diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu')
5 files changed, 369 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch new file mode 100644 index 0000000000..8b1ad0423b --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_1.patch @@ -0,0 +1,54 @@ +From e907ff3d4cb7fd20d402f45355059e67d0dc93e7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Wed, 24 Nov 2021 17:15:34 +0100 +Subject: [PATCH 11/12] hw/block/fdc: Extract blk_create_empty_drive() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We are going to re-use this code in the next commit, +so extract it as a new blk_create_empty_drive() function. + +Inspired-by: Hanna Reitz <hreitz@redhat.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-id: 20211124161536.631563-2-philmd@redhat.com +Signed-off-by: John Snow <jsnow@redhat.com> + +Upstream-Status: Backport [b154791e7b6d4ca5cdcd54443484d97360bd7ad2] +CVE: CVE-2021-20196 + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/block/fdc.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/hw/block/fdc.c b/hw/block/fdc.c +index 4c2c35e22..854b4f172 100644 +--- a/hw/block/fdc.c ++++ b/hw/block/fdc.c +@@ -61,6 +61,12 @@ + } while (0) + + ++/* Anonymous BlockBackend for empty drive */ ++static BlockBackend *blk_create_empty_drive(void) ++{ ++ return blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL); ++} ++ + /********************************************************/ + /* qdev floppy bus */ + +@@ -543,8 +549,7 @@ static void floppy_drive_realize(DeviceState *qdev, Error **errp) + } + + if (!dev->conf.blk) { +- /* Anonymous BlockBackend for an empty drive */ +- dev->conf.blk = blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL); ++ dev->conf.blk = blk_create_empty_drive(); + ret = blk_attach_dev(dev->conf.blk, qdev); + assert(ret == 0); + +-- +2.31.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch new file mode 100644 index 0000000000..dd442ccb8f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch @@ -0,0 +1,67 @@ +From 1d48445a951fd5504190a38abeda70ea9372cf77 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Wed, 24 Nov 2021 17:15:35 +0100 +Subject: [PATCH 12/12] hw/block/fdc: Kludge missing floppy drive to fix + CVE-2021-20196 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guest might select another drive on the bus by setting the +DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR). +The current controller model doesn't expect a BlockBackend +to be NULL. A simple way to fix CVE-2021-20196 is to create +an empty BlockBackend when it is missing. All further +accesses will be safely handled, and the controller state +machines keep behaving correctly. + +Cc: qemu-stable@nongnu.org +Fixes: CVE-2021-20196 +Reported-by: Gaoning Pan (Ant Security Light-Year Lab) <pgn@zju.edu.cn> +Reviewed-by: Darren Kenny <darren.kenny@oracle.com> +Reviewed-by: Hanna Reitz <hreitz@redhat.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-id: 20211124161536.631563-3-philmd@redhat.com +BugLink: https://bugs.launchpad.net/qemu/+bug/1912780 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/338 +Reviewed-by: Darren Kenny <darren.kenny@oracle.com> +Reviewed-by: Hanna Reitz <hreitz@redhat.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Signed-off-by: John Snow <jsnow@redhat.com> + +Upstream-Status: Backport [1ab95af033a419e7a64e2d58e67dd96b20af5233] +CVE: CVE-2021-20196 + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/block/fdc.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/hw/block/fdc.c b/hw/block/fdc.c +index 854b4f172..a736c4d14 100644 +--- a/hw/block/fdc.c ++++ b/hw/block/fdc.c +@@ -1365,7 +1365,19 @@ static FDrive *get_drv(FDCtrl *fdctrl, int unit) + + static FDrive *get_cur_drv(FDCtrl *fdctrl) + { +- return get_drv(fdctrl, fdctrl->cur_drv); ++ FDrive *cur_drv = get_drv(fdctrl, fdctrl->cur_drv); ++ ++ if (!cur_drv->blk) { ++ /* ++ * Kludge: empty drive line selected. Create an anonymous ++ * BlockBackend to avoid NULL deref with various BlockBackend ++ * API calls within this model (CVE-2021-20196). ++ * Due to the controller QOM model limitations, we don't ++ * attach the created to the controller device. ++ */ ++ cur_drv->blk = blk_create_empty_drive(); ++ } ++ return cur_drv; + } + + /* Status A register : 0x00 (read-only) */ +-- +2.31.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch new file mode 100644 index 0000000000..33fca66d3d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch @@ -0,0 +1,68 @@ +From 9a8f71ec660e67c51cc5905dd9d2a12ff78ce743 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Wed, 18 Aug 2021 14:05:05 +0200 +Subject: [PATCH 08/12] uas: add stream number sanity checks. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The device uses the guest-supplied stream number unchecked, which can +lead to guest-triggered out-of-band access to the UASDevice->data3 and +UASDevice->status3 fields. Add the missing checks. + +Fixes: CVE-2021-3713 +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Reported-by: Chen Zhe <chenzhe@huawei.com> +Reported-by: Tan Jingguo <tanjingguo@huawei.com> +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20210818120505.1258262-2-kraxel@redhat.com> +(cherry picked from commit 13b250b12ad3c59114a6a17d59caf073ce45b33a) +Signed-off-by: Michael Roth <michael.roth@amd.com> + +Upstream-Status: Backport [36403e8788a264dc96174f52584681ebcb4f54b1] +CVE: CVE-2021-3713 + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/usb/dev-uas.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c +index cec071d96..157734eb0 100644 +--- a/hw/usb/dev-uas.c ++++ b/hw/usb/dev-uas.c +@@ -831,6 +831,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) + } + break; + case UAS_PIPE_ID_STATUS: ++ if (p->stream > UAS_MAX_STREAMS) { ++ goto err_stream; ++ } + if (p->stream) { + QTAILQ_FOREACH(st, &uas->results, next) { + if (st->stream == p->stream) { +@@ -858,6 +861,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) + break; + case UAS_PIPE_ID_DATA_IN: + case UAS_PIPE_ID_DATA_OUT: ++ if (p->stream > UAS_MAX_STREAMS) { ++ goto err_stream; ++ } + if (p->stream) { + req = usb_uas_find_request(uas, p->stream); + } else { +@@ -893,6 +899,11 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) + p->status = USB_RET_STALL; + break; + } ++ ++err_stream: ++ error_report("%s: invalid stream %d", __func__, p->stream); ++ p->status = USB_RET_STALL; ++ return; + } + + static void usb_uas_unrealize(USBDevice *dev) +-- +2.31.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch new file mode 100644 index 0000000000..4765f24739 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch @@ -0,0 +1,127 @@ +From bacc200f623647632258f7efc0f098ac30dd4225 Mon Sep 17 00:00:00 2001 +From: Jason Wang <jasowang@redhat.com> +Date: Thu, 2 Sep 2021 13:44:12 +0800 +Subject: [PATCH 09/12] virtio-net: fix use after unmap/free for sg + +When mergeable buffer is enabled, we try to set the num_buffers after +the virtqueue elem has been unmapped. This will lead several issues, +E.g a use after free when the descriptor has an address which belongs +to the non direct access region. In this case we use bounce buffer +that is allocated during address_space_map() and freed during +address_space_unmap(). + +Fixing this by storing the elems temporarily in an array and delay the +unmap after we set the the num_buffers. + +This addresses CVE-2021-3748. + +Reported-by: Alexander Bulekov <alxndr@bu.edu> +Fixes: fbe78f4f55c6 ("virtio-net support") +Cc: qemu-stable@nongnu.org +Signed-off-by: Jason Wang <jasowang@redhat.com> + +Upstream-Status: Backport [bedd7e93d01961fcb16a97ae45d93acf357e11f6] +CVE: CVE-2021-3748 + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++------- + 1 file changed, 32 insertions(+), 7 deletions(-) + +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c +index 9179013ac..df1d30e2c 100644 +--- a/hw/net/virtio-net.c ++++ b/hw/net/virtio-net.c +@@ -1665,10 +1665,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + VirtIONet *n = qemu_get_nic_opaque(nc); + VirtIONetQueue *q = virtio_net_get_subqueue(nc); + VirtIODevice *vdev = VIRTIO_DEVICE(n); ++ VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE]; ++ size_t lens[VIRTQUEUE_MAX_SIZE]; + struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE]; + struct virtio_net_hdr_mrg_rxbuf mhdr; + unsigned mhdr_cnt = 0; +- size_t offset, i, guest_offset; ++ size_t offset, i, guest_offset, j; ++ ssize_t err; + + if (!virtio_net_can_receive(nc)) { + return -1; +@@ -1699,6 +1702,12 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + + total = 0; + ++ if (i == VIRTQUEUE_MAX_SIZE) { ++ virtio_error(vdev, "virtio-net unexpected long buffer chain"); ++ err = size; ++ goto err; ++ } ++ + elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement)); + if (!elem) { + if (i) { +@@ -1710,7 +1719,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + n->guest_hdr_len, n->host_hdr_len, + vdev->guest_features); + } +- return -1; ++ err = -1; ++ goto err; + } + + if (elem->in_num < 1) { +@@ -1718,7 +1728,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + "virtio-net receive queue contains no in buffers"); + virtqueue_detach_element(q->rx_vq, elem, 0); + g_free(elem); +- return -1; ++ err = -1; ++ goto err; + } + + sg = elem->in_sg; +@@ -1755,12 +1766,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + if (!n->mergeable_rx_bufs && offset < size) { + virtqueue_unpop(q->rx_vq, elem, total); + g_free(elem); +- return size; ++ err = size; ++ goto err; + } + +- /* signal other side */ +- virtqueue_fill(q->rx_vq, elem, total, i++); +- g_free(elem); ++ elems[i] = elem; ++ lens[i] = total; ++ i++; + } + + if (mhdr_cnt) { +@@ -1770,10 +1782,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + &mhdr.num_buffers, sizeof mhdr.num_buffers); + } + ++ for (j = 0; j < i; j++) { ++ /* signal other side */ ++ virtqueue_fill(q->rx_vq, elems[j], lens[j], j); ++ g_free(elems[j]); ++ } ++ + virtqueue_flush(q->rx_vq, i); + virtio_notify(vdev, q->rx_vq); + + return size; ++ ++err: ++ for (j = 0; j < i; j++) { ++ g_free(elems[j]); ++ } ++ ++ return err; + } + + static ssize_t virtio_net_do_receive(NetClientState *nc, const uint8_t *buf, +-- +2.31.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch new file mode 100644 index 0000000000..bfbe5cee33 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch @@ -0,0 +1,53 @@ +From cdca50eff9c38367be54f92839734ab490c8b0f7 Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella <mcascell@redhat.com> +Date: Thu, 4 Nov 2021 17:31:38 +0100 +Subject: [PATCH 10/12] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE + SELECT commands + +This avoids an off-by-one read of 'mode_sense_valid' buffer in +hw/scsi/scsi-disk.c:mode_sense_page(). + +Fixes: CVE-2021-3930 +Cc: qemu-stable@nongnu.org +Reported-by: Alexander Bulekov <alxndr@bu.edu> +Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table") +Fixes: #546 +Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com> +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +Upstream-Status: Backport [b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8] +CVE: CVE-2021-3930 + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/scsi/scsi-disk.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c +index 90841ad79..5b44ed7d8 100644 +--- a/hw/scsi/scsi-disk.c ++++ b/hw/scsi/scsi-disk.c +@@ -1100,6 +1100,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf, + uint8_t *p = *p_outbuf + 2; + int length; + ++ assert(page < ARRAY_SIZE(mode_sense_valid)); + if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) { + return -1; + } +@@ -1441,6 +1442,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page, + return -1; + } + ++ /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */ ++ if (page == MODE_PAGE_ALLS) { ++ return -1; ++ } ++ + p = mode_current; + memset(mode_current, 0, inlen + 2); + len = mode_sense_page(s, page, &p, 0); +-- +2.31.1 + |