From acfb66fabba1edd43345da41810ea8becc75a881 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 21 Jun 2021 09:22:35 +0800 Subject: [PATCH 1/5] ide: ahci: add check to avoid null dereference (CVE-2019-12067) Fix CVE-2019-12067 AHCI emulator while committing DMA buffer in ahci_commit_buf() may do a NULL dereference if the command header 'ad->cur_cmd' is null. Add check to avoid it. Reported-by: Bugs SysSec Signed-off-by: Prasad J Pandit Signed-off-by: Jiajie Li --- ...ck-to-avoid-null-dereference-CVE-201.patch | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 ide-ahci-add-check-to-avoid-null-dereference-CVE-201.patch diff --git a/ide-ahci-add-check-to-avoid-null-dereference-CVE-201.patch b/ide-ahci-add-check-to-avoid-null-dereference-CVE-201.patch new file mode 100644 index 0000000..aa614fa --- /dev/null +++ b/ide-ahci-add-check-to-avoid-null-dereference-CVE-201.patch @@ -0,0 +1,40 @@ +From 6a329da8b0198ac20bda53ced33a38307702b9c1 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Mon, 21 Jun 2021 09:22:35 +0800 +Subject: [PATCH] ide: ahci: add check to avoid null dereference + (CVE-2019-12067) + +Fix CVE-2019-12067 + +AHCI emulator while committing DMA buffer in ahci_commit_buf() +may do a NULL dereference if the command header 'ad->cur_cmd' +is null. Add check to avoid it. + +Reported-by: Bugs SysSec +Signed-off-by: Prasad J Pandit + +Signed-off-by: Jiajie Li +--- + hw/ide/ahci.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c +index 6aaf66534a..a7be0ae4fe 100644 +--- a/hw/ide/ahci.c ++++ b/hw/ide/ahci.c +@@ -1455,8 +1455,10 @@ static void ahci_commit_buf(IDEDMA *dma, uint32_t tx_bytes) + { + AHCIDevice *ad = DO_UPCAST(AHCIDevice, dma, dma); + +- tx_bytes += le32_to_cpu(ad->cur_cmd->status); +- ad->cur_cmd->status = cpu_to_le32(tx_bytes); ++ if (ad->cur_cmd) { ++ tx_bytes += le32_to_cpu(ad->cur_cmd->status); ++ ad->cur_cmd->status = cpu_to_le32(tx_bytes); ++ } + } + + static int ahci_dma_rw_buf(IDEDMA *dma, int is_write) +-- +2.27.0 + -- Gitee From af78fe594fa00765805f3930802769c669767673 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 21 Jun 2021 10:12:41 +0800 Subject: [PATCH 2/5] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix CVE-2021-20221 Per the ARM Generic Interrupt Controller Architecture specification (document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit, not 10: - 4.3 Distributor register descriptions - 4.3.15 Software Generated Interrupt Register, GICD_SG - Table 4-21 GICD_SGIR bit assignments The Interrupt ID of the SGI to forward to the specified CPU interfaces. The value of this field is the Interrupt ID, in the range 0-15, for example a value of 0b0011 specifies Interrupt ID 3. Correct the irq mask to fix an undefined behavior (which eventually lead to a heap-buffer-overflow, see [Buglink]): $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio [I 1612088147.116987] OPENED [R +0.278293] writel 0x8000f00 0xff4affb0 ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]' SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13 This fixes a security issue when running with KVM on Arm with kernel-irqchip=off. (The default is kernel-irqchip=on, which is unaffected, and which is also the correct choice for performance.) Cc: qemu-stable@nongnu.org Fixes: CVE-2021-20221 Fixes: 9ee6e8bb ("ARMv7 support.") Buglink: https://bugs.launchpad.net/qemu/+bug/1913916 Buglink: https://bugs.launchpad.net/qemu/+bug/1913917 Reported-by: Alexander Bulekov's avatarAlexander Bulekov Signed-off-by: Philippe Mathieu-Daudé's avatarPhilippe Mathieu-Daudé Message-id: 20210131103401.217160-1-f4bug@amsat.org Reviewed-by: Peter Maydell's avatarPeter Maydell Signed-off-by: Peter Maydell's avatarPeter Maydell Signed-off-by: Jiajie Li --- ...Fix-interrupt-ID-in-GICD_SGIR-regist.patch | 70 +++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch diff --git a/hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch b/hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch new file mode 100644 index 0000000..7e8a18b --- /dev/null +++ b/hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch @@ -0,0 +1,70 @@ +From eb88bb891b386535deb9ad8f440922ee74827d28 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Mon, 21 Jun 2021 10:12:41 +0800 +Subject: [PATCH] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix CVE-2021-20221 + +Per the ARM Generic Interrupt Controller Architecture specification +(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit, +not 10: + + - 4.3 Distributor register descriptions + - 4.3.15 Software Generated Interrupt Register, GICD_SG + + - Table 4-21 GICD_SGIR bit assignments + + The Interrupt ID of the SGI to forward to the specified CPU + interfaces. The value of this field is the Interrupt ID, in + the range 0-15, for example a value of 0b0011 specifies + Interrupt ID 3. + +Correct the irq mask to fix an undefined behavior (which eventually +lead to a heap-buffer-overflow, see [Buglink]): + + $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio + [I 1612088147.116987] OPENED + [R +0.278293] writel 0x8000f00 0xff4affb0 + ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]' + SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13 + +This fixes a security issue when running with KVM on Arm with +kernel-irqchip=off. (The default is kernel-irqchip=on, which is +unaffected, and which is also the correct choice for performance.) + +Cc: qemu-stable@nongnu.org +Fixes: CVE-2021-20221 +Fixes: 9ee6e8bb ("ARMv7 support.") +Buglink: https://bugs.launchpad.net/qemu/+bug/1913916 +Buglink: https://bugs.launchpad.net/qemu/+bug/1913917 + +Reported-by: Alexander Bulekov's avatarAlexander Bulekov +Signed-off-by: Philippe Mathieu-Daudé's avatarPhilippe Mathieu-Daudé +Message-id: 20210131103401.217160-1-f4bug@amsat.org +Reviewed-by: Peter Maydell's avatarPeter Maydell +Signed-off-by: Peter Maydell's avatarPeter Maydell + +Signed-off-by: Jiajie Li +--- + hw/intc/arm_gic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c +index 77427a4188..492dabaa1c 100644 +--- a/hw/intc/arm_gic.c ++++ b/hw/intc/arm_gic.c +@@ -1454,7 +1454,7 @@ static void gic_dist_writel(void *opaque, hwaddr offset, + int target_cpu; + + cpu = gic_get_current_cpu(s); +- irq = value & 0x3ff; ++ irq = value & 0xf; + switch ((value >> 24) & 3) { + case 0: + mask = (value >> 16) & ALL_CPU_MASK; +-- +2.27.0 + -- Gitee From f4a9c2bf03faac4dba8a03d22b1d474b39dfec95 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 21 Jun 2021 10:19:58 +0800 Subject: [PATCH 3/5] usb: limit combined packets to 1 MiB (CVE-2021-3527) Fix CVE-2021-3527 usb-host and usb-redirect try to batch bulk transfers by combining many small usb packets into a single, large transfer request, to reduce the overhead and improve performance. This patch adds a size limit of 1 MiB for those combined packets to restrict the host resources the guest can bind that way. Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann Message-Id: <20210503132915.2335822-6-kraxel@redhat.com> Signed-off-by: Jiajie Li --- ...bined-packets-to-1-MiB-CVE-2021-3527.patch | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch diff --git a/usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch b/usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch new file mode 100644 index 0000000..7434d7c --- /dev/null +++ b/usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch @@ -0,0 +1,39 @@ +From d52c31d263f2fdc2c0565f0b8f48586069078ede Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 21 Jun 2021 10:19:58 +0800 +Subject: [PATCH] usb: limit combined packets to 1 MiB (CVE-2021-3527) + +Fix CVE-2021-3527 + +usb-host and usb-redirect try to batch bulk transfers by combining many +small usb packets into a single, large transfer request, to reduce the +overhead and improve performance. + +This patch adds a size limit of 1 MiB for those combined packets to +restrict the host resources the guest can bind that way. +Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann +Message-Id: <20210503132915.2335822-6-kraxel@redhat.com> + +Signed-off-by: Jiajie Li +--- + hw/usb/combined-packet.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c +index 5d57e883dc..e56802f89a 100644 +--- a/hw/usb/combined-packet.c ++++ b/hw/usb/combined-packet.c +@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep) + if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok || + next == NULL || + /* Work around for Linux usbfs bulk splitting + migration */ +- (totalsize == (16 * KiB - 36) && p->int_req)) { ++ (totalsize == (16 * KiB - 36) && p->int_req) || ++ /* Next package may grow combined package over 1MiB */ ++ totalsize > 1 * MiB - ep->max_packet_size) { + usb_device_handle_data(ep->dev, first); + assert(first->status == USB_RET_ASYNC); + if (first->combined) { +-- +2.27.0 + -- Gitee From b1f45487a0ac894629b7dd7817948b97ce59d60d Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 21 Jun 2021 21:27:30 +0800 Subject: [PATCH 4/5] spec: Update patch and changelog with !148 fix CVE-2021-3527 #I3U9T9 && CVE-2019-12067#I3VG5H && CVE-2021-20221 #I3UFOP !148 ide: ahci: add check to avoid null dereference (CVE-2019-12067) hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register usb: limit combined packets to 1 MiB (CVE-2021-3527) Signed-off-by: Chen Qun --- qemu.spec | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/qemu.spec b/qemu.spec index 6733e2c..311b9db 100644 --- a/qemu.spec +++ b/qemu.spec @@ -333,6 +333,9 @@ Patch0320: vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch Patch0321: vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch Patch0322: vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch Patch0323: vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch +Patch0324: ide-ahci-add-check-to-avoid-null-dereference-CVE-201.patch +Patch0325: hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch +Patch0326: usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch BuildRequires: flex BuildRequires: bison @@ -726,6 +729,11 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Mon Jun 21 2021 Chen Qun +- ide: ahci: add check to avoid null dereference (CVE-2019-12067) +- hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register +- usb: limit combined packets to 1 MiB (CVE-2021-3527) + * Thu Jun 17 2021 Chen Qun - vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544) - vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544) -- Gitee From f02085327de3fea6f27a34eb869a2b79f3c571e1 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 21 Jun 2021 21:27:32 +0800 Subject: [PATCH 5/5] spec: Update release version with !148 increase release verison by one Signed-off-by: Chen Qun --- qemu.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qemu.spec b/qemu.spec index 311b9db..c4cab3d 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 56 +Release: 57 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 -- Gitee