From 1b52dc06632a0a958bdfb30cf75cfa2dbbf426e8 Mon Sep 17 00:00:00 2001 From: Vijay Anusuri Date: Mon, 11 Sep 2023 12:09:27 +0530 Subject: qemu: Backport fix for CVE-2023-0330 A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free. Summary of the problem from Peter Maydell: https://lore.kernel.org/qemu-devel/CAFEAcA_23vc7hE3iaM-JVA6W38LK4hJoWae5KcknhPRD5fPBZA@mail.gmail.com Reference: https://gitlab.com/qemu-project/qemu/-/issues/556 qemu.git$ git log --no-merges --oneline --grep CVE-2023-0330 b987718bbb hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller (CVE-2023-0330) a2e1753b80 memory: prevent dma-reentracy issues Included second commit as well as commit log of a2e1753b80 says it resolves CVE-2023-0330 (From OE-Core rev: 45ce9885351a2344737170e6e810dc67ab3e7ea9) Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- meta/recipes-devtools/qemu/qemu.inc | 3 +- .../recipes-devtools/qemu/qemu/CVE-2023-0330.patch | 77 ------------ .../qemu/qemu/CVE-2023-0330_1.patch | 77 ++++++++++++ .../qemu/qemu/CVE-2023-0330_2.patch | 135 +++++++++++++++++++++ 4 files changed, 214 insertions(+), 78 deletions(-) delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-0330_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 3789d77046..2669ba4ec8 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -137,7 +137,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3409-4.patch \ file://CVE-2021-3409-5.patch \ file://hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \ - file://CVE-2023-0330.patch \ + file://CVE-2023-0330_1.patch \ + file://CVE-2023-0330_2.patch \ file://CVE-2023-3354.patch \ file://CVE-2023-3180.patch \ " diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch deleted file mode 100644 index 26e22b4c31..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch +++ /dev/null @@ -1,77 +0,0 @@ -[Ubuntu note: remove fuzz-lsi53c895a-test.c changes since the file does not - exist for this release] -From b987718bbb1d0eabf95499b976212dd5f0120d75 Mon Sep 17 00:00:00 2001 -From: Thomas Huth -Date: Mon, 22 May 2023 11:10:11 +0200 -Subject: [PATCH] hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI - controller (CVE-2023-0330) - -We cannot use the generic reentrancy guard in the LSI code, so -we have to manually prevent endless reentrancy here. The problematic -lsi_execute_script() function has already a way to detect whether -too many instructions have been executed - we just have to slightly -change the logic here that it also takes into account if the function -has been called too often in a reentrant way. - -The code in fuzz-lsi53c895a-test.c has been taken from an earlier -patch by Mauro Matteo Cascella. - -Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1563 -Message-Id: <20230522091011.1082574-1-thuth@redhat.com> -Reviewed-by: Stefan Hajnoczi -Reviewed-by: Alexander Bulekov -Signed-off-by: Thomas Huth - -Reference: https://launchpad.net/ubuntu/+source/qemu/1:4.2-3ubuntu6.27 - -Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2023-0330.patch?h=ubuntu/focal-security -Upstream commit https://gitlab.com/qemu-project/qemu/-/commit/b987718bbb1d0eabf95499b976212dd5f0120d75] -CVE: CVE-2023-0330 -Signed-off-by: Vijay Anusuri ---- - hw/scsi/lsi53c895a.c | 23 +++++++++++++++------ - tests/qtest/fuzz-lsi53c895a-test.c | 33 ++++++++++++++++++++++++++++++ - 2 files changed, 50 insertions(+), 6 deletions(-) - ---- qemu-4.2.orig/hw/scsi/lsi53c895a.c -+++ qemu-4.2/hw/scsi/lsi53c895a.c -@@ -1135,15 +1135,24 @@ static void lsi_execute_script(LSIState - uint32_t addr, addr_high; - int opcode; - int insn_processed = 0; -+ static int reentrancy_level; -+ -+ reentrancy_level++; - - s->istat1 |= LSI_ISTAT1_SRUN; - again: -- if (++insn_processed > LSI_MAX_INSN) { -- /* Some windows drivers make the device spin waiting for a memory -- location to change. If we have been executed a lot of code then -- assume this is the case and force an unexpected device disconnect. -- This is apparently sufficient to beat the drivers into submission. -- */ -+ /* -+ * Some windows drivers make the device spin waiting for a memory location -+ * to change. If we have executed more than LSI_MAX_INSN instructions then -+ * assume this is the case and force an unexpected device disconnect. This -+ * is apparently sufficient to beat the drivers into submission. -+ * -+ * Another issue (CVE-2023-0330) can occur if the script is programmed to -+ * trigger itself again and again. Avoid this problem by stopping after -+ * being called multiple times in a reentrant way (8 is an arbitrary value -+ * which should be enough for all valid use cases). -+ */ -+ if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) { - if (!(s->sien0 & LSI_SIST0_UDC)) { - qemu_log_mask(LOG_GUEST_ERROR, - "lsi_scsi: inf. loop with UDC masked"); -@@ -1597,6 +1606,8 @@ again: - } - } - trace_lsi_execute_script_stop(); -+ -+ reentrancy_level--; - } - - static uint8_t lsi_reg_readb(LSIState *s, int offset) diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_1.patch new file mode 100644 index 0000000000..26e22b4c31 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_1.patch @@ -0,0 +1,77 @@ +[Ubuntu note: remove fuzz-lsi53c895a-test.c changes since the file does not + exist for this release] +From b987718bbb1d0eabf95499b976212dd5f0120d75 Mon Sep 17 00:00:00 2001 +From: Thomas Huth +Date: Mon, 22 May 2023 11:10:11 +0200 +Subject: [PATCH] hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI + controller (CVE-2023-0330) + +We cannot use the generic reentrancy guard in the LSI code, so +we have to manually prevent endless reentrancy here. The problematic +lsi_execute_script() function has already a way to detect whether +too many instructions have been executed - we just have to slightly +change the logic here that it also takes into account if the function +has been called too often in a reentrant way. + +The code in fuzz-lsi53c895a-test.c has been taken from an earlier +patch by Mauro Matteo Cascella. + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1563 +Message-Id: <20230522091011.1082574-1-thuth@redhat.com> +Reviewed-by: Stefan Hajnoczi +Reviewed-by: Alexander Bulekov +Signed-off-by: Thomas Huth + +Reference: https://launchpad.net/ubuntu/+source/qemu/1:4.2-3ubuntu6.27 + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2023-0330.patch?h=ubuntu/focal-security +Upstream commit https://gitlab.com/qemu-project/qemu/-/commit/b987718bbb1d0eabf95499b976212dd5f0120d75] +CVE: CVE-2023-0330 +Signed-off-by: Vijay Anusuri +--- + hw/scsi/lsi53c895a.c | 23 +++++++++++++++------ + tests/qtest/fuzz-lsi53c895a-test.c | 33 ++++++++++++++++++++++++++++++ + 2 files changed, 50 insertions(+), 6 deletions(-) + +--- qemu-4.2.orig/hw/scsi/lsi53c895a.c ++++ qemu-4.2/hw/scsi/lsi53c895a.c +@@ -1135,15 +1135,24 @@ static void lsi_execute_script(LSIState + uint32_t addr, addr_high; + int opcode; + int insn_processed = 0; ++ static int reentrancy_level; ++ ++ reentrancy_level++; + + s->istat1 |= LSI_ISTAT1_SRUN; + again: +- if (++insn_processed > LSI_MAX_INSN) { +- /* Some windows drivers make the device spin waiting for a memory +- location to change. If we have been executed a lot of code then +- assume this is the case and force an unexpected device disconnect. +- This is apparently sufficient to beat the drivers into submission. +- */ ++ /* ++ * Some windows drivers make the device spin waiting for a memory location ++ * to change. If we have executed more than LSI_MAX_INSN instructions then ++ * assume this is the case and force an unexpected device disconnect. This ++ * is apparently sufficient to beat the drivers into submission. ++ * ++ * Another issue (CVE-2023-0330) can occur if the script is programmed to ++ * trigger itself again and again. Avoid this problem by stopping after ++ * being called multiple times in a reentrant way (8 is an arbitrary value ++ * which should be enough for all valid use cases). ++ */ ++ if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) { + if (!(s->sien0 & LSI_SIST0_UDC)) { + qemu_log_mask(LOG_GUEST_ERROR, + "lsi_scsi: inf. loop with UDC masked"); +@@ -1597,6 +1606,8 @@ again: + } + } + trace_lsi_execute_script_stop(); ++ ++ reentrancy_level--; + } + + static uint8_t lsi_reg_readb(LSIState *s, int offset) diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch new file mode 100644 index 0000000000..3b45bc0411 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch @@ -0,0 +1,135 @@ +From a2e1753b8054344f32cf94f31c6399a58794a380 Mon Sep 17 00:00:00 2001 +From: Alexander Bulekov +Date: Thu, 27 Apr 2023 17:10:06 -0400 +Subject: [PATCH] memory: prevent dma-reentracy issues + +Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA. +This flag is set/checked prior to calling a device's MemoryRegion +handlers, and set when device code initiates DMA. The purpose of this +flag is to prevent two types of DMA-based reentrancy issues: + +1.) mmio -> dma -> mmio case +2.) bh -> dma write -> mmio case + +These issues have led to problems such as stack-exhaustion and +use-after-frees. + +Summary of the problem from Peter Maydell: +https://lore.kernel.org/qemu-devel/CAFEAcA_23vc7hE3iaM-JVA6W38LK4hJoWae5KcknhPRD5fPBZA@mail.gmail.com + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/62 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/540 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/541 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/556 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/557 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/827 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282 +Resolves: CVE-2023-0330 + +Signed-off-by: Alexander Bulekov +Reviewed-by: Thomas Huth +Message-Id: <20230427211013.2994127-2-alxndr@bu.edu> +[thuth: Replace warn_report() with warn_report_once()] +Signed-off-by: Thomas Huth + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/a2e1753b8054344f32cf94f31c6399a58794a380] +CVE: CVE-2023-0330 +Signed-off-by: Vijay Anusuri +--- + include/exec/memory.h | 5 +++++ + include/hw/qdev-core.h | 7 +++++++ + memory.c | 16 ++++++++++++++++ + 3 files changed, 28 insertions(+) + +diff --git a/include/exec/memory.h b/include/exec/memory.h +index 2b8bccdd..0c8cdb8e 100644 +--- a/include/exec/memory.h ++++ b/include/exec/memory.h +@@ -378,6 +378,8 @@ struct MemoryRegion { + bool is_iommu; + RAMBlock *ram_block; + Object *owner; ++ /* owner as TYPE_DEVICE. Used for re-entrancy checks in MR access hotpath */ ++ DeviceState *dev; + + const MemoryRegionOps *ops; + void *opaque; +@@ -400,6 +402,9 @@ struct MemoryRegion { + const char *name; + unsigned ioeventfd_nb; + MemoryRegionIoeventfd *ioeventfds; ++ ++ /* For devices designed to perform re-entrant IO into their own IO MRs */ ++ bool disable_reentrancy_guard; + }; + + struct IOMMUMemoryRegion { +diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h +index 1518495b..206f0a70 100644 +--- a/include/hw/qdev-core.h ++++ b/include/hw/qdev-core.h +@@ -138,6 +138,10 @@ struct NamedGPIOList { + QLIST_ENTRY(NamedGPIOList) node; + }; + ++typedef struct { ++ bool engaged_in_io; ++} MemReentrancyGuard; ++ + /** + * DeviceState: + * @realized: Indicates whether the device has been fully constructed. +@@ -163,6 +167,9 @@ struct DeviceState { + int num_child_bus; + int instance_id_alias; + int alias_required_for_version; ++ ++ /* Is the device currently in mmio/pio/dma? Used to prevent re-entrancy */ ++ MemReentrancyGuard mem_reentrancy_guard; + }; + + struct DeviceListener { +diff --git a/memory.c b/memory.c +index 8cafb86a..94ebcaf9 100644 +--- a/memory.c ++++ b/memory.c +@@ -531,6 +531,18 @@ static MemTxResult access_with_adjusted_size(hwaddr addr, + access_size_max = 4; + } + ++ /* Do not allow more than one simultaneous access to a device's IO Regions */ ++ if (mr->dev && !mr->disable_reentrancy_guard && ++ !mr->ram_device && !mr->ram && !mr->rom_device && !mr->readonly) { ++ if (mr->dev->mem_reentrancy_guard.engaged_in_io) { ++ warn_report_once("Blocked re-entrant IO on MemoryRegion: " ++ "%s at addr: 0x%" HWADDR_PRIX, ++ memory_region_name(mr), addr); ++ return MEMTX_ACCESS_ERROR; ++ } ++ mr->dev->mem_reentrancy_guard.engaged_in_io = true; ++ } ++ + /* FIXME: support unaligned access? */ + access_size = MAX(MIN(size, access_size_max), access_size_min); + access_mask = MAKE_64BIT_MASK(0, access_size * 8); +@@ -545,6 +557,9 @@ static MemTxResult access_with_adjusted_size(hwaddr addr, + access_mask, attrs); + } + } ++ if (mr->dev) { ++ mr->dev->mem_reentrancy_guard.engaged_in_io = false; ++ } + return r; + } + +@@ -1132,6 +1147,7 @@ static void memory_region_do_init(MemoryRegion *mr, + } + mr->name = g_strdup(name); + mr->owner = owner; ++ mr->dev = (DeviceState *) object_dynamic_cast(mr->owner, TYPE_DEVICE); + mr->ram_block = NULL; + + if (name) { +-- +2.25.1 + -- cgit v1.2.3-54-g00ecf