diff options
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 5 | ||||
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-10702.patch | 52 | ||||
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-10761.patch | 150 | ||||
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch | 52 | ||||
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch | 55 | ||||
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch | 60 |
6 files changed, 374 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 3e5006937b..24b0379de4 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc | |||
| @@ -39,6 +39,11 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ | |||
| 39 | file://CVE-2020-11102.patch \ | 39 | file://CVE-2020-11102.patch \ |
| 40 | file://CVE-2020-11869.patch \ | 40 | file://CVE-2020-11869.patch \ |
| 41 | file://CVE-2020-13361.patch \ | 41 | file://CVE-2020-13361.patch \ |
| 42 | file://CVE-2020-10761.patch \ | ||
| 43 | file://CVE-2020-10702.patch \ | ||
| 44 | file://CVE-2020-13659.patch \ | ||
| 45 | file://CVE-2020-13800.patch \ | ||
| 46 | file://CVE-2020-13362.patch \ | ||
| 42 | " | 47 | " |
| 43 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" | 48 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" |
| 44 | 49 | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-10702.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-10702.patch new file mode 100644 index 0000000000..0931489af4 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-10702.patch | |||
| @@ -0,0 +1,52 @@ | |||
| 1 | From de0b1bae6461f67243282555475f88b2384a1eb9 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Vincent Dehors <vincent.dehors@smile.fr> | ||
| 3 | Date: Thu, 23 Jan 2020 15:22:38 +0000 | ||
| 4 | Subject: [PATCH] target/arm: Fix PAuth sbox functions | ||
| 5 | |||
| 6 | In the PAC computation, sbox was applied over wrong bits. | ||
| 7 | As this is a 4-bit sbox, bit index should be incremented by 4 instead of 16. | ||
| 8 | |||
| 9 | Test vector from QARMA paper (https://eprint.iacr.org/2016/444.pdf) was | ||
| 10 | used to verify one computation of the pauth_computepac() function which | ||
| 11 | uses sbox2. | ||
| 12 | |||
| 13 | Launchpad: https://bugs.launchpad.net/bugs/1859713 | ||
| 14 | Reviewed-by: Richard Henderson <richard.henderson@linaro.org> | ||
| 15 | Signed-off-by: Vincent DEHORS <vincent.dehors@smile.fr> | ||
| 16 | Signed-off-by: Adrien GRASSEIN <adrien.grassein@smile.fr> | ||
| 17 | Message-id: 20200116230809.19078-2-richard.henderson@linaro.org | ||
| 18 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
| 19 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
| 20 | |||
| 21 | Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=de0b1bae6461f67243282555475f88b2384a1eb9] | ||
| 22 | CVE: CVE-2020-10702 | ||
| 23 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
| 24 | --- | ||
| 25 | target/arm/pauth_helper.c | 4 ++-- | ||
| 26 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
| 27 | |||
| 28 | diff --git a/target/arm/pauth_helper.c b/target/arm/pauth_helper.c | ||
| 29 | index d3194f2..0a5f41e 100644 | ||
| 30 | --- a/target/arm/pauth_helper.c | ||
| 31 | +++ b/target/arm/pauth_helper.c | ||
| 32 | @@ -89,7 +89,7 @@ static uint64_t pac_sub(uint64_t i) | ||
| 33 | uint64_t o = 0; | ||
| 34 | int b; | ||
| 35 | |||
| 36 | - for (b = 0; b < 64; b += 16) { | ||
| 37 | + for (b = 0; b < 64; b += 4) { | ||
| 38 | o |= (uint64_t)sub[(i >> b) & 0xf] << b; | ||
| 39 | } | ||
| 40 | return o; | ||
| 41 | @@ -104,7 +104,7 @@ static uint64_t pac_inv_sub(uint64_t i) | ||
| 42 | uint64_t o = 0; | ||
| 43 | int b; | ||
| 44 | |||
| 45 | - for (b = 0; b < 64; b += 16) { | ||
| 46 | + for (b = 0; b < 64; b += 4) { | ||
| 47 | o |= (uint64_t)inv_sub[(i >> b) & 0xf] << b; | ||
| 48 | } | ||
| 49 | return o; | ||
| 50 | -- | ||
| 51 | 1.8.3.1 | ||
| 52 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-10761.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-10761.patch new file mode 100644 index 0000000000..e5e336a2ee --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-10761.patch | |||
| @@ -0,0 +1,150 @@ | |||
| 1 | From 5c4fe018c025740fef4a0a4421e8162db0c3eefd Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Eric Blake <eblake@redhat.com> | ||
| 3 | Date: Mon, 8 Jun 2020 13:26:37 -0500 | ||
| 4 | Subject: [PATCH] nbd/server: Avoid long error message assertions | ||
| 5 | CVE-2020-10761 | ||
| 6 | |||
| 7 | Ever since commit 36683283 (v2.8), the server code asserts that error | ||
| 8 | strings sent to the client are well-formed per the protocol by not | ||
| 9 | exceeding the maximum string length of 4096. At the time the server | ||
| 10 | first started sending error messages, the assertion could not be | ||
| 11 | triggered, because messages were completely under our control. | ||
| 12 | However, over the years, we have added latent scenarios where a client | ||
| 13 | could trigger the server to attempt an error message that would | ||
| 14 | include the client's information if it passed other checks first: | ||
| 15 | |||
| 16 | - requesting NBD_OPT_INFO/GO on an export name that is not present | ||
| 17 | (commit 0cfae925 in v2.12 echoes the name) | ||
| 18 | |||
| 19 | - requesting NBD_OPT_LIST/SET_META_CONTEXT on an export name that is | ||
| 20 | not present (commit e7b1948d in v2.12 echoes the name) | ||
| 21 | |||
| 22 | At the time, those were still safe because we flagged names larger | ||
| 23 | than 256 bytes with a different message; but that changed in commit | ||
| 24 | 93676c88 (v4.2) when we raised the name limit to 4096 to match the NBD | ||
| 25 | string limit. (That commit also failed to change the magic number | ||
| 26 | 4096 in nbd_negotiate_send_rep_err to the just-introduced named | ||
| 27 | constant.) So with that commit, long client names appended to server | ||
| 28 | text can now trigger the assertion, and thus be used as a denial of | ||
| 29 | service attack against a server. As a mitigating factor, if the | ||
| 30 | server requires TLS, the client cannot trigger the problematic paths | ||
| 31 | unless it first supplies TLS credentials, and such trusted clients are | ||
| 32 | less likely to try to intentionally crash the server. | ||
| 33 | |||
| 34 | We may later want to further sanitize the user-supplied strings we | ||
| 35 | place into our error messages, such as scrubbing out control | ||
| 36 | characters, but that is less important to the CVE fix, so it can be a | ||
| 37 | later patch to the new nbd_sanitize_name. | ||
| 38 | |||
| 39 | Consideration was given to changing the assertion in | ||
| 40 | nbd_negotiate_send_rep_verr to instead merely log a server error and | ||
| 41 | truncate the message, to avoid leaving a latent path that could | ||
| 42 | trigger a future CVE DoS on any new error message. However, this | ||
| 43 | merely complicates the code for something that is already (correctly) | ||
| 44 | flagging coding errors, and now that we are aware of the long message | ||
| 45 | pitfall, we are less likely to introduce such errors in the future, | ||
| 46 | which would make such error handling dead code. | ||
| 47 | |||
| 48 | Reported-by: Xueqiang Wei <xuwei@redhat.com> | ||
| 49 | CC: qemu-stable@nongnu.org | ||
| 50 | Fixes: https://bugzilla.redhat.com/1843684 CVE-2020-10761 | ||
| 51 | Fixes: 93676c88d7 | ||
| 52 | Signed-off-by: Eric Blake <eblake@redhat.com> | ||
| 53 | Message-Id: <20200610163741.3745251-2-eblake@redhat.com> | ||
| 54 | Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> | ||
| 55 | |||
| 56 | Upstream-Status: Backport [https://github.com/qemu/qemu/commit/5c4fe018c025740fef4a0a4421e8162db0c3eefd] | ||
| 57 | CVE: CVE-2020-10761 | ||
| 58 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
| 59 | --- | ||
| 60 | nbd/server.c | 23 ++++++++++++++++++++--- | ||
| 61 | tests/qemu-iotests/143 | 4 ++++ | ||
| 62 | tests/qemu-iotests/143.out | 2 ++ | ||
| 63 | 3 files changed, 26 insertions(+), 3 deletions(-) | ||
| 64 | |||
| 65 | diff --git a/nbd/server.c b/nbd/server.c | ||
| 66 | index 02b1ed08014..20754e9ebc3 100644 | ||
| 67 | --- a/nbd/server.c | ||
| 68 | +++ b/nbd/server.c | ||
| 69 | @@ -217,7 +217,7 @@ nbd_negotiate_send_rep_verr(NBDClient *client, uint32_t type, | ||
| 70 | |||
| 71 | msg = g_strdup_vprintf(fmt, va); | ||
| 72 | len = strlen(msg); | ||
| 73 | - assert(len < 4096); | ||
| 74 | + assert(len < NBD_MAX_STRING_SIZE); | ||
| 75 | trace_nbd_negotiate_send_rep_err(msg); | ||
| 76 | ret = nbd_negotiate_send_rep_len(client, type, len, errp); | ||
| 77 | if (ret < 0) { | ||
| 78 | @@ -231,6 +231,19 @@ nbd_negotiate_send_rep_verr(NBDClient *client, uint32_t type, | ||
| 79 | return 0; | ||
| 80 | } | ||
| 81 | |||
| 82 | +/* | ||
| 83 | + * Return a malloc'd copy of @name suitable for use in an error reply. | ||
| 84 | + */ | ||
| 85 | +static char * | ||
| 86 | +nbd_sanitize_name(const char *name) | ||
| 87 | +{ | ||
| 88 | + if (strnlen(name, 80) < 80) { | ||
| 89 | + return g_strdup(name); | ||
| 90 | + } | ||
| 91 | + /* XXX Should we also try to sanitize any control characters? */ | ||
| 92 | + return g_strdup_printf("%.80s...", name); | ||
| 93 | +} | ||
| 94 | + | ||
| 95 | /* Send an error reply. | ||
| 96 | * Return -errno on error, 0 on success. */ | ||
| 97 | static int GCC_FMT_ATTR(4, 5) | ||
| 98 | @@ -595,9 +608,11 @@ static int nbd_negotiate_handle_info(NBDClient *client, Error **errp) | ||
| 99 | |||
| 100 | exp = nbd_export_find(name); | ||
| 101 | if (!exp) { | ||
| 102 | + g_autofree char *sane_name = nbd_sanitize_name(name); | ||
| 103 | + | ||
| 104 | return nbd_negotiate_send_rep_err(client, NBD_REP_ERR_UNKNOWN, | ||
| 105 | errp, "export '%s' not present", | ||
| 106 | - name); | ||
| 107 | + sane_name); | ||
| 108 | } | ||
| 109 | |||
| 110 | /* Don't bother sending NBD_INFO_NAME unless client requested it */ | ||
| 111 | @@ -995,8 +1010,10 @@ static int nbd_negotiate_meta_queries(NBDClient *client, | ||
| 112 | |||
| 113 | meta->exp = nbd_export_find(export_name); | ||
| 114 | if (meta->exp == NULL) { | ||
| 115 | + g_autofree char *sane_name = nbd_sanitize_name(export_name); | ||
| 116 | + | ||
| 117 | return nbd_opt_drop(client, NBD_REP_ERR_UNKNOWN, errp, | ||
| 118 | - "export '%s' not present", export_name); | ||
| 119 | + "export '%s' not present", sane_name); | ||
| 120 | } | ||
| 121 | |||
| 122 | ret = nbd_opt_read(client, &nb_queries, sizeof(nb_queries), errp); | ||
| 123 | diff --git a/tests/qemu-iotests/143 b/tests/qemu-iotests/143 | ||
| 124 | index f649b361950..d2349903b1b 100755 | ||
| 125 | --- a/tests/qemu-iotests/143 | ||
| 126 | +++ b/tests/qemu-iotests/143 | ||
| 127 | @@ -58,6 +58,10 @@ _send_qemu_cmd $QEMU_HANDLE \ | ||
| 128 | $QEMU_IO_PROG -f raw -c quit \ | ||
| 129 | "nbd+unix:///no_such_export?socket=$SOCK_DIR/nbd" 2>&1 \ | ||
| 130 | | _filter_qemu_io | _filter_nbd | ||
| 131 | +# Likewise, with longest possible name permitted in NBD protocol | ||
| 132 | +$QEMU_IO_PROG -f raw -c quit \ | ||
| 133 | + "nbd+unix:///$(printf %4096d 1 | tr ' ' a)?socket=$SOCK_DIR/nbd" 2>&1 \ | ||
| 134 | + | _filter_qemu_io | _filter_nbd | sed 's/aaaa*aa/aa--aa/' | ||
| 135 | |||
| 136 | _send_qemu_cmd $QEMU_HANDLE \ | ||
| 137 | "{ 'execute': 'quit' }" \ | ||
| 138 | diff --git a/tests/qemu-iotests/143.out b/tests/qemu-iotests/143.out | ||
| 139 | index 1f4001c6013..fc9c0a761fa 100644 | ||
| 140 | --- a/tests/qemu-iotests/143.out | ||
| 141 | +++ b/tests/qemu-iotests/143.out | ||
| 142 | @@ -5,6 +5,8 @@ QA output created by 143 | ||
| 143 | {"return": {}} | ||
| 144 | qemu-io: can't open device nbd+unix:///no_such_export?socket=SOCK_DIR/nbd: Requested export not available | ||
| 145 | server reported: export 'no_such_export' not present | ||
| 146 | +qemu-io: can't open device nbd+unix:///aa--aa1?socket=SOCK_DIR/nbd: Requested export not available | ||
| 147 | +server reported: export 'aa--aa...' not present | ||
| 148 | { 'execute': 'quit' } | ||
| 149 | {"return": {}} | ||
| 150 | {"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}} | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch new file mode 100644 index 0000000000..7c92d762f2 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch | |||
| @@ -0,0 +1,52 @@ | |||
| 1 | From f50ab86a2620bd7e8507af865b164655ee921661 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
| 3 | Date: Thu, 14 May 2020 00:55:38 +0530 | ||
| 4 | Subject: [PATCH] megasas: use unsigned type for reply_queue_head and check | ||
| 5 | index | ||
| 6 | |||
| 7 | A guest user may set 'reply_queue_head' field of MegasasState to | ||
| 8 | a negative value. Later in 'megasas_lookup_frame' it is used to | ||
| 9 | index into s->frames[] array. Use unsigned type to avoid OOB | ||
| 10 | access issue. | ||
| 11 | |||
| 12 | Also check that 'index' value stays within s->frames[] bounds | ||
| 13 | through the while() loop in 'megasas_lookup_frame' to avoid OOB | ||
| 14 | access. | ||
| 15 | |||
| 16 | Reported-by: Ren Ding <rding@gatech.edu> | ||
| 17 | Reported-by: Hanqing Zhao <hanqing@gatech.edu> | ||
| 18 | Reported-by: Alexander Bulekov <alxndr@bu.edu> | ||
| 19 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
| 20 | Acked-by: Alexander Bulekov <alxndr@bu.edu> | ||
| 21 | Message-Id: <20200513192540.1583887-2-ppandit@redhat.com> | ||
| 22 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
| 23 | |||
| 24 | Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=f50ab86a2620bd7e8507af865b164655ee921661] | ||
| 25 | CVE: CVE-2020-13362 | ||
| 26 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
| 27 | --- | ||
| 28 | hw/scsi/megasas.c | 4 ++-- | ||
| 29 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
| 30 | |||
| 31 | diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c | ||
| 32 | index af18c88b656..6ce598cd690 100644 | ||
| 33 | --- a/hw/scsi/megasas.c | ||
| 34 | +++ b/hw/scsi/megasas.c | ||
| 35 | @@ -112,7 +112,7 @@ typedef struct MegasasState { | ||
| 36 | uint64_t reply_queue_pa; | ||
| 37 | void *reply_queue; | ||
| 38 | int reply_queue_len; | ||
| 39 | - int reply_queue_head; | ||
| 40 | + uint16_t reply_queue_head; | ||
| 41 | int reply_queue_tail; | ||
| 42 | uint64_t consumer_pa; | ||
| 43 | uint64_t producer_pa; | ||
| 44 | @@ -445,7 +445,7 @@ static MegasasCmd *megasas_lookup_frame(MegasasState *s, | ||
| 45 | |||
| 46 | index = s->reply_queue_head; | ||
| 47 | |||
| 48 | - while (num < s->fw_cmds) { | ||
| 49 | + while (num < s->fw_cmds && index < MEGASAS_MAX_FRAMES) { | ||
| 50 | if (s->frames[index].pa && s->frames[index].pa == frame) { | ||
| 51 | cmd = &s->frames[index]; | ||
| 52 | break; | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch new file mode 100644 index 0000000000..f1e9345eca --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch | |||
| @@ -0,0 +1,55 @@ | |||
| 1 | From 77f55eac6c433e23e82a1b88b2d74f385c4c7d82 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
| 3 | Date: Tue, 26 May 2020 16:47:43 +0530 | ||
| 4 | Subject: [PATCH] exec: set map length to zero when returning NULL | ||
| 5 | MIME-Version: 1.0 | ||
| 6 | Content-Type: text/plain; charset=UTF-8 | ||
| 7 | Content-Transfer-Encoding: 8bit | ||
| 8 | |||
| 9 | When mapping physical memory into host's virtual address space, | ||
| 10 | 'address_space_map' may return NULL if BounceBuffer is in_use. | ||
| 11 | Set and return '*plen = 0' to avoid later NULL pointer dereference. | ||
| 12 | |||
| 13 | Reported-by: Alexander Bulekov <alxndr@bu.edu> | ||
| 14 | Fixes: https://bugs.launchpad.net/qemu/+bug/1878259 | ||
| 15 | Suggested-by: Paolo Bonzini <pbonzini@redhat.com> | ||
| 16 | Suggested-by: Peter Maydell <peter.maydell@linaro.org> | ||
| 17 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
| 18 | Message-Id: <20200526111743.428367-1-ppandit@redhat.com> | ||
| 19 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
| 20 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
| 21 | |||
| 22 | Upstream-Status: Backport [https://github.com/qemu/qemu/commit/77f55eac6c433e23e82a1b88b2d74f385c4c7d82] | ||
| 23 | CVE: CVE-2020-13659 | ||
| 24 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
| 25 | --- | ||
| 26 | exec.c | 1 + | ||
| 27 | include/exec/memory.h | 3 ++- | ||
| 28 | 2 files changed, 3 insertions(+), 1 deletion(-) | ||
| 29 | |||
| 30 | diff --git a/exec.c b/exec.c | ||
| 31 | index 9cbde85d8c1..778263f1c6a 100644 | ||
| 32 | --- a/exec.c | ||
| 33 | +++ b/exec.c | ||
| 34 | @@ -3540,6 +3540,7 @@ void *address_space_map(AddressSpace *as, | ||
| 35 | |||
| 36 | if (!memory_access_is_direct(mr, is_write)) { | ||
| 37 | if (atomic_xchg(&bounce.in_use, true)) { | ||
| 38 | + *plen = 0; | ||
| 39 | return NULL; | ||
| 40 | } | ||
| 41 | /* Avoid unbounded allocations */ | ||
| 42 | diff --git a/include/exec/memory.h b/include/exec/memory.h | ||
| 43 | index bd7fdd60810..af8ca7824e0 100644 | ||
| 44 | --- a/include/exec/memory.h | ||
| 45 | +++ b/include/exec/memory.h | ||
| 46 | @@ -2314,7 +2314,8 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, hwaddr len, | ||
| 47 | /* address_space_map: map a physical memory region into a host virtual address | ||
| 48 | * | ||
| 49 | * May map a subset of the requested range, given by and returned in @plen. | ||
| 50 | - * May return %NULL if resources needed to perform the mapping are exhausted. | ||
| 51 | + * May return %NULL and set *@plen to zero(0), if resources needed to perform | ||
| 52 | + * the mapping are exhausted. | ||
| 53 | * Use only for reads OR writes - not for read-modify-write operations. | ||
| 54 | * Use cpu_register_map_client() to know when retrying the map operation is | ||
| 55 | * likely to succeed. | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch new file mode 100644 index 0000000000..84b2f06894 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch | |||
| @@ -0,0 +1,60 @@ | |||
| 1 | From a98610c429d52db0937c1e48659428929835c455 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
| 3 | Date: Thu, 4 Jun 2020 14:38:30 +0530 | ||
| 4 | Subject: [PATCH] ati-vga: check mm_index before recursive call | ||
| 5 | (CVE-2020-13800) | ||
| 6 | MIME-Version: 1.0 | ||
| 7 | Content-Type: text/plain; charset=UTF-8 | ||
| 8 | Content-Transfer-Encoding: 8bit | ||
| 9 | |||
| 10 | While accessing VGA registers via ati_mm_read/write routines, | ||
| 11 | a guest may set 's->regs.mm_index' such that it leads to infinite | ||
| 12 | recursion. Check mm_index value to avoid such recursion. Log an | ||
| 13 | error message for wrong values. | ||
| 14 | |||
| 15 | Reported-by: Ren Ding <rding@gatech.edu> | ||
| 16 | Reported-by: Hanqing Zhao <hanqing@gatech.edu> | ||
| 17 | Reported-by: Yi Ren <c4tren@gmail.com> | ||
| 18 | Message-id: 20200604090830.33885-1-ppandit@redhat.com | ||
| 19 | Suggested-by: BALATON Zoltan <balaton@eik.bme.hu> | ||
| 20 | Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
| 21 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
| 22 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
| 23 | |||
| 24 | Upstream-Status: Backport [https://github.com/qemu/qemu/commit/a98610c429d52db0937c1e48659428929835c455] | ||
| 25 | CVE: CVE-2020-13800 | ||
| 26 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
| 27 | --- | ||
| 28 | hw/display/ati.c | 10 ++++++++-- | ||
| 29 | 1 file changed, 8 insertions(+), 2 deletions(-) | ||
| 30 | |||
| 31 | diff --git a/hw/display/ati.c b/hw/display/ati.c | ||
| 32 | index 065f197678e..67604e68deb 100644 | ||
| 33 | --- a/hw/display/ati.c | ||
| 34 | +++ b/hw/display/ati.c | ||
| 35 | @@ -285,8 +285,11 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size) | ||
| 36 | if (idx <= s->vga.vram_size - size) { | ||
| 37 | val = ldn_le_p(s->vga.vram_ptr + idx, size); | ||
| 38 | } | ||
| 39 | - } else { | ||
| 40 | + } else if (s->regs.mm_index > MM_DATA + 3) { | ||
| 41 | val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size); | ||
| 42 | + } else { | ||
| 43 | + qemu_log_mask(LOG_GUEST_ERROR, | ||
| 44 | + "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index); | ||
| 45 | } | ||
| 46 | break; | ||
| 47 | case BIOS_0_SCRATCH ... BUS_CNTL - 1: | ||
| 48 | @@ -520,8 +523,11 @@ static void ati_mm_write(void *opaque, hwaddr addr, | ||
| 49 | if (idx <= s->vga.vram_size - size) { | ||
| 50 | stn_le_p(s->vga.vram_ptr + idx, size, data); | ||
| 51 | } | ||
| 52 | - } else { | ||
| 53 | + } else if (s->regs.mm_index > MM_DATA + 3) { | ||
| 54 | ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size); | ||
| 55 | + } else { | ||
| 56 | + qemu_log_mask(LOG_GUEST_ERROR, | ||
| 57 | + "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index); | ||
| 58 | } | ||
| 59 | break; | ||
| 60 | case BIOS_0_SCRATCH ... BUS_CNTL - 1: | ||
