 | From edfe2eb4360cde4ed5d95bda7777edcb3510f76a Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org> | ||
3 | Date: Sun, 31 Jan 2021 11:34:01 +0100 | ||
4 | Subject: [PATCH] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | Per the ARM Generic Interrupt Controller Architecture specification | ||
10 | (document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit, | ||
11 | not 10: | ||
12 | |||
13 | - 4.3 Distributor register descriptions | ||
14 | - 4.3.15 Software Generated Interrupt Register, GICD_SG | ||
15 | |||
16 | - Table 4-21 GICD_SGIR bit assignments | ||
17 | |||
18 | The Interrupt ID of the SGI to forward to the specified CPU | ||
19 | interfaces. The value of this field is the Interrupt ID, in | ||
20 | the range 0-15, for example a value of 0b0011 specifies | ||
21 | Interrupt ID 3. | ||
22 | |||
23 | Correct the irq mask to fix an undefined behavior (which eventually | ||
24 | lead to a heap-buffer-overflow, see [Buglink]): | ||
25 | |||
26 | $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio | ||
27 | [I 1612088147.116987] OPENED | ||
28 | [R +0.278293] writel 0x8000f00 0xff4affb0 | ||
29 | ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]' | ||
30 | SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13 | ||
31 | |||
32 | This fixes a security issue when running with KVM on Arm with | ||
33 | kernel-irqchip=off. (The default is kernel-irqchip=on, which is | ||
34 | unaffected, and which is also the correct choice for performance.) | ||
35 | |||
36 | Cc: qemu-stable@nongnu.org | ||
37 | Fixes: CVE-2021-20221 | ||
38 | Fixes: 9ee6e8bb853 ("ARMv7 support.") | ||
39 | Buglink: https://bugs.launchpad.net/qemu/+bug/1913916 | ||
40 | Buglink: https://bugs.launchpad.net/qemu/+bug/1913917 | ||
41 | Reported-by: Alexander Bulekov <alxndr@bu.edu> | ||
42 | Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
43 | Message-id: 20210131103401.217160-1-f4bug@amsat.org | ||
44 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
45 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
46 | |||
47 | Upstream-Status: Backport | ||
48 | CVE: CVE-2021-20221 | ||
49 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
50 | |||
51 | --- | ||
52 | hw/intc/arm_gic.c | 2 +- | ||
53 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
54 | |||
55 | Index: qemu-4.2.0/hw/intc/arm_gic.c | ||
56 | =================================================================== | ||
57 | --- qemu-4.2.0.orig/hw/intc/arm_gic.c | ||
58 | +++ qemu-4.2.0/hw/intc/arm_gic.c | ||
59 | @@ -1455,7 +1455,7 @@ static void gic_dist_writel(void *opaque | ||
60 | int target_cpu; | ||
61 | |||
62 | cpu = gic_get_current_cpu(s); | ||
63 | - irq = value & 0x3ff; | ||
64 | + irq = value & 0xf; | ||
65 | switch ((value >> 24) & 3) { | ||
66 | case 0: | ||
67 | mask = (value >> 16) & ALL_CPU_MASK; | ||
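Review bot: The mask change `irq = value & 0xf;` is the whole fix and matches the GICD_SGIR SGIINTID field width quoted in the message; the only thing missing is the commit reference on `Upstream-Status: Backport`, which the other patches in this series carry — add `[edfe2eb4360cde4ed5d95bda7777edcb3510f76a]`. For the layer's CVE notes, the message scopes the security impact to KVM with `kernel-irqchip=off`, but the reproducer uses `accel=qtest` and the same out-of-range index appears reachable under TCG, which QEMU simply does not treat as a security boundary, so the patch is still wanted for all targets built here, not just KVM-capable ones. The `switch` below the change continues outside the hunk.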
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch new file mode 100644 index 0000000000..7175b24e99 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch | |||
@@ -0,0 +1,55 @@ | |||
1 | From affdf476543405045c281a7c67d1eaedbcea8135 Mon Sep 17 00:00:00 2001 | ||
2 | From: Jason Wang <jasowang@redhat.com> | ||
3 | Date: Wed, 24 Feb 2021 13:45:28 +0800 | ||
4 | Subject: [PATCH] e1000: fail early for evil descriptor | ||
5 | |||
6 | During procss_tx_desc(), driver can try to chain data descriptor with | ||
7 | legacy descriptor, when will lead underflow for the following | ||
8 | calculation in process_tx_desc() for bytes: | ||
9 | |||
10 | if (tp->size + bytes > msh) | ||
11 | bytes = msh - tp->size; | ||
12 | |||
13 | This will lead a infinite loop. So check and fail early if tp->size if | ||
14 | greater or equal to msh. | ||
15 | |||
16 | Reported-by: Alexander Bulekov <alxndr@bu.edu> | ||
17 | Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr> | ||
18 | Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de> | ||
19 | Cc: Prasad J Pandit <ppandit@redhat.com> | ||
20 | Cc: qemu-stable@nongnu.org | ||
21 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
22 | |||
23 | Upstream-Status: Backport [3de46e6fc489c52c9431a8a832ad8170a7569bd8] | ||
24 | CVE: CVE-2021-20257 | ||
25 | |||
26 | Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> | ||
27 | --- | ||
28 | hw/net/e1000.c | 4 ++++ | ||
29 | 1 file changed, 4 insertions(+) | ||
30 | |||
31 | diff --git a/hw/net/e1000.c b/hw/net/e1000.c | ||
32 | index cf22c4f07..c3564c7ce 100644 | ||
33 | --- a/hw/net/e1000.c | ||
34 | +++ b/hw/net/e1000.c | ||
35 | @@ -670,6 +670,9 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) | ||
36 | msh = tp->tso_props.hdr_len + tp->tso_props.mss; | ||
37 | do { | ||
38 | bytes = split_size; | ||
39 | + if (tp->size >= msh) { | ||
40 | + goto eop; | ||
41 | + } | ||
42 | if (tp->size + bytes > msh) | ||
43 | bytes = msh - tp->size; | ||
44 | |||
45 | @@ -695,6 +698,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) | ||
46 | tp->size += split_size; | ||
47 | } | ||
48 | |||
49 | +eop: | ||
50 | if (!(txd_lower & E1000_TXD_CMD_EOP)) | ||
51 | return; | ||
52 | if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) { | ||
53 | -- | ||
54 | 2.29.2 | ||
55 | |||
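Review bot: The From line names `affdf476543405045c281a7c67d1eaedbcea8135` while `Upstream-Status: Backport [3de46e6fc489c52c9431a8a832ad8170a7569bd8]` names a different commit; as with the other backports in this series, say which is master and which is the stable cherry-pick. On the code, `if (tp->size >= msh) goto eop;` correctly prevents the `msh - tp->size` underflow, but the jump drops the rest of this descriptor's payload without any indication, so a guest that mixes legacy and data descriptors sees the frame silently truncated. That is upstream's choice and acceptable for a malformed ring, but a one-line comment at the check, `/* guest chained a data descriptor onto an oversized legacy one: drop the rest (CVE-2021-20257) */`, would save the next reader from re-deriving why the check has to live inside the loop. The `do` loop's condition is outside the hunk.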
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch new file mode 100644 index 0000000000..45b8a4f1dd --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch | |||
@@ -0,0 +1,92 @@ | |||
1 | From 3791642c8d60029adf9b00bcb4e34d7d8a1aea4d Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael Tokarev <mjt@tls.msk.ru> | ||
3 | Date: Mon, 19 Apr 2021 15:42:47 +0200 | ||
4 | Subject: [PATCH] mptsas: Remove unused MPTSASState 'pending' field | ||
5 | (CVE-2021-3392) | ||
6 | MIME-Version: 1.0 | ||
7 | Content-Type: text/plain; charset=utf8 | ||
8 | Content-Transfer-Encoding: 8bit | ||
9 | |||
10 | While processing SCSI i/o requests in mptsas_process_scsi_io_request(), | ||
11 | the Megaraid emulator appends new MPTSASRequest object 'req' to | ||
12 | the 's->pending' queue. In case of an error, this same object gets | ||
13 | dequeued in mptsas_free_request() only if SCSIRequest object | ||
14 | 'req->sreq' is initialised. This may lead to a use-after-free issue. | ||
15 | |||
16 | Since s->pending is actually not used, simply remove it from | ||
17 | MPTSASState. | ||
18 | |||
19 | Cc: qemu-stable@nongnu.org | ||
20 | Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | ||
21 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
22 | Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
23 | Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr> | ||
24 | Message-id: 20210419134247.1467982-1-f4bug@amsat.org | ||
25 | Message-Id: <20210416102243.1293871-1-mjt@msgid.tls.msk.ru> | ||
26 | Suggested-by: Paolo Bonzini <pbonzini@redhat.com> | ||
27 | Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr> | ||
28 | BugLink: https://bugs.launchpad.net/qemu/+bug/1914236 (CVE-2021-3392) | ||
29 | Fixes: e351b826112 ("hw: Add support for LSI SAS1068 (mptsas) device") | ||
30 | [PMD: Reworded description, added more tags] | ||
31 | Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
32 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
33 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
34 | |||
35 | Upstream-Status: Backport [ https://git.qemu.org/?p=qemu.git;a=commit;h=3791642c8d60029adf9b00bcb4e34d7d8a1aea4d ] | ||
36 | CVE: CVE-2021-3392 | ||
37 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
38 | --- | ||
39 | hw/scsi/mptsas.c | 6 ------ | ||
40 | hw/scsi/mptsas.h | 1 - | ||
41 | 2 files changed, 7 deletions(-) | ||
42 | |||
43 | diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c | ||
44 | index 7416e78..db3219e 100644 | ||
45 | --- a/hw/scsi/mptsas.c | ||
46 | +++ b/hw/scsi/mptsas.c | ||
47 | @@ -251,13 +251,10 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr) | ||
48 | |||
49 | static void mptsas_free_request(MPTSASRequest *req) | ||
50 | { | ||
51 | - MPTSASState *s = req->dev; | ||
52 | - | ||
53 | if (req->sreq != NULL) { | ||
54 | req->sreq->hba_private = NULL; | ||
55 | scsi_req_unref(req->sreq); | ||
56 | req->sreq = NULL; | ||
57 | - QTAILQ_REMOVE(&s->pending, req, next); | ||
58 | } | ||
59 | qemu_sglist_destroy(&req->qsg); | ||
60 | g_free(req); | ||
61 | @@ -303,7 +300,6 @@ static int mptsas_process_scsi_io_request(MPTSASState *s, | ||
62 | } | ||
63 | |||
64 | req = g_new0(MPTSASRequest, 1); | ||
65 | - QTAILQ_INSERT_TAIL(&s->pending, req, next); | ||
66 | req->scsi_io = *scsi_io; | ||
67 | req->dev = s; | ||
68 | |||
69 | @@ -1319,8 +1315,6 @@ static void mptsas_scsi_realize(PCIDevice *dev, Error **errp) | ||
70 | |||
71 | s->request_bh = qemu_bh_new(mptsas_fetch_requests, s); | ||
72 | |||
73 | - QTAILQ_INIT(&s->pending); | ||
74 | - | ||
75 | scsi_bus_new(&s->bus, sizeof(s->bus), &dev->qdev, &mptsas_scsi_info, NULL); | ||
76 | } | ||
77 | |||
78 | diff --git a/hw/scsi/mptsas.h b/hw/scsi/mptsas.h | ||
79 | index b85ac1a..c046497 100644 | ||
80 | --- a/hw/scsi/mptsas.h | ||
81 | +++ b/hw/scsi/mptsas.h | ||
82 | @@ -79,7 +79,6 @@ struct MPTSASState { | ||
83 | uint16_t reply_frame_size; | ||
84 | |||
85 | SCSIBus bus; | ||
86 | - QTAILQ_HEAD(, MPTSASRequest) pending; | ||
87 | }; | ||
88 | |||
89 | void mptsas_fix_scsi_io_endianness(MPIMsgSCSIIORequest *req); | ||
90 | -- | ||
91 | 1.8.3.1 | ||
92 | |||
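Review bot: Removing `s->pending` fixes the use-after-free (a request freed on the error path while still linked), but if `MPTSASRequest` still carries a `QTAILQ_ENTRY(MPTSASRequest) next;` member in mptsas.h — the hunk only removes the list head — that field is now dead and invites someone to re-add a list with the same bug; drop it in the same patch or note why it stays. `req->dev = s;` is kept while `mptsas_free_request` lost its only visible reader of `req->dev`, so verify that `dev` is still used elsewhere, otherwise it is dead too. The patch also carries duplicated `Reported-by`/`Signed-off-by` trailers from upstream; harmless, but they can be deduplicated in the backport header.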
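--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-1.patch
@@ -0,0 +1,85 @@
+From b263d8f928001b5cfa2a993ea43b7a5b3a1811e8 Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:35 +0800
+Subject: [PATCH] hw/sd: sdhci: Don't transfer any data when command time out
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+At the end of sdhci_send_command(), it starts a data transfer if the
+command register indicates data is associated. But the data transfer
+should only be initiated when the command execution has succeeded.
+
+With this fix, the following reproducer:
+
+outl 0xcf8 0x80001810
+outl 0xcfc 0xe1068000
+outl 0xcf8 0x80001804
+outw 0xcfc 0x7
+write 0xe106802c 0x1 0x0f
+write 0xe1068004 0xc 0x2801d10101fffffbff28a384
+write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f
+write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576
+write 0xe1068003 0x1 0xfe
+
+cannot be reproduced with the following QEMU command line:
+
+$ qemu-system-x86_64 -nographic -M pc-q35-5.0 \
+-device sdhci-pci,sd-spec-version=3 \
+-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+-device sd-card,drive=mydrive \
+-monitor none -serial none -qtest stdio
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Acked-by: Alistair Francis <alistair.francis@wdc.com>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-2-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+CVE: CVE-2021-3409 CVE-2020-17380
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-1.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/b263d8f928001b5cfa2a993ea43b7a5b3a1811e8 ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+hw/sd/sdhci.c | 4 +++-
+1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -316,6 +316,7 @@ static void sdhci_send_command(SDHCIStat
+SDRequest request;
+uint8_t response[16];
+int rlen;
++ bool timeout = false;
+
+s->errintsts = 0;
+s->acmd12errsts = 0;
+@@ -339,6 +340,7 @@ static void sdhci_send_command(SDHCIStat
+trace_sdhci_response16(s->rspreg[3], s->rspreg[2],
+s->rspreg[1], s->rspreg[0]);
+} else {
++ timeout = true;
+trace_sdhci_error("timeout waiting for command response");
+if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT) {
+s->errintsts |= SDHC_EIS_CMDTIMEOUT;
+@@ -359,7 +361,7 @@ static void sdhci_send_command(SDHCIStat
+
+sdhci_update_irq(s);
+
+- if (s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
++ if (!timeout && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
+s->data_count = 0;
+sdhci_data_transfer(s);
+}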
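Review bot: The `CVE:` trailer in the patch header lists only CVE-2021-3409 and CVE-2020-17380, although the upstream `Fixes:` lines directly above it also credit CVE-2020-25085, and as far as I know the recipe's cve-check bookkeeping is keyed off that `CVE:` tag, so CVE-2020-25085 would still be reported as unpatched once this series lands. The same trailer is repeated in CVE-2021-3409-2 through -5, so either extend it to `CVE: CVE-2021-3409 CVE-2020-17380 CVE-2020-25085` in each or record why it is deliberately left out. On the code, the `!timeout` guard sits two hunks away from where `timeout` is set, so a comment at the declaration, `/* no response from the card; suppresses the data phase below */`, would help the next reader. sdhci_send_command starts and ends outside the hunks.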
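--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-2.patch
@@ -0,0 +1,103 @@
+From 8be45cc947832b3c02144c9d52921f499f2d77fe Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:36 +0800
+Subject: [PATCH] hw/sd: sdhci: Don't write to SDHC_SYSAD register when
+transfer is in progress
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Per "SD Host Controller Standard Specification Version 7.00"
+chapter 2.2.1 SDMA System Address Register:
+
+This register can be accessed only if no transaction is executing
+(i.e., after a transaction has stopped).
+
+With this fix, the following reproducer:
+
+outl 0xcf8 0x80001010
+outl 0xcfc 0xfbefff00
+outl 0xcf8 0x80001001
+outl 0xcfc 0x06000000
+write 0xfbefff2c 0x1 0x05
+write 0xfbefff0f 0x1 0x37
+write 0xfbefff0a 0x1 0x01
+write 0xfbefff0f 0x1 0x29
+write 0xfbefff0f 0x1 0x02
+write 0xfbefff0f 0x1 0x03
+write 0xfbefff04 0x1 0x01
+write 0xfbefff05 0x1 0x01
+write 0xfbefff07 0x1 0x02
+write 0xfbefff0c 0x1 0x33
+write 0xfbefff0e 0x1 0x20
+write 0xfbefff0f 0x1 0x00
+write 0xfbefff2a 0x1 0x01
+write 0xfbefff0c 0x1 0x00
+write 0xfbefff03 0x1 0x00
+write 0xfbefff05 0x1 0x00
+write 0xfbefff2a 0x1 0x02
+write 0xfbefff0c 0x1 0x32
+write 0xfbefff01 0x1 0x01
+write 0xfbefff02 0x1 0x01
+write 0xfbefff03 0x1 0x01
+
+cannot be reproduced with the following QEMU command line:
+
+$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
+-nodefaults -device sdhci-pci,sd-spec-version=3 \
+-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+-device sd-card,drive=mydrive -qtest stdio
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-3-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+CVE: CVE-2021-3409 CVE-2020-17380
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-2.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/8be45cc947832b3c02144c9d52921f499f2d77fe ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+hw/sd/sdhci.c | 20 +++++++++++---------
+1 file changed, 11 insertions(+), 9 deletions(-)
+
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -1117,15 +1117,17 @@ sdhci_write(void *opaque, hwaddr offset,
+
+switch (offset & ~0x3) {
+case SDHC_SYSAD:
+- s->sdmasysad = (s->sdmasysad & mask) | value;
+- MASKED_WRITE(s->sdmasysad, mask, value);
+- /* Writing to last byte of sdmasysad might trigger transfer */
+- if (!(mask & 0xFF000000) && TRANSFERRING_DATA(s->prnsts) && s->blkcnt &&
+- s->blksize && SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) {
+- if (s->trnmod & SDHC_TRNS_MULTI) {
+- sdhci_sdma_transfer_multi_blocks(s);
+- } else {
+- sdhci_sdma_transfer_single_block(s);
++ if (!TRANSFERRING_DATA(s->prnsts)) {
++ s->sdmasysad = (s->sdmasysad & mask) | value;
++ MASKED_WRITE(s->sdmasysad, mask, value);
++ /* Writing to last byte of sdmasysad might trigger transfer */
++ if (!(mask & 0xFF000000) && s->blkcnt && s->blksize &&
++ SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) {
++ if (s->trnmod & SDHC_TRNS_MULTI) {
++ sdhci_sdma_transfer_multi_blocks(s);
++ } else {
++ sdhci_sdma_transfer_single_block(s);
++ }
+}
+}
+break;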
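Review bot: The new SYSAD branch keeps both `s->sdmasysad = (s->sdmasysad & mask) | value;` and `MASKED_WRITE(s->sdmasysad, mask, value);` on consecutive lines; if MASKED_WRITE expands to the usual masked store, the first line is a duplicate that the backport merely re-indents under the new guard, and dropping it would make the case read like the other register cases. A write that arrives while `TRANSFERRING_DATA(s->prnsts)` holds is now dropped with no trace; an `else` branch with `qemu_log_mask(LOG_GUEST_ERROR, "%s: SYSAD written during transfer\n", __func__);` would make that guest misbehaviour visible, matching how the BLKSIZE case already reports oversize values. sdhci_write starts and ends outside the hunk.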
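--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-3.patch
@@ -0,0 +1,71 @@
+Backport of:
+
+From bc6f28995ff88f5d82c38afcfd65406f0ae375aa Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:37 +0800
+Subject: [PATCH] hw/sd: sdhci: Correctly set the controller status for ADMA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+When an ADMA transfer is started, the codes forget to set the
+controller status to indicate a transfer is in progress.
+
+With this fix, the following 2 reproducers:
+
+https://paste.debian.net/plain/1185136
+https://paste.debian.net/plain/1185141
+
+cannot be reproduced with the following QEMU command line:
+
+$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
+-nodefaults -device sdhci-pci,sd-spec-version=3 \
+-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+-device sd-card,drive=mydrive -qtest stdio
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-4-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+CVE: CVE-2021-3409 CVE-2020-17380
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-3.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/bc6f28995ff88f5d82c38afcfd65406f0ae375aa ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+hw/sd/sdhci.c | 3 +++
+1 file changed, 3 insertions(+)
+
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -776,8 +776,9 @@ static void sdhci_do_adma(SDHCIState *s)
+
+switch (dscr.attr & SDHC_ADMA_ATTR_ACT_MASK) {
+case SDHC_ADMA_ATTR_ACT_TRAN: /* data transfer */
+-
++ s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE;
+if (s->trnmod & SDHC_TRNS_READ) {
++ s->prnsts |= SDHC_DOING_READ;
+while (length) {
+if (s->data_count == 0) {
+for (n = 0; n < block_size; n++) {
+@@ -807,6 +808,7 @@ static void sdhci_do_adma(SDHCIState *s)
+}
+}
+} else {
++ s->prnsts |= SDHC_DOING_WRITE;
+while (length) {
+begin = s->data_count;
+if ((length + begin) < block_size) {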
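Review bot: The ADMA TRAN case now raises `SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE` plus `SDHC_DOING_READ` or `SDHC_DOING_WRITE` in `s->prnsts`, but nothing in the hunk clears them, and the -2, -4 and -5 patches make `TRANSFERRING_DATA(s->prnsts)` gate the SYSAD and BLKSIZE registers, so any exit from sdhci_do_adma that leaves the bits set would block those registers until reset. The clearing presumably lives in the transfer-completion path outside the hunk; the error and abort exits are the ones worth confirming. A comment on the first added line, `/* data phase active; cleared when the transfer completes or aborts */`, would record that expectation. sdhci_do_adma starts and ends outside the hunks.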
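--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-4.patch
@@ -0,0 +1,52 @@
+Backport of:
+
+From 5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:38 +0800
+Subject: [PATCH] hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE
+register is writable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+The codes to limit the maximum block size is only necessary when
+SDHC_BLKSIZE register is writable.
+
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-5-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+CVE: CVE-2021-3409 CVE-2020-17380
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-4.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+hw/sd/sdhci.c | 14 +++++++-------
+1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -1137,15 +1137,15 @@ sdhci_write(void *opaque, hwaddr offset,
+if (!TRANSFERRING_DATA(s->prnsts)) {
+MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
+MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
+- }
+
+- /* Limit block size to the maximum buffer size */
+- if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
+- qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " \
+- "the maximum buffer 0x%x", __func__, s->blksize,
+- s->buf_maxsz);
++ /* Limit block size to the maximum buffer size */
++ if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
++ qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than "
++ "the maximum buffer 0x%x\n", __func__, s->blksize,
++ s->buf_maxsz);
+
+- s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
++ s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
++ }
+}
+
+break;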
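--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-5.patch
@@ -0,0 +1,93 @@
+From cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9 Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:39 +0800
+Subject: [PATCH] hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[] when
+a different block size is programmed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+If the block size is programmed to a different value from the
+previous one, reset the data pointer of s->fifo_buffer[] so that
+s->fifo_buffer[] can be filled in using the new block size in
+the next transfer.
+
+With this fix, the following reproducer:
+
+outl 0xcf8 0x80001010
+outl 0xcfc 0xe0000000
+outl 0xcf8 0x80001001
+outl 0xcfc 0x06000000
+write 0xe000002c 0x1 0x05
+write 0xe0000005 0x1 0x02
+write 0xe0000007 0x1 0x01
+write 0xe0000028 0x1 0x10
+write 0x0 0x1 0x23
+write 0x2 0x1 0x08
+write 0xe000000c 0x1 0x01
+write 0xe000000e 0x1 0x20
+write 0xe000000f 0x1 0x00
+write 0xe000000c 0x1 0x32
+write 0xe0000004 0x2 0x0200
+write 0xe0000028 0x1 0x00
+write 0xe0000003 0x1 0x40
+
+cannot be reproduced with the following QEMU command line:
+
+$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
+-nodefaults -device sdhci-pci,sd-spec-version=3 \
+-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+-device sd-card,drive=mydrive -qtest stdio
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-6-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+CVE: CVE-2021-3409 CVE-2020-17380
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-5.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9 ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+hw/sd/sdhci.c | 12 ++++++++++++
+1 file changed, 12 insertions(+)
+
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -1135,6 +1135,8 @@ sdhci_write(void *opaque, hwaddr offset,
+break;
+case SDHC_BLKSIZE:
+if (!TRANSFERRING_DATA(s->prnsts)) {
++ uint16_t blksize = s->blksize;
++
+MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
+MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
+
+@@ -1146,6 +1148,16 @@ sdhci_write(void *opaque, hwaddr offset,
+
+s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
+}
++
++ /*
++ * If the block size is programmed to a different value from
++ * the previous one, reset the data pointer of s->fifo_buffer[]
++ * so that s->fifo_buffer[] can be filled in using the new block
++ * size in the next transfer.
++ */
++ if (blksize != s->blksize) {
++ s->data_count = 0;
++ }
+}
+
+break;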
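Review bot: `uint16_t blksize = s->blksize;` is introduced without saying why the old value is kept until after the clamp against `s->buf_maxsz`; a comment such as `/* previous block size, compared after the clamp so a clamped rewrite counts as unchanged */` would stop the next reader from moving the comparison ahead of the clamp. The reset of `s->data_count` is keyed only on a size change, so a stale `data_count` left by an aborted transfer with the same block size is not covered here — presumably the reset/abort paths handle it, but that is outside the hunk and worth confirming. sdhci_write starts and ends outside the hunks.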
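--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch
@@ -0,0 +1,177 @@
+From 4b1988a29d67277d6c8ce1df52975f5616592913 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 11:44:36 +0800
+Subject: [PATCH 01/10] net: introduce qemu_receive_packet()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some NIC supports loopback mode and this is done by calling
+nc->info->receive() directly which in fact suppresses the effort of
+reentrancy check that is done in qemu_net_queue_send().
+
+Unfortunately we can't use qemu_net_queue_send() here since for
+loopback there's no sender as peer, so this patch introduce a
+qemu_receive_packet() which is used for implementing loopback mode
+for a NIC with this check.
+
+NIC that supports loopback mode will be converted to this helper.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [705df5466c98f3efdd2b68d3b31dad86858acad7]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+include/net/net.h | 5 +++++
+include/net/queue.h | 8 ++++++++
+net/net.c | 38 +++++++++++++++++++++++++++++++-------
+net/queue.c | 22 ++++++++++++++++++++++
+4 files changed, 66 insertions(+), 7 deletions(-)
+
+diff --git a/include/net/net.h b/include/net/net.h
+index 778fc787c..03f058ecb 100644
+--- a/include/net/net.h
++++ b/include/net/net.h
+@@ -143,12 +143,17 @@ void *qemu_get_nic_opaque(NetClientState *nc);
+void qemu_del_net_client(NetClientState *nc);
+typedef void (*qemu_nic_foreach)(NICState *nic, void *opaque);
+void qemu_foreach_nic(qemu_nic_foreach func, void *opaque);
++int qemu_can_receive_packet(NetClientState *nc);
+int qemu_can_send_packet(NetClientState *nc);
+ssize_t qemu_sendv_packet(NetClientState *nc, const struct iovec *iov,
+int iovcnt);
+ssize_t qemu_sendv_packet_async(NetClientState *nc, const struct iovec *iov,
+int iovcnt, NetPacketSent *sent_cb);
+ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size);
++ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size);
++ssize_t qemu_receive_packet_iov(NetClientState *nc,
++ const struct iovec *iov,
++ int iovcnt);
+ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size);
+ssize_t qemu_send_packet_async(NetClientState *nc, const uint8_t *buf,
+int size, NetPacketSent *sent_cb);
+diff --git a/include/net/queue.h b/include/net/queue.h
+index c0269bb1d..9f2f289d7 100644
+--- a/include/net/queue.h
++++ b/include/net/queue.h
+@@ -55,6 +55,14 @@ void qemu_net_queue_append_iov(NetQueue *queue,
+
+void qemu_del_net_queue(NetQueue *queue);
+
++ssize_t qemu_net_queue_receive(NetQueue *queue,
++ const uint8_t *data,
++ size_t size);
++
++ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
++ const struct iovec *iov,
++ int iovcnt);
++
+ssize_t qemu_net_queue_send(NetQueue *queue,
+NetClientState *sender,
+unsigned flags,
+diff --git a/net/net.c b/net/net.c
+index 6a2c3d956..5e15e5d27 100644
+--- a/net/net.c
++++ b/net/net.c
+@@ -528,6 +528,17 @@ int qemu_set_vnet_be(NetClientState *nc, bool is_be)
+#endif
+}
+
++int qemu_can_receive_packet(NetClientState *nc)
++{
++ if (nc->receive_disabled) {
++ return 0;
++ } else if (nc->info->can_receive &&
++ !nc->info->can_receive(nc)) {
++ return 0;
++ }
++ return 1;
++}
++
+int qemu_can_send_packet(NetClientState *sender)
+{
+int vm_running = runstate_is_running();
+@@ -540,13 +551,7 @@ int qemu_can_send_packet(NetClientState *sender)
+return 1;
+}
+
+- if (sender->peer->receive_disabled) {
+- return 0;
+- } else if (sender->peer->info->can_receive &&
+- !sender->peer->info->can_receive(sender->peer)) {
+- return 0;
+- }
+- return 1;
++ return qemu_can_receive_packet(sender->peer);
+}
+
+static ssize_t filter_receive_iov(NetClientState *nc,
+@@ -679,6 +684,25 @@ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size)
+return qemu_send_packet_async(nc, buf, size, NULL);
+}
+
++ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size)
++{
++ if (!qemu_can_receive_packet(nc)) {
++ return 0;
++ }
++
++ return qemu_net_queue_receive(nc->incoming_queue, buf, size);
++}
++
++ssize_t qemu_receive_packet_iov(NetClientState *nc, const struct iovec *iov,
++ int iovcnt)
++{
++ if (!qemu_can_receive_packet(nc)) {
++ return 0;
++ }
++
++ return qemu_net_queue_receive_iov(nc->incoming_queue, iov, iovcnt);
++}
++
+ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size)
+{
+return qemu_send_packet_async_with_flags(nc, QEMU_NET_PACKET_FLAG_RAW,
+diff --git a/net/queue.c b/net/queue.c
+index 19e32c80f..c872d51df 100644
+--- a/net/queue.c
++++ b/net/queue.c
+@@ -182,6 +182,28 @@ static ssize_t qemu_net_queue_deliver_iov(NetQueue *queue,
+return ret;
+}
+
++ssize_t qemu_net_queue_receive(NetQueue *queue,
++ const uint8_t *data,
++ size_t size)
++{
++ if (queue->delivering) {
++ return 0;
++ }
++
++ return qemu_net_queue_deliver(queue, NULL, 0, data, size);
++}
++
++ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
++ const struct iovec *iov,
++ int iovcnt)
++{
++ if (queue->delivering) {
++ return 0;
++ }
++
++ return qemu_net_queue_deliver_iov(queue, NULL, 0, iov, iovcnt);
++}
++
+ssize_t qemu_net_queue_send(NetQueue *queue,
+NetClientState *sender,
+unsigned flags,
+--
+2.29.2
+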
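Review bot: The new public functions `qemu_receive_packet()`, `qemu_receive_packet_iov()`, `qemu_net_queue_receive()` and `qemu_net_queue_receive_iov()` carry no comment, and their `return 0` when `queue->delivering` is set is indistinguishable to a caller from a receiver that accepted nothing. A comment on the declarations in include/net/net.h along the lines of `/* Deliver a packet to nc itself (loopback). Returns 0 and drops the packet if nc cannot receive or its queue is already delivering (reentrancy guard). */` would document the contract the NIC conversions later in the series rely on. `qemu_receive_packet()` also forwards its `int size` into the `size_t size` of `qemu_net_queue_receive()`, which matches the existing `qemu_send_packet()` convention but lets a negative size become a huge one; an `assert(size >= 0)` or a `size_t` parameter would close that. Since the converted callers discard the return value, a `qemu_log_mask` or trace event next to the `return 0` in net/queue.c would be the only visible sign of a dropped loopback frame.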
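--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch
@@ -0,0 +1,41 @@
+From 65b851efd3d0280425c202f4e5880c48f8334dae Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Mon, 1 Mar 2021 14:35:30 -0500
+Subject: [PATCH 10/10] lan9118: switch to use qemu_receive_packet() for
+loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [37cee01784ff0df13e5209517e1b3594a5e792d1]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+hw/net/lan9118.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-4.2.0/hw/net/lan9118.c
+===================================================================
+--- qemu-4.2.0.orig/hw/net/lan9118.c
++++ qemu-4.2.0/hw/net/lan9118.c
+@@ -667,7 +667,7 @@ static void do_tx_packet(lan9118_state *
+/* FIXME: Honor TX disable, and allow queueing of packets. */
+if (s->phy_control & 0x4000) {
+/* This assumes the receive routine doesn't touch the VLANClient. */
+- lan9118_receive(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
++ qemu_receive_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
+} else {
+qemu_send_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
+}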
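Review bot: Replacing the direct `lan9118_receive()` call with `qemu_receive_packet()` changes more than the reentrancy check: the helper also consults `receive_disabled` and the `can_receive` callback before delivering, so a loopback frame can now be dropped where the old code always handed it to the receive routine, and the return value is discarded. The same applies to the e1000 and dp8393x conversions in CVE-2021-3416_2 and CVE-2021-3416_3. If that is intended, the comment above the call could say so, e.g. `/* Loopback: the frame may be dropped if the receive side is busy or disabled. */`. This patch also uses a quilt-style `Index:` header where the rest of the series uses `diff --git`, and its `Reviewed-by:` trailer is missing the closing `>`. do_tx_packet starts and ends outside the hunk.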
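--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch
@@ -0,0 +1,42 @@
+From e2a48a3c7cc33dbbe89f896e0f07462cb04ff6b5 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 12:13:22 +0800
+Subject: [PATCH 02/10] e1000: switch to use qemu_receive_packet() for loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [1caff0340f49c93d535c6558a5138d20d475315c]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+hw/net/e1000.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c
+index d7d05ae30..cf22c4f07 100644
+--- a/hw/net/e1000.c
++++ b/hw/net/e1000.c
+@@ -546,7 +546,7 @@ e1000_send_packet(E1000State *s, const uint8_t *buf, int size)
+
+NetClientState *nc = qemu_get_queue(s->nic);
+if (s->phy_reg[PHY_CTRL] & MII_CR_LOOPBACK) {
+- nc->info->receive(nc, buf, size);
++ qemu_receive_packet(nc, buf, size);
+} else {
+qemu_send_packet(nc, buf, size);
+}
+--
+2.29.2
+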
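--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch
@@ -0,0 +1,43 @@
+From c041a4da1ff119715e0ccf2d4a7af62568f17b93 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 12:57:40 +0800
+Subject: [PATCH 03/10] dp8393x: switch to use qemu_receive_packet() for
+loopback packet
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [331d2ac9ea307c990dc86e6493e8f0c48d14bb33]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+hw/net/dp8393x.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
+index 205c0decc..533a8304d 100644
+--- a/hw/net/dp8393x.c
++++ b/hw/net/dp8393x.c
+@@ -506,7 +506,7 @@ static void dp8393x_do_transmit_packets(dp8393xState *s)
+s->regs[SONIC_TCR] |= SONIC_TCR_CRSL;
+if (nc->info->can_receive(nc)) {
+s->loopback_packet = 1;
+- nc->info->receive(nc, s->tx_buffer, tx_len);
++ qemu_receive_packet(nc, s->tx_buffer, tx_len);
+}
+} else {
+/* Transmit packet */
+--
+2.29.2
+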
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch new file mode 100644 index 0000000000..93202ebcef --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch | |||
@@ -0,0 +1,42 @@ | |||
1 | From d465dc79c9ee729d91ef086b993e956b1935be69 Mon Sep 17 00:00:00 2001 | ||
2 | From: Jason Wang <jasowang@redhat.com> | ||
3 | Date: Wed, 24 Feb 2021 13:14:35 +0800 | ||
4 | Subject: [PATCH 05/10] sungem: switch to use qemu_receive_packet() for | ||
5 | loopback | ||
6 | MIME-Version: 1.0 | ||
7 | Content-Type: text/plain; charset=UTF-8 | ||
8 | Content-Transfer-Encoding: 8bit | ||
9 | |||
10 | This patch switches to use qemu_receive_packet() which can detect | ||
11 | reentrancy and return early. | ||
12 | |||
13 | This is intended to address CVE-2021-3416. | ||
14 | |||
15 | Cc: Prasad J Pandit <ppandit@redhat.com> | ||
16 | Cc: qemu-stable@nongnu.org | ||
17 | Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> | ||
18 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
19 | Reviewed-by: Alistair Francis <alistair.francis@wdc.com> | ||
20 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
21 | |||
22 | Upstream-Status: Backport [8c92060d3c0248bd4d515719a35922cd2391b9b4] | ||
23 | CVE: CVE-2021-3416 | ||
24 | |||
25 | Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> | ||
26 | --- | ||
27 | hw/net/sungem.c | 2 +- | ||
28 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
29 | |||
30 | Index: qemu-4.2.0/hw/net/sungem.c | ||
31 | =================================================================== | ||
32 | --- qemu-4.2.0.orig/hw/net/sungem.c | ||
33 | +++ qemu-4.2.0/hw/net/sungem.c | ||
34 | @@ -305,7 +305,7 @@ static void sungem_send_packet(SunGEMSta | ||
35 | NetClientState *nc = qemu_get_queue(s->nic); | ||
36 | |||
37 | if (s->macregs[MAC_XIFCFG >> 2] & MAC_XIFCFG_LBCK) { | ||
38 | - nc->info->receive(nc, buf, size); | ||
39 | + qemu_receive_packet(nc, buf, size); | ||
40 | } else { | ||
41 | qemu_send_packet(nc, buf, size); | ||
42 | } | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch new file mode 100644 index 0000000000..40b4bd96e7 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch | |||
@@ -0,0 +1,40 @@ | |||
1 | From c0010f9b2bafe866fe32e3c2688454bc24147136 Mon Sep 17 00:00:00 2001 | ||
2 | From: Jason Wang <jasowang@redhat.com> | ||
3 | Date: Wed, 24 Feb 2021 13:27:52 +0800 | ||
4 | Subject: [PATCH 06/10] tx_pkt: switch to use qemu_receive_packet_iov() for | ||
5 | loopback | ||
6 | MIME-Version: 1.0 | ||
7 | Content-Type: text/plain; charset=UTF-8 | ||
8 | Content-Transfer-Encoding: 8bit | ||
9 | |||
10 | This patch switches to use qemu_receive_receive_iov() which can detect | ||
11 | reentrancy and return early. | ||
12 | |||
13 | This is intended to address CVE-2021-3416. | ||
14 | |||
15 | Cc: Prasad J Pandit <ppandit@redhat.com> | ||
16 | Cc: qemu-stable@nongnu.org | ||
17 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
18 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
19 | |||
20 | Upstream-Status: Backport [8c552542b81e56ff532dd27ec6e5328954bdda73] | ||
21 | CVE: CVE-2021-3416 | ||
22 | |||
23 | Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> | ||
24 | --- | ||
25 | hw/net/net_tx_pkt.c | 2 +- | ||
26 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
27 | |||
28 | Index: qemu-4.2.0/hw/net/net_tx_pkt.c | ||
29 | =================================================================== | ||
30 | --- qemu-4.2.0.orig/hw/net/net_tx_pkt.c | ||
31 | +++ qemu-4.2.0/hw/net/net_tx_pkt.c | ||
32 | @@ -544,7 +544,7 @@ static inline void net_tx_pkt_sendv(stru | ||
33 | NetClientState *nc, const struct iovec *iov, int iov_cnt) | ||
34 | { | ||
35 | if (pkt->is_loopback) { | ||
36 | - nc->info->receive_iov(nc, iov, iov_cnt); | ||
37 | + qemu_receive_packet_iov(nc, iov, iov_cnt); | ||
38 | } else { | ||
39 | qemu_sendv_packet(nc, iov, iov_cnt); | ||
40 | } | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch new file mode 100644 index 0000000000..b3b702cca4 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch | |||
@@ -0,0 +1,42 @@ | |||
1 | From 64b38675c728354e4015e4bec3d975cd4cb8a981 Mon Sep 17 00:00:00 2001 | ||
2 | From: Alexander Bulekov <alxndr@bu.edu> | ||
3 | Date: Fri, 26 Feb 2021 13:47:53 -0500 | ||
4 | Subject: [PATCH 07/10] rtl8139: switch to use qemu_receive_packet() for | ||
5 | loopback | ||
6 | MIME-Version: 1.0 | ||
7 | Content-Type: text/plain; charset=UTF-8 | ||
8 | Content-Transfer-Encoding: 8bit | ||
9 | |||
10 | This patch switches to use qemu_receive_packet() which can detect | ||
11 | reentrancy and return early. | ||
12 | |||
13 | This is intended to address CVE-2021-3416. | ||
14 | |||
15 | Cc: Prasad J Pandit <ppandit@redhat.com> | ||
16 | Cc: qemu-stable@nongnu.org | ||
17 | Buglink: https://bugs.launchpad.net/qemu/+bug/1910826 | ||
18 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com | ||
19 | Signed-off-by: Alexander Bulekov <alxndr@bu.edu> | ||
20 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
21 | |||
22 | Upstream-Status: Backport [5311fb805a4403bba024e83886fa0e7572265de4] | ||
23 | CVE: CVE-2021-3416 | ||
24 | |||
25 | Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> | ||
26 | --- | ||
27 | hw/net/rtl8139.c | 2 +- | ||
28 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
29 | |||
30 | Index: qemu-4.2.0/hw/net/rtl8139.c | ||
31 | =================================================================== | ||
32 | --- qemu-4.2.0.orig/hw/net/rtl8139.c | ||
33 | +++ qemu-4.2.0/hw/net/rtl8139.c | ||
34 | @@ -1793,7 +1793,7 @@ static void rtl8139_transfer_frame(RTL81 | ||
35 | } | ||
36 | |||
37 | DPRINTF("+++ transmit loopback mode\n"); | ||
38 | - rtl8139_do_receive(qemu_get_queue(s->nic), buf, size, do_interrupt); | ||
39 | + qemu_receive_packet(qemu_get_queue(s->nic), buf, size); | ||
40 | |||
41 | if (iov) { | ||
42 | g_free(buf2); | ||
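Review bot: Replacing `rtl8139_do_receive(..., do_interrupt)` with `qemu_receive_packet(qemu_get_queue(s->nic), buf, size);` at line 39 of this patch drops the `do_interrupt` argument, so the loopback path now goes through the NIC's generic receive callback; if that callback is `rtl8139_receive()`, which as far as I recall always passes do_interrupt=1, callers that reach rtl8139_transfer_frame() with do_interrupt=0 will now raise a receive interrupt on loopback. This follows the upstream change, but the behaviour difference deserves a comment above the call, e.g. `/* loopback now signals RX like a real receive; the do_interrupt hint is not honoured here */`. If `do_interrupt` is otherwise unused in this function, expect an unused-parameter warning unless the build disables it. rtl8139_transfer_frame starts and ends outside the hunk.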
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch new file mode 100644 index 0000000000..ed716468dc --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch | |||
@@ -0,0 +1,44 @@ | |||
1 | From 023ce62f0a788ad3a8233c7a828554bceeafd031 Mon Sep 17 00:00:00 2001 | ||
2 | From: Alexander Bulekov <alxndr@bu.edu> | ||
3 | Date: Mon, 1 Mar 2021 10:33:34 -0500 | ||
4 | Subject: [PATCH 08/10] pcnet: switch to use qemu_receive_packet() for loopback | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | This patch switches to use qemu_receive_packet() which can detect | ||
10 | reentrancy and return early. | ||
11 | |||
12 | This is intended to address CVE-2021-3416. | ||
13 | |||
14 | Cc: Prasad J Pandit <ppandit@redhat.com> | ||
15 | Cc: qemu-stable@nongnu.org | ||
16 | Buglink: https://bugs.launchpad.net/qemu/+bug/1917085 | ||
17 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com | ||
18 | Signed-off-by: Alexander Bulekov <alxndr@bu.edu> | ||
19 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
20 | |||
21 | Upstream-Status: Backport [99ccfaa1edafd79f7a3a0ff7b58ae4da7c514928] | ||
22 | CVE: CVE-2021-3416 | ||
23 | |||
24 | Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> | ||
25 | --- | ||
26 | hw/net/pcnet.c | 2 +- | ||
27 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
28 | |||
29 | diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c | ||
30 | index f3f18d859..dcd3fc494 100644 | ||
31 | --- a/hw/net/pcnet.c | ||
32 | +++ b/hw/net/pcnet.c | ||
33 | @@ -1250,7 +1250,7 @@ txagain: | ||
34 | if (BCR_SWSTYLE(s) == 1) | ||
35 | add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS); | ||
36 | s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC; | ||
37 | - pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos); | ||
38 | + qemu_receive_packet(qemu_get_queue(s->nic), s->buffer, s->xmit_pos); | ||
39 | s->looptest = 0; | ||
40 | } else { | ||
41 | if (s->nic) { | ||
42 | -- | ||
43 | 2.29.2 | ||
44 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch new file mode 100644 index 0000000000..f4a985604e --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch | |||
@@ -0,0 +1,41 @@ | |||
1 | From ecf7e62bb2cb02c9bd40082504ae376f3e19ffd2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Alexander Bulekov <alxndr@bu.edu> | ||
3 | Date: Mon, 1 Mar 2021 14:33:43 -0500 | ||
4 | Subject: [PATCH 09/10] cadence_gem: switch to use qemu_receive_packet() for | ||
5 | loopback | ||
6 | MIME-Version: 1.0 | ||
7 | Content-Type: text/plain; charset=UTF-8 | ||
8 | Content-Transfer-Encoding: 8bit | ||
9 | |||
10 | This patch switches to use qemu_receive_packet() which can detect | ||
11 | reentrancy and return early. | ||
12 | |||
13 | This is intended to address CVE-2021-3416. | ||
14 | |||
15 | Cc: Prasad J Pandit <ppandit@redhat.com> | ||
16 | Cc: qemu-stable@nongnu.org | ||
17 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
18 | Signed-off-by: Alexander Bulekov <alxndr@bu.edu> | ||
19 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
20 | |||
21 | Upstream-Status: Backport [e73adfbeec9d4e008630c814759052ed945c3fed] | ||
22 | CVE: CVE-2021-3416 | ||
23 | |||
24 | Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> | ||
25 | --- | ||
26 | hw/net/cadence_gem.c | 4 ++-- | ||
27 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
28 | |||
29 | Index: qemu-4.2.0/hw/net/cadence_gem.c | ||
30 | =================================================================== | ||
31 | --- qemu-4.2.0.orig/hw/net/cadence_gem.c | ||
32 | +++ qemu-4.2.0/hw/net/cadence_gem.c | ||
33 | @@ -1225,7 +1225,7 @@ static void gem_transmit(CadenceGEMState | ||
34 | /* Send the packet somewhere */ | ||
35 | if (s->phy_loop || (s->regs[GEM_NWCTRL] & | ||
36 | GEM_NWCTRL_LOCALLOOP)) { | ||
37 | - gem_receive(qemu_get_queue(s->nic), tx_packet, | ||
38 | + qemu_receive_packet(qemu_get_queue(s->nic), tx_packet, | ||
39 | total_bytes); | ||
40 | } else { | ||
41 | qemu_send_packet(qemu_get_queue(s->nic), tx_packet, | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch new file mode 100644 index 0000000000..4ff3413f8e --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch | |||
@@ -0,0 +1,87 @@ | |||
1 | From defac5e2fbddf8423a354ff0454283a2115e1367 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> | ||
3 | Date: Thu, 18 Nov 2021 12:57:32 +0100 | ||
4 | Subject: [PATCH] hw/block/fdc: Prevent end-of-track overrun (CVE-2021-3507) | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | Per the 82078 datasheet, if the end-of-track (EOT byte in | ||
10 | the FIFO) is more than the number of sectors per side, the | ||
11 | command is terminated unsuccessfully: | ||
12 | |||
13 | * 5.2.5 DATA TRANSFER TERMINATION | ||
14 | |||
15 | The 82078 supports terminal count explicitly through | ||
16 | the TC pin and implicitly through the underrun/over- | ||
17 | run and end-of-track (EOT) functions. For full sector | ||
18 | transfers, the EOT parameter can define the last | ||
19 | sector to be transferred in a single or multisector | ||
20 | transfer. If the last sector to be transferred is a par- | ||
21 | tial sector, the host can stop transferring the data in | ||
22 | mid-sector, and the 82078 will continue to complete | ||
23 | the sector as if a hardware TC was received. The | ||
24 | only difference between these implicit functions and | ||
25 | TC is that they return "abnormal termination" result | ||
26 | status. Such status indications can be ignored if they | ||
27 | were expected. | ||
28 | |||
29 | * 6.1.3 READ TRACK | ||
30 | |||
31 | This command terminates when the EOT specified | ||
32 | number of sectors have been read. If the 82078 | ||
33 | does not find an I D Address Mark on the diskette | ||
34 | after the second· occurrence of a pulse on the | ||
35 | INDX# pin, then it sets the IC code in Status Regis- | ||
36 | ter 0 to "01" (Abnormal termination), sets the MA bit | ||
37 | in Status Register 1 to "1", and terminates the com- | ||
38 | mand. | ||
39 | |||
40 | * 6.1.6 VERIFY | ||
41 | |||
42 | Refer to Table 6-6 and Table 6-7 for information | ||
43 | concerning the values of MT and EC versus SC and | ||
44 | EOT value. | ||
45 | |||
46 | * Table 6·6. Result Phase Table | ||
47 | |||
48 | * Table 6-7. Verify Command Result Phase Table | ||
49 | |||
50 | Fix by aborting the transfer when EOT > # Sectors Per Side. | ||
51 | |||
52 | Cc: qemu-stable@nongnu.org | ||
53 | Cc: Hervé Poussineau <hpoussin@reactos.org> | ||
54 | Fixes: baca51faff0 ("floppy driver: disk geometry auto detect") | ||
55 | Reported-by: Alexander Bulekov <alxndr@bu.edu> | ||
56 | Resolves: https://gitlab.com/qemu-project/qemu/-/issues/339 | ||
57 | Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
58 | Message-Id: <20211118115733.4038610-2-philmd@redhat.com> | ||
59 | Reviewed-by: Hanna Reitz <hreitz@redhat.com> | ||
60 | Signed-off-by: Kevin Wolf <kwolf@redhat.com> | ||
61 | |||
62 | Upstream-Status: Backport [https://github.com/qemu/qemu/commit/defac5e2fbddf8423a354ff0454283a2115e1367] | ||
63 | CVE: CVE-2021-3507 | ||
64 | Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> | ||
65 | --- | ||
66 | hw/block/fdc.c | 8 ++++++++ | ||
67 | 1 file changed, 8 insertions(+) | ||
68 | |||
69 | diff --git a/hw/block/fdc.c b/hw/block/fdc.c | ||
70 | index 347875a0cdae..57bb355794a9 100644 | ||
71 | --- a/hw/block/fdc.c | ||
72 | +++ b/hw/block/fdc.c | ||
73 | @@ -1530,6 +1530,14 @@ static void fdctrl_start_transfer(FDCtrl *fdctrl, int direction) | ||
74 | int tmp; | ||
75 | fdctrl->data_len = 128 << (fdctrl->fifo[5] > 7 ? 7 : fdctrl->fifo[5]); | ||
76 | tmp = (fdctrl->fifo[6] - ks + 1); | ||
77 | + if (tmp < 0) { | ||
78 | + FLOPPY_DPRINTF("invalid EOT: %d\n", tmp); | ||
79 | + fdctrl_stop_transfer(fdctrl, FD_SR0_ABNTERM, FD_SR1_MA, 0x00); | ||
80 | + fdctrl->fifo[3] = kt; | ||
81 | + fdctrl->fifo[4] = kh; | ||
82 | + fdctrl->fifo[5] = ks; | ||
83 | + return; | ||
84 | + } | ||
85 | if (fdctrl->fifo[0] & 0x80) | ||
86 | tmp += fdctrl->fifo[6]; | ||
87 | fdctrl->data_len *= tmp; | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch new file mode 100644 index 0000000000..77a5385692 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch | |||
@@ -0,0 +1,42 @@ | |||
1 | From 05a40b172e4d691371534828078be47e7fff524c Mon Sep 17 00:00:00 2001 | ||
2 | From: Gerd Hoffmann <kraxel@redhat.com> | ||
3 | Date: Mon, 3 May 2021 15:29:15 +0200 | ||
4 | Subject: [PATCH] usb: limit combined packets to 1 MiB (CVE-2021-3527) | ||
5 | |||
6 | usb-host and usb-redirect try to batch bulk transfers by combining many | ||
7 | small usb packets into a single, large transfer request, to reduce the | ||
8 | overhead and improve performance. | ||
9 | |||
10 | This patch adds a size limit of 1 MiB for those combined packets to | ||
11 | restrict the host resources the guest can bind that way. | ||
12 | |||
13 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
14 | Message-Id: <20210503132915.2335822-6-kraxel@redhat.com> | ||
15 | |||
16 | Upstream-Status: Backport | ||
17 | https://gitlab.com/qemu-project/qemu/-/commit/05a40b172e4d691371534828078be47e7fff524c | ||
18 | CVE: CVE-2021-3527 | ||
19 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
20 | |||
21 | --- | ||
22 | hw/usb/combined-packet.c | 4 +++- | ||
23 | 1 file changed, 3 insertions(+), 1 deletion(-) | ||
24 | |||
25 | diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c | ||
26 | index 5d57e883dc..e56802f89a 100644 | ||
27 | --- a/hw/usb/combined-packet.c | ||
28 | +++ b/hw/usb/combined-packet.c | ||
29 | @@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep) | ||
30 | if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok || | ||
31 | next == NULL || | ||
32 | /* Work around for Linux usbfs bulk splitting + migration */ | ||
33 | - (totalsize == (16 * KiB - 36) && p->int_req)) { | ||
34 | + (totalsize == (16 * KiB - 36) && p->int_req) || | ||
35 | + /* Next package may grow combined package over 1MiB */ | ||
36 | + totalsize > 1 * MiB - ep->max_packet_size) { | ||
37 | usb_device_handle_data(ep->dev, first); | ||
38 | assert(first->status == USB_RET_ASYNC); | ||
39 | if (first->combined) { | ||
40 | -- | ||
41 | GitLab | ||
42 | |||
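Review bot: The comment added at line 35 of this patch reads `Next package may grow combined package over 1MiB`; the code deals with USB packets, so it should read `/* Next packet may grow the combined packet over 1 MiB */`. The limit `totalsize > 1 * MiB - ep->max_packet_size` is only meaningful while `max_packet_size` is far below 1 MiB, which holds for USB endpoint sizes; stating that assumption in the same comment would help the next reader. usb_ep_combine_input_packets starts and ends outside the hunk.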
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch new file mode 100644 index 0000000000..6371aced12 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch | |||
@@ -0,0 +1,59 @@ | |||
1 | From 7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 Mon Sep 17 00:00:00 2001 | ||
2 | From: Gerd Hoffmann <kraxel@redhat.com> | ||
3 | Date: Mon, 3 May 2021 15:29:12 +0200 | ||
4 | Subject: [PATCH] usb/redir: avoid dynamic stack allocation (CVE-2021-3527) | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | Use autofree heap allocation instead. | ||
10 | |||
11 | Fixes: 4f4321c11ff ("usb: use iovecs in USBPacket") | ||
12 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
13 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
14 | Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
15 | Message-Id: <20210503132915.2335822-3-kraxel@redhat.com> | ||
16 | |||
17 | Upstream-Status: Backport | ||
18 | https://gitlab.com/qemu-project/qemu/-/commit/7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 | ||
19 | CVE: CVE-2021-3527 | ||
20 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
21 | |||
22 | --- | ||
23 | hw/usb/redirect.c | 6 +++--- | ||
24 | 1 file changed, 3 insertions(+), 3 deletions(-) | ||
25 | |||
26 | diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c | ||
27 | index 17f06f3417..6a75b0dc4a 100644 | ||
28 | --- a/hw/usb/redirect.c | ||
29 | +++ b/hw/usb/redirect.c | ||
30 | @@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p, | ||
31 | .endpoint = ep, | ||
32 | .length = p->iov.size | ||
33 | }; | ||
34 | - uint8_t buf[p->iov.size]; | ||
35 | + g_autofree uint8_t *buf = g_malloc(p->iov.size); | ||
36 | /* No id, we look at the ep when receiving a status back */ | ||
37 | usb_packet_copy(p, buf, p->iov.size); | ||
38 | usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet, | ||
39 | @@ -818,7 +818,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p, | ||
40 | usbredirparser_send_bulk_packet(dev->parser, p->id, | ||
41 | &bulk_packet, NULL, 0); | ||
42 | } else { | ||
43 | - uint8_t buf[size]; | ||
44 | + g_autofree uint8_t *buf = g_malloc(size); | ||
45 | usb_packet_copy(p, buf, size); | ||
46 | usbredir_log_data(dev, "bulk data out:", buf, size); | ||
47 | usbredirparser_send_bulk_packet(dev->parser, p->id, | ||
48 | @@ -923,7 +923,7 @@ static void usbredir_handle_interrupt_out_data(USBRedirDevice *dev, | ||
49 | USBPacket *p, uint8_t ep) | ||
50 | { | ||
51 | struct usb_redir_interrupt_packet_header interrupt_packet; | ||
52 | - uint8_t buf[p->iov.size]; | ||
53 | + g_autofree uint8_t *buf = g_malloc(p->iov.size); | ||
54 | |||
55 | DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep, | ||
56 | p->iov.size, p->id); | ||
57 | -- | ||
58 | GitLab | ||
59 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544.patch new file mode 100644 index 0000000000..1b4fcbfb60 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544.patch | |||
@@ -0,0 +1,29 @@ | |||
1 | vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544) | ||
2 | |||
3 | Call 'vugbm_buffer_destroy' in error path to avoid resource leak. | ||
4 | |||
5 | Fixes: CVE-2021-3544 | ||
6 | Reported-by: default avatarLi Qiang <liq3ea@163.com> | ||
7 | Reviewed-by: default avatarPrasad J Pandit <pjp@fedoraproject.org> | ||
8 | Signed-off-by: default avatarLi Qiang <liq3ea@163.com> | ||
9 | Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com> | ||
10 | Message-Id: <20210516030403.107723-3-liq3ea@163.com> | ||
11 | Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com> | ||
12 | |||
13 | Upstream-Status: Backport | ||
14 | [vhost-user-gpu does not exist in 4.2.0] | ||
15 | CVE: CVE-2021-3544 | ||
16 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
17 | |||
18 | Index: qemu-4.2.0/contrib/vhost-user-gpu/main.c | ||
19 | =================================================================== | ||
20 | --- qemu-4.2.0.orig/contrib/vhost-user-gpu/main.c | ||
21 | +++ qemu-4.2.0/contrib/vhost-user-gpu/main.c | ||
22 | @@ -328,6 +328,7 @@ vg_resource_create_2d(VuGpu *g, | ||
23 | g_critical("%s: resource creation failed %d %d %d", | ||
24 | __func__, c2d.resource_id, c2d.width, c2d.height); | ||
25 | g_free(res); | ||
26 | + vugbm_buffer_destroy(&res->buffer); | ||
27 | cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY; | ||
28 | return; | ||
29 | } | ||
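Review bot: The line added at line 26 of this patch, `vugbm_buffer_destroy(&res->buffer);`, runs after the context line `g_free(res);`, so it dereferences `res` after it has been freed and turns the resource leak into a use-after-free on the error path. Move the added line above the free so the buffer is released while `res` is still valid: `vugbm_buffer_destroy(&res->buffer);` followed by `g_free(res);`. The hunk header and diffstat stay the same since it remains a one-line insertion. vg_resource_create_2d starts and ends outside the hunk.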
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch new file mode 100644 index 0000000000..36cbb127f8 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch | |||
@@ -0,0 +1,39 @@ | |||
1 | vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544) | ||
2 | |||
3 | |||
4 | Check whether the 'res' has already been attach_backing to avoid | ||
5 | memory leak. | ||
6 | |||
7 | Fixes: CVE-2021-3544 | ||
8 | Reported-by: default avatarLi Qiang <liq3ea@163.com> | ||
9 | virtio-gpu fix: 204f01b3 | ||
10 | |||
11 | ("virtio-gpu: fix memory leak | ||
12 | in resource attach backing") | ||
13 | Signed-off-by: default avatarLi Qiang <liq3ea@163.com> | ||
14 | Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com> | ||
15 | Message-Id: <20210516030403.107723-4-liq3ea@163.com> | ||
16 | Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com> | ||
17 | |||
18 | Upstream-Status: Backport | ||
19 | [vhost-user-gpu does not exist in 4.2.0 context] | ||
20 | CVE: CVE-2021-3544 | ||
21 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
22 | |||
23 | |||
24 | Index: qemu-4.2.0/contrib/vhost-user-gpu/main.c | ||
25 | =================================================================== | ||
26 | --- qemu-4.2.0.orig/contrib/vhost-user-gpu/main.c | ||
27 | +++ qemu-4.2.0/contrib/vhost-user-gpu/main.c | ||
28 | @@ -468,6 +468,11 @@ vg_resource_attach_backing(VuGpu *g, | ||
29 | return; | ||
30 | } | ||
31 | |||
32 | + if (res->iov) { | ||
33 | + cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; | ||
34 | + return; | ||
35 | + } | ||
36 | + | ||
37 | ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov); | ||
38 | if (ret != 0) { | ||
39 | cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; | ||
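Review bot: The trailer block of this patch (lines 8 to 16) contains scraped web residue — `Reported-by: default avatarLi Qiang`, `Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau`, and the `virtio-gpu fix: 204f01b3` reference split over three lines — and there is no `From:`/`Date:` header or upstream commit hash, so the `Upstream-Status: Backport` line cannot be traced to a specific commit. Regenerating the file with `git format-patch`, or at least adding the upstream commit id in brackets after `Backport` as the CVE-2021-3416 patches do, would fix this; the same applies to CVE-2021-3544.patch, CVE-2021-3544_3.patch and CVE-2021-3544_4.patch. The code change itself, the `if (res->iov)` guard at lines 32 to 35, is sound: it reports VIRTIO_GPU_RESP_ERR_UNSPEC before a second mapping can overwrite the first. vg_resource_attach_backing starts and ends outside the hunk.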
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch new file mode 100644 index 0000000000..c534f4c24f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch | |||
@@ -0,0 +1,39 @@ | |||
1 | vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544) | ||
2 | |||
3 | If the guest trigger following sequences, the attach_backing will be leaked: | ||
4 | |||
5 | vg_resource_create_2d | ||
6 | vg_resource_attach_backing | ||
7 | vg_resource_unref | ||
8 | |||
9 | This patch fix this by freeing 'res->iov' in vg_resource_destroy. | ||
10 | |||
11 | Fixes: CVE-2021-3544 | ||
12 | Reported-by: default avatarLi Qiang <liq3ea@163.com> | ||
13 | virtio-gpu fix: 5e8e3c4c | ||
14 | |||
15 | ("virtio-gpu: fix resource leak | ||
16 | in virgl_cmd_resource_unref") | ||
17 | Reviewed-by: default avatarPrasad J Pandit <pjp@fedoraproject.org> | ||
18 | Signed-off-by: default avatarLi Qiang <liq3ea@163.com> | ||
19 | Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com> | ||
20 | Message-Id: <20210516030403.107723-5-liq3ea@163.com> | ||
21 | Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com> | ||
22 | |||
23 | Upstream-Status: Backport | ||
24 | CVE: CVE-2021-3544 | ||
25 | [vhost-user-gpu does not exist in the 4.2.0] | ||
26 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
27 | |||
28 | Index: qemu-4.2.0/contrib/vhost-user-gpu/main.c | ||
29 | =================================================================== | ||
30 | --- qemu-4.2.0.orig/contrib/vhost-user-gpu/main.c | ||
31 | +++ qemu-4.2.0/contrib/vhost-user-gpu/main.c | ||
32 | @@ -379,6 +379,7 @@ vg_resource_destroy(VuGpu *g, | ||
33 | } | ||
34 | |||
35 | vugbm_buffer_destroy(&res->buffer); | ||
36 | + g_free(res->iov); | ||
37 | pixman_image_unref(res->image); | ||
38 | QTAILQ_REMOVE(&g->reslist, res, next); | ||
39 | g_free(res); | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch new file mode 100644 index 0000000000..96e36eb854 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch | |||
@@ -0,0 +1,46 @@ | |||
1 | vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' (CVE-2021-3544) | ||
2 | |||
3 | The 'res->iov' will be leaked if the guest trigger following sequences: | ||
4 | |||
5 | virgl_cmd_create_resource_2d | ||
6 | virgl_resource_attach_backing | ||
7 | virgl_cmd_resource_unref | ||
8 | |||
9 | This patch fixes this. | ||
10 | |||
11 | Fixes: CVE-2021-3544 | ||
12 | Reported-by: default avatarLi Qiang <liq3ea@163.com> | ||
13 | virtio-gpu fix: 5e8e3c4c | ||
14 | |||
15 | ("virtio-gpu: fix resource leak | ||
16 | in virgl_cmd_resource_unref" | ||
17 | Signed-off-by: default avatarLi Qiang <liq3ea@163.com> | ||
18 | Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com> | ||
19 | Message-Id: <20210516030403.107723-6-liq3ea@163.com> | ||
20 | Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com> | ||
21 | |||
22 | Upstream-Status: Backport | ||
23 | CVE: CVE-2021-3544 | ||
24 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
25 | |||
26 | Index: qemu-4.2.0/contrib/vhost-user-gpu/virgl.c | ||
27 | =================================================================== | ||
28 | --- qemu-4.2.0.orig/contrib/vhost-user-gpu/virgl.c | ||
29 | +++ qemu-4.2.0/contrib/vhost-user-gpu/virgl.c | ||
30 | @@ -105,9 +105,16 @@ virgl_cmd_resource_unref(VuGpu *g, | ||
31 | struct virtio_gpu_ctrl_command *cmd) | ||
32 | { | ||
33 | struct virtio_gpu_resource_unref unref; | ||
34 | + struct iovec *res_iovs = NULL; | ||
35 | + int num_iovs = 0; | ||
36 | |||
37 | VUGPU_FILL_CMD(unref); | ||
38 | |||
39 | + virgl_renderer_resource_detach_iov(unref.resource_id, | ||
40 | + &res_iovs, | ||
41 | + &num_iovs); | ||
42 | + g_free(res_iovs); | ||
43 | + | ||
44 | virgl_renderer_resource_unref(unref.resource_id); | ||
45 | } | ||
46 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch new file mode 100644 index 0000000000..e592ce50e2 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch | |||
@@ -0,0 +1,47 @@ | |||
1 | From 63736af5a6571d9def93769431e0d7e38c6677bf Mon Sep 17 00:00:00 2001 | ||
2 | From: Li Qiang <liq3ea@163.com> | ||
3 | Date: Sat, 15 May 2021 20:04:01 -0700 | ||
4 | Subject: [PATCH] vhost-user-gpu: fix memory leak in | ||
5 | 'virgl_resource_attach_backing' (CVE-2021-3544) | ||
6 | MIME-Version: 1.0 | ||
7 | Content-Type: text/plain; charset=UTF-8 | ||
8 | Content-Transfer-Encoding: 8bit | ||
9 | |||
10 | If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will | ||
11 | be leaked. | ||
12 | |||
13 | Fixes: CVE-2021-3544 | ||
14 | Reported-by: Li Qiang <liq3ea@163.com> | ||
15 | virtio-gpu fix: 33243031da ("virtio-gpu-3d: fix memory leak | ||
16 | in resource attach backing") | ||
17 | |||
18 | Signed-off-by: Li Qiang <liq3ea@163.com> | ||
19 | Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> | ||
20 | Message-Id: <20210516030403.107723-7-liq3ea@163.com> | ||
21 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
22 | |||
23 | Upstream-Status: Backport | ||
24 | CVE: CVE-2021-3544 | ||
25 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
26 | |||
27 | --- | ||
28 | contrib/vhost-user-gpu/virgl.c | 5 ++++- | ||
29 | 1 file changed, 4 insertions(+), 1 deletion(-) | ||
30 | |||
31 | Index: qemu-4.2.0/contrib/vhost-user-gpu/virgl.c | ||
32 | =================================================================== | ||
33 | --- qemu-4.2.0.orig/contrib/vhost-user-gpu/virgl.c | ||
34 | +++ qemu-4.2.0/contrib/vhost-user-gpu/virgl.c | ||
35 | @@ -283,8 +283,11 @@ virgl_resource_attach_backing(VuGpu *g, | ||
36 | return; | ||
37 | } | ||
38 | |||
39 | - virgl_renderer_resource_attach_iov(att_rb.resource_id, | ||
40 | + ret = virgl_renderer_resource_attach_iov(att_rb.resource_id, | ||
41 | res_iovs, att_rb.nr_entries); | ||
42 | + if (ret != 0) { | ||
43 | + g_free(res_iovs); | ||
44 | + } | ||
45 | } | ||
46 | |||
47 | static void | ||
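Review bot: The new failure branch at lines 42 to 44 of this patch frees `res_iovs` but leaves `cmd->error` untouched, so when `virgl_renderer_resource_attach_iov()` fails the guest presumably sees the attach-backing command as successful even though nothing was attached. The mapping-failure path elsewhere in this series (CVE-2021-3544_2.patch) reports `VIRTIO_GPU_RESP_ERR_UNSPEC`; matching it here would be `if (ret != 0) { g_free(res_iovs); cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; }`. The `ret` variable is assumed to be declared earlier in this function, since the hunk does not show it. virgl_resource_attach_backing starts outside the hunk.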
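diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3545.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3545.patch
new file mode 100644
index 0000000000..fcdda64437
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3545.patch
@@ -0,0 +1,41 @@
+From 121841b25d72d13f8cad554363138c360f1250ea Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:03:56 -0700
+Subject: [PATCH] vhost-user-gpu: fix memory disclosure in
+virgl_cmd_get_capset_info (CVE-2021-3545)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Otherwise some of the 'resp' will be leaked to guest.
+
+Fixes: CVE-2021-3545
+Reported-by: Li Qiang <liq3ea@163.com>
+virtio-gpu fix: 42a8dadc74 ("virtio-gpu: fix information leak
+in getting capset info dispatch")
+
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-2-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3545
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+contrib/vhost-user-gpu/virgl.c | 1 +
+1 file changed, 1 insertion(+)
+
+Index: qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+===================================================================
+--- qemu-4.2.0.orig/contrib/vhost-user-gpu/virgl.c
++++ qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+@@ -132,6 +132,7 @@ virgl_cmd_get_capset_info(VuGpu *g,
+
+VUGPU_FILL_CMD(info);
+
++ memset(&resp, 0, sizeof(resp));
+if (info.capset_index == 0) {
+resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL;
+virgl_renderer_get_cap_set(resp.capset_id,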
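Review bot: The memset() is the right tool here but the reason it was chosen over a `= {0}` initializer is not recorded at the site, and a later cleanup could easily swap it; a comment would pin the intent: `/* memset, not = {0}: padding bytes must be zeroed too, the whole struct is copied to the guest */`. The commit message is the only place that explains the disclosure. The declaration of resp and the rest of virgl_cmd_get_capset_info() sit outside the hunk, so whether every return path passes through this line cannot be confirmed from here.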
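diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3546.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3546.patch
new file mode 100644
index 0000000000..f8da428233
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3546.patch
@@ -0,0 +1,47 @@
+From 9f22893adcb02580aee5968f32baa2cd109b3ec2 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:04:02 -0700
+Subject: [PATCH] vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset'
+(CVE-2021-3546)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If 'virgl_cmd_get_capset' set 'max_size' to 0,
+the 'virgl_renderer_fill_caps' will write the data after the 'resp'.
+This patch avoid this by checking the returned 'max_size'.
+
+virtio-gpu fix: abd7f08b23 ("display: virtio-gpu-3d: check
+virgl capabilities max_size")
+
+Fixes: CVE-2021-3546
+Reported-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-8-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3546
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+contrib/vhost-user-gpu/virgl.c | 4 ++++
+1 file changed, 4 insertions(+)
+
+Index: qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+===================================================================
+--- qemu-4.2.0.orig/contrib/vhost-user-gpu/virgl.c
++++ qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+@@ -174,6 +174,10 @@ virgl_cmd_get_capset(VuGpu *g,
+
+virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
+&max_size);
++ if (!max_size) {
++ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
++ return;
++ }
+resp = g_malloc0(sizeof(*resp) + max_size);
+
+resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;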
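Review bot: The guard rejects only max_size == 0 and the reason is stated nowhere near the check, so a one-line comment would keep it from being "simplified" away later: `/* fill_caps writes max_size bytes past the header; 0 means there is nothing to size the buffer by */`. No upper bound is applied to max_size, which is acceptable only because the value comes from the host-side renderer rather than from the guest command; saying so in the same comment makes the trust boundary explicit. virgl_cmd_get_capset() starts and ends outside the hunk.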
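diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3582.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3582.patch
new file mode 100644
index 0000000000..7a88e29384
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3582.patch
@@ -0,0 +1,47 @@
+From 284f191b4abad213aed04cb0458e1600fd18d7c4 Mon Sep 17 00:00:00 2001
+From: Marcel Apfelbaum <marcel@redhat.com>
+Date: Wed, 16 Jun 2021 14:06:00 +0300
+Subject: [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device
+(CVE-2021-3582)
+
+Ensure mremap boundaries not trusting the guest kernel to
+pass the correct buffer length.
+
+Fixes: CVE-2021-3582
+Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
+Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com>
+Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+
+CVE: CVE-2021-3582
+Upstream-Status: Backport [284f191b4abad213aed04cb0458e1600fd18d7c4]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+hw/rdma/vmw/pvrdma_cmd.c | 7 +++++++
+1 file changed, 7 insertions(+)
+
+diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
+index f59879e257..da7ddfa548 100644
+--- a/hw/rdma/vmw/pvrdma_cmd.c
++++ b/hw/rdma/vmw/pvrdma_cmd.c
+@@ -38,6 +38,13 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma,
+return NULL;
+}
+
++ length = ROUND_UP(length, TARGET_PAGE_SIZE);
++ if (nchunks * TARGET_PAGE_SIZE != length) {
++ rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks,
++ (unsigned long)length);
++ return NULL;
++ }
++
+dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
+if (!dir) {
+rdma_error_report("Failed to map to page directory");
+--
+2.25.1
+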
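Review bot: The product `nchunks * TARGET_PAGE_SIZE` is evaluated in the width of nchunks (printed with %u, so presumably 32-bit) while length is wide enough to need an `(unsigned long)` cast, so for a large guest-supplied nchunks the product wraps and a wrapped value can still compare equal to the page-rounded length, defeating the check it was added for. Since length is a page multiple after ROUND_UP, the same test can be written without the multiplication: `if (length / TARGET_PAGE_SIZE != nchunks) {`. ROUND_UP itself can wrap when length is within a page of its type's maximum, which a `length > max - TARGET_PAGE_SIZE` pre-check would cover. Whether nchunks is already bounded earlier in pvrdma_map_to_pdir() cannot be seen; the function starts and ends outside the hunk.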
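diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch
new file mode 100644
index 0000000000..0547c74484
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch
@@ -0,0 +1,43 @@
+From 32e5703cfea07c91e6e84bcb0313f633bb146534 Mon Sep 17 00:00:00 2001
+From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+Date: Wed, 30 Jun 2021 14:46:34 +0300
+Subject: [PATCH] pvrdma: Ensure correct input on ring init (CVE-2021-3607)
+
+Check the guest passed a non zero page count
+for pvrdma device ring buffers.
+
+Fixes: CVE-2021-3607
+Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
+Message-Id: <20210630114634.2168872-1-marcel@redhat.com>
+Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+
+CVE: CVE-2021-3607
+Upstream-Status: Backport [32e5703cfea07c91e6e84bcb0313f633bb146534]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+hw/rdma/vmw/pvrdma_main.c | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
+index 84ae8024fc..7c0c3551a8 100644
+--- a/hw/rdma/vmw/pvrdma_main.c
++++ b/hw/rdma/vmw/pvrdma_main.c
+@@ -92,6 +92,11 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state,
+uint64_t *dir, *tbl;
+int rc = 0;
+
++ if (!num_pages) {
++ rdma_error_report("Ring pages count must be strictly positive");
++ return -EINVAL;
++ }
++
+dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE);
+if (!dir) {
+rdma_error_report("Failed to map to page directory (ring %s)", name);
+--
+2.25.1
+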
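Review bot: The new error report does not say which ring was rejected, while the pre-existing report on the following context line does (`"Failed to map to page directory (ring %s)", name`); for consistency and for triaging guest misbehaviour, `rdma_error_report("Ring pages count must be strictly positive (ring %s)", name);`. Only zero is rejected here; whether num_pages is bounded from above before the page table is walked is outside the hunk and worth confirming, since the value is guest-supplied. init_dev_ring() starts and ends outside the hunk.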
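diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch
new file mode 100644
index 0000000000..7055ec3d23
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch
@@ -0,0 +1,40 @@
+From 66ae37d8cc313f89272e711174a846a229bcdbd3 Mon Sep 17 00:00:00 2001
+From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+Date: Wed, 30 Jun 2021 14:52:46 +0300
+Subject: [PATCH] pvrdma: Fix the ring init error flow (CVE-2021-3608)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Do not unmap uninitialized dma addresses.
+
+Fixes: CVE-2021-3608
+Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
+Message-Id: <20210630115246.2178219-1-marcel@redhat.com>
+Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+
+CVE: CVE-2021-3608
+Upstream-Status: Backport [66ae37d8cc313f89272e711174a846a229bcdbd3]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+hw/rdma/vmw/pvrdma_dev_ring.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-4.2.0/hw/rdma/vmw/pvrdma_dev_ring.c
+===================================================================
+--- qemu-4.2.0.orig/hw/rdma/vmw/pvrdma_dev_ring.c
++++ qemu-4.2.0/hw/rdma/vmw/pvrdma_dev_ring.c
+@@ -41,7 +41,7 @@ int pvrdma_ring_init(PvrdmaRing *ring, c
+atomic_set(&ring->ring_state->cons_head, 0);
+*/
+ring->npages = npages;
+- ring->pages = g_malloc(npages * sizeof(void *));
++ ring->pages = g_malloc0(npages * sizeof(void *));
+
+for (i = 0; i < npages; i++) {
+if (!tbl[i]) {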
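Review bot: The switch to g_malloc0() is load-bearing for the error flow — the commit message says the unwind must not unmap addresses that were never filled in — but nothing at the allocation says so, and a later "g_malloc0 is unnecessary here" cleanup would silently reintroduce the bug. A comment on the allocation would protect it: `/* zeroed so the error path can tell mapped pages from slots never reached */`. The unwind loop that relies on the NULL entries is outside the hunk, as is the rest of pvrdma_ring_init().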
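diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch
new file mode 100644
index 0000000000..6e7af8540a
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch
@@ -0,0 +1,80 @@
+From b68d13531d8882ba66994b9f767b6a8f822464f3 Mon Sep 17 00:00:00 2001
+From: Vivek Kumbhar <vkumbhar@mvista.com>
+Date: Fri, 11 Nov 2022 12:43:26 +0530
+Subject: [PATCH] CVE-2021-3638
+
+Upstream-Status: Backport [https://lists.nongnu.org/archive/html/qemu-devel/2021-09/msg01682.html]
+CVE: CVE-2021-3638
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+
+When building QEMU with DEBUG_ATI defined then running with
+'-device ati-vga,romfile="" -d unimp,guest_errors -trace ati\*'
+we get:
+
+ati_mm_write 4 0x16c0 DP_CNTL <- 0x1
+ati_mm_write 4 0x146c DP_GUI_MASTER_CNTL <- 0x2
+ati_mm_write 4 0x16c8 DP_MIX <- 0xff0000
+ati_mm_write 4 0x16c4 DP_DATATYPE <- 0x2
+ati_mm_write 4 0x224 CRTC_OFFSET <- 0x0
+ati_mm_write 4 0x142c DST_PITCH_OFFSET <- 0xfe00000
+ati_mm_write 4 0x1420 DST_Y <- 0x3fff
+ati_mm_write 4 0x1410 DST_HEIGHT <- 0x3fff
+ati_mm_write 4 0x1588 DST_WIDTH_X <- 0x3fff3fff
+ati_2d_blt: vram:0x7fff5fa00000 addr:0 ds:0x7fff61273800 stride:2560 bpp:32
+rop:0xff
+ati_2d_blt: 0 0 0, 0 127 0, (0,0) -> (16383,16383) 16383x16383 > ^
+ati_2d_blt: pixman_fill(dst:0x7fff5fa00000, stride:254, bpp:8, x:16383,
+y:16383, w:16383, h:16383, xor:0xff000000)
+Thread 3 "qemu-system-i38" received signal SIGSEGV, Segmentation fault.
+(gdb) bt
+#0 0x00007ffff7f62ce0 in sse2_fill.lto_priv () at /lib64/libpixman-1.so.0
+#1 0x00007ffff7f09278 in pixman_fill () at /lib64/libpixman-1.so.0
+#2 0x0000555557b5a9af in ati_2d_blt (s=0x631000028800) at
+hw/display/ati_2d.c:196
+#3 0x0000555557b4b5a2 in ati_mm_write (opaque=0x631000028800, addr=5512,
+data=1073692671, size=4) at hw/display/ati.c:843
+#4 0x0000555558b90ec4 in memory_region_write_accessor (mr=0x631000039cc0,
+addr=5512, ..., size=4, ...) at softmmu/memory.c:492
+
+Commit 584acf34cb0 ("ati-vga: Fix reverse bit blts") introduced
+the local dst_x and dst_y which adjust the (x, y) coordinates
+depending on the direction in the SRCCOPY ROP3 operation, but
+forgot to address the same issue for the PATCOPY, BLACKNESS and
+WHITENESS operations, which also call pixman_fill().
+
+Fix that now by using the adjusted coordinates in the pixman_fill
+call, and update the related debug printf().
+---
+hw/display/ati_2d.c | 6 +++---
+1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
+index 4dc10ea7..692bec91 100644
+--- a/hw/display/ati_2d.c
++++ b/hw/display/ati_2d.c
+@@ -84,7 +84,7 @@ void ati_2d_blt(ATIVGAState *s)
+DPRINTF("%d %d %d, %d %d %d, (%d,%d) -> (%d,%d) %dx%d %c %c\n",
+s->regs.src_offset, s->regs.dst_offset, s->regs.default_offset,
+s->regs.src_pitch, s->regs.dst_pitch, s->regs.default_pitch,
+- s->regs.src_x, s->regs.src_y, s->regs.dst_x, s->regs.dst_y,
++ s->regs.src_x, s->regs.src_y, dst_x, dst_y,
+s->regs.dst_width, s->regs.dst_height,
+(s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? '>' : '<'),
+(s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? 'v' : '^'));
+@@ -180,11 +180,11 @@ void ati_2d_blt(ATIVGAState *s)
+dst_stride /= sizeof(uint32_t);
+DPRINTF("pixman_fill(%p, %d, %d, %d, %d, %d, %d, %x)\n",
+dst_bits, dst_stride, bpp,
+- s->regs.dst_x, s->regs.dst_y,
++ dst_x, dst_y,
+s->regs.dst_width, s->regs.dst_height,
+filler);
+pixman_fill((uint32_t *)dst_bits, dst_stride, bpp,
+- s->regs.dst_x, s->regs.dst_y,
++ dst_x, dst_y,
+s->regs.dst_width, s->regs.dst_height,
+filler);
+if (dst_bits >= s->vga.vram_ptr + s->vga.vbe_start_addr &&
+--
+2.25.1
+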
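Review bot: The fill now uses the direction-adjusted dst_x/dst_y, but the hunk does not show the extent check that has to run before pixman_fill(); the fix is only complete if the bounds test elsewhere in ati_2d_blt() is computed from the same dst_x/dst_y (as the commit message says the SRCCOPY path already does) and covers (dst_x + dst_width, dst_y + dst_height) against the VRAM size. A comment at the fill tying the two together would keep them from drifting apart again: `/* must use the same adjusted origin as the VRAM bounds check above */`. The patch Subject gives only the CVE id; carrying the upstream subject line would make the file self-describing. ati_2d_blt() starts and ends outside the hunk.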
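diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3682.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3682.patch
new file mode 100644
index 0000000000..50a49233d3
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3682.patch
@@ -0,0 +1,41 @@
+From 5e796671e6b8d5de4b0b423dce1b3eba144a92c9 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 22 Jul 2021 09:27:56 +0200
+Subject: [PATCH] usbredir: fix free call
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+data might point into the middle of a larger buffer, there is a separate
+free_on_destroy pointer passed into bufp_alloc() to handle that. It is
+only used in the normal workflow though, not when dropping packets due
+to the queue being full. Fix that.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/491
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210722072756.647673-1-kraxel@redhat.com>
+
+CVE: CVE-2021-3682
+Upstream-Status: Backport [5e796671e6b8d5de4b0b423dce1b3eba144a92c9]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+hw/usb/redirect.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
+index 4ec9326e05..1ec909a63a 100644
+--- a/hw/usb/redirect.c
++++ b/hw/usb/redirect.c
+@@ -476,7 +476,7 @@ static int bufp_alloc(USBRedirDevice *dev, uint8_t *data, uint16_t len,
+if (dev->endpoint[EP2I(ep)].bufpq_dropping_packets) {
+if (dev->endpoint[EP2I(ep)].bufpq_size >
+dev->endpoint[EP2I(ep)].bufpq_target_size) {
+- free(data);
++ free(free_on_destroy);
+return -1;
+}
+dev->endpoint[EP2I(ep)].bufpq_dropping_packets = 0;
+--
+2.25.1
+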
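Review bot: The drop path now frees free_on_destroy instead of data, but nothing at the call site records why the two pointers differ; the commit message is the only explanation, and a reader who sees data being "leaked" may well put `free(data)` back. A comment on the call would prevent that: `/* data may point into the middle of free_on_destroy; only the latter is an allocation */`. If callers can pass a NULL free_on_destroy for borrowed data, free(NULL) is a no-op and the drop path is still correct, which the same comment could note. bufp_alloc() starts and ends outside the hunk.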
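diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
new file mode 100644
index 0000000000..cdd9c38db9
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
@@ -0,0 +1,67 @@
+From a114d6baedf2cccb454a46d36e399fec1bc3e1c0 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 18 Aug 2021 14:05:05 +0200
+Subject: [PATCH] uas: add stream number sanity checks.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The device uses the guest-supplied stream number unchecked, which can
+lead to guest-triggered out-of-band access to the UASDevice->data3 and
+UASDevice->status3 fields. Add the missing checks.
+
+Fixes: CVE-2021-3713
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reported-by: Chen Zhe <chenzhe@huawei.com>
+Reported-by: Tan Jingguo <tanjingguo@huawei.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210818120505.1258262-2-kraxel@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/13b250b12ad3c59114a6a17d59caf073ce45b33a
+CVE: CVE-2021-3713
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+hw/usb/dev-uas.c | 11 +++++++++++
+1 file changed, 11 insertions(+)
+
+diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c
+index 6d6d1073..0b8cd4dd 100644
+--- a/hw/usb/dev-uas.c
++++ b/hw/usb/dev-uas.c
+@@ -830,6 +830,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+}
+break;
+case UAS_PIPE_ID_STATUS:
++ if (p->stream > UAS_MAX_STREAMS) {
++ goto err_stream;
++ }
+if (p->stream) {
+QTAILQ_FOREACH(st, &uas->results, next) {
+if (st->stream == p->stream) {
+@@ -857,6 +860,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+break;
+case UAS_PIPE_ID_DATA_IN:
+case UAS_PIPE_ID_DATA_OUT:
++ if (p->stream > UAS_MAX_STREAMS) {
++ goto err_stream;
++ }
+if (p->stream) {
+req = usb_uas_find_request(uas, p->stream);
+} else {
+@@ -892,6 +898,11 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+p->status = USB_RET_STALL;
+break;
+}
++
++err_stream:
++ error_report("%s: invalid stream %d", __func__, p->stream);
++ p->status = USB_RET_STALL;
++ return;
+}
+
+static void usb_uas_unrealize(USBDevice *dev, Error **errp)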
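Review bot: In the third hunk the switch's closing brace (the `}` right before the added blank line) is followed directly by the `err_stream:` label with nothing in between, so every packet that completes the switch normally — each case visible in the hunk ends in `break;` — falls into the error path, is logged as an invalid stream and stalled, which would break the device for well-formed traffic. A `return;` is needed between the switch's closing brace and the label. The check `p->stream > UAS_MAX_STREAMS` is only correct if data3 and status3 are declared with UAS_MAX_STREAMS + 1 entries, which the hunk does not show; a comment at the first check stating that sizing, or `>=` if they are sized UAS_MAX_STREAMS, would settle it. usb_uas_handle_data() starts outside the hunk.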
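diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
new file mode 100644
index 0000000000..b291ade4e3
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
@@ -0,0 +1,124 @@
+From bedd7e93d01961fcb16a97ae45d93acf357e11f6 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Thu, 2 Sep 2021 13:44:12 +0800
+Subject: [PATCH] virtio-net: fix use after unmap/free for sg
+
+When mergeable buffer is enabled, we try to set the num_buffers after
+the virtqueue elem has been unmapped. This will lead several issues,
+E.g a use after free when the descriptor has an address which belongs
+to the non direct access region. In this case we use bounce buffer
+that is allocated during address_space_map() and freed during
+address_space_unmap().
+
+Fixing this by storing the elems temporarily in an array and delay the
+unmap after we set the the num_buffers.
+
+This addresses CVE-2021-3748.
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Fixes: fbe78f4f55c6 ("virtio-net support")
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+https://github.com/qemu/qemu/commit/bedd7e93d01961fcb16a97ae45d93acf357e11f6
+CVE: CVE-2021-3748
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++-------
+1 file changed, 32 insertions(+), 7 deletions(-)
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index 16d20cdee52a..f205331dcf8c 100644
+--- a/hw/net/virtio-net.c
++++ b/hw/net/virtio-net.c
+@@ -1746,10 +1746,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+VirtIONet *n = qemu_get_nic_opaque(nc);
+VirtIONetQueue *q = virtio_net_get_subqueue(nc);
+VirtIODevice *vdev = VIRTIO_DEVICE(n);
++ VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE];
++ size_t lens[VIRTQUEUE_MAX_SIZE];
+struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE];
+struct virtio_net_hdr_mrg_rxbuf mhdr;
+unsigned mhdr_cnt = 0;
+- size_t offset, i, guest_offset;
++ size_t offset, i, guest_offset, j;
++ ssize_t err;
+
+if (!virtio_net_can_receive(nc)) {
+return -1;
+@@ -1780,6 +1783,12 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+
+total = 0;
+
++ if (i == VIRTQUEUE_MAX_SIZE) {
++ virtio_error(vdev, "virtio-net unexpected long buffer chain");
++ err = size;
++ goto err;
++ }
++
+elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement));
+if (!elem) {
+if (i) {
+@@ -1791,7 +1800,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+n->guest_hdr_len, n->host_hdr_len,
+vdev->guest_features);
+}
+- return -1;
++ err = -1;
++ goto err;
+}
+
+if (elem->in_num < 1) {
+@@ -1799,7 +1809,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+"virtio-net receive queue contains no in buffers");
+virtqueue_detach_element(q->rx_vq, elem, 0);
+g_free(elem);
+- return -1;
++ err = -1;
++ goto err;
+}
+
+sg = elem->in_sg;
+@@ -1836,12 +1847,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+if (!n->mergeable_rx_bufs && offset < size) {
+virtqueue_unpop(q->rx_vq, elem, total);
+g_free(elem);
+- return size;
++ err = size;
++ goto err;
+}
+
+- /* signal other side */
+- virtqueue_fill(q->rx_vq, elem, total, i++);
+- g_free(elem);
++ elems[i] = elem;
++ lens[i] = total;
++ i++;
+}
+
+if (mhdr_cnt) {
+@@ -1851,10 +1863,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+&mhdr.num_buffers, sizeof mhdr.num_buffers);
+}
+
++ for (j = 0; j < i; j++) {
++ /* signal other side */
++ virtqueue_fill(q->rx_vq, elems[j], lens[j], j);
++ g_free(elems[j]);
++ }
++
+virtqueue_flush(q->rx_vq, i);
+virtio_notify(vdev, q->rx_vq);
+
+return size;
++
++err:
++ for (j = 0; j < i; j++) {
++ g_free(elems[j]);
++ }
++
++ return err;
+}
+
+static ssize_t virtio_net_do_receive(NetClientState *nc, const uint8_t *buf,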
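Review bot: The `err:` unwind releases the elements saved in elems[] with g_free() alone, whereas the pre-existing "no in buffers" path a few lines earlier calls virtqueue_detach_element() before g_free(); the saved elements were obtained from virtqueue_pop() and are still attached to the queue, so freeing them without detaching (or unpopping) leaves their mappings and the queue's in-use accounting unreleased on every error exit. Adding `virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);` before `g_free(elems[j]);` in the unwind loop mirrors the existing path. Whether the head elements ought instead to be returned to the guest with virtqueue_unpop(), as the non-mergeable path does for its own elem, is a policy choice that deserves a comment at the label either way. virtio_net_receive_rcu() starts outside the hunk.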
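diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750.patch
new file mode 100644
index 0000000000..43630e71fb
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750.patch
@@ -0,0 +1,180 @@
+From 1938fbc7ec197e2612ab2ce36dd69bff19208aa5 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 10 Oct 2022 17:44:41 +0530
+Subject: [PATCH] CVE-2021-3750
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=b9d383ab797f54ae5fa8746117770709921dc529 && https://git.qemu.org/?p=qemu.git;a=commit;h=3ab6fdc91b72e156da22848f0003ff4225690ced && https://git.qemu.org/?p=qemu.git;a=commit;h=58e74682baf4e1ad26b064d8c02e5bc99c75c5d9]
+CVE: CVE-2021-3750
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+exec.c | 55 +++++++++++++++++++++++++++++++-------
+hw/intc/arm_gicv3_redist.c | 4 +-
+include/exec/memattrs.h | 9 +++++++
+3 files changed, 56 insertions(+), 12 deletions(-)
+
+diff --git a/exec.c b/exec.c
+index 1360051a..10581d8d 100644
+--- a/exec.c
++++ b/exec.c
+@@ -39,6 +39,7 @@
+#include "qemu/config-file.h"
+#include "qemu/error-report.h"
+#include "qemu/qemu-print.h"
++#include "qemu/log.h"
+#if defined(CONFIG_USER_ONLY)
+#include "qemu.h"
+#else /* !CONFIG_USER_ONLY */
+@@ -3118,6 +3119,33 @@ static bool prepare_mmio_access(MemoryRegion *mr)
+return release_lock;
+}
+
++/**
+++ * flatview_access_allowed
+++ * @mr: #MemoryRegion to be accessed
+++ * @attrs: memory transaction attributes
+++ * @addr: address within that memory region
+++ * @len: the number of bytes to access
+++ *
+++ * Check if a memory transaction is allowed.
+++ *
+++ * Returns: true if transaction is allowed, false if denied.
+++ */
++static bool flatview_access_allowed(MemoryRegion *mr, MemTxAttrs attrs,
++ hwaddr addr, hwaddr len)
++{
++ if (likely(!attrs.memory)) {
++ return true;
++ }
++ if (memory_region_is_ram(mr)) {
++ return true;
++ }
++ qemu_log_mask(LOG_GUEST_ERROR,
++ "Invalid access to non-RAM device at "
++ "addr 0x%" HWADDR_PRIX ", size %" HWADDR_PRIu ", "
++ "region '%s'\n", addr, len, memory_region_name(mr));
++ return false;
++}
++
+/* Called within RCU critical section. */
+static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr,
+MemTxAttrs attrs,
+@@ -3131,7 +3159,10 @@ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr,
+bool release_lock = false;
+
+for (;;) {
+- if (!memory_access_is_direct(mr, true)) {
++ if (!flatview_access_allowed(mr, attrs, addr1, l)) {
++ result |= MEMTX_ACCESS_ERROR;
++ /* Keep going. */
++ } else if (!memory_access_is_direct(mr, true)) {
+release_lock |= prepare_mmio_access(mr);
+l = memory_access_size(mr, l, addr1);
+/* XXX: could force current_cpu to NULL to avoid
+@@ -3173,14 +3204,14 @@ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
+hwaddr l;
+hwaddr addr1;
+MemoryRegion *mr;
+- MemTxResult result = MEMTX_OK;
+
+l = len;
+mr = flatview_translate(fv, addr, &addr1, &l, true, attrs);
+- result = flatview_write_continue(fv, addr, attrs, buf, len,
+- addr1, l, mr);
+-
+- return result;
++ if (!flatview_access_allowed(mr, attrs, addr, len)) {
++ return MEMTX_ACCESS_ERROR;
++ }
++ return flatview_write_continue(fv, addr, attrs, buf, len,
++ addr1, l, mr);
+}
+
+/* Called within RCU critical section. */
+@@ -3195,7 +3226,10 @@ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr,
+bool release_lock = false;
+
+for (;;) {
+- if (!memory_access_is_direct(mr, false)) {
++ if (!flatview_access_allowed(mr, attrs, addr1, l)) {
++ result |= MEMTX_ACCESS_ERROR;
++ /* Keep going. */
++ } else if (!memory_access_is_direct(mr, false)) {
+/* I/O case */
+release_lock |= prepare_mmio_access(mr);
+l = memory_access_size(mr, l, addr1);
+@@ -3238,6 +3272,9 @@ static MemTxResult flatview_read(FlatView *fv, hwaddr addr,
+
+l = len;
+mr = flatview_translate(fv, addr, &addr1, &l, false, attrs);
++ if (!flatview_access_allowed(mr, attrs, addr, len)) {
++ return MEMTX_ACCESS_ERROR;
++ }
+return flatview_read_continue(fv, addr, attrs, buf, len,
+addr1, l, mr);
+}
+@@ -3474,12 +3511,10 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr,
+MemTxAttrs attrs)
+{
+FlatView *fv;
+- bool result;
+
+RCU_READ_LOCK_GUARD();
+fv = address_space_to_flatview(as);
+- result = flatview_access_valid(fv, addr, len, is_write, attrs);
+- return result;
++ return flatview_access_valid(fv, addr, len, is_write, attrs);
+}
+
+static hwaddr
+diff --git a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c
+index 8645220d..44368e28 100644
+--- a/hw/intc/arm_gicv3_redist.c
++++ b/hw/intc/arm_gicv3_redist.c
+@@ -450,7 +450,7 @@ MemTxResult gicv3_redist_read(void *opaque, hwaddr offset, uint64_t *data,
+break;
+}
+
+- if (r == MEMTX_ERROR) {
++ if (r != MEMTX_OK) {
+qemu_log_mask(LOG_GUEST_ERROR,
+"%s: invalid guest read at offset " TARGET_FMT_plx
+"size %u\n", __func__, offset, size);
+@@ -507,7 +507,7 @@ MemTxResult gicv3_redist_write(void *opaque, hwaddr offset, uint64_t data,
+break;
+}
+
+- if (r == MEMTX_ERROR) {
++ if (r != MEMTX_OK) {
+qemu_log_mask(LOG_GUEST_ERROR,
+"%s: invalid guest write at offset " TARGET_FMT_plx
+"size %u\n", __func__, offset, size);
+diff --git a/include/exec/memattrs.h b/include/exec/memattrs.h
+index 95f2d20d..9fb98bc1 100644
+--- a/include/exec/memattrs.h
++++ b/include/exec/memattrs.h
+@@ -35,6 +35,14 @@ typedef struct MemTxAttrs {
+unsigned int secure:1;
+/* Memory access is usermode (unprivileged) */
+unsigned int user:1;
++ /*
++ * Bus interconnect and peripherals can access anything (memories,
++ * devices) by default. By setting the 'memory' bit, bus transaction
++ * are restricted to "normal" memories (per the AMBA documentation)
++ * versus devices. Access to devices will be logged and rejected
++ * (see MEMTX_ACCESS_ERROR).
++ */
++ unsigned int memory:1;
+/* Requester ID (for MSI for example) */
+unsigned int requester_id:16;
+/* Invert endianness for this page */
+@@ -66,6 +74,7 @@ typedef struct MemTxAttrs {
+#define MEMTX_OK 0
+#define MEMTX_ERROR (1U << 0) /* device returned an error */
+#define MEMTX_DECODE_ERROR (1U << 1) /* nothing at that address */
++#define MEMTX_ACCESS_ERROR (1U << 2) /* access denied */
+typedef uint32_t MemTxResult;
+
+#endif
+--
+2.25.1
+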
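Review bot: The doc block added above flatview_access_allowed() carries a doubled diff marker on every line after `/**` (`++ * flatview_access_allowed` through `++ */`), so once the patch is applied exec.c contains a literal `+` at the start of each of those comment lines; it still compiles because they sit inside the comment, but the lines should read `+ * ...` like the surrounding added lines. Separately, the three files in the diffstat only define and honour the new attrs.memory bit — nothing in this backport sets it — so the new check is a no-op in 4.2 unless some DMA path elsewhere in the tree passes `.memory = 1`; which caller makes the fix effective should be confirmed and named in the patch header. The `/* Keep going. */` comments in the two *_continue loops would say more as `/* denied: record the error and skip this region's copy */`, since the loop's remainder is outside the hunk and the reader cannot see what "going" does. The patch Subject gives only the CVE id; naming the three upstream changes it bundles would make the file self-describing.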
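--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch
@@ -0,0 +1,81 @@
+From 2c682b5975b41495f98cc34b8243042c446eec44 Mon Sep 17 00:00:00 2001
+From: Gaurav Gupta <gauragup@cisco.com>
+Date: Wed, 29 Mar 2023 14:36:16 -0700
+Subject: [PATCH] hw/nvme: fix CVE-2021-3929 MIME-Version: 1.0 Content-Type:
+text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This fixes CVE-2021-3929 "locally" by denying DMA to the iomem of the
+device itself. This still allows DMA to MMIO regions of other devices
+(e.g. doing P2P DMA to the controller memory buffer of another NVMe
+device).
+
+Fixes: CVE-2021-3929
+Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
+
+Upstream-Status: Backport
+[https://gitlab.com/qemu-project/qemu/-/commit/736b01642d85be832385]
+CVE: CVE-2021-3929
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+Signed-off-by: Gaurav Gupta <gauragup@cisco.com>
+---
+hw/block/nvme.c | 23 +++++++++++++++++++++++
+hw/block/nvme.h | 1 +
+2 files changed, 24 insertions(+)
+
+diff --git a/hw/block/nvme.c b/hw/block/nvme.c
+index bda446d..ae9b19f 100644
+--- a/hw/block/nvme.c
++++ b/hw/block/nvme.c
+@@ -60,8 +60,31 @@ static bool nvme_addr_is_cmb(NvmeCtrl *n, hwaddr addr)
+return addr >= low && addr < hi;
+}
+
++static inline bool nvme_addr_is_iomem(NvmeCtrl *n, hwaddr addr)
++{
++ hwaddr hi, lo;
++
++ /*
++ * The purpose of this check is to guard against invalid "local" access to
++ * the iomem (i.e. controller registers). Thus, we check against the range
++ * covered by the 'bar0' MemoryRegion since that is currently composed of
++ * two subregions (the NVMe "MBAR" and the MSI-X table/pba). Note, however,
++ * that if the device model is ever changed to allow the CMB to be located
++ * in BAR0 as well, then this must be changed.
++ */
++ lo = n->bar0.addr;
++ hi = lo + int128_get64(n->bar0.size);
++
++ return addr >= lo && addr < hi;
++}
++
+static int nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size)
+{
++
++ if (nvme_addr_is_iomem(n, addr)) {
++ return NVME_DATA_TRAS_ERROR;
++ }
++
+if (n->cmbsz && nvme_addr_is_cmb(n, addr)) {
+memcpy(buf, (void *)&n->cmbuf[addr - n->ctrl_mem.addr], size);
+return 0;
+diff --git a/hw/block/nvme.h b/hw/block/nvme.h
+index 557194e..5a2b119 100644
+--- a/hw/block/nvme.h
++++ b/hw/block/nvme.h
+@@ -59,6 +59,7 @@ typedef struct NvmeNamespace {
+
+typedef struct NvmeCtrl {
+PCIDevice parent_obj;
++ MemoryRegion bar0;
+MemoryRegion iomem;
+MemoryRegion ctrl_mem;
+NvmeBar bar;
+--
+1.8.3.1
+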
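Review bot: The new nvme_addr_is_iomem() reads n->bar0.addr and n->bar0.size, but this backport only adds the `MemoryRegion bar0;` field to NvmeCtrl and never initializes it — the diffstat (nvme.c +23, nvme.h +1) is fully accounted for by the hunks shown. A zero-initialized region gives lo == hi == 0, so the check can never match and DMA into the controller's own registers is still accepted; the CVE is only fixed if some other patch in this series populates bar0. Unless that is the case, the 4.2 adaptation should either build bar0 as a container holding the MMIO region, as the in-code comment assumes, or compare against the region this tree actually registers as BAR0, e.g. `lo = n->iomem.addr; hi = lo + int128_get64(n->iomem.size);`. A comment on the new field would make the requirement visible: `/* container for the BAR0 MMIO regions; must be populated before nvme_addr_is_iomem() is used */`.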
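--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch
@@ -0,0 +1,53 @@
+From b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 4 Nov 2021 17:31:38 +0100
+Subject: [PATCH] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT
+commands
+
+This avoids an off-by-one read of 'mode_sense_valid' buffer in
+hw/scsi/scsi-disk.c:mode_sense_page().
+
+Fixes: CVE-2021-3930
+Cc: qemu-stable@nongnu.org
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table")
+Fixes: #546
+Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8
+CVE: CVE-2021-3930
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+hw/scsi/scsi-disk.c | 6 ++++++
+1 file changed, 6 insertions(+)
+
+diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
+index e8a547dbb7..d4914178ea 100644
+--- a/hw/scsi/scsi-disk.c
++++ b/hw/scsi/scsi-disk.c
+@@ -1087,6 +1087,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf,
+uint8_t *p = *p_outbuf + 2;
+int length;
+
++ assert(page < ARRAY_SIZE(mode_sense_valid));
+if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
+return -1;
+}
+@@ -1428,6 +1429,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page,
+return -1;
+}
+
++ /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */
++ if (page == MODE_PAGE_ALLS) {
++ return -1;
++ }
++
+p = mode_current;
+memset(mode_current, 0, inlen + 2);
+len = mode_sense_page(s, page, &p, 0);
+--
+GitLab
+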
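Review bot: The added `assert(page < ARRAY_SIZE(mode_sense_valid));` in mode_sense_page() guards an index that comes from the guest's CDB, so any caller that still passes an out-of-table page code now aborts QEMU instead of reading past the table; that is acceptable only because the second hunk filters MODE_PAGE_ALLS in scsi_disk_check_mode_select(), and that dependency should be stated at the assert, e.g. `/* MODE_PAGE_ALLS is rejected by the MODE SELECT path; any other out-of-table page code here is a caller bug */`. If the project would rather not trust every caller, returning -1 here instead of asserting would turn a future regression into a rejected command rather than a guest-triggerable crash. Both enclosing functions extend beyond the hunks shown.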
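--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
@@ -0,0 +1,89 @@
+From fa892e9abb728e76afcf27323ab29c57fb0fe7aa Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 7 Apr 2022 10:17:12 +0200
+Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc
+(CVE-2021-4206)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Prevent potential integer overflow by limiting 'width' and 'height' to
+512x512. Also change 'datasize' type to size_t. Refer to security
+advisory https://starlabs.sg/advisories/22-4206/ for more information.
+
+Fixes: CVE-2021-4206
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20220407081712.345609-1-mcascell@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/fa892e9a
+CVE: CVE-2021-4206
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+hw/display/qxl-render.c | 7 +++++++
+hw/display/vmware_vga.c | 2 ++
+ui/cursor.c | 8 +++++++-
+3 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+index 237ed293ba..ca217004bf 100644
+--- a/hw/display/qxl-render.c
++++ b/hw/display/qxl-render.c
+@@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
+size_t size;
+
+c = cursor_alloc(cursor->header.width, cursor->header.height);
++
++ if (!c) {
++ qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__,
++ cursor->header.width, cursor->header.height);
++ goto fail;
++ }
++
+c->hot_x = cursor->header.hot_spot_x;
+c->hot_y = cursor->header.hot_spot_y;
+switch (cursor->header.type) {
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index 98c83474ad..45d06cbe25 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -515,6 +515,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
+int i, pixels;
+
+qc = cursor_alloc(c->width, c->height);
++ assert(qc != NULL);
++
+qc->hot_x = c->hot_x;
+qc->hot_y = c->hot_y;
+switch (c->bpp) {
+diff --git a/ui/cursor.c b/ui/cursor.c
+index 1d62ddd4d0..835f0802f9 100644
+--- a/ui/cursor.c
++++ b/ui/cursor.c
+@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[])
+
+/* parse pixel data */
+c = cursor_alloc(width, height);
++ assert(c != NULL);
++
+for (pixel = 0, y = 0; y < height; y++, line++) {
+for (x = 0; x < height; x++, pixel++) {
+idx = xpm[line][x];
+@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void)
+QEMUCursor *cursor_alloc(int width, int height)
+{
+QEMUCursor *c;
+- int datasize = width * height * sizeof(uint32_t);
++ size_t datasize = width * height * sizeof(uint32_t);
++
++ if (width > 512 || height > 512) {
++ return NULL;
++ }
+
+c = g_malloc0(sizeof(QEMUCursor) + datasize);
+c->width = width;
+--
+GitLab
+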
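Review bot: In cursor_alloc() the new bound `if (width > 512 || height > 512)` does not reject negative values, and `datasize` is still computed from the `int` product before the bound is applied, so an out-of-range width/height from a guest still performs the signed multiplication (overflow there is undefined behaviour) and a negative value converted to size_t turns into a huge allocation request; validate both ends of the range first and compute the size afterwards, as below. The `assert(qc != NULL)` in vmsvga_cursor_define() makes a NULL return a guest-triggerable abort unless that caller already bounds c->width/c->height before calling (its body is outside the hunk), which is worth confirming. Note also that the qxl-render.c hunk's pre-image index 237ed293ba is the post-image of CVE-2021-4207.patch, so SRC_URI must apply that patch before this one.
```c
QEMUCursor *cursor_alloc(int width, int height)
{
    QEMUCursor *c;
    size_t datasize;

    /* reject negative and oversized dimensions before any arithmetic on them */
    if (width < 0 || height < 0 || width > 512 || height > 512) {
        return NULL;
    }
    datasize = (size_t)width * height * sizeof(uint32_t);

    c = g_malloc0(sizeof(QEMUCursor) + datasize);
    /* … unchanged: field initialisation … */
```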
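--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch
@@ -0,0 +1,43 @@
+From 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 7 Apr 2022 10:11:06 +0200
+Subject: [PATCH] display/qxl-render: fix race condition in qxl_cursor
+(CVE-2021-4207)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Avoid fetching 'width' and 'height' a second time to prevent possible
+race condition. Refer to security advisory
+https://starlabs.sg/advisories/22-4207/ for more information.
+
+Fixes: CVE-2021-4207
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20220407081106.343235-1-mcascell@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/9569f5cb
+CVE: CVE-2021-4207
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+hw/display/qxl-render.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+index d28849b121..237ed293ba 100644
+--- a/hw/display/qxl-render.c
++++ b/hw/display/qxl-render.c
+@@ -266,7 +266,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
+}
+break;
+case SPICE_CURSOR_TYPE_ALPHA:
+- size = sizeof(uint32_t) * cursor->header.width * cursor->header.height;
++ size = sizeof(uint32_t) * c->width * c->height;
+qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id);
+if (qxl->debug > 2) {
+cursor_print_ascii_art(c, "qxl/alpha");
+--
+GitLab
+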
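--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch
@@ -0,0 +1,42 @@
+From 6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Tue, 5 Jul 2022 22:05:43 +0200
+Subject: [PATCH] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout
+(CVE-2022-0216)
+
+Set current_req->req to NULL to prevent reusing a free'd buffer in case of
+repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch.
+
+Fixes: CVE-2022-0216
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Message-Id: <20220705200543.2366809-1-mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8
+CVE: CVE-2022-0216
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+hw/scsi/lsi53c895a.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index c8773f73f7..99ea42d49b 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s)
+case 0x0d:
+/* The ABORT TAG message clears the current I/O process only. */
+trace_lsi_do_msgout_abort(current_tag);
+- if (current_req) {
++ if (current_req && current_req->req) {
+scsi_req_cancel(current_req->req);
++ current_req->req = NULL;
+}
+lsi_disconnect(s);
+break;
+--
+GitLab
+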
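--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch
@@ -0,0 +1,52 @@
+From 4367a20cc442c56b05611b4224de9a61908f9eac Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Mon, 11 Jul 2022 14:33:16 +0200
+Subject: [PATCH] scsi/lsi53c895a: really fix use-after-free in lsi_do_msgout
+(CVE-2022-0216)
+
+Set current_req to NULL, not current_req->req, to prevent reusing a free'd
+buffer in case of repeated SCSI cancel requests. Also apply the fix to
+CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel
+the request.
+
+Thanks to Alexander Bulekov for providing a reproducer.
+
+Fixes: CVE-2022-0216
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Message-Id: <20220711123316.421279-1-mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/4367a20cc4
+CVE: CVE-2022-0216
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+hw/scsi/lsi53c895a.c | 3 +-
+1 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 99ea42d49b..ad5f5e5f39 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -1030,7 +1030,7 @@ static void lsi_do_msgout(LSIState *s)
+trace_lsi_do_msgout_abort(current_tag);
+if (current_req && current_req->req) {
+scsi_req_cancel(current_req->req);
+- current_req->req = NULL;
++ current_req = NULL;
+}
+lsi_disconnect(s);
+break;
+@@ -1056,6 +1056,7 @@ static void lsi_do_msgout(LSIState *s)
+/* clear the current I/O process */
+if (s->current) {
+scsi_req_cancel(s->current->req);
++ current_req = NULL;
+}
+
+/* As the current implemented devices scsi_disk and scsi_generic
+--
+GitLab
+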
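Review bot: The two added `current_req = NULL;` lines rely on scsi_req_cancel() having released the request — and with it the lsi_request that current_req points to — through the device's request-cancelled callback, which is not visible in these hunks; a comment would keep the next reader from "restoring" a use of current_req after the cancel, e.g. `/* scsi_req_cancel() may free the request through the cancel callback; drop our pointer to it */`. With the ->req member no longer cleared, the `current_req && current_req->req` test kept from CVE-2022-0216-1.patch is now redundant but harmless. lsi_do_msgout() continues outside both hunks.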
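--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-26354.patch
@@ -0,0 +1,57 @@
+Backport of:
+
+From 8d1b247f3748ac4078524130c6d7ae42b6140aaf Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Mon, 28 Feb 2022 10:50:58 +0100
+Subject: [PATCH] vhost-vsock: detach the virqueue element in case of error
+
+In vhost_vsock_common_send_transport_reset(), if an element popped from
+the virtqueue is invalid, we should call virtqueue_detach_element() to
+detach it from the virtqueue before freeing its memory.
+
+Fixes: fc0b9b0e1c ("vhost-vsock: add virtio sockets device")
+Fixes: CVE-2022-26354
+Cc: qemu-stable@nongnu.org
+Reported-by: VictorV <vv474172261@gmail.com>
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Message-Id: <20220228095058.27899-1-sgarzare@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+CVE: CVE-2022-26354
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2022-26354.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/8d1b247f3748ac4078524130c6d7ae42b6140aaf ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+hw/virtio/vhost-vsock-common.c | 10 +++++++---
+1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/hw/virtio/vhost-vsock.c
++++ b/hw/virtio/vhost-vsock.c
+@@ -221,19 +221,23 @@ static void vhost_vsock_send_transport_r
+if (elem->out_num) {
+error_report("invalid vhost-vsock event virtqueue element with "
+"out buffers");
+- goto out;
++ goto err;
+}
+
+if (iov_from_buf(elem->in_sg, elem->in_num, 0,
+&event, sizeof(event)) != sizeof(event)) {
+error_report("vhost-vsock event virtqueue element is too short");
+- goto out;
++ goto err;
+}
+
+virtqueue_push(vq, elem, sizeof(event));
+virtio_notify(VIRTIO_DEVICE(vsock), vq);
+
+-out:
++ g_free(elem);
++ return;
++
++err:
++ virtqueue_detach_element(vq, elem, 0);
+g_free(elem);
+}
+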
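Review bot: The diffstat in the patch header names hw/virtio/vhost-vsock-common.c (the upstream file), but the hunk below patches hw/virtio/vhost-vsock.c and the header carries no `diff --git`/`index` lines, so the stat no longer describes this patch; regenerate it, e.g. `hw/virtio/vhost-vsock.c | 10 +++++++---`, or record the file rename in the "Backport of:" prologue. The change itself reads correctly: both error paths now detach the element before freeing it, and the success path frees it only after virtqueue_push(). The virtqueue_pop() call and its NULL check that precede this hunk are outside the shown lines.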
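--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch
@@ -0,0 +1,53 @@
+From 09a07b5b39c87423df9e8f6574c19a14d36beac5 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 27 Jul 2022 10:34:12 +0530
+Subject: [PATCH] CVE-2022-35414
+
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c]
+CVE: CVE-2022-35414
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+exec.c | 13 ++++++++++++-
+1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/exec.c b/exec.c
+index 43c70ffb..2d6add46 100644
+--- a/exec.c
++++ b/exec.c
+@@ -685,7 +685,7 @@ static void tcg_iommu_free_notifier_list(CPUState *cpu)
+
+/* Called from RCU critical section */
+MemoryRegionSection *
+-address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
++address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr,
+hwaddr *xlat, hwaddr *plen,
+MemTxAttrs attrs, int *prot)
+{
+@@ -694,6 +694,7 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
+IOMMUMemoryRegionClass *imrc;
+IOMMUTLBEntry iotlb;
+int iommu_idx;
++ hwaddr addr = orig_addr;
+AddressSpaceDispatch *d = atomic_rcu_read(&cpu->cpu_ases[asidx].memory_dispatch);
+
+for (;;) {
+@@ -737,6 +738,16 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
+return section;
+
+translate_fail:
++ /*
++ * We should be given a page-aligned address -- certainly
++ * tlb_set_page_with_attrs() does so. The page offset of xlat
++ * is used to index sections[], and PHYS_SECTION_UNASSIGNED = 0.
++ * The page portion of xlat will be logged by memory_region_access_valid()
++ * when this memory access is rejected, so use the original untranslated
++ * physical address.
++ */
++ assert((orig_addr & ~TARGET_PAGE_MASK) == 0);
++ *xlat = orig_addr;
+return &d->map.sections[PHYS_SECTION_UNASSIGNED];
+}
+#endif
+--
+2.25.1
+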
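Review bot: The patch description is missing: the Subject line is just `CVE-2022-35414` and there is no body, so a reader of this recipe cannot tell what the exec.c change fixes without fetching the upstream commit. The added `*xlat = orig_addr;` on the translate_fail path suggests *xlat was previously left unset there; carry the upstream subject over and add a sentence to that effect, for instance `Subject: [PATCH] softmmu: always initialize *xlat on the translate_fail path of address_space_translate_for_iotlb() (CVE-2022-35414)`. The new `assert((orig_addr & ~TARGET_PAGE_MASK) == 0)` depends on every caller passing a page-aligned address, as the in-code comment states; those callers are outside the hunk.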
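--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch
@@ -0,0 +1,103 @@
+From 6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>
+Date: Mon, 28 Nov 2022 21:27:40 +0100
+Subject: [PATCH] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt
+(CVE-2022-4144)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Have qxl_get_check_slot_offset() return false if the requested
+buffer size does not fit within the slot memory region.
+
+Similarly qxl_phys2virt() now returns NULL in such case, and
+qxl_dirty_one_surface() aborts.
+
+This avoids buffer overrun in the host pointer returned by
+memory_region_get_ram_ptr().
+
+Fixes: CVE-2022-4144 (out-of-bounds read)
+Reported-by: Wenxu Yin (@awxylitol)
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1336
+
+Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20221128202741.4945-5-philmd@linaro.org>
+
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622]
+CVE: CVE-2022-4144
+Comments: Deleted patch hunk in qxl.h,as it contains change
+in comments which is not present in current version of qemu.
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+hw/display/qxl.c | 27 +++++++++++++++++++++++----
+1 file changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/qxl.c b/hw/display/qxl.c
+index cd7eb39d..6bc8385b 100644
+--- a/hw/display/qxl.c
++++ b/hw/display/qxl.c
+@@ -1440,11 +1440,13 @@ static void qxl_reset_surfaces(PCIQXLDevice *d)
+
+/* can be also called from spice server thread context */
+static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
+- uint32_t *s, uint64_t *o)
++ uint32_t *s, uint64_t *o,
++ size_t size_requested)
+{
+uint64_t phys = le64_to_cpu(pqxl);
+uint32_t slot = (phys >> (64 - 8)) & 0xff;
+uint64_t offset = phys & 0xffffffffffff;
++ uint64_t size_available;
+
+if (slot >= NUM_MEMSLOTS) {
+qxl_set_guest_bug(qxl, "slot too large %d >= %d", slot,
+@@ -1468,6 +1470,23 @@ static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
+slot, offset, qxl->guest_slots[slot].size);
+return false;
+}
++ size_available = memory_region_size(qxl->guest_slots[slot].mr);
++ if (qxl->guest_slots[slot].offset + offset >= size_available) {
++ qxl_set_guest_bug(qxl,
++ "slot %d offset %"PRIu64" > region size %"PRIu64"\n",
++ slot, qxl->guest_slots[slot].offset + offset,
++ size_available);
++ return false;
++ }
++ size_available -= qxl->guest_slots[slot].offset + offset;
++ if (size_requested > size_available) {
++ qxl_set_guest_bug(qxl,
++ "slot %d offset %"PRIu64" size %zu: "
++ "overrun by %"PRIu64" bytes\n",
++ slot, offset, size_requested,
++ size_requested - size_available);
++ return false;
++ }
+
+*s = slot;
+*o = offset;
+@@ -1486,7 +1505,7 @@ void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id)
+offset = le64_to_cpu(pqxl) & 0xffffffffffff;
+return (void *)(intptr_t)offset;
+case MEMSLOT_GROUP_GUEST:
+- if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset)) {
++ if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size)) {
+return NULL;
+}
+ptr = memory_region_get_ram_ptr(qxl->guest_slots[slot].mr);
+@@ -1944,9 +1963,9 @@ static void qxl_dirty_one_surface(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
+uint32_t slot;
+bool rc;
+
+- rc = qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset);
+- assert(rc == true);
+size = (uint64_t)height * abs(stride);
++ rc = qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size);
++ assert(rc == true);
+trace_qxl_surfaces_dirty(qxl->id, offset, size);
+qxl_set_dirty(qxl->guest_slots[slot].mr,
+qxl->guest_slots[slot].offset + offset,
+--
+2.25.1
+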
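Review bot: The qxl_phys2virt() hunk now passes `size` to qxl_get_check_slot_offset(), but the hunk header shows the function's pre-image signature as `qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id)` with no size parameter, and nothing in this patch declares one; unless the preceding upstream change that adds a `size_t size` parameter to qxl_phys2virt() (presumably patch 4 of the same 4945 series) is applied earlier in this recipe, `size` is undeclared and the build fails, so please confirm that prerequisite is in SRC_URI ahead of this file. The "Comments:" note only records dropping the qxl.h hunk; the dependency belongs there too, e.g. `Comments: requires the preceding 'pass requested buffer size to qxl_phys2virt()' change to be applied first`. The earlier slot/offset bounds checks in qxl_get_check_slot_offset() fall between the first two hunks and are not shown.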
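--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
@@ -0,0 +1,77 @@
+[Ubuntu note: remove fuzz-lsi53c895a-test.c changes since the file does not
+exist for this release]
+From b987718bbb1d0eabf95499b976212dd5f0120d75 Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Mon, 22 May 2023 11:10:11 +0200
+Subject: [PATCH] hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI
+controller (CVE-2023-0330)
+
+We cannot use the generic reentrancy guard in the LSI code, so
+we have to manually prevent endless reentrancy here. The problematic
+lsi_execute_script() function has already a way to detect whether
+too many instructions have been executed - we just have to slightly
+change the logic here that it also takes into account if the function
+has been called too often in a reentrant way.
+
+The code in fuzz-lsi53c895a-test.c has been taken from an earlier
+patch by Mauro Matteo Cascella.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1563
+Message-Id: <20230522091011.1082574-1-thuth@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+
+Reference: https://launchpad.net/ubuntu/+source/qemu/1:4.2-3ubuntu6.27
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2023-0330.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.com/qemu-project/qemu/-/commit/b987718bbb1d0eabf95499b976212dd5f0120d75]
+CVE: CVE-2023-0330
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+hw/scsi/lsi53c895a.c | 23 +++++++++++++++------
+tests/qtest/fuzz-lsi53c895a-test.c | 33 ++++++++++++++++++++++++++++++
+2 files changed, 50 insertions(+), 6 deletions(-)
+
+--- qemu-4.2.orig/hw/scsi/lsi53c895a.c
++++ qemu-4.2/hw/scsi/lsi53c895a.c
+@@ -1135,15 +1135,24 @@ static void lsi_execute_script(LSIState
+uint32_t addr, addr_high;
+int opcode;
+int insn_processed = 0;
++ static int reentrancy_level;
++
++ reentrancy_level++;
+
+s->istat1 |= LSI_ISTAT1_SRUN;
+again:
+- if (++insn_processed > LSI_MAX_INSN) {
+- /* Some windows drivers make the device spin waiting for a memory
+- location to change. If we have been executed a lot of code then
+- assume this is the case and force an unexpected device disconnect.
+- This is apparently sufficient to beat the drivers into submission.
+- */
++ /*
++ * Some windows drivers make the device spin waiting for a memory location
++ * to change. If we have executed more than LSI_MAX_INSN instructions then
++ * assume this is the case and force an unexpected device disconnect. This
++ * is apparently sufficient to beat the drivers into submission.
++ *
++ * Another issue (CVE-2023-0330) can occur if the script is programmed to
++ * trigger itself again and again. Avoid this problem by stopping after
++ * being called multiple times in a reentrant way (8 is an arbitrary value
++ * which should be enough for all valid use cases).
++ */
++ if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) {
+if (!(s->sien0 & LSI_SIST0_UDC)) {
+qemu_log_mask(LOG_GUEST_ERROR,
+"lsi_scsi: inf. loop with UDC masked");
+@@ -1597,6 +1606,8 @@ again:
+}
+}
+trace_lsi_execute_script_stop();
++
++ reentrancy_level--;
+}
+
+static uint8_t lsi_reg_readb(LSIState *s, int offset)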
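Review bot: `reentrancy_level` is incremented at function entry, but the only decrement shown is at the normal exit of lsi_execute_script(); if the limit branch guarded by `if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8)` leaves the function early (its tail is outside the hunk), the counter is never restored on that path, and once it drifts above 8 every later script run stops immediately and the controller stays wedged for the life of the process — a `reentrancy_level--;` before that branch's exit closes it. Because the counter is a function-local `static`, it is also shared by every LSI instance in the VM; a per-device field in LSIState would scope the limit to the controller that is actually re-entering itself. A short comment on the declaration would help later readers, e.g. `/* depth of nested lsi_execute_script() calls; bounded by the check below */`. The diffstat still lists tests/qtest/fuzz-lsi53c895a-test.c even though the Ubuntu note says that hunk was dropped.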
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch new file mode 100644 index 0000000000..70b7d6c562 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch | |||
@@ -0,0 +1,178 @@ | |||
1 | From f6b0de53fb87ddefed348a39284c8e2f28dc4eda Mon Sep 17 00:00:00 2001 | ||
2 | From: Christian Schoenebeck <qemu_oss@crudebyte.com> | ||
3 | Date: Wed, 7 Jun 2023 18:29:33 +0200 | ||
4 | Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861) | ||
5 | |||
6 | The 9p protocol does not specifically define how server shall behave when | ||
7 | client tries to open a special file, however from security POV it does | ||
8 | make sense for 9p server to prohibit opening any special file on host side | ||
9 | in general. A sane Linux 9p client for instance would never attempt to | ||
10 | open a special file on host side, it would always handle those exclusively | ||
11 | on its guest side. A malicious client however could potentially escape | ||
12 | from the exported 9p tree by creating and opening a device file on host | ||
13 | side. | ||
14 | |||
15 | With QEMU this could only be exploited in the following unsafe setups: | ||
16 | |||
17 | - Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough' | ||
18 | security model. | ||
19 | |||
20 | or | ||
21 | |||
22 | - Using 9p 'proxy' fs driver (which is running its helper daemon as | ||
23 | root). | ||
24 | |||
25 | These setups were already discouraged for safety reasons before, | ||
26 | however for obvious reasons we are now tightening behaviour on this. | ||
27 | |||
28 | Fixes: CVE-2023-2861 | ||
29 | Reported-by: Yanwu Shen <ywsPlz@gmail.com> | ||
30 | Reported-by: Jietao Xiao <shawtao1125@gmail.com> | ||
31 | Reported-by: Jinku Li <jkli@xidian.edu.cn> | ||
32 | Reported-by: Wenbo Shen <shenwenbo@zju.edu.cn> | ||
33 | Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com> | ||
34 | Reviewed-by: Greg Kurz <groug@kaod.org> | ||
35 | Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> | ||
36 | Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com> | ||
37 | |||
38 | Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/f6b0de53fb87ddefed348a39284c8e2f28dc4eda] | ||
39 | CVE: CVE-2023-2861 | ||
40 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
41 | --- | ||
42 | fsdev/virtfs-proxy-helper.c | 27 +++++++++++++++++++++++-- | ||
43 | hw/9pfs/9p-util.h | 40 +++++++++++++++++++++++++++++++++++++ | ||
44 | 2 files changed, 65 insertions(+), 2 deletions(-) | ||
45 | |||
46 | diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c | ||
47 | index 6f132c5f..300c9765 100644 | ||
48 | --- a/fsdev/virtfs-proxy-helper.c | ||
49 | +++ b/fsdev/virtfs-proxy-helper.c | ||
50 | @@ -26,6 +26,7 @@ | ||
51 | #include "qemu/xattr.h" | ||
52 | #include "9p-iov-marshal.h" | ||
53 | #include "hw/9pfs/9p-proxy.h" | ||
54 | +#include "hw/9pfs/9p-util.h" | ||
55 | #include "fsdev/9p-iov-marshal.h" | ||
56 | |||
57 | #define PROGNAME "virtfs-proxy-helper" | ||
58 | @@ -350,6 +351,28 @@ static void resetugid(int suid, int sgid) | ||
59 | } | ||
60 | } | ||
61 | |||
62 | +/* | ||
63 | + * Open regular file or directory. Attempts to open any special file are | ||
64 | + * rejected. | ||
65 | + * | ||
66 | + * returns file descriptor or -1 on error | ||
67 | + */ | ||
68 | +static int open_regular(const char *pathname, int flags, mode_t mode) | ||
69 | +{ | ||
70 | + int fd; | ||
71 | + | ||
72 | + fd = open(pathname, flags, mode); | ||
73 | + if (fd < 0) { | ||
74 | + return fd; | ||
75 | + } | ||
76 | + | ||
77 | + if (close_if_special_file(fd) < 0) { | ||
78 | + return -1; | ||
79 | + } | ||
80 | + | ||
81 | + return fd; | ||
82 | +} | ||
83 | + | ||
84 | /* | ||
85 | * send response in two parts | ||
86 | * 1) ProxyHeader | ||
87 | @@ -694,7 +717,7 @@ static int do_create(struct iovec *iovec) | ||
88 | if (ret < 0) { | ||
89 | goto unmarshal_err_out; | ||
90 | } | ||
91 | - ret = open(path.data, flags, mode); | ||
92 | + ret = open_regular(path.data, flags, mode); | ||
93 | if (ret < 0) { | ||
94 | ret = -errno; | ||
95 | } | ||
96 | @@ -719,7 +742,7 @@ static int do_open(struct iovec *iovec) | ||
97 | if (ret < 0) { | ||
98 | goto err_out; | ||
99 | } | ||
100 | - ret = open(path.data, flags); | ||
101 | + ret = open_regular(path.data, flags, 0); | ||
102 | if (ret < 0) { | ||
103 | ret = -errno; | ||
104 | } | ||
105 | diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h | ||
106 | index 546f46dc..79fdd2a3 100644 | ||
107 | --- a/hw/9pfs/9p-util.h | ||
108 | +++ b/hw/9pfs/9p-util.h | ||
109 | @@ -13,12 +13,16 @@ | ||
110 | #ifndef QEMU_9P_UTIL_H | ||
111 | #define QEMU_9P_UTIL_H | ||
112 | |||
113 | +#include "qemu/error-report.h" | ||
114 | + | ||
115 | #ifdef O_PATH | ||
116 | #define O_PATH_9P_UTIL O_PATH | ||
117 | #else | ||
118 | #define O_PATH_9P_UTIL 0 | ||
119 | #endif | ||
120 | |||
121 | +#define qemu_fstat fstat | ||
122 | + | ||
123 | static inline void close_preserve_errno(int fd) | ||
124 | { | ||
125 | int serrno = errno; | ||
126 | @@ -26,6 +30,38 @@ static inline void close_preserve_errno(int fd) | ||
127 | errno = serrno; | ||
128 | } | ||
129 | |||
130 | +/** | ||
131 | + * close_if_special_file() - Close @fd if neither regular file nor directory. | ||
132 | + * | ||
133 | + * @fd: file descriptor of open file | ||
134 | + * Return: 0 on regular file or directory, -1 otherwise | ||
135 | + * | ||
136 | + * CVE-2023-2861: Prohibit opening any special file directly on host | ||
137 | + * (especially device files), as a compromised client could potentially gain | ||
138 | + * access outside exported tree under certain, unsafe setups. We expect | ||
139 | + * client to handle I/O on special files exclusively on guest side. | ||
140 | + */ | ||
141 | +static inline int close_if_special_file(int fd) | ||
142 | +{ | ||
143 | + struct stat stbuf; | ||
144 | + | ||
145 | + if (qemu_fstat(fd, &stbuf) < 0) { | ||
146 | + close_preserve_errno(fd); | ||
147 | + return -1; | ||
148 | + } | ||
149 | + if (!S_ISREG(stbuf.st_mode) && !S_ISDIR(stbuf.st_mode)) { | ||
150 | + error_report_once( | ||
151 | + "9p: broken or compromised client detected; attempt to open " | ||
152 | + "special file (i.e. neither regular file, nor directory)" | ||
153 | + ); | ||
154 | + close(fd); | ||
155 | + errno = ENXIO; | ||
156 | + return -1; | ||
157 | + } | ||
158 | + | ||
159 | + return 0; | ||
160 | +} | ||
161 | + | ||
162 | static inline int openat_dir(int dirfd, const char *name) | ||
163 | { | ||
164 | return openat(dirfd, name, | ||
165 | @@ -56,6 +92,10 @@ again: | ||
166 | return -1; | ||
167 | } | ||
168 | |||
169 | + if (close_if_special_file(fd) < 0) { | ||
170 | + return -1; | ||
171 | + } | ||
172 | + | ||
173 | serrno = errno; | ||
174 | /* O_NONBLOCK was only needed to open the file. Let's drop it. We don't | ||
175 | * do that with O_PATH since fcntl(F_SETFL) isn't supported, and openat() | ||
176 | -- | ||
177 | 2.25.1 | ||
178 | |||
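Review bot: open_regular() in virtfs-proxy-helper.c still calls open() with the client-supplied flags before close_if_special_file() inspects the result, so a FIFO created inside the export can block the helper at that open() until the other end is opened, and the fstat check never gets a chance to run; a device node whose open itself has side effects is likewise opened first and only closed afterwards. The openat path patched at the bottom of the hunk is protected because it opens with O_NONBLOCK (its trailing comment says so), but the helper is not — opening with `fd = open(pathname, flags | O_NONBLOCK, mode);` and restoring the caller's flags with `fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);` once close_if_special_file() has accepted the fd would mirror that path. The doc comment on close_if_special_file() ("Prohibit opening any special file") also reads as if the open is prevented; a sentence noting that the file is opened and then closed, so only I/O on it is prevented, would be more accurate. The openat helper whose tail is patched last begins outside this hunk.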
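--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch
@@ -0,0 +1,49 @@
+From 9d38a8434721a6479fe03fb5afb150ca793d3980 Mon Sep 17 00:00:00 2001
+From: zhenwei pi <pizhenwei@bytedance.com>
+Date: Thu, 3 Aug 2023 10:43:13 +0800
+Subject: [PATCH] virtio-crypto: verify src&dst buffer length for sym request
+
+For symmetric algorithms, the length of ciphertext must be as same
+as the plaintext.
+The missing verification of the src_len and the dst_len in
+virtio_crypto_sym_op_helper() may lead buffer overflow/divulged.
+
+This patch is originally written by Yiming Tao for QEMU-SECURITY,
+resend it(a few changes of error message) in qemu-devel.
+
+Fixes: CVE-2023-3180
+Fixes: 04b9b37edda("virtio-crypto: add data queue processing handler")
+Cc: Gonglei <arei.gonglei@huawei.com>
+Cc: Mauro Matteo Cascella <mcascell@redhat.com>
+Cc: Yiming Tao <taoym@zju.edu.cn>
+Signed-off-by: zhenwei pi <pizhenwei@bytedance.com>
+Message-Id: <20230803024314.29962-2-pizhenwei@bytedance.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+Upstream-Status: Backport from [https://gitlab.com/qemu-project/qemu/-/commit/9d38a8434721a6479fe03fb5afb150ca793d3980]
+CVE: CVE-2023-3180
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+hw/virtio/virtio-crypto.c | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
+index 44faf5a522b..13aec771e11 100644
+--- a/hw/virtio/virtio-crypto.c
++++ b/hw/virtio/virtio-crypto.c
+@@ -634,6 +634,11 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
+return NULL;
+}
+
++ if (unlikely(src_len != dst_len)) {
++ virtio_error(vdev, "sym request src len is different from dst len");
++ return NULL;
++ }
++
+max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len;
+if (unlikely(max_len > vcrypto->conf.max_size)) {
+virtio_error(vdev, "virtio-crypto too big length");
+--
+GitLab
+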
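Review bot: The new src_len/dst_len check carries no explanation of why the two lengths must be equal, and the virtio_error() string alone does not tell a reader that a mismatch is a memory-safety problem rather than a protocol nicety; a short comment above the `if`, e.g. `/* Symmetric ciphers emit as many bytes as they consume; a dst_len that differs from src_len would over-read or over-write the request buffers (CVE-2023-3180). */`, would record that. Placing the check ahead of the max_len sum is fine, since a rejected pair never reaches the size comparison. The enclosing virtio_crypto_sym_op_helper() starts and ends outside this hunk, so whether src_len and dst_len are bounded elsewhere cannot be confirmed here.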
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch new file mode 100644 index 0000000000..2942e84cac --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch | |||
@@ -0,0 +1,87 @@ | |||
1 | From 10be627d2b5ec2d6b3dce045144aa739eef678b4 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com> | ||
3 | Date: Tue, 20 Jun 2023 09:45:34 +0100 | ||
4 | Subject: [PATCH] io: remove io watch if TLS channel is closed during handshake | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | The TLS handshake make take some time to complete, during which time an | ||
10 | I/O watch might be registered with the main loop. If the owner of the | ||
11 | I/O channel invokes qio_channel_close() while the handshake is waiting | ||
12 | to continue the I/O watch must be removed. Failing to remove it will | ||
13 | later trigger the completion callback which the owner is not expecting | ||
14 | to receive. In the case of the VNC server, this results in a SEGV as | ||
15 | vnc_disconnect_start() tries to shutdown a client connection that is | ||
16 | already gone / NULL. | ||
17 | |||
18 | CVE-2023-3354 | ||
19 | Reported-by: jiangyegen <jiangyegen@huawei.com> | ||
20 | Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> | ||
21 | |||
22 | Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/10be627d2b5ec2d6b3dce045144aa739eef678b4] | ||
23 | CVE: CVE-2023-3354 | ||
24 | Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> | ||
25 | --- | ||
26 | include/io/channel-tls.h | 1 + | ||
27 | io/channel-tls.c | 18 ++++++++++++------ | ||
28 | 2 files changed, 13 insertions(+), 6 deletions(-) | ||
29 | |||
30 | diff --git a/include/io/channel-tls.h b/include/io/channel-tls.h | ||
31 | index fdbdf12f..e49e2831 100644 | ||
32 | --- a/include/io/channel-tls.h | ||
33 | +++ b/include/io/channel-tls.h | ||
34 | @@ -49,6 +49,7 @@ struct QIOChannelTLS { | ||
35 | QIOChannel *master; | ||
36 | QCryptoTLSSession *session; | ||
37 | QIOChannelShutdown shutdown; | ||
38 | + guint hs_ioc_tag; | ||
39 | }; | ||
40 | |||
41 | /** | ||
42 | diff --git a/io/channel-tls.c b/io/channel-tls.c | ||
43 | index 7ec8ceff..8b32fbde 100644 | ||
44 | --- a/io/channel-tls.c | ||
45 | +++ b/io/channel-tls.c | ||
46 | @@ -194,12 +194,13 @@ static void qio_channel_tls_handshake_task(QIOChannelTLS *ioc, | ||
47 | } | ||
48 | |||
49 | trace_qio_channel_tls_handshake_pending(ioc, status); | ||
50 | - qio_channel_add_watch_full(ioc->master, | ||
51 | - condition, | ||
52 | - qio_channel_tls_handshake_io, | ||
53 | - data, | ||
54 | - NULL, | ||
55 | - context); | ||
56 | + ioc->hs_ioc_tag = | ||
57 | + qio_channel_add_watch_full(ioc->master, | ||
58 | + condition, | ||
59 | + qio_channel_tls_handshake_io, | ||
60 | + data, | ||
61 | + NULL, | ||
62 | + context); | ||
63 | } | ||
64 | } | ||
65 | |||
66 | @@ -214,6 +215,7 @@ static gboolean qio_channel_tls_handshake_io(QIOChannel *ioc, | ||
67 | QIOChannelTLS *tioc = QIO_CHANNEL_TLS( | ||
68 | qio_task_get_source(task)); | ||
69 | |||
70 | + tioc->hs_ioc_tag = 0; | ||
71 | g_free(data); | ||
72 | qio_channel_tls_handshake_task(tioc, task, context); | ||
73 | |||
74 | @@ -371,6 +373,10 @@ static int qio_channel_tls_close(QIOChannel *ioc, | ||
75 | { | ||
76 | QIOChannelTLS *tioc = QIO_CHANNEL_TLS(ioc); | ||
77 | |||
78 | + if (tioc->hs_ioc_tag) { | ||
79 | + g_clear_handle_id(&tioc->hs_ioc_tag, g_source_remove); | ||
80 | + } | ||
81 | + | ||
82 | return qio_channel_close(tioc->master, errp); | ||
83 | } | ||
84 | |||
85 | -- | ||
86 | 2.25.1 | ||
87 | |||
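Review bot: Removing the handshake watch in qio_channel_tls_close() leaks the watch's user data: the watch is registered with a NULL fifth argument to qio_channel_add_watch_full() (presumably the GDestroyNotify), and `data` is only released by the `g_free(data)` inside qio_channel_tls_handshake_io(), which no longer runs once g_source_remove() has taken the source away. Passing `g_free` as the notify and dropping the explicit `g_free(data)` from the callback would let GLib free it on both paths, provided the callback returns FALSE so the source is destroyed after a completed handshake (its return statement is outside this hunk). Separately, `g_clear_handle_id()` is, if I recall correctly, a GLib 2.56 addition, newer than the GLib floor QEMU 4.2 itself declares, so this backport silently raises the host requirement; `g_source_remove(tioc->hs_ioc_tag); tioc->hs_ioc_tag = 0;` would avoid that. The object's finalize path is not in this hunk, so whether a pending watch is also dropped when the channel is freed without close() cannot be confirmed here.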
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-5088.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-5088.patch new file mode 100644 index 0000000000..db02210fa4 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-5088.patch | |||
@@ -0,0 +1,114 @@ | |||
1 | From 7d7512019fc40c577e2bdd61f114f31a9eb84a8e Mon Sep 17 00:00:00 2001 | ||
2 | From: Fiona Ebner <f.ebner@proxmox.com> | ||
3 | Date: Wed, 6 Sep 2023 15:09:21 +0200 | ||
4 | Subject: [PATCH] hw/ide: reset: cancel async DMA operation before resetting | ||
5 | state | ||
6 | MIME-Version: 1.0 | ||
7 | Content-Type: text/plain; charset=UTF-8 | ||
8 | Content-Transfer-Encoding: 8bit | ||
9 | |||
10 | If there is a pending DMA operation during ide_bus_reset(), the fact | ||
11 | that the IDEState is already reset before the operation is canceled | ||
12 | can be problematic. In particular, ide_dma_cb() might be called and | ||
13 | then use the reset IDEState which contains the signature after the | ||
14 | reset. When used to construct the IO operation this leads to | ||
15 | ide_get_sector() returning 0 and nsector being 1. This is particularly | ||
16 | bad, because a write command will thus destroy the first sector which | ||
17 | often contains a partition table or similar. | ||
18 | |||
19 | Traces showing the unsolicited write happening with IDEState | ||
20 | 0x5595af6949d0 being used after reset: | ||
21 | |||
22 | > ahci_port_write ahci(0x5595af6923f0)[0]: port write [reg:PxSCTL] @ 0x2c: 0x00000300 | ||
23 | > ahci_reset_port ahci(0x5595af6923f0)[0]: reset port | ||
24 | > ide_reset IDEstate 0x5595af6949d0 | ||
25 | > ide_reset IDEstate 0x5595af694da8 | ||
26 | > ide_bus_reset_aio aio_cancel | ||
27 | > dma_aio_cancel dbs=0x7f64600089a0 | ||
28 | > dma_blk_cb dbs=0x7f64600089a0 ret=0 | ||
29 | > dma_complete dbs=0x7f64600089a0 ret=0 cb=0x5595acd40b30 | ||
30 | > ahci_populate_sglist ahci(0x5595af6923f0)[0] | ||
31 | > ahci_dma_prepare_buf ahci(0x5595af6923f0)[0]: prepare buf limit=512 prepared=512 | ||
32 | > ide_dma_cb IDEState 0x5595af6949d0; sector_num=0 n=1 cmd=DMA WRITE | ||
33 | > dma_blk_io dbs=0x7f6420802010 bs=0x5595ae2c6c30 offset=0 to_dev=1 | ||
34 | > dma_blk_cb dbs=0x7f6420802010 ret=0 | ||
35 | |||
36 | > (gdb) p *qiov | ||
37 | > $11 = {iov = 0x7f647c76d840, niov = 1, {{nalloc = 1, local_iov = {iov_base = 0x0, | ||
38 | > iov_len = 512}}, {__pad = "\001\000\000\000\000\000\000\000\000\000\000", | ||
39 | > size = 512}}} | ||
40 | > (gdb) bt | ||
41 | > #0 blk_aio_pwritev (blk=0x5595ae2c6c30, offset=0, qiov=0x7f6420802070, flags=0, | ||
42 | > cb=0x5595ace6f0b0 <dma_blk_cb>, opaque=0x7f6420802010) | ||
43 | > at ../block/block-backend.c:1682 | ||
44 | > #1 0x00005595ace6f185 in dma_blk_cb (opaque=0x7f6420802010, ret=<optimized out>) | ||
45 | > at ../softmmu/dma-helpers.c:179 | ||
46 | > #2 0x00005595ace6f778 in dma_blk_io (ctx=0x5595ae0609f0, | ||
47 | > sg=sg@entry=0x5595af694d00, offset=offset@entry=0, align=align@entry=512, | ||
48 | > io_func=io_func@entry=0x5595ace6ee30 <dma_blk_write_io_func>, | ||
49 | > io_func_opaque=io_func_opaque@entry=0x5595ae2c6c30, | ||
50 | > cb=0x5595acd40b30 <ide_dma_cb>, opaque=0x5595af6949d0, | ||
51 | > dir=DMA_DIRECTION_TO_DEVICE) at ../softmmu/dma-helpers.c:244 | ||
52 | > #3 0x00005595ace6f90a in dma_blk_write (blk=0x5595ae2c6c30, | ||
53 | > sg=sg@entry=0x5595af694d00, offset=offset@entry=0, align=align@entry=512, | ||
54 | > cb=cb@entry=0x5595acd40b30 <ide_dma_cb>, opaque=opaque@entry=0x5595af6949d0) | ||
55 | > at ../softmmu/dma-helpers.c:280 | ||
56 | > #4 0x00005595acd40e18 in ide_dma_cb (opaque=0x5595af6949d0, ret=<optimized out>) | ||
57 | > at ../hw/ide/core.c:953 | ||
58 | > #5 0x00005595ace6f319 in dma_complete (ret=0, dbs=0x7f64600089a0) | ||
59 | > at ../softmmu/dma-helpers.c:107 | ||
60 | > #6 dma_blk_cb (opaque=0x7f64600089a0, ret=0) at ../softmmu/dma-helpers.c:127 | ||
61 | > #7 0x00005595ad12227d in blk_aio_complete (acb=0x7f6460005b10) | ||
62 | > at ../block/block-backend.c:1527 | ||
63 | > #8 blk_aio_complete (acb=0x7f6460005b10) at ../block/block-backend.c:1524 | ||
64 | > #9 blk_aio_write_entry (opaque=0x7f6460005b10) at ../block/block-backend.c:1594 | ||
65 | > #10 0x00005595ad258cfb in coroutine_trampoline (i0=<optimized out>, | ||
66 | > i1=<optimized out>) at ../util/coroutine-ucontext.c:177 | ||
67 | |||
68 | Signed-off-by: Fiona Ebner <f.ebner@proxmox.com> | ||
69 | Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> | ||
70 | Tested-by: simon.rowe@nutanix.com | ||
71 | Message-ID: <20230906130922.142845-1-f.ebner@proxmox.com> | ||
72 | Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> | ||
73 | |||
74 | Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/7d7512019fc40c577e2bdd61f114f31a9eb84a8e] | ||
75 | CVE: CVE-2023-5088 | ||
76 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
77 | --- | ||
78 | hw/ide/core.c | 14 +++++++------- | ||
79 | 1 file changed, 7 insertions(+), 7 deletions(-) | ||
80 | |||
81 | diff --git a/hw/ide/core.c b/hw/ide/core.c | ||
82 | index b5e0dcd29b2..63ba665f3d2 100644 | ||
83 | --- a/hw/ide/core.c | ||
84 | +++ b/hw/ide/core.c | ||
85 | @@ -2515,19 +2515,19 @@ static void ide_dummy_transfer_stop(IDEState *s) | ||
86 | |||
87 | void ide_bus_reset(IDEBus *bus) | ||
88 | { | ||
89 | - bus->unit = 0; | ||
90 | - bus->cmd = 0; | ||
91 | - ide_reset(&bus->ifs[0]); | ||
92 | - ide_reset(&bus->ifs[1]); | ||
93 | - ide_clear_hob(bus); | ||
94 | - | ||
95 | - /* pending async DMA */ | ||
96 | + /* pending async DMA - needs the IDEState before it is reset */ | ||
97 | if (bus->dma->aiocb) { | ||
98 | trace_ide_bus_reset_aio(); | ||
99 | blk_aio_cancel(bus->dma->aiocb); | ||
100 | bus->dma->aiocb = NULL; | ||
101 | } | ||
102 | |||
103 | + bus->unit = 0; | ||
104 | + bus->cmd = 0; | ||
105 | + ide_reset(&bus->ifs[0]); | ||
106 | + ide_reset(&bus->ifs[1]); | ||
107 | + ide_clear_hob(bus); | ||
108 | + | ||
109 | /* reset dma provider too */ | ||
110 | if (bus->dma->ops->reset) { | ||
111 | bus->dma->ops->reset(bus->dma); | ||
112 | -- | ||
113 | GitLab | ||
114 | |||
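Review bot: After the reorder, blk_aio_cancel() still runs ide_dma_cb() synchronously against the not-yet-reset IDEState, and the trace quoted in the commit message shows that callback issuing a fresh dma_blk_io() from inside the cancel; if ide_dma_cb() re-arms bus->dma->aiocb with that new request (the callback is outside this hunk, so this is inferred from the trace), the unconditional `bus->dma->aiocb = NULL;` on the next line discards the handle and ide_reset() then proceeds with an I/O still in flight. Consider re-reading `bus->dma->aiocb` after the cancel returns and cancelling again in a loop rather than clearing it blindly. A one-line comment such as `/* the completion callback may run here and read the device's lba/nsector; keep them intact until it has returned */` would also make the ordering constraint explicit for the next maintainer. The tail of ide_bus_reset() (the dma ops reset) lies outside this hunk.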
diff --git a/meta/recipes-devtools/qemu/qemu/hw-block-nvme-handle-dma-errors.patch b/meta/recipes-devtools/qemu/qemu/hw-block-nvme-handle-dma-errors.patch new file mode 100644 index 0000000000..0fdae8351a --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/hw-block-nvme-handle-dma-errors.patch | |||
@@ -0,0 +1,146 @@ | |||
1 | From ea2a7c7676d8eb9d1458eaa4b717df46782dcb3a Mon Sep 17 00:00:00 2001 | ||
2 | From: Gaurav Gupta <gauragup@cisco.com> | ||
3 | Date: Wed, 29 Mar 2023 14:07:17 -0700 | ||
4 | Subject: [PATCH 2/2] hw/block/nvme: handle dma errors | ||
5 | |||
6 | Handling DMA errors gracefully is required for the device to pass the | ||
7 | block/011 test ("disable PCI device while doing I/O") in the blktests | ||
8 | suite. | ||
9 | |||
10 | With this patch the device sets the Controller Fatal Status bit in the | ||
11 | CSTS register when failing to read from a submission queue or writing to | ||
12 | a completion queue; expecting the host to reset the controller. | ||
13 | |||
14 | If DMA errors occur at any other point in the execution of the command | ||
15 | (say, while mapping the PRPs), the command is aborted with a Data | ||
16 | Transfer Error status code. | ||
17 | |||
18 | Signed-off-by: Klaus Jensen <k.jensen@samsung.com> | ||
19 | Signed-off-by: Gaurav Gupta <gauragup@cisco.com> | ||
20 | --- | ||
21 | hw/block/nvme.c | 41 +++++++++++++++++++++++++++++++---------- | ||
22 | hw/block/trace-events | 3 +++ | ||
23 | 2 files changed, 34 insertions(+), 10 deletions(-) | ||
24 | |||
25 | diff --git a/hw/block/nvme.c b/hw/block/nvme.c | ||
26 | index e6f24a6..bda446d 100644 | ||
27 | --- a/hw/block/nvme.c | ||
28 | +++ b/hw/block/nvme.c | ||
29 | @@ -60,14 +60,14 @@ static bool nvme_addr_is_cmb(NvmeCtrl *n, hwaddr addr) | ||
30 | return addr >= low && addr < hi; | ||
31 | } | ||
32 | |||
33 | -static void nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size) | ||
34 | +static int nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size) | ||
35 | { | ||
36 | if (n->cmbsz && nvme_addr_is_cmb(n, addr)) { | ||
37 | memcpy(buf, (void *)&n->cmbuf[addr - n->ctrl_mem.addr], size); | ||
38 | - return; | ||
39 | + return 0; | ||
40 | } | ||
41 | |||
42 | - pci_dma_read(&n->parent_obj, addr, buf, size); | ||
43 | + return pci_dma_read(&n->parent_obj, addr, buf, size); | ||
44 | } | ||
45 | |||
46 | static int nvme_check_sqid(NvmeCtrl *n, uint16_t sqid) | ||
47 | @@ -152,6 +152,7 @@ static uint16_t nvme_map_prp(QEMUSGList *qsg, QEMUIOVector *iov, uint64_t prp1, | ||
48 | hwaddr trans_len = n->page_size - (prp1 % n->page_size); | ||
49 | trans_len = MIN(len, trans_len); | ||
50 | int num_prps = (len >> n->page_bits) + 1; | ||
51 | + int ret; | ||
52 | |||
53 | if (unlikely(!prp1)) { | ||
54 | trace_nvme_err_invalid_prp(); | ||
55 | @@ -178,7 +179,11 @@ static uint16_t nvme_map_prp(QEMUSGList *qsg, QEMUIOVector *iov, uint64_t prp1, | ||
56 | |||
57 | nents = (len + n->page_size - 1) >> n->page_bits; | ||
58 | prp_trans = MIN(n->max_prp_ents, nents) * sizeof(uint64_t); | ||
59 | - nvme_addr_read(n, prp2, (void *)prp_list, prp_trans); | ||
60 | + ret = nvme_addr_read(n, prp2, (void *)prp_list, prp_trans); | ||
61 | + if (ret) { | ||
62 | + trace_pci_nvme_err_addr_read(prp2); | ||
63 | + return NVME_DATA_TRAS_ERROR; | ||
64 | + } | ||
65 | while (len != 0) { | ||
66 | uint64_t prp_ent = le64_to_cpu(prp_list[i]); | ||
67 | |||
68 | @@ -191,8 +196,12 @@ static uint16_t nvme_map_prp(QEMUSGList *qsg, QEMUIOVector *iov, uint64_t prp1, | ||
69 | i = 0; | ||
70 | nents = (len + n->page_size - 1) >> n->page_bits; | ||
71 | prp_trans = MIN(n->max_prp_ents, nents) * sizeof(uint64_t); | ||
72 | - nvme_addr_read(n, prp_ent, (void *)prp_list, | ||
73 | - prp_trans); | ||
74 | + ret = nvme_addr_read(n, prp_ent, (void *)prp_list, | ||
75 | + prp_trans); | ||
76 | + if (ret) { | ||
77 | + trace_pci_nvme_err_addr_read(prp_ent); | ||
78 | + return NVME_DATA_TRAS_ERROR; | ||
79 | + } | ||
80 | prp_ent = le64_to_cpu(prp_list[i]); | ||
81 | } | ||
82 | |||
83 | @@ -286,6 +295,7 @@ static void nvme_post_cqes(void *opaque) | ||
84 | NvmeCQueue *cq = opaque; | ||
85 | NvmeCtrl *n = cq->ctrl; | ||
86 | NvmeRequest *req, *next; | ||
87 | + int ret; | ||
88 | |||
89 | QTAILQ_FOREACH_SAFE(req, &cq->req_list, entry, next) { | ||
90 | NvmeSQueue *sq; | ||
91 | @@ -295,15 +305,21 @@ static void nvme_post_cqes(void *opaque) | ||
92 | break; | ||
93 | } | ||
94 | |||
95 | - QTAILQ_REMOVE(&cq->req_list, req, entry); | ||
96 | sq = req->sq; | ||
97 | req->cqe.status = cpu_to_le16((req->status << 1) | cq->phase); | ||
98 | req->cqe.sq_id = cpu_to_le16(sq->sqid); | ||
99 | req->cqe.sq_head = cpu_to_le16(sq->head); | ||
100 | addr = cq->dma_addr + cq->tail * n->cqe_size; | ||
101 | + ret = pci_dma_write(&n->parent_obj, addr, (void *)&req->cqe, | ||
102 | + sizeof(req->cqe)); | ||
103 | + if (ret) { | ||
104 | + trace_pci_nvme_err_addr_write(addr); | ||
105 | + trace_pci_nvme_err_cfs(); | ||
106 | + n->bar.csts = NVME_CSTS_FAILED; | ||
107 | + break; | ||
108 | + } | ||
109 | + QTAILQ_REMOVE(&cq->req_list, req, entry); | ||
110 | nvme_inc_cq_tail(cq); | ||
111 | - pci_dma_write(&n->parent_obj, addr, (void *)&req->cqe, | ||
112 | - sizeof(req->cqe)); | ||
113 | QTAILQ_INSERT_TAIL(&sq->req_list, req, entry); | ||
114 | } | ||
115 | if (cq->tail != cq->head) { | ||
116 | @@ -888,7 +904,12 @@ static void nvme_process_sq(void *opaque) | ||
117 | |||
118 | while (!(nvme_sq_empty(sq) || QTAILQ_EMPTY(&sq->req_list))) { | ||
119 | addr = sq->dma_addr + sq->head * n->sqe_size; | ||
120 | - nvme_addr_read(n, addr, (void *)&cmd, sizeof(cmd)); | ||
121 | + if (nvme_addr_read(n, addr, (void *)&cmd, sizeof(cmd))) { | ||
122 | + trace_pci_nvme_err_addr_read(addr); | ||
123 | + trace_pci_nvme_err_cfs(); | ||
124 | + n->bar.csts = NVME_CSTS_FAILED; | ||
125 | + break; | ||
126 | + } | ||
127 | nvme_inc_sq_head(sq); | ||
128 | |||
129 | req = QTAILQ_FIRST(&sq->req_list); | ||
130 | diff --git a/hw/block/trace-events b/hw/block/trace-events | ||
131 | index c03e80c..4e4ad4e 100644 | ||
132 | --- a/hw/block/trace-events | ||
133 | +++ b/hw/block/trace-events | ||
134 | @@ -60,6 +60,9 @@ nvme_mmio_shutdown_set(void) "shutdown bit set" | ||
135 | nvme_mmio_shutdown_cleared(void) "shutdown bit cleared" | ||
136 | |||
137 | # nvme traces for error conditions | ||
138 | +pci_nvme_err_addr_read(uint64_t addr) "addr 0x%"PRIx64"" | ||
139 | +pci_nvme_err_addr_write(uint64_t addr) "addr 0x%"PRIx64"" | ||
140 | +pci_nvme_err_cfs(void) "controller fatal status" | ||
141 | nvme_err_invalid_dma(void) "PRP/SGL is too small for transfer size" | ||
142 | nvme_err_invalid_prplist_ent(uint64_t prplist) "PRP list entry is null or not page aligned: 0x%"PRIx64"" | ||
143 | nvme_err_invalid_prp2_align(uint64_t prp2) "PRP2 is not page aligned: 0x%"PRIx64"" | ||
144 | -- | ||
145 | 1.8.3.1 | ||
146 | |||
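Review bot: This patch header has no `Upstream-Status:` line (the other patches in this series all carry one, e.g. `Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/<sha>]`), and with a cisco.com From: and a Samsung Signed-off-by first, the upstream commit it was derived from is not recorded; the layer's patch-status QA check, where enabled, will flag it, and reviewers cannot compare it against upstream. On the code, the early `break` in nvme_post_cqes() on a failed pci_dma_write() deliberately leaves `req` at the head of cq->req_list with cq->tail un-advanced, which matches the controller-fatal behaviour described in the message, but a comment such as `/* CFS set: leave the CQE unposted, the host is expected to reset the controller */` would mark that as intentional rather than an oversight. The new trace points use a `pci_nvme_err_` prefix while the neighbouring events in the same file use `nvme_err_`, so the file now mixes two naming schemes.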
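--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/hw-block-nvme-refactor-nvme_addr_read.patch
@@ -0,0 +1,55 @@
+From 55428706d5b0b8889b8e009eac77137bb556a4f0 Mon Sep 17 00:00:00 2001
+From: Klaus Jensen <k.jensen@samsung.com>
+Date: Tue, 9 Jun 2020 21:03:17 +0200
+Subject: [PATCH 1/2] hw/block/nvme: refactor nvme_addr_read
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Pull the controller memory buffer check to its own function. The check
+will be used on its own in later patches.
+
+Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Message-Id: <20200609190333.59390-7-its@irrelevant.dk>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+---
+hw/block/nvme.c | 16 ++++++++++++----
+1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/hw/block/nvme.c b/hw/block/nvme.c
+index 12d8254..e6f24a6 100644
+--- a/hw/block/nvme.c
++++ b/hw/block/nvme.c
+@@ -52,14 +52,22 @@
+
+static void nvme_process_sq(void *opaque);
+
++static bool nvme_addr_is_cmb(NvmeCtrl *n, hwaddr addr)
++{
++ hwaddr low = n->ctrl_mem.addr;
++ hwaddr hi = n->ctrl_mem.addr + int128_get64(n->ctrl_mem.size);
++
++ return addr >= low && addr < hi;
++}
++
+static void nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size)
+{
+- if (n->cmbsz && addr >= n->ctrl_mem.addr &&
+- addr < (n->ctrl_mem.addr + int128_get64(n->ctrl_mem.size))) {
++ if (n->cmbsz && nvme_addr_is_cmb(n, addr)) {
+memcpy(buf, (void *)&n->cmbuf[addr - n->ctrl_mem.addr], size);
+- } else {
+- pci_dma_read(&n->parent_obj, addr, buf, size);
++ return;
+}
++
++ pci_dma_read(&n->parent_obj, addr, buf, size);
+}
+
+static int nvme_check_sqid(NvmeCtrl *n, uint16_t sqid)
+--
+1.8.3.1
+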
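Review bot: nvme_addr_is_cmb() checks only the first byte of the access, so nvme_addr_read() will memcpy `size` bytes out of n->cmbuf as soon as `addr` alone falls inside the CMB window; a guest that places a PRP list or a queue entry within the last few bytes of the CMB gets a read that runs past the end of cmbuf (the pre-existing condition had the same gap, but this patch is where the helper is introduced and it is reused by the following "handle dma errors" patch). The check should cover the whole range, e.g. `if (n->cmbsz && nvme_addr_is_cmb(n, addr) && nvme_addr_is_cmb(n, addr + size - 1))`, so that a straddling access falls back to pci_dma_read() instead of reading host memory, with the non-void variant in the next patch returning an error for an `addr + size` that wraps. Please also add the missing `Upstream-Status:` line to this patch header, as the other patches in the series have.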
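--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch
@@ -0,0 +1,236 @@
+From 5a44a01c9eca6507be45d107c27377a3e8d0ee8c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>
+Date: Mon, 28 Nov 2022 21:27:39 +0100
+Subject: [PATCH] hw/display/qxl: Pass requested buffer size to qxl_phys2virt()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently qxl_phys2virt() doesn't check for buffer overrun.
+In order to do so in the next commit, pass the buffer size
+as argument.
+
+For QXLCursor in qxl_render_cursor() -> qxl_cursor() we
+verify the size of the chunked data ahead, checking we can
+access 'sizeof(QXLCursor) + chunk->data_size' bytes.
+Since in the SPICE_CURSOR_TYPE_MONO case the cursor is
+assumed to fit in one chunk, no change are required.
+In SPICE_CURSOR_TYPE_ALPHA the ahead read is handled in
+qxl_unpack_chunks().
+
+Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20221128202741.4945-4-philmd@linaro.org>
+
+Backport and rebase patch to fix compile error which imported by CVE-2022-4144.patch:
+
+/qxl.c: In function 'qxl_phys2virt':
+| /home/hitendra/work/yocto-work/cgx-data/dunfell-3.1/x86-generic-64-5.4-3.1-cgx/project/tmp/work/i586-montavistamllib32-linux/lib32-qemu/4.2.0-r0.8/qemu-4.2.0/hw/display/qxl.c:1508:67: error: 'size' undeclared (first use in this function); did you mean 'gsize'?
+| 1508 | if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size)) {
+| | ^~~~
+| | gsize
+
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/61c34fc && https://gitlab.com/qemu-project/qemu/-/commit/8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f]
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+hw/display/qxl-logger.c | 22 +++++++++++++++++++---
+hw/display/qxl-render.c | 20 ++++++++++++++++----
+hw/display/qxl.c | 17 +++++++++++------
+hw/display/qxl.h | 3 ++-
+4 files changed, 48 insertions(+), 14 deletions(-)
+
+diff --git a/hw/display/qxl-logger.c b/hw/display/qxl-logger.c
+index 2ec6d8fa..031ddfec 100644
+--- a/hw/display/qxl-logger.c
++++ b/hw/display/qxl-logger.c
+@@ -106,7 +106,7 @@ static int qxl_log_image(PCIQXLDevice *qxl, QXLPHYSICAL addr, int group_id)
+QXLImage *image;
+QXLImageDescriptor *desc;
+
+- image = qxl_phys2virt(qxl, addr, group_id);
++ image = qxl_phys2virt(qxl, addr, group_id, sizeof(QXLImage));
+if (!image) {
+return 1;
+}
+@@ -216,7 +216,8 @@ int qxl_log_cmd_cursor(PCIQXLDevice *qxl, QXLCursorCmd *cmd, int group_id)
+cmd->u.set.position.y,
+cmd->u.set.visible ? "yes" : "no",
+cmd->u.set.shape);
+- cursor = qxl_phys2virt(qxl, cmd->u.set.shape, group_id);
++ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, group_id,
++ sizeof(QXLCursor));
+if (!cursor) {
+return 1;
+}
+@@ -238,6 +239,7 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext)
+{
+bool compat = ext->flags & QXL_COMMAND_FLAG_COMPAT;
+void *data;
++ size_t datasz;
+int ret;
+
+if (!qxl->cmdlog) {
+@@ -249,7 +251,20 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext)
+qxl_name(qxl_type, ext->cmd.type),
+compat ? "(compat)" : "");
+
+- data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
++ switch (ext->cmd.type) {
++ case QXL_CMD_DRAW:
++ datasz = compat ? sizeof(QXLCompatDrawable) : sizeof(QXLDrawable);
++ break;
++ case QXL_CMD_SURFACE:
++ datasz = sizeof(QXLSurfaceCmd);
++ break;
++ case QXL_CMD_CURSOR:
++ datasz = sizeof(QXLCursorCmd);
++ break;
++ default:
++ goto out;
++ }
++ data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id, datasz);
+if (!data) {
+return 1;
+}
+@@ -271,6 +286,7 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext)
+qxl_log_cmd_cursor(qxl, data, ext->group_id);
+break;
+}
++out:
+fprintf(stderr, "\n");
+return 0;
+}
+diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+index d532e157..a65a6d64 100644
+--- a/hw/display/qxl-render.c
++++ b/hw/display/qxl-render.c
+@@ -107,7 +107,9 @@ static void qxl_render_update_area_unlocked(PCIQXLDevice *qxl)
+qxl->guest_primary.resized = 0;
+qxl->guest_primary.data = qxl_phys2virt(qxl,
+qxl->guest_primary.surface.mem,
+- MEMSLOT_GROUP_GUEST);
++ MEMSLOT_GROUP_GUEST,
++ qxl->guest_primary.abs_stride
++ * height);
+if (!qxl->guest_primary.data) {
+return;
+}
+@@ -222,7 +224,8 @@ static void qxl_unpack_chunks(void *dest, size_t size, PCIQXLDevice *qxl,
+if (offset == size) {
+return;
+}
+- chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id);
++ chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id,
++ sizeof(QXLDataChunk) + chunk->data_size);
+if (!chunk) {
+return;
+}
+@@ -289,7 +292,8 @@ fail:
+/* called from spice server thread context only */
+int qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext)
+{
+- QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
++ QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id,
++ sizeof(QXLCursorCmd));
+QXLCursor *cursor;
+QEMUCursor *c;
+
+@@ -308,7 +312,15 @@ int qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext)
+}
+switch (cmd->type) {
+case QXL_CURSOR_SET:
+- cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id);
++ /* First read the QXLCursor to get QXLDataChunk::data_size ... */
++ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id,
++ sizeof(QXLCursor));
++ if (!cursor) {
++ return 1;
++ }
++ /* Then read including the chunked data following QXLCursor. */
++ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id,
++ sizeof(QXLCursor) + cursor->chunk.data_size);
+if (!cursor) {
+return 1;
+}
+diff --git a/hw/display/qxl.c b/hw/display/qxl.c
+index 6bc8385b..858d3e93 100644
+--- a/hw/display/qxl.c
++++ b/hw/display/qxl.c
+@@ -275,7 +275,8 @@ static void qxl_spice_monitors_config_async(PCIQXLDevice *qxl, int replay)
+QXL_IO_MONITORS_CONFIG_ASYNC));
+}
+
+- cfg = qxl_phys2virt(qxl, qxl->guest_monitors_config, MEMSLOT_GROUP_GUEST);
++ cfg = qxl_phys2virt(qxl, qxl->guest_monitors_config, MEMSLOT_GROUP_GUEST,
++ sizeof(QXLMonitorsConfig));
+if (cfg != NULL && cfg->count == 1) {
+qxl->guest_primary.resized = 1;
+qxl->guest_head0_width = cfg->heads[0].width;
+@@ -460,7 +461,8 @@ static int qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext)
+switch (le32_to_cpu(ext->cmd.type)) {
+case QXL_CMD_SURFACE:
+{
+- QXLSurfaceCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
++ QXLSurfaceCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id,
++ sizeof(QXLSurfaceCmd));
+
+if (!cmd) {
+return 1;
+@@ -494,7 +496,8 @@ static int qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext)
+}
+case QXL_CMD_CURSOR:
+{
+- QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
++ QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id,
++ sizeof(QXLCursorCmd));
+
+if (!cmd) {
+return 1;
+@@ -674,7 +677,8 @@ static int interface_get_command(QXLInstance *sin, struct QXLCommandExt *ext)
+*
+* https://cgit.freedesktop.org/spice/win32/qxl-wddm-dod/commit/?id=f6e099db39e7d0787f294d5fd0dce328b5210faa
+*/
+- void *msg = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
++ void *msg = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id,
++ sizeof(QXLCommandRing));
+if (msg != NULL && (
+msg < (void *)qxl->vga.vram_ptr ||
+msg > ((void *)qxl->vga.vram_ptr + qxl->vga.vram_size))) {
+@@ -1494,7 +1498,8 @@ static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
+}
+
+/* can be also called from spice server thread context */
+-void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id)
++void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id,
++ size_t size)
+{
+uint64_t offset;
+uint32_t slot;
+@@ -1994,7 +1999,7 @@ static void qxl_dirty_surfaces(PCIQXLDevice *qxl)
+}
+
+cmd = qxl_phys2virt(qxl, qxl->guest_surfaces.cmds[i],
+- MEMSLOT_GROUP_GUEST);
++ MEMSLOT_GROUP_GUEST, sizeof(QXLSurfaceCmd));
+assert(cmd);
+assert(cmd->type == QXL_SURFACE_CMD_CREATE);
+qxl_dirty_one_surface(qxl, cmd->u.surface_create.data,
+diff --git a/hw/display/qxl.h b/hw/display/qxl.h
+index 80eb0d26..fcfd133a 100644
+--- a/hw/display/qxl.h
++++ b/hw/display/qxl.h
+@@ -147,7 +147,8 @@ typedef struct PCIQXLDevice {
+#define QXL_DEFAULT_REVISION QXL_REVISION_STABLE_V12
+
+/* qxl.c */
+-void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id);
++void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id,
++ size_t size);
+void qxl_set_guest_bug(PCIQXLDevice *qxl, const char *msg, ...)
+GCC_FMT_ATTR(2, 3);
+
+--
+2.25.1
+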
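Review bot: In the qxl-render.c hunk the bound passed at `chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id, sizeof(QXLDataChunk) + chunk->data_size);` is taken from the chunk being left, not the chunk being mapped, so a successor whose guest-supplied data_size is larger than its predecessor's is validated against a shorter length than the bytes the loop then copies out of it (the copy itself is outside the hunk). The qxl_render_cursor hunk already shows the safer shape — map the header alone, then re-map with that header's own data_size — and qxl_unpack_chunks can do the same; the patch is tagged as a backport, so this presumably mirrors upstream rather than being a rebase error, but it deserves a line in the patch header. Note also that `qxl_phys2virt` only gains the `size` parameter here without using it; the check that consumes it lives in CVE-2022-4144.patch, which therefore has to be applied after this patch or the compile error quoted in the commit message returns. qxl_unpack_chunks and qxl_phys2virt both begin and end outside their hunks.
```c
    /* … unchanged: offset == size early return … */
    QXLPHYSICAL next = chunk->next_chunk;
    /* Map the header first so the bound below uses the *next* chunk's data_size. */
    chunk = qxl_phys2virt(qxl, next, group_id, sizeof(QXLDataChunk));
    if (!chunk) {
        return;
    }
    chunk = qxl_phys2virt(qxl, next, group_id,
                          sizeof(QXLDataChunk) + chunk->data_size);
    if (!chunk) {
        return;
    }
```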
diff --git a/meta/recipes-devtools/qemu/qemu_4.2.0.bb b/meta/recipes-devtools/qemu/qemu_4.2.0.bb index 9c76144749..05449afe4e 100644 --- a/meta/recipes-devtools/qemu/qemu_4.2.0.bb +++ b/meta/recipes-devtools/qemu/qemu_4.2.0.bb | |||
@@ -24,7 +24,8 @@ do_install_append_class-nativesdk() { | |||
24 | } | 24 | } |
25 | 25 | ||
26 | PACKAGECONFIG ??= " \ | 26 | PACKAGECONFIG ??= " \ |
27 | fdt sdl kvm \ | 27 | fdt sdl kvm slirp \ |
28 | ${@bb.utils.filter('DISTRO_FEATURES', 'alsa xen', d)} \ | 28 | ${@bb.utils.filter('DISTRO_FEATURES', 'alsa xen', d)} \ |
29 | ${@bb.utils.filter('DISTRO_FEATURES', 'seccomp', d)} \ | ||
29 | " | 30 | " |
30 | PACKAGECONFIG_class-nativesdk ??= "fdt sdl kvm" | 31 | PACKAGECONFIG:class-nativesdk ??= "fdt sdl kvm slirp" |
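Review bot: The new `PACKAGECONFIG:class-nativesdk ??= "fdt sdl kvm slirp"` switches the override separator from the `_` used on the old side of the same line to `:`. Unless the bitbake in use understands the colon override syntax, that line defines a plain variable literally named `PACKAGECONFIG:class-nativesdk`, no parse error is raised, and the nativesdk build silently falls back to the default PACKAGECONFIG above, including the DISTRO_FEATURES-driven `alsa xen` and `seccomp` options it was meant to exclude. If the rest of the layer still uses underscore overrides, keep `PACKAGECONFIG_class-nativesdk ??= "fdt sdl kvm slirp"`; if it has been converted, the old-side spelling suggests this file was only partially converted and its other override assignments should be checked as well.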