From a1e520b00deef803cb7f05ab71ffdf2fec513e47 Mon Sep 17 00:00:00 2001
From: AlexChen
Date: Thu, 24 Sep 2020 10:47:29 +0800
Subject: [PATCH 1/2] qemu: enrich commit info for some patchs
Signed-off-by: AlexChen
---
 ...ci-Fix-DMA-Transfer-Block-Size-field.patch | 23 +++++++--
 ...check-return-value-of-usb_packet_map.patch | 49 +++++++++++++++++--
 qemu.spec | 7 ++-
 3 files changed, 69 insertions(+), 10 deletions(-)
diff --git a/hw-sd-sdhci-Fix-DMA-Transfer-Block-Size-field.patch b/hw-sd-sdhci-Fix-DMA-Transfer-Block-Size-field.patch
index 42df965..4d4533a 100644
--- a/hw-sd-sdhci-Fix-DMA-Transfer-Block-Size-field.patch
+++ b/hw-sd-sdhci-Fix-DMA-Transfer-Block-Size-field.patch
@@ -1,14 +1,27 @@
-From 8b8d3992db22a583b69b6e2ae1d9cd87e2179e21 Mon Sep 17 00:00:00 2001
+From d99d965c232c649686b4d8bc42dc11dcaf90dc0b Mon Sep 17 00:00:00 2001
 From: Prasad J Pandit
 Date: Fri, 18 Sep 2020 10:55:22 +0800
-Subject: [PATCH] hw/sd/sdhci: Fix DMA Transfer Block Size field The 'Transfer
- Block Size' field is 12-bit wide. See section '2.2.2 Block Size Register
- (Offset 004h)' in datasheet.
+Subject: [PATCH] hw/sd/sdhci: Fix DMA Transfer Block Size field
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+The 'Transfer Block Size' field is 12-bit wide.
+
+See section '2.2.2. Block Size Register (Offset 004h)' in datasheet.
+
+Cc: qemu-stable@nongnu.org
+Cc: Igor Mitsyanko
 Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Fixes: d7dfca0807a ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov
+Signed-off-by: Philippe Mathieu-Daudé
+---
+ hw/sd/sdhci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
-index 7b80b1d9..acf482b8 100644
+index 7b80b1d93f..65a530aee4 100644
 --- a/hw/sd/sdhci.c
 +++ b/hw/sd/sdhci.c
 @@ -1127,7 +1127,7 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
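Review bot: The regenerated sdhci patch changes the embedded `index` line's post-image blob from `acf482b8` to `65a530aee4` while the pre-image stays `7b80b1d9…`, yet this diff touches only the patch header; a different post-image blob means the file produced by applying the new patch is no longer the one the old patch produced (or the old `index` line was simply stale), so diff the code hunk against upstream before merging. The `From` commit id also changed (`8b8d3992…` → `d99d965c…`), so note in the spec changelog which tree the patch was re-exported from. As shown here the added MIME headers run straight into `+The 'Transfer Block Size' field is 12-bit wide.` with no blank separator; `%patch` (patch(1)) ignores the mail header so the build is unaffected, but `git am` would fold that first body line into the headers, so confirm the blank line exists in the file. The code change itself (the `@@ -1127,7 +1127,7 @@` hunk of hw/sd/sdhci.c) lies outside this diff.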
diff --git a/hw-xhci-check-return-value-of-usb_packet_map.patch b/hw-xhci-check-return-value-of-usb_packet_map.patch
index fd81478..7c31967 100644
--- a/hw-xhci-check-return-value-of-usb_packet_map.patch
+++ b/hw-xhci-check-return-value-of-usb_packet_map.patch
@@ -1,17 +1,60 @@
-From e43f0019b0aff881c562c8d2428bce6b3d55845c Mon Sep 17 00:00:00 2001
+From ff7545a6911bc7b9d818a541130f666a81077b44 Mon Sep 17 00:00:00 2001
 From: Li Qiang
 Date: Fri, 18 Sep 2020 11:08:28 +0800
 Subject: [PATCH] hw: xhci: check return value of 'usb_packet_map'
 Currently we don't check the return value of 'usb_packet_map',
-this will cause an NAF issue. This is LP#1891341.
+this will cause an UAF issue. This is LP#1891341.
 Following is the reproducer provided in:
-->https://bugs.launchpad.net/qemu/+bug/1891341
+cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
+-trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
+-drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
+-nodefaults -nographic -qtest stdio
+outl 0xcf8 0x80001016
+outl 0xcfc 0x3c009f0d
+outl 0xcf8 0x80001004
+outl 0xcfc 0xc77695e
+writel 0x9f0d000000000040 0xffff3655
+writeq 0x9f0d000000002000 0xff2f9e0000000000
+write 0x1d 0x1 0x27
+write 0x2d 0x1 0x2e
+write 0x17232 0x1 0x03
+write 0x17254 0x1 0x06
+write 0x17278 0x1 0x34
+write 0x3d 0x1 0x27
+write 0x40 0x1 0x2e
+write 0x41 0x1 0x72
+write 0x42 0x1 0x01
+write 0x4d 0x1 0x2e
+write 0x4f 0x1 0x01
+writeq 0x9f0d000000002000 0x5c051a0100000000
+write 0x34001d 0x1 0x13
+write 0x340026 0x1 0x30
+write 0x340028 0x1 0x08
+write 0x34002c 0x1 0xfe
+write 0x34002d 0x1 0x08
+write 0x340037 0x1 0x5e
+write 0x34003a 0x1 0x05
+write 0x34003d 0x1 0x05
+write 0x34004d 0x1 0x13
+writeq 0x9f0d000000002000 0xff00010100400009
+EOF
+
 This patch fixes this.
+Buglink: https://bugs.launchpad.net/qemu/+bug/1891341
+Reported-by: Alexander Bulekov
+Signed-off-by: Li Qiang
+Message-id: 20200812153139.15146-1-liq3ea@163.com
+Signed-off-by: Gerd Hoffmann
+---
+ hw/usb/hcd-xhci.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
 diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
-index a21485fe..3b25abca 100644
+index a21485fe8a..3b25abcacd 100644
 --- a/hw/usb/hcd-xhci.c
 +++ b/hw/usb/hcd-xhci.c
 @@ -1614,7 +1614,10 @@ static int xhci_setup_packet(XHCITransfer *xfer)
diff --git a/qemu.spec b/qemu.spec
index b17fc5f..7bf6498 100644
--- a/qemu.spec
+++ b/qemu.spec
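Review bot: Neither the enriched xhci header nor the spec records a CVE id for this fix or for the sdhci one, even though the spec already names CVE-tracked backports that way (`Patch0030: iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch`). As far as I recall LP#1891341 (this use-after-free) and LP#1892960 (the sdhci block-size fix) were assigned CVE-2020-25084 and CVE-2020-25085 — verify, and if so put the ids in the changelog entry, e.g. `- hw-xhci-check-return-value-of-usb_packet_map.patch (CVE-2020-25084)`, so package security scanners can match the fix to the release. The NAF→UAF wording fix is right; the code change itself (the `@@ -1614,7 +1614,10 @@` hunk in xhci_setup_packet) lies outside this diff, so the return-value check it adds cannot be reviewed here.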
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 20
+Release: 21
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY
@@ -183,7 +183,7 @@ Patch0170: megasas-avoid-NULL-pointer-dereference.patch
 Patch0171: megasas-use-unsigned-type-for-positive-numeric-field.patch
 Patch0172: hw-scsi-megasas-Fix-possible-out-of-bounds-array-acc.patch
 Patch0173: hw-arm-acpi-enable-SHPC-native-hot-plug.patch
-PATCH0174: hw-usb-core-fix-buffer-overflow.patch
+Patch0174: hw-usb-core-fix-buffer-overflow.patch
 Patch0175: Drop-bogus-IPv6-messages.patch
 Patch0176: hw-sd-sdhci-Fix-DMA-Transfer-Block-Size-field.patch
 Patch0177: hw-xhci-check-return-value-of-usb_packet_map.patch
@@ -532,6 +532,9 @@ getent passwd qemu >/dev/null || \
 %endif
 %changelog
+* Thu Sep 24 2020 Huawei Technologies Co., Ltd
+- enrich commit info for some patchs
+
 * Fri Sep 18 2020 Huawei Technologies Co., Ltd
 - hw-sd-sdhci-Fix-DMA-Transfer-Block-Size-field.patch
 - hw-xhci-check-return-value-of-usb_packet_map.patch
-- 
Gitee
From abd04658737f9264ebb46e0962e156ef5e648e88 Mon Sep 17 00:00:00 2001
From: AlexChen
Date: Thu, 24 Sep 2020 10:59:22 +0800
Subject: [PATCH 2/2] qemu: rename some patches for slirp
Signed-off-by: AlexChen
---
 qemu.spec | 13 +++++++------
 ...es.patch => slirp-drop-bogus-IPv6-messages.patch | 0
 ...patch => slirp-ip_reass-Fix-use-after-free.patch | 0
 ...cess.patch => slirp-tcp_emu-Fix-oob-access.patch | 0
 ...> slirp-tcp_emu-fix-unsafe-snprintf-usages.patch | 0
 ....patch => slirp-util-add-slirp_fmt-helpers.patch | 0
 6 files changed, 7 insertions(+), 6 deletions(-)
 rename Drop-bogus-IPv6-messages.patch => slirp-drop-bogus-IPv6-messages.patch (100%)
 rename ip_reass-Fix-use-after-free.patch => slirp-ip_reass-Fix-use-after-free.patch (100%)
 rename tcp_emu-Fix-oob-access.patch => slirp-tcp_emu-Fix-oob-access.patch (100%)
 rename tcp_emu-fix-unsafe-snprintf-usages.patch => slirp-tcp_emu-fix-unsafe-snprintf-usages.patch (100%)
 rename util-add-slirp_fmt-helpers.patch => slirp-util-add-slirp_fmt-helpers.patch (100%)
diff --git a/qemu.spec b/qemu.spec
index 7bf6498..ddf8110 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -40,11 +40,11 @@ Patch0027: nbd-fix-uninitialized-variable-warning.patch
 Patch0028: xhci-Fix-memory-leak-in-xhci_kick_epctx-when-poweroff.patch
 Patch0029: block-fix-memleaks-in-bdrv_refresh_filename.patch
 Patch0030: iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch
-Patch0031: tcp_emu-Fix-oob-access.patch
+Patch0031: slirp-tcp_emu-Fix-oob-access.patch
 Patch0032: slirp-use-correct-size-while-emulating-IRC-commands.patch
 Patch0033: slirp-use-correct-size-while-emulating-commands.patch
-Patch0034: util-add-slirp_fmt-helpers.patch
-Patch0035: tcp_emu-fix-unsafe-snprintf-usages.patch
+Patch0034: slirp-util-add-slirp_fmt-helpers.patch
+Patch0035: slirp-tcp_emu-fix-unsafe-snprintf-usages.patch
 Patch0036: block-iscsi-use-MIN-between-mx_sb_len-and-sb_len_wr.patch
 Patch0037: monitor-fix-memory-leak-in-monitor_fdset_dup_fd_find.patch
 Patch0038: memory-Align-MemoryRegionSections-fields.patch
@@ -165,7 +165,7 @@ Patch0152: arm-virt-Support-CPU-cold-plug.patch
 Patch0153: ide-Fix-incorrect-handling-of-some-PRDTs-in-ide_dma_.patch
 Patch0154: ati-vga-Fix-checks-in-ati_2d_blt-to-avoid-crash.patch
 Patch0155: slirp-tftp-restrict-relative-path-access.patch
-Patch0156: ip_reass-Fix-use-after-free.patch
+Patch0156: slirp-ip_reass-Fix-use-after-free.patch
 Patch0157: bt-use-size_t-type-for-length-parameters-instead-of-.patch
 Patch0158: log-Add-some-logs-on-VM-runtime-path.patch
 Patch0159: Revert-vtimer-compat-cross-version-migration-from-v4.patch
@@ -184,7 +184,7 @@ Patch0171: megasas-use-unsigned-type-for-positive-numeric-field.patch
 Patch0172: hw-scsi-megasas-Fix-possible-out-of-bounds-array-acc.patch
 Patch0173: hw-arm-acpi-enable-SHPC-native-hot-plug.patch
 Patch0174: hw-usb-core-fix-buffer-overflow.patch
-Patch0175: Drop-bogus-IPv6-messages.patch
+Patch0175: slirp-drop-bogus-IPv6-messages.patch
 Patch0176: hw-sd-sdhci-Fix-DMA-Transfer-Block-Size-field.patch
 Patch0177: hw-xhci-check-return-value-of-usb_packet_map.patch
@@ -533,7 +533,8 @@ getent passwd qemu >/dev/null || \
 %changelog
 * Thu Sep 24 2020 Huawei Technologies Co., Ltd
-- enrich commit info for some patchs
+- enrich commit info for some patches
+- rename some patches for slirp
 * Fri Sep 18 2020 Huawei Technologies Co., Ltd
 - hw-sd-sdhci-Fix-DMA-Transfer-Block-Size-field.patch
diff --git a/Drop-bogus-IPv6-messages.patch b/slirp-drop-bogus-IPv6-messages.patch
similarity index 100%
rename from Drop-bogus-IPv6-messages.patch
rename to slirp-drop-bogus-IPv6-messages.patch
diff --git a/ip_reass-Fix-use-after-free.patch b/slirp-ip_reass-Fix-use-after-free.patch
similarity index 100%
rename from ip_reass-Fix-use-after-free.patch
rename to slirp-ip_reass-Fix-use-after-free.patch
diff --git a/tcp_emu-Fix-oob-access.patch b/slirp-tcp_emu-Fix-oob-access.patch
similarity index 100%
rename from tcp_emu-Fix-oob-access.patch
rename to slirp-tcp_emu-Fix-oob-access.patch
diff --git a/tcp_emu-fix-unsafe-snprintf-usages.patch b/slirp-tcp_emu-fix-unsafe-snprintf-usages.patch
similarity index 100%
rename from tcp_emu-fix-unsafe-snprintf-usages.patch
rename to slirp-tcp_emu-fix-unsafe-snprintf-usages.patch
diff --git a/util-add-slirp_fmt-helpers.patch b/slirp-util-add-slirp_fmt-helpers.patch
similarity index 100%
rename from util-add-slirp_fmt-helpers.patch
rename to slirp-util-add-slirp_fmt-helpers.patch
-- 
Gitee