2 files changed, 89 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index fbfc9f7499..c8e1d28654 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -40,6 +40,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2023-3301.patch \
           file://CVE-2023-3255.patch \
           file://CVE-2023-2861.patch \
+           file://CVE-2023-3354.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch
new file mode 100644
index 0000000000..b3958ecbf5
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch
@@ -0,0 +1,88 @@
+From 10be627d2b5ec2d6b3dce045144aa739eef678b4 Mon Sep 17 00:00:00 2001
+From: Daniel P. Berrangé <berrange@redhat.com>
+Date: Tue, 12 Sep 2023 06:38:03 +0000
+Subject: [PATCH] io: remove io watch if TLS channel is closed during handshake
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+The TLS handshake make take some time to complete, during which time an
+I/O watch might be registered with the main loop. If the owner of the
+I/O channel invokes qio_channel_close() while the handshake is waiting
+to continue the I/O watch must be removed. Failing to remove it will
+later trigger the completion callback which the owner is not expecting
+to receive. In the case of the VNC server, this results in a SEGV as
+vnc_disconnect_start() tries to shutdown a client connection that is
+already gone / NULL.
+CVE-2023-3354
+Reported-by: jiangyegen <jiangyegen@huawei.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+CVE: CVE-2023-3354
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/10be627d2b5ec2d6b3dce045144aa739eef678b4]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ include/io/channel-tls.h |  1 +
+ io/channel-tls.c         | 18 ++++++++++++------
+ 2 files changed, 13 insertions(+), 6 deletions(-)
+diff --git a/include/io/channel-tls.h b/include/io/channel-tls.h
+index 5672479e9..ccd510ade 100644
+--- a/include/io/channel-tls.h
+++ b/include/io/channel-tls.h
+@@ -48,6 +48,7 @@ struct QIOChannelTLS {
+     QIOChannel *master;
+     QCryptoTLSSession *session;
+     QIOChannelShutdown shutdown;
+    guint hs_ioc_tag;
+ };
+ /**
+diff --git a/io/channel-tls.c b/io/channel-tls.c
+index 4ce890a53..17d73f02e 100644
+--- a/io/channel-tls.c
+++ b/io/channel-tls.c
+@@ -195,12 +195,13 @@ static void qio_channel_tls_handshake_task(QIOChannelTLS *ioc,
+         }
+         trace_qio_channel_tls_handshake_pending(ioc, status);
+-        qio_channel_add_watch_full(ioc->master,
+-                                   condition,
+-                                   qio_channel_tls_handshake_io,
+-                                   data,
+-                                   NULL,
+-                                   context);
+        ioc->hs_ioc_tag =
+            qio_channel_add_watch_full(ioc->master,
+                                       condition,
+                                       qio_channel_tls_handshake_io,
+                                       data,
+                                       NULL,
+                                       context);
+     }
+ }
+@@ -215,6 +216,7 @@ static gboolean qio_channel_tls_handshake_io(QIOChannel *ioc,
+     QIOChannelTLS *tioc = QIO_CHANNEL_TLS(
+         qio_task_get_source(task));
+    tioc->hs_ioc_tag = 0;
+     g_free(data);
+     qio_channel_tls_handshake_task(tioc, task, context);
+@@ -374,6 +376,10 @@ static int qio_channel_tls_close(QIOChannel *ioc,
+ {
+     QIOChannelTLS *tioc = QIO_CHANNEL_TLS(ioc);
+    if (tioc->hs_ioc_tag) {
+        g_clear_handle_id(&tioc->hs_ioc_tag, g_source_remove);
+    }
+
+     return qio_channel_close(tioc->master, errp);
+ }
+--
+2.35.5

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index fbfc9f7499..c8e1d28654 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -40,6 +40,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
40	file://CVE-2023-3301.patch \	40	file://CVE-2023-3301.patch \
41	file://CVE-2023-3255.patch \	41	file://CVE-2023-3255.patch \
42	file://CVE-2023-2861.patch \	42	file://CVE-2023-2861.patch \
		43	file://CVE-2023-3354.patch \
43	"	44	"
44	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	45	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
45		46


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch new file mode 100644 index 0000000000..b3958ecbf5 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch
@@ -0,0 +1,88 @@
		1	From 10be627d2b5ec2d6b3dce045144aa739eef678b4 Mon Sep 17 00:00:00 2001
		2	From: Daniel P. Berrangé <berrange@redhat.com>
		3	Date: Tue, 12 Sep 2023 06:38:03 +0000
		4	Subject: [PATCH] io: remove io watch if TLS channel is closed during handshake
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	The TLS handshake make take some time to complete, during which time an
		10	I/O watch might be registered with the main loop. If the owner of the
		11	I/O channel invokes qio_channel_close() while the handshake is waiting
		12	to continue the I/O watch must be removed. Failing to remove it will
		13	later trigger the completion callback which the owner is not expecting
		14	to receive. In the case of the VNC server, this results in a SEGV as
		15	vnc_disconnect_start() tries to shutdown a client connection that is
		16	already gone / NULL.
		17
		18	CVE-2023-3354
		19	Reported-by: jiangyegen <jiangyegen@huawei.com>
		20	Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
		21
		22	CVE: CVE-2023-3354
		23
		24	Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/10be627d2b5ec2d6b3dce045144aa739eef678b4]
		25
		26	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		27	---
		28	include/io/channel-tls.h \| 1 +
		29	io/channel-tls.c \| 18 ++++++++++++------
		30	2 files changed, 13 insertions(+), 6 deletions(-)
		31
		32	diff --git a/include/io/channel-tls.h b/include/io/channel-tls.h
		33	index 5672479e9..ccd510ade 100644
		34	--- a/include/io/channel-tls.h
		35	+++ b/include/io/channel-tls.h
		36	@@ -48,6 +48,7 @@ struct QIOChannelTLS {
		37	QIOChannel *master;
		38	QCryptoTLSSession *session;
		39	QIOChannelShutdown shutdown;
		40	+ guint hs_ioc_tag;
		41	};
		42
		43	/**
		44	diff --git a/io/channel-tls.c b/io/channel-tls.c
		45	index 4ce890a53..17d73f02e 100644
		46	--- a/io/channel-tls.c
		47	+++ b/io/channel-tls.c
		48	@@ -195,12 +195,13 @@ static void qio_channel_tls_handshake_task(QIOChannelTLS *ioc,
		49	}
		50
		51	trace_qio_channel_tls_handshake_pending(ioc, status);
		52	- qio_channel_add_watch_full(ioc->master,
		53	- condition,
		54	- qio_channel_tls_handshake_io,
		55	- data,
		56	- NULL,
		57	- context);
		58	+ ioc->hs_ioc_tag =
		59	+ qio_channel_add_watch_full(ioc->master,
		60	+ condition,
		61	+ qio_channel_tls_handshake_io,
		62	+ data,
		63	+ NULL,
		64	+ context);
		65	}
		66	}
		67
		68	@@ -215,6 +216,7 @@ static gboolean qio_channel_tls_handshake_io(QIOChannel *ioc,
		69	QIOChannelTLS *tioc = QIO_CHANNEL_TLS(
		70	qio_task_get_source(task));
		71
		72	+ tioc->hs_ioc_tag = 0;
		73	g_free(data);
		74	qio_channel_tls_handshake_task(tioc, task, context);
		75
		76	@@ -374,6 +376,10 @@ static int qio_channel_tls_close(QIOChannel *ioc,
		77	{
		78	QIOChannelTLS *tioc = QIO_CHANNEL_TLS(ioc);
		79
		80	+ if (tioc->hs_ioc_tag) {
		81	+ g_clear_handle_id(&tioc->hs_ioc_tag, g_source_remove);
		82	+ }
		83	+
		84	return qio_channel_close(tioc->master, errp);
		85	}
		86
		87	--
		88	2.35.5