diff --git a/hw-pci-host-add-pci-intack-write-method.patch b/hw-pci-host-add-pci-intack-write-method.patch new file mode 100644 index 0000000000000000000000000000000000000000..7aa079133005fc5428099bb87bdbb2d6622d7a8f --- /dev/null +++ b/hw-pci-host-add-pci-intack-write-method.patch @@ -0,0 +1,50 @@ +From 50402aa839e366f6365d9da5a46f3261f54dbd06 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 25 Mar 2021 17:03:57 +0800 +Subject: [PATCH] hw/pci-host: add pci-intack write method + +fix CVE-2020-15469 + +Add pci-intack mmio write method to avoid NULL pointer dereference +issue. + +Reported-by: Lei Sun +Reviewed-by: Li Qiang +Signed-off-by: Prasad J Pandit + +Signed-off-by: Jiajie Li +--- + hw/pci-host/prep.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/pci-host/prep.c b/hw/pci-host/prep.c +index c564f234af..f03c81f651 100644 +--- a/hw/pci-host/prep.c ++++ b/hw/pci-host/prep.c +@@ -26,6 +26,7 @@ + #include "qemu/osdep.h" + #include "qemu-common.h" + #include "qemu/units.h" ++#include "qemu/log.h" + #include "qapi/error.h" + #include "hw/hw.h" + #include "hw/pci/pci.h" +@@ -117,8 +118,15 @@ static uint64_t raven_intack_read(void *opaque, hwaddr addr, + return pic_read_irq(isa_pic); + } + ++static void raven_intack_write(void *opaque, hwaddr addr, ++ uint64_t data, unsigned size) ++{ ++ qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__); ++} ++ + static const MemoryRegionOps raven_intack_ops = { + .read = raven_intack_read, ++ .write = raven_intack_write, + .valid = { + .max_access_size = 1, + }, +-- +2.27.0 + diff --git a/imx7-ccm-add-digprog-mmio-write-method.patch b/imx7-ccm-add-digprog-mmio-write-method.patch new file mode 100644 index 0000000000000000000000000000000000000000..f145d3246d96d24955ee4d85630c01af13f47e1c --- /dev/null +++ b/imx7-ccm-add-digprog-mmio-write-method.patch @@ -0,0 +1,41 @@ +From b1fdcea193cd962d107da770c3344409c3c88e82 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 25 Mar 2021 17:29:28 +0800 +Subject: [PATCH] imx7-ccm: add digprog mmio write method + +fix CVE-2020-15469 + +Add digprog mmio write method to avoid assert failure during +initialisation. + +Reviewed-by: Li Qiang +Signed-off-by: Prasad J Pandit + +Signed-off-by: Jiajie Li +--- + hw/misc/imx7_ccm.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/hw/misc/imx7_ccm.c b/hw/misc/imx7_ccm.c +index d9bdcf1027..831311a7c8 100644 +--- a/hw/misc/imx7_ccm.c ++++ b/hw/misc/imx7_ccm.c +@@ -130,8 +130,15 @@ static const struct MemoryRegionOps imx7_set_clr_tog_ops = { + }, + }; + ++static void imx7_digprog_write(void *opaque, hwaddr addr, ++ uint64_t data, unsigned size) ++{ ++ qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__); ++} ++ + static const struct MemoryRegionOps imx7_digprog_ops = { + .read = imx7_set_clr_tog_read, ++ .write = imx7_digprog_write, + .endianness = DEVICE_NATIVE_ENDIAN, + .impl = { + .min_access_size = 4, +-- +2.27.0 + diff --git a/nvram-add-nrf51_soc-flash-read-method.patch b/nvram-add-nrf51_soc-flash-read-method.patch new file mode 100644 index 0000000000000000000000000000000000000000..6f0bd2197eb774b84941c6ffd529b0600065ff76 --- /dev/null +++ b/nvram-add-nrf51_soc-flash-read-method.patch @@ -0,0 +1,44 @@ +From 0f754e16372feda4996054c6986b496e244d9bed Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 25 Mar 2021 17:19:15 +0800 +Subject: [PATCH] nvram: add nrf51_soc flash read method + +fix CVE-2020-15469 + +Add nrf51_soc mmio read method to avoid NULL pointer dereference +issue. + +Reported-by: Lei Sun +Signed-off-by: Prasad J Pandit + +Signed-off-by: Jiajie Li +--- + hw/nvram/nrf51_nvm.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/hw/nvram/nrf51_nvm.c b/hw/nvram/nrf51_nvm.c +index eca0cb35b5..7b2b1351f4 100644 +--- a/hw/nvram/nrf51_nvm.c ++++ b/hw/nvram/nrf51_nvm.c +@@ -271,6 +271,10 @@ static const MemoryRegionOps io_ops = { + .endianness = DEVICE_LITTLE_ENDIAN, + }; + ++static uint64_t flash_read(void *opaque, hwaddr offset, unsigned size) ++{ ++ g_assert_not_reached(); ++} + + static void flash_write(void *opaque, hwaddr offset, uint64_t value, + unsigned int size) +@@ -298,6 +302,7 @@ static void flash_write(void *opaque, hwaddr offset, uint64_t value, + + + static const MemoryRegionOps flash_ops = { ++ .read = flash_read, + .write = flash_write, + .valid.min_access_size = 4, + .valid.max_access_size = 4, +-- +2.27.0 + diff --git a/pci-host-add-pcie-msi-read-method.patch b/pci-host-add-pcie-msi-read-method.patch new file mode 100644 index 0000000000000000000000000000000000000000..349d9dbb5e020df77d077727892239f62f672a23 --- /dev/null +++ b/pci-host-add-pcie-msi-read-method.patch @@ -0,0 +1,56 @@ +From 0e7715733eff67efae448d15c7bd995b316c71ec Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 25 Mar 2021 17:08:24 +0800 +Subject: [PATCH] pci-host: add pcie-msi read method + +fix CVE-2020-15469 + +Add pcie-msi mmio read method to avoid NULL pointer dereference +issue. + +Reported-by: Lei Sun +Reviewed-by: Li Qiang +Signed-off-by: Prasad J Pandit + +Signed-off-by: Jiajie Li +--- + hw/pci-host/designware.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/hw/pci-host/designware.c b/hw/pci-host/designware.c +index 9ae8c0deb7..23e3de3cad 100644 +--- a/hw/pci-host/designware.c ++++ b/hw/pci-host/designware.c +@@ -21,6 +21,7 @@ + #include "qemu/osdep.h" + #include "qapi/error.h" + #include "qemu/module.h" ++#include "qemu/log.h" + #include "hw/pci/msi.h" + #include "hw/pci/pci_bridge.h" + #include "hw/pci/pci_host.h" +@@ -60,6 +61,13 @@ designware_pcie_root_to_host(DesignwarePCIERoot *root) + return DESIGNWARE_PCIE_HOST(bus->parent); + } + ++static uint64_t designware_pcie_root_msi_read(void *opaque, hwaddr addr, ++ unsigned size) ++{ ++ qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__); ++ return 0; ++} ++ + static void designware_pcie_root_msi_write(void *opaque, hwaddr addr, + uint64_t val, unsigned len) + { +@@ -74,6 +82,7 @@ static void designware_pcie_root_msi_write(void *opaque, hwaddr addr, + } + + static const MemoryRegionOps designware_pci_host_msi_ops = { ++ .read = designware_pcie_root_msi_read, + .write = designware_pcie_root_msi_write, + .endianness = DEVICE_LITTLE_ENDIAN, + .valid = { +-- +2.27.0 + diff --git a/prep-add-ppc-parity-write-method.patch b/prep-add-ppc-parity-write-method.patch new file mode 100644 index 0000000000000000000000000000000000000000..aff8dc80e83526817cc298cf6969493c76f1201d --- /dev/null +++ b/prep-add-ppc-parity-write-method.patch @@ -0,0 +1,50 @@ +From aedfad7d11fd23087bc5da6480b5a8b1ad0319a7 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 25 Mar 2021 17:16:14 +0800 +Subject: [PATCH] prep: add ppc-parity write method + +fix CVE-2020-15469 + +Add ppc-parity mmio write method to avoid NULL pointer dereference +issue. + +Reported-by: Lei Sun +Acked-by: David Gibson +Signed-off-by: Prasad J Pandit + +Signed-off-by: Jiajie Li +--- + hw/ppc/prep_systemio.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/ppc/prep_systemio.c b/hw/ppc/prep_systemio.c +index df7603b986..67244ed48c 100644 +--- a/hw/ppc/prep_systemio.c ++++ b/hw/ppc/prep_systemio.c +@@ -23,6 +23,7 @@ + */ + + #include "qemu/osdep.h" ++#include "qemu/log.h" + #include "hw/isa/isa.h" + #include "exec/address-spaces.h" + #include "qemu/error-report.h" /* for error_report() */ +@@ -232,8 +233,15 @@ static uint64_t ppc_parity_error_readl(void *opaque, hwaddr addr, + return val; + } + ++static void ppc_parity_error_writel(void *opaque, hwaddr addr, ++ uint64_t data, unsigned size) ++{ ++ qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid write access\n", __func__); ++} ++ + static const MemoryRegionOps ppc_parity_error_ops = { + .read = ppc_parity_error_readl, ++ .write = ppc_parity_error_writel, + .valid = { + .min_access_size = 4, + .max_access_size = 4, +-- +2.27.0 + diff --git a/qemu.spec b/qemu.spec index 73b59a9cddf95bdbd0ecd02dc191fdfa669bff1d..974379d65cf7958671bd1ee019599a3d4c783799 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 45 +Release: 46 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 @@ -301,6 +301,14 @@ Patch0288: rtl8139-switch-to-use-qemu_receive_packet-for-loopba.patch Patch0289: pcnet-switch-to-use-qemu_receive_packet-for-loopback.patch Patch0290: cadence_gem-switch-to-use-qemu_receive_packet-for-lo.patch Patch0291: lan9118-switch-to-use-qemu_receive_packet-for-loopba.patch +Patch0292: hw-pci-host-add-pci-intack-write-method.patch +Patch0293: pci-host-add-pcie-msi-read-method.patch +Patch0294: vfio-add-quirk-device-write-method.patch +Patch0295: prep-add-ppc-parity-write-method.patch +Patch0296: nvram-add-nrf51_soc-flash-read-method.patch +Patch0297: spapr_pci-add-spapr-msi-read-method.patch +Patch0298: tz-ppc-add-dummy-read-write-methods.patch +Patch0299: imx7-ccm-add-digprog-mmio-write-method.patch BuildRequires: flex BuildRequires: bison @@ -685,6 +693,16 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Tue Jun 01 2021 Chen Qun +- hw/pci-host: add pci-intack write method +- pci-host: add pcie-msi read method +- vfio: add quirk device write method +- prep: add ppc-parity write method +- nvram: add nrf51_soc flash read method +- spapr_pci: add spapr msi read method +- tz-ppc: add dummy read/write methods +- imx7-ccm: add digprog mmio write method + * Thu May 20 2021 Chen Qun - hw/sd: sdhci: Don't transfer any data when command time out - hw/sd: sdhci: Don't write to SDHC_SYSAD register when transfer is in progress diff --git a/spapr_pci-add-spapr-msi-read-method.patch b/spapr_pci-add-spapr-msi-read-method.patch new file mode 100644 index 0000000000000000000000000000000000000000..e187efdb6f2ea9520bfc7e92958bb65e2468c4a7 --- /dev/null +++ b/spapr_pci-add-spapr-msi-read-method.patch @@ -0,0 +1,61 @@ +From 91050bc3c22fbfe88d0cd41e2115f258d7efcc0d Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 25 Mar 2021 17:23:24 +0800 +Subject: [PATCH] spapr_pci: add spapr msi read method + +fix CVE-2020-15469 + +Add spapr msi mmio read method to avoid NULL pointer dereference +issue. + +Reported-by: Lei Sun +Acked-by: David Gibson +Reviewed-by: Li Qiang +Signed-off-by: Prasad J Pandit + +Signed-off-by: Jiajie Li +--- + hw/ppc/spapr_pci.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/hw/ppc/spapr_pci.c b/hw/ppc/spapr_pci.c +index 9003fe9010..1571e049ab 100644 +--- a/hw/ppc/spapr_pci.c ++++ b/hw/ppc/spapr_pci.c +@@ -50,6 +50,7 @@ + #include "sysemu/kvm.h" + #include "sysemu/hostmem.h" + #include "sysemu/numa.h" ++#include "qemu/log.h" + + /* Copied from the kernel arch/powerpc/platforms/pseries/msi.c */ + #define RTAS_QUERY_FN 0 +@@ -743,6 +744,12 @@ static PCIINTxRoute spapr_route_intx_pin_to_irq(void *opaque, int pin) + return route; + } + ++static uint64_t spapr_msi_read(void *opaque, hwaddr addr, unsigned size) ++{ ++ qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__); ++ return 0; ++} ++ + /* + * MSI/MSIX memory region implementation. + * The handler handles both MSI and MSIX. +@@ -760,8 +767,10 @@ static void spapr_msi_write(void *opaque, hwaddr addr, + } + + static const MemoryRegionOps spapr_msi_ops = { +- /* There is no .read as the read result is undefined by PCI spec */ +- .read = NULL, ++ /* .read result is undefined by PCI spec ++ * define .read method to avoid assert failure in memory_region_init_io ++ */ ++ .read = spapr_msi_read, + .write = spapr_msi_write, + .endianness = DEVICE_LITTLE_ENDIAN + }; +-- +2.27.0 + diff --git a/tz-ppc-add-dummy-read-write-methods.patch b/tz-ppc-add-dummy-read-write-methods.patch new file mode 100644 index 0000000000000000000000000000000000000000..c0356ab95d7c8aeb1ff0b05979b072990760e817 --- /dev/null +++ b/tz-ppc-add-dummy-read-write-methods.patch @@ -0,0 +1,45 @@ +From bbe130bf59e2640f2f5a6ab24aac7763b17c636a Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 25 Mar 2021 17:27:07 +0800 +Subject: [PATCH] tz-ppc: add dummy read/write methods + +fix CVE-2020-15469 + +Add tz-ppc-dummy mmio read/write methods to avoid assert failure +during initialisation. + +Signed-off-by: Prasad J Pandit + +Signed-off-by: Jiajie Li +--- + hw/misc/tz-ppc.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/hw/misc/tz-ppc.c b/hw/misc/tz-ppc.c +index 2a14a26f29..5b7b883866 100644 +--- a/hw/misc/tz-ppc.c ++++ b/hw/misc/tz-ppc.c +@@ -193,7 +193,20 @@ static bool tz_ppc_dummy_accepts(void *opaque, hwaddr addr, + g_assert_not_reached(); + } + ++static uint64_t tz_ppc_dummy_read(void *opaque, hwaddr addr, unsigned size) ++{ ++ g_assert_not_reached(); ++} ++ ++static void tz_ppc_dummy_write(void *opaque, hwaddr addr, ++ uint64_t data, unsigned size) ++{ ++ g_assert_not_reached(); ++} ++ + static const MemoryRegionOps tz_ppc_dummy_ops = { ++ .read = tz_ppc_dummy_read, ++ .write = tz_ppc_dummy_write, + .valid.accepts = tz_ppc_dummy_accepts, + }; + +-- +2.27.0 + diff --git a/vfio-add-quirk-device-write-method.patch b/vfio-add-quirk-device-write-method.patch new file mode 100644 index 0000000000000000000000000000000000000000..d185be1a99528414e439c0e4177695b430f23ba8 --- /dev/null +++ b/vfio-add-quirk-device-write-method.patch @@ -0,0 +1,40 @@ +From 80eaf4423763d215c589efcb96ccee7462728627 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 25 Mar 2021 17:12:57 +0800 +Subject: [PATCH] vfio: add quirk device write method + +--- + hw/vfio/pci-quirks.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/vfio/pci-quirks.c b/hw/vfio/pci-quirks.c +index b35a640030..9ce790bdd2 100644 +--- a/hw/vfio/pci-quirks.c ++++ b/hw/vfio/pci-quirks.c +@@ -12,6 +12,7 @@ + + #include "qemu/osdep.h" + #include "qemu/units.h" ++#include "qemu/log.h" + #include "qemu/error-report.h" + #include "qemu/main-loop.h" + #include "qemu/module.h" +@@ -275,8 +276,15 @@ static uint64_t vfio_ati_3c3_quirk_read(void *opaque, + return data; + } + ++static void vfio_ati_3c3_quirk_write(void *opaque, hwaddr addr, ++ uint64_t data, unsigned size) ++{ ++ qemu_log_mask(LOG_GUEST_ERROR, "%s not implemented\n", __func__); ++} ++ + static const MemoryRegionOps vfio_ati_3c3_quirk = { + .read = vfio_ati_3c3_quirk_read, ++ .write = vfio_ati_3c3_quirk_write, + .endianness = DEVICE_LITTLE_ENDIAN, + }; + +-- +2.27.0 +