From 40b9b28df1cdf2801c1a49816d660fe35a9bbc71 Mon Sep 17 00:00:00 2001 From: bobychen Date: Tue, 10 May 2022 16:27:03 +0800 Subject: [PATCH] fix CVE-2021-20196/CVE-2021-4207/CVE-2021-4206 (openeuler !286) hw/block/fdc: Extract blk_create_empty_drive() hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196 tests/fdc-test: Add a regression test for CVE-2021-20196 display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207) ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206) Signed-off-by: yezengruan Signed-off-by: bobychen --- ...er-fix-race-condition-in-qxl_cursor-.patch | 38 +++++++ ...k-fdc-Extract-blk_create_empty_drive.patch | 49 +++++++++ ...dge-missing-floppy-drive-to-fix-CVE-.patch | 62 +++++++++++ qemu.spec | 14 ++- ...dd-a-regression-test-for-CVE-2021-20.patch | 100 ++++++++++++++++++ ...teger-overflow-in-cursor_alloc-CVE-2.patch | 84 +++++++++++++++ 6 files changed, 346 insertions(+), 1 deletion(-) create mode 100644 display-qxl-render-fix-race-condition-in-qxl_cursor-.patch create mode 100644 hw-block-fdc-Extract-blk_create_empty_drive.patch create mode 100644 hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch create mode 100644 tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch create mode 100644 ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch diff --git a/display-qxl-render-fix-race-condition-in-qxl_cursor-.patch b/display-qxl-render-fix-race-condition-in-qxl_cursor-.patch new file mode 100644 index 0000000..7fbd127 --- /dev/null +++ b/display-qxl-render-fix-race-condition-in-qxl_cursor-.patch @@ -0,0 +1,38 @@ +From 5b4d6c4605900ecc22135af5a904270931220a4f Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella +Date: Thu, 7 Apr 2022 10:11:06 +0200 +Subject: [PATCH 4/5] display/qxl-render: fix race condition in qxl_cursor + (CVE-2021-4207) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Avoid fetching 'width' and 'height' a second time to prevent possible +race condition. Refer to security advisory +https://starlabs.sg/advisories/22-4207/ for more information. + +Fixes: CVE-2021-4207 +Signed-off-by: Mauro Matteo Cascella +Reviewed-by: Marc-André Lureau +Message-Id: <20220407081106.343235-1-mcascell@redhat.com> +Signed-off-by: Gerd Hoffmann +--- + hw/display/qxl-render.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c +index 14ad2b352d..4a63c382f6 100644 +--- a/hw/display/qxl-render.c ++++ b/hw/display/qxl-render.c +@@ -259,7 +259,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor, + } + break; + case SPICE_CURSOR_TYPE_ALPHA: +- size = sizeof(uint32_t) * cursor->header.width * cursor->header.height; ++ size = sizeof(uint32_t) * c->width * c->height; + qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id); + if (qxl->debug > 2) { + cursor_print_ascii_art(c, "qxl/alpha"); +-- +2.27.0 + diff --git a/hw-block-fdc-Extract-blk_create_empty_drive.patch b/hw-block-fdc-Extract-blk_create_empty_drive.patch new file mode 100644 index 0000000..23b3ab3 --- /dev/null +++ b/hw-block-fdc-Extract-blk_create_empty_drive.patch @@ -0,0 +1,49 @@ +From b05a7125bab12a5610db47c9fd4f85d93a552a4e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 24 Nov 2021 17:15:34 +0100 +Subject: [PATCH 1/5] hw/block/fdc: Extract blk_create_empty_drive() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We are going to re-use this code in the next commit, +so extract it as a new blk_create_empty_drive() function. + +Inspired-by: Hanna Reitz +Signed-off-by: Philippe Mathieu-Daudé +Message-id: 20211124161536.631563-2-philmd@redhat.com +Signed-off-by: John Snow +--- + hw/block/fdc.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/hw/block/fdc.c b/hw/block/fdc.c +index 9b24cb9b85..deea339d70 100644 +--- a/hw/block/fdc.c ++++ b/hw/block/fdc.c +@@ -56,6 +56,12 @@ + } while (0) + + ++/* Anonymous BlockBackend for empty drive */ ++static BlockBackend *blk_create_empty_drive(void) ++{ ++ return blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL); ++} ++ + /********************************************************/ + /* qdev floppy bus */ + +@@ -539,8 +545,7 @@ static void floppy_drive_realize(DeviceState *qdev, Error **errp) + } + + if (!dev->conf.blk) { +- /* Anonymous BlockBackend for an empty drive */ +- dev->conf.blk = blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL); ++ dev->conf.blk = blk_create_empty_drive(); + ret = blk_attach_dev(dev->conf.blk, qdev); + assert(ret == 0); + +-- +2.27.0 + diff --git a/hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch b/hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch new file mode 100644 index 0000000..2c9c180 --- /dev/null +++ b/hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch @@ -0,0 +1,62 @@ +From c303ae575659493d747225f61430460dec809362 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 24 Nov 2021 17:15:35 +0100 +Subject: [PATCH 2/5] hw/block/fdc: Kludge missing floppy drive to fix + CVE-2021-20196 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guest might select another drive on the bus by setting the +DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR). +The current controller model doesn't expect a BlockBackend +to be NULL. A simple way to fix CVE-2021-20196 is to create +an empty BlockBackend when it is missing. All further +accesses will be safely handled, and the controller state +machines keep behaving correctly. + +Cc: qemu-stable@nongnu.org +Fixes: CVE-2021-20196 +Reported-by: Gaoning Pan (Ant Security Light-Year Lab) +Reviewed-by: Darren Kenny +Reviewed-by: Hanna Reitz +Signed-off-by: Philippe Mathieu-Daudé +Message-id: 20211124161536.631563-3-philmd@redhat.com +BugLink: https://bugs.launchpad.net/qemu/+bug/1912780 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/338 +Reviewed-by: Darren Kenny +Reviewed-by: Hanna Reitz +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: John Snow +--- + hw/block/fdc.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/hw/block/fdc.c b/hw/block/fdc.c +index deea339d70..47b6939d44 100644 +--- a/hw/block/fdc.c ++++ b/hw/block/fdc.c +@@ -1358,7 +1358,19 @@ static FDrive *get_drv(FDCtrl *fdctrl, int unit) + + static FDrive *get_cur_drv(FDCtrl *fdctrl) + { +- return get_drv(fdctrl, fdctrl->cur_drv); ++ FDrive *cur_drv = get_drv(fdctrl, fdctrl->cur_drv); ++ ++ if (!cur_drv->blk) { ++ /* ++ * Kludge: empty drive line selected. Create an anonymous ++ * BlockBackend to avoid NULL deref with various BlockBackend ++ * API calls within this model (CVE-2021-20196). ++ * Due to the controller QOM model limitations, we don't ++ * attach the created to the controller device. ++ */ ++ cur_drv->blk = blk_create_empty_drive(); ++ } ++ return cur_drv; + } + + /* Status A register : 0x00 (read-only) */ +-- +2.27.0 + diff --git a/qemu.spec b/qemu.spec index 6f6d999..eaaeb70 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 66 +Release: 67 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 @@ -350,6 +350,11 @@ Patch0337: pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch Patch0338: pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch Patch0339: vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch Patch0340: virtio-net-fix-map-leaking-on-error-during-receive.patch +Patch0341: hw-block-fdc-Extract-blk_create_empty_drive.patch +Patch0342: hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch +Patch0343: tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch +Patch0344: display-qxl-render-fix-race-condition-in-qxl_cursor-.patch +Patch0345: ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch BuildRequires: flex BuildRequires: bison @@ -746,6 +751,13 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Tue May 10 2022 yezengruan +- hw/block/fdc: Extract blk_create_empty_drive() +- hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196 +- tests/fdc-test: Add a regression test for CVE-2021-20196 +- display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207) +- ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206) + * Fri Apr 15 2022 yezengruan - vhost-vsock: detach the virqueue element in case of error (CVE-2022-26354) - virtio-net: fix map leaking on error during receive (CVE-2022-26353) diff --git a/tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch b/tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch new file mode 100644 index 0000000..56aac5a --- /dev/null +++ b/tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch @@ -0,0 +1,100 @@ +From 2d3c9124817d4f01a1d241359a784f29006f9cc1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 24 Nov 2021 17:15:36 +0100 +Subject: [PATCH 3/5] tests/fdc-test: Add a regression test for CVE-2021-20196 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Without the previous commit, when running 'make check-qtest-i386' +with QEMU configured with '--enable-sanitizers' we get: + + AddressSanitizer:DEADLYSIGNAL + ================================================================= + ==287878==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000344 + ==287878==The signal is caused by a WRITE memory access. + ==287878==Hint: address points to the zero page. + #0 0x564b2e5bac27 in blk_inc_in_flight block/block-backend.c:1346:5 + #1 0x564b2e5bb228 in blk_pwritev_part block/block-backend.c:1317:5 + #2 0x564b2e5bcd57 in blk_pwrite block/block-backend.c:1498:11 + #3 0x564b2ca1cdd3 in fdctrl_write_data hw/block/fdc.c:2221:17 + #4 0x564b2ca1b2f7 in fdctrl_write hw/block/fdc.c:829:9 + #5 0x564b2dc49503 in portio_write softmmu/ioport.c:201:9 + +Add the reproducer for CVE-2021-20196. + +Suggested-by: Alexander Bulekov +Reviewed-by: Darren Kenny +Signed-off-by: Philippe Mathieu-Daudé +Message-id: 20211124161536.631563-4-philmd@redhat.com +Signed-off-by: John Snow +--- + tests/fdc-test.c | 38 ++++++++++++++++++++++++++++++++++++++ + 1 file changed, 38 insertions(+) + +diff --git a/tests/fdc-test.c b/tests/fdc-test.c +index 31cd3295c1..644cafc060 100644 +--- a/tests/fdc-test.c ++++ b/tests/fdc-test.c +@@ -32,6 +32,9 @@ + /* TODO actually test the results and get rid of this */ + #define qmp_discard_response(...) qobject_unref(qmp(__VA_ARGS__)) + ++#define DRIVE_FLOPPY_BLANK \ ++ "-drive if=floppy,file=null-co://,file.read-zeroes=on,format=raw,size=1440k" ++ + #define TEST_IMAGE_SIZE 1440 * 1024 + + #define FLOPPY_BASE 0x3f0 +@@ -546,6 +549,40 @@ static void fuzz_registers(void) + } + } + ++static bool qtest_check_clang_sanitizer(void) ++{ ++#if defined(__SANITIZE_ADDRESS__) || __has_feature(address_sanitizer) ++ return true; ++#else ++ g_test_skip("QEMU not configured using --enable-sanitizers"); ++ return false; ++#endif ++} ++static void test_cve_2021_20196(void) ++{ ++ QTestState *s; ++ ++ if (!qtest_check_clang_sanitizer()) { ++ return; ++ } ++ ++ s = qtest_initf("-nographic -m 32M -nodefaults " DRIVE_FLOPPY_BLANK); ++ ++ qtest_outw(s, 0x3f4, 0x0500); ++ qtest_outb(s, 0x3f5, 0x00); ++ qtest_outb(s, 0x3f5, 0x00); ++ qtest_outw(s, 0x3f4, 0x0000); ++ qtest_outb(s, 0x3f5, 0x00); ++ qtest_outw(s, 0x3f1, 0x0400); ++ qtest_outw(s, 0x3f4, 0x0000); ++ qtest_outw(s, 0x3f4, 0x0000); ++ qtest_outb(s, 0x3f5, 0x00); ++ qtest_outb(s, 0x3f5, 0x01); ++ qtest_outw(s, 0x3f1, 0x0500); ++ qtest_outb(s, 0x3f5, 0x00); ++ qtest_quit(s); ++} ++ + int main(int argc, char **argv) + { + int fd; +@@ -576,6 +613,7 @@ int main(int argc, char **argv) + qtest_add_func("/fdc/read_no_dma_18", test_read_no_dma_18); + qtest_add_func("/fdc/read_no_dma_19", test_read_no_dma_19); + qtest_add_func("/fdc/fuzz-registers", fuzz_registers); ++ qtest_add_func("/fdc/fuzz/cve_2021_20196", test_cve_2021_20196); + + ret = g_test_run(); + +-- +2.27.0 + diff --git a/ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch b/ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch new file mode 100644 index 0000000..48e1bf5 --- /dev/null +++ b/ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch @@ -0,0 +1,84 @@ +From 88e41fe7ae7e3344f075ae9b226c29c976adf0f4 Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella +Date: Thu, 7 Apr 2022 10:17:12 +0200 +Subject: [PATCH 5/5] ui/cursor: fix integer overflow in cursor_alloc + (CVE-2021-4206) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Prevent potential integer overflow by limiting 'width' and 'height' to +512x512. Also change 'datasize' type to size_t. Refer to security +advisory https://starlabs.sg/advisories/22-4206/ for more information. + +Fixes: CVE-2021-4206 +Signed-off-by: Mauro Matteo Cascella +Reviewed-by: Marc-André Lureau +Message-Id: <20220407081712.345609-1-mcascell@redhat.com> +Signed-off-by: Gerd Hoffmann +--- + hw/display/qxl-render.c | 7 +++++++ + hw/display/vmware_vga.c | 2 ++ + ui/cursor.c | 8 +++++++- + 3 files changed, 16 insertions(+), 1 deletion(-) + +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c +index 4a63c382f6..bcef2a5fb0 100644 +--- a/hw/display/qxl-render.c ++++ b/hw/display/qxl-render.c +@@ -240,6 +240,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor, + size_t size; + + c = cursor_alloc(cursor->header.width, cursor->header.height); ++ ++ if (!c) { ++ qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__, ++ cursor->header.width, cursor->header.height); ++ goto fail; ++ } ++ + c->hot_x = cursor->header.hot_spot_x; + c->hot_y = cursor->header.hot_spot_y; + switch (cursor->header.type) { +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c +index 249a179bf6..1c977cedf7 100644 +--- a/hw/display/vmware_vga.c ++++ b/hw/display/vmware_vga.c +@@ -507,6 +507,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s, + int i, pixels; + + qc = cursor_alloc(c->width, c->height); ++ assert(qc != NULL); ++ + qc->hot_x = c->hot_x; + qc->hot_y = c->hot_y; + switch (c->bpp) { +diff --git a/ui/cursor.c b/ui/cursor.c +index 1d62ddd4d0..835f0802f9 100644 +--- a/ui/cursor.c ++++ b/ui/cursor.c +@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[]) + + /* parse pixel data */ + c = cursor_alloc(width, height); ++ assert(c != NULL); ++ + for (pixel = 0, y = 0; y < height; y++, line++) { + for (x = 0; x < height; x++, pixel++) { + idx = xpm[line][x]; +@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void) + QEMUCursor *cursor_alloc(int width, int height) + { + QEMUCursor *c; +- int datasize = width * height * sizeof(uint32_t); ++ size_t datasize = width * height * sizeof(uint32_t); ++ ++ if (width > 512 || height > 512) { ++ return NULL; ++ } + + c = g_malloc0(sizeof(QEMUCursor) + datasize); + c->width = width; +-- +2.27.0 + -- Gitee