From 42a23f0a2fe9d5125e67a04d0f4a9d51edaf949b Mon Sep 17 00:00:00 2001
From: "Huawei Technologies Co., Ltd"
Date: Tue, 23 Feb 2021 15:20:03 +0800
Subject: [PATCH 1/5] ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end

Fix CVE-2020-29443

During data transfer via packet command in 'ide_atapi_cmd_reply_end' 's->io_buffer_index' could exceed the 's->io_buffer' length, leading to OOB access issue. Add check to avoid it.
 ...
 #9 ahci_pio_transfer ../hw/ide/ahci.c:1383
 #10 ide_transfer_start_norecurse ../hw/ide/core.c:553
 #11 ide_atapi_cmd_reply_end ../hw/ide/atapi.c:284
 #12 ide_atapi_cmd_read_pio ../hw/ide/atapi.c:329
 #13 ide_atapi_cmd_read ../hw/ide/atapi.c:442
 #14 cmd_read ../hw/ide/atapi.c:988
 #15 ide_atapi_cmd ../hw/ide/atapi.c:1352
 #16 ide_transfer_start ../hw/ide/core.c:561
 #17 cmd_packet ../hw/ide/core.c:1729
 #18 ide_exec_cmd ../hw/ide/core.c:2107
 #19 handle_reg_h2d_fis ../hw/ide/ahci.c:1267
 #20 handle_cmd ../hw/ide/ahci.c:1318
 #21 check_cmd ../hw/ide/ahci.c:592
 #22 ahci_port_write ../hw/ide/ahci.c:373
 #23 ahci_mem_write ../hw/ide/ahci.c:513

Reported-by: Wenxiang Qian
Signed-off-by: Prasad J Pandit

Signed-off-by: Jiajie Li
---
 ...io_buffer_index-in-ide_atapi_cmd_rep.patch | 52 +++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 ide-atapi-check-io_buffer_index-in-ide_atapi_cmd_rep.patch

diff --git a/ide-atapi-check-io_buffer_index-in-ide_atapi_cmd_rep.patch b/ide-atapi-check-io_buffer_index-in-ide_atapi_cmd_rep.patch
new file mode 100644
index 0000000..da58bb9
--- /dev/null
+++ b/ide-atapi-check-io_buffer_index-in-ide_atapi_cmd_rep.patch
@@ -0,0 +1,52 @@
+From 5209fbd340efe3fa7f8ea82f671db2fa04dda19b Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Tue, 23 Feb 2021 15:20:03 +0800
+Subject: [PATCH] ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end
+
+Fix CVE-2020-29443
+
+During data transfer via packet command in 'ide_atapi_cmd_reply_end'
+'s->io_buffer_index' could exceed the 's->io_buffer' length, leading
+to OOB access issue. Add check to avoid it.
+ ...
+ #9 ahci_pio_transfer ../hw/ide/ahci.c:1383
+ #10 ide_transfer_start_norecurse ../hw/ide/core.c:553
+ #11 ide_atapi_cmd_reply_end ../hw/ide/atapi.c:284
+ #12 ide_atapi_cmd_read_pio ../hw/ide/atapi.c:329
+ #13 ide_atapi_cmd_read ../hw/ide/atapi.c:442
+ #14 cmd_read ../hw/ide/atapi.c:988
+ #15 ide_atapi_cmd ../hw/ide/atapi.c:1352
+ #16 ide_transfer_start ../hw/ide/core.c:561
+ #17 cmd_packet ../hw/ide/core.c:1729
+ #18 ide_exec_cmd ../hw/ide/core.c:2107
+ #19 handle_reg_h2d_fis ../hw/ide/ahci.c:1267
+ #20 handle_cmd ../hw/ide/ahci.c:1318
+ #21 check_cmd ../hw/ide/ahci.c:592
+ #22 ahci_port_write ../hw/ide/ahci.c:373
+ #23 ahci_mem_write ../hw/ide/ahci.c:513
+
+Reported-by: Wenxiang Qian
+Signed-off-by: Prasad J Pandit
+
+Signed-off-by: Jiajie Li
+---
+ hw/ide/atapi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
+index 1b0f66cc08..fc9dc87f03 100644
+--- a/hw/ide/atapi.c
++++ b/hw/ide/atapi.c
+@@ -300,6 +300,9 @@ void ide_atapi_cmd_reply_end(IDEState *s)
+ s->packet_transfer_size -= size;
+ s->elementary_transfer_size -= size;
+ s->io_buffer_index += size;
++ if (s->io_buffer_index > s->io_buffer_total_len) {
++ return;
++ }
+
+ /* Some adapters process PIO data right away. In that case, we need
+ * to avoid mutual recursion between ide_transfer_start
+--
+2.27.0
+
--
Gitee
From f8b7dd549da33db40cb9082bd41a5be19d2b02a7 Mon Sep 17 00:00:00 2001
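Review bot: The new guard in ide_atapi_cmd_reply_end exits with a bare `return` once `s->io_buffer_index` exceeds `s->io_buffer_total_len`, after `packet_transfer_size` and `elementary_transfer_size` have already been decremented, so the guest's packet command is abandoned with no completion status and nothing is logged on the host side. Failing the command explicitly through the error-completion path atapi.c uses elsewhere (`ide_atapi_cmd_error()` with an ILLEGAL_REQUEST sense key), or at minimum documenting the early exit with `/* io_buffer_index ran past io_buffer_total_len: refuse the transfer rather than touch io_buffer out of bounds */`, would make the condition diagnosable instead of a silent stall. Whether this check runs before the copy that consumes the index cannot be told from the three context lines, so that ordering should be confirmed against the full function. The inner patch's commit id could not be matched to a mainline commit from this page; if it is a mailing-list revision rather than the merged upstream fix, the backport description should say where it was taken from. The enclosing function starts and ends outside the hunk.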
From: Euler Robot
Date: Fri, 26 Feb 2021 16:27:53 +0800
Subject: [PATCH 2/5] spec: Update patch and changelog with !77 ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end

Signed-off-by: Alex Chen
---
 qemu.spec | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/qemu.spec b/qemu.spec
index da3f255..8ecfdb4 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -309,6 +309,7 @@ Patch0296: configure-Enable-test-and-libs-for-zstd.patch
 Patch0297: ati-use-vga_read_byte-in-ati_cursor_define.patch
 Patch0298: sd-sdhci-assert-data_count-is-within-fifo_buffer.patch
 Patch0299: msix-add-valid.accepts-methods-to-check-address.patch
+Patch0300: ide-atapi-check-io_buffer_index-in-ide_atapi_cmd_rep.patch
 
 BuildRequires: flex
 BuildRequires: bison
@@ -688,6 +689,9 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Fri Feb 26 2021 Huawei Technologies Co., Ltd
+- ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end
+
 * Fri Feb 19 2021 Huawei Technologies Co., Ltd
 - ati: use vga_read_byte in ati_cursor_define
 - sd: sdhci: assert data_count is within fifo_buffer
--
Gitee
From 5f96f6bac36ffa987ba318e007070b2f70871884 Mon Sep 17 00:00:00 2001
From: "Huawei Technologies Co., Ltd"
Date: Thu, 25 Feb 2021 18:03:57 +0800
Subject: [PATCH 3/5] block-backend: Stop retrying when draining

Retrying failed requests when draining would make the draining hung. So it is better not to trigger the retry timer when draining. And after the virtual devices go back to work, they would retry those queued requests.

Signed-off-by: Jiahui Cen
Signed-off-by: Ying Fang
---
 ...-backend-Stop-retrying-when-draining.patch | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 block-backend-Stop-retrying-when-draining.patch

diff --git a/block-backend-Stop-retrying-when-draining.patch b/block-backend-Stop-retrying-when-draining.patch
new file mode 100644
index 0000000..13f3ad6
--- /dev/null
+++ b/block-backend-Stop-retrying-when-draining.patch
@@ -0,0 +1,37 @@
+From da64af4b1e92c345296d937e66136f86027d1ca2 Mon Sep 17 00:00:00 2001
+From: Jiahui Cen
+Date: Thu, 25 Feb 2021 18:03:57 +0800
+Subject: [PATCH] block-backend: Stop retrying when draining
+
+Retrying failed requests when draining would make the draining hung. So it
+is better not to trigger the retry timer when draining. And after the
+virtual devices go back to work, they would retry those queued requests.
+
+Signed-off-by: Jiahui Cen
+Signed-off-by: Ying Fang
+---
+ block/block-backend.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/block/block-backend.c b/block/block-backend.c
+index 2d812e2254..f6c918f1d9 100644
+--- a/block/block-backend.c
++++ b/block/block-backend.c
+@@ -1741,9 +1741,11 @@ void blk_error_action(BlockBackend *blk, BlockErrorAction action,
+ send_qmp_error_event(blk, action, is_read, error);
+ qemu_system_vmstop_request(RUN_STATE_IO_ERROR);
+ } else if (action == BLOCK_ERROR_ACTION_RETRY) {
+- timer_mod(blk->retry_timer, qemu_clock_get_ms(QEMU_CLOCK_REALTIME) +
+- blk->retry_interval);
+- send_qmp_error_event(blk, action, is_read, error);
++ if (!blk->quiesce_counter) {
++ timer_mod(blk->retry_timer, qemu_clock_get_ms(QEMU_CLOCK_REALTIME) +
++ blk->retry_interval);
++ send_qmp_error_event(blk, action, is_read, error);
++ }
+ } else {
+ send_qmp_error_event(blk, action, is_read, error);
+ }
+--
+2.27.0
+
--
Gitee
From f8f7dd42e802d21f27d22b758584f839df4ce2dd Mon Sep 17 00:00:00 2001
From: Euler Robot
Date: Fri, 26 Feb 2021 16:27:55 +0800
Subject: [PATCH 4/5] spec: Update patch and changelog with !78 block-backend: Stop retrying when draining

Signed-off-by: Alex Chen
---
 qemu.spec | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/qemu.spec b/qemu.spec
index 8ecfdb4..38f6211 100644
--- a/qemu.spec
+++ b/qemu.spec
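Review bot: The new `if (!blk->quiesce_counter)` in blk_error_action suppresses the `send_qmp_error_event` call together with the timer re-arm, so an I/O error that hits while the backend is quiesced now produces no QMP error event at all, unlike every other branch of the function. If the intent is only to avoid arming the retry timer during drain, keep just the `timer_mod(...)` inside the new condition and place `send_qmp_error_event(blk, action, is_read, error);` after its closing brace so the failure is still reported. The commit message says the devices retry the queued requests once draining ends; if nothing re-arms `blk->retry_timer` when `quiesce_counter` drops back to zero, those requests would otherwise sit until the next error, so that hand-off deserves a comment at the condition, e.g. `/* Draining: do not re-arm; queued requests are retried when the devices resume */`. blk_error_action starts and ends outside the hunk.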
@@ -310,6 +310,7 @@ Patch0297: ati-use-vga_read_byte-in-ati_cursor_define.patch
 Patch0298: sd-sdhci-assert-data_count-is-within-fifo_buffer.patch
 Patch0299: msix-add-valid.accepts-methods-to-check-address.patch
 Patch0300: ide-atapi-check-io_buffer_index-in-ide_atapi_cmd_rep.patch
+Patch0301: block-backend-Stop-retrying-when-draining.patch
 
 BuildRequires: flex
 BuildRequires: bison
@@ -689,6 +690,9 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Fri Feb 26 2021 Huawei Technologies Co., Ltd
+- block-backend: Stop retrying when draining
+
 * Fri Feb 26 2021 Huawei Technologies Co., Ltd
 - ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end
 
--
Gitee
From 6dd68908128fc58d805e15c4866c72b37dbc00f7 Mon Sep 17 00:00:00 2001
From: Euler Robot
Date: Fri, 26 Feb 2021 16:28:21 +0800
Subject: [PATCH 5/5] spec: Update release version with !77 !78 increase release verison by one

Signed-off-by: Euler Robot
---
 qemu.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/qemu.spec b/qemu.spec
index 38f6211..1efb716 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 46
+Release: 47
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
--
Gitee