* [hardknott][PATCH 1/8] qemu: fix CVE-2021-3592
@ 2022-01-14 18:03 Sakib Sajal
2022-01-14 18:03 ` [hardknott][PATCH 2/8] qemu: fix CVE-2021-3593 Sakib Sajal
` (5 more replies)
0 siblings, 6 replies; 9+ messages in thread
From: Sakib Sajal @ 2022-01-14 18:03 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
meta/recipes-devtools/qemu/qemu.inc | 3 +
.../qemu/qemu/CVE-2021-3592_1.patch | 58 ++++++
.../qemu/qemu/CVE-2021-3592_2.patch | 165 ++++++++++++++++++
.../qemu/qemu/CVE-2021-3592_3.patch | 40 +++++
4 files changed, 266 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3592_1.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3592_2.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3592_3.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 463339e42b..6c00bf274b 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -70,6 +70,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3607.patch \
file://CVE-2021-3608.patch \
file://CVE-2021-3682.patch \
+ file://CVE-2021-3592_1.patch \
+ file://CVE-2021-3592_2.patch \
+ file://CVE-2021-3592_3.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_1.patch
new file mode 100644
index 0000000000..e374959594
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_1.patch
@@ -0,0 +1,58 @@
+From 0123c625aed2ed0679fa8c084104699d918c1da6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 15:58:25 +0400
+Subject: [PATCH 01/12] Add mtod_check()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Recent security issues demonstrate the lack of safety care when casting
+a mbuf to a particular structure type. At least, it should check that
+the buffer is large enough. The following patches will make use of this
+function.
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+Upstream-Status: Backport [93e645e72a056ec0b2c16e0299fc5c6b94e4ca17]
+CVE: CVE-2021-3592
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ slirp/src/mbuf.c | 11 +++++++++++
+ slirp/src/mbuf.h | 1 +
+ 2 files changed, 12 insertions(+)
+
+diff --git a/slirp/src/mbuf.c b/slirp/src/mbuf.c
+index 54ec721eb..cb2e97108 100644
+--- a/slirp/src/mbuf.c
++++ b/slirp/src/mbuf.c
+@@ -222,3 +222,14 @@ struct mbuf *dtom(Slirp *slirp, void *dat)
+
+ return (struct mbuf *)0;
+ }
++
++void *mtod_check(struct mbuf *m, size_t len)
++{
++ if (m->m_len >= len) {
++ return m->m_data;
++ }
++
++ DEBUG_ERROR("mtod failed");
++
++ return NULL;
++}
+diff --git a/slirp/src/mbuf.h b/slirp/src/mbuf.h
+index 546e7852c..2015e3232 100644
+--- a/slirp/src/mbuf.h
++++ b/slirp/src/mbuf.h
+@@ -118,6 +118,7 @@ void m_inc(struct mbuf *, int);
+ void m_adj(struct mbuf *, int);
+ int m_copy(struct mbuf *, struct mbuf *, int, int);
+ struct mbuf *dtom(Slirp *, void *);
++void *mtod_check(struct mbuf *, size_t len);
+
+ static inline void ifs_init(struct mbuf *ifm)
+ {
+--
+2.31.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_2.patch
new file mode 100644
index 0000000000..799a95417e
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_2.patch
@@ -0,0 +1,165 @@
+From fc2a4797f55016e78f2cde4806b05368fa5b7a97 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 19:25:28 +0400
+Subject: [PATCH 02/12] bootp: limit vendor-specific area to input packet
+ memory buffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+sizeof(bootp_t) currently holds DHCP_OPT_LEN. Remove this optional field
+from the structure, to help with the following patch checking for
+minimal header size. Modify the bootp_reply() function to take the
+buffer boundaries and avoiding potential buffer overflow.
+
+Related to CVE-2021-3592.
+
+https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+Upstream-Status: Backport [f13cad45b25d92760bb0ad67bec0300a4d7d5275]
+CVE: CVE-2021-3592
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ slirp/src/bootp.c | 26 +++++++++++++++-----------
+ slirp/src/bootp.h | 2 +-
+ slirp/src/mbuf.c | 5 +++++
+ slirp/src/mbuf.h | 1 +
+ 4 files changed, 22 insertions(+), 12 deletions(-)
+
+diff --git a/slirp/src/bootp.c b/slirp/src/bootp.c
+index 46e96810a..e0db8d196 100644
+--- a/slirp/src/bootp.c
++++ b/slirp/src/bootp.c
+@@ -92,21 +92,22 @@ found:
+ return bc;
+ }
+
+-static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
++static void dhcp_decode(const struct bootp_t *bp,
++ const uint8_t *bp_end,
++ int *pmsg_type,
+ struct in_addr *preq_addr)
+ {
+- const uint8_t *p, *p_end;
++ const uint8_t *p;
+ int len, tag;
+
+ *pmsg_type = 0;
+ preq_addr->s_addr = htonl(0L);
+
+ p = bp->bp_vend;
+- p_end = p + DHCP_OPT_LEN;
+ if (memcmp(p, rfc1533_cookie, 4) != 0)
+ return;
+ p += 4;
+- while (p < p_end) {
++ while (p < bp_end) {
+ tag = p[0];
+ if (tag == RFC1533_PAD) {
+ p++;
+@@ -114,10 +115,10 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
+ break;
+ } else {
+ p++;
+- if (p >= p_end)
++ if (p >= bp_end)
+ break;
+ len = *p++;
+- if (p + len > p_end) {
++ if (p + len > bp_end) {
+ break;
+ }
+ DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
+@@ -144,7 +145,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
+ }
+ }
+
+-static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
++static void bootp_reply(Slirp *slirp,
++ const struct bootp_t *bp,
++ const uint8_t *bp_end)
+ {
+ BOOTPClient *bc = NULL;
+ struct mbuf *m;
+@@ -157,7 +160,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
+ uint8_t client_ethaddr[ETH_ALEN];
+
+ /* extract exact DHCP msg type */
+- dhcp_decode(bp, &dhcp_msg_type, &preq_addr);
++ dhcp_decode(bp, bp_end, &dhcp_msg_type, &preq_addr);
+ DPRINTF("bootp packet op=%d msgtype=%d", bp->bp_op, dhcp_msg_type);
+ if (preq_addr.s_addr != htonl(0L))
+ DPRINTF(" req_addr=%08" PRIx32 "\n", ntohl(preq_addr.s_addr));
+@@ -179,9 +182,10 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
+ return;
+ }
+ m->m_data += IF_MAXLINKHDR;
++ m_inc(m, sizeof(struct bootp_t) + DHCP_OPT_LEN);
+ rbp = (struct bootp_t *)m->m_data;
+ m->m_data += sizeof(struct udpiphdr);
+- memset(rbp, 0, sizeof(struct bootp_t));
++ memset(rbp, 0, sizeof(struct bootp_t) + DHCP_OPT_LEN);
+
+ if (dhcp_msg_type == DHCPDISCOVER) {
+ if (preq_addr.s_addr != htonl(0L)) {
+@@ -235,7 +239,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
+ rbp->bp_siaddr = saddr.sin_addr; /* Server IP address */
+
+ q = rbp->bp_vend;
+- end = (uint8_t *)&rbp[1];
++ end = rbp->bp_vend + DHCP_OPT_LEN;
+ memcpy(q, rfc1533_cookie, 4);
+ q += 4;
+
+@@ -364,6 +368,6 @@ void bootp_input(struct mbuf *m)
+ struct bootp_t *bp = mtod(m, struct bootp_t *);
+
+ if (bp->bp_op == BOOTP_REQUEST) {
+- bootp_reply(m->slirp, bp);
++ bootp_reply(m->slirp, bp, m_end(m));
+ }
+ }
+diff --git a/slirp/src/bootp.h b/slirp/src/bootp.h
+index a57fa51bc..31ce5fd33 100644
+--- a/slirp/src/bootp.h
++++ b/slirp/src/bootp.h
+@@ -114,7 +114,7 @@ struct bootp_t {
+ uint8_t bp_hwaddr[16];
+ uint8_t bp_sname[64];
+ char bp_file[128];
+- uint8_t bp_vend[DHCP_OPT_LEN];
++ uint8_t bp_vend[];
+ };
+
+ typedef struct {
+diff --git a/slirp/src/mbuf.c b/slirp/src/mbuf.c
+index cb2e97108..0c1a530f1 100644
+--- a/slirp/src/mbuf.c
++++ b/slirp/src/mbuf.c
+@@ -233,3 +233,8 @@ void *mtod_check(struct mbuf *m, size_t len)
+
+ return NULL;
+ }
++
++void *m_end(struct mbuf *m)
++{
++ return m->m_data + m->m_len;
++}
+diff --git a/slirp/src/mbuf.h b/slirp/src/mbuf.h
+index 2015e3232..a9752a36e 100644
+--- a/slirp/src/mbuf.h
++++ b/slirp/src/mbuf.h
+@@ -119,6 +119,7 @@ void m_adj(struct mbuf *, int);
+ int m_copy(struct mbuf *, struct mbuf *, int, int);
+ struct mbuf *dtom(Slirp *, void *);
+ void *mtod_check(struct mbuf *, size_t len);
++void *m_end(struct mbuf *);
+
+ static inline void ifs_init(struct mbuf *ifm)
+ {
+--
+2.31.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_3.patch
new file mode 100644
index 0000000000..f07a0faeb7
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_3.patch
@@ -0,0 +1,40 @@
+From d175694c607273b6c8f09717de9c455891d6765d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 16:15:14 +0400
+Subject: [PATCH 03/12] bootp: check bootp_input buffer size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes: CVE-2021-3592
+Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+Upstream-Status: Backport [2eca0838eee1da96204545e22cdaed860d9d7c6c]
+CVE: CVE-2021-3592
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ slirp/src/bootp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/slirp/src/bootp.c b/slirp/src/bootp.c
+index e0db8d196..cafa1eb1f 100644
+--- a/slirp/src/bootp.c
++++ b/slirp/src/bootp.c
+@@ -365,9 +365,9 @@ static void bootp_reply(Slirp *slirp,
+
+ void bootp_input(struct mbuf *m)
+ {
+- struct bootp_t *bp = mtod(m, struct bootp_t *);
++ struct bootp_t *bp = mtod_check(m, sizeof(struct bootp_t));
+
+- if (bp->bp_op == BOOTP_REQUEST) {
++ if (bp && bp->bp_op == BOOTP_REQUEST) {
+ bootp_reply(m->slirp, bp, m_end(m));
+ }
+ }
+--
+2.31.1
+
--
2.33.0
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [hardknott][PATCH 2/8] qemu: fix CVE-2021-3593
2022-01-14 18:03 [hardknott][PATCH 1/8] qemu: fix CVE-2021-3592 Sakib Sajal
@ 2022-01-14 18:03 ` Sakib Sajal
2022-01-14 18:03 ` [hardknott][PATCH 4/8] qemu: fix CVE-2021-3594 Sakib Sajal
` (4 subsequent siblings)
5 siblings, 0 replies; 9+ messages in thread
From: Sakib Sajal @ 2022-01-14 18:03 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2021-3593.patch | 40 +++++++++++++++++++
2 files changed, 41 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 6c00bf274b..6b544a4344 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -73,6 +73,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3592_1.patch \
file://CVE-2021-3592_2.patch \
file://CVE-2021-3592_3.patch \
+ file://CVE-2021-3593.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch
new file mode 100644
index 0000000000..dd14c240a8
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch
@@ -0,0 +1,40 @@
+From fe99634066e1074aaf55e83b576385877d7e4bcc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 16:32:55 +0400
+Subject: [PATCH 04/12] upd6: check udp6_input buffer size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes: CVE-2021-3593
+Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/45
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+Upstream-Status: Backport [de71c15de66ba9350bf62c45b05f8fbff166517b]
+CVE: CVE-2021-3593
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ slirp/src/udp6.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/slirp/src/udp6.c b/slirp/src/udp6.c
+index 6f9486bbc..8c490e4d1 100644
+--- a/slirp/src/udp6.c
++++ b/slirp/src/udp6.c
+@@ -28,7 +28,10 @@ void udp6_input(struct mbuf *m)
+ ip = mtod(m, struct ip6 *);
+ m->m_len -= iphlen;
+ m->m_data += iphlen;
+- uh = mtod(m, struct udphdr *);
++ uh = mtod_check(m, sizeof(struct udphdr));
++ if (uh == NULL) {
++ goto bad;
++ }
+ m->m_len += iphlen;
+ m->m_data -= iphlen;
+
+--
+2.31.1
+
--
2.33.0
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [hardknott][PATCH 4/8] qemu: fix CVE-2021-3594
2022-01-14 18:03 [hardknott][PATCH 1/8] qemu: fix CVE-2021-3592 Sakib Sajal
2022-01-14 18:03 ` [hardknott][PATCH 2/8] qemu: fix CVE-2021-3593 Sakib Sajal
@ 2022-01-14 18:03 ` Sakib Sajal
2022-01-14 18:03 ` [hardknott][PATCH 6/8] qemu: fix CVE-2021-3748 Sakib Sajal
` (3 subsequent siblings)
5 siblings, 0 replies; 9+ messages in thread
From: Sakib Sajal @ 2022-01-14 18:03 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2021-3594.patch | 40 +++++++++++++++++++
2 files changed, 41 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 811bdff426..4198d3a52c 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -76,6 +76,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3593.patch \
file://CVE-2021-3595_1.patch \
file://CVE-2021-3595_2.patch \
+ file://CVE-2021-3594.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch
new file mode 100644
index 0000000000..c99ba7a7cc
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch
@@ -0,0 +1,40 @@
+From 7a5ffd5475f2cbfe3cf91d9584893f1a4b3b4dff Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 16:40:23 +0400
+Subject: [PATCH 07/12] udp: check upd_input buffer size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes: CVE-2021-3594
+Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/47
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+Upstream-Status: Backport [74572be49247c8c5feae7c6e0b50c4f569ca9824]
+CVE: CVE-2021-3594
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ slirp/src/udp.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/slirp/src/udp.c b/slirp/src/udp.c
+index 0ad44d7c0..18b4acdfa 100644
+--- a/slirp/src/udp.c
++++ b/slirp/src/udp.c
+@@ -93,7 +93,10 @@ void udp_input(register struct mbuf *m, int iphlen)
+ /*
+ * Get IP and UDP header together in first mbuf.
+ */
+- ip = mtod(m, struct ip *);
++ ip = mtod_check(m, iphlen + sizeof(struct udphdr));
++ if (ip == NULL) {
++ goto bad;
++ }
+ uh = (struct udphdr *)((char *)ip + iphlen);
+
+ /*
+--
+2.31.1
+
--
2.33.0
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [hardknott][PATCH 6/8] qemu: fix CVE-2021-3748
2022-01-14 18:03 [hardknott][PATCH 1/8] qemu: fix CVE-2021-3592 Sakib Sajal
2022-01-14 18:03 ` [hardknott][PATCH 2/8] qemu: fix CVE-2021-3593 Sakib Sajal
2022-01-14 18:03 ` [hardknott][PATCH 4/8] qemu: fix CVE-2021-3594 Sakib Sajal
@ 2022-01-14 18:03 ` Sakib Sajal
2022-01-14 18:03 ` [hardknott][PATCH 8/8] qemu: fix CVE-2021-20196 Sakib Sajal
` (2 subsequent siblings)
5 siblings, 0 replies; 9+ messages in thread
From: Sakib Sajal @ 2022-01-14 18:03 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2021-3748.patch | 127 ++++++++++++++++++
2 files changed, 128 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 970aa96608..7648ce9a38 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -78,6 +78,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3595_2.patch \
file://CVE-2021-3594.patch \
file://CVE-2021-3713.patch \
+ file://CVE-2021-3748.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
new file mode 100644
index 0000000000..4765f24739
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
@@ -0,0 +1,127 @@
+From bacc200f623647632258f7efc0f098ac30dd4225 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Thu, 2 Sep 2021 13:44:12 +0800
+Subject: [PATCH 09/12] virtio-net: fix use after unmap/free for sg
+
+When mergeable buffer is enabled, we try to set the num_buffers after
+the virtqueue elem has been unmapped. This will lead several issues,
+E.g a use after free when the descriptor has an address which belongs
+to the non direct access region. In this case we use bounce buffer
+that is allocated during address_space_map() and freed during
+address_space_unmap().
+
+Fixing this by storing the elems temporarily in an array and delay the
+unmap after we set the the num_buffers.
+
+This addresses CVE-2021-3748.
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Fixes: fbe78f4f55c6 ("virtio-net support")
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [bedd7e93d01961fcb16a97ae45d93acf357e11f6]
+CVE: CVE-2021-3748
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++-------
+ 1 file changed, 32 insertions(+), 7 deletions(-)
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index 9179013ac..df1d30e2c 100644
+--- a/hw/net/virtio-net.c
++++ b/hw/net/virtio-net.c
+@@ -1665,10 +1665,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ VirtIONet *n = qemu_get_nic_opaque(nc);
+ VirtIONetQueue *q = virtio_net_get_subqueue(nc);
+ VirtIODevice *vdev = VIRTIO_DEVICE(n);
++ VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE];
++ size_t lens[VIRTQUEUE_MAX_SIZE];
+ struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE];
+ struct virtio_net_hdr_mrg_rxbuf mhdr;
+ unsigned mhdr_cnt = 0;
+- size_t offset, i, guest_offset;
++ size_t offset, i, guest_offset, j;
++ ssize_t err;
+
+ if (!virtio_net_can_receive(nc)) {
+ return -1;
+@@ -1699,6 +1702,12 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+
+ total = 0;
+
++ if (i == VIRTQUEUE_MAX_SIZE) {
++ virtio_error(vdev, "virtio-net unexpected long buffer chain");
++ err = size;
++ goto err;
++ }
++
+ elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement));
+ if (!elem) {
+ if (i) {
+@@ -1710,7 +1719,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ n->guest_hdr_len, n->host_hdr_len,
+ vdev->guest_features);
+ }
+- return -1;
++ err = -1;
++ goto err;
+ }
+
+ if (elem->in_num < 1) {
+@@ -1718,7 +1728,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ "virtio-net receive queue contains no in buffers");
+ virtqueue_detach_element(q->rx_vq, elem, 0);
+ g_free(elem);
+- return -1;
++ err = -1;
++ goto err;
+ }
+
+ sg = elem->in_sg;
+@@ -1755,12 +1766,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ if (!n->mergeable_rx_bufs && offset < size) {
+ virtqueue_unpop(q->rx_vq, elem, total);
+ g_free(elem);
+- return size;
++ err = size;
++ goto err;
+ }
+
+- /* signal other side */
+- virtqueue_fill(q->rx_vq, elem, total, i++);
+- g_free(elem);
++ elems[i] = elem;
++ lens[i] = total;
++ i++;
+ }
+
+ if (mhdr_cnt) {
+@@ -1770,10 +1782,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ &mhdr.num_buffers, sizeof mhdr.num_buffers);
+ }
+
++ for (j = 0; j < i; j++) {
++ /* signal other side */
++ virtqueue_fill(q->rx_vq, elems[j], lens[j], j);
++ g_free(elems[j]);
++ }
++
+ virtqueue_flush(q->rx_vq, i);
+ virtio_notify(vdev, q->rx_vq);
+
+ return size;
++
++err:
++ for (j = 0; j < i; j++) {
++ g_free(elems[j]);
++ }
++
++ return err;
+ }
+
+ static ssize_t virtio_net_do_receive(NetClientState *nc, const uint8_t *buf,
+--
+2.31.1
+
--
2.33.0
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [hardknott][PATCH 8/8] qemu: fix CVE-2021-20196
2022-01-14 18:03 [hardknott][PATCH 1/8] qemu: fix CVE-2021-3592 Sakib Sajal
` (2 preceding siblings ...)
2022-01-14 18:03 ` [hardknott][PATCH 6/8] qemu: fix CVE-2021-3748 Sakib Sajal
@ 2022-01-14 18:03 ` Sakib Sajal
[not found] ` <16CA351C3E7E813D.13159@lists.openembedded.org>
[not found] ` <16CA351C3BA3B44B.29498@lists.openembedded.org>
5 siblings, 0 replies; 9+ messages in thread
From: Sakib Sajal @ 2022-01-14 18:03 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
meta/recipes-devtools/qemu/qemu.inc | 2 +
.../qemu/qemu/CVE-2021-20196_1.patch | 54 +++++++++++++++
.../qemu/qemu/CVE-2021-20196_2.patch | 67 +++++++++++++++++++
3 files changed, 123 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 4a5379893c..3401fd7194 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -80,6 +80,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3713.patch \
file://CVE-2021-3748.patch \
file://CVE-2021-3930.patch \
+ file://CVE-2021-20196_1.patch \
+ file://CVE-2021-20196_2.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch
new file mode 100644
index 0000000000..8b1ad0423b
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch
@@ -0,0 +1,54 @@
+From e907ff3d4cb7fd20d402f45355059e67d0dc93e7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 24 Nov 2021 17:15:34 +0100
+Subject: [PATCH 11/12] hw/block/fdc: Extract blk_create_empty_drive()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We are going to re-use this code in the next commit,
+so extract it as a new blk_create_empty_drive() function.
+
+Inspired-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20211124161536.631563-2-philmd@redhat.com
+Signed-off-by: John Snow <jsnow@redhat.com>
+
+Upstream-Status: Backport [b154791e7b6d4ca5cdcd54443484d97360bd7ad2]
+CVE: CVE-2021-20196
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/block/fdc.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index 4c2c35e22..854b4f172 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -61,6 +61,12 @@
+ } while (0)
+
+
++/* Anonymous BlockBackend for empty drive */
++static BlockBackend *blk_create_empty_drive(void)
++{
++ return blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL);
++}
++
+ /********************************************************/
+ /* qdev floppy bus */
+
+@@ -543,8 +549,7 @@ static void floppy_drive_realize(DeviceState *qdev, Error **errp)
+ }
+
+ if (!dev->conf.blk) {
+- /* Anonymous BlockBackend for an empty drive */
+- dev->conf.blk = blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL);
++ dev->conf.blk = blk_create_empty_drive();
+ ret = blk_attach_dev(dev->conf.blk, qdev);
+ assert(ret == 0);
+
+--
+2.31.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch
new file mode 100644
index 0000000000..dd442ccb8f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch
@@ -0,0 +1,67 @@
+From 1d48445a951fd5504190a38abeda70ea9372cf77 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 24 Nov 2021 17:15:35 +0100
+Subject: [PATCH 12/12] hw/block/fdc: Kludge missing floppy drive to fix
+ CVE-2021-20196
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guest might select another drive on the bus by setting the
+DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR).
+The current controller model doesn't expect a BlockBackend
+to be NULL. A simple way to fix CVE-2021-20196 is to create
+an empty BlockBackend when it is missing. All further
+accesses will be safely handled, and the controller state
+machines keep behaving correctly.
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2021-20196
+Reported-by: Gaoning Pan (Ant Security Light-Year Lab) <pgn@zju.edu.cn>
+Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20211124161536.631563-3-philmd@redhat.com
+BugLink: https://bugs.launchpad.net/qemu/+bug/1912780
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/338
+Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: John Snow <jsnow@redhat.com>
+
+Upstream-Status: Backport [1ab95af033a419e7a64e2d58e67dd96b20af5233]
+CVE: CVE-2021-20196
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/block/fdc.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index 854b4f172..a736c4d14 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -1365,7 +1365,19 @@ static FDrive *get_drv(FDCtrl *fdctrl, int unit)
+
+ static FDrive *get_cur_drv(FDCtrl *fdctrl)
+ {
+- return get_drv(fdctrl, fdctrl->cur_drv);
++ FDrive *cur_drv = get_drv(fdctrl, fdctrl->cur_drv);
++
++ if (!cur_drv->blk) {
++ /*
++ * Kludge: empty drive line selected. Create an anonymous
++ * BlockBackend to avoid NULL deref with various BlockBackend
++ * API calls within this model (CVE-2021-20196).
++ * Due to the controller QOM model limitations, we don't
++ * attach the created to the controller device.
++ */
++ cur_drv->blk = blk_create_empty_drive();
++ }
++ return cur_drv;
+ }
+
+ /* Status A register : 0x00 (read-only) */
+--
+2.31.1
+
--
2.33.0
^ permalink raw reply related [flat|nested] 9+ messages in thread
[parent not found: <16CA351C3E7E813D.13159@lists.openembedded.org>]
* Re: [OE-core] [hardknott][PATCH 4/8] qemu: fix CVE-2021-3594
[not found] ` <16CA351C3E7E813D.13159@lists.openembedded.org>
@ 2022-01-14 18:10 ` Sakib Sajal
0 siblings, 0 replies; 9+ messages in thread
From: Sakib Sajal @ 2022-01-14 18:10 UTC (permalink / raw)
To: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 3061 bytes --]
Please disregard, sorry for the barrage of incomplete patch set.
On 2022-01-14 1:03 p.m., Sakib Sajal wrote:
> Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> ---
> meta/recipes-devtools/qemu/qemu.inc | 1 +
> .../qemu/qemu/CVE-2021-3594.patch | 40 +++++++++++++++++++
> 2 files changed, 41 insertions(+)
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch
>
> diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
> index 811bdff426..4198d3a52c 100644
> --- a/meta/recipes-devtools/qemu/qemu.inc
> +++ b/meta/recipes-devtools/qemu/qemu.inc
> @@ -76,6 +76,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
> file://CVE-2021-3593.patch \
> file://CVE-2021-3595_1.patch \
> file://CVE-2021-3595_2.patch \
> + file://CVE-2021-3594.patch \
> "
> UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
>
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch
> new file mode 100644
> index 0000000000..c99ba7a7cc
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3594.patch
> @@ -0,0 +1,40 @@
> +From 7a5ffd5475f2cbfe3cf91d9584893f1a4b3b4dff Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
> +Date: Fri, 4 Jun 2021 16:40:23 +0400
> +Subject: [PATCH 07/12] udp: check upd_input buffer size
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Fixes: CVE-2021-3594
> +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/47
> +
> +Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> +
> +Upstream-Status: Backport [74572be49247c8c5feae7c6e0b50c4f569ca9824]
> +CVE: CVE-2021-3594
> +
> +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> +---
> + slirp/src/udp.c | 5 ++++-
> + 1 file changed, 4 insertions(+), 1 deletion(-)
> +
> +diff --git a/slirp/src/udp.c b/slirp/src/udp.c
> +index 0ad44d7c0..18b4acdfa 100644
> +--- a/slirp/src/udp.c
> ++++ b/slirp/src/udp.c
> +@@ -93,7 +93,10 @@ void udp_input(register struct mbuf *m, int iphlen)
> + /*
> + * Get IP and UDP header together in first mbuf.
> + */
> +- ip = mtod(m, struct ip *);
> ++ ip = mtod_check(m, iphlen + sizeof(struct udphdr));
> ++ if (ip == NULL) {
> ++ goto bad;
> ++ }
> + uh = (struct udphdr *)((char *)ip + iphlen);
> +
> + /*
> +--
> +2.31.1
> +
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#160576): https://lists.openembedded.org/g/openembedded-core/message/160576
> Mute This Topic: https://lists.openembedded.org/mt/88426915/4422444
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [sakib.sajal@windriver.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
[-- Attachment #2: Type: text/html, Size: 4536 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
[parent not found: <16CA351C3BA3B44B.29498@lists.openembedded.org>]
* Re: [OE-core] [hardknott][PATCH 2/8] qemu: fix CVE-2021-3593
[not found] ` <16CA351C3BA3B44B.29498@lists.openembedded.org>
@ 2022-01-14 18:10 ` Sakib Sajal
2022-01-15 2:55 ` Mittal, Anuj
0 siblings, 1 reply; 9+ messages in thread
From: Sakib Sajal @ 2022-01-14 18:10 UTC (permalink / raw)
To: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 3051 bytes --]
Please disregard, sorry for the barrage of incomplete patch set.
On 2022-01-14 1:03 p.m., Sakib Sajal wrote:
> Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> ---
> meta/recipes-devtools/qemu/qemu.inc | 1 +
> .../qemu/qemu/CVE-2021-3593.patch | 40 +++++++++++++++++++
> 2 files changed, 41 insertions(+)
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch
>
> diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
> index 6c00bf274b..6b544a4344 100644
> --- a/meta/recipes-devtools/qemu/qemu.inc
> +++ b/meta/recipes-devtools/qemu/qemu.inc
> @@ -73,6 +73,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
> file://CVE-2021-3592_1.patch \
> file://CVE-2021-3592_2.patch \
> file://CVE-2021-3592_3.patch \
> + file://CVE-2021-3593.patch \
> "
> UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
>
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch
> new file mode 100644
> index 0000000000..dd14c240a8
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch
> @@ -0,0 +1,40 @@
> +From fe99634066e1074aaf55e83b576385877d7e4bcc Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
> +Date: Fri, 4 Jun 2021 16:32:55 +0400
> +Subject: [PATCH 04/12] upd6: check udp6_input buffer size
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Fixes: CVE-2021-3593
> +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/45
> +
> +Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> +
> +Upstream-Status: Backport [de71c15de66ba9350bf62c45b05f8fbff166517b]
> +CVE: CVE-2021-3593
> +
> +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> +---
> + slirp/src/udp6.c | 5 ++++-
> + 1 file changed, 4 insertions(+), 1 deletion(-)
> +
> +diff --git a/slirp/src/udp6.c b/slirp/src/udp6.c
> +index 6f9486bbc..8c490e4d1 100644
> +--- a/slirp/src/udp6.c
> ++++ b/slirp/src/udp6.c
> +@@ -28,7 +28,10 @@ void udp6_input(struct mbuf *m)
> + ip = mtod(m, struct ip6 *);
> + m->m_len -= iphlen;
> + m->m_data += iphlen;
> +- uh = mtod(m, struct udphdr *);
> ++ uh = mtod_check(m, sizeof(struct udphdr));
> ++ if (uh == NULL) {
> ++ goto bad;
> ++ }
> + m->m_len += iphlen;
> + m->m_data -= iphlen;
> +
> +--
> +2.31.1
> +
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#160575): https://lists.openembedded.org/g/openembedded-core/message/160575
> Mute This Topic: https://lists.openembedded.org/mt/88426914/4422444
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [sakib.sajal@windriver.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
[-- Attachment #2: Type: text/html, Size: 4530 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [OE-core] [hardknott][PATCH 2/8] qemu: fix CVE-2021-3593
2022-01-14 18:10 ` [OE-core] [hardknott][PATCH 2/8] qemu: fix CVE-2021-3593 Sakib Sajal
@ 2022-01-15 2:55 ` Mittal, Anuj
0 siblings, 0 replies; 9+ messages in thread
From: Mittal, Anuj @ 2022-01-15 2:55 UTC (permalink / raw)
To: openembedded-core, sakib.sajal
On Fri, 2022-01-14 at 13:10 -0500, Sakib Sajal wrote:
> Please disregard, sorry for the barrage of incomplete patch set.
Do you also have a branch on contrib that I can pull these patches
from?
Thanks,
Anuj
> On 2022-01-14 1:03 p.m., Sakib Sajal wrote:
>
> > Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> > ---
> > meta/recipes-devtools/qemu/qemu.inc | 1 +
> > .../qemu/qemu/CVE-2021-3593.patch | 40
> > +++++++++++++++++++
> > 2 files changed, 41 insertions(+)
> > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-
> > 3593.patch
> >
> > diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-
> > devtools/qemu/qemu.inc
> > index 6c00bf274b..6b544a4344 100644
> > --- a/meta/recipes-devtools/qemu/qemu.inc
> > +++ b/meta/recipes-devtools/qemu/qemu.inc
> > @@ -73,6 +73,7 @@ SRC_URI =
> > "https://download.qemu.org/${BPN}-${PV}.tar.xz \
> > file://CVE-2021-3592_1.patch \
> > file://CVE-2021-3592_2.patch \
> > file://CVE-2021-3592_3.patch \
> > + file://CVE-2021-3593.patch \
> > "
> > UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
> >
> > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch
> > b/meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch
> > new file mode 100644
> > index 0000000000..dd14c240a8
> > --- /dev/null
> > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3593.patch
> > @@ -0,0 +1,40 @@
> > +From fe99634066e1074aaf55e83b576385877d7e4bcc Mon Sep 17 00:00:00
> > 2001
> > +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
> > <marcandre.lureau@redhat.com>
> > +Date: Fri, 4 Jun 2021 16:32:55 +0400
> > +Subject: [PATCH 04/12] upd6: check udp6_input buffer size
> > +MIME-Version: 1.0
> > +Content-Type: text/plain; charset=UTF-8
> > +Content-Transfer-Encoding: 8bit
> > +
> > +Fixes: CVE-2021-3593
> > +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/45
> > +
> > +Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> > +
> > +Upstream-Status: Backport
> > [de71c15de66ba9350bf62c45b05f8fbff166517b]
> > +CVE: CVE-2021-3593
> > +
> > +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> > +---
> > + slirp/src/udp6.c | 5 ++++-
> > + 1 file changed, 4 insertions(+), 1 deletion(-)
> > +
> > +diff --git a/slirp/src/udp6.c b/slirp/src/udp6.c
> > +index 6f9486bbc..8c490e4d1 100644
> > +--- a/slirp/src/udp6.c
> > ++++ b/slirp/src/udp6.c
> > +@@ -28,7 +28,10 @@ void udp6_input(struct mbuf *m)
> > + ip = mtod(m, struct ip6 *);
> > + m->m_len -= iphlen;
> > + m->m_data += iphlen;
> > +- uh = mtod(m, struct udphdr *);
> > ++ uh = mtod_check(m, sizeof(struct udphdr));
> > ++ if (uh == NULL) {
> > ++ goto bad;
> > ++ }
> > + m->m_len += iphlen;
> > + m->m_data -= iphlen;
> > +
> > +--
> > +2.31.1
> > +
> >
> >
> >
> >
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#160583):
> https://lists.openembedded.org/g/openembedded-core/message/160583
> Mute This Topic: https://lists.openembedded.org/mt/88427080/3616702
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe:
> https://lists.openembedded.org/g/openembedded-core/unsub [
> anuj.mittal@intel.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
^ permalink raw reply [flat|nested] 9+ messages in thread
* [hardknott][PATCH 1/8] qemu: fix CVE-2021-3592
@ 2022-02-02 15:47 Sakib Sajal
0 siblings, 0 replies; 9+ messages in thread
From: Sakib Sajal @ 2022-02-02 15:47 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
meta/recipes-devtools/qemu/qemu.inc | 3 +
.../qemu/qemu/CVE-2021-3592_1.patch | 58 ++++++
.../qemu/qemu/CVE-2021-3592_2.patch | 165 ++++++++++++++++++
.../qemu/qemu/CVE-2021-3592_3.patch | 40 +++++
4 files changed, 266 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3592_1.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3592_2.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3592_3.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 463339e42b..6c00bf274b 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -70,6 +70,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3607.patch \
file://CVE-2021-3608.patch \
file://CVE-2021-3682.patch \
+ file://CVE-2021-3592_1.patch \
+ file://CVE-2021-3592_2.patch \
+ file://CVE-2021-3592_3.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_1.patch
new file mode 100644
index 0000000000..e374959594
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_1.patch
@@ -0,0 +1,58 @@
+From 0123c625aed2ed0679fa8c084104699d918c1da6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 15:58:25 +0400
+Subject: [PATCH 01/12] Add mtod_check()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Recent security issues demonstrate the lack of safety care when casting
+a mbuf to a particular structure type. At least, it should check that
+the buffer is large enough. The following patches will make use of this
+function.
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+Upstream-Status: Backport [93e645e72a056ec0b2c16e0299fc5c6b94e4ca17]
+CVE: CVE-2021-3592
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ slirp/src/mbuf.c | 11 +++++++++++
+ slirp/src/mbuf.h | 1 +
+ 2 files changed, 12 insertions(+)
+
+diff --git a/slirp/src/mbuf.c b/slirp/src/mbuf.c
+index 54ec721eb..cb2e97108 100644
+--- a/slirp/src/mbuf.c
++++ b/slirp/src/mbuf.c
+@@ -222,3 +222,14 @@ struct mbuf *dtom(Slirp *slirp, void *dat)
+
+ return (struct mbuf *)0;
+ }
++
++void *mtod_check(struct mbuf *m, size_t len)
++{
++ if (m->m_len >= len) {
++ return m->m_data;
++ }
++
++ DEBUG_ERROR("mtod failed");
++
++ return NULL;
++}
+diff --git a/slirp/src/mbuf.h b/slirp/src/mbuf.h
+index 546e7852c..2015e3232 100644
+--- a/slirp/src/mbuf.h
++++ b/slirp/src/mbuf.h
+@@ -118,6 +118,7 @@ void m_inc(struct mbuf *, int);
+ void m_adj(struct mbuf *, int);
+ int m_copy(struct mbuf *, struct mbuf *, int, int);
+ struct mbuf *dtom(Slirp *, void *);
++void *mtod_check(struct mbuf *, size_t len);
+
+ static inline void ifs_init(struct mbuf *ifm)
+ {
+--
+2.31.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_2.patch
new file mode 100644
index 0000000000..799a95417e
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_2.patch
@@ -0,0 +1,165 @@
+From fc2a4797f55016e78f2cde4806b05368fa5b7a97 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 19:25:28 +0400
+Subject: [PATCH 02/12] bootp: limit vendor-specific area to input packet
+ memory buffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+sizeof(bootp_t) currently holds DHCP_OPT_LEN. Remove this optional field
+from the structure, to help with the following patch checking for
+minimal header size. Modify the bootp_reply() function to take the
+buffer boundaries and avoiding potential buffer overflow.
+
+Related to CVE-2021-3592.
+
+https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+Upstream-Status: Backport [f13cad45b25d92760bb0ad67bec0300a4d7d5275]
+CVE: CVE-2021-3592
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ slirp/src/bootp.c | 26 +++++++++++++++-----------
+ slirp/src/bootp.h | 2 +-
+ slirp/src/mbuf.c | 5 +++++
+ slirp/src/mbuf.h | 1 +
+ 4 files changed, 22 insertions(+), 12 deletions(-)
+
+diff --git a/slirp/src/bootp.c b/slirp/src/bootp.c
+index 46e96810a..e0db8d196 100644
+--- a/slirp/src/bootp.c
++++ b/slirp/src/bootp.c
+@@ -92,21 +92,22 @@ found:
+ return bc;
+ }
+
+-static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
++static void dhcp_decode(const struct bootp_t *bp,
++ const uint8_t *bp_end,
++ int *pmsg_type,
+ struct in_addr *preq_addr)
+ {
+- const uint8_t *p, *p_end;
++ const uint8_t *p;
+ int len, tag;
+
+ *pmsg_type = 0;
+ preq_addr->s_addr = htonl(0L);
+
+ p = bp->bp_vend;
+- p_end = p + DHCP_OPT_LEN;
+ if (memcmp(p, rfc1533_cookie, 4) != 0)
+ return;
+ p += 4;
+- while (p < p_end) {
++ while (p < bp_end) {
+ tag = p[0];
+ if (tag == RFC1533_PAD) {
+ p++;
+@@ -114,10 +115,10 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
+ break;
+ } else {
+ p++;
+- if (p >= p_end)
++ if (p >= bp_end)
+ break;
+ len = *p++;
+- if (p + len > p_end) {
++ if (p + len > bp_end) {
+ break;
+ }
+ DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
+@@ -144,7 +145,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
+ }
+ }
+
+-static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
++static void bootp_reply(Slirp *slirp,
++ const struct bootp_t *bp,
++ const uint8_t *bp_end)
+ {
+ BOOTPClient *bc = NULL;
+ struct mbuf *m;
+@@ -157,7 +160,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
+ uint8_t client_ethaddr[ETH_ALEN];
+
+ /* extract exact DHCP msg type */
+- dhcp_decode(bp, &dhcp_msg_type, &preq_addr);
++ dhcp_decode(bp, bp_end, &dhcp_msg_type, &preq_addr);
+ DPRINTF("bootp packet op=%d msgtype=%d", bp->bp_op, dhcp_msg_type);
+ if (preq_addr.s_addr != htonl(0L))
+ DPRINTF(" req_addr=%08" PRIx32 "\n", ntohl(preq_addr.s_addr));
+@@ -179,9 +182,10 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
+ return;
+ }
+ m->m_data += IF_MAXLINKHDR;
++ m_inc(m, sizeof(struct bootp_t) + DHCP_OPT_LEN);
+ rbp = (struct bootp_t *)m->m_data;
+ m->m_data += sizeof(struct udpiphdr);
+- memset(rbp, 0, sizeof(struct bootp_t));
++ memset(rbp, 0, sizeof(struct bootp_t) + DHCP_OPT_LEN);
+
+ if (dhcp_msg_type == DHCPDISCOVER) {
+ if (preq_addr.s_addr != htonl(0L)) {
+@@ -235,7 +239,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
+ rbp->bp_siaddr = saddr.sin_addr; /* Server IP address */
+
+ q = rbp->bp_vend;
+- end = (uint8_t *)&rbp[1];
++ end = rbp->bp_vend + DHCP_OPT_LEN;
+ memcpy(q, rfc1533_cookie, 4);
+ q += 4;
+
+@@ -364,6 +368,6 @@ void bootp_input(struct mbuf *m)
+ struct bootp_t *bp = mtod(m, struct bootp_t *);
+
+ if (bp->bp_op == BOOTP_REQUEST) {
+- bootp_reply(m->slirp, bp);
++ bootp_reply(m->slirp, bp, m_end(m));
+ }
+ }
+diff --git a/slirp/src/bootp.h b/slirp/src/bootp.h
+index a57fa51bc..31ce5fd33 100644
+--- a/slirp/src/bootp.h
++++ b/slirp/src/bootp.h
+@@ -114,7 +114,7 @@ struct bootp_t {
+ uint8_t bp_hwaddr[16];
+ uint8_t bp_sname[64];
+ char bp_file[128];
+- uint8_t bp_vend[DHCP_OPT_LEN];
++ uint8_t bp_vend[];
+ };
+
+ typedef struct {
+diff --git a/slirp/src/mbuf.c b/slirp/src/mbuf.c
+index cb2e97108..0c1a530f1 100644
+--- a/slirp/src/mbuf.c
++++ b/slirp/src/mbuf.c
+@@ -233,3 +233,8 @@ void *mtod_check(struct mbuf *m, size_t len)
+
+ return NULL;
+ }
++
++void *m_end(struct mbuf *m)
++{
++ return m->m_data + m->m_len;
++}
+diff --git a/slirp/src/mbuf.h b/slirp/src/mbuf.h
+index 2015e3232..a9752a36e 100644
+--- a/slirp/src/mbuf.h
++++ b/slirp/src/mbuf.h
+@@ -119,6 +119,7 @@ void m_adj(struct mbuf *, int);
+ int m_copy(struct mbuf *, struct mbuf *, int, int);
+ struct mbuf *dtom(Slirp *, void *);
+ void *mtod_check(struct mbuf *, size_t len);
++void *m_end(struct mbuf *);
+
+ static inline void ifs_init(struct mbuf *ifm)
+ {
+--
+2.31.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_3.patch
new file mode 100644
index 0000000000..f07a0faeb7
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3592_3.patch
@@ -0,0 +1,40 @@
+From d175694c607273b6c8f09717de9c455891d6765d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 4 Jun 2021 16:15:14 +0400
+Subject: [PATCH 03/12] bootp: check bootp_input buffer size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes: CVE-2021-3592
+Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+Upstream-Status: Backport [2eca0838eee1da96204545e22cdaed860d9d7c6c]
+CVE: CVE-2021-3592
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ slirp/src/bootp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/slirp/src/bootp.c b/slirp/src/bootp.c
+index e0db8d196..cafa1eb1f 100644
+--- a/slirp/src/bootp.c
++++ b/slirp/src/bootp.c
+@@ -365,9 +365,9 @@ static void bootp_reply(Slirp *slirp,
+
+ void bootp_input(struct mbuf *m)
+ {
+- struct bootp_t *bp = mtod(m, struct bootp_t *);
++ struct bootp_t *bp = mtod_check(m, sizeof(struct bootp_t));
+
+- if (bp->bp_op == BOOTP_REQUEST) {
++ if (bp && bp->bp_op == BOOTP_REQUEST) {
+ bootp_reply(m->slirp, bp, m_end(m));
+ }
+ }
+--
+2.31.1
+
--
2.33.0
^ permalink raw reply related [flat|nested] 9+ messages in thread
end of thread, other threads:[~2022-02-02 15:47 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-01-14 18:03 [hardknott][PATCH 1/8] qemu: fix CVE-2021-3592 Sakib Sajal
2022-01-14 18:03 ` [hardknott][PATCH 2/8] qemu: fix CVE-2021-3593 Sakib Sajal
2022-01-14 18:03 ` [hardknott][PATCH 4/8] qemu: fix CVE-2021-3594 Sakib Sajal
2022-01-14 18:03 ` [hardknott][PATCH 6/8] qemu: fix CVE-2021-3748 Sakib Sajal
2022-01-14 18:03 ` [hardknott][PATCH 8/8] qemu: fix CVE-2021-20196 Sakib Sajal
[not found] ` <16CA351C3E7E813D.13159@lists.openembedded.org>
2022-01-14 18:10 ` [OE-core] [hardknott][PATCH 4/8] qemu: fix CVE-2021-3594 Sakib Sajal
[not found] ` <16CA351C3BA3B44B.29498@lists.openembedded.org>
2022-01-14 18:10 ` [OE-core] [hardknott][PATCH 2/8] qemu: fix CVE-2021-3593 Sakib Sajal
2022-01-15 2:55 ` Mittal, Anuj
2022-02-02 15:47 [hardknott][PATCH 1/8] qemu: fix CVE-2021-3592 Sakib Sajal
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).