qemu: fix CVE-2023-0330

A vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free. References: https://nvd.nist.gov/vuln/detail/CVE-2023-0330 Upstream patches: https://gitlab.com/qemu-project/qemu/-/commit/b987718bbb1d0eabf95499b976212dd5f0120d75 (From OE-Core rev: 3be283237a9e473112430bcb614b25b7ff7e64b2) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Archana Polampalli <archana.polampalli@windriver.com> 2023-07-18 15:35:14 +0000
committer: Steve Sakoman <steve@sakoman.com> 2023-07-26 05:12:21 -1000
commit: 2e660a5be9919314a6bdf845a61b9ba6e394bb68 (patch)
tree: a34992d6a55303af954e700f124dbcbd40044b61 /meta/recipes-devtools
parent: 9ac1631eb791975dd20902c72c35cbf98472804d (diff)
download: poky-2e660a5be9919314a6bdf845a61b9ba6e394bb68.tar.gz
2 files changed, 76 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 4c9be91cb0..15eba6163f 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -36,6 +36,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://qemu-guest-agent.init \
           file://qemu-guest-agent.udev \
           file://ppc.patch \
+           file://CVE-2023-0330.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
new file mode 100644
index 0000000000..f609ea29b4
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
@@ -0,0 +1,75 @@
+From b987718bbb1d0eabf95499b976212dd5f0120d75 Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Mon, 22 May 2023 11:10:11 +0200
+Subject: [PATCH] hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI
+ controller (CVE-2023-0330)
+We cannot use the generic reentrancy guard in the LSI code, so
+we have to manually prevent endless reentrancy here. The problematic
+lsi_execute_script() function has already a way to detect whether
+too many instructions have been executed - we just have to slightly
+change the logic here that it also takes into account if the function
+has been called too often in a reentrant way.
+The code in fuzz-lsi53c895a-test.c has been taken from an earlier
+patch by Mauro Matteo Cascella.
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1563
+Message-Id: <20230522091011.1082574-1-thuth@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/b987718bbb1d0eabf95499b976212dd5f0120d75]
+CVE: CVE-2023-0330
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ hw/scsi/lsi53c895a.c               | 23 +++++++++++++++------
+ tests/qtest/fuzz-lsi53c895a-test.c | 33 ++++++++++++++++++++++++++++++
+ 2 files changed, 50 insertions(+), 6 deletions(-)
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 048436352b7a..f7d45b0b20fb 100644
+--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
+@@ -1134,15 +1134,24 @@ static void lsi_execute_script(LSIState *s)
+     uint32_t addr, addr_high;
+     int opcode;
+     int insn_processed = 0;
+    static int reentrancy_level;
+
+    reentrancy_level++;
+     s->istat1 |= LSI_ISTAT1_SRUN;
+ again:
+-    if (++insn_processed > LSI_MAX_INSN) {
+-        /* Some windows drivers make the device spin waiting for a memory
+-           location to change.  If we have been executed a lot of code then
+-           assume this is the case and force an unexpected device disconnect.
+-           This is apparently sufficient to beat the drivers into submission.
+-         */
+    /*
+     * Some windows drivers make the device spin waiting for a memory location
+     * to change. If we have executed more than LSI_MAX_INSN instructions then
+     * assume this is the case and force an unexpected device disconnect. This
+     * is apparently sufficient to beat the drivers into submission.
+     *
+     * Another issue (CVE-2023-0330) can occur if the script is programmed to
+     * trigger itself again and again. Avoid this problem by stopping after
+     * being called multiple times in a reentrant way (8 is an arbitrary value
+     * which should be enough for all valid use cases).
+     */
+    if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) {
+         if (!(s->sien0 & LSI_SIST0_UDC)) {
+             qemu_log_mask(LOG_GUEST_ERROR,
+                           "lsi_scsi: inf. loop with UDC masked");
+@@ -1596,6 +1605,8 @@ static void lsi_execute_script(LSIState *s)
+         }
+     }
+     trace_lsi_execute_script_stop();
+
+    reentrancy_level--;
+ }
+ static uint8_t lsi_reg_readb(LSIState *s, int offset)
author	Archana Polampalli <archana.polampalli@windriver.com>	2023-07-18 15:35:14 +0000
committer	Steve Sakoman <steve@sakoman.com>	2023-07-26 05:12:21 -1000
commit	2e660a5be9919314a6bdf845a61b9ba6e394bb68 (patch)
tree	a34992d6a55303af954e700f124dbcbd40044b61 /meta/recipes-devtools
parent	9ac1631eb791975dd20902c72c35cbf98472804d (diff)
download	poky-2e660a5be9919314a6bdf845a61b9ba6e394bb68.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 4c9be91cb0..15eba6163f 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -36,6 +36,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
36	file://qemu-guest-agent.init \	36	file://qemu-guest-agent.init \
37	file://qemu-guest-agent.udev \	37	file://qemu-guest-agent.udev \
38	file://ppc.patch \	38	file://ppc.patch \
		39	file://CVE-2023-0330.patch \
39	"	40	"
40	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	41	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
41		42


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch new file mode 100644 index 0000000000..f609ea29b4 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
@@ -0,0 +1,75 @@
		1	From b987718bbb1d0eabf95499b976212dd5f0120d75 Mon Sep 17 00:00:00 2001
		2	From: Thomas Huth <thuth@redhat.com>
		3	Date: Mon, 22 May 2023 11:10:11 +0200
		4	Subject: [PATCH] hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI
		5	controller (CVE-2023-0330)
		6
		7	We cannot use the generic reentrancy guard in the LSI code, so
		8	we have to manually prevent endless reentrancy here. The problematic
		9	lsi_execute_script() function has already a way to detect whether
		10	too many instructions have been executed - we just have to slightly
		11	change the logic here that it also takes into account if the function
		12	has been called too often in a reentrant way.
		13
		14	The code in fuzz-lsi53c895a-test.c has been taken from an earlier
		15	patch by Mauro Matteo Cascella.
		16
		17	Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1563
		18	Message-Id: <20230522091011.1082574-1-thuth@redhat.com>
		19	Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
		20	Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
		21	Signed-off-by: Thomas Huth <thuth@redhat.com>
		22
		23	Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/b987718bbb1d0eabf95499b976212dd5f0120d75]
		24	CVE: CVE-2023-0330
		25
		26	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		27	---
		28	hw/scsi/lsi53c895a.c \| 23 +++++++++++++++------
		29	tests/qtest/fuzz-lsi53c895a-test.c \| 33 ++++++++++++++++++++++++++++++
		30	2 files changed, 50 insertions(+), 6 deletions(-)
		31
		32	diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
		33	index 048436352b7a..f7d45b0b20fb 100644
		34	--- a/hw/scsi/lsi53c895a.c
		35	+++ b/hw/scsi/lsi53c895a.c
		36	@@ -1134,15 +1134,24 @@ static void lsi_execute_script(LSIState *s)
		37	uint32_t addr, addr_high;
		38	int opcode;
		39	int insn_processed = 0;
		40	+ static int reentrancy_level;
		41	+
		42	+ reentrancy_level++;
		43
		44	s->istat1 \|= LSI_ISTAT1_SRUN;
		45	again:
		46	- if (++insn_processed > LSI_MAX_INSN) {
		47	- /* Some windows drivers make the device spin waiting for a memory
		48	- location to change. If we have been executed a lot of code then
		49	- assume this is the case and force an unexpected device disconnect.
		50	- This is apparently sufficient to beat the drivers into submission.
		51	- */
		52	+ /*
		53	+ * Some windows drivers make the device spin waiting for a memory location
		54	+ * to change. If we have executed more than LSI_MAX_INSN instructions then
		55	+ * assume this is the case and force an unexpected device disconnect. This
		56	+ * is apparently sufficient to beat the drivers into submission.
		57	+ *
		58	+ * Another issue (CVE-2023-0330) can occur if the script is programmed to
		59	+ * trigger itself again and again. Avoid this problem by stopping after
		60	+ * being called multiple times in a reentrant way (8 is an arbitrary value
		61	+ * which should be enough for all valid use cases).
		62	+ */
		63	+ if (++insn_processed > LSI_MAX_INSN \|\| reentrancy_level > 8) {
		64	if (!(s->sien0 & LSI_SIST0_UDC)) {
		65	qemu_log_mask(LOG_GUEST_ERROR,
		66	"lsi_scsi: inf. loop with UDC masked");
		67	@@ -1596,6 +1605,8 @@ static void lsi_execute_script(LSIState *s)
		68	}
		69	}
		70	trace_lsi_execute_script_stop();
		71	+
		72	+ reentrancy_level--;
		73	}
		74
		75	static uint8_t lsi_reg_readb(LSIState *s, int offset)