* [hardknott][PATCH 3/8] qemu: CVE-2021-3595
[not found] <20220114000641.33969-1-sakib.sajal@windriver.com>
@ 2022-01-14 0:06 ` Sakib Sajal
2022-01-14 0:06 ` [hardknott][PATCH 4/8] qemu: CVE-2021-3594 Sakib Sajal
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Sakib Sajal @ 2022-01-14 0:06 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
meta/recipes-devtools/qemu/qemu.inc | 2 +
.../qemu/qemu/CVE-2021-3595_1.patch | 41 +++
.../qemu/qemu/CVE-2021-3595_2.patch | 253 ++++++++++++++++++
3 files changed, 296 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3595_1.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3595_2.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 6b544a4344..811bdff426 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -74,6 +74,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3592_2.patch \
file://CVE-2021-3592_3.patch \
file://CVE-2021-3593.patch \
+ file://CVE-2021-3595_1.patch \
+ file://CVE-2021-3595_2.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_1.patch
new file mode 100644
index 0000000000..aefaff01cf
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_1.patch
@@ -0,0 +1,41 @@
+From 6b62a09d6c264cb84f560a418beb027f47bc5069 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 16:34:30 +0400
+Subject: [PATCH 05/12] tftp: check tftp_input buffer size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes: CVE-2021-3595
+Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/46
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3595
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ slirp/src/tftp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/slirp/src/tftp.c b/slirp/src/tftp.c
+index c6950ee10..e06911d42 100644
+--- a/slirp/src/tftp.c
++++ b/slirp/src/tftp.c
+@@ -446,7 +446,11 @@ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas,
+
+ void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m)
+ {
+- struct tftp_t *tp = (struct tftp_t *)m->m_data;
++ struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf));
++
++ if (tp == NULL) {
++ return;
++ }
+
+ switch (ntohs(tp->tp_op)) {
+ case TFTP_RRQ:
+--
+2.31.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_2.patch
new file mode 100644
index 0000000000..1ffa6ca988
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_2.patch
@@ -0,0 +1,253 @@
+From d71caef98e331268519578fc0437e2ac02586940 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 20:01:20 +0400
+Subject: [PATCH 06/12] tftp: introduce a header structure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Instead of using a composed structure and potentially reading past the
+incoming buffer, use a different structure for the header.
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3595
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ slirp/src/tftp.c | 60 +++++++++++++++++++++++++-----------------------
+ slirp/src/tftp.h | 6 ++++-
+ 2 files changed, 36 insertions(+), 30 deletions(-)
+
+diff --git a/slirp/src/tftp.c b/slirp/src/tftp.c
+index e06911d42..a19c889d3 100644
+--- a/slirp/src/tftp.c
++++ b/slirp/src/tftp.c
+@@ -50,7 +50,7 @@ static void tftp_session_terminate(struct tftp_session *spt)
+ }
+
+ static int tftp_session_allocate(Slirp *slirp, struct sockaddr_storage *srcsas,
+- struct tftp_t *tp)
++ struct tftphdr *hdr)
+ {
+ struct tftp_session *spt;
+ int k;
+@@ -75,7 +75,7 @@ found:
+ memcpy(&spt->client_addr, srcsas, sockaddr_size(srcsas));
+ spt->fd = -1;
+ spt->block_size = 512;
+- spt->client_port = tp->udp.uh_sport;
++ spt->client_port = hdr->udp.uh_sport;
+ spt->slirp = slirp;
+
+ tftp_session_update(spt);
+@@ -84,7 +84,7 @@ found:
+ }
+
+ static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas,
+- struct tftp_t *tp)
++ struct tftphdr *hdr)
+ {
+ struct tftp_session *spt;
+ int k;
+@@ -94,7 +94,7 @@ static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas,
+
+ if (tftp_session_in_use(spt)) {
+ if (sockaddr_equal(&spt->client_addr, srcsas)) {
+- if (spt->client_port == tp->udp.uh_sport) {
++ if (spt->client_port == hdr->udp.uh_sport) {
+ return k;
+ }
+ }
+@@ -148,13 +148,13 @@ static struct tftp_t *tftp_prep_mbuf_data(struct tftp_session *spt,
+ }
+
+ static void tftp_udp_output(struct tftp_session *spt, struct mbuf *m,
+- struct tftp_t *recv_tp)
++ struct tftphdr *hdr)
+ {
+ if (spt->client_addr.ss_family == AF_INET6) {
+ struct sockaddr_in6 sa6, da6;
+
+ sa6.sin6_addr = spt->slirp->vhost_addr6;
+- sa6.sin6_port = recv_tp->udp.uh_dport;
++ sa6.sin6_port = hdr->udp.uh_dport;
+ da6.sin6_addr = ((struct sockaddr_in6 *)&spt->client_addr)->sin6_addr;
+ da6.sin6_port = spt->client_port;
+
+@@ -163,7 +163,7 @@ static void tftp_udp_output(struct tftp_session *spt, struct mbuf *m,
+ struct sockaddr_in sa4, da4;
+
+ sa4.sin_addr = spt->slirp->vhost_addr;
+- sa4.sin_port = recv_tp->udp.uh_dport;
++ sa4.sin_port = hdr->udp.uh_dport;
+ da4.sin_addr = ((struct sockaddr_in *)&spt->client_addr)->sin_addr;
+ da4.sin_port = spt->client_port;
+
+@@ -185,14 +185,14 @@ static int tftp_send_oack(struct tftp_session *spt, const char *keys[],
+
+ tp = tftp_prep_mbuf_data(spt, m);
+
+- tp->tp_op = htons(TFTP_OACK);
++ tp->hdr.tp_op = htons(TFTP_OACK);
+ for (i = 0; i < nb; i++) {
+ n += slirp_fmt0(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%s", keys[i]);
+ n += slirp_fmt0(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%u", values[i]);
+ }
+
+- m->m_len = G_SIZEOF_MEMBER(struct tftp_t, tp_op) + n;
+- tftp_udp_output(spt, m, recv_tp);
++ m->m_len = G_SIZEOF_MEMBER(struct tftp_t, hdr.tp_op) + n;
++ tftp_udp_output(spt, m, &recv_tp->hdr);
+
+ return 0;
+ }
+@@ -213,21 +213,21 @@ static void tftp_send_error(struct tftp_session *spt, uint16_t errorcode,
+
+ tp = tftp_prep_mbuf_data(spt, m);
+
+- tp->tp_op = htons(TFTP_ERROR);
++ tp->hdr.tp_op = htons(TFTP_ERROR);
+ tp->x.tp_error.tp_error_code = htons(errorcode);
+ slirp_pstrcpy((char *)tp->x.tp_error.tp_msg, sizeof(tp->x.tp_error.tp_msg),
+ msg);
+
+ m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX + 2) + 3 +
+ strlen(msg) - sizeof(struct udphdr);
+- tftp_udp_output(spt, m, recv_tp);
++ tftp_udp_output(spt, m, &recv_tp->hdr);
+
+ out:
+ tftp_session_terminate(spt);
+ }
+
+ static void tftp_send_next_block(struct tftp_session *spt,
+- struct tftp_t *recv_tp)
++ struct tftphdr *hdr)
+ {
+ struct mbuf *m;
+ struct tftp_t *tp;
+@@ -241,7 +241,7 @@ static void tftp_send_next_block(struct tftp_session *spt,
+
+ tp = tftp_prep_mbuf_data(spt, m);
+
+- tp->tp_op = htons(TFTP_DATA);
++ tp->hdr.tp_op = htons(TFTP_DATA);
+ tp->x.tp_data.tp_block_nr = htons((spt->block_nr + 1) & 0xffff);
+
+ nobytes = tftp_read_data(spt, spt->block_nr, tp->x.tp_data.tp_buf,
+@@ -259,7 +259,7 @@ static void tftp_send_next_block(struct tftp_session *spt,
+
+ m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX - nobytes) -
+ sizeof(struct udphdr);
+- tftp_udp_output(spt, m, recv_tp);
++ tftp_udp_output(spt, m, hdr);
+
+ if (nobytes == spt->block_size) {
+ tftp_session_update(spt);
+@@ -282,12 +282,12 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
+ int nb_options = 0;
+
+ /* check if a session already exists and if so terminate it */
+- s = tftp_session_find(slirp, srcsas, tp);
++ s = tftp_session_find(slirp, srcsas, &tp->hdr);
+ if (s >= 0) {
+ tftp_session_terminate(&slirp->tftp_sessions[s]);
+ }
+
+- s = tftp_session_allocate(slirp, srcsas, tp);
++ s = tftp_session_allocate(slirp, srcsas, &tp->hdr);
+
+ if (s < 0) {
+ return;
+@@ -413,29 +413,29 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
+ }
+
+ spt->block_nr = 0;
+- tftp_send_next_block(spt, tp);
++ tftp_send_next_block(spt, &tp->hdr);
+ }
+
+ static void tftp_handle_ack(Slirp *slirp, struct sockaddr_storage *srcsas,
+- struct tftp_t *tp, int pktlen)
++ struct tftphdr *hdr)
+ {
+ int s;
+
+- s = tftp_session_find(slirp, srcsas, tp);
++ s = tftp_session_find(slirp, srcsas, hdr);
+
+ if (s < 0) {
+ return;
+ }
+
+- tftp_send_next_block(&slirp->tftp_sessions[s], tp);
++ tftp_send_next_block(&slirp->tftp_sessions[s], hdr);
+ }
+
+ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas,
+- struct tftp_t *tp, int pktlen)
++ struct tftphdr *hdr)
+ {
+ int s;
+
+- s = tftp_session_find(slirp, srcsas, tp);
++ s = tftp_session_find(slirp, srcsas, hdr);
+
+ if (s < 0) {
+ return;
+@@ -446,23 +446,25 @@ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas,
+
+ void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m)
+ {
+- struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf));
++ struct tftphdr *hdr = mtod_check(m, sizeof(struct tftphdr));
+
+- if (tp == NULL) {
++ if (hdr == NULL) {
+ return;
+ }
+
+- switch (ntohs(tp->tp_op)) {
++ switch (ntohs(hdr->tp_op)) {
+ case TFTP_RRQ:
+- tftp_handle_rrq(m->slirp, srcsas, tp, m->m_len);
++ tftp_handle_rrq(m->slirp, srcsas,
++ mtod(m, struct tftp_t *),
++ m->m_len);
+ break;
+
+ case TFTP_ACK:
+- tftp_handle_ack(m->slirp, srcsas, tp, m->m_len);
++ tftp_handle_ack(m->slirp, srcsas, hdr);
+ break;
+
+ case TFTP_ERROR:
+- tftp_handle_error(m->slirp, srcsas, tp, m->m_len);
++ tftp_handle_error(m->slirp, srcsas, hdr);
+ break;
+ }
+ }
+diff --git a/slirp/src/tftp.h b/slirp/src/tftp.h
+index 6d75478e8..cafab03f2 100644
+--- a/slirp/src/tftp.h
++++ b/slirp/src/tftp.h
+@@ -20,9 +20,13 @@
+ #define TFTP_FILENAME_MAX 512
+ #define TFTP_BLOCKSIZE_MAX 1428
+
+-struct tftp_t {
++struct tftphdr {
+ struct udphdr udp;
+ uint16_t tp_op;
++} SLIRP_PACKED;
++
++struct tftp_t {
++ struct tftphdr hdr;
+ union {
+ struct {
+ uint16_t tp_block_nr;
+--
+2.31.1
+
--
2.33.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [hardknott][PATCH 4/8] qemu: CVE-2021-3594
[not found] <20220114000641.33969-1-sakib.sajal@windriver.com>
2022-01-14 0:06 ` [hardknott][PATCH 3/8] qemu: CVE-2021-3595 Sakib Sajal
@ 2022-01-14 0:06 ` Sakib Sajal
2022-01-14 0:06 ` [hardknott][PATCH 6/8] qemu: CVE-2021-3748 Sakib Sajal
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Sakib Sajal @ 2022-01-14 0:06 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2021-3594.patch | 40 +++++++++++++++++++
2 files changed, 41 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 811bdff426..4198d3a52c 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -76,6 +76,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3593.patch \
file://CVE-2021-3595_1.patch \
file://CVE-2021-3595_2.patch \
+ file://CVE-2021-3594.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch
new file mode 100644
index 0000000000..ec2a254c7d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch
@@ -0,0 +1,40 @@
+From 7a5ffd5475f2cbfe3cf91d9584893f1a4b3b4dff Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 16:40:23 +0400
+Subject: [PATCH 07/12] udp: check upd_input buffer size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes: CVE-2021-3594
+Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/47
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3594
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ slirp/src/udp.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/slirp/src/udp.c b/slirp/src/udp.c
+index 0ad44d7c0..18b4acdfa 100644
+--- a/slirp/src/udp.c
++++ b/slirp/src/udp.c
+@@ -93,7 +93,10 @@ void udp_input(register struct mbuf *m, int iphlen)
+ /*
+ * Get IP and UDP header together in first mbuf.
+ */
+- ip = mtod(m, struct ip *);
++ ip = mtod_check(m, iphlen + sizeof(struct udphdr));
++ if (ip == NULL) {
++ goto bad;
++ }
+ uh = (struct udphdr *)((char *)ip + iphlen);
+
+ /*
+--
+2.31.1
+
--
2.33.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [hardknott][PATCH 6/8] qemu: CVE-2021-3748
[not found] <20220114000641.33969-1-sakib.sajal@windriver.com>
2022-01-14 0:06 ` [hardknott][PATCH 3/8] qemu: CVE-2021-3595 Sakib Sajal
2022-01-14 0:06 ` [hardknott][PATCH 4/8] qemu: CVE-2021-3594 Sakib Sajal
@ 2022-01-14 0:06 ` Sakib Sajal
2022-01-14 0:06 ` [hardknott][PATCH 8/8] qemu: CVE-2021-20196 Sakib Sajal
[not found] ` <16C9FA5A611A7940.25962@lists.openembedded.org>
4 siblings, 0 replies; 6+ messages in thread
From: Sakib Sajal @ 2022-01-14 0:06 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2021-3748.patch | 127 ++++++++++++++++++
2 files changed, 128 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 970aa96608..7648ce9a38 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -78,6 +78,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3595_2.patch \
file://CVE-2021-3594.patch \
file://CVE-2021-3713.patch \
+ file://CVE-2021-3748.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
new file mode 100644
index 0000000000..a8f57c30b6
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
@@ -0,0 +1,127 @@
+From bacc200f623647632258f7efc0f098ac30dd4225 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Thu, 2 Sep 2021 13:44:12 +0800
+Subject: [PATCH 09/12] virtio-net: fix use after unmap/free for sg
+
+When mergeable buffer is enabled, we try to set the num_buffers after
+the virtqueue elem has been unmapped. This will lead several issues,
+E.g a use after free when the descriptor has an address which belongs
+to the non direct access region. In this case we use bounce buffer
+that is allocated during address_space_map() and freed during
+address_space_unmap().
+
+Fixing this by storing the elems temporarily in an array and delay the
+unmap after we set the the num_buffers.
+
+This addresses CVE-2021-3748.
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Fixes: fbe78f4f55c6 ("virtio-net support")
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3748
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++-------
+ 1 file changed, 32 insertions(+), 7 deletions(-)
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index 9179013ac..df1d30e2c 100644
+--- a/hw/net/virtio-net.c
++++ b/hw/net/virtio-net.c
+@@ -1665,10 +1665,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ VirtIONet *n = qemu_get_nic_opaque(nc);
+ VirtIONetQueue *q = virtio_net_get_subqueue(nc);
+ VirtIODevice *vdev = VIRTIO_DEVICE(n);
++ VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE];
++ size_t lens[VIRTQUEUE_MAX_SIZE];
+ struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE];
+ struct virtio_net_hdr_mrg_rxbuf mhdr;
+ unsigned mhdr_cnt = 0;
+- size_t offset, i, guest_offset;
++ size_t offset, i, guest_offset, j;
++ ssize_t err;
+
+ if (!virtio_net_can_receive(nc)) {
+ return -1;
+@@ -1699,6 +1702,12 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+
+ total = 0;
+
++ if (i == VIRTQUEUE_MAX_SIZE) {
++ virtio_error(vdev, "virtio-net unexpected long buffer chain");
++ err = size;
++ goto err;
++ }
++
+ elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement));
+ if (!elem) {
+ if (i) {
+@@ -1710,7 +1719,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ n->guest_hdr_len, n->host_hdr_len,
+ vdev->guest_features);
+ }
+- return -1;
++ err = -1;
++ goto err;
+ }
+
+ if (elem->in_num < 1) {
+@@ -1718,7 +1728,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ "virtio-net receive queue contains no in buffers");
+ virtqueue_detach_element(q->rx_vq, elem, 0);
+ g_free(elem);
+- return -1;
++ err = -1;
++ goto err;
+ }
+
+ sg = elem->in_sg;
+@@ -1755,12 +1766,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ if (!n->mergeable_rx_bufs && offset < size) {
+ virtqueue_unpop(q->rx_vq, elem, total);
+ g_free(elem);
+- return size;
++ err = size;
++ goto err;
+ }
+
+- /* signal other side */
+- virtqueue_fill(q->rx_vq, elem, total, i++);
+- g_free(elem);
++ elems[i] = elem;
++ lens[i] = total;
++ i++;
+ }
+
+ if (mhdr_cnt) {
+@@ -1770,10 +1782,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ &mhdr.num_buffers, sizeof mhdr.num_buffers);
+ }
+
++ for (j = 0; j < i; j++) {
++ /* signal other side */
++ virtqueue_fill(q->rx_vq, elems[j], lens[j], j);
++ g_free(elems[j]);
++ }
++
+ virtqueue_flush(q->rx_vq, i);
+ virtio_notify(vdev, q->rx_vq);
+
+ return size;
++
++err:
++ for (j = 0; j < i; j++) {
++ g_free(elems[j]);
++ }
++
++ return err;
+ }
+
+ static ssize_t virtio_net_do_receive(NetClientState *nc, const uint8_t *buf,
+--
+2.31.1
+
--
2.33.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [hardknott][PATCH 8/8] qemu: CVE-2021-20196
[not found] <20220114000641.33969-1-sakib.sajal@windriver.com>
` (2 preceding siblings ...)
2022-01-14 0:06 ` [hardknott][PATCH 6/8] qemu: CVE-2021-3748 Sakib Sajal
@ 2022-01-14 0:06 ` Sakib Sajal
[not found] ` <16C9FA5A611A7940.25962@lists.openembedded.org>
4 siblings, 0 replies; 6+ messages in thread
From: Sakib Sajal @ 2022-01-14 0:06 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
meta/recipes-devtools/qemu/qemu.inc | 2 +
.../qemu/qemu/CVE-2021-20196_1.patch | 54 +++++++++++++++
.../qemu/qemu/CVE-2021-20196_2.patch | 67 +++++++++++++++++++
3 files changed, 123 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 4a5379893c..3401fd7194 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -80,6 +80,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3713.patch \
file://CVE-2021-3748.patch \
file://CVE-2021-3930.patch \
+ file://CVE-2021-20196_1.patch \
+ file://CVE-2021-20196_2.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch
new file mode 100644
index 0000000000..bc513277ac
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch
@@ -0,0 +1,54 @@
+From e907ff3d4cb7fd20d402f45355059e67d0dc93e7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 24 Nov 2021 17:15:34 +0100
+Subject: [PATCH 11/12] hw/block/fdc: Extract blk_create_empty_drive()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We are going to re-use this code in the next commit,
+so extract it as a new blk_create_empty_drive() function.
+
+Inspired-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20211124161536.631563-2-philmd@redhat.com
+Signed-off-by: John Snow <jsnow@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-20196
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/block/fdc.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index 4c2c35e22..854b4f172 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -61,6 +61,12 @@
+ } while (0)
+
+
++/* Anonymous BlockBackend for empty drive */
++static BlockBackend *blk_create_empty_drive(void)
++{
++ return blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL);
++}
++
+ /********************************************************/
+ /* qdev floppy bus */
+
+@@ -543,8 +549,7 @@ static void floppy_drive_realize(DeviceState *qdev, Error **errp)
+ }
+
+ if (!dev->conf.blk) {
+- /* Anonymous BlockBackend for an empty drive */
+- dev->conf.blk = blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL);
++ dev->conf.blk = blk_create_empty_drive();
+ ret = blk_attach_dev(dev->conf.blk, qdev);
+ assert(ret == 0);
+
+--
+2.31.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch
new file mode 100644
index 0000000000..1e39ed81b1
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch
@@ -0,0 +1,67 @@
+From 1d48445a951fd5504190a38abeda70ea9372cf77 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 24 Nov 2021 17:15:35 +0100
+Subject: [PATCH 12/12] hw/block/fdc: Kludge missing floppy drive to fix
+ CVE-2021-20196
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guest might select another drive on the bus by setting the
+DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR).
+The current controller model doesn't expect a BlockBackend
+to be NULL. A simple way to fix CVE-2021-20196 is to create
+an empty BlockBackend when it is missing. All further
+accesses will be safely handled, and the controller state
+machines keep behaving correctly.
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2021-20196
+Reported-by: Gaoning Pan (Ant Security Light-Year Lab) <pgn@zju.edu.cn>
+Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20211124161536.631563-3-philmd@redhat.com
+BugLink: https://bugs.launchpad.net/qemu/+bug/1912780
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/338
+Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: John Snow <jsnow@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-20196
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/block/fdc.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index 854b4f172..a736c4d14 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -1365,7 +1365,19 @@ static FDrive *get_drv(FDCtrl *fdctrl, int unit)
+
+ static FDrive *get_cur_drv(FDCtrl *fdctrl)
+ {
+- return get_drv(fdctrl, fdctrl->cur_drv);
++ FDrive *cur_drv = get_drv(fdctrl, fdctrl->cur_drv);
++
++ if (!cur_drv->blk) {
++ /*
++ * Kludge: empty drive line selected. Create an anonymous
++ * BlockBackend to avoid NULL deref with various BlockBackend
++ * API calls within this model (CVE-2021-20196).
++ * Due to the controller QOM model limitations, we don't
++ * attach the created to the controller device.
++ */
++ cur_drv->blk = blk_create_empty_drive();
++ }
++ return cur_drv;
+ }
+
+ /* Status A register : 0x00 (read-only) */
+--
+2.31.1
+
--
2.33.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [OE-core] [hardknott][PATCH 3/8] qemu: CVE-2021-3595
[not found] ` <16C9FA5A611A7940.25962@lists.openembedded.org>
@ 2022-01-14 0:18 ` Sakib Sajal
0 siblings, 0 replies; 6+ messages in thread
From: Sakib Sajal @ 2022-01-14 0:18 UTC (permalink / raw)
To: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 12931 bytes --]
Please disregard this set of patches, somehow it failed to send the
first 2 and one in the middle. sending a V3.
Sorry for inconvenience
On 2022-01-13 7:06 p.m., Sakib Sajal wrote:
> Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> ---
> meta/recipes-devtools/qemu/qemu.inc | 2 +
> .../qemu/qemu/CVE-2021-3595_1.patch | 41 +++
> .../qemu/qemu/CVE-2021-3595_2.patch | 253 ++++++++++++++++++
> 3 files changed, 296 insertions(+)
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3595_1.patch
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3595_2.patch
>
> diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
> index 6b544a4344..811bdff426 100644
> --- a/meta/recipes-devtools/qemu/qemu.inc
> +++ b/meta/recipes-devtools/qemu/qemu.inc
> @@ -74,6 +74,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
> file://CVE-2021-3592_2.patch \
> file://CVE-2021-3592_3.patch \
> file://CVE-2021-3593.patch \
> + file://CVE-2021-3595_1.patch \
> + file://CVE-2021-3595_2.patch \
> "
> UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
>
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_1.patch
> new file mode 100644
> index 0000000000..aefaff01cf
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_1.patch
> @@ -0,0 +1,41 @@
> +From 6b62a09d6c264cb84f560a418beb027f47bc5069 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
> +Date: Fri, 4 Jun 2021 16:34:30 +0400
> +Subject: [PATCH 05/12] tftp: check tftp_input buffer size
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Fixes: CVE-2021-3595
> +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/46
> +
> +Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> +
> +Upstream-Status: Backport
> +CVE: CVE-2021-3595
> +
> +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> +---
> + slirp/src/tftp.c | 6 +++++-
> + 1 file changed, 5 insertions(+), 1 deletion(-)
> +
> +diff --git a/slirp/src/tftp.c b/slirp/src/tftp.c
> +index c6950ee10..e06911d42 100644
> +--- a/slirp/src/tftp.c
> ++++ b/slirp/src/tftp.c
> +@@ -446,7 +446,11 @@ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas,
> +
> + void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m)
> + {
> +- struct tftp_t *tp = (struct tftp_t *)m->m_data;
> ++ struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf));
> ++
> ++ if (tp == NULL) {
> ++ return;
> ++ }
> +
> + switch (ntohs(tp->tp_op)) {
> + case TFTP_RRQ:
> +--
> +2.31.1
> +
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_2.patch
> new file mode 100644
> index 0000000000..1ffa6ca988
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_2.patch
> @@ -0,0 +1,253 @@
> +From d71caef98e331268519578fc0437e2ac02586940 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
> +Date: Fri, 4 Jun 2021 20:01:20 +0400
> +Subject: [PATCH 06/12] tftp: introduce a header structure
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Instead of using a composed structure and potentially reading past the
> +incoming buffer, use a different structure for the header.
> +
> +Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> +
> +Upstream-Status: Backport
> +CVE: CVE-2021-3595
> +
> +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> +---
> + slirp/src/tftp.c | 60 +++++++++++++++++++++++++-----------------------
> + slirp/src/tftp.h | 6 ++++-
> + 2 files changed, 36 insertions(+), 30 deletions(-)
> +
> +diff --git a/slirp/src/tftp.c b/slirp/src/tftp.c
> +index e06911d42..a19c889d3 100644
> +--- a/slirp/src/tftp.c
> ++++ b/slirp/src/tftp.c
> +@@ -50,7 +50,7 @@ static void tftp_session_terminate(struct tftp_session *spt)
> + }
> +
> + static int tftp_session_allocate(Slirp *slirp, struct sockaddr_storage *srcsas,
> +- struct tftp_t *tp)
> ++ struct tftphdr *hdr)
> + {
> + struct tftp_session *spt;
> + int k;
> +@@ -75,7 +75,7 @@ found:
> + memcpy(&spt->client_addr, srcsas, sockaddr_size(srcsas));
> + spt->fd = -1;
> + spt->block_size = 512;
> +- spt->client_port = tp->udp.uh_sport;
> ++ spt->client_port = hdr->udp.uh_sport;
> + spt->slirp = slirp;
> +
> + tftp_session_update(spt);
> +@@ -84,7 +84,7 @@ found:
> + }
> +
> + static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas,
> +- struct tftp_t *tp)
> ++ struct tftphdr *hdr)
> + {
> + struct tftp_session *spt;
> + int k;
> +@@ -94,7 +94,7 @@ static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas,
> +
> + if (tftp_session_in_use(spt)) {
> + if (sockaddr_equal(&spt->client_addr, srcsas)) {
> +- if (spt->client_port == tp->udp.uh_sport) {
> ++ if (spt->client_port == hdr->udp.uh_sport) {
> + return k;
> + }
> + }
> +@@ -148,13 +148,13 @@ static struct tftp_t *tftp_prep_mbuf_data(struct tftp_session *spt,
> + }
> +
> + static void tftp_udp_output(struct tftp_session *spt, struct mbuf *m,
> +- struct tftp_t *recv_tp)
> ++ struct tftphdr *hdr)
> + {
> + if (spt->client_addr.ss_family == AF_INET6) {
> + struct sockaddr_in6 sa6, da6;
> +
> + sa6.sin6_addr = spt->slirp->vhost_addr6;
> +- sa6.sin6_port = recv_tp->udp.uh_dport;
> ++ sa6.sin6_port = hdr->udp.uh_dport;
> + da6.sin6_addr = ((struct sockaddr_in6 *)&spt->client_addr)->sin6_addr;
> + da6.sin6_port = spt->client_port;
> +
> +@@ -163,7 +163,7 @@ static void tftp_udp_output(struct tftp_session *spt, struct mbuf *m,
> + struct sockaddr_in sa4, da4;
> +
> + sa4.sin_addr = spt->slirp->vhost_addr;
> +- sa4.sin_port = recv_tp->udp.uh_dport;
> ++ sa4.sin_port = hdr->udp.uh_dport;
> + da4.sin_addr = ((struct sockaddr_in *)&spt->client_addr)->sin_addr;
> + da4.sin_port = spt->client_port;
> +
> +@@ -185,14 +185,14 @@ static int tftp_send_oack(struct tftp_session *spt, const char *keys[],
> +
> + tp = tftp_prep_mbuf_data(spt, m);
> +
> +- tp->tp_op = htons(TFTP_OACK);
> ++ tp->hdr.tp_op = htons(TFTP_OACK);
> + for (i = 0; i < nb; i++) {
> + n += slirp_fmt0(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%s", keys[i]);
> + n += slirp_fmt0(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%u", values[i]);
> + }
> +
> +- m->m_len = G_SIZEOF_MEMBER(struct tftp_t, tp_op) + n;
> +- tftp_udp_output(spt, m, recv_tp);
> ++ m->m_len = G_SIZEOF_MEMBER(struct tftp_t, hdr.tp_op) + n;
> ++ tftp_udp_output(spt, m, &recv_tp->hdr);
> +
> + return 0;
> + }
> +@@ -213,21 +213,21 @@ static void tftp_send_error(struct tftp_session *spt, uint16_t errorcode,
> +
> + tp = tftp_prep_mbuf_data(spt, m);
> +
> +- tp->tp_op = htons(TFTP_ERROR);
> ++ tp->hdr.tp_op = htons(TFTP_ERROR);
> + tp->x.tp_error.tp_error_code = htons(errorcode);
> + slirp_pstrcpy((char *)tp->x.tp_error.tp_msg, sizeof(tp->x.tp_error.tp_msg),
> + msg);
> +
> + m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX + 2) + 3 +
> + strlen(msg) - sizeof(struct udphdr);
> +- tftp_udp_output(spt, m, recv_tp);
> ++ tftp_udp_output(spt, m, &recv_tp->hdr);
> +
> + out:
> + tftp_session_terminate(spt);
> + }
> +
> + static void tftp_send_next_block(struct tftp_session *spt,
> +- struct tftp_t *recv_tp)
> ++ struct tftphdr *hdr)
> + {
> + struct mbuf *m;
> + struct tftp_t *tp;
> +@@ -241,7 +241,7 @@ static void tftp_send_next_block(struct tftp_session *spt,
> +
> + tp = tftp_prep_mbuf_data(spt, m);
> +
> +- tp->tp_op = htons(TFTP_DATA);
> ++ tp->hdr.tp_op = htons(TFTP_DATA);
> + tp->x.tp_data.tp_block_nr = htons((spt->block_nr + 1) & 0xffff);
> +
> + nobytes = tftp_read_data(spt, spt->block_nr, tp->x.tp_data.tp_buf,
> +@@ -259,7 +259,7 @@ static void tftp_send_next_block(struct tftp_session *spt,
> +
> + m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX - nobytes) -
> + sizeof(struct udphdr);
> +- tftp_udp_output(spt, m, recv_tp);
> ++ tftp_udp_output(spt, m, hdr);
> +
> + if (nobytes == spt->block_size) {
> + tftp_session_update(spt);
> +@@ -282,12 +282,12 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
> + int nb_options = 0;
> +
> + /* check if a session already exists and if so terminate it */
> +- s = tftp_session_find(slirp, srcsas, tp);
> ++ s = tftp_session_find(slirp, srcsas, &tp->hdr);
> + if (s >= 0) {
> + tftp_session_terminate(&slirp->tftp_sessions[s]);
> + }
> +
> +- s = tftp_session_allocate(slirp, srcsas, tp);
> ++ s = tftp_session_allocate(slirp, srcsas, &tp->hdr);
> +
> + if (s < 0) {
> + return;
> +@@ -413,29 +413,29 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
> + }
> +
> + spt->block_nr = 0;
> +- tftp_send_next_block(spt, tp);
> ++ tftp_send_next_block(spt, &tp->hdr);
> + }
> +
> + static void tftp_handle_ack(Slirp *slirp, struct sockaddr_storage *srcsas,
> +- struct tftp_t *tp, int pktlen)
> ++ struct tftphdr *hdr)
> + {
> + int s;
> +
> +- s = tftp_session_find(slirp, srcsas, tp);
> ++ s = tftp_session_find(slirp, srcsas, hdr);
> +
> + if (s < 0) {
> + return;
> + }
> +
> +- tftp_send_next_block(&slirp->tftp_sessions[s], tp);
> ++ tftp_send_next_block(&slirp->tftp_sessions[s], hdr);
> + }
> +
> + static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas,
> +- struct tftp_t *tp, int pktlen)
> ++ struct tftphdr *hdr)
> + {
> + int s;
> +
> +- s = tftp_session_find(slirp, srcsas, tp);
> ++ s = tftp_session_find(slirp, srcsas, hdr);
> +
> + if (s < 0) {
> + return;
> +@@ -446,23 +446,25 @@ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas,
> +
> + void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m)
> + {
> +- struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf));
> ++ struct tftphdr *hdr = mtod_check(m, sizeof(struct tftphdr));
> +
> +- if (tp == NULL) {
> ++ if (hdr == NULL) {
> + return;
> + }
> +
> +- switch (ntohs(tp->tp_op)) {
> ++ switch (ntohs(hdr->tp_op)) {
> + case TFTP_RRQ:
> +- tftp_handle_rrq(m->slirp, srcsas, tp, m->m_len);
> ++ tftp_handle_rrq(m->slirp, srcsas,
> ++ mtod(m, struct tftp_t *),
> ++ m->m_len);
> + break;
> +
> + case TFTP_ACK:
> +- tftp_handle_ack(m->slirp, srcsas, tp, m->m_len);
> ++ tftp_handle_ack(m->slirp, srcsas, hdr);
> + break;
> +
> + case TFTP_ERROR:
> +- tftp_handle_error(m->slirp, srcsas, tp, m->m_len);
> ++ tftp_handle_error(m->slirp, srcsas, hdr);
> + break;
> + }
> + }
> +diff --git a/slirp/src/tftp.h b/slirp/src/tftp.h
> +index 6d75478e8..cafab03f2 100644
> +--- a/slirp/src/tftp.h
> ++++ b/slirp/src/tftp.h
> +@@ -20,9 +20,13 @@
> + #define TFTP_FILENAME_MAX 512
> + #define TFTP_BLOCKSIZE_MAX 1428
> +
> +-struct tftp_t {
> ++struct tftphdr {
> + struct udphdr udp;
> + uint16_t tp_op;
> ++} SLIRP_PACKED;
> ++
> ++struct tftp_t {
> ++ struct tftphdr hdr;
> + union {
> + struct {
> + uint16_t tp_block_nr;
> +--
> +2.31.1
> +
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#160547): https://lists.openembedded.org/g/openembedded-core/message/160547
> Mute This Topic: https://lists.openembedded.org/mt/88410487/4422444
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [sakib.sajal@windriver.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
[-- Attachment #2: Type: text/html, Size: 14510 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* [hardknott][PATCH 6/8] qemu: CVE-2021-3748
[not found] <20220113233551.36855-1-sakib.sajal@windriver.com>
@ 2022-01-13 23:35 ` Sakib Sajal
0 siblings, 0 replies; 6+ messages in thread
From: Sakib Sajal @ 2022-01-13 23:35 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2021-3748.patch | 127 ++++++++++++++++++
2 files changed, 128 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 970aa96608..7648ce9a38 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -78,6 +78,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3595_2.patch \
file://CVE-2021-3594.patch \
file://CVE-2021-3713.patch \
+ file://CVE-2021-3748.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
new file mode 100644
index 0000000000..a8f57c30b6
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
@@ -0,0 +1,127 @@
+From bacc200f623647632258f7efc0f098ac30dd4225 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Thu, 2 Sep 2021 13:44:12 +0800
+Subject: [PATCH 09/12] virtio-net: fix use after unmap/free for sg
+
+When mergeable buffer is enabled, we try to set the num_buffers after
+the virtqueue elem has been unmapped. This will lead several issues,
+E.g a use after free when the descriptor has an address which belongs
+to the non direct access region. In this case we use bounce buffer
+that is allocated during address_space_map() and freed during
+address_space_unmap().
+
+Fixing this by storing the elems temporarily in an array and delay the
+unmap after we set the the num_buffers.
+
+This addresses CVE-2021-3748.
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Fixes: fbe78f4f55c6 ("virtio-net support")
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3748
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++-------
+ 1 file changed, 32 insertions(+), 7 deletions(-)
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index 9179013ac..df1d30e2c 100644
+--- a/hw/net/virtio-net.c
++++ b/hw/net/virtio-net.c
+@@ -1665,10 +1665,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ VirtIONet *n = qemu_get_nic_opaque(nc);
+ VirtIONetQueue *q = virtio_net_get_subqueue(nc);
+ VirtIODevice *vdev = VIRTIO_DEVICE(n);
++ VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE];
++ size_t lens[VIRTQUEUE_MAX_SIZE];
+ struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE];
+ struct virtio_net_hdr_mrg_rxbuf mhdr;
+ unsigned mhdr_cnt = 0;
+- size_t offset, i, guest_offset;
++ size_t offset, i, guest_offset, j;
++ ssize_t err;
+
+ if (!virtio_net_can_receive(nc)) {
+ return -1;
+@@ -1699,6 +1702,12 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+
+ total = 0;
+
++ if (i == VIRTQUEUE_MAX_SIZE) {
++ virtio_error(vdev, "virtio-net unexpected long buffer chain");
++ err = size;
++ goto err;
++ }
++
+ elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement));
+ if (!elem) {
+ if (i) {
+@@ -1710,7 +1719,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ n->guest_hdr_len, n->host_hdr_len,
+ vdev->guest_features);
+ }
+- return -1;
++ err = -1;
++ goto err;
+ }
+
+ if (elem->in_num < 1) {
+@@ -1718,7 +1728,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ "virtio-net receive queue contains no in buffers");
+ virtqueue_detach_element(q->rx_vq, elem, 0);
+ g_free(elem);
+- return -1;
++ err = -1;
++ goto err;
+ }
+
+ sg = elem->in_sg;
+@@ -1755,12 +1766,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ if (!n->mergeable_rx_bufs && offset < size) {
+ virtqueue_unpop(q->rx_vq, elem, total);
+ g_free(elem);
+- return size;
++ err = size;
++ goto err;
+ }
+
+- /* signal other side */
+- virtqueue_fill(q->rx_vq, elem, total, i++);
+- g_free(elem);
++ elems[i] = elem;
++ lens[i] = total;
++ i++;
+ }
+
+ if (mhdr_cnt) {
+@@ -1770,10 +1782,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ &mhdr.num_buffers, sizeof mhdr.num_buffers);
+ }
+
++ for (j = 0; j < i; j++) {
++ /* signal other side */
++ virtqueue_fill(q->rx_vq, elems[j], lens[j], j);
++ g_free(elems[j]);
++ }
++
+ virtqueue_flush(q->rx_vq, i);
+ virtio_notify(vdev, q->rx_vq);
+
+ return size;
++
++err:
++ for (j = 0; j < i; j++) {
++ g_free(elems[j]);
++ }
++
++ return err;
+ }
+
+ static ssize_t virtio_net_do_receive(NetClientState *nc, const uint8_t *buf,
+--
+2.31.1
+
--
2.33.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
end of thread, other threads:[~2022-01-14 0:18 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20220114000641.33969-1-sakib.sajal@windriver.com>
2022-01-14 0:06 ` [hardknott][PATCH 3/8] qemu: CVE-2021-3595 Sakib Sajal
2022-01-14 0:06 ` [hardknott][PATCH 4/8] qemu: CVE-2021-3594 Sakib Sajal
2022-01-14 0:06 ` [hardknott][PATCH 6/8] qemu: CVE-2021-3748 Sakib Sajal
2022-01-14 0:06 ` [hardknott][PATCH 8/8] qemu: CVE-2021-20196 Sakib Sajal
[not found] ` <16C9FA5A611A7940.25962@lists.openembedded.org>
2022-01-14 0:18 ` [OE-core] [hardknott][PATCH 3/8] qemu: CVE-2021-3595 Sakib Sajal
[not found] <20220113233551.36855-1-sakib.sajal@windriver.com>
2022-01-13 23:35 ` [hardknott][PATCH 6/8] qemu: CVE-2021-3748 Sakib Sajal
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.