From adf69c7e9f576e267acda0a1f389f057126c9038 Mon Sep 17 00:00:00 2001 From: "Huawei Technologies Co., Ltd" Date: Wed, 13 Jan 2021 14:50:59 +0800 Subject: [PATCH 1/3] memory: clamp cached translation in case it points to an MMIO region In using the address_space_translate_internal API, address_space_cache_init forgot one piece of advice that can be found in the code for address_space_translate_internal: /* MMIO registers can be expected to perform full-width accesses based only * on their address, without considering adjacent registers that could * decode to completely different MemoryRegions. When such registers * exist (e.g. I/O ports 0xcf8 and 0xcf9 on most PC chipsets), MMIO * regions overlap wildly. For this reason we cannot clamp the accesses * here. * * If the length is small (as is the case for address_space_ldl/stl), * everything works fine. If the incoming length is large, however, * the caller really has to do the clamping through memory_access_size. */ address_space_cache_init is exactly one such case where "the incoming length is large", therefore we need to clamp the resulting length---not to memory_access_size though, since we are not doing an access yet, but to the size of the resulting section. This ensures that subsequent accesses to the cached MemoryRegionSection will be in range. With this patch, the enclosed testcase notices that the used ring does not fit into the MSI-X table and prints a "qemu-system-x86_64: Cannot map used" error. Signed-off-by: Paolo Bonzini (cherry-picked from 4bfb024b) Fix CVE-2020-27821 Signed-off-by: Alex Chen --- ...hed-translation-in-case-it-points-to.patch | 72 +++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 memory-clamp-cached-translation-in-case-it-points-to.patch diff --git a/memory-clamp-cached-translation-in-case-it-points-to.patch b/memory-clamp-cached-translation-in-case-it-points-to.patch new file mode 100644 index 00000000..c4f74d4e --- /dev/null 
+++ b/memory-clamp-cached-translation-in-case-it-points-to.patch 
@@ -0,0 +1,72 @@ +From e07e9fc9d97e9cae3d6316b7286b504398a6fc80 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Wed, 13 Jan 2021 14:50:59 +0800 +Subject: [PATCH] memory: clamp cached translation in case it points to an MMIO + region + +In using the address_space_translate_internal API, address_space_cache_init +forgot one piece of advice that can be found in the code for +address_space_translate_internal: + + /* MMIO registers can be expected to perform full-width accesses based only + * on their address, without considering adjacent registers that could + * decode to completely different MemoryRegions. When such registers + * exist (e.g. I/O ports 0xcf8 and 0xcf9 on most PC chipsets), MMIO + * regions overlap wildly. For this reason we cannot clamp the accesses + * here. + * + * If the length is small (as is the case for address_space_ldl/stl), + * everything works fine. If the incoming length is large, however, + * the caller really has to do the clamping through memory_access_size. + */ + +address_space_cache_init is exactly one such case where "the incoming length +is large", therefore we need to clamp the resulting length---not to +memory_access_size though, since we are not doing an access yet, but to +the size of the resulting section. This ensures that subsequent accesses +to the cached MemoryRegionSection will be in range. + +With this patch, the enclosed testcase notices that the used ring does +not fit into the MSI-X table and prints a "qemu-system-x86_64: Cannot map used" +error. 
+ +Signed-off-by: Paolo Bonzini +(cherry-picked from 4bfb024b) +Fix CVE-2020-27821 +Signed-off-by: Alex Chen +--- + exec.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/exec.c b/exec.c +index 85c6d80353..8822c241d8 100644 +--- a/exec.c ++++ b/exec.c +@@ -3834,6 +3834,7 @@ int64_t address_space_cache_init(MemoryRegionCache *cache, + AddressSpaceDispatch *d; + hwaddr l; + MemoryRegion *mr; ++ Int128 diff; + + assert(len > 0); + +@@ -3842,6 +3843,16 @@ int64_t address_space_cache_init(MemoryRegionCache *cache, + d = flatview_to_dispatch(cache->fv); + cache->mrs = *address_space_translate_internal(d, addr, &cache->xlat, &l, true); + ++ /* ++ * cache->xlat is now relative to cache->mrs.mr, not to the section itself. ++ * Take that into account to compute how many bytes are there between ++ * cache->xlat and the end of the section. ++ */ ++ ++ diff = int128_sub(cache->mrs.size, ++ int128_make64(cache->xlat - cache->mrs.offset_within_region)); ++ l = int128_get64(int128_min(diff, int128_make64(l))); ++ + mr = cache->mrs.mr; + memory_region_ref(mr); + if (memory_access_is_direct(mr, is_write)) { +-- +2.27.0 + -- Gitee From 83a95bec067cf029d8f6470078b9d83d4972ec15 Mon Sep 17 00:00:00 2001 From: Euler Robot Date: Fri, 15 Jan 2021 11:26:50 +0800 Subject: [PATCH 2/3] spec: Update patch and changelog with !60 memory: clamp cached translation in case it points to an MMIO region Signed-off-by: Alex Chen --- qemu.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/qemu.spec b/qemu.spec index a41c459b..bd6c08a5 100644 --- a/qemu.spec +++ b/qemu.spec @@ -287,6 +287,7 @@ Patch0274: hw-usb-hcd-ohci-check-len-and-frame_number-variables.patch Patch0275: hw-net-e1000e-advance-desc_offset-in-case-of-null-de.patch Patch0276: hostmem-Fix-up-free-host_nodes-list-right-after-visi.patch Patch0277: target-arm-Fix-write-redundant-values-to-kvm.patch +Patch0278: memory-clamp-cached-translation-in-case-it-points-to.patch BuildRequires: flex BuildRequires: bison 
@@ -664,6 +665,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Fri Jan 15 2021 Huawei Technologies Co., Ltd +- memory: clamp cached translation in case it points to an MMIO region + * Wed Dec 9 2020 Huawei Technologies Co., Ltd - target/arm: Fix write redundant values to kvm -- Gitee From d048d2e58f8092e3dcf2d29399eed459ab772597 Mon Sep 17 00:00:00 2001 From: Euler Robot Date: Fri, 15 Jan 2021 11:27:06 +0800 Subject: [PATCH 3/3] spec: Update release version with !60 increase release version by one Signed-off-by: Euler Robot --- qemu.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qemu.spec b/qemu.spec index bd6c08a5..aee99a9e 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 40 +Release: 41 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 -- Gitee
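Review bot: in the exec.c hunk carried by memory-clamp-cached-translation-in-case-it-points-to.patch, the clamp `l = int128_get64(int128_min(diff, int128_make64(l)));` only shortens the length returned to the caller and does not itself reject the mapping, so the fix is effective only where every address_space_cache_init caller compares the returned length with the requested len and fails when it is shorter (the "Cannot map used" message quoted in the description is that check on the virtio used-ring path); please confirm all callers in this 4.1.0 tree do so, since the backport touches exec.c alone. The description also says a testcase is enclosed, but the diffstat is `exec.c | 11 +++++++++++` / `1 file changed`; either carry the test over or drop that sentence from the backport message. Lastly, `diff` is only meaningful when cache->xlat >= cache->mrs.offset_within_region, which is the invariant the new comment relies on; an assert on it before the int128_sub would document that and catch a translation that violates it.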
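Review bot: the `+Patch0278: memory-clamp-cached-translation-in-case-it-points-to.patch` hunk only declares the patch; if this spec applies patches through explicit %patch lines in %prep rather than %autosetup/%autopatch, a matching %patch0278 -p1 line is also needed and is not in this diff, in which case the new patch would be listed but never applied. Please check %prep, which is outside the shown context.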
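Review bot: the new changelog entry `- memory: clamp cached translation in case it points to an MMIO region` does not mention CVE-2020-27821, although the patch's own message carries `Fix CVE-2020-27821`; add the CVE id to the entry so the fix can be located by grepping the changelog of the 2:4.1.0-41 build.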