diff --git a/Added-CoDA-feature-support-in-the-context-of-CVM.-Wh.patch b/Added-CoDA-feature-support-in-the-context-of-CVM.-Wh.patch new file mode 100644 index 0000000000000000000000000000000000000000..57b712c803937b3b79b0ab3d8f25490216da4a3a --- /dev/null +++ b/Added-CoDA-feature-support-in-the-context-of-CVM.-Wh.patch @@ -0,0 +1,107 @@ +From 1f0c212191d0f63744ef61e0725ab4c859b1d189 Mon Sep 17 00:00:00 2001 +From: yangxiangkai +Date: Mon, 23 Sep 2024 19:23:37 +0800 +Subject: [PATCH] Added CoDA feature support in the context of CVM. When + virtcca cvm is enabled, the iommu is tagged as secure. + +--- + hw/vfio/container.c | 15 +++++++++++++++ + hw/virtio/virtio-bus.c | 7 +++++++ + linux-headers/linux/vfio.h | 2 ++ + 3 files changed, 24 insertions(+) + +diff --git a/hw/vfio/container.c b/hw/vfio/container.c +index d8b9117f4f..422235a221 100644 +--- a/hw/vfio/container.c ++++ b/hw/vfio/container.c +@@ -33,6 +33,7 @@ + #include "trace.h" + #include "qapi/error.h" + #include "migration/migration.h" ++#include "sysemu/kvm.h" + + VFIOGroupList vfio_group_list = + QLIST_HEAD_INITIALIZER(vfio_group_list); +@@ -399,6 +400,14 @@ static int vfio_get_iommu_type(VFIOContainer *container, + VFIO_SPAPR_TCE_v2_IOMMU, VFIO_SPAPR_TCE_IOMMU }; + int i; + ++ if (virtcca_cvm_enabled()) { ++ if (ioctl(container->fd, VFIO_CHECK_EXTENSION, VFIO_TYPE1v2_S_IOMMU)) { ++ return VFIO_TYPE1v2_S_IOMMU; ++ } else { ++ return -errno; ++ } ++ } ++ + for (i = 0; i < ARRAY_SIZE(iommu_types); i++) { + if (ioctl(container->fd, VFIO_CHECK_EXTENSION, iommu_types[i])) { + return iommu_types[i]; +@@ -625,6 +634,7 @@ static int vfio_connect_container(VFIOGroup *group, AddressSpace *as, + switch (container->iommu_type) { + case VFIO_TYPE1v2_IOMMU: + case VFIO_TYPE1_IOMMU: ++ case VFIO_TYPE1v2_S_IOMMU: + { + struct vfio_iommu_type1_info *info; + +@@ -857,6 +867,11 @@ static int vfio_get_device(VFIOGroup *group, const char *name, + return -1; + } + ++ if (!virtcca_cvm_enabled() && (info->flags & VFIO_DEVICE_FLAGS_SECURE)) { ++ error_setg(errp, "Normal vm cannot use confidential device."); ++ return -1; ++ } ++ + /* + * Set discarding of RAM as not broken for this group if the driver knows + * the device operates compatibly with discarding. Setting must be +diff --git a/hw/virtio/virtio-bus.c b/hw/virtio/virtio-bus.c +index 4f16e7ef77..749df6478e 100644 +--- a/hw/virtio/virtio-bus.c ++++ b/hw/virtio/virtio-bus.c +@@ -30,6 +30,7 @@ + #include "hw/virtio/virtio-bus.h" + #include "hw/virtio/virtio.h" + #include "exec/address-spaces.h" ++#include "sysemu/kvm.h" + + /* #define DEBUG_VIRTIO_BUS */ + +@@ -71,6 +72,12 @@ void virtio_bus_device_plugged(VirtIODevice *vdev, Error **errp) + return; + } + ++ if (virtcca_cvm_enabled() && (strcmp(vdev->name, "vhost-user-fs") == 0)) { ++ /* VIRTIO_F_IOMMU_PLATFORM should be enabled for vhost-user-fs using swiotlb */ ++ error_setg(errp, "iommu_platform is not supported by this device"); ++ return; ++ } ++ + if (klass->device_plugged != NULL) { + klass->device_plugged(qbus->parent, &local_err); + } +diff --git a/linux-headers/linux/vfio.h b/linux-headers/linux/vfio.h +index 956154e509..c27a43d74b 100644 +--- a/linux-headers/linux/vfio.h ++++ b/linux-headers/linux/vfio.h +@@ -25,6 +25,7 @@ + #define VFIO_TYPE1_IOMMU 1 + #define VFIO_SPAPR_TCE_IOMMU 2 + #define VFIO_TYPE1v2_IOMMU 3 ++#define VFIO_TYPE1v2_S_IOMMU 12 + /* + * IOMMU enforces DMA cache coherence (ex. PCIe NoSnoop stripping). This + * capability is subject to change as groups are added or removed. +@@ -224,6 +225,7 @@ struct vfio_device_info { + #define VFIO_DEVICE_FLAGS_FSL_MC (1 << 6) /* vfio-fsl-mc device */ + #define VFIO_DEVICE_FLAGS_CAPS (1 << 7) /* Info supports caps */ + #define VFIO_DEVICE_FLAGS_CDX (1 << 8) /* vfio-cdx device */ ++#define VFIO_DEVICE_FLAGS_SECURE (1 << 9) /* secure pci device */ + __u32 num_regions; /* Max region index + 1 */ + __u32 num_irqs; /* Max IRQ index + 1 */ + __u32 cap_offset; /* Offset within info struct of first cap */ +-- +2.41.0.windows.1 + diff --git a/crypto-avoid-leak-of-ctx-when-bad-cipher-mode-is-giv.patch b/crypto-avoid-leak-of-ctx-when-bad-cipher-mode-is-giv.patch new file mode 100644 index 0000000000000000000000000000000000000000..7ef683c316e4f829c1e246d76c17c2984516b189 --- /dev/null +++ b/crypto-avoid-leak-of-ctx-when-bad-cipher-mode-is-giv.patch @@ -0,0 +1,48 @@ +From a0c5ce95e94a4621b12262423bfa021accb07625 Mon Sep 17 00:00:00 2001 +From: dinglimin +Date: Mon, 16 Sep 2024 17:22:02 +0800 +Subject: [PATCH] =?UTF-8?q?crypto:=20avoid=20leak=20of=20ctx=20when=20bad?= + =?UTF-8?q?=20cipher=20mode=20is=20given=20Fixes:=20Coverity=20CID=2015468?= + =?UTF-8?q?84=20cherry=20picked=20from=20586ac2c67d707c2588766c5195d94fa55?= + =?UTF-8?q?3cc25af=20Reviewed-by:=20Peter=20Maydell=20=20Reviewed-by:=20Philippe=20Mathieu-Daud=C3=A9=20=20Signed-off-by:=20Daniel=20P.=20Berrang=C3=A9=20=20Signed-off-by:=20dinglimin=20?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +--- + crypto/cipher-nettle.c.inc | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/crypto/cipher-nettle.c.inc b/crypto/cipher-nettle.c.inc +index 42b39e18a2..766de036ba 100644 +--- a/crypto/cipher-nettle.c.inc ++++ b/crypto/cipher-nettle.c.inc +@@ -734,16 +734,19 @@ static QCryptoCipher *qcrypto_cipher_ctx_new(QCryptoCipherAlgorithm alg, + #ifdef CONFIG_CRYPTO_SM4 + case QCRYPTO_CIPHER_ALG_SM4: + { +- QCryptoNettleSm4 *ctx = g_new0(QCryptoNettleSm4, 1); ++ QCryptoNettleSm4 *ctx; ++ const QCryptoCipherDriver *drv; + + switch (mode) { + case QCRYPTO_CIPHER_MODE_ECB: +- ctx->base.driver = &qcrypto_nettle_sm4_driver_ecb; ++ drv = &qcrypto_nettle_sm4_driver_ecb; + break; + default: + goto bad_cipher_mode; + } + ++ ctx = g_new0(QCryptoNettleSm4, 1); ++ ctx->base.driver = drv; + sm4_set_encrypt_key(&ctx->key[0], key); + sm4_set_decrypt_key(&ctx->key[1], key); + +-- +2.41.0.windows.1 + diff --git a/hw-block-fix-uint32-overflow.patch b/hw-block-fix-uint32-overflow.patch new file mode 100644 index 0000000000000000000000000000000000000000..09fa41f84f817faa2bd6075bc5666d29e8e1e75f --- /dev/null +++ b/hw-block-fix-uint32-overflow.patch @@ -0,0 +1,36 @@ +From fc5b9cb39257527568911f65c64d80e23f9f6ae3 Mon Sep 17 00:00:00 2001 +From: qihao +Date: Wed, 18 Sep 2024 10:32:42 -0400 +Subject: [PATCH] hw/block: fix uint32 overflow + +cheery-pick from 89cd6254b80784a1b3f574407192493ef92fe65f + +The product bs->bl.zone_size * (bs->bl.nr_zones - 1) may overflow +uint32. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Dmitry Frolov +Message-id: 20240917080356.270576-2-frolov@swemel.ru +Signed-off-by: Stefan Hajnoczi +Signed-off-by: qihao_yewu +--- + hw/block/virtio-blk.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c +index 2eb096a6dc..beedc0cf5f 100644 +--- a/hw/block/virtio-blk.c ++++ b/hw/block/virtio-blk.c +@@ -860,7 +860,7 @@ static int virtio_blk_handle_zone_mgmt(VirtIOBlockReq *req, BlockZoneOp op) + } else { + if (bs->bl.zone_size > capacity - offset) { + /* The zoned device allows the last smaller zone. */ +- len = capacity - bs->bl.zone_size * (bs->bl.nr_zones - 1); ++ len = capacity - bs->bl.zone_size * (bs->bl.nr_zones - 1ull); + } else { + len = bs->bl.zone_size; + } +-- +2.41.0.windows.1 + diff --git a/hw-ufs-add-basic-info-of-query-response-upiu.patch b/hw-ufs-add-basic-info-of-query-response-upiu.patch new file mode 100644 index 0000000000000000000000000000000000000000..3c8fe2312b4c9aee3827ff52c34dfb1cde16839f --- /dev/null +++ b/hw-ufs-add-basic-info-of-query-response-upiu.patch @@ -0,0 +1,71 @@ +From 450b67a5dd3954db8441a1ad65a5e4594ba2e405 Mon Sep 17 00:00:00 2001 +From: dinglimin +Date: Mon, 16 Sep 2024 17:34:34 +0800 +Subject: [PATCH] hw/ufs: add basic info of query response upiu cherry picked + from de2cc4078240f8b745a7caeed461b02f2577e2d2 Modify to fill the opcode, idn, + index, selector information of all Query Response UPIU. because attr and flag + operation of query response upiu need these information too. + +Signed-off-by: KyoungrulKim +Reviewed-by: Minwoo Im +Reviewed-by: Jeuk Kim +Signed-off-by: Jeuk Kim +Signed-off-by: dinglimin +--- + hw/ufs/ufs.c | 13 +++++++++---- + hw/ufs/ufs.h | 1 + + 2 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c +index bac78a32bb..068895b27b 100644 +--- a/hw/ufs/ufs.c ++++ b/hw/ufs/ufs.c +@@ -455,6 +455,14 @@ void ufs_build_upiu_header(UfsRequest *req, uint8_t trans_type, uint8_t flags, + req->rsp_upiu.header.data_segment_length = cpu_to_be16(data_segment_length); + } + ++void ufs_build_query_response(UfsRequest *req) ++{ ++ req->rsp_upiu.qr.opcode = req->req_upiu.qr.opcode; ++ req->rsp_upiu.qr.idn = req->req_upiu.qr.idn; ++ req->rsp_upiu.qr.index = req->req_upiu.qr.index; ++ req->rsp_upiu.qr.selector = req->req_upiu.qr.selector; ++} ++ + static UfsReqResult ufs_exec_scsi_cmd(UfsRequest *req) + { + UfsHc *u = req->hc; +@@ -931,10 +939,6 @@ static QueryRespCode ufs_read_desc(UfsRequest *req) + if (length > req->rsp_upiu.qr.data[0]) { + length = req->rsp_upiu.qr.data[0]; + } +- req->rsp_upiu.qr.opcode = req->req_upiu.qr.opcode; +- req->rsp_upiu.qr.idn = req->req_upiu.qr.idn; +- req->rsp_upiu.qr.index = req->req_upiu.qr.index; +- req->rsp_upiu.qr.selector = req->req_upiu.qr.selector; + req->rsp_upiu.qr.length = cpu_to_be16(length); + + return status; +@@ -1015,6 +1019,7 @@ static UfsReqResult ufs_exec_query_cmd(UfsRequest *req) + data_segment_length = be16_to_cpu(req->rsp_upiu.qr.length); + ufs_build_upiu_header(req, UFS_UPIU_TRANSACTION_QUERY_RSP, 0, status, 0, + data_segment_length); ++ ufs_build_query_response(req); + + if (status != UFS_QUERY_RESULT_SUCCESS) { + return UFS_REQUEST_FAIL; +diff --git a/hw/ufs/ufs.h b/hw/ufs/ufs.h +index 8fda94f4ef..8a74b4c2ab 100644 +--- a/hw/ufs/ufs.h ++++ b/hw/ufs/ufs.h +@@ -132,6 +132,7 @@ static inline bool is_wlun(uint8_t lun) + void ufs_build_upiu_header(UfsRequest *req, uint8_t trans_type, uint8_t flags, + uint8_t response, uint8_t scsi_status, + uint16_t data_segment_length); ++void ufs_build_query_response(UfsRequest *req); + void ufs_complete_req(UfsRequest *req, UfsReqResult req_result); + void ufs_init_wlu(UfsLu *wlu, uint8_t wlun); + #endif /* HW_UFS_UFS_H */ +-- +2.41.0.windows.1 + diff --git a/qemu.spec b/qemu.spec index afb09cbaf360440c707377e7ade0feec384bb6ee..145f44f3582aa83fc71994a20fbab286c9e25d15 100644 --- a/qemu.spec +++ b/qemu.spec @@ -3,7 +3,7 @@ Name: qemu Version: 8.2.0 -Release: 19 +Release: 20 Epoch: 11 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 @@ -359,6 +359,10 @@ Patch0342: system-physmem-Propagate-AddressSpace-to-MapClient-h.patch Patch0343: system-physmem-Per-AddressSpace-bounce-buffering.patch Patch0344: softmmu-Support-concurrent-bounce-buffers-CVE-2024-8.patch Patch0345: mac_dbdma-Remove-leftover-dma_memory_unmap-calls-CVE.patch +Patch0346: crypto-avoid-leak-of-ctx-when-bad-cipher-mode-is-giv.patch +Patch0347: hw-ufs-add-basic-info-of-query-response-upiu.patch +Patch0348: hw-block-fix-uint32-overflow.patch +Patch0349: Added-CoDA-feature-support-in-the-context-of-CVM.-Wh.patch BuildRequires: flex BuildRequires: gcc @@ -956,6 +960,12 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Mon Oct 21 2024 Jiabo Feng - 11:8.2.0-20 +- Added CoDA feature support in the context of CVM. When virtcca cvm is enabled, the iommu is tagged as secure. +- hw/block: fix uint32 overflow +- hw/ufs: add basic info of query response upiu +- crypto: avoid leak of ctx when bad cipher mode is given Fixes: Coverity CID 1546884 + * Mon Oct 14 2024 Jiabo Feng - 11:8.2.0-19 - mac_dbdma: Remove leftover `dma_memory_unmap` calls(CVE-2024-8612) - softmmu: Support concurrent bounce buffers(CVE-2024-8612)