* [OE-core][hardknott][PATCH 1/4] qemu: fix CVE-2021-4145
@ 2022-06-01 3:51 Sakib Sajal
2022-06-01 3:51 ` [OE-core][hardknott][PATCH 2/4] qemu: fix CVE-2021-3750 Sakib Sajal
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Sakib Sajal @ 2022-06-01 3:51 UTC (permalink / raw)
To: openembedded-core
Fix for CVE-2021-4145, commit 66fed30c9c, fixes another commit:
d44dae1a7c ("block/mirror: fix active mirror dead-lock in mirror_wait_on_conflicts")
Hence, backport both the patches to resolve the CVE.
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
meta/recipes-devtools/qemu/qemu.inc | 2 +
.../qemu/qemu/CVE-2021-4145_1.patch | 67 +++++++++++++++
.../qemu/qemu/CVE-2021-4145_2.patch | 85 +++++++++++++++++++
3 files changed, 154 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4145_1.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4145_2.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 568ef1be94..aa372810ce 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -75,6 +75,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3930.patch \
file://CVE-2021-20196_1.patch \
file://CVE-2021-20196_2.patch \
+ file://CVE-2021-4145_1.patch \
+ file://CVE-2021-4145_2.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_1.patch
new file mode 100644
index 0000000000..02eae727d5
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_1.patch
@@ -0,0 +1,67 @@
+From 59fe260a352156261ad0d89be446e5dd0ac96de3 Mon Sep 17 00:00:00 2001
+From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Date: Sat, 3 Jul 2021 00:16:36 +0300
+Subject: [PATCH 1/2] block/mirror: fix active mirror dead-lock in
+ mirror_wait_on_conflicts
+
+It's possible that requests start to wait each other in
+mirror_wait_on_conflicts(). To avoid it let's use same technique as in
+block/io.c in bdrv_wait_serialising_requests_locked() /
+bdrv_find_conflicting_request(): don't wait on intersecting request if
+it is already waiting for some other request.
+
+For details of the dead-lock look at testIntersectingActiveIO()
+test-case which we actually fixing now.
+
+Fixes: d06107ade0ce74dc39739bac80de84b51ec18546
+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Message-Id: <20210702211636.228981-4-vsementsov@virtuozzo.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+
+CVE: CVE-2021-4145
+Upstream-Status: Backport [d44dae1a7cf782ec9235746ebb0e6c1a20dd7288]
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ block/mirror.c | 12 ++++++++++++
+ tests/qemu-iotests/151 | 0
+ 2 files changed, 12 insertions(+)
+ mode change 100755 => 100644 tests/qemu-iotests/151
+
+diff --git a/block/mirror.c b/block/mirror.c
+index 8e1ad6ece..fab008568 100644
+--- a/block/mirror.c
++++ b/block/mirror.c
+@@ -106,6 +106,7 @@ struct MirrorOp {
+ bool is_in_flight;
+ CoQueue waiting_requests;
+ Coroutine *co;
++ MirrorOp *waiting_for_op;
+
+ QTAILQ_ENTRY(MirrorOp) next;
+ };
+@@ -158,7 +159,18 @@ static void coroutine_fn mirror_wait_on_conflicts(MirrorOp *self,
+ if (ranges_overlap(self_start_chunk, self_nb_chunks,
+ op_start_chunk, op_nb_chunks))
+ {
++ /*
++ * If the operation is already (indirectly) waiting for us, or
++ * will wait for us as soon as it wakes up, then just go on
++ * (instead of producing a deadlock in the former case).
++ */
++ if (op->waiting_for_op) {
++ continue;
++ }
++
++ self->waiting_for_op = op;
+ qemu_co_queue_wait(&op->waiting_requests, NULL);
++ self->waiting_for_op = NULL;
+ break;
+ }
+ }
+diff --git a/tests/qemu-iotests/151 b/tests/qemu-iotests/151
+old mode 100755
+new mode 100644
+--
+2.33.0
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_2.patch
new file mode 100644
index 0000000000..891664375c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_2.patch
@@ -0,0 +1,85 @@
+From 09036c63a4a498d65de0d035211b01f0482e3533 Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Fri, 10 Sep 2021 14:45:33 +0200
+Subject: [PATCH 2/2] block/mirror: fix NULL pointer dereference in
+ mirror_wait_on_conflicts()
+
+In mirror_iteration() we call mirror_wait_on_conflicts() with
+`self` parameter set to NULL.
+
+Starting from commit d44dae1a7c we dereference `self` pointer in
+mirror_wait_on_conflicts() without checks if it is not NULL.
+
+Backtrace:
+ Program terminated with signal SIGSEGV, Segmentation fault.
+ #0 mirror_wait_on_conflicts (self=0x0, s=<optimized out>, offset=<optimized out>, bytes=<optimized out>)
+ at ../block/mirror.c:172
+ 172 self->waiting_for_op = op;
+ [Current thread is 1 (Thread 0x7f0908931ec0 (LWP 380249))]
+ (gdb) bt
+ #0 mirror_wait_on_conflicts (self=0x0, s=<optimized out>, offset=<optimized out>, bytes=<optimized out>)
+ at ../block/mirror.c:172
+ #1 0x00005610c5d9d631 in mirror_run (job=0x5610c76a2c00, errp=<optimized out>) at ../block/mirror.c:491
+ #2 0x00005610c5d58726 in job_co_entry (opaque=0x5610c76a2c00) at ../job.c:917
+ #3 0x00005610c5f046c6 in coroutine_trampoline (i0=<optimized out>, i1=<optimized out>)
+ at ../util/coroutine-ucontext.c:173
+ #4 0x00007f0909975820 in ?? () at ../sysdeps/unix/sysv/linux/x86_64/__start_context.S:91
+ from /usr/lib64/libc.so.6
+
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2001404
+Fixes: d44dae1a7c ("block/mirror: fix active mirror dead-lock in mirror_wait_on_conflicts")
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Message-Id: <20210910124533.288318-1-sgarzare@redhat.com>
+Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Signed-off-by: Hanna Reitz <hreitz@redhat.com>
+
+CVE: CVE-2021-4145
+Upstream-Status: Backport [66fed30c9cd11854fc878a4eceb507e915d7c9cd]
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ block/mirror.c | 25 ++++++++++++++++---------
+ 1 file changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/block/mirror.c b/block/mirror.c
+index fab008568..ca0be146f 100644
+--- a/block/mirror.c
++++ b/block/mirror.c
+@@ -159,18 +159,25 @@ static void coroutine_fn mirror_wait_on_conflicts(MirrorOp *self,
+ if (ranges_overlap(self_start_chunk, self_nb_chunks,
+ op_start_chunk, op_nb_chunks))
+ {
+- /*
+- * If the operation is already (indirectly) waiting for us, or
+- * will wait for us as soon as it wakes up, then just go on
+- * (instead of producing a deadlock in the former case).
+- */
+- if (op->waiting_for_op) {
+- continue;
++ if (self) {
++ /*
++ * If the operation is already (indirectly) waiting for us,
++ * or will wait for us as soon as it wakes up, then just go
++ * on (instead of producing a deadlock in the former case).
++ */
++ if (op->waiting_for_op) {
++ continue;
++ }
++
++ self->waiting_for_op = op;
+ }
+
+- self->waiting_for_op = op;
+ qemu_co_queue_wait(&op->waiting_requests, NULL);
+- self->waiting_for_op = NULL;
++
++ if (self) {
++ self->waiting_for_op = NULL;
++ }
++
+ break;
+ }
+ }
+--
+2.33.0
+
--
2.33.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [OE-core][hardknott][PATCH 2/4] qemu: fix CVE-2021-3750
2022-06-01 3:51 [OE-core][hardknott][PATCH 1/4] qemu: fix CVE-2021-4145 Sakib Sajal
@ 2022-06-01 3:51 ` Sakib Sajal
2022-06-01 3:51 ` [OE-core][hardknott][PATCH 3/4] qemu: fix CVE-2022-26353 Sakib Sajal
2022-06-01 3:51 ` [OE-core][hardknott][PATCH 4/4] qemu: fix CVE-2021-4206 Sakib Sajal
2 siblings, 0 replies; 4+ messages in thread
From: Sakib Sajal @ 2022-06-01 3:51 UTC (permalink / raw)
To: openembedded-core
Backport appropriate patches to resolve CVE-2021-3750.
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
meta/recipes-devtools/qemu/qemu.inc | 3 +
.../qemu/qemu/CVE-2021-3750_1.patch | 60 +++++++
.../qemu/qemu/CVE-2021-3750_2.patch | 65 ++++++++
.../qemu/qemu/CVE-2021-3750_3.patch | 156 ++++++++++++++++++
4 files changed, 284 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_3.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index aa372810ce..5605ece5bb 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -77,6 +77,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-20196_2.patch \
file://CVE-2021-4145_1.patch \
file://CVE-2021-4145_2.patch \
+ file://CVE-2021-3750_1.patch \
+ file://CVE-2021-3750_2.patch \
+ file://CVE-2021-3750_3.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch
new file mode 100644
index 0000000000..8381661886
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch
@@ -0,0 +1,60 @@
+From d09eb9fc1459f5c8b623f3f2134c3c007b4e6344 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 15 Dec 2021 19:24:19 +0100
+Subject: [PATCH 1/3] hw/intc/arm_gicv3: Check for !MEMTX_OK instead of
+ MEMTX_ERROR
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Quoting Peter Maydell:
+
+ "These MEMTX_* aren't from the memory transaction
+ API functions; they're just being used by gicd_readl() and
+ friends as a way to indicate a success/failure so that the
+ actual MemoryRegionOps read/write fns like gicv3_dist_read()
+ can log a guest error."
+
+We are going to introduce more MemTxResult bits, so it is
+safer to check for !MEMTX_OK rather than MEMTX_ERROR.
+
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+CVE: CVE-2021-3750
+Upstream-Status: Backport [b9d383ab797f54ae5fa8746117770709921dc529]
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/intc/arm_gicv3_redist.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c
+index 8645220d6..44368e285 100644
+--- a/hw/intc/arm_gicv3_redist.c
++++ b/hw/intc/arm_gicv3_redist.c
+@@ -450,7 +450,7 @@ MemTxResult gicv3_redist_read(void *opaque, hwaddr offset, uint64_t *data,
+ break;
+ }
+
+- if (r == MEMTX_ERROR) {
++ if (r != MEMTX_OK) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: invalid guest read at offset " TARGET_FMT_plx
+ "size %u\n", __func__, offset, size);
+@@ -507,7 +507,7 @@ MemTxResult gicv3_redist_write(void *opaque, hwaddr offset, uint64_t data,
+ break;
+ }
+
+- if (r == MEMTX_ERROR) {
++ if (r != MEMTX_OK) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: invalid guest write at offset " TARGET_FMT_plx
+ "size %u\n", __func__, offset, size);
+--
+2.33.0
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch
new file mode 100644
index 0000000000..82d2675ab2
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch
@@ -0,0 +1,65 @@
+From 13e82fe73aca591cc4160688597515c7fb6f9788 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 15 Dec 2021 19:24:20 +0100
+Subject: [PATCH 2/3] softmmu/physmem: Simplify flatview_write and
+ address_space_access_valid
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Remove unuseful local 'result' variables.
+
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20211215182421.418374-3-philmd@redhat.com>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+
+CVE: CVE-2021-3750
+Upstream-Status: Backport [58e74682baf4e1ad26b064d8c02e5bc99c75c5d9]
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ softmmu/physmem.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/softmmu/physmem.c b/softmmu/physmem.c
+index 2cd1de4a2..68612afbd 100644
+--- a/softmmu/physmem.c
++++ b/softmmu/physmem.c
+@@ -2792,14 +2792,11 @@ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
+ hwaddr l;
+ hwaddr addr1;
+ MemoryRegion *mr;
+- MemTxResult result = MEMTX_OK;
+
+ l = len;
+ mr = flatview_translate(fv, addr, &addr1, &l, true, attrs);
+- result = flatview_write_continue(fv, addr, attrs, buf, len,
+- addr1, l, mr);
+-
+- return result;
++ return flatview_write_continue(fv, addr, attrs, buf, len,
++ addr1, l, mr);
+ }
+
+ /* Called within RCU critical section. */
+@@ -3096,12 +3093,10 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr,
+ MemTxAttrs attrs)
+ {
+ FlatView *fv;
+- bool result;
+
+ RCU_READ_LOCK_GUARD();
+ fv = address_space_to_flatview(as);
+- result = flatview_access_valid(fv, addr, len, is_write, attrs);
+- return result;
++ return flatview_access_valid(fv, addr, len, is_write, attrs);
+ }
+
+ static hwaddr
+--
+2.33.0
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_3.patch
new file mode 100644
index 0000000000..e5748b50ce
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_3.patch
@@ -0,0 +1,156 @@
+From 9df520db8c1bf24f1ff1c9739b7870056f2bc991 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 15 Dec 2021 19:24:21 +0100
+Subject: [PATCH 3/3] softmmu/physmem: Introduce MemTxAttrs::memory field and
+ MEMTX_ACCESS_ERROR
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add the 'memory' bit to the memory attributes to restrict bus
+controller accesses to memories.
+
+Introduce flatview_access_allowed() to check bus permission
+before running any bus transaction.
+
+Have read/write accessors return MEMTX_ACCESS_ERROR if an access is
+restricted.
+
+There is no change for the default case where 'memory' is not set.
+
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20211215182421.418374-4-philmd@redhat.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+[thuth: Replaced MEMTX_BUS_ERROR with MEMTX_ACCESS_ERROR, remove "inline"]
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+
+CVE: CVE-2021-3750
+Upstream-Status: Backport [3ab6fdc91b72e156da22848f0003ff4225690ced]
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ include/exec/memattrs.h | 9 +++++++++
+ softmmu/physmem.c | 44 +++++++++++++++++++++++++++++++++++++++--
+ 2 files changed, 51 insertions(+), 2 deletions(-)
+
+diff --git a/include/exec/memattrs.h b/include/exec/memattrs.h
+index 95f2d20d5..9fb98bc1e 100644
+--- a/include/exec/memattrs.h
++++ b/include/exec/memattrs.h
+@@ -35,6 +35,14 @@ typedef struct MemTxAttrs {
+ unsigned int secure:1;
+ /* Memory access is usermode (unprivileged) */
+ unsigned int user:1;
++ /*
++ * Bus interconnect and peripherals can access anything (memories,
++ * devices) by default. By setting the 'memory' bit, bus transaction
++ * are restricted to "normal" memories (per the AMBA documentation)
++ * versus devices. Access to devices will be logged and rejected
++ * (see MEMTX_ACCESS_ERROR).
++ */
++ unsigned int memory:1;
+ /* Requester ID (for MSI for example) */
+ unsigned int requester_id:16;
+ /* Invert endianness for this page */
+@@ -66,6 +74,7 @@ typedef struct MemTxAttrs {
+ #define MEMTX_OK 0
+ #define MEMTX_ERROR (1U << 0) /* device returned an error */
+ #define MEMTX_DECODE_ERROR (1U << 1) /* nothing at that address */
++#define MEMTX_ACCESS_ERROR (1U << 2) /* access denied */
+ typedef uint32_t MemTxResult;
+
+ #endif
+diff --git a/softmmu/physmem.c b/softmmu/physmem.c
+index 68612afbd..f15216da0 100644
+--- a/softmmu/physmem.c
++++ b/softmmu/physmem.c
+@@ -38,6 +38,7 @@
+ #include "qemu/config-file.h"
+ #include "qemu/error-report.h"
+ #include "qemu/qemu-print.h"
++#include "qemu/log.h"
+ #include "exec/memory.h"
+ #include "exec/ioport.h"
+ #include "sysemu/dma.h"
+@@ -2736,6 +2737,33 @@ static bool prepare_mmio_access(MemoryRegion *mr)
+ return release_lock;
+ }
+
++/**
++ * flatview_access_allowed
++ * @mr: #MemoryRegion to be accessed
++ * @attrs: memory transaction attributes
++ * @addr: address within that memory region
++ * @len: the number of bytes to access
++ *
++ * Check if a memory transaction is allowed.
++ *
++ * Returns: true if transaction is allowed, false if denied.
++ */
++static bool flatview_access_allowed(MemoryRegion *mr, MemTxAttrs attrs,
++ hwaddr addr, hwaddr len)
++{
++ if (likely(!attrs.memory)) {
++ return true;
++ }
++ if (memory_region_is_ram(mr)) {
++ return true;
++ }
++ qemu_log_mask(LOG_GUEST_ERROR,
++ "Invalid access to non-RAM device at "
++ "addr 0x%" HWADDR_PRIX ", size %" HWADDR_PRIu ", "
++ "region '%s'\n", addr, len, memory_region_name(mr));
++ return false;
++}
++
+ /* Called within RCU critical section. */
+ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr,
+ MemTxAttrs attrs,
+@@ -2750,7 +2778,10 @@ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr,
+ const uint8_t *buf = ptr;
+
+ for (;;) {
+- if (!memory_access_is_direct(mr, true)) {
++ if (!flatview_access_allowed(mr, attrs, addr1, l)) {
++ result |= MEMTX_ACCESS_ERROR;
++ /* Keep going. */
++ } else if (!memory_access_is_direct(mr, true)) {
+ release_lock |= prepare_mmio_access(mr);
+ l = memory_access_size(mr, l, addr1);
+ /* XXX: could force current_cpu to NULL to avoid
+@@ -2795,6 +2826,9 @@ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
+
+ l = len;
+ mr = flatview_translate(fv, addr, &addr1, &l, true, attrs);
++ if (!flatview_access_allowed(mr, attrs, addr, len)) {
++ return MEMTX_ACCESS_ERROR;
++ }
+ return flatview_write_continue(fv, addr, attrs, buf, len,
+ addr1, l, mr);
+ }
+@@ -2812,7 +2846,10 @@ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr,
+ uint8_t *buf = ptr;
+
+ for (;;) {
+- if (!memory_access_is_direct(mr, false)) {
++ if (!flatview_access_allowed(mr, attrs, addr1, l)) {
++ result |= MEMTX_ACCESS_ERROR;
++ /* Keep going. */
++ } else if (!memory_access_is_direct(mr, false)) {
+ /* I/O case */
+ release_lock |= prepare_mmio_access(mr);
+ l = memory_access_size(mr, l, addr1);
+@@ -2856,6 +2893,9 @@ static MemTxResult flatview_read(FlatView *fv, hwaddr addr,
+
+ l = len;
+ mr = flatview_translate(fv, addr, &addr1, &l, false, attrs);
++ if (!flatview_access_allowed(mr, attrs, addr, len)) {
++ return MEMTX_ACCESS_ERROR;
++ }
+ return flatview_read_continue(fv, addr, attrs, buf, len,
+ addr1, l, mr);
+ }
+--
+2.33.0
+
--
2.33.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [OE-core][hardknott][PATCH 3/4] qemu: fix CVE-2022-26353
2022-06-01 3:51 [OE-core][hardknott][PATCH 1/4] qemu: fix CVE-2021-4145 Sakib Sajal
2022-06-01 3:51 ` [OE-core][hardknott][PATCH 2/4] qemu: fix CVE-2021-3750 Sakib Sajal
@ 2022-06-01 3:51 ` Sakib Sajal
2022-06-01 3:51 ` [OE-core][hardknott][PATCH 4/4] qemu: fix CVE-2021-4206 Sakib Sajal
2 siblings, 0 replies; 4+ messages in thread
From: Sakib Sajal @ 2022-06-01 3:51 UTC (permalink / raw)
To: openembedded-core
Backport fix to resolve CVE-2022-26353:
abe300d9d8 virtio-net: fix map leaking on error during receive
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2022-26353.patch | 44 +++++++++++++++++++
2 files changed, 45 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-26353.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 5605ece5bb..898377d11b 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -80,6 +80,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3750_1.patch \
file://CVE-2021-3750_2.patch \
file://CVE-2021-3750_3.patch \
+ file://CVE-2022-26353.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-26353.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-26353.patch
new file mode 100644
index 0000000000..e76444b9fe
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-26353.patch
@@ -0,0 +1,44 @@
+From 2263354a272db3e520687af31675684c9c705456 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Tue, 8 Mar 2022 10:42:51 +0800
+Subject: [PATCH] virtio-net: fix map leaking on error during receive
+
+Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
+tries to fix the use after free of the sg by caching the virtqueue
+elements in an array and unmap them at once after receiving the
+packets, But it forgot to unmap the cached elements on error which
+will lead to leaking of mapping and other unexpected results.
+
+Fixing this by detaching the cached elements on error. This addresses
+CVE-2022-26353.
+
+Reported-by: Victor Tom <vv474172261@gmail.com>
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2022-26353
+Fixes: bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+CVE: CVE-2022-26353
+Upstream-Status: Backport [abe300d9d894f7138e1af7c8e9c88c04bfe98b37]
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/virtio-net.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index df1d30e2c..a351d16b5 100644
+--- a/hw/net/virtio-net.c
++++ b/hw/net/virtio-net.c
+@@ -1795,6 +1795,7 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+
+ err:
+ for (j = 0; j < i; j++) {
++ virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);
+ g_free(elems[j]);
+ }
+
+--
+2.33.0
+
--
2.33.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [OE-core][hardknott][PATCH 4/4] qemu: fix CVE-2021-4206
2022-06-01 3:51 [OE-core][hardknott][PATCH 1/4] qemu: fix CVE-2021-4145 Sakib Sajal
2022-06-01 3:51 ` [OE-core][hardknott][PATCH 2/4] qemu: fix CVE-2021-3750 Sakib Sajal
2022-06-01 3:51 ` [OE-core][hardknott][PATCH 3/4] qemu: fix CVE-2022-26353 Sakib Sajal
@ 2022-06-01 3:51 ` Sakib Sajal
2 siblings, 0 replies; 4+ messages in thread
From: Sakib Sajal @ 2022-06-01 3:51 UTC (permalink / raw)
To: openembedded-core
Backport fix to resolve CVE-2021-4206:
fa892e9abb ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2021-4206.patch | 89 +++++++++++++++++++
2 files changed, 90 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 898377d11b..b6595a7731 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -81,6 +81,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3750_2.patch \
file://CVE-2021-3750_3.patch \
file://CVE-2022-26353.patch \
+ file://CVE-2021-4206.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
new file mode 100644
index 0000000000..bc76d3a206
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
@@ -0,0 +1,89 @@
+From 1ed7525cc9d9a98ef126e9803b09f50aa9f2e3bf Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 7 Apr 2022 10:17:12 +0200
+Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc
+ (CVE-2021-4206)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Prevent potential integer overflow by limiting 'width' and 'height' to
+512x512. Also change 'datasize' type to size_t. Refer to security
+advisory https://starlabs.sg/advisories/22-4206/ for more information.
+
+Fixes: CVE-2021-4206
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20220407081712.345609-1-mcascell@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+CVE: CVE-2021-4206
+Upstream-Status: Backport [fa892e9abb728e76afcf27323ab29c57fb0fe7aa]
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/display/qxl-render.c | 7 +++++++
+ hw/display/vmware_vga.c | 2 ++
+ ui/cursor.c | 8 +++++++-
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+index 3ce2e57b8..c2ecef706 100644
+--- a/hw/display/qxl-render.c
++++ b/hw/display/qxl-render.c
+@@ -246,6 +246,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
+ size_t size;
+
+ c = cursor_alloc(cursor->header.width, cursor->header.height);
++
++ if (!c) {
++ qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__,
++ cursor->header.width, cursor->header.height);
++ goto fail;
++ }
++
+ c->hot_x = cursor->header.hot_spot_x;
+ c->hot_y = cursor->header.hot_spot_y;
+ switch (cursor->header.type) {
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index bef0d7d69..e30dbdcb3 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -510,6 +510,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
+ int i, pixels;
+
+ qc = cursor_alloc(c->width, c->height);
++ assert(qc != NULL);
++
+ qc->hot_x = c->hot_x;
+ qc->hot_y = c->hot_y;
+ switch (c->bpp) {
+diff --git a/ui/cursor.c b/ui/cursor.c
+index 1d62ddd4d..835f0802f 100644
+--- a/ui/cursor.c
++++ b/ui/cursor.c
+@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[])
+
+ /* parse pixel data */
+ c = cursor_alloc(width, height);
++ assert(c != NULL);
++
+ for (pixel = 0, y = 0; y < height; y++, line++) {
+ for (x = 0; x < height; x++, pixel++) {
+ idx = xpm[line][x];
+@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void)
+ QEMUCursor *cursor_alloc(int width, int height)
+ {
+ QEMUCursor *c;
+- int datasize = width * height * sizeof(uint32_t);
++ size_t datasize = width * height * sizeof(uint32_t);
++
++ if (width > 512 || height > 512) {
++ return NULL;
++ }
+
+ c = g_malloc0(sizeof(QEMUCursor) + datasize);
+ c->width = width;
+--
+2.33.0
+
--
2.33.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-06-01 3:51 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-06-01 3:51 [OE-core][hardknott][PATCH 1/4] qemu: fix CVE-2021-4145 Sakib Sajal
2022-06-01 3:51 ` [OE-core][hardknott][PATCH 2/4] qemu: fix CVE-2021-3750 Sakib Sajal
2022-06-01 3:51 ` [OE-core][hardknott][PATCH 3/4] qemu: fix CVE-2022-26353 Sakib Sajal
2022-06-01 3:51 ` [OE-core][hardknott][PATCH 4/4] qemu: fix CVE-2021-4206 Sakib Sajal
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.