qemu: backport Debian patch to fix CVE-2023-0330

import patch from ubuntu to fix CVE-2023-0330 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches?h=ubuntu/jammy-security Upstream commit https://gitlab.com/qemu-project/qemu/-/commit/b987718bbb1d0eabf95499b976212dd5f0120d75] (From OE-Core rev: aae5bf06ad3c67386544f9da55aa21fbf32c3418) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2023-07-18 11:31:04 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-07-26 05:20:36 -1000
commit: 81874924a71fb6061ae1eb27186bab8f74dea60c (patch)
tree: 59e37adfcfa61f67c601ae0226df87cc0d2c29ad
parent: cc3287637c30080333d89a368e40473dfffb2fb7 (diff)
download: poky-81874924a71fb6061ae1eb27186bab8f74dea60c.tar.gz
2 files changed, 76 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 7f2b52fa88..c6c6e49ebf 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -93,6 +93,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2022-4144.patch \
           file://0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch \
           file://0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \
+           file://CVE-2023-0330.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
new file mode 100644
index 0000000000..025075fd6d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
@@ -0,0 +1,75 @@
+[Ubuntu note: remove fuzz-lsi53c895a-test.c changes since the file does not
+ exist for this release]
+From b987718bbb1d0eabf95499b976212dd5f0120d75 Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Mon, 22 May 2023 11:10:11 +0200
+Subject: [PATCH] hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI
+ controller (CVE-2023-0330)
+We cannot use the generic reentrancy guard in the LSI code, so
+we have to manually prevent endless reentrancy here. The problematic
+lsi_execute_script() function has already a way to detect whether
+too many instructions have been executed - we just have to slightly
+change the logic here that it also takes into account if the function
+has been called too often in a reentrant way.
+The code in fuzz-lsi53c895a-test.c has been taken from an earlier
+patch by Mauro Matteo Cascella.
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1563
+Message-Id: <20230522091011.1082574-1-thuth@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2023-0330.patch?h=ubuntu/jammy-security
+Upstream commit https://gitlab.com/qemu-project/qemu/-/commit/b987718bbb1d0eabf95499b976212dd5f0120d75]
+CVE: CVE-2023-0330
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ hw/scsi/lsi53c895a.c               | 23 +++++++++++++++------
+ tests/qtest/fuzz-lsi53c895a-test.c | 33 ++++++++++++++++++++++++++++++
+ 2 files changed, 50 insertions(+), 6 deletions(-)
+--- qemu-6.2+dfsg.orig/hw/scsi/lsi53c895a.c
+++ qemu-6.2+dfsg/hw/scsi/lsi53c895a.c
+@@ -1135,15 +1135,24 @@ static void lsi_execute_script(LSIState
+     uint32_t addr, addr_high;
+     int opcode;
+     int insn_processed = 0;
+    static int reentrancy_level;
+
+    reentrancy_level++;
+ 
+     s->istat1 |= LSI_ISTAT1_SRUN;
+ again:
+-    if (++insn_processed > LSI_MAX_INSN) {
+-        /* Some windows drivers make the device spin waiting for a memory
+-           location to change.  If we have been executed a lot of code then
+-           assume this is the case and force an unexpected device disconnect.
+-           This is apparently sufficient to beat the drivers into submission.
+-         */
+    /*
+     * Some windows drivers make the device spin waiting for a memory location
+     * to change. If we have executed more than LSI_MAX_INSN instructions then
+     * assume this is the case and force an unexpected device disconnect. This
+     * is apparently sufficient to beat the drivers into submission.
+     *
+     * Another issue (CVE-2023-0330) can occur if the script is programmed to
+     * trigger itself again and again. Avoid this problem by stopping after
+     * being called multiple times in a reentrant way (8 is an arbitrary value
+     * which should be enough for all valid use cases).
+     */
+    if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) {
+         if (!(s->sien0 & LSI_SIST0_UDC)) {
+             qemu_log_mask(LOG_GUEST_ERROR,
+                           "lsi_scsi: inf. loop with UDC masked");
+@@ -1597,6 +1606,8 @@ again:
+         }
+     }
+     trace_lsi_execute_script_stop();
+
+    reentrancy_level--;
+ }
+ 
+ static uint8_t lsi_reg_readb(LSIState *s, int offset)
author	Vijay Anusuri <vanusuri@mvista.com>	2023-07-18 11:31:04 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-07-26 05:20:36 -1000
commit	81874924a71fb6061ae1eb27186bab8f74dea60c (patch)
tree	59e37adfcfa61f67c601ae0226df87cc0d2c29ad
parent	cc3287637c30080333d89a368e40473dfffb2fb7 (diff)
download	poky-81874924a71fb6061ae1eb27186bab8f74dea60c.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 7f2b52fa88..c6c6e49ebf 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -93,6 +93,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
93	file://CVE-2022-4144.patch \	93	file://CVE-2022-4144.patch \
94	file://0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch \	94	file://0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch \
95	file://0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \	95	file://0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \
		96	file://CVE-2023-0330.patch \
96	"	97	"
97	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	98	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
98		99


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch new file mode 100644 index 0000000000..025075fd6d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
@@ -0,0 +1,75 @@
		1	[Ubuntu note: remove fuzz-lsi53c895a-test.c changes since the file does not
		2	exist for this release]
		3	From b987718bbb1d0eabf95499b976212dd5f0120d75 Mon Sep 17 00:00:00 2001
		4	From: Thomas Huth <thuth@redhat.com>
		5	Date: Mon, 22 May 2023 11:10:11 +0200
		6	Subject: [PATCH] hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI
		7	controller (CVE-2023-0330)
		8
		9	We cannot use the generic reentrancy guard in the LSI code, so
		10	we have to manually prevent endless reentrancy here. The problematic
		11	lsi_execute_script() function has already a way to detect whether
		12	too many instructions have been executed - we just have to slightly
		13	change the logic here that it also takes into account if the function
		14	has been called too often in a reentrant way.
		15
		16	The code in fuzz-lsi53c895a-test.c has been taken from an earlier
		17	patch by Mauro Matteo Cascella.
		18
		19	Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1563
		20	Message-Id: <20230522091011.1082574-1-thuth@redhat.com>
		21	Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
		22	Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
		23	Signed-off-by: Thomas Huth <thuth@redhat.com>
		24
		25	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2023-0330.patch?h=ubuntu/jammy-security
		26	Upstream commit https://gitlab.com/qemu-project/qemu/-/commit/b987718bbb1d0eabf95499b976212dd5f0120d75]
		27	CVE: CVE-2023-0330
		28	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		29	---
		30	hw/scsi/lsi53c895a.c \| 23 +++++++++++++++------
		31	tests/qtest/fuzz-lsi53c895a-test.c \| 33 ++++++++++++++++++++++++++++++
		32	2 files changed, 50 insertions(+), 6 deletions(-)
		33
		34	--- qemu-6.2+dfsg.orig/hw/scsi/lsi53c895a.c
		35	+++ qemu-6.2+dfsg/hw/scsi/lsi53c895a.c
		36	@@ -1135,15 +1135,24 @@ static void lsi_execute_script(LSIState
		37	uint32_t addr, addr_high;
		38	int opcode;
		39	int insn_processed = 0;
		40	+ static int reentrancy_level;
		41	+
		42	+ reentrancy_level++;
		43
		44	s->istat1 \|= LSI_ISTAT1_SRUN;
		45	again:
		46	- if (++insn_processed > LSI_MAX_INSN) {
		47	- /* Some windows drivers make the device spin waiting for a memory
		48	- location to change. If we have been executed a lot of code then
		49	- assume this is the case and force an unexpected device disconnect.
		50	- This is apparently sufficient to beat the drivers into submission.
		51	- */
		52	+ /*
		53	+ * Some windows drivers make the device spin waiting for a memory location
		54	+ * to change. If we have executed more than LSI_MAX_INSN instructions then
		55	+ * assume this is the case and force an unexpected device disconnect. This
		56	+ * is apparently sufficient to beat the drivers into submission.
		57	+ *
		58	+ * Another issue (CVE-2023-0330) can occur if the script is programmed to
		59	+ * trigger itself again and again. Avoid this problem by stopping after
		60	+ * being called multiple times in a reentrant way (8 is an arbitrary value
		61	+ * which should be enough for all valid use cases).
		62	+ */
		63	+ if (++insn_processed > LSI_MAX_INSN \|\| reentrancy_level > 8) {
		64	if (!(s->sien0 & LSI_SIST0_UDC)) {
		65	qemu_log_mask(LOG_GUEST_ERROR,
		66	"lsi_scsi: inf. loop with UDC masked");
		67	@@ -1597,6 +1606,8 @@ again:
		68	}
		69	}
		70	trace_lsi_execute_script_stop();
		71	+
		72	+ reentrancy_level--;
		73	}
		74
		75	static uint8_t lsi_reg_readb(LSIState *s, int offset)