From 4529242367d85f39c2525208190d2f3bc71e8dc6 Mon Sep 17 00:00:00 2001
From: "Huawei Technologies Co., Ltd"
Date: Fri, 5 Feb 2021 10:38:24 +0800
Subject: [PATCH 01/10] ati: use vga_read_byte in ati_cursor_define
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
fix CVE-2019-20808
This makes sure reads are confined to vga video memory.
v3: use uint32_t, fix cut+paste bug.
v2: fix ati_cursor_draw_line too.
Reported-by: xu hang
Signed-off-by: Gerd Hoffmann
Reviewed-by: BALATON Zoltan
Reviewed-by: Philippe Mathieu-Daudé
Message-id: 20190917111441.27405-3-kraxel@redhat.com
cherry-pick from aab0e2a661b2b6bf7915c0aefe807fb60d6d9d13
Signed-off-by: Jiajie Li
---
 ...e-vga_read_byte-in-ati_cursor_define.patch | 198 ++++++++++++++++++
 1 file changed, 198 insertions(+)
 create mode 100644 ati-use-vga_read_byte-in-ati_cursor_define.patch
diff --git a/ati-use-vga_read_byte-in-ati_cursor_define.patch b/ati-use-vga_read_byte-in-ati_cursor_define.patch
new file mode 100644
index 0000000..a4b7e80
--- /dev/null
+++ b/ati-use-vga_read_byte-in-ati_cursor_define.patch
@@ -0,0 +1,198 @@
+From 1ebe0e71d04bfdc76777a3a672e873f006d207e2 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Fri, 5 Feb 2021 10:38:24 +0800
+Subject: [PATCH] ati: use vga_read_byte in ati_cursor_define
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+fix CVE-2019-20808
+
+This makes sure reads are confined to vga video memory.
+
+v3: use uint32_t, fix cut+paste bug.
+v2: fix ati_cursor_draw_line too.
+
+Reported-by: xu hang
+Signed-off-by: Gerd Hoffmann
+Reviewed-by: BALATON Zoltan
+Reviewed-by: Philippe Mathieu-Daudé
+Message-id: 20190917111441.27405-3-kraxel@redhat.com
+
+cherry-pick from aab0e2a661b2b6bf7915c0aefe807fb60d6d9d13
+Signed-off-by: Jiajie Li
+---
+ hw/display/ati.c | 21 ++++++++---------
+ hw/display/vga-access.h | 49 ++++++++++++++++++++++++++++++++++++++++
+ hw/display/vga-helpers.h | 27 +---------------------
+ 3 files changed, 60 insertions(+), 37 deletions(-)
+ create mode 100644 hw/display/vga-access.h
+
+diff --git a/hw/display/ati.c b/hw/display/ati.c
+index 5943040416..b17569874e 100644
+--- a/hw/display/ati.c
++++ b/hw/display/ati.c
+@@ -19,6 +19,7 @@
+ #include "qemu/osdep.h"
+ #include "ati_int.h"
+ #include "ati_regs.h"
++#include "vga-access.h"
+ #include "vga_regs.h"
+ #include "qemu/log.h"
+ #include "qemu/module.h"
+@@ -125,20 +126,19 @@ static void ati_vga_switch_mode(ATIVGAState *s)
+ static void ati_cursor_define(ATIVGAState *s)
+ {
+ uint8_t data[1024];
+- uint8_t *src;
++ uint32_t srcoff;
+ int i, j, idx = 0;
+
+ if ((s->regs.cur_offset & BIT(31)) || s->cursor_guest_mode) {
+ return; /* Do not update cursor if locked or rendered by guest */
+ }
+ /* FIXME handle cur_hv_offs correctly */
+- src = s->vga.vram_ptr + (s->regs.crtc_offset & 0x07ffffff) +
+- s->regs.cur_offset - (s->regs.cur_hv_offs >> 16) -
+- (s->regs.cur_hv_offs & 0xffff) * 16;
++ srcoff = s->regs.cur_offset -
++ (s->regs.cur_hv_offs >> 16) - (s->regs.cur_hv_offs & 0xffff) * 16;
+ for (i = 0; i < 64; i++) {
+ for (j = 0; j < 8; j++, idx++) {
+- data[idx] = src[i * 16 + j];
+- data[512 + idx] = src[i * 16 + j + 8];
++ data[idx] = vga_read_byte(&s->vga, srcoff + i * 16 + j);
++ data[512 + idx] = vga_read_byte(&s->vga, srcoff + i * 16 + j + 8);
+ }
+ }
+ if (!s->cursor) {
+@@ -180,7 +180,7 @@ static void ati_cursor_invalidate(VGACommonState *vga)
+ static void ati_cursor_draw_line(VGACommonState *vga, uint8_t *d, int scr_y)
+ {
+ ATIVGAState *s = container_of(vga, ATIVGAState, vga);
+- uint8_t *src;
++ uint32_t srcoff;
+ uint32_t *dp = (uint32_t *)d;
+ int i, j, h;
+
+@@ -190,14 +190,13 @@ static void ati_cursor_draw_line(VGACommonState *vga, uint8_t *d, int scr_y)
+ return;
+ }
+ /* FIXME handle cur_hv_offs correctly */
+- src = s->vga.vram_ptr + (s->regs.crtc_offset & 0x07ffffff) +
+- s->cursor_offset + (scr_y - vga->hw_cursor_y) * 16;
++ srcoff = s->cursor_offset + (scr_y - vga->hw_cursor_y) * 16;
+ dp = &dp[vga->hw_cursor_x];
+ h = ((s->regs.crtc_h_total_disp >> 16) + 1) * 8;
+ for (i = 0; i < 8; i++) {
+ uint32_t color;
+- uint8_t abits = src[i];
+- uint8_t xbits = src[i + 8];
++ uint8_t abits = vga_read_byte(vga, srcoff + i);
++ uint8_t xbits = vga_read_byte(vga, srcoff + i + 8);
+ for (j = 0; j < 8; j++, abits <<= 1, xbits <<= 1) {
+ if (abits & BIT(7)) {
+ if (xbits & BIT(7)) {
+diff --git a/hw/display/vga-access.h b/hw/display/vga-access.h
+new file mode 100644
+index 0000000000..c0fbd9958b
+--- /dev/null
++++ b/hw/display/vga-access.h
+@@ -0,0 +1,49 @@
++/*
++ * QEMU VGA Emulator templates
++ *
++ * Copyright (c) 2003 Fabrice Bellard
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a copy
++ * of this software and associated documentation files (the "Software"), to deal
++ * in the Software without restriction, including without limitation the rights
++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++ * copies of the Software, and to permit persons to whom the Software is
++ * furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be included in
++ * all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
++ * THE SOFTWARE.
++ */
++
++static inline uint8_t vga_read_byte(VGACommonState *vga, uint32_t addr)
++{
++ return vga->vram_ptr[addr & vga->vbe_size_mask];
++}
++
++static inline uint16_t vga_read_word_le(VGACommonState *vga, uint32_t addr)
++{
++ uint32_t offset = addr & vga->vbe_size_mask & ~1;
++ uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset);
++ return lduw_le_p(ptr);
++}
++
++static inline uint16_t vga_read_word_be(VGACommonState *vga, uint32_t addr)
++{
++ uint32_t offset = addr & vga->vbe_size_mask & ~1;
++ uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset);
++ return lduw_be_p(ptr);
++}
++
++static inline uint32_t vga_read_dword_le(VGACommonState *vga, uint32_t addr)
++{
++ uint32_t offset = addr & vga->vbe_size_mask & ~3;
++ uint32_t *ptr = (uint32_t *)(vga->vram_ptr + offset);
++ return ldl_le_p(ptr);
++}
+diff --git a/hw/display/vga-helpers.h b/hw/display/vga-helpers.h
+index 5a752b3f9e..5b6c02faa6 100644
+--- a/hw/display/vga-helpers.h
++++ b/hw/display/vga-helpers.h
+@@ -21,6 +21,7 @@
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
++#include "vga-access.h"
+
+ static inline void vga_draw_glyph_line(uint8_t *d, uint32_t font_data,
+ uint32_t xorcol, uint32_t bgcol)
+@@ -95,32 +96,6 @@ static void vga_draw_glyph9(uint8_t *d, int linesize,
+ } while (--h);
+ }
+
+-static inline uint8_t vga_read_byte(VGACommonState *vga, uint32_t addr)
+-{
+- return vga->vram_ptr[addr & vga->vbe_size_mask];
+-}
+-
+-static inline uint16_t vga_read_word_le(VGACommonState *vga, uint32_t addr)
+-{
+- uint32_t offset = addr & vga->vbe_size_mask & ~1;
+- uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset);
+- return lduw_le_p(ptr);
+-}
+-
+-static inline uint16_t vga_read_word_be(VGACommonState *vga, uint32_t addr)
+-{
+- uint32_t offset = addr & vga->vbe_size_mask & ~1;
+- uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset);
+- return lduw_be_p(ptr);
+-}
+-
+-static inline uint32_t vga_read_dword_le(VGACommonState *vga, uint32_t addr)
+-{
+- uint32_t offset = addr & vga->vbe_size_mask & ~3;
+- uint32_t *ptr = (uint32_t *)(vga->vram_ptr + offset);
+- return ldl_le_p(ptr);
+-}
+-
+ /*
+ * 4 color mode
+ */
+--
+2.27.0
+
--
Gitee
From 580074d6871bab42f171f9f56ed0ac71f88cbf4a Mon Sep 17 00:00:00 2001
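Review bot: The new `hw/display/vga-access.h` (the `@@ -0,0 +1,49 @@` hunk) has no include guard, yet it is now included from both `ati.c` and `vga-helpers.h`; any translation unit that pulls in both gets duplicate definitions of the `static inline` readers and fails to compile. Wrap the file in `#ifndef VGA_ACCESS_H` / `#define VGA_ACCESS_H` … `#endif` (or `#pragma once`, if the tree already uses it). Separately, the rewritten offsets in `ati_cursor_define` and `ati_cursor_draw_line` drop the `(s->regs.crtc_offset & 0x07ffffff)` term that the removed `src` computation had; the message only talks about confining reads to VRAM, so either document that this is intended or confirm it against upstream aab0e2a661b2b6bf7915c0aefe807fb60d6d9d13 before backporting. The `uint32_t` arithmetic on `srcoff` can wrap for guest-chosen `cur_hv_offs`, which is safe only because `vga_read_byte()` masks with `vbe_size_mask`; a one-line comment at the assignment, `/* may wrap; vga_read_byte() masks the offset into VRAM */`, would make that dependency explicit. Both functions continue outside the hunk.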
From: "Huawei Technologies Co., Ltd"
Date: Mon, 8 Feb 2021 17:14:21 +0800
Subject: [PATCH 02/10] sd: sdhci: assert data_count is within fifo_buffer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fix CVE-2020-17380
While doing multi block SDMA, transfer block size may exceed
the 's->fifo_buffer[s->buf_maxsz]' size. It may leave the
current element pointer 's->data_count' pointing out of bounds.
Leading the subsequent DMA r/w operation to OOB access issue.
Assert that 's->data_count' is within fifo_buffer.
-> https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fsdhci_oob_write1
==1459837==ERROR: AddressSanitizer: heap-buffer-overflow
WRITE of size 54722048 at 0x61500001e280 thread T3
#0 __interceptor_memcpy (/lib64/libasan.so.6+0x3a71d)
#1 flatview_read_continue ../exec.c:3245
#2 flatview_read ../exec.c:3278
#3 address_space_read_full ../exec.c:3291
#4 address_space_rw ../exec.c:3319
#5 dma_memory_rw_relaxed ../include/sysemu/dma.h:87
#6 dma_memory_rw ../include/sysemu/dma.h:110
#7 dma_memory_read ../include/sysemu/dma.h:116
#8 sdhci_sdma_transfer_multi_blocks ../hw/sd/sdhci.c:629
#9 sdhci_write ../hw/sd/sdhci.c:1097
#10 memory_region_write_accessor ../softmmu/memory.c:483
...
Reported-by: Ruhr-University
Suggested-by: Philippe Mathieu-Daudé
Signed-off-by: Prasad J Pandit
patch link: https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg01175.html
Signed-off-by: Jiajie Li
---
 ...ert-data_count-is-within-fifo_buffer.patch | 65 +++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 sd-sdhci-assert-data_count-is-within-fifo_buffer.patch
diff --git a/sd-sdhci-assert-data_count-is-within-fifo_buffer.patch b/sd-sdhci-assert-data_count-is-within-fifo_buffer.patch
new file mode 100644
index 0000000..e38bfaa
--- /dev/null
+++ b/sd-sdhci-assert-data_count-is-within-fifo_buffer.patch
@@ -0,0 +1,65 @@
+From e8d2655821caa2b8efce429c0036a93342b8383d Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Mon, 8 Feb 2021 17:14:21 +0800
+Subject: [PATCH] sd: sdhci: assert data_count is within fifo_buffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fix CVE-2020-17380
+
+While doing multi block SDMA, transfer block size may exceed
+the 's->fifo_buffer[s->buf_maxsz]' size. It may leave the
+current element pointer 's->data_count' pointing out of bounds.
+Leading the subsequent DMA r/w operation to OOB access issue.
+Assert that 's->data_count' is within fifo_buffer.
+
+ -> https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fsdhci_oob_write1
+ ==1459837==ERROR: AddressSanitizer: heap-buffer-overflow
+ WRITE of size 54722048 at 0x61500001e280 thread T3
+ #0 __interceptor_memcpy (/lib64/libasan.so.6+0x3a71d)
+ #1 flatview_read_continue ../exec.c:3245
+ #2 flatview_read ../exec.c:3278
+ #3 address_space_read_full ../exec.c:3291
+ #4 address_space_rw ../exec.c:3319
+ #5 dma_memory_rw_relaxed ../include/sysemu/dma.h:87
+ #6 dma_memory_rw ../include/sysemu/dma.h:110
+ #7 dma_memory_read ../include/sysemu/dma.h:116
+ #8 sdhci_sdma_transfer_multi_blocks ../hw/sd/sdhci.c:629
+ #9 sdhci_write ../hw/sd/sdhci.c:1097
+ #10 memory_region_write_accessor ../softmmu/memory.c:483
+ ...
+
+Reported-by: Ruhr-University
+Suggested-by: Philippe Mathieu-Daudé
+Signed-off-by: Prasad J Pandit
+
+patch link: https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg01175.html
+Signed-off-by: Jiajie Li
+---
+ hw/sd/sdhci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 7b80b1d93f..e51573fe3c 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -613,6 +613,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
+ s->blkcnt--;
+ }
+ }
++ assert(s->data_count <= s->buf_maxsz && s->data_count > begin);
+ dma_memory_write(s->dma_as, s->sdmasysad,
+ &s->fifo_buffer[begin], s->data_count - begin);
+ s->sdmasysad += s->data_count - begin;
+@@ -635,6 +636,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
+ s->data_count = block_size;
+ boundary_count -= block_size - begin;
+ }
++ assert(s->data_count <= s->buf_maxsz && s->data_count > begin);
+ dma_memory_read(s->dma_as, s->sdmasysad,
+ &s->fifo_buffer[begin], s->data_count - begin);
+ s->sdmasysad += s->data_count - begin;
+--
+2.27.0
+
--
Gitee
From a946231a235fb8bb2d88a2241d46d4a3ba999235 Mon Sep 17 00:00:00 2001
From: "Huawei Technologies Co., Ltd"
Date: Fri, 19 Feb 2021 16:28:00 +0800
Subject: [PATCH 03/10] msix: add valid.accepts methods to check address
Fix CVE-2020-13754
While doing msi-x mmio operations, a guest may send an address
that leads to an OOB access issue. Add valid.accepts methods to
ensure that ensuing mmio r/w operation don't go beyond regions.
Reported-by: Ren Ding
Reported-by: Hanqing Zhao
Reported-by: Anatoly Trosinenko
Reported-by: Alexander Bulekov
Signed-off-by: Prasad J Pandit
patch link: https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00004.html
Signed-off-by: Jiajie Li
---
 ...lid.accepts-methods-to-check-address.patch | 78 +++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 msix-add-valid.accepts-methods-to-check-address.patch
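Review bot: The two added `assert()` calls in `sdhci_sdma_transfer_multi_blocks` convert a guest-controllable out-of-bounds DMA into a guest-triggerable abort of the whole QEMU process, because `s->data_count`, `block_size` and the boundary arithmetic all derive from guest-written registers; an assert is fine as a last-line invariant, but the fix should also refuse the oversized transfer before this point (reject a block size larger than `s->buf_maxsz` when the register is written, or end the transfer with an error status) so a misbehaving guest gets a failed command rather than a stopped VM. As far as I know QEMU's osdep.h refuses to build with NDEBUG, so these asserts stay live in release builds. The second operand, `s->data_count > begin`, also fires on a zero-length step, which looks reachable when `block_size` is 0 unless the register write path already rejects that — worth confirming. The function begins and ends outside the hunk.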
diff --git a/msix-add-valid.accepts-methods-to-check-address.patch b/msix-add-valid.accepts-methods-to-check-address.patch
new file mode 100644
index 0000000..6739754
--- /dev/null
+++ b/msix-add-valid.accepts-methods-to-check-address.patch
@@ -0,0 +1,78 @@
+From e9cc24b1737f745b23c408b183dd34fda5abc30c Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Fri, 19 Feb 2021 16:28:00 +0800
+Subject: [PATCH] msix: add valid.accepts methods to check address
+
+Fix CVE-2020-13754
+
+While doing msi-x mmio operations, a guest may send an address
+that leads to an OOB access issue. Add valid.accepts methods to
+ensure that ensuing mmio r/w operation don't go beyond regions.
+
+Reported-by: Ren Ding
+Reported-by: Hanqing Zhao
+Reported-by: Anatoly Trosinenko
+Reported-by: Alexander Bulekov
+Signed-off-by: Prasad J Pandit
+
+patch link: https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00004.html
+Signed-off-by: Jiajie Li
+---
+ hw/pci/msix.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/hw/pci/msix.c b/hw/pci/msix.c
+index d39dcf32e8..ec43f16875 100644
+--- a/hw/pci/msix.c
++++ b/hw/pci/msix.c
+@@ -192,6 +192,15 @@ static void msix_table_mmio_write(void *opaque, hwaddr addr,
+ msix_handle_mask_update(dev, vector, was_masked);
+ }
+
++static bool msix_table_accepts(void *opaque, hwaddr addr, unsigned size,
++ bool is_write, MemTxAttrs attrs)
++{
++ PCIDevice *dev = opaque;
++ uint16_t tbl_size = dev->msix_entries_nr * PCI_MSIX_ENTRY_SIZE;
++
++ return dev->msix_table + addr + 4 <= dev->msix_table + tbl_size;
++}
++
+ static const MemoryRegionOps msix_table_mmio_ops = {
+ .read = msix_table_mmio_read,
+ .write = msix_table_mmio_write,
+@@ -199,6 +208,7 @@ static const MemoryRegionOps msix_table_mmio_ops = {
+ .valid = {
+ .min_access_size = 4,
+ .max_access_size = 4,
++ .accepts = msix_table_accepts
+ },
+ };
+
+@@ -220,6 +230,15 @@ static void msix_pba_mmio_write(void *opaque, hwaddr addr,
+ {
+ }
+
++static bool msix_pba_accepts(void *opaque, hwaddr addr, unsigned size,
++ bool is_write, MemTxAttrs attrs)
++{
++ PCIDevice *dev = opaque;
++ uint16_t pba_size = QEMU_ALIGN_UP(dev->msix_entries_nr, 64) / 8;
++
++ return dev->msix_pba + addr + 4 <= dev->msix_pba + pba_size;
++}
++
+ static const MemoryRegionOps msix_pba_mmio_ops = {
+ .read = msix_pba_mmio_read,
+ .write = msix_pba_mmio_write,
+@@ -227,6 +246,7 @@ static const MemoryRegionOps msix_pba_mmio_ops = {
+ .valid = {
+ .min_access_size = 4,
+ .max_access_size = 4,
++ .accepts = msix_pba_accepts
+ },
+ };
+
+--
+2.27.0
+
--
Gitee
From 76a1e40aec037130a7e243564e6f68caaccaad2d Mon Sep 17 00:00:00 2001
From: Euler Robot
Date: Fri, 19 Feb 2021 21:27:56 +0800
Subject: [PATCH 04/10] spec: Update patch and changelog with !71
ati: use vga_read_byte in ati_cursor_define
sd: sdhci: assert data_count is within fifo_buffer
msix: add valid.accepts methods to check address
Signed-off-by: Alex Chen
---
 qemu.spec | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/qemu.spec b/qemu.spec
index 870909f..6c10e00 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -306,6 +306,9 @@ Patch0293: migration-Add-zstd-support-in-multi-thread-compressi.patch
 Patch0294: migration-Add-compress_level-sanity-check.patch
 Patch0295: doc-Update-multi-thread-compression-doc.patch
 Patch0296: configure-Enable-test-and-libs-for-zstd.patch
+Patch0297: ati-use-vga_read_byte-in-ati_cursor_define.patch
+Patch0298: sd-sdhci-assert-data_count-is-within-fifo_buffer.patch
+Patch0299: msix-add-valid.accepts-methods-to-check-address.patch

 BuildRequires: flex
 BuildRequires: bison
@@ -687,6 +690,11 @@ getent passwd qemu >/dev/null || \
 %endif

 %changelog
+* Fri Feb 19 2021 Huawei Technologies Co., Ltd
+- ati: use vga_read_byte in ati_cursor_define
+- sd: sdhci: assert data_count is within fifo_buffer
+- msix: add valid.accepts methods to check address
+
 * Tue Mar 02 2021 Huawei Technologies Co., Ltd
 - qemu.spec: Add --enable-zstd compile parameter
--
Gitee
From d452f79021680b9cf6dae0a1ac1acf2e91625d15 Mon Sep 17 00:00:00 2001
From: Euler Robot
Date: Wed, 3 Mar 2021 14:30:20 +0800
Subject: [PATCH 05/10] spec: Update release version with yum clean all
increase release verison by one
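Review bot: `msix_table_accepts` and `msix_pba_accepts` add `dev->msix_table` / `dev->msix_pba` to both sides of the comparison, which contributes nothing to the check but forms a pointer beyond the object for out-of-range `addr` (undefined behaviour in C); compare the offsets directly, `return addr + 4 <= tbl_size;` and `return addr + 4 <= pba_size;`. The `size` parameter is ignored in favour of a literal 4; that matches `.min_access_size`/`.max_access_size` both being 4, but `addr + size <= tbl_size` keeps the guard correct if those limits are ever relaxed. `tbl_size`/`pba_size` are `uint16_t`; at the MSI-X maximum of 2048 entries the table product is 32768 and still fits, but a short comment stating that bound would spare the next reader re-deriving it.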
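Review bot: The new `%changelog` entry dated `* Fri Feb 19 2021 Huawei Technologies Co., Ltd` is inserted above the existing `* Tue Mar 02 2021` entry, so the changelog is no longer in descending chronological order; rpmbuild warns about this and some packaging tooling rejects it. Either date the entry with the day it actually lands (it follows the Mar 02 release entry) or place it below that entry. The two later spec updates in this series add `Fri Feb 26 2021` entries on top and inherit the same problem.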
Signed-off-by: Euler Robot
---
 qemu.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/qemu.spec b/qemu.spec
index 6c10e00..ab57e10 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 46
+Release: 47
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
--
Gitee
From 79bd9ed21659ee892acfbe7fde7625f7268277e9 Mon Sep 17 00:00:00 2001
From: "Huawei Technologies Co., Ltd"
Date: Tue, 23 Feb 2021 15:20:03 +0800
Subject: [PATCH 06/10] ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end
Fix CVE-2020-29443
During data transfer via packet command in 'ide_atapi_cmd_reply_end'
's->io_buffer_index' could exceed the 's->io_buffer' length, leading
to OOB access issue. Add check to avoid it.
...
#9 ahci_pio_transfer ../hw/ide/ahci.c:1383
#10 ide_transfer_start_norecurse ../hw/ide/core.c:553
#11 ide_atapi_cmd_reply_end ../hw/ide/atapi.c:284
#12 ide_atapi_cmd_read_pio ../hw/ide/atapi.c:329
#13 ide_atapi_cmd_read ../hw/ide/atapi.c:442
#14 cmd_read ../hw/ide/atapi.c:988
#15 ide_atapi_cmd ../hw/ide/atapi.c:1352
#16 ide_transfer_start ../hw/ide/core.c:561
#17 cmd_packet ../hw/ide/core.c:1729
#18 ide_exec_cmd ../hw/ide/core.c:2107
#19 handle_reg_h2d_fis ../hw/ide/ahci.c:1267
#20 handle_cmd ../hw/ide/ahci.c:1318
#21 check_cmd ../hw/ide/ahci.c:592
#22 ahci_port_write ../hw/ide/ahci.c:373
#23 ahci_mem_write ../hw/ide/ahci.c:513
Reported-by: Wenxiang Qian
Signed-off-by: Prasad J Pandit
Signed-off-by: Jiajie Li
---
 ...io_buffer_index-in-ide_atapi_cmd_rep.patch | 52 +++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 ide-atapi-check-io_buffer_index-in-ide_atapi_cmd_rep.patch
diff --git a/ide-atapi-check-io_buffer_index-in-ide_atapi_cmd_rep.patch b/ide-atapi-check-io_buffer_index-in-ide_atapi_cmd_rep.patch
new file mode 100644
index 0000000..da58bb9
--- /dev/null
+++ b/ide-atapi-check-io_buffer_index-in-ide_atapi_cmd_rep.patch
@@ -0,0 +1,52 @@
+From 5209fbd340efe3fa7f8ea82f671db2fa04dda19b Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Tue, 23 Feb 2021 15:20:03 +0800
+Subject: [PATCH] ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end
+
+Fix CVE-2020-29443
+
+During data transfer via packet command in 'ide_atapi_cmd_reply_end'
+'s->io_buffer_index' could exceed the 's->io_buffer' length, leading
+to OOB access issue. Add check to avoid it.
+ ...
+ #9 ahci_pio_transfer ../hw/ide/ahci.c:1383
+ #10 ide_transfer_start_norecurse ../hw/ide/core.c:553
+ #11 ide_atapi_cmd_reply_end ../hw/ide/atapi.c:284
+ #12 ide_atapi_cmd_read_pio ../hw/ide/atapi.c:329
+ #13 ide_atapi_cmd_read ../hw/ide/atapi.c:442
+ #14 cmd_read ../hw/ide/atapi.c:988
+ #15 ide_atapi_cmd ../hw/ide/atapi.c:1352
+ #16 ide_transfer_start ../hw/ide/core.c:561
+ #17 cmd_packet ../hw/ide/core.c:1729
+ #18 ide_exec_cmd ../hw/ide/core.c:2107
+ #19 handle_reg_h2d_fis ../hw/ide/ahci.c:1267
+ #20 handle_cmd ../hw/ide/ahci.c:1318
+ #21 check_cmd ../hw/ide/ahci.c:592
+ #22 ahci_port_write ../hw/ide/ahci.c:373
+ #23 ahci_mem_write ../hw/ide/ahci.c:513
+
+Reported-by: Wenxiang Qian
+Signed-off-by: Prasad J Pandit
+
+Signed-off-by: Jiajie Li
+---
+ hw/ide/atapi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
+index 1b0f66cc08..fc9dc87f03 100644
+--- a/hw/ide/atapi.c
++++ b/hw/ide/atapi.c
+@@ -300,6 +300,9 @@ void ide_atapi_cmd_reply_end(IDEState *s)
+ s->packet_transfer_size -= size;
+ s->elementary_transfer_size -= size;
+ s->io_buffer_index += size;
++ if (s->io_buffer_index > s->io_buffer_total_len) {
++ return;
++ }
+
+ /* Some adapters process PIO data right away. In that case, we need
+ * to avoid mutual recursion between ide_transfer_start
+--
+2.27.0
+
--
Gitee
From 4d38bf401601af310b33a2e2891bb1e4620bd413 Mon Sep 17 00:00:00 2001
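Review bot: The added bound check returns silently after `s->packet_transfer_size`, `s->elementary_transfer_size` and `s->io_buffer_index` have already been updated, so a guest that reaches it sees the packet command stall with no error status and the device is left mid-transfer; consider reporting through the existing ATAPI error path, or at minimum `qemu_log_mask(LOG_GUEST_ERROR, ...)`, instead of a bare `return;`. The check also has no comment saying what it guards; `/* guest-controlled sizes must not move io_buffer_index past the end of io_buffer */` above the `if` would do. `ide_atapi_cmd_reply_end` begins and ends outside the hunk, so whether any caller can cope with this early return is not visible here.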
From: Euler Robot
Date: Fri, 26 Feb 2021 16:27:53 +0800
Subject: [PATCH 07/10] spec: Update patch and changelog with !77
ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end
Signed-off-by: Alex Chen
---
 qemu.spec | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/qemu.spec b/qemu.spec
index ab57e10..7b5a09f 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -309,6 +309,7 @@ Patch0296: configure-Enable-test-and-libs-for-zstd.patch
 Patch0297: ati-use-vga_read_byte-in-ati_cursor_define.patch
 Patch0298: sd-sdhci-assert-data_count-is-within-fifo_buffer.patch
 Patch0299: msix-add-valid.accepts-methods-to-check-address.patch
+Patch0300: ide-atapi-check-io_buffer_index-in-ide_atapi_cmd_rep.patch

 BuildRequires: flex
 BuildRequires: bison
@@ -690,6 +691,9 @@ getent passwd qemu >/dev/null || \
 %endif

 %changelog
+* Fri Feb 26 2021 Huawei Technologies Co., Ltd
+- ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end
+
 * Fri Feb 19 2021 Huawei Technologies Co., Ltd
 - ati: use vga_read_byte in ati_cursor_define
 - sd: sdhci: assert data_count is within fifo_buffer
--
Gitee
From c5f9057e9e61ebc5722af568750035c917faf090 Mon Sep 17 00:00:00 2001
From: "Huawei Technologies Co., Ltd"
Date: Thu, 25 Feb 2021 18:03:57 +0800
Subject: [PATCH 08/10] block-backend: Stop retrying when draining
Retrying failed requests when draining would make the draining hung. So it
is better not to trigger the retry timer when draining. And after the
virtual devices go back to work, they would retry those queued requests.
Signed-off-by: Jiahui Cen
Signed-off-by: Ying Fang
---
 ...-backend-Stop-retrying-when-draining.patch | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 block-backend-Stop-retrying-when-draining.patch
diff --git a/block-backend-Stop-retrying-when-draining.patch b/block-backend-Stop-retrying-when-draining.patch
new file mode 100644
index 0000000..13f3ad6
--- /dev/null
+++ b/block-backend-Stop-retrying-when-draining.patch
@@ -0,0 +1,37 @@
+From da64af4b1e92c345296d937e66136f86027d1ca2 Mon Sep 17 00:00:00 2001
+From: Jiahui Cen
+Date: Thu, 25 Feb 2021 18:03:57 +0800
+Subject: [PATCH] block-backend: Stop retrying when draining
+
+Retrying failed requests when draining would make the draining hung. So it
+is better not to trigger the retry timer when draining. And after the
+virtual devices go back to work, they would retry those queued requests.
+
+Signed-off-by: Jiahui Cen
+Signed-off-by: Ying Fang
+---
+ block/block-backend.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/block/block-backend.c b/block/block-backend.c
+index 2d812e2254..f6c918f1d9 100644
+--- a/block/block-backend.c
++++ b/block/block-backend.c
+@@ -1741,9 +1741,11 @@ void blk_error_action(BlockBackend *blk, BlockErrorAction action,
+ send_qmp_error_event(blk, action, is_read, error);
+ qemu_system_vmstop_request(RUN_STATE_IO_ERROR);
+ } else if (action == BLOCK_ERROR_ACTION_RETRY) {
+- timer_mod(blk->retry_timer, qemu_clock_get_ms(QEMU_CLOCK_REALTIME) +
+- blk->retry_interval);
+- send_qmp_error_event(blk, action, is_read, error);
++ if (!blk->quiesce_counter) {
++ timer_mod(blk->retry_timer, qemu_clock_get_ms(QEMU_CLOCK_REALTIME) +
++ blk->retry_interval);
++ send_qmp_error_event(blk, action, is_read, error);
++ }
+ } else {
+ send_qmp_error_event(blk, action, is_read, error);
+ }
+--
+2.27.0
+
--
Gitee
From 78c54ee10eea90b730415f86e682284cf1aaacae Mon Sep 17 00:00:00 2001
From: Euler Robot
Date: Fri, 26 Feb 2021 16:27:55 +0800
Subject: [PATCH 09/10] spec: Update patch and changelog with !78
block-backend: Stop retrying when draining
Signed-off-by: Alex Chen
---
 qemu.spec | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/qemu.spec b/qemu.spec
index 7b5a09f..467fd8d 100644
--- a/qemu.spec
+++ b/qemu.spec
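Review bot: Guarding with `if (!blk->quiesce_counter)` suppresses not only the retry timer but also `send_qmp_error_event()`, so an I/O error that happens while the backend is drained is never reported to management; the event is independent of scheduling the retry and can stay outside the guard — keep `send_qmp_error_event(blk, action, is_read, error);` after the new `if` block, or state in a comment that reporting is deliberately deferred. The change also relies on code outside this hunk re-arming `retry_timer` once the quiesce ends, which the commit message asserts but the code does not show; a comment such as `/* drained: the retry timer is re-armed when the drain section ends */` naming that path would make the contract explicit. `blk_error_action` continues outside the hunk.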
@@ -310,6 +310,7 @@ Patch0297: ati-use-vga_read_byte-in-ati_cursor_define.patch
 Patch0298: sd-sdhci-assert-data_count-is-within-fifo_buffer.patch
 Patch0299: msix-add-valid.accepts-methods-to-check-address.patch
 Patch0300: ide-atapi-check-io_buffer_index-in-ide_atapi_cmd_rep.patch
+Patch0301: block-backend-Stop-retrying-when-draining.patch

 BuildRequires: flex
 BuildRequires: bison
@@ -691,6 +692,9 @@ getent passwd qemu >/dev/null || \
 %endif

 %changelog
+* Fri Feb 26 2021 Huawei Technologies Co., Ltd
+- block-backend: Stop retrying when draining
+
 * Fri Feb 26 2021 Huawei Technologies Co., Ltd
 - ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end
--
Gitee
From b1c51b8dec206e3601e1ef03390529ba420bd3dd Mon Sep 17 00:00:00 2001
From: Euler Robot
Date: Wed, 3 Mar 2021 14:39:17 +0800
Subject: [PATCH 10/10] spec: Update release version with !77 !78
increase release verison by one
Signed-off-by: Euler Robot
---
 qemu.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/qemu.spec b/qemu.spec
index 467fd8d..6f7afbe 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 47
+Release: 48
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
--
Gitee