From 260326f08db1ea52c2928c7ac324f77505896a1b Mon Sep 17 00:00:00 2001 From: Prasad J Pandit Date: Thu, 25 Mar 2021 17:03:57 +0800 Subject: [PATCH 1/8] hw/pci-host: add pci-intack write method fix CVE-2020-15469 Add pci-intack mmio write method to avoid NULL pointer dereference issue. Reported-by: Lei Sun Reviewed-by: Li Qiang Signed-off-by: Prasad J Pandit Signed-off-by: Jiajie Li --- hw/pci-host/prep.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/hw/pci-host/prep.c b/hw/pci-host/prep.c index c564f234af..f03c81f651 100644 --- a/hw/pci-host/prep.c +++ b/hw/pci-host/prep.c @@ -26,6 +26,7 @@ #include "qemu/osdep.h" #include "qemu-common.h" #include "qemu/units.h" +#include "qemu/log.h" #include "qapi/error.h" #include "hw/hw.h" #include "hw/pci/pci.h" @@ -117,8 +118,15 @@ static uint64_t raven_intack_read(void *opaque, hwaddr addr, return pic_read_irq(isa_pic); } +static void raven_intack_write(void *opaque, hwaddr addr, + uint64_t data, unsigned size) +{ + qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__); +} + static const MemoryRegionOps raven_intack_ops = { .read = raven_intack_read, + .write = raven_intack_write, .valid = { .max_access_size = 1, }, -- Gitee From 18047c6b9a4160ebbe84146b467d2cfa77070704 Mon Sep 17 00:00:00 2001 From: Prasad J Pandit Date: Thu, 25 Mar 2021 17:08:24 +0800 Subject: [PATCH 2/8] pci-host: add pcie-msi read method fix CVE-2020-15469 Add pcie-msi mmio read method to avoid NULL pointer dereference issue. Reported-by: Lei Sun Reviewed-by: Li Qiang Signed-off-by: Prasad J Pandit Signed-off-by: Jiajie Li --- hw/pci-host/designware.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/hw/pci-host/designware.c b/hw/pci-host/designware.c index 9ae8c0deb7..23e3de3cad 100644 --- a/hw/pci-host/designware.c +++ b/hw/pci-host/designware.c @@ -21,6 +21,7 @@ #include "qemu/osdep.h" #include "qapi/error.h" #include "qemu/module.h" +#include "qemu/log.h" #include "hw/pci/msi.h" #include "hw/pci/pci_bridge.h" #include "hw/pci/pci_host.h" @@ -60,6 +61,13 @@ designware_pcie_root_to_host(DesignwarePCIERoot *root) return DESIGNWARE_PCIE_HOST(bus->parent); } +static uint64_t designware_pcie_root_msi_read(void *opaque, hwaddr addr, + unsigned size) +{ + qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__); + return 0; +} + static void designware_pcie_root_msi_write(void *opaque, hwaddr addr, uint64_t val, unsigned len) { @@ -74,6 +82,7 @@ static void designware_pcie_root_msi_write(void *opaque, hwaddr addr, } static const MemoryRegionOps designware_pci_host_msi_ops = { + .read = designware_pcie_root_msi_read, .write = designware_pcie_root_msi_write, .endianness = DEVICE_LITTLE_ENDIAN, .valid = { -- Gitee From 77d8a6ddb95190f892a8e2d5b6138f03b66d3ae5 Mon Sep 17 00:00:00 2001 From: Prasad J Pandit Date: Thu, 25 Mar 2021 17:12:57 +0800 Subject: [PATCH 3/8] vfio: add quirk device write method --- hw/vfio/pci-quirks.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/hw/vfio/pci-quirks.c b/hw/vfio/pci-quirks.c index b35a640030..9ce790bdd2 100644 --- a/hw/vfio/pci-quirks.c +++ b/hw/vfio/pci-quirks.c @@ -12,6 +12,7 @@ #include "qemu/osdep.h" #include "qemu/units.h" +#include "qemu/log.h" #include "qemu/error-report.h" #include "qemu/main-loop.h" #include "qemu/module.h" @@ -275,8 +276,15 @@ static uint64_t vfio_ati_3c3_quirk_read(void *opaque, return data; } +static void vfio_ati_3c3_quirk_write(void *opaque, hwaddr addr, + uint64_t data, unsigned size) +{ + qemu_log_mask(LOG_GUEST_ERROR, "%s not implemented\n", __func__); +} + static const MemoryRegionOps vfio_ati_3c3_quirk = { .read = vfio_ati_3c3_quirk_read, + .write = vfio_ati_3c3_quirk_write, .endianness = DEVICE_LITTLE_ENDIAN, }; -- Gitee From 62efce98c61c0dee27c73eee996d19951412fe7a Mon Sep 17 00:00:00 2001 From: Prasad J Pandit Date: Thu, 25 Mar 2021 17:16:14 +0800 Subject: [PATCH 4/8] prep: add ppc-parity write method fix CVE-2020-15469 Add ppc-parity mmio write method to avoid NULL pointer dereference issue. Reported-by: Lei Sun Acked-by: David Gibson Signed-off-by: Prasad J Pandit Signed-off-by: Jiajie Li --- hw/ppc/prep_systemio.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/hw/ppc/prep_systemio.c b/hw/ppc/prep_systemio.c index df7603b986..67244ed48c 100644 --- a/hw/ppc/prep_systemio.c +++ b/hw/ppc/prep_systemio.c @@ -23,6 +23,7 @@ */ #include "qemu/osdep.h" +#include "qemu/log.h" #include "hw/isa/isa.h" #include "exec/address-spaces.h" #include "qemu/error-report.h" /* for error_report() */ @@ -232,8 +233,15 @@ static uint64_t ppc_parity_error_readl(void *opaque, hwaddr addr, return val; } +static void ppc_parity_error_writel(void *opaque, hwaddr addr, + uint64_t data, unsigned size) +{ + qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid write access\n", __func__); +} + static const MemoryRegionOps ppc_parity_error_ops = { .read = ppc_parity_error_readl, + .write = ppc_parity_error_writel, .valid = { .min_access_size = 4, .max_access_size = 4, -- Gitee From 94a57b36119230bd9ec9bff913086dd18b680f45 Mon Sep 17 00:00:00 2001 From: Prasad J Pandit Date: Thu, 25 Mar 2021 17:19:15 +0800 Subject: [PATCH 5/8] nvram: add nrf51_soc flash read method fix CVE-2020-15469 Add nrf51_soc mmio read method to avoid NULL pointer dereference issue. Reported-by: Lei Sun Signed-off-by: Prasad J Pandit Signed-off-by: Jiajie Li --- hw/nvram/nrf51_nvm.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hw/nvram/nrf51_nvm.c b/hw/nvram/nrf51_nvm.c index eca0cb35b5..7b2b1351f4 100644 --- a/hw/nvram/nrf51_nvm.c +++ b/hw/nvram/nrf51_nvm.c @@ -271,6 +271,10 @@ static const MemoryRegionOps io_ops = { .endianness = DEVICE_LITTLE_ENDIAN, }; +static uint64_t flash_read(void *opaque, hwaddr offset, unsigned size) +{ + g_assert_not_reached(); +} static void flash_write(void *opaque, hwaddr offset, uint64_t value, unsigned int size) @@ -298,6 +302,7 @@ static void flash_write(void *opaque, hwaddr offset, uint64_t value, static const MemoryRegionOps flash_ops = { + .read = flash_read, .write = flash_write, .valid.min_access_size = 4, .valid.max_access_size = 4, -- Gitee From 71e135b6bda02f3f728f11d2de2a8f877edeefa2 Mon Sep 17 00:00:00 2001 From: Prasad J Pandit Date: Thu, 25 Mar 2021 17:23:24 +0800 Subject: [PATCH 6/8] spapr_pci: add spapr msi read method fix CVE-2020-15469 Add spapr msi mmio read method to avoid NULL pointer dereference issue. Reported-by: Lei Sun Acked-by: David Gibson Reviewed-by: Li Qiang Signed-off-by: Prasad J Pandit Signed-off-by: Jiajie Li --- hw/ppc/spapr_pci.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/hw/ppc/spapr_pci.c b/hw/ppc/spapr_pci.c index 9003fe9010..1571e049ab 100644 --- a/hw/ppc/spapr_pci.c +++ b/hw/ppc/spapr_pci.c @@ -50,6 +50,7 @@ #include "sysemu/kvm.h" #include "sysemu/hostmem.h" #include "sysemu/numa.h" +#include "qemu/log.h" /* Copied from the kernel arch/powerpc/platforms/pseries/msi.c */ #define RTAS_QUERY_FN 0 @@ -743,6 +744,12 @@ static PCIINTxRoute spapr_route_intx_pin_to_irq(void *opaque, int pin) return route; } +static uint64_t spapr_msi_read(void *opaque, hwaddr addr, unsigned size) +{ + qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__); + return 0; +} + /* * MSI/MSIX memory region implementation. * The handler handles both MSI and MSIX. @@ -760,8 +767,10 @@ static void spapr_msi_write(void *opaque, hwaddr addr, } static const MemoryRegionOps spapr_msi_ops = { - /* There is no .read as the read result is undefined by PCI spec */ - .read = NULL, + /* .read result is undefined by PCI spec + * define .read method to avoid assert failure in memory_region_init_io + */ + .read = spapr_msi_read, .write = spapr_msi_write, .endianness = DEVICE_LITTLE_ENDIAN }; -- Gitee From 48221a8586fc3965dc9efc131ccc45c6369f8a1e Mon Sep 17 00:00:00 2001 From: Prasad J Pandit Date: Thu, 25 Mar 2021 17:27:07 +0800 Subject: [PATCH 7/8] tz-ppc: add dummy read/write methods fix CVE-2020-15469 Add tz-ppc-dummy mmio read/write methods to avoid assert failure during initialisation. Signed-off-by: Prasad J Pandit Signed-off-by: Jiajie Li --- hw/misc/tz-ppc.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/hw/misc/tz-ppc.c b/hw/misc/tz-ppc.c index 2a14a26f29..5b7b883866 100644 --- a/hw/misc/tz-ppc.c +++ b/hw/misc/tz-ppc.c @@ -193,7 +193,20 @@ static bool tz_ppc_dummy_accepts(void *opaque, hwaddr addr, g_assert_not_reached(); } +static uint64_t tz_ppc_dummy_read(void *opaque, hwaddr addr, unsigned size) +{ + g_assert_not_reached(); +} + +static void tz_ppc_dummy_write(void *opaque, hwaddr addr, + uint64_t data, unsigned size) +{ + g_assert_not_reached(); +} + static const MemoryRegionOps tz_ppc_dummy_ops = { + .read = tz_ppc_dummy_read, + .write = tz_ppc_dummy_write, .valid.accepts = tz_ppc_dummy_accepts, }; -- Gitee From 1b957f866ce24126cc7fb40545a604f11006282c Mon Sep 17 00:00:00 2001 From: Prasad J Pandit Date: Thu, 25 Mar 2021 17:29:28 +0800 Subject: [PATCH 8/8] imx7-ccm: add digprog mmio write method fix CVE-2020-15469 Add digprog mmio write method to avoid assert failure during initialisation. Reviewed-by: Li Qiang Signed-off-by: Prasad J Pandit Signed-off-by: Jiajie Li --- hw/misc/imx7_ccm.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/hw/misc/imx7_ccm.c b/hw/misc/imx7_ccm.c index d9bdcf1027..831311a7c8 100644 --- a/hw/misc/imx7_ccm.c +++ b/hw/misc/imx7_ccm.c @@ -130,8 +130,15 @@ static const struct MemoryRegionOps imx7_set_clr_tog_ops = { }, }; +static void imx7_digprog_write(void *opaque, hwaddr addr, + uint64_t data, unsigned size) +{ + qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__); +} + static const struct MemoryRegionOps imx7_digprog_ops = { .read = imx7_set_clr_tog_read, + .write = imx7_digprog_write, .endianness = DEVICE_NATIVE_ENDIAN, .impl = { .min_access_size = 4, -- Gitee