diff options
| author | Hitendra Prajapati <hprajapati@mvista.com> | 2023-03-14 20:59:11 +0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-03-25 23:00:59 +0000 |
| commit | e88f47da0e6c444afc641e0051ecaddcb0efe5b4 (patch) | |
| tree | c0183fa859b42f0b4dd4aec9c5f21cdad8ffc146 /meta/recipes-devtools/qemu | |
| parent | 51a742eab1a8b2f84aee82b8ad77cd5a237c6283 (diff) | |
| download | poky-e88f47da0e6c444afc641e0051ecaddcb0efe5b4.tar.gz | |
QEMU: CVE-2022-4144 QXL: qxl_phys2virt unsafe address translation can lead to out-of-bounds read
Upstream-Status: Backport from https://gitlab.com/qemu-project/qemu/-/commit/6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622
(From OE-Core rev: 754cce68614c7985d5848134635a6b318f4505ab)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Replace the tabs with spaces to correct the indent.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu')
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 9 | ||||
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch | 103 |
2 files changed, 108 insertions, 4 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 36d0b9320f..0649727338 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc | |||
| @@ -112,10 +112,11 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ | |||
| 112 | file://CVE-2022-0216-1.patch \ | 112 | file://CVE-2022-0216-1.patch \ |
| 113 | file://CVE-2022-0216-2.patch \ | 113 | file://CVE-2022-0216-2.patch \ |
| 114 | file://CVE-2021-3750.patch \ | 114 | file://CVE-2021-3750.patch \ |
| 115 | file://CVE-2021-3638.patch \ | 115 | file://CVE-2021-3638.patch \ |
| 116 | file://CVE-2021-20196.patch \ | 116 | file://CVE-2021-20196.patch \ |
| 117 | file://CVE-2021-3507.patch \ | 117 | file://CVE-2021-3507.patch \ |
| 118 | file://CVE-2021-3929.patch \ | 118 | file://CVE-2021-3929.patch \ |
| 119 | file://CVE-2022-4144.patch \ | ||
| 119 | " | 120 | " |
| 120 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" | 121 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" |
| 121 | 122 | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch new file mode 100644 index 0000000000..3f0d5fbd5c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch | |||
| @@ -0,0 +1,103 @@ | |||
| 1 | From 6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org> | ||
| 3 | Date: Mon, 28 Nov 2022 21:27:40 +0100 | ||
| 4 | Subject: [PATCH] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt | ||
| 5 | (CVE-2022-4144) | ||
| 6 | MIME-Version: 1.0 | ||
| 7 | Content-Type: text/plain; charset=UTF-8 | ||
| 8 | Content-Transfer-Encoding: 8bit | ||
| 9 | |||
| 10 | Have qxl_get_check_slot_offset() return false if the requested | ||
| 11 | buffer size does not fit within the slot memory region. | ||
| 12 | |||
| 13 | Similarly qxl_phys2virt() now returns NULL in such case, and | ||
| 14 | qxl_dirty_one_surface() aborts. | ||
| 15 | |||
| 16 | This avoids buffer overrun in the host pointer returned by | ||
| 17 | memory_region_get_ram_ptr(). | ||
| 18 | |||
| 19 | Fixes: CVE-2022-4144 (out-of-bounds read) | ||
| 20 | Reported-by: Wenxu Yin (@awxylitol) | ||
| 21 | Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1336 | ||
| 22 | |||
| 23 | Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> | ||
| 24 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | ||
| 25 | Message-Id: <20221128202741.4945-5-philmd@linaro.org> | ||
| 26 | |||
| 27 | Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622] | ||
| 28 | CVE: CVE-2022-4144 | ||
| 29 | Comments: Deleted patch hunk in qxl.h,as it contains change | ||
| 30 | in comments which is not present in current version of qemu. | ||
| 31 | |||
| 32 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
| 33 | --- | ||
| 34 | hw/display/qxl.c | 27 +++++++++++++++++++++++---- | ||
| 35 | 1 file changed, 23 insertions(+), 4 deletions(-) | ||
| 36 | |||
| 37 | diff --git a/hw/display/qxl.c b/hw/display/qxl.c | ||
| 38 | index cd7eb39d..6bc8385b 100644 | ||
| 39 | --- a/hw/display/qxl.c | ||
| 40 | +++ b/hw/display/qxl.c | ||
| 41 | @@ -1440,11 +1440,13 @@ static void qxl_reset_surfaces(PCIQXLDevice *d) | ||
| 42 | |||
| 43 | /* can be also called from spice server thread context */ | ||
| 44 | static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, | ||
| 45 | - uint32_t *s, uint64_t *o) | ||
| 46 | + uint32_t *s, uint64_t *o, | ||
| 47 | + size_t size_requested) | ||
| 48 | { | ||
| 49 | uint64_t phys = le64_to_cpu(pqxl); | ||
| 50 | uint32_t slot = (phys >> (64 - 8)) & 0xff; | ||
| 51 | uint64_t offset = phys & 0xffffffffffff; | ||
| 52 | + uint64_t size_available; | ||
| 53 | |||
| 54 | if (slot >= NUM_MEMSLOTS) { | ||
| 55 | qxl_set_guest_bug(qxl, "slot too large %d >= %d", slot, | ||
| 56 | @@ -1468,6 +1470,23 @@ static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, | ||
| 57 | slot, offset, qxl->guest_slots[slot].size); | ||
| 58 | return false; | ||
| 59 | } | ||
| 60 | + size_available = memory_region_size(qxl->guest_slots[slot].mr); | ||
| 61 | + if (qxl->guest_slots[slot].offset + offset >= size_available) { | ||
| 62 | + qxl_set_guest_bug(qxl, | ||
| 63 | + "slot %d offset %"PRIu64" > region size %"PRIu64"\n", | ||
| 64 | + slot, qxl->guest_slots[slot].offset + offset, | ||
| 65 | + size_available); | ||
| 66 | + return false; | ||
| 67 | + } | ||
| 68 | + size_available -= qxl->guest_slots[slot].offset + offset; | ||
| 69 | + if (size_requested > size_available) { | ||
| 70 | + qxl_set_guest_bug(qxl, | ||
| 71 | + "slot %d offset %"PRIu64" size %zu: " | ||
| 72 | + "overrun by %"PRIu64" bytes\n", | ||
| 73 | + slot, offset, size_requested, | ||
| 74 | + size_requested - size_available); | ||
| 75 | + return false; | ||
| 76 | + } | ||
| 77 | |||
| 78 | *s = slot; | ||
| 79 | *o = offset; | ||
| 80 | @@ -1486,7 +1505,7 @@ void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id) | ||
| 81 | offset = le64_to_cpu(pqxl) & 0xffffffffffff; | ||
| 82 | return (void *)(intptr_t)offset; | ||
| 83 | case MEMSLOT_GROUP_GUEST: | ||
| 84 | - if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset)) { | ||
| 85 | + if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size)) { | ||
| 86 | return NULL; | ||
| 87 | } | ||
| 88 | ptr = memory_region_get_ram_ptr(qxl->guest_slots[slot].mr); | ||
| 89 | @@ -1944,9 +1963,9 @@ static void qxl_dirty_one_surface(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, | ||
| 90 | uint32_t slot; | ||
| 91 | bool rc; | ||
| 92 | |||
| 93 | - rc = qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset); | ||
| 94 | - assert(rc == true); | ||
| 95 | size = (uint64_t)height * abs(stride); | ||
| 96 | + rc = qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size); | ||
| 97 | + assert(rc == true); | ||
| 98 | trace_qxl_surfaces_dirty(qxl->id, offset, size); | ||
| 99 | qxl_set_dirty(qxl->guest_slots[slot].mr, | ||
| 100 | qxl->guest_slots[slot].offset + offset, | ||
| 101 | -- | ||
| 102 | 2.25.1 | ||
| 103 | |||
