diff options
Diffstat (limited to 'meta/recipes-devtools/qemu')
21 files changed, 1543 insertions, 209 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index b68be447f1..4747310ae4 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -35,8 +35,6 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-4206.patch \ file://CVE-2021-4207.patch \ file://CVE-2022-35414.patch \ - file://CVE-2021-3507_1.patch \ - file://CVE-2021-3507_2.patch \ file://CVE-2021-3929.patch \ file://CVE-2021-4158.patch \ file://CVE-2022-0358.patch \ @@ -93,6 +91,24 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://0021-target-ppc-implement-xs-n-maddqp-o-xs-n-msubqp-o.patch \ file://CVE-2022-3165.patch \ file://CVE-2022-4144.patch \ + file://0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch \ + file://0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \ + file://CVE-2023-0330.patch \ + file://CVE-2023-3301.patch \ + file://CVE-2023-3255.patch \ + file://CVE-2023-2861.patch \ + file://CVE-2020-14394.patch \ + file://CVE-2023-3354.patch \ + file://CVE-2023-3180.patch \ + file://CVE-2021-3638.patch \ + file://CVE-2023-1544.patch \ + file://CVE-2023-5088.patch \ + file://CVE-2024-24474.patch \ + file://CVE-2023-6693.patch \ + file://scsi-disk-allow-MODE-SELECT-block-desriptor-to-set-the-block-size.patch \ + file://scsi-disk-ensure-block-size-is-non-zero-and-changes-limited-to-bits-8-15.patch \ + file://CVE-2023-42467.patch \ + file://CVE-2023-6683.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" @@ -112,6 +128,15 @@ CVE_CHECK_IGNORE += "CVE-2007-0998" # https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11 CVE_CHECK_IGNORE += "CVE-2018-18438" +# As per https://nvd.nist.gov/vuln/detail/CVE-2023-0664 +# https://bugzilla.redhat.com/show_bug.cgi?id=2167423 +# this bug related to windows specific. +CVE_CHECK_IGNORE += "CVE-2023-0664" + +# As per https://bugzilla.redhat.com/show_bug.cgi?id=2203387 +# RHEL specific issue +CVE_CHECK_IGNORE += "CVE-2023-2680" + COMPATIBLE_HOST:mipsarchn32 = "null" COMPATIBLE_HOST:mipsarchn64 = "null" COMPATIBLE_HOST:riscv32 = "null" diff --git a/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch b/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch new file mode 100644 index 0000000000..cd846222c9 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch @@ -0,0 +1,57 @@ +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/61c34fc] + +Signed-off-by: Kai Kang <kai.kang@windriver.com> + +From 61c34fc194b776ecadc39fb26b061331107e5599 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org> +Date: Mon, 28 Nov 2022 21:27:37 +0100 +Subject: [PATCH] hw/display/qxl: Have qxl_log_command Return early if no + log_cmd handler +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Only 3 command types are logged: no need to call qxl_phys2virt() +for the other types. Using different cases will help to pass +different structure sizes to qxl_phys2virt() in a pair of commits. + +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> +Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> +Message-Id: <20221128202741.4945-2-philmd@linaro.org> +--- + hw/display/qxl-logger.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/hw/display/qxl-logger.c b/hw/display/qxl-logger.c +index 68bfa47568..1bcf803db6 100644 +--- a/hw/display/qxl-logger.c ++++ b/hw/display/qxl-logger.c +@@ -247,6 +247,16 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext) + qxl_name(qxl_type, ext->cmd.type), + compat ? "(compat)" : ""); + ++ switch (ext->cmd.type) { ++ case QXL_CMD_DRAW: ++ break; ++ case QXL_CMD_SURFACE: ++ break; ++ case QXL_CMD_CURSOR: ++ break; ++ default: ++ goto out; ++ } + data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id); + if (!data) { + return 1; +@@ -269,6 +279,7 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext) + qxl_log_cmd_cursor(qxl, data, ext->group_id); + break; + } ++out: + fprintf(stderr, "\n"); + return 0; + } +-- +2.34.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch b/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch new file mode 100644 index 0000000000..ac51cf567a --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch @@ -0,0 +1,217 @@ +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/8efec0e] + +Backport and rebase patch to fix compile error which imported by CVE-2022-4144.patch: + +../qemu-6.2.0/hw/display/qxl.c: In function 'qxl_phys2virt': +../qemu-6.2.0/hw/display/qxl.c:1477:67: error: 'size' undeclared (first use in this function); did you mean 'gsize'? + 1477 | if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size)) { + | ^~~~ + | gsize +../qemu-6.2.0/hw/display/qxl.c:1477:67: note: each undeclared identifier is reported only once for each function it appears in + +Signed-off-by: Kai Kang <kai.kang@windriver.com> + +From 8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org> +Date: Mon, 28 Nov 2022 21:27:39 +0100 +Subject: [PATCH] hw/display/qxl: Pass requested buffer size to qxl_phys2virt() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Currently qxl_phys2virt() doesn't check for buffer overrun. +In order to do so in the next commit, pass the buffer size +as argument. + +For QXLCursor in qxl_render_cursor() -> qxl_cursor() we +verify the size of the chunked data ahead, checking we can +access 'sizeof(QXLCursor) + chunk->data_size' bytes. +Since in the SPICE_CURSOR_TYPE_MONO case the cursor is +assumed to fit in one chunk, no change are required. +In SPICE_CURSOR_TYPE_ALPHA the ahead read is handled in +qxl_unpack_chunks(). + +Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> +Acked-by: Gerd Hoffmann <kraxel@redhat.com> +Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> +Message-Id: <20221128202741.4945-4-philmd@linaro.org> +--- + hw/display/qxl-logger.c | 11 ++++++++--- + hw/display/qxl-render.c | 20 ++++++++++++++++---- + hw/display/qxl.c | 14 +++++++++----- + hw/display/qxl.h | 3 ++- + 4 files changed, 35 insertions(+), 13 deletions(-) + +diff --git a/hw/display/qxl-logger.c b/hw/display/qxl-logger.c +index 1bcf803..35c38f6 100644 +--- a/hw/display/qxl-logger.c ++++ b/hw/display/qxl-logger.c +@@ -106,7 +106,7 @@ static int qxl_log_image(PCIQXLDevice *qxl, QXLPHYSICAL addr, int group_id) + QXLImage *image; + QXLImageDescriptor *desc; + +- image = qxl_phys2virt(qxl, addr, group_id); ++ image = qxl_phys2virt(qxl, addr, group_id, sizeof(QXLImage)); + if (!image) { + return 1; + } +@@ -214,7 +214,8 @@ int qxl_log_cmd_cursor(PCIQXLDevice *qxl, QXLCursorCmd *cmd, int group_id) + cmd->u.set.position.y, + cmd->u.set.visible ? "yes" : "no", + cmd->u.set.shape); +- cursor = qxl_phys2virt(qxl, cmd->u.set.shape, group_id); ++ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, group_id, ++ sizeof(QXLCursor)); + if (!cursor) { + return 1; + } +@@ -236,6 +237,7 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext) + { + bool compat = ext->flags & QXL_COMMAND_FLAG_COMPAT; + void *data; ++ size_t datasz; + int ret; + + if (!qxl->cmdlog) { +@@ -249,15 +251,18 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext) + + switch (ext->cmd.type) { + case QXL_CMD_DRAW: ++ datasz = compat ? sizeof(QXLCompatDrawable) : sizeof(QXLDrawable); + break; + case QXL_CMD_SURFACE: ++ datasz = sizeof(QXLSurfaceCmd); + break; + case QXL_CMD_CURSOR: ++ datasz = sizeof(QXLCursorCmd); + break; + default: + goto out; + } +- data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id); ++ data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id, datasz); + if (!data) { + return 1; + } +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c +index ca21700..fcfd40c 100644 +--- a/hw/display/qxl-render.c ++++ b/hw/display/qxl-render.c +@@ -107,7 +107,9 @@ static void qxl_render_update_area_unlocked(PCIQXLDevice *qxl) + qxl->guest_primary.resized = 0; + qxl->guest_primary.data = qxl_phys2virt(qxl, + qxl->guest_primary.surface.mem, +- MEMSLOT_GROUP_GUEST); ++ MEMSLOT_GROUP_GUEST, ++ qxl->guest_primary.abs_stride ++ * height); + if (!qxl->guest_primary.data) { + goto end; + } +@@ -228,7 +230,8 @@ static void qxl_unpack_chunks(void *dest, size_t size, PCIQXLDevice *qxl, + if (offset == size) { + return; + } +- chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id); ++ chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id, ++ sizeof(QXLDataChunk) + chunk->data_size); + if (!chunk) { + return; + } +@@ -295,7 +298,8 @@ fail: + /* called from spice server thread context only */ + int qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext) + { +- QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id); ++ QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id, ++ sizeof(QXLCursorCmd)); + QXLCursor *cursor; + QEMUCursor *c; + +@@ -314,7 +318,15 @@ int qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext) + } + switch (cmd->type) { + case QXL_CURSOR_SET: +- cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id); ++ /* First read the QXLCursor to get QXLDataChunk::data_size ... */ ++ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id, ++ sizeof(QXLCursor)); ++ if (!cursor) { ++ return 1; ++ } ++ /* Then read including the chunked data following QXLCursor. */ ++ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id, ++ sizeof(QXLCursor) + cursor->chunk.data_size); + if (!cursor) { + return 1; + } +diff --git a/hw/display/qxl.c b/hw/display/qxl.c +index ae8aa07..2a4b2d4 100644 +--- a/hw/display/qxl.c ++++ b/hw/display/qxl.c +@@ -274,7 +274,8 @@ static void qxl_spice_monitors_config_async(PCIQXLDevice *qxl, int replay) + QXL_IO_MONITORS_CONFIG_ASYNC)); + } + +- cfg = qxl_phys2virt(qxl, qxl->guest_monitors_config, MEMSLOT_GROUP_GUEST); ++ cfg = qxl_phys2virt(qxl, qxl->guest_monitors_config, MEMSLOT_GROUP_GUEST, ++ sizeof(QXLMonitorsConfig)); + if (cfg != NULL && cfg->count == 1) { + qxl->guest_primary.resized = 1; + qxl->guest_head0_width = cfg->heads[0].width; +@@ -459,7 +460,8 @@ static int qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext) + switch (le32_to_cpu(ext->cmd.type)) { + case QXL_CMD_SURFACE: + { +- QXLSurfaceCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id); ++ QXLSurfaceCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id, ++ sizeof(QXLSurfaceCmd)); + + if (!cmd) { + return 1; +@@ -494,7 +496,8 @@ static int qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext) + } + case QXL_CMD_CURSOR: + { +- QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id); ++ QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id, ++ sizeof(QXLCursorCmd)); + + if (!cmd) { + return 1; +@@ -1463,7 +1466,8 @@ static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, + } + + /* can be also called from spice server thread context */ +-void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id) ++void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id, ++ size_t size) + { + uint64_t offset; + uint32_t slot; +@@ -1971,7 +1975,7 @@ static void qxl_dirty_surfaces(PCIQXLDevice *qxl) + } + + cmd = qxl_phys2virt(qxl, qxl->guest_surfaces.cmds[i], +- MEMSLOT_GROUP_GUEST); ++ MEMSLOT_GROUP_GUEST, sizeof(QXLSurfaceCmd)); + assert(cmd); + assert(cmd->type == QXL_SURFACE_CMD_CREATE); + qxl_dirty_one_surface(qxl, cmd->u.surface_create.data, +diff --git a/hw/display/qxl.h b/hw/display/qxl.h +index 30d21f4..4551c23 100644 +--- a/hw/display/qxl.h ++++ b/hw/display/qxl.h +@@ -147,7 +147,8 @@ OBJECT_DECLARE_SIMPLE_TYPE(PCIQXLDevice, PCI_QXL) + #define QXL_DEFAULT_REVISION (QXL_REVISION_STABLE_V12 + 1) + + /* qxl.c */ +-void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id); ++void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id, ++ size_t size); + void qxl_set_guest_bug(PCIQXLDevice *qxl, const char *msg, ...) + GCC_FMT_ATTR(2, 3); + +-- +2.34.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-14394.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-14394.patch new file mode 100644 index 0000000000..aff91a7355 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-14394.patch @@ -0,0 +1,79 @@ +From effaf5a240e03020f4ae953e10b764622c3e87cc Mon Sep 17 00:00:00 2001 +From: Thomas Huth <thuth@redhat.com> +Date: Tue, 8 Aug 2023 10:44:51 +0000 +Subject: [PATCH] hw/usb/hcd-xhci: Fix unbounded loop in + xhci_ring_chain_length() (CVE-2020-14394) + +The loop condition in xhci_ring_chain_length() is under control of +the guest, and additionally the code does not check for failed DMA +transfers (e.g. if reaching the end of the RAM), so the loop there +could run for a very long time or even forever. Fix it by checking +the return value of dma_memory_read() and by introducing a maximum +loop length. + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/646 +Message-Id: <20220804131300.96368-1-thuth@redhat.com> +Reviewed-by: Mauro Matteo Cascella <mcascell@redhat.com> +Acked-by: Gerd Hoffmann <kraxel@redhat.com> +Signed-off-by: Thomas Huth <thuth@redhat.com> + +CVE: CVE-2020-14394 + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/effaf5a240e03020f4ae953e10b764622c3e87cc] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + hw/usb/hcd-xhci.c | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c +index 14bdb8967..c63a36dcc 100644 +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -21,6 +21,7 @@ + + #include "qemu/osdep.h" + #include "qemu/timer.h" ++#include "qemu/log.h" + #include "qemu/module.h" + #include "qemu/queue.h" + #include "migration/vmstate.h" +@@ -725,10 +726,14 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring) + bool control_td_set = 0; + uint32_t link_cnt = 0; + +- while (1) { ++ do { + TRBType type; +- dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE, +- MEMTXATTRS_UNSPECIFIED); ++ if (dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE, ++ MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) { ++ qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA memory access failed!\n", ++ __func__); ++ return -1; ++ } + le64_to_cpus(&trb.parameter); + le32_to_cpus(&trb.status); + le32_to_cpus(&trb.control); +@@ -762,7 +767,17 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring) + if (!control_td_set && !(trb.control & TRB_TR_CH)) { + return length; + } +- } ++ ++ /* ++ * According to the xHCI spec, Transfer Ring segments should have ++ * a maximum size of 64 kB (see chapter "6 Data Structures") ++ */ ++ } while (length < TRB_LINK_LIMIT * 65536 / TRB_SIZE); ++ ++ qemu_log_mask(LOG_GUEST_ERROR, "%s: exceeded maximum tranfer ring size!\n", ++ __func__); ++ ++ return -1; + } + + static void xhci_er_reset(XHCIState *xhci, int v) +-- +2.35.5 diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch deleted file mode 100644 index 4201610f4d..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch +++ /dev/null @@ -1,92 +0,0 @@ -From 963ac2cd5186b28fbfdecd15ac43afe1dbaf871a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> -Date: Thu, 18 Nov 2021 12:57:32 +0100 -Subject: [PATCH 1/2] hw/block/fdc: Prevent end-of-track overrun - (CVE-2021-3507) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Per the 82078 datasheet, if the end-of-track (EOT byte in -the FIFO) is more than the number of sectors per side, the -command is terminated unsuccessfully: - -* 5.2.5 DATA TRANSFER TERMINATION - - The 82078 supports terminal count explicitly through - the TC pin and implicitly through the underrun/over- - run and end-of-track (EOT) functions. For full sector - transfers, the EOT parameter can define the last - sector to be transferred in a single or multisector - transfer. If the last sector to be transferred is a par- - tial sector, the host can stop transferring the data in - mid-sector, and the 82078 will continue to complete - the sector as if a hardware TC was received. The - only difference between these implicit functions and - TC is that they return "abnormal termination" result - status. Such status indications can be ignored if they - were expected. - -* 6.1.3 READ TRACK - - This command terminates when the EOT specified - number of sectors have been read. If the 82078 - does not find an I D Address Mark on the diskette - after the second· occurrence of a pulse on the - INDX# pin, then it sets the IC code in Status Regis- - ter 0 to "01" (Abnormal termination), sets the MA bit - in Status Register 1 to "1", and terminates the com- - mand. - -* 6.1.6 VERIFY - - Refer to Table 6-6 and Table 6-7 for information - concerning the values of MT and EC versus SC and - EOT value. - -* Table 6·6. Result Phase Table - -* Table 6-7. Verify Command Result Phase Table - -Fix by aborting the transfer when EOT > # Sectors Per Side. - -Cc: qemu-stable@nongnu.org -Cc: Hervé Poussineau <hpoussin@reactos.org> -Fixes: baca51faff0 ("floppy driver: disk geometry auto detect") -Reported-by: Alexander Bulekov <alxndr@bu.edu> -Resolves: https://gitlab.com/qemu-project/qemu/-/issues/339 -Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> -Message-Id: <20211118115733.4038610-2-philmd@redhat.com> -Reviewed-by: Hanna Reitz <hreitz@redhat.com> -Signed-off-by: Kevin Wolf <kwolf@redhat.com> - -Upstream-Status: Backport [defac5e2fbddf8423a354ff0454283a2115e1367] -CVE: CVE-2021-3507 - -Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> ---- - hw/block/fdc.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/hw/block/fdc.c b/hw/block/fdc.c -index 21d18ac2e..24b05406e 100644 ---- a/hw/block/fdc.c -+++ b/hw/block/fdc.c -@@ -1529,6 +1529,14 @@ static void fdctrl_start_transfer(FDCtrl *fdctrl, int direction) - int tmp; - fdctrl->data_len = 128 << (fdctrl->fifo[5] > 7 ? 7 : fdctrl->fifo[5]); - tmp = (fdctrl->fifo[6] - ks + 1); -+ if (tmp < 0) { -+ FLOPPY_DPRINTF("invalid EOT: %d\n", tmp); -+ fdctrl_stop_transfer(fdctrl, FD_SR0_ABNTERM, FD_SR1_MA, 0x00); -+ fdctrl->fifo[3] = kt; -+ fdctrl->fifo[4] = kh; -+ fdctrl->fifo[5] = ks; -+ return; -+ } - if (fdctrl->fifo[0] & 0x80) - tmp += fdctrl->fifo[6]; - fdctrl->data_len *= tmp; --- -2.33.0 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch deleted file mode 100644 index 9f00d9c0d0..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch +++ /dev/null @@ -1,115 +0,0 @@ -From ec5725982f811d9728ad1f9940df0e9349397e67 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> -Date: Thu, 18 Nov 2021 12:57:33 +0100 -Subject: [PATCH 2/2] tests/qtest/fdc-test: Add a regression test for - CVE-2021-3507 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Add the reproducer from https://gitlab.com/qemu-project/qemu/-/issues/339 - -Without the previous commit, when running 'make check-qtest-i386' -with QEMU configured with '--enable-sanitizers' we get: - - ==4028352==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000062a00 at pc 0x5626d03c491a bp 0x7ffdb4199410 sp 0x7ffdb4198bc0 - READ of size 786432 at 0x619000062a00 thread T0 - #0 0x5626d03c4919 in __asan_memcpy (qemu-system-i386+0x1e65919) - #1 0x5626d1c023cc in flatview_write_continue softmmu/physmem.c:2787:13 - #2 0x5626d1bf0c0f in flatview_write softmmu/physmem.c:2822:14 - #3 0x5626d1bf0798 in address_space_write softmmu/physmem.c:2914:18 - #4 0x5626d1bf0f37 in address_space_rw softmmu/physmem.c:2924:16 - #5 0x5626d1bf14c8 in cpu_physical_memory_rw softmmu/physmem.c:2933:5 - #6 0x5626d0bd5649 in cpu_physical_memory_write include/exec/cpu-common.h:82:5 - #7 0x5626d0bd0a07 in i8257_dma_write_memory hw/dma/i8257.c:452:9 - #8 0x5626d09f825d in fdctrl_transfer_handler hw/block/fdc.c:1616:13 - #9 0x5626d0a048b4 in fdctrl_start_transfer hw/block/fdc.c:1539:13 - #10 0x5626d09f4c3e in fdctrl_write_data hw/block/fdc.c:2266:13 - #11 0x5626d09f22f7 in fdctrl_write hw/block/fdc.c:829:9 - #12 0x5626d1c20bc5 in portio_write softmmu/ioport.c:207:17 - - 0x619000062a00 is located 0 bytes to the right of 512-byte region [0x619000062800,0x619000062a00) - allocated by thread T0 here: - #0 0x5626d03c66ec in posix_memalign (qemu-system-i386+0x1e676ec) - #1 0x5626d2b988d4 in qemu_try_memalign util/oslib-posix.c:210:11 - #2 0x5626d2b98b0c in qemu_memalign util/oslib-posix.c:226:27 - #3 0x5626d09fbaf0 in fdctrl_realize_common hw/block/fdc.c:2341:20 - #4 0x5626d0a150ed in isabus_fdc_realize hw/block/fdc-isa.c:113:5 - #5 0x5626d2367935 in device_set_realized hw/core/qdev.c:531:13 - - SUMMARY: AddressSanitizer: heap-buffer-overflow (qemu-system-i386+0x1e65919) in __asan_memcpy - Shadow bytes around the buggy address: - 0x0c32800044f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c3280004500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x0c3280004510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x0c3280004520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x0c3280004530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - =>0x0c3280004540:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c3280004550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c3280004560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c3280004570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c3280004580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c3280004590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd - Shadow byte legend (one shadow byte represents 8 application bytes): - Addressable: 00 - Heap left redzone: fa - Freed heap region: fd - ==4028352==ABORTING - -[ kwolf: Added snapshot=on to prevent write file lock failure ] - -Reported-by: Alexander Bulekov <alxndr@bu.edu> -Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> -Reviewed-by: Alexander Bulekov <alxndr@bu.edu> -Signed-off-by: Kevin Wolf <kwolf@redhat.com> - -Upstream-Status: Backport [46609b90d9e3a6304def11038a76b58ff43f77bc] -CVE: CVE-2021-3507 - -Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> ---- - tests/qtest/fdc-test.c | 21 +++++++++++++++++++++ - 1 file changed, 21 insertions(+) - -diff --git a/tests/qtest/fdc-test.c b/tests/qtest/fdc-test.c -index 8f6eee84a..6f5850354 100644 ---- a/tests/qtest/fdc-test.c -+++ b/tests/qtest/fdc-test.c -@@ -583,6 +583,26 @@ static void test_cve_2021_20196(void) - qtest_quit(s); - } - -+static void test_cve_2021_3507(void) -+{ -+ QTestState *s; -+ -+ s = qtest_initf("-nographic -m 32M -nodefaults " -+ "-drive file=%s,format=raw,if=floppy,snapshot=on", -+ test_image); -+ qtest_outl(s, 0x9, 0x0a0206); -+ qtest_outw(s, 0x3f4, 0x1600); -+ qtest_outw(s, 0x3f4, 0x0000); -+ qtest_outw(s, 0x3f4, 0x0000); -+ qtest_outw(s, 0x3f4, 0x0000); -+ qtest_outw(s, 0x3f4, 0x0200); -+ qtest_outw(s, 0x3f4, 0x0200); -+ qtest_outw(s, 0x3f4, 0x0000); -+ qtest_outw(s, 0x3f4, 0x0000); -+ qtest_outw(s, 0x3f4, 0x0000); -+ qtest_quit(s); -+} -+ - int main(int argc, char **argv) - { - int fd; -@@ -614,6 +634,7 @@ int main(int argc, char **argv) - qtest_add_func("/fdc/read_no_dma_19", test_read_no_dma_19); - qtest_add_func("/fdc/fuzz-registers", fuzz_registers); - qtest_add_func("/fdc/fuzz/cve_2021_20196", test_cve_2021_20196); -+ qtest_add_func("/fdc/fuzz/cve_2021_3507", test_cve_2021_3507); - - ret = g_test_run(); - --- -2.33.0 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch new file mode 100644 index 0000000000..3cbb34c54c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch @@ -0,0 +1,88 @@ +From 205ccfd7a5ec86bd9a5678b8bd157562fc9a1643 Mon Sep 17 00:00:00 2001 +From: Philippe Mathieu-Daudé <philmd@redhat.com> +Date: Thu, 10 Aug 2023 07:30:54 +0000 +Subject: [PATCH] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt + (CVE-2021-3638) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 + Content-Transfer-Encoding: 8bit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When building QEMU with DEBUG_ATI defined then running with +'-device ati-vga,romfile="" -d unimp,guest_errors -trace ati\*' +we get: + + ati_mm_write 4 0x16c0 DP_CNTL <- 0x1 + ati_mm_write 4 0x146c DP_GUI_MASTER_CNTL <- 0x2 + ati_mm_write 4 0x16c8 DP_MIX <- 0xff0000 + ati_mm_write 4 0x16c4 DP_DATATYPE <- 0x2 + ati_mm_write 4 0x224 CRTC_OFFSET <- 0x0 + ati_mm_write 4 0x142c DST_PITCH_OFFSET <- 0xfe00000 + ati_mm_write 4 0x1420 DST_Y <- 0x3fff + ati_mm_write 4 0x1410 DST_HEIGHT <- 0x3fff + ati_mm_write 4 0x1588 DST_WIDTH_X <- 0x3fff3fff + ati_2d_blt: vram:0x7fff5fa00000 addr:0 ds:0x7fff61273800 stride:2560 bpp:32 rop:0xff + ati_2d_blt: 0 0 0, 0 127 0, (0,0) -> (16383,16383) 16383x16383 > ^ + ati_2d_blt: pixman_fill(dst:0x7fff5fa00000, stride:254, bpp:8, x:16383, y:16383, w:16383, h:16383, xor:0xff000000) + Thread 3 "qemu-system-i38" received signal SIGSEGV, Segmentation fault. + (gdb) bt + #0 0x00007ffff7f62ce0 in sse2_fill.lto_priv () at /lib64/libpixman-1.so.0 + #1 0x00007ffff7f09278 in pixman_fill () at /lib64/libpixman-1.so.0 + #2 0x0000555557b5a9af in ati_2d_blt (s=0x631000028800) at hw/display/ati_2d.c:196 + #3 0x0000555557b4b5a2 in ati_mm_write (opaque=0x631000028800, addr=5512, data=1073692671, size=4) at hw/display/ati.c:843 + #4 0x0000555558b90ec4 in memory_region_write_accessor (mr=0x631000039cc0, addr=5512, ..., size=4, ...) at softmmu/memory.c:492 + +Commit 584acf34cb0 ("ati-vga: Fix reverse bit blts") introduced +the local dst_x and dst_y which adjust the (x, y) coordinates +depending on the direction in the SRCCOPY ROP3 operation, but +forgot to address the same issue for the PATCOPY, BLACKNESS and +WHITENESS operations, which also call pixman_fill(). + +Fix that now by using the adjusted coordinates in the pixman_fill +call, and update the related debug printf(). + +Reported-by: Qiang Liu <qiangliu@zju.edu.cn> +Fixes: 584acf34cb0 ("ati-vga: Fix reverse bit blts") +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Tested-by: Mauro Matteo Cascella <mcascell@redhat.com> +Message-Id: <20210906153103.1661195-1-philmd@redhat.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +CVE: CVE-2021-3638 + +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/205ccfd7a5ec86bd9a5678b8bd157562fc9a1643] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + hw/display/ati_2d.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c +index 4dc10ea79..692bec91d 100644 +--- a/hw/display/ati_2d.c ++++ b/hw/display/ati_2d.c +@@ -84,7 +84,7 @@ void ati_2d_blt(ATIVGAState *s) + DPRINTF("%d %d %d, %d %d %d, (%d,%d) -> (%d,%d) %dx%d %c %c\n", + s->regs.src_offset, s->regs.dst_offset, s->regs.default_offset, + s->regs.src_pitch, s->regs.dst_pitch, s->regs.default_pitch, +- s->regs.src_x, s->regs.src_y, s->regs.dst_x, s->regs.dst_y, ++ s->regs.src_x, s->regs.src_y, dst_x, dst_y, + s->regs.dst_width, s->regs.dst_height, + (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? '>' : '<'), + (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? 'v' : '^')); +@@ -180,11 +180,11 @@ void ati_2d_blt(ATIVGAState *s) + dst_stride /= sizeof(uint32_t); + DPRINTF("pixman_fill(%p, %d, %d, %d, %d, %d, %d, %x)\n", + dst_bits, dst_stride, bpp, +- s->regs.dst_x, s->regs.dst_y, ++ dst_x, dst_y, + s->regs.dst_width, s->regs.dst_height, + filler); + pixman_fill((uint32_t *)dst_bits, dst_stride, bpp, +- s->regs.dst_x, s->regs.dst_y, ++ dst_x, dst_y, + s->regs.dst_width, s->regs.dst_height, + filler); + if (dst_bits >= s->vga.vram_ptr + s->vga.vbe_start_addr && +-- +2.40.0 diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch new file mode 100644 index 0000000000..025075fd6d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch @@ -0,0 +1,75 @@ +[Ubuntu note: remove fuzz-lsi53c895a-test.c changes since the file does not + exist for this release] +From b987718bbb1d0eabf95499b976212dd5f0120d75 Mon Sep 17 00:00:00 2001 +From: Thomas Huth <thuth@redhat.com> +Date: Mon, 22 May 2023 11:10:11 +0200 +Subject: [PATCH] hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI + controller (CVE-2023-0330) + +We cannot use the generic reentrancy guard in the LSI code, so +we have to manually prevent endless reentrancy here. The problematic +lsi_execute_script() function has already a way to detect whether +too many instructions have been executed - we just have to slightly +change the logic here that it also takes into account if the function +has been called too often in a reentrant way. + +The code in fuzz-lsi53c895a-test.c has been taken from an earlier +patch by Mauro Matteo Cascella. + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1563 +Message-Id: <20230522091011.1082574-1-thuth@redhat.com> +Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> +Reviewed-by: Alexander Bulekov <alxndr@bu.edu> +Signed-off-by: Thomas Huth <thuth@redhat.com> + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2023-0330.patch?h=ubuntu/jammy-security +Upstream commit https://gitlab.com/qemu-project/qemu/-/commit/b987718bbb1d0eabf95499b976212dd5f0120d75] +CVE: CVE-2023-0330 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + hw/scsi/lsi53c895a.c | 23 +++++++++++++++------ + tests/qtest/fuzz-lsi53c895a-test.c | 33 ++++++++++++++++++++++++++++++ + 2 files changed, 50 insertions(+), 6 deletions(-) + +--- qemu-6.2+dfsg.orig/hw/scsi/lsi53c895a.c ++++ qemu-6.2+dfsg/hw/scsi/lsi53c895a.c +@@ -1135,15 +1135,24 @@ static void lsi_execute_script(LSIState + uint32_t addr, addr_high; + int opcode; + int insn_processed = 0; ++ static int reentrancy_level; ++ ++ reentrancy_level++; + + s->istat1 |= LSI_ISTAT1_SRUN; + again: +- if (++insn_processed > LSI_MAX_INSN) { +- /* Some windows drivers make the device spin waiting for a memory +- location to change. If we have been executed a lot of code then +- assume this is the case and force an unexpected device disconnect. +- This is apparently sufficient to beat the drivers into submission. +- */ ++ /* ++ * Some windows drivers make the device spin waiting for a memory location ++ * to change. If we have executed more than LSI_MAX_INSN instructions then ++ * assume this is the case and force an unexpected device disconnect. This ++ * is apparently sufficient to beat the drivers into submission. ++ * ++ * Another issue (CVE-2023-0330) can occur if the script is programmed to ++ * trigger itself again and again. Avoid this problem by stopping after ++ * being called multiple times in a reentrant way (8 is an arbitrary value ++ * which should be enough for all valid use cases). ++ */ ++ if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) { + if (!(s->sien0 & LSI_SIST0_UDC)) { + qemu_log_mask(LOG_GUEST_ERROR, + "lsi_scsi: inf. loop with UDC masked"); +@@ -1597,6 +1606,8 @@ again: + } + } + trace_lsi_execute_script_stop(); ++ ++ reentrancy_level--; + } + + static uint8_t lsi_reg_readb(LSIState *s, int offset) diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-1544.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-1544.patch new file mode 100644 index 0000000000..b4781e1c18 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-1544.patch @@ -0,0 +1,70 @@ +From e7d6e37675e422cfab2fe8c6bd411d2097228760 Mon Sep 17 00:00:00 2001 +From: Yuval Shaia <yuval.shaia.ml@gmail.com> +Date: Wed, 1 Mar 2023 16:29:26 +0200 +Subject: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver + +Guest driver allocates and initialize page tables to be used as a ring +of descriptors for CQ and async events. +The page table that represents the ring, along with the number of pages +in the page table is passed to the device. +Currently our device supports only one page table for a ring. + +Let's make sure that the number of page table entries the driver +reports, do not exceeds the one page table size. + +CVE: CVE-2023-1544 +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/85fc35afa93c] + +Reported-by: Soul Chen <soulchen8650@gmail.com> +Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com> +Fixes: CVE-2023-1544 +Message-ID: <20230301142926.18686-1-yuval.shaia.ml@gmail.com> +Signed-off-by: Thomas Huth <thuth@redhat.com> +(cherry picked from commit 85fc35afa93c7320d1641d344d0c5dfbe341d087) +Signed-off-by: Niranjan Pradhan <nirpradh@cisco.com> +--- + hw/rdma/vmw/pvrdma_main.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c +index 4fc6712025..55b338046e 100644 +--- a/hw/rdma/vmw/pvrdma_main.c ++++ b/hw/rdma/vmw/pvrdma_main.c +@@ -91,19 +91,33 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state, + dma_addr_t dir_addr, uint32_t num_pages) + { + uint64_t *dir, *tbl; +- int rc = 0; ++ int max_pages, rc = 0; + + if (!num_pages) { + rdma_error_report("Ring pages count must be strictly positive"); + return -EINVAL; + } + ++ /* ++ * Make sure we can satisfy the requested number of pages in a single ++ * TARGET_PAGE_SIZE sized page table (taking into account that first entry ++ * is reserved for ring-state) ++ */ ++ max_pages = TARGET_PAGE_SIZE / sizeof(dma_addr_t) - 1; ++ if (num_pages > max_pages) { ++ rdma_error_report("Maximum pages on a single directory must not exceed %d\n", ++ max_pages); ++ return -EINVAL; ++ } ++ + dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE); + if (!dir) { + rdma_error_report("Failed to map to page directory (ring %s)", name); + rc = -ENOMEM; + goto out; + } ++ ++ /* We support only one page table for a ring */ + tbl = rdma_pci_dma_map(pci_dev, dir[0], TARGET_PAGE_SIZE); + if (!tbl) { + rdma_error_report("Failed to map to page table (ring %s)", name); +-- +2.35.6 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch new file mode 100644 index 0000000000..a86413fbad --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch @@ -0,0 +1,180 @@ +From f6b0de53fb87ddefed348a39284c8e2f28dc4eda Mon Sep 17 00:00:00 2001 +From: Christian Schoenebeck <qemu_oss@crudebyte.com> +Date: Wed, 7 Jun 2023 18:29:33 +0200 +Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861) + +The 9p protocol does not specifically define how server shall behave when +client tries to open a special file, however from security POV it does +make sense for 9p server to prohibit opening any special file on host side +in general. A sane Linux 9p client for instance would never attempt to +open a special file on host side, it would always handle those exclusively +on its guest side. A malicious client however could potentially escape +from the exported 9p tree by creating and opening a device file on host +side. + +With QEMU this could only be exploited in the following unsafe setups: + + - Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough' + security model. + +or + + - Using 9p 'proxy' fs driver (which is running its helper daemon as + root). + +These setups were already discouraged for safety reasons before, +however for obvious reasons we are now tightening behaviour on this. + +Fixes: CVE-2023-2861 +Reported-by: Yanwu Shen <ywsPlz@gmail.com> +Reported-by: Jietao Xiao <shawtao1125@gmail.com> +Reported-by: Jinku Li <jkli@xidian.edu.cn> +Reported-by: Wenbo Shen <shenwenbo@zju.edu.cn> +Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com> +Reviewed-by: Greg Kurz <groug@kaod.org> +Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> +Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com> + +Upstream-Status: Backport from [https://github.com/qemu/qemu/commit/10fad73a2bf1c76c8aa9d6322755e5f877d83ce5] +CVE: CVE-2023-2861 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + fsdev/virtfs-proxy-helper.c | 27 +++++++++++++++++++++++-- + hw/9pfs/9p-util.h | 40 +++++++++++++++++++++++++++++++++++++ + 2 files changed, 65 insertions(+), 2 deletions(-) + +diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c +index 15c0e79b0..f9e4669a5 100644 +--- a/fsdev/virtfs-proxy-helper.c ++++ b/fsdev/virtfs-proxy-helper.c +@@ -26,6 +26,7 @@ + #include "qemu/xattr.h" + #include "9p-iov-marshal.h" + #include "hw/9pfs/9p-proxy.h" ++#include "hw/9pfs/9p-util.h" + #include "fsdev/9p-iov-marshal.h" + + #define PROGNAME "virtfs-proxy-helper" +@@ -338,6 +339,28 @@ static void resetugid(int suid, int sgid) + } + } + ++/* ++ * Open regular file or directory. Attempts to open any special file are ++ * rejected. ++ * ++ * returns file descriptor or -1 on error ++ */ ++static int open_regular(const char *pathname, int flags, mode_t mode) ++{ ++ int fd; ++ ++ fd = open(pathname, flags, mode); ++ if (fd < 0) { ++ return fd; ++ } ++ ++ if (close_if_special_file(fd) < 0) { ++ return -1; ++ } ++ ++ return fd; ++} ++ + /* + * send response in two parts + * 1) ProxyHeader +@@ -682,7 +705,7 @@ static int do_create(struct iovec *iovec) + if (ret < 0) { + goto unmarshal_err_out; + } +- ret = open(path.data, flags, mode); ++ ret = open_regular(path.data, flags, mode); + if (ret < 0) { + ret = -errno; + } +@@ -707,7 +730,7 @@ static int do_open(struct iovec *iovec) + if (ret < 0) { + goto err_out; + } +- ret = open(path.data, flags); ++ ret = open_regular(path.data, flags, 0); + if (ret < 0) { + ret = -errno; + } +diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h +index 546f46dc7..23000e917 100644 +--- a/hw/9pfs/9p-util.h ++++ b/hw/9pfs/9p-util.h +@@ -13,12 +13,16 @@ + #ifndef QEMU_9P_UTIL_H + #define QEMU_9P_UTIL_H + ++#include "qemu/error-report.h" ++ + #ifdef O_PATH + #define O_PATH_9P_UTIL O_PATH + #else + #define O_PATH_9P_UTIL 0 + #endif + ++#define qemu_fstat fstat ++ + static inline void close_preserve_errno(int fd) + { + int serrno = errno; +@@ -26,6 +30,38 @@ static inline void close_preserve_errno(int fd) + errno = serrno; + } + ++/** ++ * close_if_special_file() - Close @fd if neither regular file nor directory. ++ * ++ * @fd: file descriptor of open file ++ * Return: 0 on regular file or directory, -1 otherwise ++ * ++ * CVE-2023-2861: Prohibit opening any special file directly on host ++ * (especially device files), as a compromised client could potentially gain ++ * access outside exported tree under certain, unsafe setups. We expect ++ * client to handle I/O on special files exclusively on guest side. ++ */ ++static inline int close_if_special_file(int fd) ++{ ++ struct stat stbuf; ++ ++ if (qemu_fstat(fd, &stbuf) < 0) { ++ close_preserve_errno(fd); ++ return -1; ++ } ++ if (!S_ISREG(stbuf.st_mode) && !S_ISDIR(stbuf.st_mode)) { ++ error_report_once( ++ "9p: broken or compromised client detected; attempt to open " ++ "special file (i.e. neither regular file, nor directory)" ++ ); ++ close(fd); ++ errno = ENXIO; ++ return -1; ++ } ++ ++ return 0; ++} ++ + static inline int openat_dir(int dirfd, const char *name) + { + return openat(dirfd, name, +@@ -56,6 +92,10 @@ again: + return -1; + } + ++ if (close_if_special_file(fd) < 0) { ++ return -1; ++ } ++ + serrno = errno; + /* O_NONBLOCK was only needed to open the file. Let's drop it. We don't + * do that with O_PATH since fcntl(F_SETFL) isn't supported, and openat() +-- +2.35.7 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch new file mode 100644 index 0000000000..30080924c8 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch @@ -0,0 +1,50 @@ +From 49f1e02bac166821c712534aaa775f50e1afe17f Mon Sep 17 00:00:00 2001 +From: zhenwei pi <pizhenwei@bytedance.com> +Date: Thu, 3 Aug 2023 10:43:13 +0800 +Subject: [PATCH] virtio-crypto: verify src&dst buffer length for sym request + +For symmetric algorithms, the length of ciphertext must be as same +as the plaintext. +The missing verification of the src_len and the dst_len in +virtio_crypto_sym_op_helper() may lead buffer overflow/divulged. + +This patch is originally written by Yiming Tao for QEMU-SECURITY, +resend it(a few changes of error message) in qemu-devel. + +Fixes: CVE-2023-3180 +Fixes: 04b9b37edda("virtio-crypto: add data queue processing handler") +Cc: Gonglei <arei.gonglei@huawei.com> +Cc: Mauro Matteo Cascella <mcascell@redhat.com> +Cc: Yiming Tao <taoym@zju.edu.cn> +Signed-off-by: zhenwei pi <pizhenwei@bytedance.com> +Message-Id: <20230803024314.29962-2-pizhenwei@bytedance.com> +Reviewed-by: Michael S. Tsirkin <mst@redhat.com> +Signed-off-by: Michael S. Tsirkin <mst@redhat.com> +(cherry picked from commit 9d38a8434721a6479fe03fb5afb150ca793d3980) +Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f] +CVE: CVE-2023-3180 +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + hw/virtio/virtio-crypto.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c +index a1d122b9aa..ccaa704530 100644 +--- a/hw/virtio/virtio-crypto.c ++++ b/hw/virtio/virtio-crypto.c +@@ -635,6 +635,11 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev, + return NULL; + } + ++ if (unlikely(src_len != dst_len)) { ++ virtio_error(vdev, "sym request src len is different from dst len"); ++ return NULL; ++ } ++ + max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len; + if (unlikely(max_len > vcrypto->conf.max_size)) { + virtio_error(vdev, "virtio-crypto too big length"); +-- +2.40.0 diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch new file mode 100644 index 0000000000..f030df111f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch @@ -0,0 +1,64 @@ +From d921fea338c1059a27ce7b75309d7a2e485f710b Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella <mcascell@redhat.com> +Date: Tue, 4 Jul 2023 10:41:22 +0200 +Subject: [PATCH] ui/vnc-clipboard: fix infinite loop in inflate_buffer + (CVE-2023-3255) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +A wrong exit condition may lead to an infinite loop when inflating a +valid zlib buffer containing some extra bytes in the `inflate_buffer` +function. The bug only occurs post-authentication. Return the buffer +immediately if the end of the compressed data has been reached +(Z_STREAM_END). + +Fixes: CVE-2023-3255 +Fixes: 0bf41cab ("ui/vnc: clipboard support") +Reported-by: Kevin Denis <kevin.denis@synacktiv.com> +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-ID: <20230704084210.101822-1-mcascell@redhat.com> + +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/d921fea338c1059a27ce7b75309d7a2e485f710b] + +CVE: CVE-2023-3255 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> + +--- + ui/vnc-clipboard.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c +index 8aeadfaa21..c759be3438 100644 +--- a/ui/vnc-clipboard.c ++++ b/ui/vnc-clipboard.c +@@ -50,8 +50,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size) + ret = inflate(&stream, Z_FINISH); + switch (ret) { + case Z_OK: +- case Z_STREAM_END: + break; ++ case Z_STREAM_END: ++ *size = stream.total_out; ++ inflateEnd(&stream); ++ return out; + case Z_BUF_ERROR: + out_len <<= 1; + if (out_len > (1 << 20)) { +@@ -66,11 +69,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size) + } + } + +- *size = stream.total_out; +- inflateEnd(&stream); +- +- return out; +- + err_end: + inflateEnd(&stream); + err: +-- +2.40.0 diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3301.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-3301.patch new file mode 100644 index 0000000000..ffb5cd3861 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3301.patch @@ -0,0 +1,60 @@ +From a0d7215e339b61c7d7a7b3fcf754954d80d93eb8 Mon Sep 17 00:00:00 2001 +From: Ani Sinha <anisinha@redhat.com> +Date: Mon, 19 Jun 2023 12:22:09 +0530 +Subject: [PATCH] vhost-vdpa: do not cleanup the vdpa/vhost-net structures if + peer nic is present + +When a peer nic is still attached to the vdpa backend, it is too early to free +up the vhost-net and vdpa structures. If these structures are freed here, then +QEMU crashes when the guest is being shut down. The following call chain +would result in an assertion failure since the pointer returned from +vhost_vdpa_get_vhost_net() would be NULL: + +do_vm_stop() -> vm_state_notify() -> virtio_set_status() -> +virtio_net_vhost_status() -> get_vhost_net(). + +Therefore, we defer freeing up the structures until at guest shutdown +time when qemu_cleanup() calls net_cleanup() which then calls +qemu_del_net_client() which would eventually call vhost_vdpa_cleanup() +again to free up the structures. This time, the loop in net_cleanup() +ensures that vhost_vdpa_cleanup() will be called one last time when +all the peer nics are detached and freed. + +All unit tests pass with this change. + +CC: imammedo@redhat.com +CC: jusual@redhat.com +CC: mst@redhat.com +Fixes: CVE-2023-3301 +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2128929 +Signed-off-by: Ani Sinha <anisinha@redhat.com> +Message-Id: <20230619065209.442185-1-anisinha@redhat.com> +Reviewed-by: Michael S. Tsirkin <mst@redhat.com> +Signed-off-by: Michael S. Tsirkin <mst@redhat.com> + +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/a0d7215e339b61c7d7a7b3fcf754954d80d93eb8] +CVE: CVE-2023-3301 + + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + net/vhost-vdpa.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/net/vhost-vdpa.c ++++ b/net/vhost-vdpa.c +@@ -140,6 +140,14 @@ static void vhost_vdpa_cleanup(NetClient + { + VhostVDPAState *s = DO_UPCAST(VhostVDPAState, nc, nc); + ++ /* ++ * If a peer NIC is attached, do not cleanup anything. ++ * Cleanup will happen as a part of qemu_cleanup() -> net_cleanup() ++ * when the guest is shutting down. ++ */ ++ if (nc->peer && nc->peer->info->type == NET_CLIENT_DRIVER_NIC) { ++ return; ++ } + if (s->vhost_net) { + vhost_net_cleanup(s->vhost_net); + g_free(s->vhost_net); diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch new file mode 100644 index 0000000000..250716fcfc --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch @@ -0,0 +1,87 @@ +From 10be627d2b5ec2d6b3dce045144aa739eef678b4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com> +Date: Tue, 20 Jun 2023 09:45:34 +0100 +Subject: [PATCH] io: remove io watch if TLS channel is closed during handshake +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The TLS handshake make take some time to complete, during which time an +I/O watch might be registered with the main loop. If the owner of the +I/O channel invokes qio_channel_close() while the handshake is waiting +to continue the I/O watch must be removed. Failing to remove it will +later trigger the completion callback which the owner is not expecting +to receive. In the case of the VNC server, this results in a SEGV as +vnc_disconnect_start() tries to shutdown a client connection that is +already gone / NULL. + +CVE-2023-3354 +Reported-by: jiangyegen <jiangyegen@huawei.com> +Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/10be627d2b5ec2d6b3dce045144aa739eef678b4] +CVE: CVE-2023-3354 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + include/io/channel-tls.h | 1 + + io/channel-tls.c | 18 ++++++++++++------ + 2 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/include/io/channel-tls.h b/include/io/channel-tls.h +index 5672479e9..26c67f17e 100644 +--- a/include/io/channel-tls.h ++++ b/include/io/channel-tls.h +@@ -48,6 +48,7 @@ struct QIOChannelTLS { + QIOChannel *master; + QCryptoTLSSession *session; + QIOChannelShutdown shutdown; ++ guint hs_ioc_tag; + }; + + /** +diff --git a/io/channel-tls.c b/io/channel-tls.c +index 2ae1b92fc..34476e6b7 100644 +--- a/io/channel-tls.c ++++ b/io/channel-tls.c +@@ -195,12 +195,13 @@ static void qio_channel_tls_handshake_task(QIOChannelTLS *ioc, + } + + trace_qio_channel_tls_handshake_pending(ioc, status); +- qio_channel_add_watch_full(ioc->master, +- condition, +- qio_channel_tls_handshake_io, +- data, +- NULL, +- context); ++ ioc->hs_ioc_tag = ++ qio_channel_add_watch_full(ioc->master, ++ condition, ++ qio_channel_tls_handshake_io, ++ data, ++ NULL, ++ context); + } + } + +@@ -215,6 +216,7 @@ static gboolean qio_channel_tls_handshake_io(QIOChannel *ioc, + QIOChannelTLS *tioc = QIO_CHANNEL_TLS( + qio_task_get_source(task)); + ++ tioc->hs_ioc_tag = 0; + g_free(data); + qio_channel_tls_handshake_task(tioc, task, context); + +@@ -373,6 +375,10 @@ static int qio_channel_tls_close(QIOChannel *ioc, + { + QIOChannelTLS *tioc = QIO_CHANNEL_TLS(ioc); + ++ if (tioc->hs_ioc_tag) { ++ g_clear_handle_id(&tioc->hs_ioc_tag, g_source_remove); ++ } ++ + return qio_channel_close(tioc->master, errp); + } + +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-42467.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-42467.patch new file mode 100644 index 0000000000..d53683faa7 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-42467.patch @@ -0,0 +1,46 @@ +From 7cfcc79b0ab800959716738aff9419f53fc68c9c Mon Sep 17 00:00:00 2001 +From: Thomas Huth <thuth@redhat.com> +Date: Mon, 25 Sep 2023 11:18:54 +0200 +Subject: [PATCH] hw/scsi/scsi-disk: Disallow block sizes smaller than 512 + [CVE-2023-42467] + +We are doing things like + + nb_sectors /= (s->qdev.blocksize / BDRV_SECTOR_SIZE); + +in the code here (e.g. in scsi_disk_emulate_mode_sense()), so if +the blocksize is smaller than BDRV_SECTOR_SIZE (=512), this crashes +with a division by 0 exception. Thus disallow block sizes of 256 +bytes to avoid this situation. + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1813 +CVE: 2023-42467 +Signed-off-by: Thomas Huth <thuth@redhat.com> +Message-ID: <20230925091854.49198-1-thuth@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +CVE: CVE-2023-42467 +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/7cfcc79b0ab800959716738aff9419f53fc68c9c] +Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com> +--- + hw/scsi/scsi-disk.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c +index e0d79c7966c..477ee2bcd47 100644 +--- a/hw/scsi/scsi-disk.c ++++ b/hw/scsi/scsi-disk.c +@@ -1628,9 +1628,10 @@ static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf) + * Since the existing code only checks/updates bits 8-15 of the block + * size, restrict ourselves to the same requirement for now to ensure + * that a block size set by a block descriptor and then read back by +- * a subsequent SCSI command will be the same ++ * a subsequent SCSI command will be the same. Also disallow a block ++ * size of 256 since we cannot handle anything below BDRV_SECTOR_SIZE. + */ +- if (bs && !(bs & ~0xff00) && bs != s->qdev.blocksize) { ++ if (bs && !(bs & ~0xfe00) && bs != s->qdev.blocksize) { + s->qdev.blocksize = bs; + trace_scsi_disk_mode_select_set_blocksize(s->qdev.blocksize); + } +-- diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-5088.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-5088.patch new file mode 100644 index 0000000000..c5ea9d739a --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-5088.patch @@ -0,0 +1,112 @@ +From 7d7512019fc40c577e2bdd61f114f31a9eb84a8e Mon Sep 17 00:00:00 2001 +From: Fiona Ebner <f.ebner@proxmox.com> +Date: Wed, 6 Sep 2023 15:09:21 +0200 +Subject: [PATCH] hw/ide: reset: cancel async DMA operation before resetting + state +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If there is a pending DMA operation during ide_bus_reset(), the fact +that the IDEState is already reset before the operation is canceled +can be problematic. In particular, ide_dma_cb() might be called and +then use the reset IDEState which contains the signature after the +reset. When used to construct the IO operation this leads to +ide_get_sector() returning 0 and nsector being 1. This is particularly +bad, because a write command will thus destroy the first sector which +often contains a partition table or similar. + +Traces showing the unsolicited write happening with IDEState +0x5595af6949d0 being used after reset: + +> ahci_port_write ahci(0x5595af6923f0)[0]: port write [reg:PxSCTL] @ 0x2c: 0x00000300 +> ahci_reset_port ahci(0x5595af6923f0)[0]: reset port +> ide_reset IDEstate 0x5595af6949d0 +> ide_reset IDEstate 0x5595af694da8 +> ide_bus_reset_aio aio_cancel +> dma_aio_cancel dbs=0x7f64600089a0 +> dma_blk_cb dbs=0x7f64600089a0 ret=0 +> dma_complete dbs=0x7f64600089a0 ret=0 cb=0x5595acd40b30 +> ahci_populate_sglist ahci(0x5595af6923f0)[0] +> ahci_dma_prepare_buf ahci(0x5595af6923f0)[0]: prepare buf limit=512 prepared=512 +> ide_dma_cb IDEState 0x5595af6949d0; sector_num=0 n=1 cmd=DMA WRITE +> dma_blk_io dbs=0x7f6420802010 bs=0x5595ae2c6c30 offset=0 to_dev=1 +> dma_blk_cb dbs=0x7f6420802010 ret=0 + +> (gdb) p *qiov +> $11 = {iov = 0x7f647c76d840, niov = 1, {{nalloc = 1, local_iov = {iov_base = 0x0, +> iov_len = 512}}, {__pad = "\001\000\000\000\000\000\000\000\000\000\000", +> size = 512}}} +> (gdb) bt +> #0 blk_aio_pwritev (blk=0x5595ae2c6c30, offset=0, qiov=0x7f6420802070, flags=0, +> cb=0x5595ace6f0b0 <dma_blk_cb>, opaque=0x7f6420802010) +> at ../block/block-backend.c:1682 +> #1 0x00005595ace6f185 in dma_blk_cb (opaque=0x7f6420802010, ret=<optimized out>) +> at ../softmmu/dma-helpers.c:179 +> #2 0x00005595ace6f778 in dma_blk_io (ctx=0x5595ae0609f0, +> sg=sg@entry=0x5595af694d00, offset=offset@entry=0, align=align@entry=512, +> io_func=io_func@entry=0x5595ace6ee30 <dma_blk_write_io_func>, +> io_func_opaque=io_func_opaque@entry=0x5595ae2c6c30, +> cb=0x5595acd40b30 <ide_dma_cb>, opaque=0x5595af6949d0, +> dir=DMA_DIRECTION_TO_DEVICE) at ../softmmu/dma-helpers.c:244 +> #3 0x00005595ace6f90a in dma_blk_write (blk=0x5595ae2c6c30, +> sg=sg@entry=0x5595af694d00, offset=offset@entry=0, align=align@entry=512, +> cb=cb@entry=0x5595acd40b30 <ide_dma_cb>, opaque=opaque@entry=0x5595af6949d0) +> at ../softmmu/dma-helpers.c:280 +> #4 0x00005595acd40e18 in ide_dma_cb (opaque=0x5595af6949d0, ret=<optimized out>) +> at ../hw/ide/core.c:953 +> #5 0x00005595ace6f319 in dma_complete (ret=0, dbs=0x7f64600089a0) +> at ../softmmu/dma-helpers.c:107 +> #6 dma_blk_cb (opaque=0x7f64600089a0, ret=0) at ../softmmu/dma-helpers.c:127 +> #7 0x00005595ad12227d in blk_aio_complete (acb=0x7f6460005b10) +> at ../block/block-backend.c:1527 +> #8 blk_aio_complete (acb=0x7f6460005b10) at ../block/block-backend.c:1524 +> #9 blk_aio_write_entry (opaque=0x7f6460005b10) at ../block/block-backend.c:1594 +> #10 0x00005595ad258cfb in coroutine_trampoline (i0=<optimized out>, +> i1=<optimized out>) at ../util/coroutine-ucontext.c:177 + +CVE: CVE-2023-5088 +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/7d7512019fc40c577e2bdd61f114f31a9eb84a8e] + +Signed-off-by: Fiona Ebner <f.ebner@proxmox.com> +Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> +Tested-by: simon.rowe@nutanix.com +Message-ID: <20230906130922.142845-1-f.ebner@proxmox.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> +Signed-off-by: Sourav Pramanik <sourav.pramanik@kpit.com> +--- + hw/ide/core.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/hw/ide/core.c b/hw/ide/core.c +index b5e0dcd29b2..63ba665f3d2 100644 +--- a/hw/ide/core.c ++++ b/hw/ide/core.c +@@ -2515,19 +2515,19 @@ static void ide_dummy_transfer_stop(IDEState *s) + + void ide_bus_reset(IDEBus *bus) + { +- bus->unit = 0; +- bus->cmd = 0; +- ide_reset(&bus->ifs[0]); +- ide_reset(&bus->ifs[1]); +- ide_clear_hob(bus); +- +- /* pending async DMA */ ++ /* pending async DMA - needs the IDEState before it is reset */ + if (bus->dma->aiocb) { + trace_ide_bus_reset_aio(); + blk_aio_cancel(bus->dma->aiocb); + bus->dma->aiocb = NULL; + } + ++ bus->unit = 0; ++ bus->cmd = 0; ++ ide_reset(&bus->ifs[0]); ++ ide_reset(&bus->ifs[1]); ++ ide_clear_hob(bus); ++ + /* reset dma provider too */ + if (bus->dma->ops->reset) { + bus->dma->ops->reset(bus->dma); +-- diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch new file mode 100644 index 0000000000..e528574076 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch @@ -0,0 +1,92 @@ +From 405484b29f6548c7b86549b0f961b906337aa68a Mon Sep 17 00:00:00 2001 +From: Fiona Ebner <f.ebner@proxmox.com> +Date: Wed, 24 Jan 2024 11:57:48 +0100 +Subject: [PATCH] ui/clipboard: mark type as not available when there is no + data +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +With VNC, a client can send a non-extended VNC_MSG_CLIENT_CUT_TEXT +message with len=0. In qemu_clipboard_set_data(), the clipboard info +will be updated setting data to NULL (because g_memdup(data, size) +returns NULL when size is 0). If the client does not set the +VNC_ENCODING_CLIPBOARD_EXT feature when setting up the encodings, then +the 'request' callback for the clipboard peer is not initialized. +Later, because data is NULL, qemu_clipboard_request() can be reached +via vdagent_chr_write() and vdagent_clipboard_recv_request() and +there, the clipboard owner's 'request' callback will be attempted to +be called, but that is a NULL pointer. + +In particular, this can happen when using the KRDC (22.12.3) VNC +client. + +Another scenario leading to the same issue is with two clients (say +noVNC and KRDC): + +The noVNC client sets the extension VNC_FEATURE_CLIPBOARD_EXT and +initializes its cbpeer. + +The KRDC client does not, but triggers a vnc_client_cut_text() (note +it's not the _ext variant)). There, a new clipboard info with it as +the 'owner' is created and via qemu_clipboard_set_data() is called, +which in turn calls qemu_clipboard_update() with that info. + +In qemu_clipboard_update(), the notifier for the noVNC client will be +called, i.e. vnc_clipboard_notify() and also set vs->cbinfo for the +noVNC client. The 'owner' in that clipboard info is the clipboard peer +for the KRDC client, which did not initialize the 'request' function. +That sounds correct to me, it is the owner of that clipboard info. + +Then when noVNC sends a VNC_MSG_CLIENT_CUT_TEXT message (it did set +the VNC_FEATURE_CLIPBOARD_EXT feature correctly, so a check for it +passes), that clipboard info is passed to qemu_clipboard_request() and +the original segfault still happens. + +Fix the issue by handling updates with size 0 differently. In +particular, mark in the clipboard info that the type is not available. + +While at it, switch to g_memdup2(), because g_memdup() is deprecated. + +Cc: qemu-stable@nongnu.org +Fixes: CVE-2023-6683 +Reported-by: Markus Frank <m.frank@proxmox.com> +Suggested-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Signed-off-by: Fiona Ebner <f.ebner@proxmox.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Tested-by: Markus Frank <m.frank@proxmox.com> +Message-ID: <20240124105749.204610-1-f.ebner@proxmox.com> + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/405484b29f6548c7b86549b0f961b906337aa68a] +CVE: CVE-2023-6683 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + ui/clipboard.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/ui/clipboard.c b/ui/clipboard.c +index 3d14bffaf80..b3f6fa3c9e1 100644 +--- a/ui/clipboard.c ++++ b/ui/clipboard.c +@@ -163,9 +163,15 @@ void qemu_clipboard_set_data(QemuClipboardPeer *peer, + } + + g_free(info->types[type].data); +- info->types[type].data = g_memdup(data, size); +- info->types[type].size = size; +- info->types[type].available = true; ++ if (size) { ++ info->types[type].data = g_memdup2(data, size); ++ info->types[type].size = size; ++ info->types[type].available = true; ++ } else { ++ info->types[type].data = NULL; ++ info->types[type].size = 0; ++ info->types[type].available = false; ++ } + + if (update) { + qemu_clipboard_update(info); +-- +GitLab + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-6693.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-6693.patch new file mode 100644 index 0000000000..b91f2e6902 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-6693.patch @@ -0,0 +1,74 @@ +From 2220e8189fb94068dbad333228659fbac819abb0 Mon Sep 17 00:00:00 2001 +From: Jason Wang <jasowang@redhat.com> +Date: Tue, 2 Jan 2024 11:29:01 +0800 +Subject: [PATCH] virtio-net: correctly copy vnet header when flushing TX + +When HASH_REPORT is negotiated, the guest_hdr_len might be larger than +the size of the mergeable rx buffer header. Using +virtio_net_hdr_mrg_rxbuf during the header swap might lead a stack +overflow in this case. Fixing this by using virtio_net_hdr_v1_hash +instead. + +Reported-by: Xiao Lei <leixiao.nop@zju.edu.cn> +Cc: Yuri Benditovich <yuri.benditovich@daynix.com> +Cc: qemu-stable@nongnu.org +Cc: Mauro Matteo Cascella <mcascell@redhat.com> +Fixes: CVE-2023-6693 +Fixes: e22f0603fb2f ("virtio-net: reference implementation of hash report") +Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> +Signed-off-by: Jason Wang <jasowang@redhat.com> + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/2220e8189fb94068dbad333228659fbac819abb0] +CVE: CVE-2023-6693 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + hw/net/virtio-net.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c +index e1f474883..42e66697f 100644 +--- a/hw/net/virtio-net.c ++++ b/hw/net/virtio-net.c +@@ -600,6 +600,11 @@ static void virtio_net_set_mrg_rx_bufs(VirtIONet *n, int mergeable_rx_bufs, + + n->mergeable_rx_bufs = mergeable_rx_bufs; + ++ /* ++ * Note: when extending the vnet header, please make sure to ++ * change the vnet header copying logic in virtio_net_flush_tx() ++ * as well. ++ */ + if (version_1) { + n->guest_hdr_len = hash_report ? + sizeof(struct virtio_net_hdr_v1_hash) : +@@ -2520,7 +2525,7 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q) + ssize_t ret; + unsigned int out_num; + struct iovec sg[VIRTQUEUE_MAX_SIZE], sg2[VIRTQUEUE_MAX_SIZE + 1], *out_sg; +- struct virtio_net_hdr_mrg_rxbuf mhdr; ++ struct virtio_net_hdr_v1_hash vhdr; + + elem = virtqueue_pop(q->tx_vq, sizeof(VirtQueueElement)); + if (!elem) { +@@ -2537,7 +2542,7 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q) + } + + if (n->has_vnet_hdr) { +- if (iov_to_buf(out_sg, out_num, 0, &mhdr, n->guest_hdr_len) < ++ if (iov_to_buf(out_sg, out_num, 0, &vhdr, n->guest_hdr_len) < + n->guest_hdr_len) { + virtio_error(vdev, "virtio-net header incorrect"); + virtqueue_detach_element(q->tx_vq, elem, 0); +@@ -2545,8 +2550,8 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q) + return -EINVAL; + } + if (n->needs_vnet_hdr_swap) { +- virtio_net_hdr_swap(vdev, (void *) &mhdr); +- sg2[0].iov_base = &mhdr; ++ virtio_net_hdr_swap(vdev, (void *) &vhdr); ++ sg2[0].iov_base = &vhdr; + sg2[0].iov_len = n->guest_hdr_len; + out_num = iov_copy(&sg2[1], ARRAY_SIZE(sg2) - 1, + out_sg, out_num, +-- +2.34.1 diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2024-24474.patch b/meta/recipes-devtools/qemu/qemu/CVE-2024-24474.patch new file mode 100644 index 0000000000..e890fe56cf --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2024-24474.patch @@ -0,0 +1,44 @@ +From 77668e4b9bca03a856c27ba899a2513ddf52bb52 Mon Sep 17 00:00:00 2001 +From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> +Date: Wed, 13 Sep 2023 21:44:09 +0100 +Subject: [PATCH] esp: restrict non-DMA transfer length to that of available + data + +In the case where a SCSI layer transfer is incorrectly terminated, it is +possible for a TI command to cause a SCSI buffer overflow due to the +expected transfer data length being less than the available data in the +FIFO. When this occurs the unsigned async_len variable underflows and +becomes a large offset which writes past the end of the allocated SCSI +buffer. + +Restrict the non-DMA transfer length to be the smallest of the expected +transfer length and the available FIFO data to ensure that it is no longer +possible for the SCSI buffer overflow to occur. + +Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1810 +Reviewed-by: Thomas Huth <thuth@redhat.com> +Message-ID: <20230913204410.65650-3-mark.cave-ayland@ilande.co.uk> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/77668e4b9bca03a856c27ba899a2513ddf52bb52] +CVE: CVE-2024-24474 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + hw/scsi/esp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c +index 4218a6a96054..9b11d8c5738a 100644 +--- a/hw/scsi/esp.c ++++ b/hw/scsi/esp.c +@@ -759,7 +759,8 @@ static void esp_do_nodma(ESPState *s) + } + + if (to_device) { +- len = MIN(fifo8_num_used(&s->fifo), ESP_FIFO_SZ); ++ len = MIN(s->async_len, ESP_FIFO_SZ); ++ len = MIN(len, fifo8_num_used(&s->fifo)); + esp_fifo_pop_buf(&s->fifo, s->async_buf, len); + s->async_buf += len; + s->async_len -= len; diff --git a/meta/recipes-devtools/qemu/qemu/scsi-disk-allow-MODE-SELECT-block-desriptor-to-set-the-block-size.patch b/meta/recipes-devtools/qemu/qemu/scsi-disk-allow-MODE-SELECT-block-desriptor-to-set-the-block-size.patch new file mode 100644 index 0000000000..d8e48d07dd --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/scsi-disk-allow-MODE-SELECT-block-desriptor-to-set-the-block-size.patch @@ -0,0 +1,54 @@ +From 356c4c441ec01910314c5867c680bef80d1dd373 Mon Sep 17 00:00:00 2001 +From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> +Date: Wed, 22 Jun 2022 11:53:12 +0100 +Subject: [PATCH] scsi-disk: allow MODE SELECT block descriptor to set the + block size + +The MODE SELECT command can contain an optional block descriptor that can be used +to set the device block size. If the block descriptor is present then update the +block size on the SCSI device accordingly. + +This allows CDROMs to be used with A/UX which requires a CDROM drive which is +capable of switching from a 2048 byte sector size to a 512 byte sector size. + +Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> +Message-Id: <20220622105314.802852-13-mark.cave-ayland@ilande.co.uk> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +Comment: Patch is refreshed +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/356c4c441ec01910314c5867c680bef80d1dd373] +Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com> +--- + hw/scsi/scsi-disk.c | 6 ++++++ + hw/scsi/trace-events | 1 + + 2 files changed, 7 insertions(+) + +diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c +index db27e834dae3..f5cdb9ad4b54 100644 +--- a/hw/scsi/scsi-disk.c ++++ b/hw/scsi/scsi-disk.c +@@ -1616,6 +1616,12 @@ static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf) + goto invalid_param; + } + ++ /* Allow changing the block size */ ++ if (bd_len && p[6] != (s->qdev.blocksize >> 8)) { ++ s->qdev.blocksize = p[6] << 8; ++ trace_scsi_disk_mode_select_set_blocksize(s->qdev.blocksize); ++ } ++ + len -= bd_len; + p += bd_len; + +diff --git a/hw/scsi/trace-events b/hw/scsi/trace-events +index 8e927ff62de1..ab238293f0da 100644 +--- a/hw/scsi/trace-events ++++ b/hw/scsi/trace-events +@@ -338,6 +338,7 @@scsi_disk_dma_command_READ(uint64_t lba, uint32_t len) "Read (sector %" PRId64 ", count %u)" + scsi_disk_dma_command_WRITE(const char *cmd, uint64_t lba, int len) "Write %s(sector %" PRId64 ", count %u)" + scsi_disk_new_request(uint32_t lun, uint32_t tag, const char *line) "Command: lun=%d tag=0x%x data=%s" + scsi_disk_aio_sgio_command(uint32_t tag, uint8_t cmd, uint64_t lba, int len, uint32_t timeout) "disk aio sgio: tag=0x%x cmd=0x%x (sector %" PRId64 ", count %d) timeout=%u" ++scsi_disk_mode_select_set_blocksize(int blocksize) "set block size to %d" + + # scsi-generic.c + scsi_generic_command_complete_noio(void *req, uint32_t tag, int statuc) "Command complete %p tag=0x%x status=%d" diff --git a/meta/recipes-devtools/qemu/qemu/scsi-disk-ensure-block-size-is-non-zero-and-changes-limited-to-bits-8-15.patch b/meta/recipes-devtools/qemu/qemu/scsi-disk-ensure-block-size-is-non-zero-and-changes-limited-to-bits-8-15.patch new file mode 100644 index 0000000000..1e1be683fc --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/scsi-disk-ensure-block-size-is-non-zero-and-changes-limited-to-bits-8-15.patch @@ -0,0 +1,67 @@ +From 55794c904df723109b228da28b5db778e0df3110 Mon Sep 17 00:00:00 2001 +From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> +Date: Sat, 30 Jul 2022 13:26:56 +0100 +Subject: [PATCH] scsi-disk: ensure block size is non-zero and changes limited + to bits 8-15 + +The existing code assumes that the block size can be generated from p[1] << 8 +in multiple places which ignores the top and bottom 8 bits. If the block size +is allowed to be set to an arbitrary value then this causes a mismatch +between the value written by the guest in the block descriptor and the value +subsequently read back using READ CAPACITY causing the guest to generate +requests that can crash QEMU. + +For now restrict block size changes to bits 8-15 and also ignore requests to +set the block size to 0 which causes the SCSI emulation to crash in at least +one place with a divide by zero error. + +Fixes: 356c4c441e ("scsi-disk: allow MODE SELECT block descriptor to set the block size") +Closes: https://gitlab.com/qemu-project/qemu/-/issues/1112 +Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> +Message-Id: <20220730122656.253448-3-mark.cave-ayland@ilande.co.uk> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +Comment: Patch is refreshed +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/55794c904df723109b228da28b5db778e0df3110] +Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com> +--- + hw/scsi/scsi-disk.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c +index 3027ac3b1ed6..efee6739f9ad 100644 +--- a/hw/scsi/scsi-disk.c ++++ b/hw/scsi/scsi-disk.c +@@ -1532,7 +1532,7 @@ static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf) + int cmd = r->req.cmd.buf[0]; + int len = r->req.cmd.xfer; + int hdr_len = (cmd == MODE_SELECT ? 4 : 8); +- int bd_len; ++ int bd_len, bs; + int pass; + + /* We only support PF=1, SP=0. */ +@@ -1617,9 +1617,19 @@ static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf) + } + + /* Allow changing the block size */ +- if (bd_len && p[6] != (s->qdev.blocksize >> 8)) { +- s->qdev.blocksize = p[6] << 8; +- trace_scsi_disk_mode_select_set_blocksize(s->qdev.blocksize); ++ if (bd_len) { ++ bs = p[5] << 16 | p[6] << 8 | p[7]; ++ ++ /* ++ * Since the existing code only checks/updates bits 8-15 of the block ++ * size, restrict ourselves to the same requirement for now to ensure ++ * that a block size set by a block descriptor and then read back by ++ * a subsequent SCSI command will be the same ++ */ ++ if (bs && !(bs & ~0xff00) && bs != s->qdev.blocksize) { ++ s->qdev.blocksize = bs; ++ trace_scsi_disk_mode_select_set_blocksize(s->qdev.blocksize); ++ } + } + + len -= bd_len; + |