* [PATCH][dunfell 1/2] gst-plugins-good: fix several CVE
@ 2022-09-14 6:04 chee.yang.lee
From: chee.yang.lee @ 2022-09-14 6:04 UTC (permalink / raw)
To: openembedded-core
From: Chee Yang Lee <chee.yang.lee@intel.com>
backport fix for:
CVE-2022-1920
CVE-2022-1921
CVE-2022-1922
CVE-2022-1923
CVE-2022-1924
CVE-2022-1925
CVE-2022-2122
Also mark these CVEs as ignored in gstreamer1.0_1.16.3.bb.
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
---
.../CVE-2022-1920.patch | 59 +++++
.../CVE-2022-1921.patch | 69 ++++++
.../CVE-2022-1922-1923-1924-1925.patch | 214 ++++++++++++++++++
.../CVE-2022-2122.patch | 60 +++++
.../gstreamer1.0-plugins-good_1.16.3.bb | 4 +
.../gstreamer/gstreamer1.0_1.16.3.bb | 7 +
6 files changed, 413 insertions(+)
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch
new file mode 100644
index 0000000000..ee33c5564d
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch
@@ -0,0 +1,59 @@
+From cf887f1b8e228bff6e19829e6d03995d70ad739d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 18 May 2022 10:23:15 +0300
+Subject: [PATCH] matroskademux: Avoid integer-overflow resulting in heap
+ corruption in WavPack header handling code
+
+blocksize + WAVPACK4_HEADER_SIZE might overflow gsize, which then
+results in allocating a very small buffer. Into that buffer blocksize
+data is memcpy'd later which then causes out of bound writes and can
+potentially lead to anything from crashes to remote code execution.
+
+Thanks to Adam Doupe for analyzing and reporting the issue.
+
+CVE: CVE-2022-1920
+
+https://gstreamer.freedesktop.org/security/sa-2022-0004.html
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2612>
+
+https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/0df0dd7fe388174e4835eda4526b47f470a56370
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ .../gst/matroska/matroska-demux.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
+index 64cc6be60be..01d754c3eb9 100644
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -3933,7 +3933,8 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+ } else {
+ guint8 *outdata = NULL;
+ gsize buf_size, size;
+- guint32 block_samples, flags, crc, blocksize;
++ guint32 block_samples, flags, crc;
++ gsize blocksize;
+ GstAdapter *adapter;
+
+ adapter = gst_adapter_new ();
+@@ -3974,6 +3975,13 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+ return GST_FLOW_ERROR;
+ }
+
++ if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) {
++ GST_ERROR_OBJECT (element, "Too big wavpack buffer");
++ gst_buffer_unmap (*buf, &map);
++ g_object_unref (adapter);
++ return GST_FLOW_ERROR;
++ }
++
+ g_assert (newbuf == NULL);
+
+ newbuf =
+--
+GitLab
+
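Review bot: The patch header cites two different upstream commit ids: the `From` line at the top names cf887f1b8e228bff6e19829e6d03995d70ad739d while the link below the Part-of trailer names 0df0dd7fe388174e4835eda4526b47f470a56370, and nothing says which branch each comes from. Presumably one is the main-branch fix and the other its application to the 1.16 branch, but anyone verifying the backport has to guess; naming the branch next to each id, for example `Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/0df0dd7fe388174e4835eda4526b47f470a56370]` plus a line saying the From id is the 1.16-branch commit, would settle it. The code change itself, widening blocksize to gsize and rejecting `blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE` before the allocation, matches what the description claims. gst_matroska_demux_add_wvpk_header starts and ends outside the hunk.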
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch
new file mode 100644
index 0000000000..99dbb2b1b0
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch
@@ -0,0 +1,69 @@
+From f503caad676971933dc0b52c4b313e5ef0d6dbb0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 18 May 2022 12:00:48 +0300
+Subject: [PATCH] avidemux: Fix integer overflow resulting in heap corruption
+ in DIB buffer inversion code
+
+Check that width*bpp/8 doesn't overflow a guint and also that
+height*stride fits into the provided buffer without overflowing.
+
+Thanks to Adam Doupe for analyzing and reporting the issue.
+
+CVE: CVE-2022-1921
+
+See https://gstreamer.freedesktop.org/security/sa-2022-0001.html
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1224
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2608>
+
+https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f503caad676971933dc0b52c4b313e5ef0d6dbb0
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ .../gst/avi/gstavidemux.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/gst/avi/gstavidemux.c b/gst/avi/gstavidemux.c
+index eafe865494c..0d18a6495c7 100644
+--- a/gst/avi/gstavidemux.c
++++ b/gst/avi/gstavidemux.c
+@@ -4973,8 +4973,8 @@ swap_line (guint8 * d1, guint8 * d2, guint8 * tmp, gint bytes)
+ static GstBuffer *
+ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf)
+ {
+- gint y, w, h;
+- gint bpp, stride;
++ guint y, w, h;
++ guint bpp, stride;
+ guint8 *tmp = NULL;
+ GstMapInfo map;
+ guint32 fourcc;
+@@ -5001,12 +5001,23 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf)
+ h = stream->strf.vids->height;
+ w = stream->strf.vids->width;
+ bpp = stream->strf.vids->bit_cnt ? stream->strf.vids->bit_cnt : 8;
++
++ if ((guint64) w * ((guint64) bpp / 8) > G_MAXUINT - 4) {
++ GST_WARNING ("Width x stride overflows");
++ return buf;
++ }
++
++ if (w == 0 || h == 0) {
++ GST_WARNING ("Zero width or height");
++ return buf;
++ }
++
+ stride = GST_ROUND_UP_4 (w * (bpp / 8));
+
+ buf = gst_buffer_make_writable (buf);
+
+ gst_buffer_map (buf, &map, GST_MAP_READWRITE);
+- if (map.size < (stride * h)) {
++ if (map.size < ((guint64) stride * (guint64) h)) {
+ GST_WARNING ("Buffer is smaller than reported Width x Height x Depth");
+ gst_buffer_unmap (buf, &map);
+ return buf;
+--
+GitLab
+
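Review bot: The new guard `(guint64) w * ((guint64) bpp / 8) > G_MAXUINT - 4` has no comment saying where the headroom of 4 comes from; it is needed because `GST_ROUND_UP_4` on the stride line can add up to 3 to the product, so a one-liner such as `/* GST_ROUND_UP_4 below may add up to 3; keep headroom so stride cannot wrap */` would stop the constant from being "tidied" later. The guard also divides bpp by 8 before multiplying, matching the `w * (bpp / 8)` stride expression rather than the `width*bpp/8` wording of the commit message; for bit_cnt values below 8 both give a stride of 0, which the following `map.size < stride * h` check does not reject, so if that pre-existing case is meant to be a no-op it deserves a sentence in the same comment. gst_avi_demux_invert continues past the end of the hunk.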
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch
new file mode 100644
index 0000000000..ebffbc473d
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch
@@ -0,0 +1,214 @@
+From ad6012159acf18c6b5c0f4edf037e8c9a2dbc966 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 18 May 2022 11:24:37 +0300
+Subject: [PATCH] matroskademux: Fix integer overflows in zlib/bz2/etc
+ decompression code
+
+Various variables were of smaller types than needed and there were no
+checks for any overflows when doing additions on the sizes. This is all
+checked now.
+
+In addition the size of the decompressed data is limited to 120MB now as
+any larger sizes are likely pathological and we can avoid out of memory
+situations in many cases like this.
+
+Also fix a bug where the available output size on the next iteration in
+the zlib/bz2 decompression code was provided too large and could
+potentially lead to out of bound writes.
+
+Thanks to Adam Doupe for analyzing and reporting the issue.
+
+CVE: CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925
+
+https://gstreamer.freedesktop.org/security/sa-2022-0002.html
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610>
+
+CVE: CVE-2022-1922 CVE-2022-1923 CVE-2022-1924 CVE-2022-1925
+https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ad6012159acf18c6b5c0f4edf037e8c9a2dbc966
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ .../gst/matroska/matroska-read-common.c | 76 +++++++++++++++----
+ 1 file changed, 61 insertions(+), 15 deletions(-)
+
+diff --git a/gst/matroska/matroska-read-common.c b/gst/matroska/matroska-read-common.c
+index eb317644cc5..6fadbba9567 100644
+--- a/gst/matroska/matroska-read-common.c
++++ b/gst/matroska/matroska-read-common.c
+@@ -70,6 +70,10 @@ typedef struct
+ gboolean audio_only;
+ } TargetTypeContext;
+
++/* 120MB as maximum decompressed data size. Anything bigger is likely
++ * pathological, and like this we avoid out of memory situations in many cases
++ */
++#define MAX_DECOMPRESS_SIZE (120 * 1024 * 1024)
+
+ static gboolean
+ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+@@ -77,19 +81,23 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+ GstMatroskaTrackCompressionAlgorithm algo)
+ {
+ guint8 *new_data = NULL;
+- guint new_size = 0;
++ gsize new_size = 0;
+ guint8 *data = *data_out;
+- guint size = *size_out;
++ const gsize size = *size_out;
+ gboolean ret = TRUE;
+
++ if (size > G_MAXUINT32) {
++ GST_WARNING ("too large compressed data buffer.");
++ ret = FALSE;
++ goto out;
++ }
++
+ if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_ZLIB) {
+ #ifdef HAVE_ZLIB
+ /* zlib encoded data */
+ z_stream zstream;
+- guint orig_size;
+ int result;
+
+- orig_size = size;
+ zstream.zalloc = (alloc_func) 0;
+ zstream.zfree = (free_func) 0;
+ zstream.opaque = (voidpf) 0;
+@@ -99,8 +107,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+ goto out;
+ }
+ zstream.next_in = (Bytef *) data;
+- zstream.avail_in = orig_size;
+- new_size = orig_size;
++ zstream.avail_in = size;
++ new_size = size;
+ new_data = g_malloc (new_size);
+ zstream.avail_out = new_size;
+ zstream.next_out = (Bytef *) new_data;
+@@ -114,10 +122,18 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+ break;
+ }
+
++ if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) {
++ GST_WARNING ("too big decompressed data");
++ result = Z_MEM_ERROR;
++ break;
++ }
++
+ new_size += 4096;
+ new_data = g_realloc (new_data, new_size);
+ zstream.next_out = (Bytef *) (new_data + zstream.total_out);
+- zstream.avail_out += 4096;
++ /* avail_out is an unsigned int */
++ g_assert (new_size - zstream.total_out <= G_MAXUINT);
++ zstream.avail_out = new_size - zstream.total_out;
+ } while (zstream.avail_in > 0);
+
+ if (result != Z_STREAM_END) {
+@@ -137,13 +153,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+ #ifdef HAVE_BZ2
+ /* bzip2 encoded data */
+ bz_stream bzstream;
+- guint orig_size;
+ int result;
+
+ bzstream.bzalloc = NULL;
+ bzstream.bzfree = NULL;
+ bzstream.opaque = NULL;
+- orig_size = size;
+
+ if (BZ2_bzDecompressInit (&bzstream, 0, 0) != BZ_OK) {
+ GST_WARNING ("bzip2 initialization failed.");
+@@ -152,8 +166,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+ }
+
+ bzstream.next_in = (char *) data;
+- bzstream.avail_in = orig_size;
+- new_size = orig_size;
++ bzstream.avail_in = size;
++ new_size = size;
+ new_data = g_malloc (new_size);
+ bzstream.avail_out = new_size;
+ bzstream.next_out = (char *) new_data;
+@@ -167,17 +181,31 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+ break;
+ }
+
++ if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) {
++ GST_WARNING ("too big decompressed data");
++ result = BZ_MEM_ERROR;
++ break;
++ }
++
+ new_size += 4096;
+ new_data = g_realloc (new_data, new_size);
+- bzstream.next_out = (char *) (new_data + bzstream.total_out_lo32);
+- bzstream.avail_out += 4096;
++ bzstream.next_out =
++ (char *) (new_data + ((guint64) bzstream.total_out_hi32 << 32) +
++ bzstream.total_out_lo32);
++ /* avail_out is an unsigned int */
++ g_assert (new_size - ((guint64) bzstream.total_out_hi32 << 32) +
++ bzstream.total_out_lo32 <= G_MAXUINT);
++ bzstream.avail_out =
++ new_size - ((guint64) bzstream.total_out_hi32 << 32) +
++ bzstream.total_out_lo32;
+ } while (bzstream.avail_in > 0);
+
+ if (result != BZ_STREAM_END) {
+ ret = FALSE;
+ g_free (new_data);
+ } else {
+- new_size = bzstream.total_out_lo32;
++ new_size =
++ ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32;
+ }
+ BZ2_bzDecompressEnd (&bzstream);
+
+@@ -189,7 +217,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+ } else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_LZO1X) {
+ /* lzo encoded data */
+ int result;
+- int orig_size, out_size;
++ gint orig_size, out_size;
++
++ if (size > G_MAXINT) {
++ GST_WARNING ("too large compressed data buffer.");
++ ret = FALSE;
++ goto out;
++ }
+
+ orig_size = size;
+ out_size = size;
+@@ -203,6 +237,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+ result = lzo1x_decode (new_data, &out_size, data, &orig_size);
+
+ if (orig_size > 0) {
++ if (new_size > G_MAXINT - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) {
++ GST_WARNING ("too big decompressed data");
++ result = LZO_ERROR;
++ break;
++ }
+ new_size += 4096;
+ new_data = g_realloc (new_data, new_size);
+ }
+@@ -221,6 +260,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+ } else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_HEADERSTRIP) {
+ /* header stripped encoded data */
+ if (enc->comp_settings_length > 0) {
++ if (size > G_MAXSIZE - enc->comp_settings_length
++ || size + enc->comp_settings_length > MAX_DECOMPRESS_SIZE) {
++ GST_WARNING ("too big decompressed data");
++ ret = FALSE;
++ goto out;
++ }
++
+ new_data = g_malloc (size + enc->comp_settings_length);
+ new_size = size + enc->comp_settings_length;
+
+--
+GitLab
+
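Review bot: In the bzip2 branch the expression `new_size - ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32`, used both in the g_assert and in the assignment to `bzstream.avail_out`, parses as `(new_size - hi) + lo` rather than `new_size - (hi + lo)`, so avail_out becomes new_size plus the bytes already written instead of the room left after next_out; with the 120MB cap the hi32 word is always 0 here, the assert passes, and BZ2_bzDecompress is told it has more space in new_data than the allocation holds. Compute the total once and subtract it: `guint64 total_out = ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32;` then `g_assert (new_size - total_out <= G_MAXUINT);` and `bzstream.avail_out = new_size - total_out;` (the next_out assignment can use the same variable). The zlib branch a few lines earlier gets this right with `zstream.avail_out = new_size - zstream.total_out;`. The `CVE:` trailer also appears twice in the header, once comma-separated and once space-separated; one is enough. gst_matroska_decompress_data begins before the first hunk and ends after the last one.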
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch
new file mode 100644
index 0000000000..f4d38c270e
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch
@@ -0,0 +1,60 @@
+From 14d306da6da51a762c4dc701d161bb52ab66d774 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 May 2022 10:15:37 +0300
+Subject: [PATCH] qtdemux: Fix integer overflows in zlib decompression code
+
+Various variables were of smaller types than needed and there were no
+checks for any overflows when doing additions on the sizes. This is all
+checked now.
+
+In addition the size of the decompressed data is limited to 200MB now as
+any larger sizes are likely pathological and we can avoid out of memory
+situations in many cases like this.
+
+Also fix a bug where the available output size on the next iteration in
+the zlib decompression code was provided too large and could
+potentially lead to out of bound writes.
+
+Thanks to Adam Doupe for analyzing and reporting the issue.
+
+CVE: tbd
+
+https://gstreamer.freedesktop.org/security/sa-2022-0003.html
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610>
+
+https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/14d306da6da51a762c4dc701d161bb52ab66d774
+CVE: CVE-2022-2122
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ gst/isomp4/qtdemux.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
+index 7cc346b1e63..97ba0799a8d 100644
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -7905,10 +7905,16 @@ qtdemux_inflate (void *z_buffer, guint z_length, guint * length)
+ break;
+ }
+
++ if (*length > G_MAXUINT - 4096 || *length > QTDEMUX_MAX_SAMPLE_INDEX_SIZE) {
++ GST_WARNING ("too big decompressed data");
++ ret = Z_MEM_ERROR;
++ break;
++ }
++
+ *length += 4096;
+ buffer = (guint8 *) g_realloc (buffer, *length);
+ z.next_out = (Bytef *) (buffer + z.total_out);
+- z.avail_out += 4096;
++ z.avail_out += *length - z.total_out;
+ } while (z.avail_in > 0);
+
+ if (ret != Z_STREAM_END) {
+--
+GitLab
+
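Review bot: `z.avail_out += *length - z.total_out;` adds the room left after the realloc to whatever avail_out already held, whereas the equivalent line in the CVE-2022-1922-1923-1924-1925 patch for matroska-read-common.c assigns it (`zstream.avail_out = new_size - zstream.total_out;`). The two agree only when avail_out is 0 on entry to this branch; should inflate() return with both avail_in and avail_out non-zero, the sum exceeds the space remaining after next_out. Writing `z.avail_out = *length - z.total_out;` removes the dependency on that precondition and keeps the two backports consistent. Separately, the header still carries the upstream placeholder `CVE: tbd` above the real `CVE: CVE-2022-2122` line; dropping the placeholder avoids confusing tools that scan patch headers for CVE tags. qtdemux_inflate starts and ends outside the hunk.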
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb
index 1038cbf224..831a317a82 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb
@@ -10,6 +10,10 @@ SRC_URI = " \
file://0001-qt-include-ext-qt-gstqtgl.h-instead-of-gst-gl-gstglf.patch \
file://CVE-2021-3497.patch \
file://CVE-2021-3498.patch \
+ file://CVE-2022-1920.patch \
+ file://CVE-2022-1921.patch \
+ file://CVE-2022-1922-1923-1924-1925.patch \
+ file://CVE-2022-2122.patch \
"
SRC_URI[md5sum] = "c79b6c2f8eaadb2bb66615b694db399e"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb
index 966a904eef..14793b7fdf 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb
@@ -83,5 +83,12 @@ CVE_CHECK_WHITELIST += "CVE-2021-3522"
# so we need to ignore the false hits
CVE_CHECK_WHITELIST += "CVE-2021-3497"
CVE_CHECK_WHITELIST += "CVE-2021-3498"
+CVE_CHECK_WHITELIST += "CVE-2022-1920"
+CVE_CHECK_WHITELIST += "CVE-2022-1921"
+CVE_CHECK_WHITELIST += "CVE-2022-1922"
+CVE_CHECK_WHITELIST += "CVE-2022-1923"
+CVE_CHECK_WHITELIST += "CVE-2022-1924"
+CVE_CHECK_WHITELIST += "CVE-2022-1925"
+CVE_CHECK_WHITELIST += "CVE-2022-2122"
require gstreamer1.0-ptest.inc
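Review bot: The seven new CVE_CHECK_WHITELIST entries sit under the existing comment `# so we need to ignore the false hits`, which was written for the 2021 entries above them, so this file alone does not say why the 2022 ids are ignored in the core gstreamer recipe. This commit adds the corresponding patches to gstreamer1.0-plugins-good_1.16.3.bb, so a comment naming that is enough, e.g. `# CVE-2022-1920..1925 and CVE-2022-2122 are fixed by patches in gstreamer1.0-plugins-good; they match this recipe only by product name`. The "product name" part is inferred from the existing comment above and should be checked against the CVE entries before it is written down.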
--
2.36.1
* [PATCH][dunfell 2/2] qemu: fix and ignore several CVEs
@ 2022-09-14 6:04 ` Lee Chee Yang
From: Lee Chee Yang @ 2022-09-14 6:04 UTC (permalink / raw)
To: openembedded-core
From: Chee Yang Lee <chee.yang.lee@intel.com>
backport fixes:
CVE-2020-13754, backport patches as debian security tracker notes
https://security-tracker.debian.org/tracker/CVE-2020-13754
CVE-2021-3713
CVE-2021-3748
CVE-2021-3930
CVE-2021-4206
CVE-2021-4207
CVE-2022-0216, without the qtest part of the upstream patches, since the qtest code was not available in v4.2.
Ignore:
CVE-2020-27661, issue introduced in v5.1.0-rc0
https://security-tracker.debian.org/tracker/CVE-2020-27661
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
---
meta/recipes-devtools/qemu/qemu.inc | 14 ++
.../qemu/qemu/CVE-2020-13754-1.patch | 91 +++++++++++++
.../qemu/qemu/CVE-2020-13754-2.patch | 69 ++++++++++
.../qemu/qemu/CVE-2020-13754-3.patch | 65 +++++++++
.../qemu/qemu/CVE-2020-13754-4.patch | 39 ++++++
.../qemu/qemu/CVE-2021-3713.patch | 67 ++++++++++
.../qemu/qemu/CVE-2021-3748.patch | 124 ++++++++++++++++++
.../qemu/qemu/CVE-2021-3930.patch | 53 ++++++++
.../qemu/qemu/CVE-2021-4206.patch | 89 +++++++++++++
.../qemu/qemu/CVE-2021-4207.patch | 43 ++++++
.../qemu/qemu/CVE-2022-0216-1.patch | 42 ++++++
.../qemu/qemu/CVE-2022-0216-2.patch | 52 ++++++++
12 files changed, 748 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index a773068499..c1db723e90 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -100,6 +100,17 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2020-13791.patch \
file://CVE-2022-35414.patch \
file://CVE-2020-27821.patch \
+ file://CVE-2020-13754-1.patch \
+ file://CVE-2020-13754-2.patch \
+ file://CVE-2020-13754-3.patch \
+ file://CVE-2020-13754-4.patch \
+ file://CVE-2021-3713.patch \
+ file://CVE-2021-3748.patch \
+ file://CVE-2021-3930.patch \
+ file://CVE-2021-4206.patch \
+ file://CVE-2021-4207.patch \
+ file://CVE-2022-0216-1.patch \
+ file://CVE-2022-0216-2.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
@@ -117,6 +128,9 @@ CVE_CHECK_WHITELIST += "CVE-2007-0998"
# https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11
CVE_CHECK_WHITELIST += "CVE-2018-18438"
+# the issue introduced in v5.1.0-rc0
+CVE_CHECK_WHITELIST += "CVE-2020-27661"
+
COMPATIBLE_HOST_mipsarchn32 = "null"
COMPATIBLE_HOST_mipsarchn64 = "null"
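Review bot: The new whitelist comment `# the issue introduced in v5.1.0-rc0` gives the reason but not its source, while the cover letter points at the Debian tracker entry; putting the link in the recipe keeps the justification auditable without the mailing list, e.g. `# CVE-2020-27661: not affected, the issue was introduced in v5.1.0-rc0 (see https://security-tracker.debian.org/tracker/CVE-2020-27661)`. Naming the qemu version this recipe builds in the same comment would let a future uprev see at once when the entry must be dropped.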
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch
new file mode 100644
index 0000000000..fdfff9d81d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch
@@ -0,0 +1,91 @@
+From 5d971f9e672507210e77d020d89e0e89165c8fc9 Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Wed, 10 Jun 2020 09:47:49 -0400
+Subject: [PATCH] memory: Revert "memory: accept mismatching sizes in
+ memory_region_access_valid"
+
+Memory API documentation documents valid .min_access_size and .max_access_size
+fields and explains that any access outside these boundaries is blocked.
+
+This is what devices seem to assume.
+
+However this is not what the implementation does: it simply
+ignores the boundaries unless there's an "accepts" callback.
+
+Naturally, this breaks a bunch of devices.
+
+Revert to the documented behaviour.
+
+Devices that want to allow any access can just drop the valid field,
+or add the impl field to have accesses converted to appropriate
+length.
+
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Richard Henderson <rth@twiddle.net>
+Fixes: CVE-2020-13754
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363
+Fixes: a014ed07bd5a ("memory: accept mismatching sizes in memory_region_access_valid")
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Message-Id: <20200610134731.1514409-1-mst@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+https://git.qemu.org/?p=qemu.git;a=patch;h=5d971f9e672507210e77d020d89e0e89165c8fc9
+CVE: CVE-2020-13754
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ memory.c | 29 +++++++++--------------------
+ 1 file changed, 9 insertions(+), 20 deletions(-)
+
+diff --git a/memory.c b/memory.c
+index 2f15a4b..9200b20 100644
+--- a/memory.c
++++ b/memory.c
+@@ -1352,35 +1352,24 @@ bool memory_region_access_valid(MemoryRegion *mr,
+ bool is_write,
+ MemTxAttrs attrs)
+ {
+- int access_size_min, access_size_max;
+- int access_size, i;
+-
+- if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
++ if (mr->ops->valid.accepts
++ && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) {
+ return false;
+ }
+
+- if (!mr->ops->valid.accepts) {
+- return true;
+- }
+-
+- access_size_min = mr->ops->valid.min_access_size;
+- if (!mr->ops->valid.min_access_size) {
+- access_size_min = 1;
++ if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
++ return false;
+ }
+
+- access_size_max = mr->ops->valid.max_access_size;
++ /* Treat zero as compatibility all valid */
+ if (!mr->ops->valid.max_access_size) {
+- access_size_max = 4;
++ return true;
+ }
+
+- access_size = MAX(MIN(size, access_size_max), access_size_min);
+- for (i = 0; i < size; i += access_size) {
+- if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size,
+- is_write, attrs)) {
+- return false;
+- }
++ if (size > mr->ops->valid.max_access_size
++ || size < mr->ops->valid.min_access_size) {
++ return false;
+ }
+-
+ return true;
+ }
+
+--
+1.8.3.1
+
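Review bot: The rebuilt memory_region_access_valid returns true as soon as `valid.max_access_size` is 0, before `size` is compared with `valid.min_access_size`, so a region that sets only a minimum is never checked against it; that may be the intended "zero means anything goes" compatibility rule, but the comment `/* Treat zero as compatibility all valid */` does not say that the minimum is skipped in that case. Either spell it out, `/* max_access_size == 0 means any size is accepted, the minimum included */`, or check the minimum before the early return. The comment could also note that `valid.accepts` is now consulted before the alignment and size checks, so callbacks can be handed sizes outside the advertised range. As this is a backport of an upstream commit, a behavioural change belongs upstream first.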
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch
new file mode 100644
index 0000000000..7354edc54d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch
@@ -0,0 +1,69 @@
+From dba04c3488c4699f5afe96f66e448b1d447cf3fb Mon Sep 17 00:00:00 2001
+From: Michael Tokarev <mjt@tls.msk.ru>
+Date: Mon, 20 Jul 2020 19:06:27 +0300
+Subject: [PATCH] acpi: accept byte and word access to core ACPI registers
+
+All ISA registers should be accessible as bytes, words or dwords
+(if wide enough). Fix the access constraints for acpi-pm-evt,
+acpi-pm-tmr & acpi-cnt registers.
+
+Fixes: 5d971f9e67 (memory: Revert "memory: accept mismatching sizes in memory_region_access_valid")
+Fixes: afafe4bbe0 (apci: switch cnt to memory api)
+Fixes: 77d58b1e47 (apci: switch timer to memory api)
+Fixes: b5a7c024d2 (apci: switch evt to memory api)
+Buglink: https://lore.kernel.org/xen-devel/20200630170913.123646-1-anthony.perard@citrix.com/T/
+Buglink: https://bugs.debian.org/964793
+BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247
+BugLink: https://bugs.launchpad.net/bugs/1886318
+Reported-By: Simon John <git@the-jedi.co.uk>
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+Message-Id: <20200720160627.15491-1-mjt@msgid.tls.msk.ru>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+https://git.qemu.org/?p=qemu.git;a=patch;h=dba04c3488c4699f5afe96f66e448b1d447cf3fb
+CVE: CVE-2020-13754
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/acpi/core.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/hw/acpi/core.c b/hw/acpi/core.c
+index f6d9ec4..ac06db3 100644
+--- a/hw/acpi/core.c
++++ b/hw/acpi/core.c
+@@ -458,7 +458,8 @@ static void acpi_pm_evt_write(void *opaque, hwaddr addr, uint64_t val,
+ static const MemoryRegionOps acpi_pm_evt_ops = {
+ .read = acpi_pm_evt_read,
+ .write = acpi_pm_evt_write,
+- .valid.min_access_size = 2,
++ .impl.min_access_size = 2,
++ .valid.min_access_size = 1,
+ .valid.max_access_size = 2,
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+@@ -527,7 +528,8 @@ static void acpi_pm_tmr_write(void *opaque, hwaddr addr, uint64_t val,
+ static const MemoryRegionOps acpi_pm_tmr_ops = {
+ .read = acpi_pm_tmr_read,
+ .write = acpi_pm_tmr_write,
+- .valid.min_access_size = 4,
++ .impl.min_access_size = 4,
++ .valid.min_access_size = 1,
+ .valid.max_access_size = 4,
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+@@ -599,7 +601,8 @@ static void acpi_pm_cnt_write(void *opaque, hwaddr addr, uint64_t val,
+ static const MemoryRegionOps acpi_pm_cnt_ops = {
+ .read = acpi_pm_cnt_read,
+ .write = acpi_pm_cnt_write,
+- .valid.min_access_size = 2,
++ .impl.min_access_size = 2,
++ .valid.min_access_size = 1,
+ .valid.max_access_size = 2,
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+--
+1.8.3.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch
new file mode 100644
index 0000000000..2a8781050f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch
@@ -0,0 +1,65 @@
+From 8e67fda2dd6202ccec093fda561107ba14830a17 Mon Sep 17 00:00:00 2001
+From: Laurent Vivier <lvivier@redhat.com>
+Date: Tue, 21 Jul 2020 10:33:22 +0200
+Subject: [PATCH] xhci: fix valid.max_access_size to access address registers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+QEMU XHCI advertises AC64 (64-bit addressing) but doesn't allow
+64-bit mode access in "runtime" and "operational" MemoryRegionOps.
+
+Set the max_access_size based on sizeof(dma_addr_t) as AC64 is set.
+
+XHCI specs:
+"If the xHC supports 64-bit addressing (AC64 = â1â), then software
+should write 64-bit registers using only Qword accesses. If a
+system is incapable of issuing Qword accesses, then writes to the
+64-bit address fields shall be performed using 2 Dword accesses;
+low Dword-first, high-Dword second. If the xHC supports 32-bit
+addressing (AC64 = â0â), then the high Dword of registers containing
+64-bit address fields are unused and software should write addresses
+using only Dword accesses"
+
+The problem has been detected with SLOF, as linux kernel always accesses
+registers using 32-bit access even if AC64 is set and revealed by
+5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"")
+
+Suggested-by: Alexey Kardashevskiy <aik@au1.ibm.com>
+Signed-off-by: Laurent Vivier <lvivier@redhat.com>
+Message-id: 20200721083322.90651-1-lvivier@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+https://git.qemu.org/?p=qemu.git;a=patch;h=8e67fda2dd6202ccec093fda561107ba14830a17
+CVE: CVE-2020-13754
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/usb/hcd-xhci.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index b330e36..67a18fe 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -3184,7 +3184,7 @@ static const MemoryRegionOps xhci_oper_ops = {
+ .read = xhci_oper_read,
+ .write = xhci_oper_write,
+ .valid.min_access_size = 4,
+- .valid.max_access_size = 4,
++ .valid.max_access_size = sizeof(dma_addr_t),
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+
+@@ -3200,7 +3200,7 @@ static const MemoryRegionOps xhci_runtime_ops = {
+ .read = xhci_runtime_read,
+ .write = xhci_runtime_write,
+ .valid.min_access_size = 4,
+- .valid.max_access_size = 4,
++ .valid.max_access_size = sizeof(dma_addr_t),
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+
+--
+1.8.3.1
+
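Review bot: The header declares `Content-Type: text/plain; charset=utf8`, yet the quoted spec text shows mis-encoded quotation marks around the AC64 values (`â1â`, `â0â`), which suggests the patch was exported or re-encoded with the wrong charset; re-exporting it with `git format-patch` from a UTF-8 checkout would give `git am` a clean header and keep the upstream text intact. The code change itself is two one-line constant changes and needs nothing further.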
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch
new file mode 100644
index 0000000000..6bad07d03f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch
@@ -0,0 +1,39 @@
+From 70b78d4e71494c90d2ccb40381336bc9b9a22f79 Mon Sep 17 00:00:00 2001
+From: Alistair Francis <alistair.francis@wdc.com>
+Date: Tue, 30 Jun 2020 13:12:11 -0700
+Subject: [PATCH] hw/riscv: Allow 64 bit access to SiFive CLINT
+
+Commit 5d971f9e672507210e77d020d89e0e89165c8fc9
+"memory: Revert "memory: accept mismatching sizes in
+memory_region_access_valid"" broke most RISC-V boards as they do 64 bit
+accesses to the CLINT and QEMU would trigger a fault. Fix this failure
+by allowing 8 byte accesses.
+
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: LIU Zhiwei<zhiwei_liu@c-sky.com>
+Message-Id: <122b78825b077e4dfd39b444d3a46fe894a7804c.1593547870.git.alistair.francis@wdc.com>
+
+https://git.qemu.org/?p=qemu.git;a=patch;h=70b78d4e71494c90d2ccb40381336bc9b9a22f79
+CVE: CVE-2020-13754
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/riscv/sifive_clint.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/riscv/sifive_clint.c b/hw/riscv/sifive_clint.c
+index b11ffa0..669c21a 100644
+--- a/hw/riscv/sifive_clint.c
++++ b/hw/riscv/sifive_clint.c
+@@ -181,7 +181,7 @@ static const MemoryRegionOps sifive_clint_ops = {
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ .valid = {
+ .min_access_size = 4,
+- .max_access_size = 4
++ .max_access_size = 8
+ }
+ };
+
+--
+1.8.3.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
new file mode 100644
index 0000000000..cdd9c38db9
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
@@ -0,0 +1,67 @@
+From a114d6baedf2cccb454a46d36e399fec1bc3e1c0 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 18 Aug 2021 14:05:05 +0200
+Subject: [PATCH] uas: add stream number sanity checks.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The device uses the guest-supplied stream number unchecked, which can
+lead to guest-triggered out-of-band access to the UASDevice->data3 and
+UASDevice->status3 fields. Add the missing checks.
+
+Fixes: CVE-2021-3713
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reported-by: Chen Zhe <chenzhe@huawei.com>
+Reported-by: Tan Jingguo <tanjingguo@huawei.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210818120505.1258262-2-kraxel@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/13b250b12ad3c59114a6a17d59caf073ce45b33a
+CVE: CVE-2021-3713
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/usb/dev-uas.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c
+index 6d6d1073..0b8cd4dd 100644
+--- a/hw/usb/dev-uas.c
++++ b/hw/usb/dev-uas.c
+@@ -830,6 +830,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+ }
+ break;
+ case UAS_PIPE_ID_STATUS:
++ if (p->stream > UAS_MAX_STREAMS) {
++ goto err_stream;
++ }
+ if (p->stream) {
+ QTAILQ_FOREACH(st, &uas->results, next) {
+ if (st->stream == p->stream) {
+@@ -857,6 +860,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+ break;
+ case UAS_PIPE_ID_DATA_IN:
+ case UAS_PIPE_ID_DATA_OUT:
++ if (p->stream > UAS_MAX_STREAMS) {
++ goto err_stream;
++ }
+ if (p->stream) {
+ req = usb_uas_find_request(uas, p->stream);
+ } else {
+@@ -892,6 +898,11 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+ p->status = USB_RET_STALL;
+ break;
+ }
++
++err_stream:
++ error_report("%s: invalid stream %d", __func__, p->stream);
++ p->status = USB_RET_STALL;
++ return;
+ }
+
+ static void usb_uas_unrealize(USBDevice *dev, Error **errp)
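Review bot: The new `err_stream:` label is placed directly after the `}` that closes the switch (the next `}` ends the function, and the old context shows the two braces were adjacent), so every case that leaves the switch with `break` — including the ordinary STATUS and DATA paths — falls into the label, reports an invalid stream and stalls the packet. A `return;` between the switch's closing brace and `err_stream:` keeps the label reachable only through the two `goto`s. Whether `stream == UAS_MAX_STREAMS` is in bounds depends on how `data3`/`status3` are declared, which is not shown; if they hold `UAS_MAX_STREAMS` entries rather than `UAS_MAX_STREAMS + 1`, the two `>` guards need to be `>=`. The `From` line names commit a114d6ba… while the upstream link cites 13b250b1…; the backport header should reference the commit the code was actually taken from.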
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
new file mode 100644
index 0000000000..b291ade4e3
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
@@ -0,0 +1,124 @@
+From bedd7e93d01961fcb16a97ae45d93acf357e11f6 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Thu, 2 Sep 2021 13:44:12 +0800
+Subject: [PATCH] virtio-net: fix use after unmap/free for sg
+
+When mergeable buffer is enabled, we try to set the num_buffers after
+the virtqueue elem has been unmapped. This will lead several issues,
+E.g a use after free when the descriptor has an address which belongs
+to the non direct access region. In this case we use bounce buffer
+that is allocated during address_space_map() and freed during
+address_space_unmap().
+
+Fixing this by storing the elems temporarily in an array and delay the
+unmap after we set the the num_buffers.
+
+This addresses CVE-2021-3748.
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Fixes: fbe78f4f55c6 ("virtio-net support")
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+https://github.com/qemu/qemu/commit/bedd7e93d01961fcb16a97ae45d93acf357e11f6
+CVE: CVE-2021-3748
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++-------
+ 1 file changed, 32 insertions(+), 7 deletions(-)
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index 16d20cdee52a..f205331dcf8c 100644
+--- a/hw/net/virtio-net.c
++++ b/hw/net/virtio-net.c
+@@ -1746,10 +1746,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ VirtIONet *n = qemu_get_nic_opaque(nc);
+ VirtIONetQueue *q = virtio_net_get_subqueue(nc);
+ VirtIODevice *vdev = VIRTIO_DEVICE(n);
++ VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE];
++ size_t lens[VIRTQUEUE_MAX_SIZE];
+ struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE];
+ struct virtio_net_hdr_mrg_rxbuf mhdr;
+ unsigned mhdr_cnt = 0;
+- size_t offset, i, guest_offset;
++ size_t offset, i, guest_offset, j;
++ ssize_t err;
+
+ if (!virtio_net_can_receive(nc)) {
+ return -1;
+@@ -1780,6 +1783,12 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+
+ total = 0;
+
++ if (i == VIRTQUEUE_MAX_SIZE) {
++ virtio_error(vdev, "virtio-net unexpected long buffer chain");
++ err = size;
++ goto err;
++ }
++
+ elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement));
+ if (!elem) {
+ if (i) {
+@@ -1791,7 +1800,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ n->guest_hdr_len, n->host_hdr_len,
+ vdev->guest_features);
+ }
+- return -1;
++ err = -1;
++ goto err;
+ }
+
+ if (elem->in_num < 1) {
+@@ -1799,7 +1809,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ "virtio-net receive queue contains no in buffers");
+ virtqueue_detach_element(q->rx_vq, elem, 0);
+ g_free(elem);
+- return -1;
++ err = -1;
++ goto err;
+ }
+
+ sg = elem->in_sg;
+@@ -1836,12 +1847,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ if (!n->mergeable_rx_bufs && offset < size) {
+ virtqueue_unpop(q->rx_vq, elem, total);
+ g_free(elem);
+- return size;
++ err = size;
++ goto err;
+ }
+
+- /* signal other side */
+- virtqueue_fill(q->rx_vq, elem, total, i++);
+- g_free(elem);
++ elems[i] = elem;
++ lens[i] = total;
++ i++;
+ }
+
+ if (mhdr_cnt) {
+@@ -1851,10 +1863,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ &mhdr.num_buffers, sizeof mhdr.num_buffers);
+ }
+
++ for (j = 0; j < i; j++) {
++ /* signal other side */
++ virtqueue_fill(q->rx_vq, elems[j], lens[j], j);
++ g_free(elems[j]);
++ }
++
+ virtqueue_flush(q->rx_vq, i);
+ virtio_notify(vdev, q->rx_vq);
+
+ return size;
++
++err:
++ for (j = 0; j < i; j++) {
++ g_free(elems[j]);
++ }
++
++ return err;
+ }
+
+ static ssize_t virtio_net_do_receive(NetClientState *nc, const uint8_t *buf,
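Review bot: The new `err:` path frees `elems[0..i-1]` but never hands them back to the ring, while the single-element error paths in the same function still call `virtqueue_detach_element` (the `in_num < 1` case) and `virtqueue_unpop` (the non-mergeable short-buffer case) before freeing the current element. The elements collected in `elems[]` were popped the same way, so if `virtqueue_pop` accounts for them as in use, each early exit now leaves `i` descriptors neither completed nor detached; adding `virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);` before `g_free(elems[j]);` in the `err:` loop would mirror the existing handling — confirm against the detach semantics in the 4.2 tree. The `i == VIRTQUEUE_MAX_SIZE` guard calls `virtio_error` and then returns `size`, i.e. the packet is reported as consumed; a one-line comment saying that the device is deliberately marked broken there would save the next reader a lookup. `virtio_net_receive_rcu` begins and its loop body continues outside these hunks.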
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch
new file mode 100644
index 0000000000..b1b5558647
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch
@@ -0,0 +1,53 @@
+From b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 4 Nov 2021 17:31:38 +0100
+Subject: [PATCH] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT
+ commands
+
+This avoids an off-by-one read of 'mode_sense_valid' buffer in
+hw/scsi/scsi-disk.c:mode_sense_page().
+
+Fixes: CVE-2021-3930
+Cc: qemu-stable@nongnu.org
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table")
+Fixes: #546
+Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8
+CVE: CVE-2021-3930
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/scsi/scsi-disk.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
+index e8a547dbb7..d4914178ea 100644
+--- a/hw/scsi/scsi-disk.c
++++ b/hw/scsi/scsi-disk.c
+@@ -1087,6 +1087,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf,
+ uint8_t *p = *p_outbuf + 2;
+ int length;
+
++ assert(page < ARRAY_SIZE(mode_sense_valid));
+ if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
+ return -1;
+ }
+@@ -1428,6 +1429,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page,
+ return -1;
+ }
+
++ /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */
++ if (page == MODE_PAGE_ALLS) {
++ return -1;
++ }
++
+ p = mode_current;
+ memset(mode_current, 0, inlen + 2);
+ len = mode_sense_page(s, page, &p, 0);
+--
+GitLab
+
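Review bot: `assert(page < ARRAY_SIZE(mode_sense_valid))` turns any remaining out-of-range `page` into an abort of the whole emulator, and since `page` is an `int` compared against a `size_t`, a negative value is converted to a large unsigned number and trips the assert as well. That is only acceptable if every caller has already bounded `page`: the MODE SELECT path now rejects `MODE_PAGE_ALLS`, but the MODE SENSE callers are outside the hunk, so the invariant should be stated at the assert, e.g. `/* callers validate page; reaching here with page >= ARRAY_SIZE(mode_sense_valid) is a programming error, not guest input */`. If any caller can still pass a guest-chosen page beyond the table, returning -1 instead of asserting avoids a guest-triggered abort.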
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
new file mode 100644
index 0000000000..80ad49e4ed
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
@@ -0,0 +1,89 @@
+From fa892e9abb728e76afcf27323ab29c57fb0fe7aa Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 7 Apr 2022 10:17:12 +0200
+Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc
+ (CVE-2021-4206)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Prevent potential integer overflow by limiting 'width' and 'height' to
+512x512. Also change 'datasize' type to size_t. Refer to security
+advisory https://starlabs.sg/advisories/22-4206/ for more information.
+
+Fixes: CVE-2021-4206
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20220407081712.345609-1-mcascell@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/fa892e9a
+CVE: CVE-2021-4206
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/display/qxl-render.c | 7 +++++++
+ hw/display/vmware_vga.c | 2 ++
+ ui/cursor.c | 8 +++++++-
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+index 237ed293ba..ca217004bf 100644
+--- a/hw/display/qxl-render.c
++++ b/hw/display/qxl-render.c
+@@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
+ size_t size;
+
+ c = cursor_alloc(cursor->header.width, cursor->header.height);
++
++ if (!c) {
++ qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__,
++ cursor->header.width, cursor->header.height);
++ goto fail;
++ }
++
+ c->hot_x = cursor->header.hot_spot_x;
+ c->hot_y = cursor->header.hot_spot_y;
+ switch (cursor->header.type) {
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index 98c83474ad..45d06cbe25 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -515,6 +515,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
+ int i, pixels;
+
+ qc = cursor_alloc(c->width, c->height);
++ assert(qc != NULL);
++
+ qc->hot_x = c->hot_x;
+ qc->hot_y = c->hot_y;
+ switch (c->bpp) {
+diff --git a/ui/cursor.c b/ui/cursor.c
+index 1d62ddd4d0..835f0802f9 100644
+--- a/ui/cursor.c
++++ b/ui/cursor.c
+@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[])
+
+ /* parse pixel data */
+ c = cursor_alloc(width, height);
++ assert(c != NULL);
++
+ for (pixel = 0, y = 0; y < height; y++, line++) {
+ for (x = 0; x < height; x++, pixel++) {
+ idx = xpm[line][x];
+@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void)
+ QEMUCursor *cursor_alloc(int width, int height)
+ {
+ QEMUCursor *c;
+- int datasize = width * height * sizeof(uint32_t);
++ size_t datasize = width * height * sizeof(uint32_t);
++
++ if (width > 512 || height > 512) {
++ return NULL;
++ }
+
+ c = g_malloc0(sizeof(QEMUCursor) + datasize);
+ c->width = width;
+--
+GitLab
+
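Review bot: In `cursor_alloc` the new `datasize` is still computed before the bounds check, and the check rejects only values above 512, so negative `width`/`height` (both `int`) pass it and `width * height` can overflow before `return NULL` is reached. Putting the check first and rejecting negatives removes both problems: `if (width < 0 || height < 0 || width > 512 || height > 512) { return NULL; }` followed by `size_t datasize = (size_t)width * height * sizeof(uint32_t);`. The `vmware_vga.c` and `cursor_parse_xpm` callers handle the new NULL return with `assert`, which for `vmsvga_cursor_define` means dimensions that fail the limit terminate the process instead of being rejected the way the QXL hunk does; that is fine only if `c->width`/`c->height` are validated before this call, which is not visible here. The `fail` label that the QXL hunk jumps to is outside the hunk.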
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch
new file mode 100644
index 0000000000..8418246247
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch
@@ -0,0 +1,43 @@
+From 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 7 Apr 2022 10:11:06 +0200
+Subject: [PATCH] display/qxl-render: fix race condition in qxl_cursor
+ (CVE-2021-4207)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Avoid fetching 'width' and 'height' a second time to prevent possible
+race condition. Refer to security advisory
+https://starlabs.sg/advisories/22-4207/ for more information.
+
+Fixes: CVE-2021-4207
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20220407081106.343235-1-mcascell@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/9569f5cb
+CVE: CVE-2021-4207
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/display/qxl-render.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+index d28849b121..237ed293ba 100644
+--- a/hw/display/qxl-render.c
++++ b/hw/display/qxl-render.c
+@@ -266,7 +266,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
+ }
+ break;
+ case SPICE_CURSOR_TYPE_ALPHA:
+- size = sizeof(uint32_t) * cursor->header.width * cursor->header.height;
++ size = sizeof(uint32_t) * c->width * c->height;
+ qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id);
+ if (qxl->debug > 2) {
+ cursor_print_ascii_art(c, "qxl/alpha");
+--
+GitLab
+
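Review bot: This patch's `qxl-render.c` preimage (`index d28849b121..237ed293ba`) is the blob that `CVE-2021-4206.patch` starts from (`index 237ed293ba..ca217004bf`), so upstream applied 4207 before 4206, whereas the recipe's SRC_URI lists 4206 before 4207. The two hunks touch different lines and should still apply with an offset, but swapping the two entries (or noting the dependency in the recipe) keeps the series reproducible. Using `c->width`/`c->height` here is only safe because 4206 makes `c` NULL-checked before this point; a comment such as `/* c was sized by cursor_alloc(); do not re-read cursor->header, the guest can change it */` would record why the guest header is no longer consulted.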
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch
new file mode 100644
index 0000000000..6a7ce0e26c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch
@@ -0,0 +1,42 @@
+From 6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Tue, 5 Jul 2022 22:05:43 +0200
+Subject: [PATCH] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout
+ (CVE-2022-0216)
+
+Set current_req->req to NULL to prevent reusing a free'd buffer in case of
+repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch.
+
+Fixes: CVE-2022-0216
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Message-Id: <20220705200543.2366809-1-mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8
+CVE: CVE-2022-0216
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/scsi/lsi53c895a.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index c8773f73f7..99ea42d49b 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s)
+ case 0x0d:
+ /* The ABORT TAG message clears the current I/O process only. */
+ trace_lsi_do_msgout_abort(current_tag);
+- if (current_req) {
++ if (current_req && current_req->req) {
+ scsi_req_cancel(current_req->req);
++ current_req->req = NULL;
+ }
+ lsi_disconnect(s);
+ break;
+--
+GitLab
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch
new file mode 100644
index 0000000000..137906cd30
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch
@@ -0,0 +1,52 @@
+From 4367a20cc442c56b05611b4224de9a61908f9eac Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Mon, 11 Jul 2022 14:33:16 +0200
+Subject: [PATCH] scsi/lsi53c895a: really fix use-after-free in lsi_do_msgout
+ (CVE-2022-0216)
+
+Set current_req to NULL, not current_req->req, to prevent reusing a free'd
+buffer in case of repeated SCSI cancel requests. Also apply the fix to
+CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel
+the request.
+
+Thanks to Alexander Bulekov for providing a reproducer.
+
+Fixes: CVE-2022-0216
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Message-Id: <20220711123316.421279-1-mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/4367a20cc4
+CVE: CVE-2022-0216
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/scsi/lsi53c895a.c | 3 +-
+ 1 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 99ea42d49b..ad5f5e5f39 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -1030,7 +1030,7 @@ static void lsi_do_msgout(LSIState *s)
+ trace_lsi_do_msgout_abort(current_tag);
+ if (current_req && current_req->req) {
+ scsi_req_cancel(current_req->req);
+- current_req->req = NULL;
++ current_req = NULL;
+ }
+ lsi_disconnect(s);
+ break;
+@@ -1056,6 +1056,7 @@ static void lsi_do_msgout(LSIState *s)
+ /* clear the current I/O process */
+ if (s->current) {
+ scsi_req_cancel(s->current->req);
++ current_req = NULL;
+ }
+
+ /* As the current implemented devices scsi_disk and scsi_generic
+--
+GitLab
+
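Review bot: In the second hunk the request is cancelled through `s->current->req` but only the local `current_req` is set to NULL, so the fix appears to rely on the cancel callback (outside this hunk) clearing `s->current`; if it does not, the same stale pointer stays reachable through `s->current` after `scsi_req_cancel` returns. A comment at both cancel sites would make the assumption explicit: `/* scsi_req_cancel() may free the request and its lsi_request; do not touch it afterwards */`. The `lsi_do_msgout` body continues outside the hunks.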
--
2.36.1
* Re: [OE-core] [PATCH][dunfell 2/2] qemu: fix and ignore several CVEs
2022-09-14 6:04 ` [PATCH][dunfell 2/2] qemu: fix and ignore several CVEs Lee Chee Yang
@ 2022-09-15 14:13 ` Steve Sakoman
2022-09-19 0:44 ` Mittal, Anuj
From: Steve Sakoman @ 2022-09-15 14:13 UTC (permalink / raw)
To: Lee Chee Yang; +Cc: openembedded-core
On Tue, Sep 13, 2022 at 8:04 PM Lee Chee Yang <chee.yang.lee@intel.com> wrote:
>
> From: Chee Yang Lee <chee.yang.lee@intel.com>
>
> backport fixes:
> CVE-2020-13754, backport patches as debian security tracker notes
> https://security-tracker.debian.org/tracker/CVE-2020-13754
>
> CVE-2021-3713
> CVE-2021-3748
> CVE-2021-3930
> CVE-2021-4206
> CVE-2021-4207
> CVE-2022-0216, the qtest parts of the patches are not included, since the qtest code was not available in v4.2.
>
> Ignore:
> CVE-2020-27661, issue introduced in v5.1.0-rc0
> https://security-tracker.debian.org/tracker/CVE-2020-27661
While this patch applies and builds without error, it results in quite
a few runtime errors during
oe-selftest:
https://errors.yoctoproject.org/Errors/Details/671970/
Not sure which of the CVE fixes causes this :-(
Steve
> Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> ---
> meta/recipes-devtools/qemu/qemu.inc | 14 ++
> .../qemu/qemu/CVE-2020-13754-1.patch | 91 +++++++++++++
> .../qemu/qemu/CVE-2020-13754-2.patch | 69 ++++++++++
> .../qemu/qemu/CVE-2020-13754-3.patch | 65 +++++++++
> .../qemu/qemu/CVE-2020-13754-4.patch | 39 ++++++
> .../qemu/qemu/CVE-2021-3713.patch | 67 ++++++++++
> .../qemu/qemu/CVE-2021-3748.patch | 124 ++++++++++++++++++
> .../qemu/qemu/CVE-2021-3930.patch | 53 ++++++++
> .../qemu/qemu/CVE-2021-4206.patch | 89 +++++++++++++
> .../qemu/qemu/CVE-2021-4207.patch | 43 ++++++
> .../qemu/qemu/CVE-2022-0216-1.patch | 42 ++++++
> .../qemu/qemu/CVE-2022-0216-2.patch | 52 ++++++++
> 12 files changed, 748 insertions(+)
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch
>
> diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
> index a773068499..c1db723e90 100644
> --- a/meta/recipes-devtools/qemu/qemu.inc
> +++ b/meta/recipes-devtools/qemu/qemu.inc
> @@ -100,6 +100,17 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
> file://CVE-2020-13791.patch \
> file://CVE-2022-35414.patch \
> file://CVE-2020-27821.patch \
> + file://CVE-2020-13754-1.patch \
> + file://CVE-2020-13754-2.patch \
> + file://CVE-2020-13754-3.patch \
> + file://CVE-2020-13754-4.patch \
> + file://CVE-2021-3713.patch \
> + file://CVE-2021-3748.patch \
> + file://CVE-2021-3930.patch \
> + file://CVE-2021-4206.patch \
> + file://CVE-2021-4207.patch \
> + file://CVE-2022-0216-1.patch \
> + file://CVE-2022-0216-2.patch \
> "
> UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
>
> @@ -117,6 +128,9 @@ CVE_CHECK_WHITELIST += "CVE-2007-0998"
> # https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11
> CVE_CHECK_WHITELIST += "CVE-2018-18438"
>
> +# the issue introduced in v5.1.0-rc0
> +CVE_CHECK_WHITELIST += "CVE-2020-27661"
> +
> COMPATIBLE_HOST_mipsarchn32 = "null"
> COMPATIBLE_HOST_mipsarchn64 = "null"
>
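Review bot: The whitelist comment `# the issue introduced in v5.1.0-rc0` records the conclusion but not its source; the cover letter cites the Debian security tracker for CVE-2020-27661, but that text does not end up in the repository. Carrying the reference into the recipe, e.g. `# CVE-2020-27661: affected code was introduced in v5.1.0-rc0, not present in 4.2 (see the Debian security tracker entry)`, lets the next CVE review verify the whitelist entry without re-deriving it.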
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch
> new file mode 100644
> index 0000000000..fdfff9d81d
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch
> @@ -0,0 +1,91 @@
> +From 5d971f9e672507210e77d020d89e0e89165c8fc9 Mon Sep 17 00:00:00 2001
> +From: "Michael S. Tsirkin" <mst@redhat.com>
> +Date: Wed, 10 Jun 2020 09:47:49 -0400
> +Subject: [PATCH] memory: Revert "memory: accept mismatching sizes in
> + memory_region_access_valid"
> +
> +Memory API documentation documents valid .min_access_size and .max_access_size
> +fields and explains that any access outside these boundaries is blocked.
> +
> +This is what devices seem to assume.
> +
> +However this is not what the implementation does: it simply
> +ignores the boundaries unless there's an "accepts" callback.
> +
> +Naturally, this breaks a bunch of devices.
> +
> +Revert to the documented behaviour.
> +
> +Devices that want to allow any access can just drop the valid field,
> +or add the impl field to have accesses converted to appropriate
> +length.
> +
> +Cc: qemu-stable@nongnu.org
> +Reviewed-by: Richard Henderson <rth@twiddle.net>
> +Fixes: CVE-2020-13754
> +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363
> +Fixes: a014ed07bd5a ("memory: accept mismatching sizes in memory_region_access_valid")
> +Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> +Message-Id: <20200610134731.1514409-1-mst@redhat.com>
> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> +
> +https://git.qemu.org/?p=qemu.git;a=patch;h=5d971f9e672507210e77d020d89e0e89165c8fc9
> +CVE: CVE-2020-13754
> +Upstream-Status: Backport
> +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> +---
> + memory.c | 29 +++++++++--------------------
> + 1 file changed, 9 insertions(+), 20 deletions(-)
> +
> +diff --git a/memory.c b/memory.c
> +index 2f15a4b..9200b20 100644
> +--- a/memory.c
> ++++ b/memory.c
> +@@ -1352,35 +1352,24 @@ bool memory_region_access_valid(MemoryRegion *mr,
> + bool is_write,
> + MemTxAttrs attrs)
> + {
> +- int access_size_min, access_size_max;
> +- int access_size, i;
> +-
> +- if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
> ++ if (mr->ops->valid.accepts
> ++ && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) {
> + return false;
> + }
> +
> +- if (!mr->ops->valid.accepts) {
> +- return true;
> +- }
> +-
> +- access_size_min = mr->ops->valid.min_access_size;
> +- if (!mr->ops->valid.min_access_size) {
> +- access_size_min = 1;
> ++ if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
> ++ return false;
> + }
> +
> +- access_size_max = mr->ops->valid.max_access_size;
> ++ /* Treat zero as compatibility all valid */
> + if (!mr->ops->valid.max_access_size) {
> +- access_size_max = 4;
> ++ return true;
> + }
> +
> +- access_size = MAX(MIN(size, access_size_max), access_size_min);
> +- for (i = 0; i < size; i += access_size) {
> +- if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size,
> +- is_write, attrs)) {
> +- return false;
> +- }
> ++ if (size > mr->ops->valid.max_access_size
> ++ || size < mr->ops->valid.min_access_size) {
> ++ return false;
> + }
> +-
> + return true;
> + }
> +
> +--
> +1.8.3.1
> +
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch
> new file mode 100644
> index 0000000000..7354edc54d
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch
> @@ -0,0 +1,69 @@
> +From dba04c3488c4699f5afe96f66e448b1d447cf3fb Mon Sep 17 00:00:00 2001
> +From: Michael Tokarev <mjt@tls.msk.ru>
> +Date: Mon, 20 Jul 2020 19:06:27 +0300
> +Subject: [PATCH] acpi: accept byte and word access to core ACPI registers
> +
> +All ISA registers should be accessible as bytes, words or dwords
> +(if wide enough). Fix the access constraints for acpi-pm-evt,
> +acpi-pm-tmr & acpi-cnt registers.
> +
> +Fixes: 5d971f9e67 (memory: Revert "memory: accept mismatching sizes in memory_region_access_valid")
> +Fixes: afafe4bbe0 (apci: switch cnt to memory api)
> +Fixes: 77d58b1e47 (apci: switch timer to memory api)
> +Fixes: b5a7c024d2 (apci: switch evt to memory api)
> +Buglink: https://lore.kernel.org/xen-devel/20200630170913.123646-1-anthony.perard@citrix.com/T/
> +Buglink: https://bugs.debian.org/964793
> +BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247
> +BugLink: https://bugs.launchpad.net/bugs/1886318
> +Reported-By: Simon John <git@the-jedi.co.uk>
> +Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
> +Message-Id: <20200720160627.15491-1-mjt@msgid.tls.msk.ru>
> +Cc: qemu-stable@nongnu.org
> +Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
> +Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> +
> +https://git.qemu.org/?p=qemu.git;a=patch;h=dba04c3488c4699f5afe96f66e448b1d447cf3fb
> +CVE: CVE-2020-13754
> +Upstream-Status: Backport
> +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> +---
> + hw/acpi/core.c | 9 ++++++---
> + 1 file changed, 6 insertions(+), 3 deletions(-)
> +
> +diff --git a/hw/acpi/core.c b/hw/acpi/core.c
> +index f6d9ec4..ac06db3 100644
> +--- a/hw/acpi/core.c
> ++++ b/hw/acpi/core.c
> +@@ -458,7 +458,8 @@ static void acpi_pm_evt_write(void *opaque, hwaddr addr, uint64_t val,
> + static const MemoryRegionOps acpi_pm_evt_ops = {
> + .read = acpi_pm_evt_read,
> + .write = acpi_pm_evt_write,
> +- .valid.min_access_size = 2,
> ++ .impl.min_access_size = 2,
> ++ .valid.min_access_size = 1,
> + .valid.max_access_size = 2,
> + .endianness = DEVICE_LITTLE_ENDIAN,
> + };
> +@@ -527,7 +528,8 @@ static void acpi_pm_tmr_write(void *opaque, hwaddr addr, uint64_t val,
> + static const MemoryRegionOps acpi_pm_tmr_ops = {
> + .read = acpi_pm_tmr_read,
> + .write = acpi_pm_tmr_write,
> +- .valid.min_access_size = 4,
> ++ .impl.min_access_size = 4,
> ++ .valid.min_access_size = 1,
> + .valid.max_access_size = 4,
> + .endianness = DEVICE_LITTLE_ENDIAN,
> + };
> +@@ -599,7 +601,8 @@ static void acpi_pm_cnt_write(void *opaque, hwaddr addr, uint64_t val,
> + static const MemoryRegionOps acpi_pm_cnt_ops = {
> + .read = acpi_pm_cnt_read,
> + .write = acpi_pm_cnt_write,
> +- .valid.min_access_size = 2,
> ++ .impl.min_access_size = 2,
> ++ .valid.min_access_size = 1,
> + .valid.max_access_size = 2,
> + .endianness = DEVICE_LITTLE_ENDIAN,
> + };
> +--
> +1.8.3.1
> +
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch
> new file mode 100644
> index 0000000000..2a8781050f
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch
> @@ -0,0 +1,65 @@
> +From 8e67fda2dd6202ccec093fda561107ba14830a17 Mon Sep 17 00:00:00 2001
> +From: Laurent Vivier <lvivier@redhat.com>
> +Date: Tue, 21 Jul 2020 10:33:22 +0200
> +Subject: [PATCH] xhci: fix valid.max_access_size to access address registers
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=utf8
> +Content-Transfer-Encoding: 8bit
> +
> +QEMU XHCI advertises AC64 (64-bit addressing) but doesn't allow
> +64-bit mode access in "runtime" and "operational" MemoryRegionOps.
> +
> +Set the max_access_size based on sizeof(dma_addr_t) as AC64 is set.
> +
> +XHCI specs:
> +"If the xHC supports 64-bit addressing (AC64 = â1â), then software
> +should write 64-bit registers using only Qword accesses. If a
> +system is incapable of issuing Qword accesses, then writes to the
> +64-bit address fields shall be performed using 2 Dword accesses;
> +low Dword-first, high-Dword second. If the xHC supports 32-bit
> +addressing (AC64 = â0â), then the high Dword of registers containing
> +64-bit address fields are unused and software should write addresses
> +using only Dword accesses"
> +
> +The problem has been detected with SLOF, as linux kernel always accesses
> +registers using 32-bit access even if AC64 is set and revealed by
> +5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"")
> +
> +Suggested-by: Alexey Kardashevskiy <aik@au1.ibm.com>
> +Signed-off-by: Laurent Vivier <lvivier@redhat.com>
> +Message-id: 20200721083322.90651-1-lvivier@redhat.com
> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> +
> +https://git.qemu.org/?p=qemu.git;a=patch;h=8e67fda2dd6202ccec093fda561107ba14830a17
> +CVE: CVE-2020-13754
> +Upstream-Status: Backport
> +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> +---
> + hw/usb/hcd-xhci.c | 4 ++--
> + 1 file changed, 2 insertions(+), 2 deletions(-)
> +
> +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
> +index b330e36..67a18fe 100644
> +--- a/hw/usb/hcd-xhci.c
> ++++ b/hw/usb/hcd-xhci.c
> +@@ -3184,7 +3184,7 @@ static const MemoryRegionOps xhci_oper_ops = {
> + .read = xhci_oper_read,
> + .write = xhci_oper_write,
> + .valid.min_access_size = 4,
> +- .valid.max_access_size = 4,
> ++ .valid.max_access_size = sizeof(dma_addr_t),
> + .endianness = DEVICE_LITTLE_ENDIAN,
> + };
> +
> +@@ -3200,7 +3200,7 @@ static const MemoryRegionOps xhci_runtime_ops = {
> + .read = xhci_runtime_read,
> + .write = xhci_runtime_write,
> + .valid.min_access_size = 4,
> +- .valid.max_access_size = 4,
> ++ .valid.max_access_size = sizeof(dma_addr_t),
> + .endianness = DEVICE_LITTLE_ENDIAN,
> + };
> +
> +--
> +1.8.3.1
> +
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch
> new file mode 100644
> index 0000000000..6bad07d03f
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch
> @@ -0,0 +1,39 @@
> +From 70b78d4e71494c90d2ccb40381336bc9b9a22f79 Mon Sep 17 00:00:00 2001
> +From: Alistair Francis <alistair.francis@wdc.com>
> +Date: Tue, 30 Jun 2020 13:12:11 -0700
> +Subject: [PATCH] hw/riscv: Allow 64 bit access to SiFive CLINT
> +
> +Commit 5d971f9e672507210e77d020d89e0e89165c8fc9
> +"memory: Revert "memory: accept mismatching sizes in
> +memory_region_access_valid"" broke most RISC-V boards as they do 64 bit
> +accesses to the CLINT and QEMU would trigger a fault. Fix this failure
> +by allowing 8 byte accesses.
> +
> +Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
> +Reviewed-by: LIU Zhiwei<zhiwei_liu@c-sky.com>
> +Message-Id: <122b78825b077e4dfd39b444d3a46fe894a7804c.1593547870.git.alistair.francis@wdc.com>
> +
> +https://git.qemu.org/?p=qemu.git;a=patch;h=70b78d4e71494c90d2ccb40381336bc9b9a22f79
> +CVE: CVE-2020-13754
> +Upstream-Status: Backport
> +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> +---
> + hw/riscv/sifive_clint.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/hw/riscv/sifive_clint.c b/hw/riscv/sifive_clint.c
> +index b11ffa0..669c21a 100644
> +--- a/hw/riscv/sifive_clint.c
> ++++ b/hw/riscv/sifive_clint.c
> +@@ -181,7 +181,7 @@ static const MemoryRegionOps sifive_clint_ops = {
> + .endianness = DEVICE_LITTLE_ENDIAN,
> + .valid = {
> + .min_access_size = 4,
> +- .max_access_size = 4
> ++ .max_access_size = 8
> + }
> + };
> +
> +--
> +1.8.3.1
> +
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
> new file mode 100644
> index 0000000000..cdd9c38db9
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
> @@ -0,0 +1,67 @@
> +From a114d6baedf2cccb454a46d36e399fec1bc3e1c0 Mon Sep 17 00:00:00 2001
> +From: Gerd Hoffmann <kraxel@redhat.com>
> +Date: Wed, 18 Aug 2021 14:05:05 +0200
> +Subject: [PATCH] uas: add stream number sanity checks.
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +The device uses the guest-supplied stream number unchecked, which can
> +lead to guest-triggered out-of-band access to the UASDevice->data3 and
> +UASDevice->status3 fields. Add the missing checks.
> +
> +Fixes: CVE-2021-3713
> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> +Reported-by: Chen Zhe <chenzhe@huawei.com>
> +Reported-by: Tan Jingguo <tanjingguo@huawei.com>
> +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> +Message-Id: <20210818120505.1258262-2-kraxel@redhat.com>
> +
> +https://gitlab.com/qemu-project/qemu/-/commit/13b250b12ad3c59114a6a17d59caf073ce45b33a
> +CVE: CVE-2021-3713
> +Upstream-Status: Backport
> +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> +---
> + hw/usb/dev-uas.c | 11 +++++++++++
> + 1 file changed, 11 insertions(+)
> +
> +diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c
> +index 6d6d1073..0b8cd4dd 100644
> +--- a/hw/usb/dev-uas.c
> ++++ b/hw/usb/dev-uas.c
> +@@ -830,6 +830,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
> + }
> + break;
> + case UAS_PIPE_ID_STATUS:
> ++ if (p->stream > UAS_MAX_STREAMS) {
> ++ goto err_stream;
> ++ }
> + if (p->stream) {
> + QTAILQ_FOREACH(st, &uas->results, next) {
> + if (st->stream == p->stream) {
> +@@ -857,6 +860,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
> + break;
> + case UAS_PIPE_ID_DATA_IN:
> + case UAS_PIPE_ID_DATA_OUT:
> ++ if (p->stream > UAS_MAX_STREAMS) {
> ++ goto err_stream;
> ++ }
> + if (p->stream) {
> + req = usb_uas_find_request(uas, p->stream);
> + } else {
> +@@ -892,6 +898,11 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
> + p->status = USB_RET_STALL;
> + break;
> + }
> ++
> ++err_stream:
> ++ error_report("%s: invalid stream %d", __func__, p->stream);
> ++ p->status = USB_RET_STALL;
> ++ return;
> + }
> +
> + static void usb_uas_unrealize(USBDevice *dev, Error **errp)
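Review bot: In the last hunk the new `err_stream:` label sits directly after the switch's closing brace, with no `return;` between them, so every packet that a case handled and then `break`-ed out of also reaches `error_report("%s: invalid stream %d", ...)` and has its status overwritten with `USB_RET_STALL`; the fix is a `return;` immediately after that closing brace, before the blank line and the label. The body of usb_uas_handle_data starts before the first hunk, so I cannot see whether some cases return instead of breaking, but the visible `default:` case breaks, and if upstream carries a follow-up adding that return it should be backported together with this patch. Separately, the two `p->stream > UAS_MAX_STREAMS` checks only keep the index in range if the data3/status3 arrays named in the commit message are sized UAS_MAX_STREAMS + 1; that declaration is outside the hunk, so a one-line comment at the first check, `/* data3/status3 are indexed by stream and sized UAS_MAX_STREAMS + 1 */`, would record the bound the `>` depends on.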
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
> new file mode 100644
> index 0000000000..b291ade4e3
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
> @@ -0,0 +1,124 @@
> +From bedd7e93d01961fcb16a97ae45d93acf357e11f6 Mon Sep 17 00:00:00 2001
> +From: Jason Wang <jasowang@redhat.com>
> +Date: Thu, 2 Sep 2021 13:44:12 +0800
> +Subject: [PATCH] virtio-net: fix use after unmap/free for sg
> +
> +When mergeable buffer is enabled, we try to set the num_buffers after
> +the virtqueue elem has been unmapped. This will lead several issues,
> +E.g a use after free when the descriptor has an address which belongs
> +to the non direct access region. In this case we use bounce buffer
> +that is allocated during address_space_map() and freed during
> +address_space_unmap().
> +
> +Fixing this by storing the elems temporarily in an array and delay the
> +unmap after we set the the num_buffers.
> +
> +This addresses CVE-2021-3748.
> +
> +Reported-by: Alexander Bulekov <alxndr@bu.edu>
> +Fixes: fbe78f4f55c6 ("virtio-net support")
> +Cc: qemu-stable@nongnu.org
> +Signed-off-by: Jason Wang <jasowang@redhat.com>
> +
> +https://github.com/qemu/qemu/commit/bedd7e93d01961fcb16a97ae45d93acf357e11f6
> +CVE: CVE-2021-3748
> +Upstream-Status: Backport
> +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> +---
> + hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++-------
> + 1 file changed, 32 insertions(+), 7 deletions(-)
> +
> +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
> +index 16d20cdee52a..f205331dcf8c 100644
> +--- a/hw/net/virtio-net.c
> ++++ b/hw/net/virtio-net.c
> +@@ -1746,10 +1746,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
> + VirtIONet *n = qemu_get_nic_opaque(nc);
> + VirtIONetQueue *q = virtio_net_get_subqueue(nc);
> + VirtIODevice *vdev = VIRTIO_DEVICE(n);
> ++ VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE];
> ++ size_t lens[VIRTQUEUE_MAX_SIZE];
> + struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE];
> + struct virtio_net_hdr_mrg_rxbuf mhdr;
> + unsigned mhdr_cnt = 0;
> +- size_t offset, i, guest_offset;
> ++ size_t offset, i, guest_offset, j;
> ++ ssize_t err;
> +
> + if (!virtio_net_can_receive(nc)) {
> + return -1;
> +@@ -1780,6 +1783,12 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
> +
> + total = 0;
> +
> ++ if (i == VIRTQUEUE_MAX_SIZE) {
> ++ virtio_error(vdev, "virtio-net unexpected long buffer chain");
> ++ err = size;
> ++ goto err;
> ++ }
> ++
> + elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement));
> + if (!elem) {
> + if (i) {
> +@@ -1791,7 +1800,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
> + n->guest_hdr_len, n->host_hdr_len,
> + vdev->guest_features);
> + }
> +- return -1;
> ++ err = -1;
> ++ goto err;
> + }
> +
> + if (elem->in_num < 1) {
> +@@ -1799,7 +1809,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
> + "virtio-net receive queue contains no in buffers");
> + virtqueue_detach_element(q->rx_vq, elem, 0);
> + g_free(elem);
> +- return -1;
> ++ err = -1;
> ++ goto err;
> + }
> +
> + sg = elem->in_sg;
> +@@ -1836,12 +1847,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
> + if (!n->mergeable_rx_bufs && offset < size) {
> + virtqueue_unpop(q->rx_vq, elem, total);
> + g_free(elem);
> +- return size;
> ++ err = size;
> ++ goto err;
> + }
> +
> +- /* signal other side */
> +- virtqueue_fill(q->rx_vq, elem, total, i++);
> +- g_free(elem);
> ++ elems[i] = elem;
> ++ lens[i] = total;
> ++ i++;
> + }
> +
> + if (mhdr_cnt) {
> +@@ -1851,10 +1863,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
> + &mhdr.num_buffers, sizeof mhdr.num_buffers);
> + }
> +
> ++ for (j = 0; j < i; j++) {
> ++ /* signal other side */
> ++ virtqueue_fill(q->rx_vq, elems[j], lens[j], j);
> ++ g_free(elems[j]);
> ++ }
> ++
> + virtqueue_flush(q->rx_vq, i);
> + virtio_notify(vdev, q->rx_vq);
> +
> + return size;
> ++
> ++err:
> ++ for (j = 0; j < i; j++) {
> ++ g_free(elems[j]);
> ++ }
> ++
> ++ return err;
> + }
> +
> + static ssize_t virtio_net_do_receive(NetClientState *nc, const uint8_t *buf,
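Review bot: The new `err:` loop in the last hunk releases the batched elements with `g_free(elems[j])` only, whereas the single-element error path in the third hunk calls `virtqueue_detach_element(q->rx_vq, elem, 0)` before `g_free(elem)`; the batched elements were obtained with the same `virtqueue_pop`, so the same detach looks necessary for them, e.g. `virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);` ahead of the `g_free(elems[j]);`. I cannot see virtqueue_detach_element's contract from here, so confirm against hw/virtio/virtio.c (in particular what length to pass for an element whose data was already written) before changing it. The `i == VIRTQUEUE_MAX_SIZE` guard in the second hunk is what keeps the writes to `elems[i]` and `lens[i]` in bounds; a comment on it such as `/* elems[]/lens[] hold at most VIRTQUEUE_MAX_SIZE popped elements */` would make that dependency visible. virtio_net_receive_rcu's body begins before the first hunk.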
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch
> new file mode 100644
> index 0000000000..b1b5558647
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch
> @@ -0,0 +1,53 @@
> +From b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 Mon Sep 17 00:00:00 2001
> +From: Mauro Matteo Cascella <mcascell@redhat.com>
> +Date: Thu, 4 Nov 2021 17:31:38 +0100
> +Subject: [PATCH] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT
> + commands
> +
> +This avoids an off-by-one read of 'mode_sense_valid' buffer in
> +hw/scsi/scsi-disk.c:mode_sense_page().
> +
> +Fixes: CVE-2021-3930
> +Cc: qemu-stable@nongnu.org
> +Reported-by: Alexander Bulekov <alxndr@bu.edu>
> +Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table")
> +Fixes: #546
> +Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
> +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> +
> +https://gitlab.com/qemu-project/qemu/-/commit/b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8
> +CVE: CVE-2021-3930
> +Upstream-Status: Backport
> +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> +---
> + hw/scsi/scsi-disk.c | 6 ++++++
> + 1 file changed, 6 insertions(+)
> +
> +diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
> +index e8a547dbb7..d4914178ea 100644
> +--- a/hw/scsi/scsi-disk.c
> ++++ b/hw/scsi/scsi-disk.c
> +@@ -1087,6 +1087,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf,
> + uint8_t *p = *p_outbuf + 2;
> + int length;
> +
> ++ assert(page < ARRAY_SIZE(mode_sense_valid));
> + if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
> + return -1;
> + }
> +@@ -1428,6 +1429,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page,
> + return -1;
> + }
> +
> ++ /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */
> ++ if (page == MODE_PAGE_ALLS) {
> ++ return -1;
> ++ }
> ++
> + p = mode_current;
> + memset(mode_current, 0, inlen + 2);
> + len = mode_sense_page(s, page, &p, 0);
> +--
> +GitLab
> +
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
> new file mode 100644
> index 0000000000..80ad49e4ed
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
> @@ -0,0 +1,89 @@
> +From fa892e9abb728e76afcf27323ab29c57fb0fe7aa Mon Sep 17 00:00:00 2001
> +From: Mauro Matteo Cascella <mcascell@redhat.com>
> +Date: Thu, 7 Apr 2022 10:17:12 +0200
> +Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc
> + (CVE-2021-4206)
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Prevent potential integer overflow by limiting 'width' and 'height' to
> +512x512. Also change 'datasize' type to size_t. Refer to security
> +advisory https://starlabs.sg/advisories/22-4206/ for more information.
> +
> +Fixes: CVE-2021-4206
> +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> +Message-Id: <20220407081712.345609-1-mcascell@redhat.com>
> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> +
> +https://gitlab.com/qemu-project/qemu/-/commit/fa892e9a
> +CVE: CVE-2021-4206
> +Upstream-Status: Backport
> +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> +---
> + hw/display/qxl-render.c | 7 +++++++
> + hw/display/vmware_vga.c | 2 ++
> + ui/cursor.c | 8 +++++++-
> + 3 files changed, 16 insertions(+), 1 deletion(-)
> +
> +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
> +index 237ed293ba..ca217004bf 100644
> +--- a/hw/display/qxl-render.c
> ++++ b/hw/display/qxl-render.c
> +@@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
> + size_t size;
> +
> + c = cursor_alloc(cursor->header.width, cursor->header.height);
> ++
> ++ if (!c) {
> ++ qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__,
> ++ cursor->header.width, cursor->header.height);
> ++ goto fail;
> ++ }
> ++
> + c->hot_x = cursor->header.hot_spot_x;
> + c->hot_y = cursor->header.hot_spot_y;
> + switch (cursor->header.type) {
> +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
> +index 98c83474ad..45d06cbe25 100644
> +--- a/hw/display/vmware_vga.c
> ++++ b/hw/display/vmware_vga.c
> +@@ -515,6 +515,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
> + int i, pixels;
> +
> + qc = cursor_alloc(c->width, c->height);
> ++ assert(qc != NULL);
> ++
> + qc->hot_x = c->hot_x;
> + qc->hot_y = c->hot_y;
> + switch (c->bpp) {
> +diff --git a/ui/cursor.c b/ui/cursor.c
> +index 1d62ddd4d0..835f0802f9 100644
> +--- a/ui/cursor.c
> ++++ b/ui/cursor.c
> +@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[])
> +
> + /* parse pixel data */
> + c = cursor_alloc(width, height);
> ++ assert(c != NULL);
> ++
> + for (pixel = 0, y = 0; y < height; y++, line++) {
> + for (x = 0; x < height; x++, pixel++) {
> + idx = xpm[line][x];
> +@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void)
> + QEMUCursor *cursor_alloc(int width, int height)
> + {
> + QEMUCursor *c;
> +- int datasize = width * height * sizeof(uint32_t);
> ++ size_t datasize = width * height * sizeof(uint32_t);
> ++
> ++ if (width > 512 || height > 512) {
> ++ return NULL;
> ++ }
> +
> + c = g_malloc0(sizeof(QEMUCursor) + datasize);
> + c->width = width;
> +--
> +GitLab
> +
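Review bot: In cursor_alloc (last hunk) `datasize` is still computed from `width * height` before the new `> 512` guard runs, and both parameters are `int`, so an oversized pair goes through a signed multiplication (undefined behaviour on overflow) before it is rejected, and negative values are not rejected at all and end up in `g_malloc0(sizeof(QEMUCursor) + datasize)` as a huge size_t. Move the declaration below the guard and widen the condition: `if (width < 0 || height < 0 || width > 512 || height > 512) { return NULL; }` followed by `size_t datasize = width * height * sizeof(uint32_t);`. The qxl caller in the first hunk reports a guest bug on NULL, which suggests its width/height come from the guest, while vmware_vga.c and cursor_parse_xpm only `assert` on NULL; a short comment at those two asserts stating why their inputs are already bounded would help the next reader, as the bounding is not visible in these hunks.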
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch
> new file mode 100644
> index 0000000000..8418246247
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch
> @@ -0,0 +1,43 @@
> +From 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895 Mon Sep 17 00:00:00 2001
> +From: Mauro Matteo Cascella <mcascell@redhat.com>
> +Date: Thu, 7 Apr 2022 10:11:06 +0200
> +Subject: [PATCH] display/qxl-render: fix race condition in qxl_cursor
> + (CVE-2021-4207)
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Avoid fetching 'width' and 'height' a second time to prevent possible
> +race condition. Refer to security advisory
> +https://starlabs.sg/advisories/22-4207/ for more information.
> +
> +Fixes: CVE-2021-4207
> +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> +Message-Id: <20220407081106.343235-1-mcascell@redhat.com>
> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> +
> +https://gitlab.com/qemu-project/qemu/-/commit/9569f5cb
> +CVE: CVE-2021-4207
> +Upstream-Status: Backport
> +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> +---
> + hw/display/qxl-render.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
> +index d28849b121..237ed293ba 100644
> +--- a/hw/display/qxl-render.c
> ++++ b/hw/display/qxl-render.c
> +@@ -266,7 +266,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
> + }
> + break;
> + case SPICE_CURSOR_TYPE_ALPHA:
> +- size = sizeof(uint32_t) * cursor->header.width * cursor->header.height;
> ++ size = sizeof(uint32_t) * c->width * c->height;
> + qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id);
> + if (qxl->debug > 2) {
> + cursor_print_ascii_art(c, "qxl/alpha");
> +--
> +GitLab
> +
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch
> new file mode 100644
> index 0000000000..6a7ce0e26c
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch
> @@ -0,0 +1,42 @@
> +From 6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8 Mon Sep 17 00:00:00 2001
> +From: Mauro Matteo Cascella <mcascell@redhat.com>
> +Date: Tue, 5 Jul 2022 22:05:43 +0200
> +Subject: [PATCH] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout
> + (CVE-2022-0216)
> +
> +Set current_req->req to NULL to prevent reusing a free'd buffer in case of
> +repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch.
> +
> +Fixes: CVE-2022-0216
> +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
> +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
> +Reviewed-by: Thomas Huth <thuth@redhat.com>
> +Message-Id: <20220705200543.2366809-1-mcascell@redhat.com>
> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> +
> +https://gitlab.com/qemu-project/qemu/-/commit/6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8
> +CVE: CVE-2022-0216
> +Upstream-Status: Backport
> +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> +---
> + hw/scsi/lsi53c895a.c | 3 ++-
> + 1 file changed, 2 insertions(+), 1 deletion(-)
> +
> +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
> +index c8773f73f7..99ea42d49b 100644
> +--- a/hw/scsi/lsi53c895a.c
> ++++ b/hw/scsi/lsi53c895a.c
> +@@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s)
> + case 0x0d:
> + /* The ABORT TAG message clears the current I/O process only. */
> + trace_lsi_do_msgout_abort(current_tag);
> +- if (current_req) {
> ++ if (current_req && current_req->req) {
> + scsi_req_cancel(current_req->req);
> ++ current_req->req = NULL;
> + }
> + lsi_disconnect(s);
> + break;
> +--
> +GitLab
> +
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch
> new file mode 100644
> index 0000000000..137906cd30
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch
> @@ -0,0 +1,52 @@
> +From 4367a20cc442c56b05611b4224de9a61908f9eac Mon Sep 17 00:00:00 2001
> +From: Mauro Matteo Cascella <mcascell@redhat.com>
> +Date: Mon, 11 Jul 2022 14:33:16 +0200
> +Subject: [PATCH] scsi/lsi53c895a: really fix use-after-free in lsi_do_msgout
> + (CVE-2022-0216)
> +
> +Set current_req to NULL, not current_req->req, to prevent reusing a free'd
> +buffer in case of repeated SCSI cancel requests. Also apply the fix to
> +CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel
> +the request.
> +
> +Thanks to Alexander Bulekov for providing a reproducer.
> +
> +Fixes: CVE-2022-0216
> +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
> +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
> +Tested-by: Alexander Bulekov <alxndr@bu.edu>
> +Message-Id: <20220711123316.421279-1-mcascell@redhat.com>
> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> +
> +https://gitlab.com/qemu-project/qemu/-/commit/4367a20cc4
> +CVE: CVE-2022-0216
> +Upstream-Status: Backport
> +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> +---
> + hw/scsi/lsi53c895a.c | 3 +-
> + 1 files changed, 2 insertions(+), 1 deletion(-)
> +
> +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
> +index 99ea42d49b..ad5f5e5f39 100644
> +--- a/hw/scsi/lsi53c895a.c
> ++++ b/hw/scsi/lsi53c895a.c
> +@@ -1030,7 +1030,7 @@ static void lsi_do_msgout(LSIState *s)
> + trace_lsi_do_msgout_abort(current_tag);
> + if (current_req && current_req->req) {
> + scsi_req_cancel(current_req->req);
> +- current_req->req = NULL;
> ++ current_req = NULL;
> + }
> + lsi_disconnect(s);
> + break;
> +@@ -1056,6 +1056,7 @@ static void lsi_do_msgout(LSIState *s)
> + /* clear the current I/O process */
> + if (s->current) {
> + scsi_req_cancel(s->current->req);
> ++ current_req = NULL;
> + }
> +
> + /* As the current implemented devices scsi_disk and scsi_generic
> +--
> +GitLab
> +
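Review bot: The reason `current_req = NULL` is required after `scsi_req_cancel()` in both hunks — that the cancel can free the lsi_request the local pointer refers to — is stated only in the commit message, not in the code, so a later edit that reuses `current_req` after the cancel has nothing to warn it. Suggest a comment above the first changed line, `/* scsi_req_cancel() may free the lsi_request; current_req is dangling after this */`, and the same at the second hunk. The second hunk cancels `s->current->req` but nulls `current_req`; whether those refer to the same request is decided outside the hunk, so the comment should say that too. lsi_do_msgout's body starts before the first hunk.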
> --
> 2.36.1
>
>
>
* RE: [OE-core] [PATCH][dunfell 2/2] qemu: fix and ignore several CVEs
2022-09-15 14:13 ` [OE-core] " Steve Sakoman
@ 2022-09-19 0:44 ` Mittal, Anuj
2022-09-21 2:41 ` Steve Sakoman
0 siblings, 1 reply; 5+ messages in thread
From: Mittal, Anuj @ 2022-09-19 0:44 UTC (permalink / raw)
To: Steve Sakoman, Lee, Chee Yang; +Cc: openembedded-core
> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-
> core@lists.openembedded.org> On Behalf Of Steve Sakoman
> Sent: Thursday, September 15, 2022 10:14 PM
> To: Lee, Chee Yang <chee.yang.lee@intel.com>
> Cc: openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core] [PATCH][dunfell 2/2] qemu: fix and ignore several CVEs
>
> On Tue, Sep 13, 2022 at 8:04 PM Lee Chee Yang <chee.yang.lee@intel.com> wrote:
> >
> > From: Chee Yang Lee <chee.yang.lee@intel.com>
> >
> > backport fixes:
> > CVE-2020-13754, backport patches as debian security tracker notes
> > https://security-tracker.debian.org/tracker/CVE-2020-13754
> >
> > CVE-2021-3713
> > CVE-2021-3748
> > CVE-2021-3930
> > CVE-2021-4206
> > CVE-2021-4207
> > CVE-2022-0216, does not include qtest in patches, the qtest code was not available
> in v4.2.
> >
> > Ignore:
> > CVE-2020-27661, issue introduced in v5.1.0-rc0
> > https://security-tracker.debian.org/tracker/CVE-2020-27661
>
> While this patch applies and builds without error, it results in quite a few runtime
> errors during
> oe-selftest:
>
> https://errors.yoctoproject.org/Errors/Details/671970/
>
> Not sure which of the CVE fixes cause this :-(
It might be because of:
https://lists.openembedded.org/g/openembedded-core/message/156694
Thanks,
Anuj
>
> Steve
>
> > Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> > ---
> > meta/recipes-devtools/qemu/qemu.inc | 14 ++
> > .../qemu/qemu/CVE-2020-13754-1.patch | 91 +++++++++++++
> > .../qemu/qemu/CVE-2020-13754-2.patch | 69 ++++++++++
> > .../qemu/qemu/CVE-2020-13754-3.patch | 65 +++++++++
> > .../qemu/qemu/CVE-2020-13754-4.patch | 39 ++++++
> > .../qemu/qemu/CVE-2021-3713.patch | 67 ++++++++++
> > .../qemu/qemu/CVE-2021-3748.patch | 124 ++++++++++++++++++
> > .../qemu/qemu/CVE-2021-3930.patch | 53 ++++++++
> > .../qemu/qemu/CVE-2021-4206.patch | 89 +++++++++++++
> > .../qemu/qemu/CVE-2021-4207.patch | 43 ++++++
> > .../qemu/qemu/CVE-2022-0216-1.patch | 42 ++++++
> > .../qemu/qemu/CVE-2022-0216-2.patch | 52 ++++++++
> > 12 files changed, 748 insertions(+)
> > create mode 100644
> > meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch
> > create mode 100644
> > meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch
> > create mode 100644
> > meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch
> > create mode 100644
> > meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch
> > create mode 100644
> > meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
> > create mode 100644
> > meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
> > create mode 100644
> > meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch
> > create mode 100644
> > meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
> > create mode 100644
> > meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch
> > create mode 100644
> > meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch
> > create mode 100644
> > meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch
> >
> > diff --git a/meta/recipes-devtools/qemu/qemu.inc
> > b/meta/recipes-devtools/qemu/qemu.inc
> > index a773068499..c1db723e90 100644
> > --- a/meta/recipes-devtools/qemu/qemu.inc
> > +++ b/meta/recipes-devtools/qemu/qemu.inc
> > @@ -100,6 +100,17 @@ SRC_URI = "https://download.qemu.org/${BPN}-
> ${PV}.tar.xz \
> > file://CVE-2020-13791.patch \
> > file://CVE-2022-35414.patch \
> > file://CVE-2020-27821.patch \
> > + file://CVE-2020-13754-1.patch \
> > + file://CVE-2020-13754-2.patch \
> > + file://CVE-2020-13754-3.patch \
> > + file://CVE-2020-13754-4.patch \
> > + file://CVE-2021-3713.patch \
> > + file://CVE-2021-3748.patch \
> > + file://CVE-2021-3930.patch \
> > + file://CVE-2021-4206.patch \
> > + file://CVE-2021-4207.patch \
> > + file://CVE-2022-0216-1.patch \
> > + file://CVE-2022-0216-2.patch \
> > "
> > UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
> >
> > @@ -117,6 +128,9 @@ CVE_CHECK_WHITELIST += "CVE-2007-0998"
> > # https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11
> > CVE_CHECK_WHITELIST += "CVE-2018-18438"
> >
> > +# the issue introduced in v5.1.0-rc0
> > +CVE_CHECK_WHITELIST += "CVE-2020-27661"
> > +
> > COMPATIBLE_HOST_mipsarchn32 = "null"
> > COMPATIBLE_HOST_mipsarchn64 = "null"
> >
> > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch
> > b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch
> > new file mode 100644
> > index 0000000000..fdfff9d81d
> > --- /dev/null
> > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch
> > @@ -0,0 +1,91 @@
> > +From 5d971f9e672507210e77d020d89e0e89165c8fc9 Mon Sep 17 00:00:00
> > +2001
> > +From: "Michael S. Tsirkin" <mst@redhat.com>
> > +Date: Wed, 10 Jun 2020 09:47:49 -0400
> > +Subject: [PATCH] memory: Revert "memory: accept mismatching sizes in
> > +memory_region_access_valid"
> > +
> > +Memory API documentation documents valid .min_access_size and
> > +.max_access_size fields and explains that any access outside these boundaries is
> blocked.
> > +
> > +This is what devices seem to assume.
> > +
> > +However this is not what the implementation does: it simply ignores
> > +the boundaries unless there's an "accepts" callback.
> > +
> > +Naturally, this breaks a bunch of devices.
> > +
> > +Revert to the documented behaviour.
> > +
> > +Devices that want to allow any access can just drop the valid field,
> > +or add the impl field to have accesses converted to appropriate
> > +length.
> > +
> > +Cc: qemu-stable@nongnu.org
> > +Reviewed-by: Richard Henderson <rth@twiddle.net>
> > +Fixes: CVE-2020-13754
> > +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363
> > +Fixes: a014ed07bd5a ("memory: accept mismatching sizes in
> > +memory_region_access_valid")
> > +Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> > +Message-Id: <20200610134731.1514409-1-mst@redhat.com>
> > +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> > +
> > +https://git.qemu.org/?p=qemu.git;a=patch;h=5d971f9e672507210e77d020d8
> > +9e0e89165c8fc9
> > +CVE: CVE-2020-13754
> > +Upstream-Status: Backport
> > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> > +---
> > + memory.c | 29 +++++++++--------------------
> > + 1 file changed, 9 insertions(+), 20 deletions(-)
> > +
> > +diff --git a/memory.c b/memory.c
> > +index 2f15a4b..9200b20 100644
> > +--- a/memory.c
> > ++++ b/memory.c
> > +@@ -1352,35 +1352,24 @@ bool memory_region_access_valid(MemoryRegion
> *mr,
> > + bool is_write,
> > + MemTxAttrs attrs) {
> > +- int access_size_min, access_size_max;
> > +- int access_size, i;
> > +-
> > +- if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
> > ++ if (mr->ops->valid.accepts
> > ++ && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write,
> > ++ attrs)) {
> > + return false;
> > + }
> > +
> > +- if (!mr->ops->valid.accepts) {
> > +- return true;
> > +- }
> > +-
> > +- access_size_min = mr->ops->valid.min_access_size;
> > +- if (!mr->ops->valid.min_access_size) {
> > +- access_size_min = 1;
> > ++ if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
> > ++ return false;
> > + }
> > +
> > +- access_size_max = mr->ops->valid.max_access_size;
> > ++ /* Treat zero as compatibility all valid */
> > + if (!mr->ops->valid.max_access_size) {
> > +- access_size_max = 4;
> > ++ return true;
> > + }
> > +
> > +- access_size = MAX(MIN(size, access_size_max), access_size_min);
> > +- for (i = 0; i < size; i += access_size) {
> > +- if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size,
> > +- is_write, attrs)) {
> > +- return false;
> > +- }
> > ++ if (size > mr->ops->valid.max_access_size
> > ++ || size < mr->ops->valid.min_access_size) {
> > ++ return false;
> > + }
> > +-
> > + return true;
> > + }
> > +
> > +--
> > +1.8.3.1
> > +
> > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch
> > b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch
> > new file mode 100644
> > index 0000000000..7354edc54d
> > --- /dev/null
> > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch
> > @@ -0,0 +1,69 @@
> > +From dba04c3488c4699f5afe96f66e448b1d447cf3fb Mon Sep 17 00:00:00
> > +2001
> > +From: Michael Tokarev <mjt@tls.msk.ru>
> > +Date: Mon, 20 Jul 2020 19:06:27 +0300
> > +Subject: [PATCH] acpi: accept byte and word access to core ACPI
> > +registers
> > +
> > +All ISA registers should be accessible as bytes, words or dwords (if
> > +wide enough). Fix the access constraints for acpi-pm-evt,
> > +acpi-pm-tmr & acpi-cnt registers.
> > +
> > +Fixes: 5d971f9e67 (memory: Revert "memory: accept mismatching sizes
> > +in memory_region_access_valid")
> > +Fixes: afafe4bbe0 (apci: switch cnt to memory api)
> > +Fixes: 77d58b1e47 (apci: switch timer to memory api)
> > +Fixes: b5a7c024d2 (apci: switch evt to memory api)
> > +Buglink:
> > +https://lore.kernel.org/xen-devel/20200630170913.123646-1-anthony.per
> > +ard@citrix.com/T/
> > +Buglink: https://bugs.debian.org/964793
> > +BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247
> > +BugLink: https://bugs.launchpad.net/bugs/1886318
> > +Reported-By: Simon John <git@the-jedi.co.uk>
> > +Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
> > +Message-Id: <20200720160627.15491-1-mjt@msgid.tls.msk.ru>
> > +Cc: qemu-stable@nongnu.org
> > +Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
> > +Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> > +
> > +https://git.qemu.org/?p=qemu.git;a=patch;h=dba04c3488c4699f5afe96f66e
> > +448b1d447cf3fb
> > +CVE: CVE-2020-13754
> > +Upstream-Status: Backport
> > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> > +---
> > + hw/acpi/core.c | 9 ++++++---
> > + 1 file changed, 6 insertions(+), 3 deletions(-)
> > +
> > +diff --git a/hw/acpi/core.c b/hw/acpi/core.c index f6d9ec4..ac06db3
> > +100644
> > +--- a/hw/acpi/core.c
> > ++++ b/hw/acpi/core.c
> > +@@ -458,7 +458,8 @@ static void acpi_pm_evt_write(void *opaque,
> > +hwaddr addr, uint64_t val, static const MemoryRegionOps acpi_pm_evt_ops = {
> > + .read = acpi_pm_evt_read,
> > + .write = acpi_pm_evt_write,
> > +- .valid.min_access_size = 2,
> > ++ .impl.min_access_size = 2,
> > ++ .valid.min_access_size = 1,
> > + .valid.max_access_size = 2,
> > + .endianness = DEVICE_LITTLE_ENDIAN, }; @@ -527,7 +528,8 @@
> > +static void acpi_pm_tmr_write(void *opaque, hwaddr addr, uint64_t
> > +val, static const MemoryRegionOps acpi_pm_tmr_ops = {
> > + .read = acpi_pm_tmr_read,
> > + .write = acpi_pm_tmr_write,
> > +- .valid.min_access_size = 4,
> > ++ .impl.min_access_size = 4,
> > ++ .valid.min_access_size = 1,
> > + .valid.max_access_size = 4,
> > + .endianness = DEVICE_LITTLE_ENDIAN, }; @@ -599,7 +601,8 @@
> > +static void acpi_pm_cnt_write(void *opaque, hwaddr addr, uint64_t
> > +val, static const MemoryRegionOps acpi_pm_cnt_ops = {
> > + .read = acpi_pm_cnt_read,
> > + .write = acpi_pm_cnt_write,
> > +- .valid.min_access_size = 2,
> > ++ .impl.min_access_size = 2,
> > ++ .valid.min_access_size = 1,
> > + .valid.max_access_size = 2,
> > + .endianness = DEVICE_LITTLE_ENDIAN, };
> > +--
> > +1.8.3.1
> > +
> > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch
> > b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch
> > new file mode 100644
> > index 0000000000..2a8781050f
> > --- /dev/null
> > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch
> > @@ -0,0 +1,65 @@
> > +From 8e67fda2dd6202ccec093fda561107ba14830a17 Mon Sep 17 00:00:00
> > +2001
> > +From: Laurent Vivier <lvivier@redhat.com>
> > +Date: Tue, 21 Jul 2020 10:33:22 +0200
> > +Subject: [PATCH] xhci: fix valid.max_access_size to access address
> > +registers
> > +MIME-Version: 1.0
> > +Content-Type: text/plain; charset=utf8
> > +Content-Transfer-Encoding: 8bit
> > +
> > +QEMU XHCI advertises AC64 (64-bit addressing) but doesn't allow
> > +64-bit mode access in "runtime" and "operational" MemoryRegionOps.
> > +
> > +Set the max_access_size based on sizeof(dma_addr_t) as AC64 is set.
> > +
> > +XHCI specs:
> > +"If the xHC supports 64-bit addressing (AC64 = â1â), then software
> > +should write 64-bit registers using only Qword accesses. If a system
> > +is incapable of issuing Qword accesses, then writes to the 64-bit
> > +address fields shall be performed using 2 Dword accesses; low
> > +Dword-first, high-Dword second. If the xHC supports 32-bit
> > +addressing (AC64 = â0â), then the high Dword of registers containing
> > +64-bit address fields are unused and software should write addresses
> > +using only Dword accesses"
> > +
> > +The problem has been detected with SLOF, as linux kernel always
> > +accesses registers using 32-bit access even if AC64 is set and
> > +revealed by
> > +5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in
> > +memory_region_access_valid"")
> > +
> > +Suggested-by: Alexey Kardashevskiy <aik@au1.ibm.com>
> > +Signed-off-by: Laurent Vivier <lvivier@redhat.com>
> > +Message-id: 20200721083322.90651-1-lvivier@redhat.com
> > +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> > +
> > +https://git.qemu.org/?p=qemu.git;a=patch;h=8e67fda2dd6202ccec093fda56
> > +1107ba14830a17
> > +CVE: CVE-2020-13754
> > +Upstream-Status: Backport
> > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> > +---
> > + hw/usb/hcd-xhci.c | 4 ++--
> > + 1 file changed, 2 insertions(+), 2 deletions(-)
> > +
> > +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c index
> > +b330e36..67a18fe 100644
> > +--- a/hw/usb/hcd-xhci.c
> > ++++ b/hw/usb/hcd-xhci.c
> > +@@ -3184,7 +3184,7 @@ static const MemoryRegionOps xhci_oper_ops = {
> > + .read = xhci_oper_read,
> > + .write = xhci_oper_write,
> > + .valid.min_access_size = 4,
> > +- .valid.max_access_size = 4,
> > ++ .valid.max_access_size = sizeof(dma_addr_t),
> > + .endianness = DEVICE_LITTLE_ENDIAN, };
> > +
> > +@@ -3200,7 +3200,7 @@ static const MemoryRegionOps xhci_runtime_ops = {
> > + .read = xhci_runtime_read,
> > + .write = xhci_runtime_write,
> > + .valid.min_access_size = 4,
> > +- .valid.max_access_size = 4,
> > ++ .valid.max_access_size = sizeof(dma_addr_t),
> > + .endianness = DEVICE_LITTLE_ENDIAN, };
> > +
> > +--
> > +1.8.3.1
> > +
> > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch
> > b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch
> > new file mode 100644
> > index 0000000000..6bad07d03f
> > --- /dev/null
> > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch
> > @@ -0,0 +1,39 @@
> > +From 70b78d4e71494c90d2ccb40381336bc9b9a22f79 Mon Sep 17 00:00:00
> > +2001
> > +From: Alistair Francis <alistair.francis@wdc.com>
> > +Date: Tue, 30 Jun 2020 13:12:11 -0700
> > +Subject: [PATCH] hw/riscv: Allow 64 bit access to SiFive CLINT
> > +
> > +Commit 5d971f9e672507210e77d020d89e0e89165c8fc9
> > +"memory: Revert "memory: accept mismatching sizes in
> > +memory_region_access_valid"" broke most RISC-V boards as they do 64
> > +bit accesses to the CLINT and QEMU would trigger a fault. Fix this
> > +failure by allowing 8 byte accesses.
> > +
> > +Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
> > +Reviewed-by: LIU Zhiwei<zhiwei_liu@c-sky.com>
> > +Message-Id:
> > +<122b78825b077e4dfd39b444d3a46fe894a7804c.1593547870.git.alistair.fra
> > +ncis@wdc.com>
> > +
> > +https://git.qemu.org/?p=qemu.git;a=patch;h=70b78d4e71494c90d2ccb40381
> > +336bc9b9a22f79
> > +CVE: CVE-2020-13754
> > +Upstream-Status: Backport
> > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> > +---
> > + hw/riscv/sifive_clint.c | 2 +-
> > + 1 file changed, 1 insertion(+), 1 deletion(-)
> > +
> > +diff --git a/hw/riscv/sifive_clint.c b/hw/riscv/sifive_clint.c index
> > +b11ffa0..669c21a 100644
> > +--- a/hw/riscv/sifive_clint.c
> > ++++ b/hw/riscv/sifive_clint.c
> > +@@ -181,7 +181,7 @@ static const MemoryRegionOps sifive_clint_ops = {
> > + .endianness = DEVICE_LITTLE_ENDIAN,
> > + .valid = {
> > + .min_access_size = 4,
> > +- .max_access_size = 4
> > ++ .max_access_size = 8
> > + }
> > + };
> > +
> > +--
> > +1.8.3.1
> > +
> > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
> > b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
> > new file mode 100644
> > index 0000000000..cdd9c38db9
> > --- /dev/null
> > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
> > @@ -0,0 +1,67 @@
> > +From a114d6baedf2cccb454a46d36e399fec1bc3e1c0 Mon Sep 17 00:00:00
> > +2001
> > +From: Gerd Hoffmann <kraxel@redhat.com>
> > +Date: Wed, 18 Aug 2021 14:05:05 +0200
> > +Subject: [PATCH] uas: add stream number sanity checks.
> > +MIME-Version: 1.0
> > +Content-Type: text/plain; charset=UTF-8
> > +Content-Transfer-Encoding: 8bit
> > +
> > +MIME-Version: 1.0
> > +Content-Type: text/plain; charset=UTF-8
> > +Content-Transfer-Encoding: 8bit
> > +
> > +The device uses the guest-supplied stream number unchecked, which can
> > +lead to guest-triggered out-of-band access to the UASDevice->data3
> > +and
> > +UASDevice->status3 fields. Add the missing checks.
> > +
> > +Fixes: CVE-2021-3713
> > +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> > +Reported-by: Chen Zhe <chenzhe@huawei.com>
> > +Reported-by: Tan Jingguo <tanjingguo@huawei.com>
> > +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> > +Message-Id: <20210818120505.1258262-2-kraxel@redhat.com>
> > +
> > +https://gitlab.com/qemu-project/qemu/-/commit/13b250b12ad3c59114a6a17
> > +d59caf073ce45b33a
> > +CVE: CVE-2021-3713
> > +Upstream-Status: Backport
> > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> > +---
> > + hw/usb/dev-uas.c | 11 +++++++++++
> > + 1 file changed, 11 insertions(+)
> > +
> > +diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c index
> > +6d6d1073..0b8cd4dd 100644
> > +--- a/hw/usb/dev-uas.c
> > ++++ b/hw/usb/dev-uas.c
> > +@@ -830,6 +830,9 @@ static void usb_uas_handle_data(USBDevice *dev,
> USBPacket *p)
> > + }
> > + break;
> > + case UAS_PIPE_ID_STATUS:
> > ++ if (p->stream > UAS_MAX_STREAMS) {
> > ++ goto err_stream;
> > ++ }
> > + if (p->stream) {
> > + QTAILQ_FOREACH(st, &uas->results, next) {
> > + if (st->stream == p->stream) { @@ -857,6 +860,9 @@
> > +static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
> > + break;
> > + case UAS_PIPE_ID_DATA_IN:
> > + case UAS_PIPE_ID_DATA_OUT:
> > ++ if (p->stream > UAS_MAX_STREAMS) {
> > ++ goto err_stream;
> > ++ }
> > + if (p->stream) {
> > + req = usb_uas_find_request(uas, p->stream);
> > + } else {
> > +@@ -892,6 +898,11 @@ static void usb_uas_handle_data(USBDevice *dev,
> USBPacket *p)
> > + p->status = USB_RET_STALL;
> > + break;
> > + }
> > ++
> > ++err_stream:
> > ++ error_report("%s: invalid stream %d", __func__, p->stream);
> > ++ p->status = USB_RET_STALL;
> > ++ return;
> > + }
> > +
> > + static void usb_uas_unrealize(USBDevice *dev, Error **errp)
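Review bot: In the last hunk the `err_stream:` label sits directly after the closing brace of the switch with no `return;` between them, so every packet that leaves the switch through a `break` falls through into `error_report("%s: invalid stream %d", ...)` and gets `p->status = USB_RET_STALL`; if that `}` really closes the switch (indentation was lost in the mail), the backport stalls all UAS traffic rather than only out-of-range streams. Adding `return;` on its own line before `err_stream:` fixes it, and I believe upstream needed the same correction after this commit, so that follow-up should be picked up with it. The new guards compare with `p->stream > UAS_MAX_STREAMS` rather than `>=`, which is only safe if the `data3`/`status3` arrays in this 4.2 tree are declared with `UAS_MAX_STREAMS + 1` entries; that declaration is not in the patch, so it is worth confirming against hw/usb/dev-uas.c. As a style point, the patch header carries the `MIME-Version`/`Content-Type`/`Content-Transfer-Encoding` block twice, and the second copy will become the first paragraph of the commit message under `git am`.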
> > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
> > b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
> > new file mode 100644
> > index 0000000000..b291ade4e3
> > --- /dev/null
> > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
> > @@ -0,0 +1,124 @@
> > +From bedd7e93d01961fcb16a97ae45d93acf357e11f6 Mon Sep 17 00:00:00
> > +2001
> > +From: Jason Wang <jasowang@redhat.com>
> > +Date: Thu, 2 Sep 2021 13:44:12 +0800
> > +Subject: [PATCH] virtio-net: fix use after unmap/free for sg
> > +
> > +When mergeable buffer is enabled, we try to set the num_buffers after
> > +the virtqueue elem has been unmapped. This will lead several issues,
> > +E.g a use after free when the descriptor has an address which belongs
> > +to the non direct access region. In this case we use bounce buffer
> > +that is allocated during address_space_map() and freed during
> > +address_space_unmap().
> > +
> > +Fixing this by storing the elems temporarily in an array and delay
> > +the unmap after we set the the num_buffers.
> > +
> > +This addresses CVE-2021-3748.
> > +
> > +Reported-by: Alexander Bulekov <alxndr@bu.edu>
> > +Fixes: fbe78f4f55c6 ("virtio-net support")
> > +Cc: qemu-stable@nongnu.org
> > +Signed-off-by: Jason Wang <jasowang@redhat.com>
> > +
> > +https://github.com/qemu/qemu/commit/bedd7e93d01961fcb16a97ae45d93acf3
> > +57e11f6
> > +CVE: CVE-2021-3748
> > +Upstream-Status: Backport
> > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> > +---
> > + hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++-------
> > + 1 file changed, 32 insertions(+), 7 deletions(-)
> > +
> > +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c index
> > +16d20cdee52a..f205331dcf8c 100644
> > +--- a/hw/net/virtio-net.c
> > ++++ b/hw/net/virtio-net.c
> > +@@ -1746,10 +1746,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState
> *nc, const uint8_t *buf,
> > + VirtIONet *n = qemu_get_nic_opaque(nc);
> > + VirtIONetQueue *q = virtio_net_get_subqueue(nc);
> > + VirtIODevice *vdev = VIRTIO_DEVICE(n);
> > ++ VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE];
> > ++ size_t lens[VIRTQUEUE_MAX_SIZE];
> > + struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE];
> > + struct virtio_net_hdr_mrg_rxbuf mhdr;
> > + unsigned mhdr_cnt = 0;
> > +- size_t offset, i, guest_offset;
> > ++ size_t offset, i, guest_offset, j;
> > ++ ssize_t err;
> > +
> > + if (!virtio_net_can_receive(nc)) {
> > + return -1;
> > +@@ -1780,6 +1783,12 @@ static ssize_t
> > +virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
> > +
> > + total = 0;
> > +
> > ++ if (i == VIRTQUEUE_MAX_SIZE) {
> > ++ virtio_error(vdev, "virtio-net unexpected long buffer chain");
> > ++ err = size;
> > ++ goto err;
> > ++ }
> > ++
> > + elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement));
> > + if (!elem) {
> > + if (i) {
> > +@@ -1791,7 +1800,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc,
> const uint8_t *buf,
> > + n->guest_hdr_len, n->host_hdr_len,
> > + vdev->guest_features);
> > + }
> > +- return -1;
> > ++ err = -1;
> > ++ goto err;
> > + }
> > +
> > + if (elem->in_num < 1) {
> > +@@ -1799,7 +1809,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc,
> const uint8_t *buf,
> > + "virtio-net receive queue contains no in buffers");
> > + virtqueue_detach_element(q->rx_vq, elem, 0);
> > + g_free(elem);
> > +- return -1;
> > ++ err = -1;
> > ++ goto err;
> > + }
> > +
> > + sg = elem->in_sg;
> > +@@ -1836,12 +1847,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState
> *nc, const uint8_t *buf,
> > + if (!n->mergeable_rx_bufs && offset < size) {
> > + virtqueue_unpop(q->rx_vq, elem, total);
> > + g_free(elem);
> > +- return size;
> > ++ err = size;
> > ++ goto err;
> > + }
> > +
> > +- /* signal other side */
> > +- virtqueue_fill(q->rx_vq, elem, total, i++);
> > +- g_free(elem);
> > ++ elems[i] = elem;
> > ++ lens[i] = total;
> > ++ i++;
> > + }
> > +
> > + if (mhdr_cnt) {
> > +@@ -1851,10 +1863,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState
> *nc, const uint8_t *buf,
> > + &mhdr.num_buffers, sizeof mhdr.num_buffers);
> > + }
> > +
> > ++ for (j = 0; j < i; j++) {
> > ++ /* signal other side */
> > ++ virtqueue_fill(q->rx_vq, elems[j], lens[j], j);
> > ++ g_free(elems[j]);
> > ++ }
> > ++
> > + virtqueue_flush(q->rx_vq, i);
> > + virtio_notify(vdev, q->rx_vq);
> > +
> > + return size;
> > ++
> > ++err:
> > ++ for (j = 0; j < i; j++) {
> > ++ g_free(elems[j]);
> > ++ }
> > ++
> > ++ return err;
> > + }
> > +
> > + static ssize_t virtio_net_do_receive(NetClientState *nc, const
> > + uint8_t *buf,
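Review bot: The new `err:` cleanup loop only calls `g_free(elems[j])` on the elements it buffered, whereas the existing `in_num < 1` path in the same function calls `virtqueue_detach_element(q->rx_vq, elem, 0)` before freeing; elements that reached `elems[]` were popped from `q->rx_vq` and on the `err = -1` paths are neither filled nor detached, so whatever they hold mapped appears to stay mapped until the device is reset. If I recall correctly, upstream fixed exactly this in a follow-up to the commit being backported by adding `virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);` ahead of the `g_free` in that loop, and since a guest can drive these error paths repeatedly that follow-up belongs in the same series. `virtio_net_receive_rcu` begins before the first hunk, so its signature and the surrounding context are not visible here.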
> > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch
> > b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch
> > new file mode 100644
> > index 0000000000..b1b5558647
> > --- /dev/null
> > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch
> > @@ -0,0 +1,53 @@
> > +From b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 Mon Sep 17 00:00:00
> > +2001
> > +From: Mauro Matteo Cascella <mcascell@redhat.com>
> > +Date: Thu, 4 Nov 2021 17:31:38 +0100
> > +Subject: [PATCH] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in
> > +MODE SELECT commands
> > +
> > +This avoids an off-by-one read of 'mode_sense_valid' buffer in
> > +hw/scsi/scsi-disk.c:mode_sense_page().
> > +
> > +Fixes: CVE-2021-3930
> > +Cc: qemu-stable@nongnu.org
> > +Reported-by: Alexander Bulekov <alxndr@bu.edu>
> > +Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table")
> > +Fixes: #546
> > +Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
> > +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
> > +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> > +
> > +https://gitlab.com/qemu-project/qemu/-/commit/b3af7fdf9cc537f8f0dd3e2
> > +423d83f5c99a457e8
> > +CVE: CVE-2021-3930
> > +Upstream-Status: Backport
> > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> > +---
> > + hw/scsi/scsi-disk.c | 6 ++++++
> > + 1 file changed, 6 insertions(+)
> > +
> > +diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c index
> > +e8a547dbb7..d4914178ea 100644
> > +--- a/hw/scsi/scsi-disk.c
> > ++++ b/hw/scsi/scsi-disk.c
> > +@@ -1087,6 +1087,7 @@ static int mode_sense_page(SCSIDiskState *s, int page,
> uint8_t **p_outbuf,
> > + uint8_t *p = *p_outbuf + 2;
> > + int length;
> > +
> > ++ assert(page < ARRAY_SIZE(mode_sense_valid));
> > + if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
> > + return -1;
> > + }
> > +@@ -1428,6 +1429,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState
> *s, int page,
> > + return -1;
> > + }
> > +
> > ++ /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */
> > ++ if (page == MODE_PAGE_ALLS) {
> > ++ return -1;
> > ++ }
> > ++
> > + p = mode_current;
> > + memset(mode_current, 0, inlen + 2);
> > + len = mode_sense_page(s, page, &p, 0);
> > +--
> > +GitLab
> > +
> > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
> > b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
> > new file mode 100644
> > index 0000000000..80ad49e4ed
> > --- /dev/null
> > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
> > @@ -0,0 +1,89 @@
> > +From fa892e9abb728e76afcf27323ab29c57fb0fe7aa Mon Sep 17 00:00:00
> > +2001
> > +From: Mauro Matteo Cascella <mcascell@redhat.com>
> > +Date: Thu, 7 Apr 2022 10:17:12 +0200
> > +Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc
> > + (CVE-2021-4206)
> > +MIME-Version: 1.0
> > +Content-Type: text/plain; charset=UTF-8
> > +Content-Transfer-Encoding: 8bit
> > +
> > +Prevent potential integer overflow by limiting 'width' and 'height'
> > +to 512x512. Also change 'datasize' type to size_t. Refer to security
> > +advisory https://starlabs.sg/advisories/22-4206/ for more information.
> > +
> > +Fixes: CVE-2021-4206
> > +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
> > +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> > +Message-Id: <20220407081712.345609-1-mcascell@redhat.com>
> > +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> > +
> > +https://gitlab.com/qemu-project/qemu/-/commit/fa892e9a
> > +CVE: CVE-2021-4206
> > +Upstream-Status: Backport
> > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> > +---
> > + hw/display/qxl-render.c | 7 +++++++
> > + hw/display/vmware_vga.c | 2 ++
> > + ui/cursor.c | 8 +++++++-
> > + 3 files changed, 16 insertions(+), 1 deletion(-)
> > +
> > +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c index
> > +237ed293ba..ca217004bf 100644
> > +--- a/hw/display/qxl-render.c
> > ++++ b/hw/display/qxl-render.c
> > +@@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl,
> QXLCursor *cursor,
> > + size_t size;
> > +
> > + c = cursor_alloc(cursor->header.width, cursor->header.height);
> > ++
> > ++ if (!c) {
> > ++ qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__,
> > ++ cursor->header.width, cursor->header.height);
> > ++ goto fail;
> > ++ }
> > ++
> > + c->hot_x = cursor->header.hot_spot_x;
> > + c->hot_y = cursor->header.hot_spot_y;
> > + switch (cursor->header.type) {
> > +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c index
> > +98c83474ad..45d06cbe25 100644
> > +--- a/hw/display/vmware_vga.c
> > ++++ b/hw/display/vmware_vga.c
> > +@@ -515,6 +515,8 @@ static inline void vmsvga_cursor_define(struct
> vmsvga_state_s *s,
> > + int i, pixels;
> > +
> > + qc = cursor_alloc(c->width, c->height);
> > ++ assert(qc != NULL);
> > ++
> > + qc->hot_x = c->hot_x;
> > + qc->hot_y = c->hot_y;
> > + switch (c->bpp) {
> > +diff --git a/ui/cursor.c b/ui/cursor.c index 1d62ddd4d0..835f0802f9
> > +100644
> > +--- a/ui/cursor.c
> > ++++ b/ui/cursor.c
> > +@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char
> > +*xpm[])
> > +
> > + /* parse pixel data */
> > + c = cursor_alloc(width, height);
> > ++ assert(c != NULL);
> > ++
> > + for (pixel = 0, y = 0; y < height; y++, line++) {
> > + for (x = 0; x < height; x++, pixel++) {
> > + idx = xpm[line][x];
> > +@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void)
> > +QEMUCursor *cursor_alloc(int width, int height) {
> > + QEMUCursor *c;
> > +- int datasize = width * height * sizeof(uint32_t);
> > ++ size_t datasize = width * height * sizeof(uint32_t);
> > ++
> > ++ if (width > 512 || height > 512) {
> > ++ return NULL;
> > ++ }
> > +
> > + c = g_malloc0(sizeof(QEMUCursor) + datasize);
> > + c->width = width;
> > +--
> > +GitLab
> > +
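Review bot: In `cursor_alloc` the new `size_t datasize = width * height * sizeof(uint32_t);` is still evaluated before the `width > 512 || height > 512` guard, so the `int` product `width * height` is computed on unchecked values before the guard rejects them (signed overflow there is undefined behaviour), and negative `width`/`height` pass the guard entirely. Moving the initialisation below the guard and widening it to `if (width < 0 || height < 0 || width > 512 || height > 512) {` closes both gaps without changing the interface. Separately, the `assert(qc != NULL)` added in vmware_vga.c turns an out-of-range cursor size into an abort of the emulator unless the caller already bounds `c->width`/`c->height`, which is worth confirming in the SVGA FIFO handler of this 4.2 tree before relying on the assert.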
> > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch
> > b/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch
> > new file mode 100644
> > index 0000000000..8418246247
> > --- /dev/null
> > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch
> > @@ -0,0 +1,43 @@
> > +From 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895 Mon Sep 17 00:00:00
> > +2001
> > +From: Mauro Matteo Cascella <mcascell@redhat.com>
> > +Date: Thu, 7 Apr 2022 10:11:06 +0200
> > +Subject: [PATCH] display/qxl-render: fix race condition in qxl_cursor
> > + (CVE-2021-4207)
> > +MIME-Version: 1.0
> > +Content-Type: text/plain; charset=UTF-8
> > +Content-Transfer-Encoding: 8bit
> > +
> > +Avoid fetching 'width' and 'height' a second time to prevent possible
> > +race condition. Refer to security advisory
> > +https://starlabs.sg/advisories/22-4207/ for more information.
> > +
> > +Fixes: CVE-2021-4207
> > +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
> > +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> > +Message-Id: <20220407081106.343235-1-mcascell@redhat.com>
> > +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> > +
> > +https://gitlab.com/qemu-project/qemu/-/commit/9569f5cb
> > +CVE: CVE-2021-4207
> > +Upstream-Status: Backport
> > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> > +---
> > + hw/display/qxl-render.c | 2 +-
> > + 1 file changed, 1 insertion(+), 1 deletion(-)
> > +
> > +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c index
> > +d28849b121..237ed293ba 100644
> > +--- a/hw/display/qxl-render.c
> > ++++ b/hw/display/qxl-render.c
> > +@@ -266,7 +266,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl,
> QXLCursor *cursor,
> > + }
> > + break;
> > + case SPICE_CURSOR_TYPE_ALPHA:
> > +- size = sizeof(uint32_t) * cursor->header.width * cursor->header.height;
> > ++ size = sizeof(uint32_t) * c->width * c->height;
> > + qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id);
> > + if (qxl->debug > 2) {
> > + cursor_print_ascii_art(c, "qxl/alpha");
> > +--
> > +GitLab
> > +
> > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch
> > b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch
> > new file mode 100644
> > index 0000000000..6a7ce0e26c
> > --- /dev/null
> > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch
> > @@ -0,0 +1,42 @@
> > +From 6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8 Mon Sep 17 00:00:00
> > +2001
> > +From: Mauro Matteo Cascella <mcascell@redhat.com>
> > +Date: Tue, 5 Jul 2022 22:05:43 +0200
> > +Subject: [PATCH] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout
> > + (CVE-2022-0216)
> > +
> > +Set current_req->req to NULL to prevent reusing a free'd buffer in
> > +case of repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the
> patch.
> > +
> > +Fixes: CVE-2022-0216
> > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
> > +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
> > +Reviewed-by: Thomas Huth <thuth@redhat.com>
> > +Message-Id: <20220705200543.2366809-1-mcascell@redhat.com>
> > +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> > +
> > +https://gitlab.com/qemu-project/qemu/-/commit/6c8fa961da5e60f574bb52f
> > +d3ad44b1e9e8ad4b8
> > +CVE: CVE-2022-0216
> > +Upstream-Status: Backport
> > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> > +---
> > + hw/scsi/lsi53c895a.c | 3 ++-
> > + 1 file changed, 2 insertions(+), 1 deletion(-)
> > +
> > +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c index
> > +c8773f73f7..99ea42d49b 100644
> > +--- a/hw/scsi/lsi53c895a.c
> > ++++ b/hw/scsi/lsi53c895a.c
> > +@@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s)
> > + case 0x0d:
> > + /* The ABORT TAG message clears the current I/O process only. */
> > + trace_lsi_do_msgout_abort(current_tag);
> > +- if (current_req) {
> > ++ if (current_req && current_req->req) {
> > + scsi_req_cancel(current_req->req);
> > ++ current_req->req = NULL;
> > + }
> > + lsi_disconnect(s);
> > + break;
> > +--
> > +GitLab
> > +
> > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch
> > b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch
> > new file mode 100644
> > index 0000000000..137906cd30
> > --- /dev/null
> > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch
> > @@ -0,0 +1,52 @@
> > +From 4367a20cc442c56b05611b4224de9a61908f9eac Mon Sep 17 00:00:00
> > +2001
> > +From: Mauro Matteo Cascella <mcascell@redhat.com>
> > +Date: Mon, 11 Jul 2022 14:33:16 +0200
> > +Subject: [PATCH] scsi/lsi53c895a: really fix use-after-free in
> > +lsi_do_msgout
> > + (CVE-2022-0216)
> > +
> > +Set current_req to NULL, not current_req->req, to prevent reusing a
> > +free'd buffer in case of repeated SCSI cancel requests. Also apply
> > +the fix to CLEAR QUEUE and BUS DEVICE RESET messages as well, since
> > +they also cancel the request.
> > +
> > +Thanks to Alexander Bulekov for providing a reproducer.
> > +
> > +Fixes: CVE-2022-0216
> > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
> > +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
> > +Tested-by: Alexander Bulekov <alxndr@bu.edu>
> > +Message-Id: <20220711123316.421279-1-mcascell@redhat.com>
> > +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> > +
> > +https://gitlab.com/qemu-project/qemu/-/commit/4367a20cc4
> > +CVE: CVE-2022-0216
> > +Upstream-Status: Backport
> > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> > +---
> > + hw/scsi/lsi53c895a.c | 3 +-
> > + 1 files changed, 2 insertions(+), 1 deletion(-)
> > +
> > +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c index
> > +99ea42d49b..ad5f5e5f39 100644
> > +--- a/hw/scsi/lsi53c895a.c
> > ++++ b/hw/scsi/lsi53c895a.c
> > +@@ -1030,7 +1030,7 @@ static void lsi_do_msgout(LSIState *s)
> > + trace_lsi_do_msgout_abort(current_tag);
> > + if (current_req && current_req->req) {
> > + scsi_req_cancel(current_req->req);
> > +- current_req->req = NULL;
> > ++ current_req = NULL;
> > + }
> > + lsi_disconnect(s);
> > + break;
> > +@@ -1056,6 +1056,7 @@ static void lsi_do_msgout(LSIState *s)
> > + /* clear the current I/O process */
> > + if (s->current) {
> > + scsi_req_cancel(s->current->req);
> > ++ current_req = NULL;
> > + }
> > +
> > + /* As the current implemented devices scsi_disk and
> > +scsi_generic
> > +--
> > +GitLab
> > +
> > --
> > 2.36.1
> >
> >
> >
> >
* Re: [OE-core] [PATCH][dunfell 2/2] qemu: fix and ignore several CVEs
2022-09-19 0:44 ` Mittal, Anuj
@ 2022-09-21 2:41 ` Steve Sakoman
From: Steve Sakoman @ 2022-09-21 2:41 UTC (permalink / raw)
To: Mittal, Anuj; +Cc: openembedded-core
On Sun, Sep 18, 2022 at 2:44 PM Mittal, Anuj <anuj.mittal@intel.com> wrote:
>
>
>
> > -----Original Message-----
> > From: openembedded-core@lists.openembedded.org <openembedded-
> > core@lists.openembedded.org> On Behalf Of Steve Sakoman
> > Sent: Thursday, September 15, 2022 10:14 PM
> > To: Lee, Chee Yang <chee.yang.lee@intel.com>
> > Cc: openembedded-core@lists.openembedded.org
> > Subject: Re: [OE-core] [PATCH][dunfell 2/2] qemu: fix and ignore several CVEs
> >
> > On Tue, Sep 13, 2022 at 8:04 PM Lee Chee Yang <chee.yang.lee@intel.com> wrote:
> > >
> > > From: Chee Yang Lee <chee.yang.lee@intel.com>
> > >
> > > backport fixes:
> > > CVE-2020-13754, backport patches as debian security tracker notes
> > > https://security-tracker.debian.org/tracker/CVE-2020-13754
> > >
> > > CVE-2021-3713
> > > CVE-2021-3748
> > > CVE-2021-3930
> > > CVE-2021-4206
> > > CVE-2021-4207
> > > CVE-2022-0216, does not include the qtest parts of the patches, as the qtest code was not available
> > in v4.2.
> > >
> > > Ignore:
> > > CVE-2020-27661, issue introduced in v5.1.0-rc0
> > > https://security-tracker.debian.org/tracker/CVE-2020-27661
> >
> > While this patch applies and builds without error, it results in quite a few runtime
> > errors during
> > oe-selftest:
> >
> > https://errors.yoctoproject.org/Errors/Details/671970/
> >
> > Not sure which of the CVE fixes cause this :-(
>
> It might be because of:
>
> https://lists.openembedded.org/g/openembedded-core/message/156694
Yes, on further investigation there are no issues with this patch.
The issues were with a couple of missing PACKAGECONFIGS in the qemu
recipe. After adding those all is well again.
Thanks for the hint Anuj!
Steve
> > > Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> > > ---
> > > meta/recipes-devtools/qemu/qemu.inc | 14 ++
> > > .../qemu/qemu/CVE-2020-13754-1.patch | 91 +++++++++++++
> > > .../qemu/qemu/CVE-2020-13754-2.patch | 69 ++++++++++
> > > .../qemu/qemu/CVE-2020-13754-3.patch | 65 +++++++++
> > > .../qemu/qemu/CVE-2020-13754-4.patch | 39 ++++++
> > > .../qemu/qemu/CVE-2021-3713.patch | 67 ++++++++++
> > > .../qemu/qemu/CVE-2021-3748.patch | 124 ++++++++++++++++++
> > > .../qemu/qemu/CVE-2021-3930.patch | 53 ++++++++
> > > .../qemu/qemu/CVE-2021-4206.patch | 89 +++++++++++++
> > > .../qemu/qemu/CVE-2021-4207.patch | 43 ++++++
> > > .../qemu/qemu/CVE-2022-0216-1.patch | 42 ++++++
> > > .../qemu/qemu/CVE-2022-0216-2.patch | 52 ++++++++
> > > 12 files changed, 748 insertions(+)
> > > create mode 100644
> > > meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch
> > > create mode 100644
> > > meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch
> > > create mode 100644
> > > meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch
> > > create mode 100644
> > > meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch
> > > create mode 100644
> > > meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
> > > create mode 100644
> > > meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
> > > create mode 100644
> > > meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch
> > > create mode 100644
> > > meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
> > > create mode 100644
> > > meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch
> > > create mode 100644
> > > meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch
> > > create mode 100644
> > > meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch
> > >
> > > diff --git a/meta/recipes-devtools/qemu/qemu.inc
> > > b/meta/recipes-devtools/qemu/qemu.inc
> > > index a773068499..c1db723e90 100644
> > > --- a/meta/recipes-devtools/qemu/qemu.inc
> > > +++ b/meta/recipes-devtools/qemu/qemu.inc
> > > @@ -100,6 +100,17 @@ SRC_URI = "https://download.qemu.org/${BPN}-
> > ${PV}.tar.xz \
> > > file://CVE-2020-13791.patch \
> > > file://CVE-2022-35414.patch \
> > > file://CVE-2020-27821.patch \
> > > + file://CVE-2020-13754-1.patch \
> > > + file://CVE-2020-13754-2.patch \
> > > + file://CVE-2020-13754-3.patch \
> > > + file://CVE-2020-13754-4.patch \
> > > + file://CVE-2021-3713.patch \
> > > + file://CVE-2021-3748.patch \
> > > + file://CVE-2021-3930.patch \
> > > + file://CVE-2021-4206.patch \
> > > + file://CVE-2021-4207.patch \
> > > + file://CVE-2022-0216-1.patch \
> > > + file://CVE-2022-0216-2.patch \
> > > "
> > > UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
> > >
> > > @@ -117,6 +128,9 @@ CVE_CHECK_WHITELIST += "CVE-2007-0998"
> > > # https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11
> > > CVE_CHECK_WHITELIST += "CVE-2018-18438"
> > >
> > > +# the issue introduced in v5.1.0-rc0
> > > +CVE_CHECK_WHITELIST += "CVE-2020-27661"
> > > +
> > > COMPATIBLE_HOST_mipsarchn32 = "null"
> > > COMPATIBLE_HOST_mipsarchn64 = "null"
> > >
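Review bot: `file://CVE-2021-4206.patch` is queued before `file://CVE-2021-4207.patch`, but the blob ids in the two patch headers (4207 goes `d28849b121..237ed293ba`, 4206 goes `237ed293ba..ca217004bf`) show that upstream landed 4207 first; both touch `qxl_cursor()` in hw/display/qxl-render.c, so in the listed order the 4207 hunk can only apply with a line offset. Swapping the two `file://` lines restores the upstream sequence and keeps the series applying cleanly. The `CVE_CHECK_WHITELIST` comment would also help a later reader if it named the CVE and the reason it does not apply, e.g. `# CVE-2020-27661: the affected code was introduced in v5.1.0-rc0, after the version used here`.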
> > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch
> > > b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch
> > > new file mode 100644
> > > index 0000000000..fdfff9d81d
> > > --- /dev/null
> > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch
> > > @@ -0,0 +1,91 @@
> > > +From 5d971f9e672507210e77d020d89e0e89165c8fc9 Mon Sep 17 00:00:00
> > > +2001
> > > +From: "Michael S. Tsirkin" <mst@redhat.com>
> > > +Date: Wed, 10 Jun 2020 09:47:49 -0400
> > > +Subject: [PATCH] memory: Revert "memory: accept mismatching sizes in
> > > +memory_region_access_valid"
> > > +
> > > +Memory API documentation documents valid .min_access_size and
> > > +.max_access_size fields and explains that any access outside these boundaries is
> > blocked.
> > > +
> > > +This is what devices seem to assume.
> > > +
> > > +However this is not what the implementation does: it simply ignores
> > > +the boundaries unless there's an "accepts" callback.
> > > +
> > > +Naturally, this breaks a bunch of devices.
> > > +
> > > +Revert to the documented behaviour.
> > > +
> > > +Devices that want to allow any access can just drop the valid field,
> > > +or add the impl field to have accesses converted to appropriate
> > > +length.
> > > +
> > > +Cc: qemu-stable@nongnu.org
> > > +Reviewed-by: Richard Henderson <rth@twiddle.net>
> > > +Fixes: CVE-2020-13754
> > > +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363
> > > +Fixes: a014ed07bd5a ("memory: accept mismatching sizes in
> > > +memory_region_access_valid")
> > > +Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> > > +Message-Id: <20200610134731.1514409-1-mst@redhat.com>
> > > +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> > > +
> > > +https://git.qemu.org/?p=qemu.git;a=patch;h=5d971f9e672507210e77d020d8
> > > +9e0e89165c8fc9
> > > +CVE: CVE-2020-13754
> > > +Upstream-Status: Backport
> > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> > > +---
> > > + memory.c | 29 +++++++++--------------------
> > > + 1 file changed, 9 insertions(+), 20 deletions(-)
> > > +
> > > +diff --git a/memory.c b/memory.c
> > > +index 2f15a4b..9200b20 100644
> > > +--- a/memory.c
> > > ++++ b/memory.c
> > > +@@ -1352,35 +1352,24 @@ bool memory_region_access_valid(MemoryRegion
> > *mr,
> > > + bool is_write,
> > > + MemTxAttrs attrs) {
> > > +- int access_size_min, access_size_max;
> > > +- int access_size, i;
> > > +-
> > > +- if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
> > > ++ if (mr->ops->valid.accepts
> > > ++ && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write,
> > > ++ attrs)) {
> > > + return false;
> > > + }
> > > +
> > > +- if (!mr->ops->valid.accepts) {
> > > +- return true;
> > > +- }
> > > +-
> > > +- access_size_min = mr->ops->valid.min_access_size;
> > > +- if (!mr->ops->valid.min_access_size) {
> > > +- access_size_min = 1;
> > > ++ if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
> > > ++ return false;
> > > + }
> > > +
> > > +- access_size_max = mr->ops->valid.max_access_size;
> > > ++ /* Treat zero as compatibility all valid */
> > > + if (!mr->ops->valid.max_access_size) {
> > > +- access_size_max = 4;
> > > ++ return true;
> > > + }
> > > +
> > > +- access_size = MAX(MIN(size, access_size_max), access_size_min);
> > > +- for (i = 0; i < size; i += access_size) {
> > > +- if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size,
> > > +- is_write, attrs)) {
> > > +- return false;
> > > +- }
> > > ++ if (size > mr->ops->valid.max_access_size
> > > ++ || size < mr->ops->valid.min_access_size) {
> > > ++ return false;
> > > + }
> > > +-
> > > + return true;
> > > + }
> > > +
> > > +--
> > > +1.8.3.1
> > > +
> > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch
> > > b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch
> > > new file mode 100644
> > > index 0000000000..7354edc54d
> > > --- /dev/null
> > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch
> > > @@ -0,0 +1,69 @@
> > > +From dba04c3488c4699f5afe96f66e448b1d447cf3fb Mon Sep 17 00:00:00
> > > +2001
> > > +From: Michael Tokarev <mjt@tls.msk.ru>
> > > +Date: Mon, 20 Jul 2020 19:06:27 +0300
> > > +Subject: [PATCH] acpi: accept byte and word access to core ACPI
> > > +registers
> > > +
> > > +All ISA registers should be accessible as bytes, words or dwords (if
> > > +wide enough). Fix the access constraints for acpi-pm-evt,
> > > +acpi-pm-tmr & acpi-cnt registers.
> > > +
> > > +Fixes: 5d971f9e67 (memory: Revert "memory: accept mismatching sizes
> > > +in memory_region_access_valid")
> > > +Fixes: afafe4bbe0 (apci: switch cnt to memory api)
> > > +Fixes: 77d58b1e47 (apci: switch timer to memory api)
> > > +Fixes: b5a7c024d2 (apci: switch evt to memory api)
> > > +Buglink:
> > > +https://lore.kernel.org/xen-devel/20200630170913.123646-1-anthony.per
> > > +ard@citrix.com/T/
> > > +Buglink: https://bugs.debian.org/964793
> > > +BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247
> > > +BugLink: https://bugs.launchpad.net/bugs/1886318
> > > +Reported-By: Simon John <git@the-jedi.co.uk>
> > > +Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
> > > +Message-Id: <20200720160627.15491-1-mjt@msgid.tls.msk.ru>
> > > +Cc: qemu-stable@nongnu.org
> > > +Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
> > > +Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> > > +
> > > +https://git.qemu.org/?p=qemu.git;a=patch;h=dba04c3488c4699f5afe96f66e
> > > +448b1d447cf3fb
> > > +CVE: CVE-2020-13754
> > > +Upstream-Status: Backport
> > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> > > +---
> > > + hw/acpi/core.c | 9 ++++++---
> > > + 1 file changed, 6 insertions(+), 3 deletions(-)
> > > +
> > > +diff --git a/hw/acpi/core.c b/hw/acpi/core.c index f6d9ec4..ac06db3
> > > +100644
> > > +--- a/hw/acpi/core.c
> > > ++++ b/hw/acpi/core.c
> > > +@@ -458,7 +458,8 @@ static void acpi_pm_evt_write(void *opaque,
> > > +hwaddr addr, uint64_t val, static const MemoryRegionOps acpi_pm_evt_ops = {
> > > + .read = acpi_pm_evt_read,
> > > + .write = acpi_pm_evt_write,
> > > +- .valid.min_access_size = 2,
> > > ++ .impl.min_access_size = 2,
> > > ++ .valid.min_access_size = 1,
> > > + .valid.max_access_size = 2,
> > > + .endianness = DEVICE_LITTLE_ENDIAN, }; @@ -527,7 +528,8 @@
> > > +static void acpi_pm_tmr_write(void *opaque, hwaddr addr, uint64_t
> > > +val, static const MemoryRegionOps acpi_pm_tmr_ops = {
> > > + .read = acpi_pm_tmr_read,
> > > + .write = acpi_pm_tmr_write,
> > > +- .valid.min_access_size = 4,
> > > ++ .impl.min_access_size = 4,
> > > ++ .valid.min_access_size = 1,
> > > + .valid.max_access_size = 4,
> > > + .endianness = DEVICE_LITTLE_ENDIAN, }; @@ -599,7 +601,8 @@
> > > +static void acpi_pm_cnt_write(void *opaque, hwaddr addr, uint64_t
> > > +val, static const MemoryRegionOps acpi_pm_cnt_ops = {
> > > + .read = acpi_pm_cnt_read,
> > > + .write = acpi_pm_cnt_write,
> > > +- .valid.min_access_size = 2,
> > > ++ .impl.min_access_size = 2,
> > > ++ .valid.min_access_size = 1,
> > > + .valid.max_access_size = 2,
> > > + .endianness = DEVICE_LITTLE_ENDIAN, };
> > > +--
> > > +1.8.3.1
> > > +
> > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch
> > > b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch
> > > new file mode 100644
> > > index 0000000000..2a8781050f
> > > --- /dev/null
> > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch
> > > @@ -0,0 +1,65 @@
> > > +From 8e67fda2dd6202ccec093fda561107ba14830a17 Mon Sep 17 00:00:00
> > > +2001
> > > +From: Laurent Vivier <lvivier@redhat.com>
> > > +Date: Tue, 21 Jul 2020 10:33:22 +0200
> > > +Subject: [PATCH] xhci: fix valid.max_access_size to access address
> > > +registers
> > > +MIME-Version: 1.0
> > > +Content-Type: text/plain; charset=utf8
> > > +Content-Transfer-Encoding: 8bit
> > > +
> > > +QEMU XHCI advertises AC64 (64-bit addressing) but doesn't allow
> > > +64-bit mode access in "runtime" and "operational" MemoryRegionOps.
> > > +
> > > +Set the max_access_size based on sizeof(dma_addr_t) as AC64 is set.
> > > +
> > > +XHCI specs:
> > > +"If the xHC supports 64-bit addressing (AC64 = â1â), then software
> > > +should write 64-bit registers using only Qword accesses. If a system
> > > +is incapable of issuing Qword accesses, then writes to the 64-bit
> > > +address fields shall be performed using 2 Dword accesses; low
> > > +Dword-first, high-Dword second. If the xHC supports 32-bit
> > > +addressing (AC64 = â0â), then the high Dword of registers containing
> > > +64-bit address fields are unused and software should write addresses
> > > +using only Dword accesses"
> > > +
> > > +The problem has been detected with SLOF, as linux kernel always
> > > +accesses registers using 32-bit access even if AC64 is set and
> > > +revealed by
> > > +5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in
> > > +memory_region_access_valid"")
> > > +
> > > +Suggested-by: Alexey Kardashevskiy <aik@au1.ibm.com>
> > > +Signed-off-by: Laurent Vivier <lvivier@redhat.com>
> > > +Message-id: 20200721083322.90651-1-lvivier@redhat.com
> > > +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> > > +
> > > +https://git.qemu.org/?p=qemu.git;a=patch;h=8e67fda2dd6202ccec093fda56
> > > +1107ba14830a17
> > > +CVE: CVE-2020-13754
> > > +Upstream-Status: Backport
> > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> > > +---
> > > + hw/usb/hcd-xhci.c | 4 ++--
> > > + 1 file changed, 2 insertions(+), 2 deletions(-)
> > > +
> > > +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c index
> > > +b330e36..67a18fe 100644
> > > +--- a/hw/usb/hcd-xhci.c
> > > ++++ b/hw/usb/hcd-xhci.c
> > > +@@ -3184,7 +3184,7 @@ static const MemoryRegionOps xhci_oper_ops = {
> > > + .read = xhci_oper_read,
> > > + .write = xhci_oper_write,
> > > + .valid.min_access_size = 4,
> > > +- .valid.max_access_size = 4,
> > > ++ .valid.max_access_size = sizeof(dma_addr_t),
> > > + .endianness = DEVICE_LITTLE_ENDIAN, };
> > > +
> > > +@@ -3200,7 +3200,7 @@ static const MemoryRegionOps xhci_runtime_ops = {
> > > + .read = xhci_runtime_read,
> > > + .write = xhci_runtime_write,
> > > + .valid.min_access_size = 4,
> > > +- .valid.max_access_size = 4,
> > > ++ .valid.max_access_size = sizeof(dma_addr_t),
> > > + .endianness = DEVICE_LITTLE_ENDIAN, };
> > > +
> > > +--
> > > +1.8.3.1
> > > +
> > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch
> > > b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch
> > > new file mode 100644
> > > index 0000000000..6bad07d03f
> > > --- /dev/null
> > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch
> > > @@ -0,0 +1,39 @@
> > > +From 70b78d4e71494c90d2ccb40381336bc9b9a22f79 Mon Sep 17 00:00:00
> > > +2001
> > > +From: Alistair Francis <alistair.francis@wdc.com>
> > > +Date: Tue, 30 Jun 2020 13:12:11 -0700
> > > +Subject: [PATCH] hw/riscv: Allow 64 bit access to SiFive CLINT
> > > +
> > > +Commit 5d971f9e672507210e77d020d89e0e89165c8fc9
> > > +"memory: Revert "memory: accept mismatching sizes in
> > > +memory_region_access_valid"" broke most RISC-V boards as they do 64
> > > +bit accesses to the CLINT and QEMU would trigger a fault. Fix this
> > > +failure by allowing 8 byte accesses.
> > > +
> > > +Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
> > > +Reviewed-by: LIU Zhiwei<zhiwei_liu@c-sky.com>
> > > +Message-Id:
> > > +<122b78825b077e4dfd39b444d3a46fe894a7804c.1593547870.git.alistair.fra
> > > +ncis@wdc.com>
> > > +
> > > +https://git.qemu.org/?p=qemu.git;a=patch;h=70b78d4e71494c90d2ccb40381
> > > +336bc9b9a22f79
> > > +CVE: CVE-2020-13754
> > > +Upstream-Status: Backport
> > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> > > +---
> > > + hw/riscv/sifive_clint.c | 2 +-
> > > + 1 file changed, 1 insertion(+), 1 deletion(-)
> > > +
> > > +diff --git a/hw/riscv/sifive_clint.c b/hw/riscv/sifive_clint.c index
> > > +b11ffa0..669c21a 100644
> > > +--- a/hw/riscv/sifive_clint.c
> > > ++++ b/hw/riscv/sifive_clint.c
> > > +@@ -181,7 +181,7 @@ static const MemoryRegionOps sifive_clint_ops = {
> > > + .endianness = DEVICE_LITTLE_ENDIAN,
> > > + .valid = {
> > > + .min_access_size = 4,
> > > +- .max_access_size = 4
> > > ++ .max_access_size = 8
> > > + }
> > > + };
> > > +
> > > +--
> > > +1.8.3.1
> > > +
> > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
> > > b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
> > > new file mode 100644
> > > index 0000000000..cdd9c38db9
> > > --- /dev/null
> > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
> > > @@ -0,0 +1,67 @@
> > > +From a114d6baedf2cccb454a46d36e399fec1bc3e1c0 Mon Sep 17 00:00:00
> > > +2001
> > > +From: Gerd Hoffmann <kraxel@redhat.com>
> > > +Date: Wed, 18 Aug 2021 14:05:05 +0200
> > > +Subject: [PATCH] uas: add stream number sanity checks.
> > > +MIME-Version: 1.0
> > > +Content-Type: text/plain; charset=UTF-8
> > > +Content-Transfer-Encoding: 8bit
> > > +
> > > +MIME-Version: 1.0
> > > +Content-Type: text/plain; charset=UTF-8
> > > +Content-Transfer-Encoding: 8bit
> > > +
> > > +The device uses the guest-supplied stream number unchecked, which can
> > > +lead to guest-triggered out-of-band access to the UASDevice->data3
> > > +and
> > > +UASDevice->status3 fields. Add the missing checks.
> > > +
> > > +Fixes: CVE-2021-3713
> > > +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> > > +Reported-by: Chen Zhe <chenzhe@huawei.com>
> > > +Reported-by: Tan Jingguo <tanjingguo@huawei.com>
> > > +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> > > +Message-Id: <20210818120505.1258262-2-kraxel@redhat.com>
> > > +
> > > +https://gitlab.com/qemu-project/qemu/-/commit/13b250b12ad3c59114a6a17
> > > +d59caf073ce45b33a
> > > +CVE: CVE-2021-3713
> > > +Upstream-Status: Backport
> > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> > > +---
> > > + hw/usb/dev-uas.c | 11 +++++++++++
> > > + 1 file changed, 11 insertions(+)
> > > +
> > > +diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c index
> > > +6d6d1073..0b8cd4dd 100644
> > > +--- a/hw/usb/dev-uas.c
> > > ++++ b/hw/usb/dev-uas.c
> > > +@@ -830,6 +830,9 @@ static void usb_uas_handle_data(USBDevice *dev,
> > USBPacket *p)
> > > + }
> > > + break;
> > > + case UAS_PIPE_ID_STATUS:
> > > ++ if (p->stream > UAS_MAX_STREAMS) {
> > > ++ goto err_stream;
> > > ++ }
> > > + if (p->stream) {
> > > + QTAILQ_FOREACH(st, &uas->results, next) {
> > > + if (st->stream == p->stream) { @@ -857,6 +860,9 @@
> > > +static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
> > > + break;
> > > + case UAS_PIPE_ID_DATA_IN:
> > > + case UAS_PIPE_ID_DATA_OUT:
> > > ++ if (p->stream > UAS_MAX_STREAMS) {
> > > ++ goto err_stream;
> > > ++ }
> > > + if (p->stream) {
> > > + req = usb_uas_find_request(uas, p->stream);
> > > + } else {
> > > +@@ -892,6 +898,11 @@ static void usb_uas_handle_data(USBDevice *dev,
> > USBPacket *p)
> > > + p->status = USB_RET_STALL;
> > > + break;
> > > + }
> > > ++
> > > ++err_stream:
> > > ++ error_report("%s: invalid stream %d", __func__, p->stream);
> > > ++ p->status = USB_RET_STALL;
> > > ++ return;
> > > + }
> > > +
> > > + static void usb_uas_unrealize(USBDevice *dev, Error **errp)
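Review bot: Control falls from the closing brace of the switch straight into `err_stream:`, so every packet that completes the switch normally — including the successful STATUS, DATA_IN and DATA_OUT cases — is then reported as an invalid stream and stalled; the third hunk shows `break; }` immediately followed by the label with no `return;` between them. A `return;` is needed ahead of the label, i.e. `}` / `return;` / `err_stream:`. The two new range checks use `>`, which lets `p->stream == UAS_MAX_STREAMS` through; that is only in bounds if the `data3` and `status3` arrays named in the commit message have `UAS_MAX_STREAMS + 1` entries, which this hunk does not show and should be confirmed against the struct definition. usb_uas_handle_data begins outside the hunks shown.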
> > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
> > > b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
> > > new file mode 100644
> > > index 0000000000..b291ade4e3
> > > --- /dev/null
> > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
> > > @@ -0,0 +1,124 @@
> > > +From bedd7e93d01961fcb16a97ae45d93acf357e11f6 Mon Sep 17 00:00:00
> > > +2001
> > > +From: Jason Wang <jasowang@redhat.com>
> > > +Date: Thu, 2 Sep 2021 13:44:12 +0800
> > > +Subject: [PATCH] virtio-net: fix use after unmap/free for sg
> > > +
> > > +When mergeable buffer is enabled, we try to set the num_buffers after
> > > +the virtqueue elem has been unmapped. This will lead several issues,
> > > +E.g a use after free when the descriptor has an address which belongs
> > > +to the non direct access region. In this case we use bounce buffer
> > > +that is allocated during address_space_map() and freed during
> > > +address_space_unmap().
> > > +
> > > +Fixing this by storing the elems temporarily in an array and delay
> > > +the unmap after we set the the num_buffers.
> > > +
> > > +This addresses CVE-2021-3748.
> > > +
> > > +Reported-by: Alexander Bulekov <alxndr@bu.edu>
> > > +Fixes: fbe78f4f55c6 ("virtio-net support")
> > > +Cc: qemu-stable@nongnu.org
> > > +Signed-off-by: Jason Wang <jasowang@redhat.com>
> > > +
> > > +https://github.com/qemu/qemu/commit/bedd7e93d01961fcb16a97ae45d93acf3
> > > +57e11f6
> > > +CVE: CVE-2021-3748
> > > +Upstream-Status: Backport
> > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> > > +---
> > > + hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++-------
> > > + 1 file changed, 32 insertions(+), 7 deletions(-)
> > > +
> > > +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c index
> > > +16d20cdee52a..f205331dcf8c 100644
> > > +--- a/hw/net/virtio-net.c
> > > ++++ b/hw/net/virtio-net.c
> > > +@@ -1746,10 +1746,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState
> > *nc, const uint8_t *buf,
> > > + VirtIONet *n = qemu_get_nic_opaque(nc);
> > > + VirtIONetQueue *q = virtio_net_get_subqueue(nc);
> > > + VirtIODevice *vdev = VIRTIO_DEVICE(n);
> > > ++ VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE];
> > > ++ size_t lens[VIRTQUEUE_MAX_SIZE];
> > > + struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE];
> > > + struct virtio_net_hdr_mrg_rxbuf mhdr;
> > > + unsigned mhdr_cnt = 0;
> > > +- size_t offset, i, guest_offset;
> > > ++ size_t offset, i, guest_offset, j;
> > > ++ ssize_t err;
> > > +
> > > + if (!virtio_net_can_receive(nc)) {
> > > + return -1;
> > > +@@ -1780,6 +1783,12 @@ static ssize_t
> > > +virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
> > > +
> > > + total = 0;
> > > +
> > > ++ if (i == VIRTQUEUE_MAX_SIZE) {
> > > ++ virtio_error(vdev, "virtio-net unexpected long buffer chain");
> > > ++ err = size;
> > > ++ goto err;
> > > ++ }
> > > ++
> > > + elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement));
> > > + if (!elem) {
> > > + if (i) {
> > > +@@ -1791,7 +1800,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc,
> > const uint8_t *buf,
> > > + n->guest_hdr_len, n->host_hdr_len,
> > > + vdev->guest_features);
> > > + }
> > > +- return -1;
> > > ++ err = -1;
> > > ++ goto err;
> > > + }
> > > +
> > > + if (elem->in_num < 1) {
> > > +@@ -1799,7 +1809,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc,
> > const uint8_t *buf,
> > > + "virtio-net receive queue contains no in buffers");
> > > + virtqueue_detach_element(q->rx_vq, elem, 0);
> > > + g_free(elem);
> > > +- return -1;
> > > ++ err = -1;
> > > ++ goto err;
> > > + }
> > > +
> > > + sg = elem->in_sg;
> > > +@@ -1836,12 +1847,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState
> > *nc, const uint8_t *buf,
> > > + if (!n->mergeable_rx_bufs && offset < size) {
> > > + virtqueue_unpop(q->rx_vq, elem, total);
> > > + g_free(elem);
> > > +- return size;
> > > ++ err = size;
> > > ++ goto err;
> > > + }
> > > +
> > > +- /* signal other side */
> > > +- virtqueue_fill(q->rx_vq, elem, total, i++);
> > > +- g_free(elem);
> > > ++ elems[i] = elem;
> > > ++ lens[i] = total;
> > > ++ i++;
> > > + }
> > > +
> > > + if (mhdr_cnt) {
> > > +@@ -1851,10 +1863,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState
> > *nc, const uint8_t *buf,
> > > + &mhdr.num_buffers, sizeof mhdr.num_buffers);
> > > + }
> > > +
> > > ++ for (j = 0; j < i; j++) {
> > > ++ /* signal other side */
> > > ++ virtqueue_fill(q->rx_vq, elems[j], lens[j], j);
> > > ++ g_free(elems[j]);
> > > ++ }
> > > ++
> > > + virtqueue_flush(q->rx_vq, i);
> > > + virtio_notify(vdev, q->rx_vq);
> > > +
> > > + return size;
> > > ++
> > > ++err:
> > > ++ for (j = 0; j < i; j++) {
> > > ++ g_free(elems[j]);
> > > ++ }
> > > ++
> > > ++ return err;
> > > + }
> > > +
> > > + static ssize_t virtio_net_do_receive(NetClientState *nc, const
> > > + uint8_t *buf,
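Review bot: On the new `err:` label the elements saved in `elems[0..i)` are only `g_free`'d, whereas the element rejected in the `in_num < 1` branch is passed through `virtqueue_detach_element` before its `g_free`, so the earlier elements are neither filled, detached nor unpopped and their descriptors are never handed back to the guest. From the visible hunks every path that reaches `err` with `i > 0` appears to have already gone through `virtio_error`, which presumably leaves the queue unusable anyway, but that reasoning is not recorded in the code. A comment on the cleanup loop such as `/* device is already marked broken on every path that gets here with i > 0; popped elements are not returned to the queue */` would make the intent explicit, or the loop could detach each element before freeing it if the in-use accounting still matters. virtio_net_receive_rcu begins and ends outside the hunks shown.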
> > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch
> > > b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch
> > > new file mode 100644
> > > index 0000000000..b1b5558647
> > > --- /dev/null
> > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch
> > > @@ -0,0 +1,53 @@
> > > +From b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 Mon Sep 17 00:00:00
> > > +2001
> > > +From: Mauro Matteo Cascella <mcascell@redhat.com>
> > > +Date: Thu, 4 Nov 2021 17:31:38 +0100
> > > +Subject: [PATCH] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in
> > > +MODE SELECT commands
> > > +
> > > +This avoids an off-by-one read of 'mode_sense_valid' buffer in
> > > +hw/scsi/scsi-disk.c:mode_sense_page().
> > > +
> > > +Fixes: CVE-2021-3930
> > > +Cc: qemu-stable@nongnu.org
> > > +Reported-by: Alexander Bulekov <alxndr@bu.edu>
> > > +Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table")
> > > +Fixes: #546
> > > +Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
> > > +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
> > > +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> > > +
> > > +https://gitlab.com/qemu-project/qemu/-/commit/b3af7fdf9cc537f8f0dd3e2
> > > +423d83f5c99a457e8
> > > +CVE: CVE-2021-3930
> > > +Upstream-Status: Backport
> > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> > > +---
> > > + hw/scsi/scsi-disk.c | 6 ++++++
> > > + 1 file changed, 6 insertions(+)
> > > +
> > > +diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c index
> > > +e8a547dbb7..d4914178ea 100644
> > > +--- a/hw/scsi/scsi-disk.c
> > > ++++ b/hw/scsi/scsi-disk.c
> > > +@@ -1087,6 +1087,7 @@ static int mode_sense_page(SCSIDiskState *s, int page,
> > uint8_t **p_outbuf,
> > > + uint8_t *p = *p_outbuf + 2;
> > > + int length;
> > > +
> > > ++ assert(page < ARRAY_SIZE(mode_sense_valid));
> > > + if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
> > > + return -1;
> > > + }
> > > +@@ -1428,6 +1429,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState
> > *s, int page,
> > > + return -1;
> > > + }
> > > +
> > > ++ /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */
> > > ++ if (page == MODE_PAGE_ALLS) {
> > > ++ return -1;
> > > ++ }
> > > ++
> > > + p = mode_current;
> > > + memset(mode_current, 0, inlen + 2);
> > > + len = mode_sense_page(s, page, &p, 0);
> > > +--
> > > +GitLab
> > > +
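Review bot: The `assert(page < ARRAY_SIZE(mode_sense_valid))` added to mode_sense_page turns an out-of-range page into a guest-reachable abort, while the explicit `return -1` for `MODE_PAGE_ALLS` is only added in scsi_disk_check_mode_select; any other caller of mode_sense_page that can reach it with a page at or beyond the table end would still hit the assert, which trades the off-by-one read for a denial of service. Unless every other caller is known to pre-filter the page number (not visible here), a check that fails the request, `if (page >= ARRAY_SIZE(mode_sense_valid)) { return -1; }`, is the safer shape. Since `page` is an `int` compared against a `size_t`, a negative value converts to a large unsigned and is rejected by either form. Both enclosing functions begin and end outside the hunks shown.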
> > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
> > > b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
> > > new file mode 100644
> > > index 0000000000..80ad49e4ed
> > > --- /dev/null
> > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
> > > @@ -0,0 +1,89 @@
> > > +From fa892e9abb728e76afcf27323ab29c57fb0fe7aa Mon Sep 17 00:00:00
> > > +2001
> > > +From: Mauro Matteo Cascella <mcascell@redhat.com>
> > > +Date: Thu, 7 Apr 2022 10:17:12 +0200
> > > +Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc
> > > + (CVE-2021-4206)
> > > +MIME-Version: 1.0
> > > +Content-Type: text/plain; charset=UTF-8
> > > +Content-Transfer-Encoding: 8bit
> > > +
> > > +Prevent potential integer overflow by limiting 'width' and 'height'
> > > +to 512x512. Also change 'datasize' type to size_t. Refer to security
> > > +advisory https://starlabs.sg/advisories/22-4206/ for more information.
> > > +
> > > +Fixes: CVE-2021-4206
> > > +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
> > > +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> > > +Message-Id: <20220407081712.345609-1-mcascell@redhat.com>
> > > +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> > > +
> > > +https://gitlab.com/qemu-project/qemu/-/commit/fa892e9a
> > > +CVE: CVE-2021-4206
> > > +Upstream-Status: Backport
> > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> > > +---
> > > + hw/display/qxl-render.c | 7 +++++++
> > > + hw/display/vmware_vga.c | 2 ++
> > > + ui/cursor.c | 8 +++++++-
> > > + 3 files changed, 16 insertions(+), 1 deletion(-)
> > > +
> > > +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c index
> > > +237ed293ba..ca217004bf 100644
> > > +--- a/hw/display/qxl-render.c
> > > ++++ b/hw/display/qxl-render.c
> > > +@@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl,
> > QXLCursor *cursor,
> > > + size_t size;
> > > +
> > > + c = cursor_alloc(cursor->header.width, cursor->header.height);
> > > ++
> > > ++ if (!c) {
> > > ++ qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__,
> > > ++ cursor->header.width, cursor->header.height);
> > > ++ goto fail;
> > > ++ }
> > > ++
> > > + c->hot_x = cursor->header.hot_spot_x;
> > > + c->hot_y = cursor->header.hot_spot_y;
> > > + switch (cursor->header.type) {
> > > +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c index
> > > +98c83474ad..45d06cbe25 100644
> > > +--- a/hw/display/vmware_vga.c
> > > ++++ b/hw/display/vmware_vga.c
> > > +@@ -515,6 +515,8 @@ static inline void vmsvga_cursor_define(struct
> > vmsvga_state_s *s,
> > > + int i, pixels;
> > > +
> > > + qc = cursor_alloc(c->width, c->height);
> > > ++ assert(qc != NULL);
> > > ++
> > > + qc->hot_x = c->hot_x;
> > > + qc->hot_y = c->hot_y;
> > > + switch (c->bpp) {
> > > +diff --git a/ui/cursor.c b/ui/cursor.c index 1d62ddd4d0..835f0802f9
> > > +100644
> > > +--- a/ui/cursor.c
> > > ++++ b/ui/cursor.c
> > > +@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char
> > > +*xpm[])
> > > +
> > > + /* parse pixel data */
> > > + c = cursor_alloc(width, height);
> > > ++ assert(c != NULL);
> > > ++
> > > + for (pixel = 0, y = 0; y < height; y++, line++) {
> > > + for (x = 0; x < height; x++, pixel++) {
> > > + idx = xpm[line][x];
> > > +@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void)
> > > +QEMUCursor *cursor_alloc(int width, int height) {
> > > + QEMUCursor *c;
> > > +- int datasize = width * height * sizeof(uint32_t);
> > > ++ size_t datasize = width * height * sizeof(uint32_t);
> > > ++
> > > ++ if (width > 512 || height > 512) {
> > > ++ return NULL;
> > > ++ }
> > > +
> > > + c = g_malloc0(sizeof(QEMUCursor) + datasize);
> > > + c->width = width;
> > > +--
> > > +GitLab
> > > +
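Review bot: In cursor_alloc `datasize` is still computed from `width * height` before the new `width > 512 || height > 512` guard runs, and both operands are `int`, so an oversized pair overflows in signed arithmetic before it is rejected; the guard also does not reject negative values, which `width > 512` lets through and which then convert to a huge `size_t` for g_malloc0. The check should come first and cover the low side, `if (width < 0 || width > 512 || height < 0 || height > 512) { return NULL; }`, followed by `size_t datasize = (size_t)width * height * sizeof(uint32_t);`. The `assert(qc != NULL)` added in vmsvga_cursor_define converts a rejected size into an abort, and `c->width`/`c->height` there presumably come from the guest-visible cursor definition, so unless an earlier bound is enforced (not visible in the hunk) this is a guest-triggerable abort where the qxl-style `goto fail` would be preferable. The enclosing functions begin and end outside the hunks shown.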
> > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch
> > > b/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch
> > > new file mode 100644
> > > index 0000000000..8418246247
> > > --- /dev/null
> > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch
> > > @@ -0,0 +1,43 @@
> > > +From 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895 Mon Sep 17 00:00:00
> > > +2001
> > > +From: Mauro Matteo Cascella <mcascell@redhat.com>
> > > +Date: Thu, 7 Apr 2022 10:11:06 +0200
> > > +Subject: [PATCH] display/qxl-render: fix race condition in qxl_cursor
> > > + (CVE-2021-4207)
> > > +MIME-Version: 1.0
> > > +Content-Type: text/plain; charset=UTF-8
> > > +Content-Transfer-Encoding: 8bit
> > > +
> > > +Avoid fetching 'width' and 'height' a second time to prevent possible
> > > +race condition. Refer to security advisory
> > > +https://starlabs.sg/advisories/22-4207/ for more information.
> > > +
> > > +Fixes: CVE-2021-4207
> > > +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
> > > +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> > > +Message-Id: <20220407081106.343235-1-mcascell@redhat.com>
> > > +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> > > +
> > > +https://gitlab.com/qemu-project/qemu/-/commit/9569f5cb
> > > +CVE: CVE-2021-4207
> > > +Upstream-Status: Backport
> > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> > > +---
> > > + hw/display/qxl-render.c | 2 +-
> > > + 1 file changed, 1 insertion(+), 1 deletion(-)
> > > +
> > > +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c index
> > > +d28849b121..237ed293ba 100644
> > > +--- a/hw/display/qxl-render.c
> > > ++++ b/hw/display/qxl-render.c
> > > +@@ -266,7 +266,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl,
> > QXLCursor *cursor,
> > > + }
> > > + break;
> > > + case SPICE_CURSOR_TYPE_ALPHA:
> > > +- size = sizeof(uint32_t) * cursor->header.width * cursor->header.height;
> > > ++ size = sizeof(uint32_t) * c->width * c->height;
> > > + qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id);
> > > + if (qxl->debug > 2) {
> > > + cursor_print_ascii_art(c, "qxl/alpha");
> > > +--
> > > +GitLab
> > > +
> > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch
> > > b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch
> > > new file mode 100644
> > > index 0000000000..6a7ce0e26c
> > > --- /dev/null
> > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch
> > > @@ -0,0 +1,42 @@
> > > +From 6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8 Mon Sep 17 00:00:00
> > > +2001
> > > +From: Mauro Matteo Cascella <mcascell@redhat.com>
> > > +Date: Tue, 5 Jul 2022 22:05:43 +0200
> > > +Subject: [PATCH] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout
> > > + (CVE-2022-0216)
> > > +
> > > +Set current_req->req to NULL to prevent reusing a free'd buffer in
> > > +case of repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the
> > patch.
> > > +
> > > +Fixes: CVE-2022-0216
> > > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
> > > +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
> > > +Reviewed-by: Thomas Huth <thuth@redhat.com>
> > > +Message-Id: <20220705200543.2366809-1-mcascell@redhat.com>
> > > +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> > > +
> > > +https://gitlab.com/qemu-project/qemu/-/commit/6c8fa961da5e60f574bb52f
> > > +d3ad44b1e9e8ad4b8
> > > +CVE: CVE-2022-0216
> > > +Upstream-Status: Backport
> > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> > > +---
> > > + hw/scsi/lsi53c895a.c | 3 ++-
> > > + 1 file changed, 2 insertions(+), 1 deletion(-)
> > > +
> > > +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c index
> > > +c8773f73f7..99ea42d49b 100644
> > > +--- a/hw/scsi/lsi53c895a.c
> > > ++++ b/hw/scsi/lsi53c895a.c
> > > +@@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s)
> > > + case 0x0d:
> > > + /* The ABORT TAG message clears the current I/O process only. */
> > > + trace_lsi_do_msgout_abort(current_tag);
> > > +- if (current_req) {
> > > ++ if (current_req && current_req->req) {
> > > + scsi_req_cancel(current_req->req);
> > > ++ current_req->req = NULL;
> > > + }
> > > + lsi_disconnect(s);
> > > + break;
> > > +--
> > > +GitLab
> > > +
> > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch
> > > b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch
> > > new file mode 100644
> > > index 0000000000..137906cd30
> > > --- /dev/null
> > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch
> > > @@ -0,0 +1,52 @@
> > > +From 4367a20cc442c56b05611b4224de9a61908f9eac Mon Sep 17 00:00:00
> > > +2001
> > > +From: Mauro Matteo Cascella <mcascell@redhat.com>
> > > +Date: Mon, 11 Jul 2022 14:33:16 +0200
> > > +Subject: [PATCH] scsi/lsi53c895a: really fix use-after-free in
> > > +lsi_do_msgout
> > > + (CVE-2022-0216)
> > > +
> > > +Set current_req to NULL, not current_req->req, to prevent reusing a
> > > +free'd buffer in case of repeated SCSI cancel requests. Also apply
> > > +the fix to CLEAR QUEUE and BUS DEVICE RESET messages as well, since
> > > +they also cancel the request.
> > > +
> > > +Thanks to Alexander Bulekov for providing a reproducer.
> > > +
> > > +Fixes: CVE-2022-0216
> > > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
> > > +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
> > > +Tested-by: Alexander Bulekov <alxndr@bu.edu>
> > > +Message-Id: <20220711123316.421279-1-mcascell@redhat.com>
> > > +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> > > +
> > > +https://gitlab.com/qemu-project/qemu/-/commit/4367a20cc4
> > > +CVE: CVE-2022-0216
> > > +Upstream-Status: Backport
> > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> > > +---
> > > + hw/scsi/lsi53c895a.c | 3 +-
> > > + 1 files changed, 2 insertions(+), 1 deletion(-)
> > > +
> > > +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c index
> > > +99ea42d49b..ad5f5e5f39 100644
> > > +--- a/hw/scsi/lsi53c895a.c
> > > ++++ b/hw/scsi/lsi53c895a.c
> > > +@@ -1030,7 +1030,7 @@ static void lsi_do_msgout(LSIState *s)
> > > + trace_lsi_do_msgout_abort(current_tag);
> > > + if (current_req && current_req->req) {
> > > + scsi_req_cancel(current_req->req);
> > > +- current_req->req = NULL;
> > > ++ current_req = NULL;
> > > + }
> > > + lsi_disconnect(s);
> > > + break;
> > > +@@ -1056,6 +1056,7 @@ static void lsi_do_msgout(LSIState *s)
> > > + /* clear the current I/O process */
> > > + if (s->current) {
> > > + scsi_req_cancel(s->current->req);
> > > ++ current_req = NULL;
> > > + }
> > > +
> > > + /* As the current implemented devices scsi_disk and
> > > +scsi_generic
> > > +--
> > > +GitLab
> > > +
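Review bot: In the CLEAR QUEUE / BUS DEVICE RESET branch the new line clears the local `current_req` but leaves `s->current` untouched after `scsi_req_cancel(s->current->req)`, so the guard `if (s->current)` presumably relies on the request's cancel callback to reset `s->current` before a repeated message arrives; that callback is not in the hunk and is worth confirming. A short comment at that line, e.g. `/* s->current is released by the request's cancel callback; drop the local alias so it is not reused */`, would record the dependency. lsi_do_msgout's body continues outside both hunks.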
> > > --
> > > 2.36.1
> > >
> > >
> > >
> > >