diff --git a/hw-pci-host-add-pci-intack-write-method.patch b/hw-pci-host-add-pci-intack-write-method.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bb09d022bb7b23fae8cc34e7c7feae65c6e5bc3e
--- /dev/null
+++ b/hw-pci-host-add-pci-intack-write-method.patch
@@ -0,0 +1,50 @@
+From 80214941ed6ce24983d8f161a7c9532678acc6f1 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Thu, 25 Mar 2021 17:03:57 +0800
+Subject: [PATCH] hw/pci-host: add pci-intack write method
+
+fix CVE-2020-15469
+
+Add pci-intack mmio write method to avoid NULL pointer dereference
+issue.
+
+Reported-by: Lei Sun
+Reviewed-by: Li Qiang
+Signed-off-by: Prasad J Pandit
+
+Signed-off-by: Jiajie Li
+---
+ hw/pci-host/prep.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hw/pci-host/prep.c b/hw/pci-host/prep.c
+index c564f234af..f03c81f651 100644
+--- a/hw/pci-host/prep.c
++++ b/hw/pci-host/prep.c
+@@ -26,6 +26,7 @@
+ #include "qemu/osdep.h"
+ #include "qemu-common.h"
+ #include "qemu/units.h"
++#include "qemu/log.h"
+ #include "qapi/error.h"
+ #include "hw/hw.h"
+ #include "hw/pci/pci.h"
+@@ -117,8 +118,15 @@ static uint64_t raven_intack_read(void *opaque, hwaddr addr,
+ return pic_read_irq(isa_pic);
+ }
+
++static void raven_intack_write(void *opaque, hwaddr addr,
++ uint64_t data, unsigned size)
++{
++ qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__);
++}
++
+ static const MemoryRegionOps raven_intack_ops = {
+ .read = raven_intack_read,
++ .write = raven_intack_write,
+ .valid = {
+ .max_access_size = 1,
+ },
+--
+2.27.0
+
diff --git a/imx7-ccm-add-digprog-mmio-write-method.patch b/imx7-ccm-add-digprog-mmio-write-method.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b68bf028b9b3e9bc2fe2d1838f6d3cf64dce7866
--- /dev/null
+++ b/imx7-ccm-add-digprog-mmio-write-method.patch
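Review bot: raven_intack_write has no comment saying why a handler that does nothing exists, so a later cleanup could remove it and bring back the NULL `.write` callback that this patch closes. A one-line comment above the function would cover it, for example `/* Guest writes are ignored; the handler exists so .write is never NULL (CVE-2020-15469). */`. The same applies to the other stubs added in this commit: imx7_digprog_write, designware_pcie_root_msi_read, ppc_parity_error_writel and vfio_ati_3c3_quirk_write. The unused parameters are expected, since the signature is fixed by MemoryRegionOps.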
@@ -0,0 +1,41 @@
+From 5979338f8fb4562f7af32c58b7e7542d7396954e Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Thu, 25 Mar 2021 17:29:28 +0800
+Subject: [PATCH] imx7-ccm: add digprog mmio write method
+
+fix CVE-2020-15469
+
+Add digprog mmio write method to avoid assert failure during
+initialisation.
+
+Reviewed-by: Li Qiang
+Signed-off-by: Prasad J Pandit
+
+Signed-off-by: Jiajie Li
+---
+ hw/misc/imx7_ccm.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/hw/misc/imx7_ccm.c b/hw/misc/imx7_ccm.c
+index d9bdcf1027..831311a7c8 100644
+--- a/hw/misc/imx7_ccm.c
++++ b/hw/misc/imx7_ccm.c
+@@ -130,8 +130,15 @@ static const struct MemoryRegionOps imx7_set_clr_tog_ops = {
+ },
+ };
+
++static void imx7_digprog_write(void *opaque, hwaddr addr,
++ uint64_t data, unsigned size)
++{
++ qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__);
++}
++
+ static const struct MemoryRegionOps imx7_digprog_ops = {
+ .read = imx7_set_clr_tog_read,
++ .write = imx7_digprog_write,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .impl = {
+ .min_access_size = 4,
+--
+2.27.0
+
diff --git a/nvram-add-nrf51_soc-flash-read-method.patch b/nvram-add-nrf51_soc-flash-read-method.patch
new file mode 100644
index 0000000000000000000000000000000000000000..915bbf8a1e6eecaa0974f14db93847cedded7d85
--- /dev/null
+++ b/nvram-add-nrf51_soc-flash-read-method.patch
@@ -0,0 +1,44 @@
+From 6f88633406e546eb6a01786b910a2ab12373abf8 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Thu, 25 Mar 2021 17:19:15 +0800
+Subject: [PATCH] nvram: add nrf51_soc flash read method
+
+fix CVE-2020-15469
+
+Add nrf51_soc mmio read method to avoid NULL pointer dereference
+issue.
+
+Reported-by: Lei Sun
+Signed-off-by: Prasad J Pandit
+
+Signed-off-by: Jiajie Li
+---
+ hw/nvram/nrf51_nvm.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/nvram/nrf51_nvm.c b/hw/nvram/nrf51_nvm.c
+index eca0cb35b5..7b2b1351f4 100644
+--- a/hw/nvram/nrf51_nvm.c
++++ b/hw/nvram/nrf51_nvm.c
+@@ -271,6 +271,10 @@ static const MemoryRegionOps io_ops = {
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+
++static uint64_t flash_read(void *opaque, hwaddr offset, unsigned size)
++{
++ g_assert_not_reached();
++}
+
+ static void flash_write(void *opaque, hwaddr offset, uint64_t value,
+ unsigned int size)
+@@ -298,6 +302,7 @@ static void flash_write(void *opaque, hwaddr offset, uint64_t value,
+
+
+ static const MemoryRegionOps flash_ops = {
++ .read = flash_read,
+ .write = flash_write,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 4,
+--
+2.27.0
+
diff --git a/pci-host-add-pcie-msi-read-method.patch b/pci-host-add-pcie-msi-read-method.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7433fb0c3ce55f68593f3d612663c4db3a9960cd
--- /dev/null
+++ b/pci-host-add-pcie-msi-read-method.patch
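Review bot: flash_read aborts the emulator through `g_assert_not_reached()`, so if a guest access can ever be dispatched to this callback, the NULL dereference named in the patch description is only traded for an assertion failure, which is still a guest-triggered crash. Nothing in the hunk shows why reads cannot arrive here. If the flash region is always read directly from its backing memory, say so in a comment above the function, for example `/* Reads never reach this callback: the region stays in ROMD mode and is read from RAM. */`, after confirming it against the region setup, which is outside the hunk. If that cannot be guaranteed, log and return a fixed value instead, `qemu_log_mask(LOG_GUEST_ERROR, "%s: unexpected read\n", __func__); return 0;`, which needs `qemu/log.h` to be included in this file.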
@@ -0,0 +1,56 @@
+From dd86dc83fcccc0d1773bd93c509e3a03e7ef9b38 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Thu, 25 Mar 2021 17:08:24 +0800
+Subject: [PATCH] pci-host: add pcie-msi read method
+
+fix CVE-2020-15469
+
+Add pcie-msi mmio read method to avoid NULL pointer dereference
+issue.
+
+Reported-by: Lei Sun
+Reviewed-by: Li Qiang
+Signed-off-by: Prasad J Pandit
+
+Signed-off-by: Jiajie Li
+---
+ hw/pci-host/designware.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/hw/pci-host/designware.c b/hw/pci-host/designware.c
+index 9ae8c0deb7..23e3de3cad 100644
+--- a/hw/pci-host/designware.c
++++ b/hw/pci-host/designware.c
+@@ -21,6 +21,7 @@
+ #include "qemu/osdep.h"
+ #include "qapi/error.h"
+ #include "qemu/module.h"
++#include "qemu/log.h"
+ #include "hw/pci/msi.h"
+ #include "hw/pci/pci_bridge.h"
+ #include "hw/pci/pci_host.h"
+@@ -60,6 +61,13 @@ designware_pcie_root_to_host(DesignwarePCIERoot *root)
+ return DESIGNWARE_PCIE_HOST(bus->parent);
+ }
+
++static uint64_t designware_pcie_root_msi_read(void *opaque, hwaddr addr,
++ unsigned size)
++{
++ qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__);
++ return 0;
++}
++
+ static void designware_pcie_root_msi_write(void *opaque, hwaddr addr,
+ uint64_t val, unsigned len)
+ {
+@@ -74,6 +82,7 @@ static void designware_pcie_root_msi_write(void *opaque, hwaddr addr,
+ }
+
+ static const MemoryRegionOps designware_pci_host_msi_ops = {
++ .read = designware_pcie_root_msi_read,
+ .write = designware_pcie_root_msi_write,
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ .valid = {
+--
+2.27.0
+
diff --git a/prep-add-ppc-parity-write-method.patch b/prep-add-ppc-parity-write-method.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fbc3dcc8cf024a5f26ce66f73ff653b5c74837dd
--- /dev/null
+++ b/prep-add-ppc-parity-write-method.patch
@@ -0,0 +1,50 @@
+From f4eed258b1b8b434927fbc9a18bbcb52d3f55ce6 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Thu, 25 Mar 2021 17:16:14 +0800
+Subject: [PATCH] prep: add ppc-parity write method
+
+fix CVE-2020-15469
+
+Add ppc-parity mmio write method to avoid NULL pointer dereference
+issue.
+
+Reported-by: Lei Sun
+Acked-by: David Gibson
+Signed-off-by: Prasad J Pandit
+
+Signed-off-by: Jiajie Li
+---
+ hw/ppc/prep_systemio.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hw/ppc/prep_systemio.c b/hw/ppc/prep_systemio.c
+index df7603b986..67244ed48c 100644
+--- a/hw/ppc/prep_systemio.c
++++ b/hw/ppc/prep_systemio.c
+@@ -23,6 +23,7 @@
+ */
+
+ #include "qemu/osdep.h"
++#include "qemu/log.h"
+ #include "hw/isa/isa.h"
+ #include "exec/address-spaces.h"
+ #include "qemu/error-report.h" /* for error_report() */
+@@ -232,8 +233,15 @@ static uint64_t ppc_parity_error_readl(void *opaque, hwaddr addr,
+ return val;
+ }
+
++static void ppc_parity_error_writel(void *opaque, hwaddr addr,
++ uint64_t data, unsigned size)
++{
++ qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid write access\n", __func__);
++}
++
+ static const MemoryRegionOps ppc_parity_error_ops = {
+ .read = ppc_parity_error_readl,
++ .write = ppc_parity_error_writel,
+ .valid = {
+ .min_access_size = 4,
+ .max_access_size = 4,
+--
+2.27.0
+
diff --git a/qemu.spec b/qemu.spec
index 61d3a32aa908d1ffc2ad0e37c66203f1ee796507..631f1a24aaf7aabf3aeadb640670a432024d5b59 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 53
+Release: 54
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@@ -316,6 +316,14 @@ Patch0303: migration-tls-fix-inverted-semantics-in-multifd_chan.patch Patch0304: migration-tls-add-error-handling-in-multifd_tls_hand.patch Patch0305: net-vmxnet3-validate-configuration-values-during-act.patch Patch0306: block-Add-sanity-check-when-setting-retry-parameters.patch +Patch0307: hw-pci-host-add-pci-intack-write-method.patch +Patch0308: pci-host-add-pcie-msi-read-method.patch +Patch0309: vfio-add-quirk-device-write-method.patch +Patch0310: prep-add-ppc-parity-write-method.patch +Patch0311: nvram-add-nrf51_soc-flash-read-method.patch +Patch0312: spapr_pci-add-spapr-msi-read-method.patch +Patch0313: tz-ppc-add-dummy-read-write-methods.patch +Patch0314: imx7-ccm-add-digprog-mmio-write-method.patch BuildRequires: flex BuildRequires: bison @@ -705,6 +713,16 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Fri Mar 26 2021 Chen Qun +- hw/pci-host: add pci-intack write method +- pci-host: add pcie-msi read method +- vfio: add quirk device write method +- prep: add ppc-parity write method +- nvram: add nrf51_soc flash read method +- spapr_pci: add spapr msi read method +- tz-ppc: add dummy read/write methods +- imx7-ccm: add digprog mmio write method + * Thu Mar 18 2021 Chen Qun - block: Add sanity check when setting retry parameters diff --git a/spapr_pci-add-spapr-msi-read-method.patch b/spapr_pci-add-spapr-msi-read-method.patch new file mode 100644 index 0000000000000000000000000000000000000000..2cc4994f09171252daf5a435832480151c458f4b --- /dev/null +++ b/spapr_pci-add-spapr-msi-read-method.patch 
@@ -0,0 +1,61 @@
+From cbbcd56e090a59d0eaa4e35ed0efb24d6dd1003e Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Thu, 25 Mar 2021 17:23:24 +0800
+Subject: [PATCH] spapr_pci: add spapr msi read method
+
+fix CVE-2020-15469
+
+Add spapr msi mmio read method to avoid NULL pointer dereference
+issue.
+
+Reported-by: Lei Sun
+Acked-by: David Gibson
+Reviewed-by: Li Qiang
+Signed-off-by: Prasad J Pandit
+
+Signed-off-by: Jiajie Li
+---
+ hw/ppc/spapr_pci.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/hw/ppc/spapr_pci.c b/hw/ppc/spapr_pci.c
+index 9003fe9010..1571e049ab 100644
+--- a/hw/ppc/spapr_pci.c
++++ b/hw/ppc/spapr_pci.c
+@@ -50,6 +50,7 @@
+ #include "sysemu/kvm.h"
+ #include "sysemu/hostmem.h"
+ #include "sysemu/numa.h"
++#include "qemu/log.h"
+
+ /* Copied from the kernel arch/powerpc/platforms/pseries/msi.c */
+ #define RTAS_QUERY_FN 0
+@@ -743,6 +744,12 @@ static PCIINTxRoute spapr_route_intx_pin_to_irq(void *opaque, int pin)
+ return route;
+ }
+
++static uint64_t spapr_msi_read(void *opaque, hwaddr addr, unsigned size)
++{
++ qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__);
++ return 0;
++}
++
+ /*
+ * MSI/MSIX memory region implementation.
+ * The handler handles both MSI and MSIX.
+@@ -760,8 +767,10 @@ static void spapr_msi_write(void *opaque, hwaddr addr,
+ }
+
+ static const MemoryRegionOps spapr_msi_ops = {
+- /* There is no .read as the read result is undefined by PCI spec */
+- .read = NULL,
++ /* .read result is undefined by PCI spec
++ * define .read method to avoid assert failure in memory_region_init_io
++ */
++ .read = spapr_msi_read,
+ .write = spapr_msi_write,
+ .endianness = DEVICE_LITTLE_ENDIAN
+ };
+--
+2.27.0
+
diff --git a/tz-ppc-add-dummy-read-write-methods.patch b/tz-ppc-add-dummy-read-write-methods.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ee8fa6b096bf8e359cb326c581d0a72733c8c1c4
--- /dev/null
+++ b/tz-ppc-add-dummy-read-write-methods.patch
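Review bot: The new comment in spapr_msi_ops justifies the stub by an "assert failure in memory_region_init_io", while the patch description gives a NULL pointer dereference as the reason, and no such assert is visible in this series. A reader cannot tell from this which hazard the stub guards against on this tree. Word the comment after what the code does, for example `/* Read result is undefined by the PCI spec; spapr_msi_read returns 0 so .read is never NULL. */`.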
@@ -0,0 +1,45 @@
+From 52d1c1a258aef2b8ace50bb202ee7338ed0060f0 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Thu, 25 Mar 2021 17:27:07 +0800
+Subject: [PATCH] tz-ppc: add dummy read/write methods
+
+fix CVE-2020-15469
+
+Add tz-ppc-dummy mmio read/write methods to avoid assert failure
+during initialisation.
+
+Signed-off-by: Prasad J Pandit
+
+Signed-off-by: Jiajie Li
+---
+ hw/misc/tz-ppc.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/hw/misc/tz-ppc.c b/hw/misc/tz-ppc.c
+index 2a14a26f29..5b7b883866 100644
+--- a/hw/misc/tz-ppc.c
++++ b/hw/misc/tz-ppc.c
+@@ -193,7 +193,20 @@ static bool tz_ppc_dummy_accepts(void *opaque, hwaddr addr,
+ g_assert_not_reached();
+ }
+
++static uint64_t tz_ppc_dummy_read(void *opaque, hwaddr addr, unsigned size)
++{
++ g_assert_not_reached();
++}
++
++static void tz_ppc_dummy_write(void *opaque, hwaddr addr,
++ uint64_t data, unsigned size)
++{
++ g_assert_not_reached();
++}
++
+ static const MemoryRegionOps tz_ppc_dummy_ops = {
++ .read = tz_ppc_dummy_read,
++ .write = tz_ppc_dummy_write,
+ .valid.accepts = tz_ppc_dummy_accepts,
+ };
+
+--
+2.27.0
+
diff --git a/vfio-add-quirk-device-write-method.patch b/vfio-add-quirk-device-write-method.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d7e2c99dc212605291627dac4dee0512e1b34f86
--- /dev/null
+++ b/vfio-add-quirk-device-write-method.patch
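Review bot: tz_ppc_dummy_read and tz_ppc_dummy_write abort through `g_assert_not_reached()` with no comment saying why they can never run. From the visible lines they appear unreachable only because `.valid.accepts` points at tz_ppc_dummy_accepts, which itself asserts before an access would be dispatched. That dependency deserves a comment above the two functions, for example `/* Never called: tz_ppc_dummy_accepts() asserts first; present so the ops table has no NULL callbacks. */`. The body of tz_ppc_dummy_accepts starts outside the hunk, so whether a guest access can reach that assert cannot be checked here.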
@@ -0,0 +1,40 @@
+From 95ee5273e25ed606aa86f8a154c06887efc20494 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Thu, 25 Mar 2021 17:12:57 +0800
+Subject: [PATCH] vfio: add quirk device write method
+
+---
+ hw/vfio/pci-quirks.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hw/vfio/pci-quirks.c b/hw/vfio/pci-quirks.c
+index b35a640030..9ce790bdd2 100644
+--- a/hw/vfio/pci-quirks.c
++++ b/hw/vfio/pci-quirks.c
+@@ -12,6 +12,7 @@
+
+ #include "qemu/osdep.h"
+ #include "qemu/units.h"
++#include "qemu/log.h"
+ #include "qemu/error-report.h"
+ #include "qemu/main-loop.h"
+ #include "qemu/module.h"
+@@ -275,8 +276,15 @@ static uint64_t vfio_ati_3c3_quirk_read(void *opaque,
+ return data;
+ }
+
++static void vfio_ati_3c3_quirk_write(void *opaque, hwaddr addr,
++ uint64_t data, unsigned size)
++{
++ qemu_log_mask(LOG_GUEST_ERROR, "%s not implemented\n", __func__);
++}
++
+ static const MemoryRegionOps vfio_ati_3c3_quirk = {
+ .read = vfio_ati_3c3_quirk_read,
++ .write = vfio_ati_3c3_quirk_write,
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+
+--
+2.27.0
+
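Review bot: vfio_ati_3c3_quirk_write logs under `LOG_GUEST_ERROR` but with the text "not implemented", which the other stubs in this commit pair with `LOG_UNIMP`. Pick one meaning: if a guest write to this quirk is invalid, use a message such as `"%s: invalid write access\n"`, as ppc_parity_error_writel does; if the write is merely unmodelled, switch the mask to `LOG_UNIMP`. This patch file also lacks the description, CVE reference and sign-off lines that the other seven patches carry, which makes the fix harder to trace in a later audit.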