* [PATCH 1/4] qemu: fix CVE-2021-4145
@ 2022-05-31 22:08 Sakib Sajal
  2022-05-31 22:08 ` [PATCH 2/4] qemu: fix CVE-2021-3750 Sakib Sajal
                   ` (3 more replies)
  0 siblings, 4 replies; 6+ messages in thread
From: Sakib Sajal @ 2022-05-31 22:08 UTC (permalink / raw)
  To: openembedded-core

Fix for CVE-2021-4145, commit 66fed30c9c, fixes another commit:
   d44dae1a7c ("block/mirror: fix active mirror dead-lock in mirror_wait_on_conflicts")
Hence, backport both the patches to resolve the CVE.

Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |  2 +
 .../qemu/qemu/CVE-2021-4145_1.patch           | 67 +++++++++++++++
 .../qemu/qemu/CVE-2021-4145_2.patch           | 85 +++++++++++++++++++
 3 files changed, 154 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4145_1.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4145_2.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 568ef1be94..aa372810ce 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -75,6 +75,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://CVE-2021-3930.patch \
            file://CVE-2021-20196_1.patch \
            file://CVE-2021-20196_2.patch \
+           file://CVE-2021-4145_1.patch \
+           file://CVE-2021-4145_2.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_1.patch
new file mode 100644
index 0000000000..02eae727d5
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_1.patch
@@ -0,0 +1,67 @@
+From 59fe260a352156261ad0d89be446e5dd0ac96de3 Mon Sep 17 00:00:00 2001
+From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Date: Sat, 3 Jul 2021 00:16:36 +0300
+Subject: [PATCH 1/2] block/mirror: fix active mirror dead-lock in
+ mirror_wait_on_conflicts
+
+It's possible that requests start to wait each other in
+mirror_wait_on_conflicts(). To avoid it let's use same technique as in
+block/io.c in bdrv_wait_serialising_requests_locked() /
+bdrv_find_conflicting_request(): don't wait on intersecting request if
+it is already waiting for some other request.
+
+For details of the dead-lock look at testIntersectingActiveIO()
+test-case which we actually fixing now.
+
+Fixes: d06107ade0ce74dc39739bac80de84b51ec18546
+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Message-Id: <20210702211636.228981-4-vsementsov@virtuozzo.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+
+CVE: CVE-2021-4145
+Upstream-Status: Backport [d44dae1a7cf782ec9235746ebb0e6c1a20dd7288]
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ block/mirror.c         | 12 ++++++++++++
+ tests/qemu-iotests/151 |  0
+ 2 files changed, 12 insertions(+)
+ mode change 100755 => 100644 tests/qemu-iotests/151
+
+diff --git a/block/mirror.c b/block/mirror.c
+index 8e1ad6ece..fab008568 100644
+--- a/block/mirror.c
++++ b/block/mirror.c
+@@ -106,6 +106,7 @@ struct MirrorOp {
+     bool is_in_flight;
+     CoQueue waiting_requests;
+     Coroutine *co;
++    MirrorOp *waiting_for_op;
+ 
+     QTAILQ_ENTRY(MirrorOp) next;
+ };
+@@ -158,7 +159,18 @@ static void coroutine_fn mirror_wait_on_conflicts(MirrorOp *self,
+             if (ranges_overlap(self_start_chunk, self_nb_chunks,
+                                op_start_chunk, op_nb_chunks))
+             {
++                /*
++                 * If the operation is already (indirectly) waiting for us, or
++                 * will wait for us as soon as it wakes up, then just go on
++                 * (instead of producing a deadlock in the former case).
++                 */
++                if (op->waiting_for_op) {
++                    continue;
++                }
++
++                self->waiting_for_op = op;
+                 qemu_co_queue_wait(&op->waiting_requests, NULL);
++                self->waiting_for_op = NULL;
+                 break;
+             }
+         }
+diff --git a/tests/qemu-iotests/151 b/tests/qemu-iotests/151
+old mode 100755
+new mode 100644
+-- 
+2.33.0
+
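Review bot: the `mode change 100755 => 100644 tests/qemu-iotests/151` hunk (with the matching `old mode 100755` / `new mode 100644` lines) looks like a leftover from trimming the test changes out of the upstream commit: the backport drops the testIntersectingActiveIO() case that the message points to ("For details of the dead-lock look at testIntersectingActiveIO()"), yet still strips the executable bit from the iotest script, which stops 151 from running as a test. Drop the mode change or carry the test case along. It is also worth one line in the backport note that, on its own, this patch dereferences `self` unconditionally in `self->waiting_for_op = op;`, which is exactly why CVE-2021-4145_2.patch has to land in the same recipe commit.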
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_2.patch
new file mode 100644
index 0000000000..891664375c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_2.patch
@@ -0,0 +1,85 @@
+From 09036c63a4a498d65de0d035211b01f0482e3533 Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Fri, 10 Sep 2021 14:45:33 +0200
+Subject: [PATCH 2/2] block/mirror: fix NULL pointer dereference in
+ mirror_wait_on_conflicts()
+
+In mirror_iteration() we call mirror_wait_on_conflicts() with
+`self` parameter set to NULL.
+
+Starting from commit d44dae1a7c we dereference `self` pointer in
+mirror_wait_on_conflicts() without checks if it is not NULL.
+
+Backtrace:
+  Program terminated with signal SIGSEGV, Segmentation fault.
+  #0  mirror_wait_on_conflicts (self=0x0, s=<optimized out>, offset=<optimized out>, bytes=<optimized out>)
+      at ../block/mirror.c:172
+  172	                self->waiting_for_op = op;
+  [Current thread is 1 (Thread 0x7f0908931ec0 (LWP 380249))]
+  (gdb) bt
+  #0  mirror_wait_on_conflicts (self=0x0, s=<optimized out>, offset=<optimized out>, bytes=<optimized out>)
+      at ../block/mirror.c:172
+  #1  0x00005610c5d9d631 in mirror_run (job=0x5610c76a2c00, errp=<optimized out>) at ../block/mirror.c:491
+  #2  0x00005610c5d58726 in job_co_entry (opaque=0x5610c76a2c00) at ../job.c:917
+  #3  0x00005610c5f046c6 in coroutine_trampoline (i0=<optimized out>, i1=<optimized out>)
+      at ../util/coroutine-ucontext.c:173
+  #4  0x00007f0909975820 in ?? () at ../sysdeps/unix/sysv/linux/x86_64/__start_context.S:91
+      from /usr/lib64/libc.so.6
+
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2001404
+Fixes: d44dae1a7c ("block/mirror: fix active mirror dead-lock in mirror_wait_on_conflicts")
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Message-Id: <20210910124533.288318-1-sgarzare@redhat.com>
+Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Signed-off-by: Hanna Reitz <hreitz@redhat.com>
+
+CVE: CVE-2021-4145
+Upstream-Status: Backport [66fed30c9cd11854fc878a4eceb507e915d7c9cd]
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ block/mirror.c | 25 ++++++++++++++++---------
+ 1 file changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/block/mirror.c b/block/mirror.c
+index fab008568..ca0be146f 100644
+--- a/block/mirror.c
++++ b/block/mirror.c
+@@ -159,18 +159,25 @@ static void coroutine_fn mirror_wait_on_conflicts(MirrorOp *self,
+             if (ranges_overlap(self_start_chunk, self_nb_chunks,
+                                op_start_chunk, op_nb_chunks))
+             {
+-                /*
+-                 * If the operation is already (indirectly) waiting for us, or
+-                 * will wait for us as soon as it wakes up, then just go on
+-                 * (instead of producing a deadlock in the former case).
+-                 */
+-                if (op->waiting_for_op) {
+-                    continue;
++                if (self) {
++                    /*
++                     * If the operation is already (indirectly) waiting for us,
++                     * or will wait for us as soon as it wakes up, then just go
++                     * on (instead of producing a deadlock in the former case).
++                     */
++                    if (op->waiting_for_op) {
++                        continue;
++                    }
++
++                    self->waiting_for_op = op;
+                 }
+ 
+-                self->waiting_for_op = op;
+                 qemu_co_queue_wait(&op->waiting_requests, NULL);
+-                self->waiting_for_op = NULL;
++
++                if (self) {
++                    self->waiting_for_op = NULL;
++                }
++
+                 break;
+             }
+         }
+-- 
+2.33.0
+
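Review bot: the two `if (self)` guards around the single `qemu_co_queue_wait(&op->waiting_requests, NULL);` stop the NULL dereference, but a NULL `self` also means no `waiting_for_op` is recorded for that waiter, so the deadlock-avoidance `continue` can never fire on its behalf. A short comment at the first `if (self)` saying that `mirror_run()` / `mirror_iteration()` call in with `self == NULL` (the `mirror_run (...) at ../block/mirror.c:491` frame in the backtrace) and why that caller is safe to leave out of the wait-cycle tracking would help whoever maintains the hardknott branch.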
-- 
2.33.0




* [PATCH 2/4] qemu: fix CVE-2021-3750
  2022-05-31 22:08 [PATCH 1/4] qemu: fix CVE-2021-4145 Sakib Sajal
@ 2022-05-31 22:08 ` Sakib Sajal
  2022-05-31 22:08 ` [PATCH 3/4] qemu: fix CVE-2022-26353 Sakib Sajal
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 6+ messages in thread
From: Sakib Sajal @ 2022-05-31 22:08 UTC (permalink / raw)
  To: openembedded-core

Backport appropriate patches to resolve CVE-2021-3750.

Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |   3 +
 .../qemu/qemu/CVE-2021-3750_1.patch           |  60 +++++++
 .../qemu/qemu/CVE-2021-3750_2.patch           |  65 ++++++++
 .../qemu/qemu/CVE-2021-3750_3.patch           | 156 ++++++++++++++++++
 4 files changed, 284 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_3.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index aa372810ce..5605ece5bb 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -77,6 +77,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://CVE-2021-20196_2.patch \
            file://CVE-2021-4145_1.patch \
            file://CVE-2021-4145_2.patch \
+           file://CVE-2021-3750_1.patch \
+           file://CVE-2021-3750_2.patch \
+           file://CVE-2021-3750_3.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch
new file mode 100644
index 0000000000..8381661886
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch
@@ -0,0 +1,60 @@
+From d09eb9fc1459f5c8b623f3f2134c3c007b4e6344 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 15 Dec 2021 19:24:19 +0100
+Subject: [PATCH 1/3] hw/intc/arm_gicv3: Check for !MEMTX_OK instead of
+ MEMTX_ERROR
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Quoting Peter Maydell:
+
+ "These MEMTX_* aren't from the memory transaction
+  API functions; they're just being used by gicd_readl() and
+  friends as a way to indicate a success/failure so that the
+  actual MemoryRegionOps read/write fns like gicv3_dist_read()
+  can log a guest error."
+
+We are going to introduce more MemTxResult bits, so it is
+safer to check for !MEMTX_OK rather than MEMTX_ERROR.
+
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+CVE: CVE-2021-3750
+Upstream-Status: Backport [b9d383ab797f54ae5fa8746117770709921dc529]
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/intc/arm_gicv3_redist.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c
+index 8645220d6..44368e285 100644
+--- a/hw/intc/arm_gicv3_redist.c
++++ b/hw/intc/arm_gicv3_redist.c
+@@ -450,7 +450,7 @@ MemTxResult gicv3_redist_read(void *opaque, hwaddr offset, uint64_t *data,
+         break;
+     }
+ 
+-    if (r == MEMTX_ERROR) {
++    if (r != MEMTX_OK) {
+         qemu_log_mask(LOG_GUEST_ERROR,
+                       "%s: invalid guest read at offset " TARGET_FMT_plx
+                       "size %u\n", __func__, offset, size);
+@@ -507,7 +507,7 @@ MemTxResult gicv3_redist_write(void *opaque, hwaddr offset, uint64_t data,
+         break;
+     }
+ 
+-    if (r == MEMTX_ERROR) {
++    if (r != MEMTX_OK) {
+         qemu_log_mask(LOG_GUEST_ERROR,
+                       "%s: invalid guest write at offset " TARGET_FMT_plx
+                       "size %u\n", __func__, offset, size);
+-- 
+2.33.0
+
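Review bot: the commit message quotes Peter Maydell about gicd_readl() and gicv3_dist_read(), but the diff only changes gicv3_redist_read() and gicv3_redist_write() in hw/intc/arm_gicv3_redist.c. Please confirm that the distributor path in the hardknott qemu already compares against MEMTX_OK; once CVE-2021-3750_3.patch adds the MEMTX_ACCESS_ERROR bit, any remaining `if (r == MEMTX_ERROR)` check would skip the LOG_GUEST_ERROR message for the new error while still returning it.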
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch
new file mode 100644
index 0000000000..82d2675ab2
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch
@@ -0,0 +1,65 @@
+From 13e82fe73aca591cc4160688597515c7fb6f9788 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 15 Dec 2021 19:24:20 +0100
+Subject: [PATCH 2/3] softmmu/physmem: Simplify flatview_write and
+ address_space_access_valid
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Remove unuseful local 'result' variables.
+
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20211215182421.418374-3-philmd@redhat.com>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+
+CVE: CVE-2021-3750
+Upstream-Status: Backport [58e74682baf4e1ad26b064d8c02e5bc99c75c5d9]
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ softmmu/physmem.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/softmmu/physmem.c b/softmmu/physmem.c
+index 2cd1de4a2..68612afbd 100644
+--- a/softmmu/physmem.c
++++ b/softmmu/physmem.c
+@@ -2792,14 +2792,11 @@ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
+     hwaddr l;
+     hwaddr addr1;
+     MemoryRegion *mr;
+-    MemTxResult result = MEMTX_OK;
+ 
+     l = len;
+     mr = flatview_translate(fv, addr, &addr1, &l, true, attrs);
+-    result = flatview_write_continue(fv, addr, attrs, buf, len,
+-                                     addr1, l, mr);
+-
+-    return result;
++    return flatview_write_continue(fv, addr, attrs, buf, len,
++                                   addr1, l, mr);
+ }
+ 
+ /* Called within RCU critical section.  */
+@@ -3096,12 +3093,10 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr,
+                                 MemTxAttrs attrs)
+ {
+     FlatView *fv;
+-    bool result;
+ 
+     RCU_READ_LOCK_GUARD();
+     fv = address_space_to_flatview(as);
+-    result = flatview_access_valid(fv, addr, len, is_write, attrs);
+-    return result;
++    return flatview_access_valid(fv, addr, len, is_write, attrs);
+ }
+ 
+ static hwaddr
+-- 
+2.33.0
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_3.patch
new file mode 100644
index 0000000000..e5748b50ce
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_3.patch
@@ -0,0 +1,156 @@
+From 9df520db8c1bf24f1ff1c9739b7870056f2bc991 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 15 Dec 2021 19:24:21 +0100
+Subject: [PATCH 3/3] softmmu/physmem: Introduce MemTxAttrs::memory field and
+ MEMTX_ACCESS_ERROR
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add the 'memory' bit to the memory attributes to restrict bus
+controller accesses to memories.
+
+Introduce flatview_access_allowed() to check bus permission
+before running any bus transaction.
+
+Have read/write accessors return MEMTX_ACCESS_ERROR if an access is
+restricted.
+
+There is no change for the default case where 'memory' is not set.
+
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20211215182421.418374-4-philmd@redhat.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+[thuth: Replaced MEMTX_BUS_ERROR with MEMTX_ACCESS_ERROR, remove "inline"]
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+
+CVE: CVE-2021-3750
+Upstream-Status: Backport [3ab6fdc91b72e156da22848f0003ff4225690ced]
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ include/exec/memattrs.h |  9 +++++++++
+ softmmu/physmem.c       | 44 +++++++++++++++++++++++++++++++++++++++--
+ 2 files changed, 51 insertions(+), 2 deletions(-)
+
+diff --git a/include/exec/memattrs.h b/include/exec/memattrs.h
+index 95f2d20d5..9fb98bc1e 100644
+--- a/include/exec/memattrs.h
++++ b/include/exec/memattrs.h
+@@ -35,6 +35,14 @@ typedef struct MemTxAttrs {
+     unsigned int secure:1;
+     /* Memory access is usermode (unprivileged) */
+     unsigned int user:1;
++    /*
++     * Bus interconnect and peripherals can access anything (memories,
++     * devices) by default. By setting the 'memory' bit, bus transaction
++     * are restricted to "normal" memories (per the AMBA documentation)
++     * versus devices. Access to devices will be logged and rejected
++     * (see MEMTX_ACCESS_ERROR).
++     */
++    unsigned int memory:1;
+     /* Requester ID (for MSI for example) */
+     unsigned int requester_id:16;
+     /* Invert endianness for this page */
+@@ -66,6 +74,7 @@ typedef struct MemTxAttrs {
+ #define MEMTX_OK 0
+ #define MEMTX_ERROR             (1U << 0) /* device returned an error */
+ #define MEMTX_DECODE_ERROR      (1U << 1) /* nothing at that address */
++#define MEMTX_ACCESS_ERROR      (1U << 2) /* access denied */
+ typedef uint32_t MemTxResult;
+ 
+ #endif
+diff --git a/softmmu/physmem.c b/softmmu/physmem.c
+index 68612afbd..f15216da0 100644
+--- a/softmmu/physmem.c
++++ b/softmmu/physmem.c
+@@ -38,6 +38,7 @@
+ #include "qemu/config-file.h"
+ #include "qemu/error-report.h"
+ #include "qemu/qemu-print.h"
++#include "qemu/log.h"
+ #include "exec/memory.h"
+ #include "exec/ioport.h"
+ #include "sysemu/dma.h"
+@@ -2736,6 +2737,33 @@ static bool prepare_mmio_access(MemoryRegion *mr)
+     return release_lock;
+ }
+ 
++/**
++ * flatview_access_allowed
++ * @mr: #MemoryRegion to be accessed
++ * @attrs: memory transaction attributes
++ * @addr: address within that memory region
++ * @len: the number of bytes to access
++ *
++ * Check if a memory transaction is allowed.
++ *
++ * Returns: true if transaction is allowed, false if denied.
++ */
++static bool flatview_access_allowed(MemoryRegion *mr, MemTxAttrs attrs,
++                                    hwaddr addr, hwaddr len)
++{
++    if (likely(!attrs.memory)) {
++        return true;
++    }
++    if (memory_region_is_ram(mr)) {
++        return true;
++    }
++    qemu_log_mask(LOG_GUEST_ERROR,
++                  "Invalid access to non-RAM device at "
++                  "addr 0x%" HWADDR_PRIX ", size %" HWADDR_PRIu ", "
++                  "region '%s'\n", addr, len, memory_region_name(mr));
++    return false;
++}
++
+ /* Called within RCU critical section.  */
+ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr,
+                                            MemTxAttrs attrs,
+@@ -2750,7 +2778,10 @@ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr,
+     const uint8_t *buf = ptr;
+ 
+     for (;;) {
+-        if (!memory_access_is_direct(mr, true)) {
++        if (!flatview_access_allowed(mr, attrs, addr1, l)) {
++            result |= MEMTX_ACCESS_ERROR;
++            /* Keep going. */
++        } else if (!memory_access_is_direct(mr, true)) {
+             release_lock |= prepare_mmio_access(mr);
+             l = memory_access_size(mr, l, addr1);
+             /* XXX: could force current_cpu to NULL to avoid
+@@ -2795,6 +2826,9 @@ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
+ 
+     l = len;
+     mr = flatview_translate(fv, addr, &addr1, &l, true, attrs);
++    if (!flatview_access_allowed(mr, attrs, addr, len)) {
++        return MEMTX_ACCESS_ERROR;
++    }
+     return flatview_write_continue(fv, addr, attrs, buf, len,
+                                    addr1, l, mr);
+ }
+@@ -2812,7 +2846,10 @@ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr,
+     uint8_t *buf = ptr;
+ 
+     for (;;) {
+-        if (!memory_access_is_direct(mr, false)) {
++        if (!flatview_access_allowed(mr, attrs, addr1, l)) {
++            result |= MEMTX_ACCESS_ERROR;
++            /* Keep going. */
++        } else if (!memory_access_is_direct(mr, false)) {
+             /* I/O case */
+             release_lock |= prepare_mmio_access(mr);
+             l = memory_access_size(mr, l, addr1);
+@@ -2856,6 +2893,9 @@ static MemTxResult flatview_read(FlatView *fv, hwaddr addr,
+ 
+     l = len;
+     mr = flatview_translate(fv, addr, &addr1, &l, false, attrs);
++    if (!flatview_access_allowed(mr, attrs, addr, len)) {
++        return MEMTX_ACCESS_ERROR;
++    }
+     return flatview_read_continue(fv, addr, attrs, buf, len,
+                                   addr1, l, mr);
+ }
+-- 
+2.33.0
+
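Review bot: nothing in this three-patch series sets `attrs.memory`, and the message itself says "There is no change for the default case where 'memory' is not set", so as backported the new flatview_access_allowed() check is dormant until some DMA caller opts in with the memory bit. Please confirm which change sets that bit on the hardknott branch (or add it to this series); otherwise the `CVE: CVE-2021-3750` tag makes the recipe claim the CVE is fixed while device DMA paths behave exactly as before. One caveat for callers worth noting in the message: flatview_write() / flatview_read() return MEMTX_ACCESS_ERROR before any byte is transferred, but inside flatview_write_continue() / flatview_read_continue() a denied chunk only sets `result |= MEMTX_ACCESS_ERROR` and keeps going (`/* Keep going. */`), so a multi-region transaction can complete partially with the error bit set; callers must check the MemTxResult rather than assume the buffer is untouched.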
-- 
2.33.0




* [PATCH 3/4] qemu: fix CVE-2022-26353
  2022-05-31 22:08 [PATCH 1/4] qemu: fix CVE-2021-4145 Sakib Sajal
  2022-05-31 22:08 ` [PATCH 2/4] qemu: fix CVE-2021-3750 Sakib Sajal
@ 2022-05-31 22:08 ` Sakib Sajal
  2022-05-31 22:08 ` [PATCH 4/4] qemu: fix CVE-2021-4206 Sakib Sajal
       [not found] ` <16F44FFA6E0E788F.31706@lists.openembedded.org>
  3 siblings, 0 replies; 6+ messages in thread
From: Sakib Sajal @ 2022-05-31 22:08 UTC (permalink / raw)
  To: openembedded-core

Backport fix to resolve CVE-2022-26353:
   abe300d9d8 virtio-net: fix map leaking on error during receive

Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |  1 +
 .../qemu/qemu/CVE-2022-26353.patch            | 44 +++++++++++++++++++
 2 files changed, 45 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-26353.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 5605ece5bb..898377d11b 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -80,6 +80,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://CVE-2021-3750_1.patch \
            file://CVE-2021-3750_2.patch \
            file://CVE-2021-3750_3.patch \
+           file://CVE-2022-26353.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-26353.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-26353.patch
new file mode 100644
index 0000000000..e76444b9fe
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-26353.patch
@@ -0,0 +1,44 @@
+From 2263354a272db3e520687af31675684c9c705456 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Tue, 8 Mar 2022 10:42:51 +0800
+Subject: [PATCH] virtio-net: fix map leaking on error during receive
+
+Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
+tries to fix the use after free of the sg by caching the virtqueue
+elements in an array and unmap them at once after receiving the
+packets, But it forgot to unmap the cached elements on error which
+will lead to leaking of mapping and other unexpected results.
+
+Fixing this by detaching the cached elements on error. This addresses
+CVE-2022-26353.
+
+Reported-by: Victor Tom <vv474172261@gmail.com>
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2022-26353
+Fixes: bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+CVE: CVE-2022-26353
+Upstream-Status: Backport [abe300d9d894f7138e1af7c8e9c88c04bfe98b37]
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/virtio-net.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index df1d30e2c..a351d16b5 100644
+--- a/hw/net/virtio-net.c
++++ b/hw/net/virtio-net.c
+@@ -1795,6 +1795,7 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ 
+ err:
+     for (j = 0; j < i; j++) {
++        virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);
+         g_free(elems[j]);
+     }
+ 
+-- 
+2.33.0
+
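Review bot: the added `virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);` relies on `lens[j]` being valid for every `j < i`, so the fix depends on `i` only being advanced after both `elems[i]` and `lens[i]` are stored. Please confirm that ordering holds in the hardknott virtio_net_receive_rcu(), since the hunk context (`@@ -1795,6 +1795,7 @@`) does not show the fill loop; a `goto err` taken between the two stores would detach with a stale length.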
-- 
2.33.0




* [PATCH 4/4] qemu: fix CVE-2021-4206
  2022-05-31 22:08 [PATCH 1/4] qemu: fix CVE-2021-4145 Sakib Sajal
  2022-05-31 22:08 ` [PATCH 2/4] qemu: fix CVE-2021-3750 Sakib Sajal
  2022-05-31 22:08 ` [PATCH 3/4] qemu: fix CVE-2022-26353 Sakib Sajal
@ 2022-05-31 22:08 ` Sakib Sajal
       [not found] ` <16F44FFA6E0E788F.31706@lists.openembedded.org>
  3 siblings, 0 replies; 6+ messages in thread
From: Sakib Sajal @ 2022-05-31 22:08 UTC (permalink / raw)
  To: openembedded-core

Backport fix to resolve CVE-2021-4206:
   fa892e9abb ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)

Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |  1 +
 .../qemu/qemu/CVE-2021-4206.patch             | 89 +++++++++++++++++++
 2 files changed, 90 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 898377d11b..b6595a7731 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -81,6 +81,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://CVE-2021-3750_2.patch \
            file://CVE-2021-3750_3.patch \
            file://CVE-2022-26353.patch \
+           file://CVE-2021-4206.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
new file mode 100644
index 0000000000..bc76d3a206
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
@@ -0,0 +1,89 @@
+From 1ed7525cc9d9a98ef126e9803b09f50aa9f2e3bf Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 7 Apr 2022 10:17:12 +0200
+Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc
+ (CVE-2021-4206)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Prevent potential integer overflow by limiting 'width' and 'height' to
+512x512. Also change 'datasize' type to size_t. Refer to security
+advisory https://starlabs.sg/advisories/22-4206/ for more information.
+
+Fixes: CVE-2021-4206
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20220407081712.345609-1-mcascell@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+CVE: CVE-2021-4206
+Upstream-Status: Backport [fa892e9abb728e76afcf27323ab29c57fb0fe7aa]
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/display/qxl-render.c | 7 +++++++
+ hw/display/vmware_vga.c | 2 ++
+ ui/cursor.c             | 8 +++++++-
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+index 3ce2e57b8..c2ecef706 100644
+--- a/hw/display/qxl-render.c
++++ b/hw/display/qxl-render.c
+@@ -246,6 +246,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
+     size_t size;
+ 
+     c = cursor_alloc(cursor->header.width, cursor->header.height);
++
++    if (!c) {
++        qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__,
++                cursor->header.width, cursor->header.height);
++        goto fail;
++    }
++
+     c->hot_x = cursor->header.hot_spot_x;
+     c->hot_y = cursor->header.hot_spot_y;
+     switch (cursor->header.type) {
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index bef0d7d69..e30dbdcb3 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -510,6 +510,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
+     int i, pixels;
+ 
+     qc = cursor_alloc(c->width, c->height);
++    assert(qc != NULL);
++
+     qc->hot_x = c->hot_x;
+     qc->hot_y = c->hot_y;
+     switch (c->bpp) {
+diff --git a/ui/cursor.c b/ui/cursor.c
+index 1d62ddd4d..835f0802f 100644
+--- a/ui/cursor.c
++++ b/ui/cursor.c
+@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[])
+ 
+     /* parse pixel data */
+     c = cursor_alloc(width, height);
++    assert(c != NULL);
++
+     for (pixel = 0, y = 0; y < height; y++, line++) {
+         for (x = 0; x < height; x++, pixel++) {
+             idx = xpm[line][x];
+@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void)
+ QEMUCursor *cursor_alloc(int width, int height)
+ {
+     QEMUCursor *c;
+-    int datasize = width * height * sizeof(uint32_t);
++    size_t datasize = width * height * sizeof(uint32_t);
++
++    if (width > 512 || height > 512) {
++        return NULL;
++    }
+ 
+     c = g_malloc0(sizeof(QEMUCursor) + datasize);
+     c->width  = width;
+-- 
+2.33.0
+
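Review bot: in the ui/cursor.c hunk, `size_t datasize = width * height * sizeof(uint32_t);` is still evaluated before the `if (width > 512 || height > 512)` check, and with `int` operands `width * height` is computed in int before the promotion to size_t, so the signed overflow the patch is meant to prevent can still be evaluated for hostile values (its result is merely discarded). Moving the bounds check above the initializer (declare `datasize`, check, then assign) avoids that. The check also lets negative values through, so either reject `width < 0 || height < 0` as well or switch the parameters to unsigned for callers that do not pre-validate. For the hw/display/vmware_vga.c hunk, `assert(qc != NULL);` turns an oversized guest-supplied cursor into an abort of the whole VM; that is acceptable only if vmsvga_cursor_define()'s caller already bounds `c->width` / `c->height` below 512, which the hunk context does not show, so please confirm it for this branch.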
-- 
2.33.0




* Re: [OE-core] [PATCH 2/4] qemu: fix CVE-2021-3750
       [not found] ` <16F44FFA6E0E788F.31706@lists.openembedded.org>
@ 2022-06-01  3:52   ` Sakib Sajal
  2022-06-01  8:00     ` Davide Gardenal
  0 siblings, 1 reply; 6+ messages in thread
From: Sakib Sajal @ 2022-06-01  3:52 UTC (permalink / raw)
  To: openembedded-core

This set of patches is for hardknott branch.

On 2022-05-31 18:08, Sakib Sajal wrote:
> Backport appropriate patches to resolve CVE-2021-3750.
>
> Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> ---
>   meta/recipes-devtools/qemu/qemu.inc           |   3 +
>   .../qemu/qemu/CVE-2021-3750_1.patch           |  60 +++++++
>   .../qemu/qemu/CVE-2021-3750_2.patch           |  65 ++++++++
>   .../qemu/qemu/CVE-2021-3750_3.patch           | 156 ++++++++++++++++++
>   4 files changed, 284 insertions(+)
>   create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch
>   create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch
>   create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_3.patch
>
> diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
> index aa372810ce..5605ece5bb 100644
> --- a/meta/recipes-devtools/qemu/qemu.inc
> +++ b/meta/recipes-devtools/qemu/qemu.inc
> @@ -77,6 +77,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
>              file://CVE-2021-20196_2.patch \
>              file://CVE-2021-4145_1.patch \
>              file://CVE-2021-4145_2.patch \
> +           file://CVE-2021-3750_1.patch \
> +           file://CVE-2021-3750_2.patch \
> +           file://CVE-2021-3750_3.patch \
>              "
>   UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
>   
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch
> new file mode 100644
> index 0000000000..8381661886
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch
> @@ -0,0 +1,60 @@
> +From d09eb9fc1459f5c8b623f3f2134c3c007b4e6344 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
> +Date: Wed, 15 Dec 2021 19:24:19 +0100
> +Subject: [PATCH 1/3] hw/intc/arm_gicv3: Check for !MEMTX_OK instead of
> + MEMTX_ERROR
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Quoting Peter Maydell:
> +
> + "These MEMTX_* aren't from the memory transaction
> +  API functions; they're just being used by gicd_readl() and
> +  friends as a way to indicate a success/failure so that the
> +  actual MemoryRegionOps read/write fns like gicv3_dist_read()
> +  can log a guest error."
> +
> +We are going to introduce more MemTxResult bits, so it is
> +safer to check for !MEMTX_OK rather than MEMTX_ERROR.
> +
> +Reviewed-by: Peter Xu <peterx@redhat.com>
> +Reviewed-by: David Hildenbrand <david@redhat.com>
> +Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
> +Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> +Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> +
> +CVE: CVE-2021-3750
> +Upstream-Status: Backport [b9d383ab797f54ae5fa8746117770709921dc529]
> +
> +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> +---
> + hw/intc/arm_gicv3_redist.c | 4 ++--
> + 1 file changed, 2 insertions(+), 2 deletions(-)
> +
> +diff --git a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c
> +index 8645220d6..44368e285 100644
> +--- a/hw/intc/arm_gicv3_redist.c
> ++++ b/hw/intc/arm_gicv3_redist.c
> +@@ -450,7 +450,7 @@ MemTxResult gicv3_redist_read(void *opaque, hwaddr offset, uint64_t *data,
> +         break;
> +     }
> +
> +-    if (r == MEMTX_ERROR) {
> ++    if (r != MEMTX_OK) {
> +         qemu_log_mask(LOG_GUEST_ERROR,
> +                       "%s: invalid guest read at offset " TARGET_FMT_plx
> +                       "size %u\n", __func__, offset, size);
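Review bot: `r != MEMTX_OK` is the right predicate here: the series later defines MEMTX_ACCESS_ERROR as a separate bit (1U << 2), and an equality test against MEMTX_ERROR would accept that result as a successful read. Unrelated nit in the context lines: the format string has no separator between TARGET_FMT_plx and "size %u", so the guest-error log prints offset and size run together; worth a follow-up `" size %u\n"`, since this message is what an operator looks for under `-d guest_errors`.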
> +@@ -507,7 +507,7 @@ MemTxResult gicv3_redist_write(void *opaque, hwaddr offset, uint64_t data,
> +         break;
> +     }
> +
> +-    if (r == MEMTX_ERROR) {
> ++    if (r != MEMTX_OK) {
> +         qemu_log_mask(LOG_GUEST_ERROR,
> +                       "%s: invalid guest write at offset " TARGET_FMT_plx
> +                       "size %u\n", __func__, offset, size);
> +--
> +2.33.0
> +
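Review bot: same change and same format-string nit as the read hunk. One question for the backport: Peter Maydell's quoted note names gicd_readl() and gicv3_dist_read(), but the diffstat touches only hw/intc/arm_gicv3_redist.c. If the distributor-side code in the targeted QEMU version still compares against MEMTX_ERROR, a denied access there would be misreported as success once MEMTX_ACCESS_ERROR exists; please confirm it already uses `!= MEMTX_OK` on this branch.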
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch
> new file mode 100644
> index 0000000000..82d2675ab2
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch
> @@ -0,0 +1,65 @@
> +From 13e82fe73aca591cc4160688597515c7fb6f9788 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
> +Date: Wed, 15 Dec 2021 19:24:20 +0100
> +Subject: [PATCH 2/3] softmmu/physmem: Simplify flatview_write and
> + address_space_access_valid
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Remove unuseful local 'result' variables.
> +
> +Reviewed-by: Peter Xu <peterx@redhat.com>
> +Reviewed-by: David Hildenbrand <david@redhat.com>
> +Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
> +Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> +Message-Id: <20211215182421.418374-3-philmd@redhat.com>
> +Signed-off-by: Thomas Huth <thuth@redhat.com>
> +
> +CVE: CVE-2021-3750
> +Upstream-Status: Backport [58e74682baf4e1ad26b064d8c02e5bc99c75c5d9]
> +
> +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> +---
> + softmmu/physmem.c | 11 +++--------
> + 1 file changed, 3 insertions(+), 8 deletions(-)
> +
> +diff --git a/softmmu/physmem.c b/softmmu/physmem.c
> +index 2cd1de4a2..68612afbd 100644
> +--- a/softmmu/physmem.c
> ++++ b/softmmu/physmem.c
> +@@ -2792,14 +2792,11 @@ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
> +     hwaddr l;
> +     hwaddr addr1;
> +     MemoryRegion *mr;
> +-    MemTxResult result = MEMTX_OK;
> +
> +     l = len;
> +     mr = flatview_translate(fv, addr, &addr1, &l, true, attrs);
> +-    result = flatview_write_continue(fv, addr, attrs, buf, len,
> +-                                     addr1, l, mr);
> +-
> +-    return result;
> ++    return flatview_write_continue(fv, addr, attrs, buf, len,
> ++                                   addr1, l, mr);
> + }
> +
> + /* Called within RCU critical section.  */
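Review bot: no functional change; the `result` temporary was assigned once and returned. The reason to carry this refactor in a CVE backport is mechanical: the third patch's hunk at `@@ -2795,6 +2826,9 @@` inserts its check directly above the new `return flatview_write_continue(...)` lines, so without this patch that hunk would not apply. State that dependency in the recipe commit message so nobody later drops patch 2 as "cleanup only".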
> +@@ -3096,12 +3093,10 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr,
> +                                 MemTxAttrs attrs)
> + {
> +     FlatView *fv;
> +-    bool result;
> +
> +     RCU_READ_LOCK_GUARD();
> +     fv = address_space_to_flatview(as);
> +-    result = flatview_access_valid(fv, addr, len, is_write, attrs);
> +-    return result;
> ++    return flatview_access_valid(fv, addr, len, is_write, attrs);
> + }
> +
> + static hwaddr
> +--
> +2.33.0
> +
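Review bot: returning directly here relies on RCU_READ_LOCK_GUARD() being scope-based, which the original code already assumed (it also returned `result` while the guard was held), so this is behaviour-neutral. Fine as-is.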
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_3.patch
> new file mode 100644
> index 0000000000..e5748b50ce
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_3.patch
> @@ -0,0 +1,156 @@
> +From 9df520db8c1bf24f1ff1c9739b7870056f2bc991 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
> +Date: Wed, 15 Dec 2021 19:24:21 +0100
> +Subject: [PATCH 3/3] softmmu/physmem: Introduce MemTxAttrs::memory field and
> + MEMTX_ACCESS_ERROR
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Add the 'memory' bit to the memory attributes to restrict bus
> +controller accesses to memories.
> +
> +Introduce flatview_access_allowed() to check bus permission
> +before running any bus transaction.
> +
> +Have read/write accessors return MEMTX_ACCESS_ERROR if an access is
> +restricted.
> +
> +There is no change for the default case where 'memory' is not set.
> +
> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> +Message-Id: <20211215182421.418374-4-philmd@redhat.com>
> +Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
> +Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
> +[thuth: Replaced MEMTX_BUS_ERROR with MEMTX_ACCESS_ERROR, remove "inline"]
> +Signed-off-by: Thomas Huth <thuth@redhat.com>
> +
> +CVE: CVE-2021-3750
> +Upstream-Status: Backport [3ab6fdc91b72e156da22848f0003ff4225690ced]
> +
> +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> +---
> + include/exec/memattrs.h |  9 +++++++++
> + softmmu/physmem.c       | 44 +++++++++++++++++++++++++++++++++++++++--
> + 2 files changed, 51 insertions(+), 2 deletions(-)
> +
> +diff --git a/include/exec/memattrs.h b/include/exec/memattrs.h
> +index 95f2d20d5..9fb98bc1e 100644
> +--- a/include/exec/memattrs.h
> ++++ b/include/exec/memattrs.h
> +@@ -35,6 +35,14 @@ typedef struct MemTxAttrs {
> +     unsigned int secure:1;
> +     /* Memory access is usermode (unprivileged) */
> +     unsigned int user:1;
> ++    /*
> ++     * Bus interconnect and peripherals can access anything (memories,
> ++     * devices) by default. By setting the 'memory' bit, bus transaction
> ++     * are restricted to "normal" memories (per the AMBA documentation)
> ++     * versus devices. Access to devices will be logged and rejected
> ++     * (see MEMTX_ACCESS_ERROR).
> ++     */
> ++    unsigned int memory:1;
> +     /* Requester ID (for MSI for example) */
> +     unsigned int requester_id:16;
> +     /* Invert endianness for this page */
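Review bot: grammar slip in the new comment: "bus transaction are restricted" should read "bus transactions are restricted". Semantics are as the header states: the bit defaults to 0, so existing callers see no change and only a bus master that sets `attrs.memory = 1` gets the restriction. Inserting a 1-bit field between `user` and `requester_id` shifts the bit layout of MemTxAttrs; harmless for designated initializers, but any code in the backport target that builds the struct positionally or reinterprets it as an integer needs checking.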
> +@@ -66,6 +74,7 @@ typedef struct MemTxAttrs {
> + #define MEMTX_OK 0
> + #define MEMTX_ERROR             (1U << 0) /* device returned an error */
> + #define MEMTX_DECODE_ERROR      (1U << 1) /* nothing at that address */
> ++#define MEMTX_ACCESS_ERROR      (1U << 2) /* access denied */
> + typedef uint32_t MemTxResult;
> +
> + #endif
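Review bot: MEMTX_ACCESS_ERROR takes bit 2, distinct from MEMTX_ERROR (bit 0) and MEMTX_DECODE_ERROR (bit 1), and the accessors below OR it into `result`. Any caller that tests `== MEMTX_ERROR` rather than `!= MEMTX_OK` will therefore treat a denied access as success; patch 1/3 fixes the GICv3 redistributor, but the backport should check the target tree for other `== MEMTX_ERROR` comparisons before relying on the new code.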
> +diff --git a/softmmu/physmem.c b/softmmu/physmem.c
> +index 68612afbd..f15216da0 100644
> +--- a/softmmu/physmem.c
> ++++ b/softmmu/physmem.c
> +@@ -38,6 +38,7 @@
> + #include "qemu/config-file.h"
> + #include "qemu/error-report.h"
> + #include "qemu/qemu-print.h"
> ++#include "qemu/log.h"
> + #include "exec/memory.h"
> + #include "exec/ioport.h"
> + #include "sysemu/dma.h"
> +@@ -2736,6 +2737,33 @@ static bool prepare_mmio_access(MemoryRegion *mr)
> +     return release_lock;
> + }
> +
> ++/**
> ++ * flatview_access_allowed
> ++ * @mr: #MemoryRegion to be accessed
> ++ * @attrs: memory transaction attributes
> ++ * @addr: address within that memory region
> ++ * @len: the number of bytes to access
> ++ *
> ++ * Check if a memory transaction is allowed.
> ++ *
> ++ * Returns: true if transaction is allowed, false if denied.
> ++ */
> ++static bool flatview_access_allowed(MemoryRegion *mr, MemTxAttrs attrs,
> ++                                    hwaddr addr, hwaddr len)
> ++{
> ++    if (likely(!attrs.memory)) {
> ++        return true;
> ++    }
> ++    if (memory_region_is_ram(mr)) {
> ++        return true;
> ++    }
> ++    qemu_log_mask(LOG_GUEST_ERROR,
> ++                  "Invalid access to non-RAM device at "
> ++                  "addr 0x%" HWADDR_PRIX ", size %" HWADDR_PRIu ", "
> ++                  "region '%s'\n", addr, len, memory_region_name(mr));
> ++    return false;
> ++}
> ++
> + /* Called within RCU critical section.  */
> + static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr,
> +                                            MemTxAttrs attrs,
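Review bot: the policy is clear: without `attrs.memory` everything is allowed (the `likely()` fast path keeps existing behaviour), with it only regions where memory_region_is_ram() holds pass, and everything else is logged and denied. Two points: the doc comment says `@addr` is the address within the region, yet the callers in flatview_write/flatview_read pass the absolute `addr` while the *_continue callers pass the translated `addr1`, so the logged address means different things depending on which check fires; and the denial goes through LOG_GUEST_ERROR, so it is only visible when QEMU runs with `-d guest_errors` (or an equivalent log mask). For detecting a bus master probing outside RAM that mask must be enabled, and "Invalid access to non-RAM device at" is the string to alert on.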
> +@@ -2750,7 +2778,10 @@ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr,
> +     const uint8_t *buf = ptr;
> +
> +     for (;;) {
> +-        if (!memory_access_is_direct(mr, true)) {
> ++        if (!flatview_access_allowed(mr, attrs, addr1, l)) {
> ++            result |= MEMTX_ACCESS_ERROR;
> ++            /* Keep going. */
> ++        } else if (!memory_access_is_direct(mr, true)) {
> +             release_lock |= prepare_mmio_access(mr);
> +             l = memory_access_size(mr, l, addr1);
> +             /* XXX: could force current_cpu to NULL to avoid
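Review bot: on denial the loop records MEMTX_ACCESS_ERROR and continues with the next chunk rather than returning, so a transaction that straddles RAM and a device completes the RAM part and reports the error at the end. That is intentional ("Keep going") but deserves a fuller comment, e.g. `/* Skip this region, keep processing the rest of the transaction. */`. Because the denied branch bypasses `memory_access_size()` and the direct-access path, the remainder of the loop (not shown in the hunk) must still advance `addr`, `buf` and `len` by `l` for the skipped chunk; please confirm against the surrounding context.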
> +@@ -2795,6 +2826,9 @@ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
> +
> +     l = len;
> +     mr = flatview_translate(fv, addr, &addr1, &l, true, attrs);
> ++    if (!flatview_access_allowed(mr, attrs, addr, len)) {
> ++        return MEMTX_ACCESS_ERROR;
> ++    }
> +     return flatview_write_continue(fv, addr, attrs, buf, len,
> +                                    addr1, l, mr);
> + }
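Review bot: the up-front flatview_access_allowed() call uses the untranslated `addr`/`len` and covers only the first region returned by flatview_translate(); flatview_write_continue() then re-tests that same region on its first iteration. The duplication is cheap, but the two calls log different things (absolute address and total length here, region-relative offset and chunk length there), so for consistent guest-error logs pass `addr1, l` here as well, matching the helper's doc comment.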
> +@@ -2812,7 +2846,10 @@ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr,
> +     uint8_t *buf = ptr;
> +
> +     for (;;) {
> +-        if (!memory_access_is_direct(mr, false)) {
> ++        if (!flatview_access_allowed(mr, attrs, addr1, l)) {
> ++            result |= MEMTX_ACCESS_ERROR;
> ++            /* Keep going. */
> ++        } else if (!memory_access_is_direct(mr, false)) {
> +             /* I/O case */
> +             release_lock |= prepare_mmio_access(mr);
> +             l = memory_access_size(mr, l, addr1);
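Review bot: mirror of the write path with the same "Keep going" semantics. Reads have an extra concern: when a chunk is denied this branch does not write the corresponding bytes of `buf`, and nothing in the hunk zeroes them, so the caller receives MEMTX_ACCESS_ERROR together with whatever was already in its buffer. A caller that ignores the return value would consume stale data; either document that contract or clear the denied span.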
> +@@ -2856,6 +2893,9 @@ static MemTxResult flatview_read(FlatView *fv, hwaddr addr,
> +
> +     l = len;
> +     mr = flatview_translate(fv, addr, &addr1, &l, false, attrs);
> ++    if (!flatview_access_allowed(mr, attrs, addr, len)) {
> ++        return MEMTX_ACCESS_ERROR;
> ++    }
> +     return flatview_read_continue(fv, addr, attrs, buf, len,
> +                                   addr1, l, mr);
> + }
> +--
> +2.33.0
> +
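Review bot: same comment as flatview_write: the up-front check logs `addr`/`len` while the helper documents `@addr` as region-relative. Otherwise the series holds together: the new bit is opt-in, the denial path is logged, and with 1/3 applied the redistributor no longer mistakes MEMTX_ACCESS_ERROR for success. Since the header says nothing changes unless 'memory' is set, the fix is only effective for bus masters that set that attribute; the recipe commit message should say whether the target tree's affected device already does, otherwise the `CVE:` tag overstates the coverage.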
>



* Re: [PATCH 2/4] qemu: fix CVE-2021-3750
  2022-06-01  3:52   ` [OE-core] [PATCH 2/4] qemu: fix CVE-2021-3750 Sakib Sajal
@ 2022-06-01  8:00     ` Davide Gardenal
  0 siblings, 0 replies; 6+ messages in thread
From: Davide Gardenal @ 2022-06-01  8:00 UTC (permalink / raw)
  To: openembedded-core


Could you send this one for kirkstone too?
You just need to change the qemu.inc diff, in theory.

Thanks,
Davide




Thread overview: 6+ messages
2022-05-31 22:08 [PATCH 1/4] qemu: fix CVE-2021-4145 Sakib Sajal
2022-05-31 22:08 ` [PATCH 2/4] qemu: fix CVE-2021-3750 Sakib Sajal
2022-05-31 22:08 ` [PATCH 3/4] qemu: fix CVE-2022-26353 Sakib Sajal
2022-05-31 22:08 ` [PATCH 4/4] qemu: fix CVE-2021-4206 Sakib Sajal
     [not found] ` <16F44FFA6E0E788F.31706@lists.openembedded.org>
2022-06-01  3:52   ` [OE-core] [PATCH 2/4] qemu: fix CVE-2021-3750 Sakib Sajal
2022-06-01  8:00     ` Davide Gardenal
