From f3a0b45e183456a0d422676079b69a9d15dd7eab Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Thu, 4 Nov 2021 17:31:38 +0100 Subject: [PATCH 01/16] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands This avoids an off-by-one read of 'mode_sense_valid' buffer in hw/scsi/scsi-disk.c:mode_sense_page(). Fixes: CVE-2021-3930 Cc: qemu-stable@nongnu.org Reported-by: Alexander Bulekov Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table") Fixes: #546 Reported-by: Qiuhao Li Signed-off-by: Mauro Matteo Cascella Signed-off-by: Paolo Bonzini cherry-pick from: b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 Signed-off-by: AlexChen --- ...i-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch b/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch index 432e6cc..ae5ed7a 100644 --- a/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch +++ b/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch @@ -1,4 +1,4 @@ -From 08438d7975713bbeed2dff8467bd4656b34221ad Mon Sep 17 00:00:00 2001 +From b1f0a316a30eb5c1ba87391af284ad926afa2c3c Mon Sep 17 00:00:00 2001 From: AlexChen Date: Thu, 4 Nov 2021 17:31:38 +0100 Subject: [PATCH] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT @@ -22,21 +22,21 @@ Signed-off-by: AlexChen 1 file changed, 6 insertions(+) diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c -index cd90cd780e..297efd5a72 100644 +index 93fdd913fe..9a67fc7dc6 100644 --- a/hw/scsi/scsi-disk.c +++ b/hw/scsi/scsi-disk.c -@@ -1082,6 +1082,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf, +@@ -1089,6 +1089,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf, uint8_t *p = *p_outbuf + 2; int length; - + + assert(page < ARRAY_SIZE(mode_sense_valid)); if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) { return -1; } -@@ -1423,6 +1424,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page, +@@ -1430,6 +1431,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page, return -1; } - + + /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */ + if (page == MODE_PAGE_ALLS) { + return -1; @@ -45,6 +45,6 @@ index cd90cd780e..297efd5a72 100644 p = mode_current; memset(mode_current, 0, inlen + 2); len = mode_sense_page(s, page, &p, 0); --- +-- 2.27.0 -- Gitee From 9053c5a6ad0ba6bcb33b5d0dbcbc9b0cd25bb3d0 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 16 May 2022 21:27:28 +0800 Subject: [PATCH 02/16] spec: Update patch and changelog with !268 hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands !268 hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands Signed-off-by: Chen Qun --- qemu.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/qemu.spec b/qemu.spec index f25072b..800352d 100644 --- a/qemu.spec +++ b/qemu.spec @@ -355,6 +355,7 @@ Patch0342: hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch Patch0343: tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch Patch0344: display-qxl-render-fix-race-condition-in-qxl_cursor-.patch Patch0345: ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch +Patch0346: hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch BuildRequires: flex BuildRequires: bison @@ -752,6 +753,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Mon May 16 2022 Chen Qun +- hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands + * Tue May 10 2022 yezengruan - hw/block/fdc: Extract blk_create_empty_drive() - hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196 -- Gitee From a55b02fff1b81b959778e0a951ea9710d6e5e791 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Wed, 16 Jun 2021 14:06:00 +0300 Subject: [PATCH 03/16] hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) Ensure mremap boundaries not trusting the guest kernel to pass the correct buffer length. Fixes: CVE-2021-3582 Reported-by: VictorV (Kunlun Lab) Tested-by: VictorV (Kunlun Lab) Signed-off-by: Marcel Apfelbaum Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com> Reviewed-by: Yuval Shaia Tested-by: Yuval Shaia Reviewed-by: Prasad J Pandit Signed-off-by: Marcel Apfelbaum cherry-pick from: 284f191b4abad213aed04cb0458e1600fd18d7c4 Signed-off-by: yezengruan --- hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch b/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch index d047ee3..48d2fd9 100644 --- a/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch +++ b/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch @@ -1,8 +1,8 @@ From be2098de6cafdce46c104d6ff277b7b780631e40 Mon Sep 17 00:00:00 2001 From: Marcel Apfelbaum Date: Wed, 16 Jun 2021 14:06:00 +0300 -Subject: [PATCH 1/3] hw/rdma: Fix possible mremap overflow in the pvrdma - device (CVE-2021-3582) +Subject: [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device + (CVE-2021-3582) Ensure mremap boundaries not trusting the guest kernel to pass the correct buffer length. -- Gitee From 75d5b7d0b8b942d19c23b30b341dd3f37107c606 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Wed, 30 Jun 2021 14:46:34 +0300 Subject: [PATCH 04/16] pvrdma: Ensure correct input on ring init (CVE-2021-3607) Check the guest passed a non zero page count for pvrdma device ring buffers. Fixes: CVE-2021-3607 Reported-by: VictorV (Kunlun Lab) Reviewed-by: VictorV (Kunlun Lab) Signed-off-by: Marcel Apfelbaum Message-Id: <20210630114634.2168872-1-marcel@redhat.com> Reviewed-by: Yuval Shaia Tested-by: Yuval Shaia Signed-off-by: Marcel Apfelbaum cherry-pick from: 32e5703cfea07c91e6e84bcb0313f633bb146534 Signed-off-by: yezengruan --- pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch b/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch index 2be3129..81c8278 100644 --- a/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch +++ b/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch @@ -1,7 +1,7 @@ From 0383586640e2c9712376c795d4d2ea27aadeed78 Mon Sep 17 00:00:00 2001 From: Marcel Apfelbaum Date: Wed, 30 Jun 2021 14:46:34 +0300 -Subject: [PATCH 2/3] pvrdma: Ensure correct input on ring init (CVE-2021-3607) +Subject: [PATCH] pvrdma: Ensure correct input on ring init (CVE-2021-3607) Check the guest passed a non zero page count for pvrdma device ring buffers. -- Gitee From 0ea0fe0f85ae51509c864ae8a241c9ec9950f422 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Wed, 30 Jun 2021 14:52:46 +0300 Subject: [PATCH 05/16] pvrdma: Fix the ring init error flow (CVE-2021-3608) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Do not unmap uninitialized dma addresses. Fixes: CVE-2021-3608 Reviewed-by: VictorV (Kunlun Lab) Tested-by: VictorV (Kunlun Lab) Signed-off-by: Marcel Apfelbaum Message-Id: <20210630115246.2178219-1-marcel@redhat.com> Tested-by: Yuval Shaia Reviewed-by: Yuval Shaia Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Marcel Apfelbaum cherry-pick from: 66ae37d8cc313f89272e711174a846a229bcdbd3 Signed-off-by: yezengruan --- pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch b/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch index ed54c1b..e1de794 100644 --- a/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch +++ b/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch @@ -1,7 +1,7 @@ From ad63c75ceea0b9d6fe1dbb008cad41527a29f923 Mon Sep 17 00:00:00 2001 From: Marcel Apfelbaum Date: Wed, 30 Jun 2021 14:52:46 +0300 -Subject: [PATCH 3/3] pvrdma: Fix the ring init error flow (CVE-2021-3608) +Subject: [PATCH] pvrdma: Fix the ring init error flow (CVE-2021-3608) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit -- Gitee From a233fcfae3a1ab23004610268e615cd410c812a9 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 16 May 2022 21:27:36 +0800 Subject: [PATCH 06/16] spec: Update patch and changelog with !277 Fixes: CVE-2021-3582/CVE-2021-3607/CVE-2021-3608 !277 hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) pvrdma: Ensure correct input on ring init (CVE-2021-3607) pvrdma: Fix the ring init error flow (CVE-2021-3608) Signed-off-by: Chen Qun --- qemu.spec | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/qemu.spec b/qemu.spec index 800352d..3b268c3 100644 --- a/qemu.spec +++ b/qemu.spec @@ -356,6 +356,9 @@ Patch0343: tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch Patch0344: display-qxl-render-fix-race-condition-in-qxl_cursor-.patch Patch0345: ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch Patch0346: hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch +Patch0347: hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch +Patch0348: pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch +Patch0349: pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch BuildRequires: flex BuildRequires: bison @@ -753,6 +756,11 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Mon May 16 2022 Chen Qun +- hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) +- pvrdma: Ensure correct input on ring init (CVE-2021-3607) +- pvrdma: Fix the ring init error flow (CVE-2021-3608) + * Mon May 16 2022 Chen Qun - hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands -- Gitee From 84e71715b11e5305977308a19eeffb495eb20010 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 28 Feb 2022 10:50:58 +0100 Subject: [PATCH 07/16] vhost-vsock: detach the virqueue element in case of error In vhost_vsock_send_transport_reset(), if an element popped from the virtqueue is invalid, we should call virtqueue_detach_element() to detach it from the virtqueue before freeing its memory. Fixes: fc0b9b0e1c ("vhost-vsock: add virtio sockets device") Fixes: CVE-2022-26354 Cc: qemu-stable@nongnu.org Reported-by: VictorV Signed-off-by: Stefano Garzarella Message-Id: <20220228095058.27899-1-sgarzare@redhat.com> Reviewed-by: Stefan Hajnoczi Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin --- vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch b/vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch index 8cde941..97d32c6 100644 --- a/vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch +++ b/vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch @@ -1,7 +1,7 @@ From 1f20e48288a39d9ea92e743707fd08de77bfe584 Mon Sep 17 00:00:00 2001 From: Stefano Garzarella Date: Mon, 28 Feb 2022 10:50:58 +0100 -Subject: [PATCH 1/2] vhost-vsock: detach the virqueue element in case of error +Subject: [PATCH] vhost-vsock: detach the virqueue element in case of error In vhost_vsock_send_transport_reset(), if an element popped from the virtqueue is invalid, we should call virtqueue_detach_element() to -- Gitee From f6fbf6e12ede3bd6ae9e083396706c36c3888f3d Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Tue, 8 Mar 2022 10:42:51 +0800 Subject: [PATCH 08/16] virtio-net: fix map leaking on error during receive Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg") tries to fix the use after free of the sg by caching the virtqueue elements in an array and unmap them at once after receiving the packets, But it forgot to unmap the cached elements on error which will lead to leaking of mapping and other unexpected results. Fixing this by detaching the cached elements on error. This addresses CVE-2022-26353. Reported-by: Victor Tom Cc: qemu-stable@nongnu.org Fixes: CVE-2022-26353 Fixes: bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg") Reviewed-by: Michael S. Tsirkin Signed-off-by: Jason Wang --- virtio-net-fix-map-leaking-on-error-during-receive.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/virtio-net-fix-map-leaking-on-error-during-receive.patch b/virtio-net-fix-map-leaking-on-error-during-receive.patch index 9477045..90d6096 100644 --- a/virtio-net-fix-map-leaking-on-error-during-receive.patch +++ b/virtio-net-fix-map-leaking-on-error-during-receive.patch @@ -1,7 +1,7 @@ From 72f59cd8d3c2a7a1f4a64cdfafd6c333d5bf4ad3 Mon Sep 17 00:00:00 2001 From: Jason Wang Date: Tue, 8 Mar 2022 10:42:51 +0800 -Subject: [PATCH 2/2] virtio-net: fix map leaking on error during receive +Subject: [PATCH] virtio-net: fix map leaking on error during receive Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg") tries to fix the use after free of the sg by caching the virtqueue -- Gitee From ce81d32127b2fb405e3f3fba7c9966a7a328434d Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 16 May 2022 21:27:40 +0800 Subject: [PATCH 09/16] spec: Update patch and changelog with !280 fix CVE-2022-26354 and CVE-2022-26353 !280 vhost-vsock: detach the virqueue element in case of error virtio-net: fix map leaking on error during receive Signed-off-by: Chen Qun --- qemu.spec | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/qemu.spec b/qemu.spec index 3b268c3..a751ca5 100644 --- a/qemu.spec +++ b/qemu.spec @@ -359,6 +359,8 @@ Patch0346: hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch Patch0347: hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch Patch0348: pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch Patch0349: pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch +Patch0350: vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch +Patch0351: virtio-net-fix-map-leaking-on-error-during-receive.patch BuildRequires: flex BuildRequires: bison @@ -756,6 +758,10 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Mon May 16 2022 Chen Qun +- vhost-vsock: detach the virqueue element in case of error +- virtio-net: fix map leaking on error during receive + * Mon May 16 2022 Chen Qun - hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) - pvrdma: Ensure correct input on ring init (CVE-2021-3607) -- Gitee From bd336e8831b5833011cfeed1d752babcee23fb1e Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Wed, 24 Nov 2021 17:15:34 +0100 Subject: [PATCH 10/16] hw/block/fdc: Extract blk_create_empty_drive() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We are going to re-use this code in the next commit, so extract it as a new blk_create_empty_drive() function. Inspired-by: Hanna Reitz Signed-off-by: Philippe Mathieu-Daudé Message-id: 20211124161536.631563-2-philmd@redhat.com Signed-off-by: John Snow --- hw-block-fdc-Extract-blk_create_empty_drive.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw-block-fdc-Extract-blk_create_empty_drive.patch b/hw-block-fdc-Extract-blk_create_empty_drive.patch index 23b3ab3..61e1235 100644 --- a/hw-block-fdc-Extract-blk_create_empty_drive.patch +++ b/hw-block-fdc-Extract-blk_create_empty_drive.patch @@ -1,7 +1,7 @@ From b05a7125bab12a5610db47c9fd4f85d93a552a4e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Wed, 24 Nov 2021 17:15:34 +0100 -Subject: [PATCH 1/5] hw/block/fdc: Extract blk_create_empty_drive() +Subject: [PATCH] hw/block/fdc: Extract blk_create_empty_drive() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit -- Gitee From 6ad6a98f0dc149e2c524c6f796fcef255fee4dbf Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Wed, 24 Nov 2021 17:15:35 +0100 Subject: [PATCH 11/16] hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guest might select another drive on the bus by setting the DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR). The current controller model doesn't expect a BlockBackend to be NULL. A simple way to fix CVE-2021-20196 is to create an empty BlockBackend when it is missing. All further accesses will be safely handled, and the controller state machines keep behaving correctly. Cc: qemu-stable@nongnu.org Fixes: CVE-2021-20196 Reported-by: Gaoning Pan (Ant Security Light-Year Lab) Reviewed-by: Darren Kenny Reviewed-by: Hanna Reitz Signed-off-by: Philippe Mathieu-Daudé Message-id: 20211124161536.631563-3-philmd@redhat.com BugLink: https://bugs.launchpad.net/qemu/+bug/1912780 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/338 Reviewed-by: Darren Kenny Reviewed-by: Hanna Reitz Signed-off-by: Philippe Mathieu-Daudé Signed-off-by: John Snow --- hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch b/hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch index 2c9c180..ba7df94 100644 --- a/hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch +++ b/hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch @@ -1,7 +1,7 @@ From c303ae575659493d747225f61430460dec809362 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Wed, 24 Nov 2021 17:15:35 +0100 -Subject: [PATCH 2/5] hw/block/fdc: Kludge missing floppy drive to fix +Subject: [PATCH] hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 -- Gitee From 1a3b2224e1d18050a92d68d4ae971c6283a3cc9d Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Wed, 24 Nov 2021 17:15:36 +0100 Subject: [PATCH 12/16] tests/fdc-test: Add a regression test for CVE-2021-20196 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Without the previous commit, when running 'make check-qtest-i386' with QEMU configured with '--enable-sanitizers' we get: AddressSanitizer:DEADLYSIGNAL ================================================================= ==287878==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000344 ==287878==The signal is caused by a WRITE memory access. ==287878==Hint: address points to the zero page. #0 0x564b2e5bac27 in blk_inc_in_flight block/block-backend.c:1346:5 #1 0x564b2e5bb228 in blk_pwritev_part block/block-backend.c:1317:5 #2 0x564b2e5bcd57 in blk_pwrite block/block-backend.c:1498:11 #3 0x564b2ca1cdd3 in fdctrl_write_data hw/block/fdc.c:2221:17 #4 0x564b2ca1b2f7 in fdctrl_write hw/block/fdc.c:829:9 #5 0x564b2dc49503 in portio_write softmmu/ioport.c:201:9 Add the reproducer for CVE-2021-20196. Suggested-by: Alexander Bulekov Reviewed-by: Darren Kenny Signed-off-by: Philippe Mathieu-Daudé Message-id: 20211124161536.631563-4-philmd@redhat.com Signed-off-by: John Snow --- tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch b/tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch index 56aac5a..11d8134 100644 --- a/tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch +++ b/tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch @@ -1,7 +1,7 @@ From 2d3c9124817d4f01a1d241359a784f29006f9cc1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Wed, 24 Nov 2021 17:15:36 +0100 -Subject: [PATCH 3/5] tests/fdc-test: Add a regression test for CVE-2021-20196 +Subject: [PATCH] tests/fdc-test: Add a regression test for CVE-2021-20196 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit -- Gitee From 8377e0efd67d6f03f55d40250e4dfb004eb9f3ca Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Thu, 7 Apr 2022 10:11:06 +0200 Subject: [PATCH 13/16] display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Avoid fetching 'width' and 'height' a second time to prevent possible race condition. Refer to security advisory https://starlabs.sg/advisories/22-4207/ for more information. Fixes: CVE-2021-4207 Signed-off-by: Mauro Matteo Cascella Reviewed-by: Marc-André Lureau Message-Id: <20220407081106.343235-1-mcascell@redhat.com> Signed-off-by: Gerd Hoffmann --- display-qxl-render-fix-race-condition-in-qxl_cursor-.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/display-qxl-render-fix-race-condition-in-qxl_cursor-.patch b/display-qxl-render-fix-race-condition-in-qxl_cursor-.patch index 7fbd127..64d0d77 100644 --- a/display-qxl-render-fix-race-condition-in-qxl_cursor-.patch +++ b/display-qxl-render-fix-race-condition-in-qxl_cursor-.patch @@ -1,7 +1,7 @@ From 5b4d6c4605900ecc22135af5a904270931220a4f Mon Sep 17 00:00:00 2001 From: Mauro Matteo Cascella Date: Thu, 7 Apr 2022 10:11:06 +0200 -Subject: [PATCH 4/5] display/qxl-render: fix race condition in qxl_cursor +Subject: [PATCH] display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 -- Gitee From db23996ff8b3766496c4e0fe18d2efa247112383 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Thu, 7 Apr 2022 10:17:12 +0200 Subject: [PATCH 14/16] ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Prevent potential integer overflow by limiting 'width' and 'height' to 512x512. Also change 'datasize' type to size_t. Refer to security advisory https://starlabs.sg/advisories/22-4206/ for more information. Fixes: CVE-2021-4206 Signed-off-by: Mauro Matteo Cascella Reviewed-by: Marc-André Lureau Message-Id: <20220407081712.345609-1-mcascell@redhat.com> Signed-off-by: Gerd Hoffmann --- ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch b/ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch index 48e1bf5..cfd13f3 100644 --- a/ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch +++ b/ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch @@ -1,7 +1,7 @@ From 88e41fe7ae7e3344f075ae9b226c29c976adf0f4 Mon Sep 17 00:00:00 2001 From: Mauro Matteo Cascella Date: Thu, 7 Apr 2022 10:17:12 +0200 -Subject: [PATCH 5/5] ui/cursor: fix integer overflow in cursor_alloc +Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 -- Gitee From 3840fc62f42f6e21681d61040db2a642f4513318 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 16 May 2022 21:27:47 +0800 Subject: [PATCH 15/16] spec: Update patch and changelog with !286 fix CVE-2021-20196/CVE-2021-4207/CVE-2021-4206 !286 hw/block/fdc: Extract blk_create_empty_drive() hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196 tests/fdc-test: Add a regression test for CVE-2021-20196 display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207) ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206) Signed-off-by: Chen Qun --- qemu.spec | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/qemu.spec b/qemu.spec index a751ca5..c326f4e 100644 --- a/qemu.spec +++ b/qemu.spec @@ -361,6 +361,11 @@ Patch0348: pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch Patch0349: pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch Patch0350: vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch Patch0351: virtio-net-fix-map-leaking-on-error-during-receive.patch +Patch0352: hw-block-fdc-Extract-blk_create_empty_drive.patch +Patch0353: hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch +Patch0354: tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch +Patch0355: display-qxl-render-fix-race-condition-in-qxl_cursor-.patch +Patch0356: ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch BuildRequires: flex BuildRequires: bison @@ -758,6 +763,13 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Mon May 16 2022 Chen Qun +- hw/block/fdc: Extract blk_create_empty_drive() +- hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196 +- tests/fdc-test: Add a regression test for CVE-2021-20196 +- display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207) +- ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206) + * Mon May 16 2022 Chen Qun - vhost-vsock: detach the virqueue element in case of error - virtio-net: fix map leaking on error during receive -- Gitee From cc33e9dd51a1e35ade35170392a311e942e1d5dd Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 16 May 2022 21:28:03 +0800 Subject: [PATCH 16/16] spec: Update release version with !268 !277 !280 !286 increase release verison by one Signed-off-by: Chen Qun --- qemu.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qemu.spec b/qemu.spec index c326f4e..8a05d1f 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 67 +Release: 68 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 -- Gitee