qemu: fix CVE-2021-3638 ati-vga: inconsistent check in ati_2d_blt() may lead to out-of-bounds write

Upstream-Status: Backport from https://lists.nongnu.org/archive/html/qemu-devel/2021-09/msg01682.html (From OE-Core rev: 8b5d38abdbfd3bdeb175c793b4d33f9054e89f77) Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Vivek Kumbhar <vkumbhar@mvista.com> 2022-11-11 12:55:04 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-11-20 08:19:10 +0000
commit: 93fa8783778db44a9c4418de806d83d062e5129c (patch)
tree: 0258bba93b3c3444b94e91a07497d86568123d96 /meta
parent: 213cf8004c19d34bba9f7840911d545588671462 (diff)
download: poky-93fa8783778db44a9c4418de806d83d062e5129c.tar.gz
2 files changed, 81 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 28caefef07..764f948a28 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -112,6 +112,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2022-0216-1.patch \
           file://CVE-2022-0216-2.patch \
           file://CVE-2021-3750.patch \
+           file://CVE-2021-3638.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch
new file mode 100644
index 0000000000..6e7af8540a
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch
@@ -0,0 +1,80 @@
+From b68d13531d8882ba66994b9f767b6a8f822464f3 Mon Sep 17 00:00:00 2001
+From: Vivek Kumbhar <vkumbhar@mvista.com>
+Date: Fri, 11 Nov 2022 12:43:26 +0530
+Subject: [PATCH] CVE-2021-3638
+Upstream-Status: Backport [https://lists.nongnu.org/archive/html/qemu-devel/2021-09/msg01682.html]
+CVE: CVE-2021-3638
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+When building QEMU with DEBUG_ATI defined then running with
+'-device ati-vga,romfile="" -d unimp,guest_errors -trace ati\*'
+we get:
+  ati_mm_write 4 0x16c0 DP_CNTL <- 0x1
+  ati_mm_write 4 0x146c DP_GUI_MASTER_CNTL <- 0x2
+  ati_mm_write 4 0x16c8 DP_MIX <- 0xff0000
+  ati_mm_write 4 0x16c4 DP_DATATYPE <- 0x2
+  ati_mm_write 4 0x224 CRTC_OFFSET <- 0x0
+  ati_mm_write 4 0x142c DST_PITCH_OFFSET <- 0xfe00000
+  ati_mm_write 4 0x1420 DST_Y <- 0x3fff
+  ati_mm_write 4 0x1410 DST_HEIGHT <- 0x3fff
+  ati_mm_write 4 0x1588 DST_WIDTH_X <- 0x3fff3fff
+  ati_2d_blt: vram:0x7fff5fa00000 addr:0 ds:0x7fff61273800 stride:2560 bpp:32
+rop:0xff
+  ati_2d_blt: 0 0 0, 0 127 0, (0,0) -> (16383,16383) 16383x16383 > ^
+  ati_2d_blt: pixman_fill(dst:0x7fff5fa00000, stride:254, bpp:8, x:16383,
+y:16383, w:16383, h:16383, xor:0xff000000)
+  Thread 3 "qemu-system-i38" received signal SIGSEGV, Segmentation fault.
+  (gdb) bt
+  #0  0x00007ffff7f62ce0 in sse2_fill.lto_priv () at /lib64/libpixman-1.so.0
+  #1  0x00007ffff7f09278 in pixman_fill () at /lib64/libpixman-1.so.0
+  #2  0x0000555557b5a9af in ati_2d_blt (s=0x631000028800) at
+hw/display/ati_2d.c:196
+  #3  0x0000555557b4b5a2 in ati_mm_write (opaque=0x631000028800, addr=5512,
+data=1073692671, size=4) at hw/display/ati.c:843
+  #4  0x0000555558b90ec4 in memory_region_write_accessor (mr=0x631000039cc0,
+addr=5512, ..., size=4, ...) at softmmu/memory.c:492
+Commit 584acf34cb0 ("ati-vga: Fix reverse bit blts") introduced
+the local dst_x and dst_y which adjust the (x, y) coordinates
+depending on the direction in the SRCCOPY ROP3 operation, but
+forgot to address the same issue for the PATCOPY, BLACKNESS and
+WHITENESS operations, which also call pixman_fill().
+Fix that now by using the adjusted coordinates in the pixman_fill
+call, and update the related debug printf().
+---
+ hw/display/ati_2d.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
+index 4dc10ea7..692bec91 100644
+--- a/hw/display/ati_2d.c
+++ b/hw/display/ati_2d.c
+@@ -84,7 +84,7 @@ void ati_2d_blt(ATIVGAState *s)
+     DPRINTF("%d %d %d, %d %d %d, (%d,%d) -> (%d,%d) %dx%d %c %c\n",
+             s->regs.src_offset, s->regs.dst_offset, s->regs.default_offset,
+             s->regs.src_pitch, s->regs.dst_pitch, s->regs.default_pitch,
+-            s->regs.src_x, s->regs.src_y, s->regs.dst_x, s->regs.dst_y,
+            s->regs.src_x, s->regs.src_y, dst_x, dst_y,
+             s->regs.dst_width, s->regs.dst_height,
+             (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? '>' : '<'),
+             (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? 'v' : '^'));
+@@ -180,11 +180,11 @@ void ati_2d_blt(ATIVGAState *s)
+         dst_stride /= sizeof(uint32_t);
+         DPRINTF("pixman_fill(%p, %d, %d, %d, %d, %d, %d, %x)\n",
+                 dst_bits, dst_stride, bpp,
+-                s->regs.dst_x, s->regs.dst_y,
+                dst_x, dst_y,
+                 s->regs.dst_width, s->regs.dst_height,
+                 filler);
+         pixman_fill((uint32_t *)dst_bits, dst_stride, bpp,
+-                    s->regs.dst_x, s->regs.dst_y,
+                    dst_x, dst_y,
+                     s->regs.dst_width, s->regs.dst_height,
+                     filler);
+         if (dst_bits >= s->vga.vram_ptr + s->vga.vbe_start_addr &&
+-- 
+2.25.1
author	Vivek Kumbhar <vkumbhar@mvista.com>	2022-11-11 12:55:04 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-11-20 08:19:10 +0000
commit	93fa8783778db44a9c4418de806d83d062e5129c (patch)
tree	0258bba93b3c3444b94e91a07497d86568123d96 /meta
parent	213cf8004c19d34bba9f7840911d545588671462 (diff)
download	poky-93fa8783778db44a9c4418de806d83d062e5129c.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 28caefef07..764f948a28 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -112,6 +112,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
112	file://CVE-2022-0216-1.patch \	112	file://CVE-2022-0216-1.patch \
113	file://CVE-2022-0216-2.patch \	113	file://CVE-2022-0216-2.patch \
114	file://CVE-2021-3750.patch \	114	file://CVE-2021-3750.patch \
		115	file://CVE-2021-3638.patch \
115	"	116	"
116	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	117	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
117		118


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch new file mode 100644 index 0000000000..6e7af8540a --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch
@@ -0,0 +1,80 @@
		1	From b68d13531d8882ba66994b9f767b6a8f822464f3 Mon Sep 17 00:00:00 2001
		2	From: Vivek Kumbhar <vkumbhar@mvista.com>
		3	Date: Fri, 11 Nov 2022 12:43:26 +0530
		4	Subject: [PATCH] CVE-2021-3638
		5
		6	Upstream-Status: Backport [https://lists.nongnu.org/archive/html/qemu-devel/2021-09/msg01682.html]
		7	CVE: CVE-2021-3638
		8	Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
		9
		10	When building QEMU with DEBUG_ATI defined then running with
		11	'-device ati-vga,romfile="" -d unimp,guest_errors -trace ati\*'
		12	we get:
		13
		14	ati_mm_write 4 0x16c0 DP_CNTL <- 0x1
		15	ati_mm_write 4 0x146c DP_GUI_MASTER_CNTL <- 0x2
		16	ati_mm_write 4 0x16c8 DP_MIX <- 0xff0000
		17	ati_mm_write 4 0x16c4 DP_DATATYPE <- 0x2
		18	ati_mm_write 4 0x224 CRTC_OFFSET <- 0x0
		19	ati_mm_write 4 0x142c DST_PITCH_OFFSET <- 0xfe00000
		20	ati_mm_write 4 0x1420 DST_Y <- 0x3fff
		21	ati_mm_write 4 0x1410 DST_HEIGHT <- 0x3fff
		22	ati_mm_write 4 0x1588 DST_WIDTH_X <- 0x3fff3fff
		23	ati_2d_blt: vram:0x7fff5fa00000 addr:0 ds:0x7fff61273800 stride:2560 bpp:32
		24	rop:0xff
		25	ati_2d_blt: 0 0 0, 0 127 0, (0,0) -> (16383,16383) 16383x16383 > ^
		26	ati_2d_blt: pixman_fill(dst:0x7fff5fa00000, stride:254, bpp:8, x:16383,
		27	y:16383, w:16383, h:16383, xor:0xff000000)
		28	Thread 3 "qemu-system-i38" received signal SIGSEGV, Segmentation fault.
		29	(gdb) bt
		30	#0 0x00007ffff7f62ce0 in sse2_fill.lto_priv () at /lib64/libpixman-1.so.0
		31	#1 0x00007ffff7f09278 in pixman_fill () at /lib64/libpixman-1.so.0
		32	#2 0x0000555557b5a9af in ati_2d_blt (s=0x631000028800) at
		33	hw/display/ati_2d.c:196
		34	#3 0x0000555557b4b5a2 in ati_mm_write (opaque=0x631000028800, addr=5512,
		35	data=1073692671, size=4) at hw/display/ati.c:843
		36	#4 0x0000555558b90ec4 in memory_region_write_accessor (mr=0x631000039cc0,
		37	addr=5512, ..., size=4, ...) at softmmu/memory.c:492
		38
		39	Commit 584acf34cb0 ("ati-vga: Fix reverse bit blts") introduced
		40	the local dst_x and dst_y which adjust the (x, y) coordinates
		41	depending on the direction in the SRCCOPY ROP3 operation, but
		42	forgot to address the same issue for the PATCOPY, BLACKNESS and
		43	WHITENESS operations, which also call pixman_fill().
		44
		45	Fix that now by using the adjusted coordinates in the pixman_fill
		46	call, and update the related debug printf().
		47	---
		48	hw/display/ati_2d.c \| 6 +++---
		49	1 file changed, 3 insertions(+), 3 deletions(-)
		50
		51	diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
		52	index 4dc10ea7..692bec91 100644
		53	--- a/hw/display/ati_2d.c
		54	+++ b/hw/display/ati_2d.c
		55	@@ -84,7 +84,7 @@ void ati_2d_blt(ATIVGAState *s)
		56	DPRINTF("%d %d %d, %d %d %d, (%d,%d) -> (%d,%d) %dx%d %c %c\n",
		57	s->regs.src_offset, s->regs.dst_offset, s->regs.default_offset,
		58	s->regs.src_pitch, s->regs.dst_pitch, s->regs.default_pitch,
		59	- s->regs.src_x, s->regs.src_y, s->regs.dst_x, s->regs.dst_y,
		60	+ s->regs.src_x, s->regs.src_y, dst_x, dst_y,
		61	s->regs.dst_width, s->regs.dst_height,
		62	(s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? '>' : '<'),
		63	(s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? 'v' : '^'));
		64	@@ -180,11 +180,11 @@ void ati_2d_blt(ATIVGAState *s)
		65	dst_stride /= sizeof(uint32_t);
		66	DPRINTF("pixman_fill(%p, %d, %d, %d, %d, %d, %d, %x)\n",
		67	dst_bits, dst_stride, bpp,
		68	- s->regs.dst_x, s->regs.dst_y,
		69	+ dst_x, dst_y,
		70	s->regs.dst_width, s->regs.dst_height,
		71	filler);
		72	pixman_fill((uint32_t *)dst_bits, dst_stride, bpp,
		73	- s->regs.dst_x, s->regs.dst_y,
		74	+ dst_x, dst_y,
		75	s->regs.dst_width, s->regs.dst_height,
		76	filler);
		77	if (dst_bits >= s->vga.vram_ptr + s->vga.vbe_start_addr &&
		78	--
		79	2.25.1
		80