From 354a43b28451284176602522e085489628814c40 Mon Sep 17 00:00:00 2001
From: "Huawei Technologies Co., Ltd"
Date: Wed, 18 Nov 2020 10:22:32 +0800
Subject: [PATCH 1/7] ati: check x y display parameter values
fix CVE-2020-24352
The source and destination x,y display parameters in ati_2d_blt()
may run off the vga limits if either of s->regs.[src|dst]_[xy] is
zero. Check the parameter values to avoid potential crash.
Reported-by: Gaoning Pan
Signed-off-by: Prasad J Pandit
Message-id: 20201021103818.1704030-1-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann
cherry-pick from commit ca1f9cbfdce4d63b10d57de80fef89a89d92a540
Signed-off-by: Jiajie Li
---
 ati-check-x-y-display-parameter-values.patch | 53 ++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 ati-check-x-y-display-parameter-values.patch
diff --git a/ati-check-x-y-display-parameter-values.patch b/ati-check-x-y-display-parameter-values.patch
new file mode 100644
index 00000000..219ec0d1
--- /dev/null
+++ b/ati-check-x-y-display-parameter-values.patch
@@ -0,0 +1,53 @@ +From 2a3f92b2ba5fe015f83fa8c8fceb2dfc426d908c Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Wed, 18 Nov 2020 10:22:32 +0800 +Subject: [PATCH] ati: check x y display parameter values + +fix CVE-2020-24352 + +The source and destination x,y display parameters in ati_2d_blt() +may run off the vga limits if either of s->regs.[src|dst]_[xy] is +zero. Check the parameter values to avoid potential crash. + +Reported-by: Gaoning Pan +Signed-off-by: Prasad J Pandit +Message-id: 20201021103818.1704030-1-ppandit@redhat.com +Signed-off-by: Gerd Hoffmann + +cherry-pick from commit ca1f9cbfdce4d63b10d57de80fef89a89d92a540 +Signed-off-by: Jiajie Li +--- + hw/display/ati_2d.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c +index 23a8ae0cd8..4dc10ea795 100644 +--- a/hw/display/ati_2d.c ++++ b/hw/display/ati_2d.c +@@ -75,8 +75,9 @@ void ati_2d_blt(ATIVGAState *s) + dst_stride *= bpp; + } + uint8_t *end = s->vga.vram_ptr + s->vga.vram_size; +- if (dst_bits >= end || dst_bits + dst_x + (dst_y + s->regs.dst_height) * +- dst_stride >= end) { ++ if (dst_x > 0x3fff || dst_y > 0x3fff || dst_bits >= end ++ || dst_bits + dst_x ++ + (dst_y + s->regs.dst_height) * dst_stride >= end) { + qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n"); + return; + } +@@ -107,8 +108,9 @@ void ati_2d_blt(ATIVGAState *s) + src_bits += s->regs.crtc_offset & 0x07ffffff; + src_stride *= bpp; + } +- if (src_bits >= end || src_bits + src_x + +- (src_y + s->regs.dst_height) * src_stride >= end) { ++ if (src_x > 0x3fff || src_y > 0x3fff || src_bits >= end ++ || src_bits + src_x ++ + (src_y + s->regs.dst_height) * src_stride >= end) { + qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n"); + return; + } +-- +2.27.0 + -- Gitee From 4a5b95e8af871c5fdb870b2535414675ea440e83 Mon Sep 17 00:00:00 2001 
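Review bot: The guard in the embedded hw/display/ati_2d.c hunk still forms the pointer `dst_bits + dst_x + (dst_y + s->regs.dst_height) * dst_stride` before comparing it with `end`, so the test runs on a pointer that may already lie far outside the VRAM buffer; C defines no ordering for such a pointer, and a wrapped value would pass the `>= end` check. Keeping the bound check in integer arithmetic avoids that: `uint64_t dst_off = (uint64_t)dst_x + (uint64_t)(dst_y + s->regs.dst_height) * dst_stride;` followed by `|| dst_off >= (uint64_t)(end - dst_bits)) {`, with the same shape for the src_bits test in the second hunk of the embedded patch (the declarations of dst_x and dst_stride are outside the hunk, so adjust the casts to their actual types). The literal `0x3fff` appears four times without explanation; a named constant with a comment such as `/* x/y coordinates are 14-bit register fields; anything larger is a wrapped (underflowed) value */` would record why it is the bound — that reading is inferred from the commit message, so confirm it where dst_x/dst_y are derived, which is not visible here. Because the rejected case is now a guest-supplied out-of-range coordinate rather than an unimplemented feature, the existing `qemu_log_mask(LOG_UNIMP, ...)` line would describe the event better as `LOG_GUEST_ERROR`, so that such attempts are visible when guest-error logging is enabled.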
From: Euler Robot
Date: Tue, 8 Dec 2020 17:36:19 +0800
Subject: [PATCH 2/7] spec: Update patch and changelog with !33 ati: check x y display parameter values
Signed-off-by: Alex Chen
---
 qemu.spec | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/qemu.spec b/qemu.spec
index a71198f8..166b69cf 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -304,6 +304,7 @@ Patch0291: sm501-Replace-hand-written-implementation-with-pixma.patch
 Patch0292: pci-check-bus-pointer-before-dereference.patch
 Patch0293: hw-ide-check-null-block-before-_cancel_dma_sync.patch
 Patch0294: Bugfix-hw-acpi-Use-max_cpus-instead-of-cpus-when-bui.patch
+Patch0295: ati-check-x-y-display-parameter-values.patch
 BuildRequires: flex
 BuildRequires: bison
@@ -650,6 +651,9 @@ getent passwd qemu >/dev/null || \
 %endif
 %changelog
+* Wed Nov 18 2020 Huawei Technologies Co., Ltd
+- ati: check x y display parameter values
+
 * Thu Oct 29 2020 Huawei Technologies Co., Ltd
 - Bugfix: hw/acpi: Use max_cpus instead of cpus when build PPTT table
-- Gitee
From 199d81338a860d20025d3578ca1ec07536797775 Mon Sep 17 00:00:00 2001
From: "Huawei Technologies Co., Ltd"
Date: Wed, 21 Oct 2020 11:35:50 +0530
Subject: [PATCH 3/7] net: remove an assert call in eth_get_gso_type
fix CVE-2020-27617
eth_get_gso_type() routine returns segmentation offload type based on
L3 protocol type. It calls g_assert_not_reached if L3 protocol is
unknown, making the following return statement unreachable. Remove the
g_assert call, it maybe triggered by a guest user.
Reported-by: Gaoning Pan
Signed-off-by: Prasad J Pandit
Signed-off-by: Jason Wang
cherry-pick from commit 7564bf7701f00214cdc8a678a9f7df765244def1
Signed-off-by: Jiajie Li
---
 ...e-an-assert-call-in-eth_get_gso_type.patch | 49 +++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 net-remove-an-assert-call-in-eth_get_gso_type.patch
diff --git a/net-remove-an-assert-call-in-eth_get_gso_type.patch b/net-remove-an-assert-call-in-eth_get_gso_type.patch
new file mode 100644
index 00000000..d66cc18e
--- /dev/null
+++ b/net-remove-an-assert-call-in-eth_get_gso_type.patch
@@ -0,0 +1,49 @@
+From 1b1cf9c4d34cf25aa06740b2b48f676f04064106 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Wed, 21 Oct 2020 11:35:50 +0530
+Subject: [PATCH] net: remove an assert call in eth_get_gso_type
+
+fix CVE-2020-27617
+
+eth_get_gso_type() routine returns segmentation offload type based on
+L3 protocol type. It calls g_assert_not_reached if L3 protocol is
+unknown, making the following return statement unreachable. Remove the
+g_assert call, it maybe triggered by a guest user.
+
+Reported-by: Gaoning Pan
+Signed-off-by: Prasad J Pandit
+Signed-off-by: Jason Wang
+
+cherry-pick from commit 7564bf7701f00214cdc8a678a9f7df765244def1
+Signed-off-by: Jiajie Li
+---
+ net/eth.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/eth.c b/net/eth.c
+index 0c1d413ee2..1e0821c5f8 100644
+--- a/net/eth.c
++++ b/net/eth.c
+@@ -16,6 +16,7 @@
+ */
+
+ #include "qemu/osdep.h"
++#include "qemu/log.h"
+ #include "net/eth.h"
+ #include "net/checksum.h"
+ #include "net/tap.h"
+@@ -71,9 +72,8 @@ eth_get_gso_type(uint16_t l3_proto, uint8_t *l3_hdr, uint8_t l4proto)
+ return VIRTIO_NET_HDR_GSO_TCPV6 | ecn_state;
+ }
+ }
+-
+- /* Unsupported offload */
+- g_assert_not_reached();
++ qemu_log_mask(LOG_UNIMP, "%s: probably not GSO frame, "
++ "unknown L3 protocol: 0x%04"PRIx16"\n", __func__, l3_proto);
+
+ return VIRTIO_NET_HDR_GSO_NONE | ecn_state;
+ }
+--
+2.27.0
+
-- Gitee
From eddd5f755be4d72ad4707b5b5efca2683d18b5b6 Mon Sep 17 00:00:00 2001
From: Euler Robot
Date: Tue, 8 Dec 2020 17:36:20 +0800
Subject: [PATCH 4/7] spec: Update patch and changelog with !42 net: remove an assert call in eth_get_gso_type
Signed-off-by: Alex Chen
---
 qemu.spec | 4 ++++
 1 file changed, 4 insertions(+)
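Review bot: Nothing records that eth_get_gso_type() now returns `VIRTIO_NET_HDR_GSO_NONE | ecn_state` for an L3 protocol it does not recognise, where it previously aborted; a comment above the new qemu_log_mask() call, e.g. `/* Unknown L3 protocol: l3_proto comes from the guest, so report "no GSO" instead of aborting */`, keeps that contract visible, and the function's header comment (outside the hunk) should state the same return rule. The log category also deserves a second look: this path is reached only through a guest-supplied frame, so `LOG_GUEST_ERROR` describes it better than `LOG_UNIMP`, which suggests a missing feature, and it makes such frames visible to operators who enable guest-error logging. The function body begins before this hunk, so whether every caller copes with a GSO_NONE result for an unknown protocol could not be checked here.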
diff --git a/qemu.spec b/qemu.spec
index 166b69cf..337d29cb 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -305,6 +305,7 @@ Patch0292: pci-check-bus-pointer-before-dereference.patch
 Patch0293: hw-ide-check-null-block-before-_cancel_dma_sync.patch
 Patch0294: Bugfix-hw-acpi-Use-max_cpus-instead-of-cpus-when-bui.patch
 Patch0295: ati-check-x-y-display-parameter-values.patch
+Patch0296: net-remove-an-assert-call-in-eth_get_gso_type.patch
 BuildRequires: flex
 BuildRequires: bison
@@ -651,6 +652,9 @@ getent passwd qemu >/dev/null || \
 %endif
 %changelog
+* Wed Oct 21 2020 Huawei Technologies Co., Ltd
+- net: remove an assert call in eth_get_gso_type
+
 * Wed Nov 18 2020 Huawei Technologies Co., Ltd
 - ati: check x y display parameter values
-- Gitee
From 3849a7b9ed8a36fb02695d0b3bafc705ef8f1539 Mon Sep 17 00:00:00 2001
From: "Huawei Technologies Co., Ltd" Date: Fri, 13 Nov 2020 14:55:25 +0000 Subject: [PATCH 5/7] json: Fix a memleak in parse_pair() In qobject_type(), NULL is returned when the 'QObject' returned from parse_value() is not of QString type, and this 'QObject' memory will leaked. So we need to first cache the 'QObject' returned from parse_value(), and finally free 'QObject' memory at the end of the function. Also, we add a testcast about invalid dict key. The memleak stack is as follows: Direct leak of 32 byte(s) in 1 object(s) allocated from: #0 0xfffe4b3c34fb in __interceptor_malloc (/lib64/libasan.so.4+0xd34fb) #1 0xfffe4ae48aa3 in g_malloc (/lib64/libglib-2.0.so.0+0x58aa3) #2 0xaaab3557d9f7 in qnum_from_int qemu/qobject/qnum.c:25 #3 0xaaab35584d23 in parse_literal qemu/qobject/json-parser.c:511 #4 0xaaab35584d23 in parse_value qemu/qobject/json-parser.c:554 #5 0xaaab35583d77 in parse_pair qemu/qobject/json-parser.c:270 #6 0xaaab355845db in parse_object qemu/qobject/json-parser.c:327 #7 0xaaab355845db in parse_value qemu/qobject/json-parser.c:546 #8 0xaaab35585b1b in json_parser_parse qemu/qobject/json-parser.c:580 #9 0xaaab35583703 in json_message_process_token qemu/qobject/json-streamer.c:92 #10 0xaaab355ddccf in json_lexer_feed_char qemu/qobject/json-lexer.c:313 #11 0xaaab355de0eb in json_lexer_feed qemu/qobject/json-lexer.c:350 #12 0xaaab354aff67 in tcp_chr_read qemu/chardev/char-socket.c:525 #13 0xfffe4ae429db in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x529db) #14 0xfffe4ae42d8f (/lib64/libglib-2.0.so.0+0x52d8f) #15 0xfffe4ae430df in g_main_loop_run (/lib64/libglib-2.0.so.0+0x530df) #16 0xaaab34d70bff in iothread_run qemu/iothread.c:82 #17 0xaaab3559d71b in qemu_thread_start qemu/util/qemu-thread-posix.c:519 Fixes: 532fb5328473 ("qapi: Make more of qobject_to()") Reported-by: Euler Robot Signed-off-by: Alex Chen Signed-off-by: Chen Qun 
Signed-off-by: Markus Armbruster
Message-Id: <20201113145525.85151-1-alex.chen@huawei.com>
[Commit message tweaked]
(cherry-picked form commit 922d42bb)
---
 json-Fix-a-memleak-in-parse_pair.patch | 116 +++++++++++++++++++++++++
 1 file changed, 116 insertions(+)
 create mode 100644 json-Fix-a-memleak-in-parse_pair.patch
diff --git a/json-Fix-a-memleak-in-parse_pair.patch b/json-Fix-a-memleak-in-parse_pair.patch
new file mode 100644
index 00000000..a8e2b480
--- /dev/null
+++ b/json-Fix-a-memleak-in-parse_pair.patch
@@ -0,0 +1,116 @@
+From 3c37283532334162876ac78d0a8eb0c8a951d18b Mon Sep 17 00:00:00 2001
+From: Alex Chen
+Date: Fri, 13 Nov 2020 14:55:25 +0000
+Subject: [PATCH] json: Fix a memleak in parse_pair()
+
+In qobject_type(), NULL is returned when the 'QObject' returned from parse_value() is not of QString type,
+and this 'QObject' memory will leaked.
+So we need to first cache the 'QObject' returned from parse_value(), and finally
+free 'QObject' memory at the end of the function.
+Also, we add a testcast about invalid dict key.
+
+The memleak stack is as follows:
+Direct leak of 32 byte(s) in 1 object(s) allocated from:
+ #0 0xfffe4b3c34fb in __interceptor_malloc (/lib64/libasan.so.4+0xd34fb)
+ #1 0xfffe4ae48aa3 in g_malloc (/lib64/libglib-2.0.so.0+0x58aa3)
+ #2 0xaaab3557d9f7 in qnum_from_int qemu/qobject/qnum.c:25
+ #3 0xaaab35584d23 in parse_literal qemu/qobject/json-parser.c:511
+ #4 0xaaab35584d23 in parse_value qemu/qobject/json-parser.c:554
+ #5 0xaaab35583d77 in parse_pair qemu/qobject/json-parser.c:270
+ #6 0xaaab355845db in parse_object qemu/qobject/json-parser.c:327
+ #7 0xaaab355845db in parse_value qemu/qobject/json-parser.c:546
+ #8 0xaaab35585b1b in json_parser_parse qemu/qobject/json-parser.c:580
+ #9 0xaaab35583703 in json_message_process_token qemu/qobject/json-streamer.c:92
+ #10 0xaaab355ddccf in json_lexer_feed_char qemu/qobject/json-lexer.c:313
+ #11 0xaaab355de0eb in json_lexer_feed qemu/qobject/json-lexer.c:350
+ #12 0xaaab354aff67 in tcp_chr_read qemu/chardev/char-socket.c:525
+ #13 0xfffe4ae429db in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x529db)
+ #14 0xfffe4ae42d8f (/lib64/libglib-2.0.so.0+0x52d8f)
+ #15 0xfffe4ae430df in g_main_loop_run (/lib64/libglib-2.0.so.0+0x530df)
+ #16 0xaaab34d70bff in iothread_run qemu/iothread.c:82
+ #17 0xaaab3559d71b in qemu_thread_start qemu/util/qemu-thread-posix.c:519
+
+Fixes: 532fb5328473 ("qapi: Make more of qobject_to()")
+Reported-by: Euler Robot
+Signed-off-by: Alex Chen
+Signed-off-by: Chen Qun
+Signed-off-by: Markus Armbruster
+Message-Id: <20201113145525.85151-1-alex.chen@huawei.com>
+[Commit message tweaked]
+(cherry-picked form commit 922d42bb)
+---
+ qobject/json-parser.c | 12 ++++++------
+ tests/check-qjson.c | 9 +++++++++
+ 2 files changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/qobject/json-parser.c b/qobject/json-parser.c
+index 7d23e12e33..840909ea6a 100644
+--- a/qobject/json-parser.c
++++ b/qobject/json-parser.c
+@@ -257,8 +257,9 @@ static JSONToken *parser_context_peek_token(JSONParserContext *ctxt)
+ */
+ static int parse_pair(JSONParserContext *ctxt, QDict *dict)
+ {
++ QObject *key_obj = NULL;
++ QString *key;
+ QObject *value;
+- QString *key = NULL;
+ JSONToken *peek, *token;
+
+ peek = parser_context_peek_token(ctxt);
+@@ -267,7 +268,8 @@ static int parse_pair(JSONParserContext *ctxt, QDict *dict)
+ goto out;
+ }
+
+- key = qobject_to(QString, parse_value(ctxt));
++ key_obj = parse_value(ctxt);
++ key = qobject_to(QString, key_obj);
+ if (!key) {
+ parse_error(ctxt, peek, "key is not a string in object");
+ goto out;
+@@ -297,13 +299,11 @@ static int parse_pair(JSONParserContext *ctxt, QDict *dict)
+
+ qdict_put_obj(dict, qstring_get_str(key), value);
+
+- qobject_unref(key);
+-
++ qobject_unref(key_obj);
+ return 0;
+
+ out:
+- qobject_unref(key);
+-
++ qobject_unref(key_obj);
+ return -1;
+ }
+
+diff --git a/tests/check-qjson.c b/tests/check-qjson.c
+index fa2afccb0a..5e3e08fe79 100644
+--- a/tests/check-qjson.c
++++ b/tests/check-qjson.c
+@@ -1415,6 +1415,14 @@ static void invalid_dict_comma(void)
+ g_assert(obj == NULL);
+ }
+
++static void invalid_dict_key(void)
++{
++ Error *err = NULL;
++ QObject *obj = qobject_from_json("{32:'abc'}", &err);
++ error_free_or_abort(&err);
++ g_assert(obj == NULL);
++}
++
+ static void unterminated_literal(void)
+ {
+ Error *err = NULL;
+@@ -1500,6 +1508,7 @@ int main(int argc, char **argv)
+ g_test_add_func("/errors/unterminated/dict_comma", unterminated_dict_comma);
+ g_test_add_func("/errors/invalid_array_comma", invalid_array_comma);
+ g_test_add_func("/errors/invalid_dict_comma", invalid_dict_comma);
++ g_test_add_func("/errors/invalid_dict_key", invalid_dict_key);
+ g_test_add_func("/errors/unterminated/literal", unterminated_literal);
+ g_test_add_func("/errors/limits/nesting", limits_nesting);
+ g_test_add_func("/errors/multiple_values", multiple_values);
+--
+2.27.0
+
-- Gitee
From 07b25d8861feb82a811f482e3a7bd45686849e18 Mon Sep 17 00:00:00 2001
From: Euler Robot
Date: Tue, 8 Dec 2020 17:36:20 +0800
Subject: [PATCH 6/7] spec: Update patch and changelog with !46 json: Fix a memleak in parse_pair()
Signed-off-by: Alex Chen
---
 qemu.spec | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/qemu.spec b/qemu.spec
index 337d29cb..918dc30d 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -306,6 +306,7 @@ Patch0293: hw-ide-check-null-block-before-_cancel_dma_sync.patch
 Patch0294: Bugfix-hw-acpi-Use-max_cpus-instead-of-cpus-when-bui.patch
 Patch0295: ati-check-x-y-display-parameter-values.patch
 Patch0296: net-remove-an-assert-call-in-eth_get_gso_type.patch
+Patch0297: json-Fix-a-memleak-in-parse_pair.patch
 BuildRequires: flex
 BuildRequires: bison
@@ -652,6 +653,9 @@ getent passwd qemu >/dev/null || \
 %endif
 %changelog
+* Fri Nov 13 2020 Huawei Technologies Co., Ltd
+- json: Fix a memleak in parse_pair()
+
 * Wed Oct 21 2020 Huawei Technologies Co., Ltd
 - net: remove an assert call in eth_get_gso_type
-- Gitee
From 114a0f1200545b8110ff3521eac41f8acc9d3772 Mon Sep 17 00:00:00 2001
From: Euler Robot
Date: Tue, 8 Dec 2020 17:36:21 +0800
Subject: [PATCH 7/7] spec: Update release version with !33 !42 !46 increase release verison by one
Signed-off-by: Euler Robot
---
 qemu.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/qemu.spec b/qemu.spec
index 918dc30d..6fb993ff 100644
--- a/qemu.spec
+++ b/qemu.spec
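Review bot: The split between `key_obj` and `key` in the embedded qobject/json-parser.c hunk is the whole point of the fix, yet nothing says which of the two owns the reference; a comment at the declarations, `/* key_obj owns the reference returned by parse_value(); key is a borrowed view of it and is released only through key_obj */`, would stop a later edit from reintroducing the leak by unref'ing or dropping the wrong one. The added invalid_dict_key() test only asserts `obj == NULL`, which the old code also satisfied, so it demonstrates the fix only under a leak-sanitizer run; a one-line comment in the test saying that the leak is what it guards would make its purpose clear. parse_pair() continues between and after the hunks, so the other error paths that reach `out:` could not be checked here; passing a possibly NULL `key_obj` to qobject_to() matches what the original did with parse_value()'s return value, so that is presumably fine.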
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 34
+Release: 35
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY
-- Gitee