diff options
author | Steve Sakoman <steve@sakoman.com> | 2023-11-07 07:36:29 -1000 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-11-13 05:34:11 -1000 |
commit | 14aa11aecf503cef08e43c90cf0bd574721ca965 (patch) | |
tree | c22c01e78f3db6eafd15e5a97d73ccfed4a50b5d | |
parent | bbe5e13c2ff981d7defd14f9e2d91ebbe107bb4b (diff) | |
download | openembedded-core-14aa11aecf503cef08e43c90cf0bd574721ca965.tar.gz |
Revert "qemu: Backport fix for CVE-2023-0330"
This reverts commit 45ce9885351a2344737170e6e810dc67ab3e7ea9.
Unfortunately this backport results in qemuarmv5 failing to boot with
a qemu lsi hw error.
[YOCTO #15274]
See discussion: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15274
Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 3 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch (renamed from meta/recipes-devtools/qemu/qemu/CVE-2023-0330_1.patch) | 0 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch | 135 |
3 files changed, 1 insertions, 137 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index e6b26aba88..a24915c35c 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -137,8 +137,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3409-4.patch \ file://CVE-2021-3409-5.patch \ file://hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \ - file://CVE-2023-0330_1.patch \ - file://CVE-2023-0330_2.patch \ + file://CVE-2023-0330.patch \ file://CVE-2023-3354.patch \ file://CVE-2023-3180.patch \ file://CVE-2020-24165.patch \ diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch index 26e22b4c31..26e22b4c31 100644 --- a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_1.patch +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch deleted file mode 100644 index 3b45bc0411..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch +++ /dev/null @@ -1,135 +0,0 @@ -From a2e1753b8054344f32cf94f31c6399a58794a380 Mon Sep 17 00:00:00 2001 -From: Alexander Bulekov <alxndr@bu.edu> -Date: Thu, 27 Apr 2023 17:10:06 -0400 -Subject: [PATCH] memory: prevent dma-reentracy issues - -Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA. -This flag is set/checked prior to calling a device's MemoryRegion -handlers, and set when device code initiates DMA. The purpose of this -flag is to prevent two types of DMA-based reentrancy issues: - -1.) mmio -> dma -> mmio case -2.) bh -> dma write -> mmio case - -These issues have led to problems such as stack-exhaustion and -use-after-frees. - -Summary of the problem from Peter Maydell: -https://lore.kernel.org/qemu-devel/CAFEAcA_23vc7hE3iaM-JVA6W38LK4hJoWae5KcknhPRD5fPBZA@mail.gmail.com - -Resolves: https://gitlab.com/qemu-project/qemu/-/issues/62 -Resolves: https://gitlab.com/qemu-project/qemu/-/issues/540 -Resolves: https://gitlab.com/qemu-project/qemu/-/issues/541 -Resolves: https://gitlab.com/qemu-project/qemu/-/issues/556 -Resolves: https://gitlab.com/qemu-project/qemu/-/issues/557 -Resolves: https://gitlab.com/qemu-project/qemu/-/issues/827 -Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282 -Resolves: CVE-2023-0330 - -Signed-off-by: Alexander Bulekov <alxndr@bu.edu> -Reviewed-by: Thomas Huth <thuth@redhat.com> -Message-Id: <20230427211013.2994127-2-alxndr@bu.edu> -[thuth: Replace warn_report() with warn_report_once()] -Signed-off-by: Thomas Huth <thuth@redhat.com> - -Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/a2e1753b8054344f32cf94f31c6399a58794a380] -CVE: CVE-2023-0330 -Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> ---- - include/exec/memory.h | 5 +++++ - include/hw/qdev-core.h | 7 +++++++ - memory.c | 16 ++++++++++++++++ - 3 files changed, 28 insertions(+) - -diff --git a/include/exec/memory.h b/include/exec/memory.h -index 2b8bccdd..0c8cdb8e 100644 ---- a/include/exec/memory.h -+++ b/include/exec/memory.h -@@ -378,6 +378,8 @@ struct MemoryRegion { - bool is_iommu; - RAMBlock *ram_block; - Object *owner; -+ /* owner as TYPE_DEVICE. Used for re-entrancy checks in MR access hotpath */ -+ DeviceState *dev; - - const MemoryRegionOps *ops; - void *opaque; -@@ -400,6 +402,9 @@ struct MemoryRegion { - const char *name; - unsigned ioeventfd_nb; - MemoryRegionIoeventfd *ioeventfds; -+ -+ /* For devices designed to perform re-entrant IO into their own IO MRs */ -+ bool disable_reentrancy_guard; - }; - - struct IOMMUMemoryRegion { -diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h -index 1518495b..206f0a70 100644 ---- a/include/hw/qdev-core.h -+++ b/include/hw/qdev-core.h -@@ -138,6 +138,10 @@ struct NamedGPIOList { - QLIST_ENTRY(NamedGPIOList) node; - }; - -+typedef struct { -+ bool engaged_in_io; -+} MemReentrancyGuard; -+ - /** - * DeviceState: - * @realized: Indicates whether the device has been fully constructed. -@@ -163,6 +167,9 @@ struct DeviceState { - int num_child_bus; - int instance_id_alias; - int alias_required_for_version; -+ -+ /* Is the device currently in mmio/pio/dma? Used to prevent re-entrancy */ -+ MemReentrancyGuard mem_reentrancy_guard; - }; - - struct DeviceListener { -diff --git a/memory.c b/memory.c -index 8cafb86a..94ebcaf9 100644 ---- a/memory.c -+++ b/memory.c -@@ -531,6 +531,18 @@ static MemTxResult access_with_adjusted_size(hwaddr addr, - access_size_max = 4; - } - -+ /* Do not allow more than one simultaneous access to a device's IO Regions */ -+ if (mr->dev && !mr->disable_reentrancy_guard && -+ !mr->ram_device && !mr->ram && !mr->rom_device && !mr->readonly) { -+ if (mr->dev->mem_reentrancy_guard.engaged_in_io) { -+ warn_report_once("Blocked re-entrant IO on MemoryRegion: " -+ "%s at addr: 0x%" HWADDR_PRIX, -+ memory_region_name(mr), addr); -+ return MEMTX_ACCESS_ERROR; -+ } -+ mr->dev->mem_reentrancy_guard.engaged_in_io = true; -+ } -+ - /* FIXME: support unaligned access? */ - access_size = MAX(MIN(size, access_size_max), access_size_min); - access_mask = MAKE_64BIT_MASK(0, access_size * 8); -@@ -545,6 +557,9 @@ static MemTxResult access_with_adjusted_size(hwaddr addr, - access_mask, attrs); - } - } -+ if (mr->dev) { -+ mr->dev->mem_reentrancy_guard.engaged_in_io = false; -+ } - return r; - } - -@@ -1132,6 +1147,7 @@ static void memory_region_do_init(MemoryRegion *mr, - } - mr->name = g_strdup(name); - mr->owner = owner; -+ mr->dev = (DeviceState *) object_dynamic_cast(mr->owner, TYPE_DEVICE); - mr->ram_block = NULL; - - if (name) { --- -2.25.1 - |