From ead5bd844fb014f71a1aa1057065b8db4d757411 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Thu, 4 Nov 2021 17:31:38 +0100 Subject: [PATCH 01/16] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands This avoids an off-by-one read of 'mode_sense_valid' buffer in hw/scsi/scsi-disk.c:mode_sense_page(). Fixes: CVE-2021-3930 Cc: qemu-stable@nongnu.org Reported-by: Alexander Bulekov Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table") Fixes: #546 Reported-by: Qiuhao Li Signed-off-by: Mauro Matteo Cascella Signed-off-by: Paolo Bonzini cherry-pick from: b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 Signed-off-by: AlexChen --- ...-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch b/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch index 1b0c29a..ed880aa 100644 --- a/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch +++ b/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch @@ -1,8 +1,8 @@ From ea914867ecf5d342a7919abeff4b73c4a6f26e03 Mon Sep 17 00:00:00 2001 From: AlexChen Date: Thu, 4 Nov 2021 17:31:38 +0100 -Subject: [PATCH 2/2] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE - SELECT commands +Subject: [PATCH] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT + commands This avoids an off-by-one read of 'mode_sense_valid' buffer in hw/scsi/scsi-disk.c:mode_sense_page(). @@ -28,7 +28,7 @@ index 93fdd913fe..9a67fc7dc6 100644 @@ -1089,6 +1089,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf, uint8_t *p = *p_outbuf + 2; int length; - + + assert(page < ARRAY_SIZE(mode_sense_valid)); if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) { return -1; @@ -36,7 +36,7 @@ index 93fdd913fe..9a67fc7dc6 100644 
@@ -1430,6 +1431,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page, return -1; } - + + /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */ + if (page == MODE_PAGE_ALLS) { + return -1; @@ -45,6 +45,6 @@ index 93fdd913fe..9a67fc7dc6 100644 p = mode_current; memset(mode_current, 0, inlen + 2); len = mode_sense_page(s, page, &p, 0); --- +-- 2.27.0 -- Gitee From 7523a481135caa3073d6c730fab6f4bdbda293d6 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 16 May 2022 21:27:31 +0800 Subject: [PATCH 02/16] spec: Update patch and changelog with !269 hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands !269 hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands Signed-off-by: Chen Qun --- qemu.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/qemu.spec b/qemu.spec index 7cf8d72..3413ace 100644 --- a/qemu.spec +++ b/qemu.spec @@ -320,6 +320,7 @@ Patch0342: hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch Patch0343: tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch Patch0344: display-qxl-render-fix-race-condition-in-qxl_cursor-.patch Patch0345: ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch +Patch0346: hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch BuildRequires: flex BuildRequires: bison @@ -717,6 +718,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Mon May 16 2022 Chen Qun +- hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands + * Tue May 10 2022 yezengruan - hw/block/fdc: Extract blk_create_empty_drive() - hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196 -- Gitee From a60c576a0d58432e1956aa1f0432bdf1d6c2b008 Mon Sep 17 00:00:00 2001 
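Review bot: the `assert(page < ARRAY_SIZE(mode_sense_valid))` added in mode_sense_page() turns the off-by-one read into a hard abort of the whole QEMU process, so it only closes CVE-2021-3930 safely together with the second hunk, which makes scsi_disk_check_mode_select() return -1 for `page == MODE_PAGE_ALLS` before mode_sense_page() is ever called with that value. Keep both hunks together in the stored patch file and, when it is applied to the 4.1.0 tree, check that no other caller of mode_sense_page() can reach the assert with a guest-chosen page number, because that would replace an out-of-bounds read with a guest-triggerable crash.

Review bot: the stored patch file keeps `From: AlexChen` as the author while the trailers name Mauro Matteo Cascella as signer and give `cherry-pick from: b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8` as the upstream commit; the `From:` line of a backported patch should carry the upstream author so that `git am` attributes it correctly. Note also that this commit's diff only reflows the Subject from `[PATCH 2/2]` to `[PATCH]` and touches whitespace on a blank context line and the `-- ` signature line, while its commit message repeats the whole upstream description; a subject that says the patch header was reflowed would describe what actually changes here.

Review bot: the new changelog line `- hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands` does not name CVE-2021-3930, although Patch0346 is the fix for it and the commit that imported the patch says `Fixes: CVE-2021-3930`; add the CVE id to the changelog entry, as the fdc entry `- hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196` below it does, so that `rpm -q --changelog qemu` shows which CVEs a release fixes.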
From: Chen Qun Date: Wed, 16 Jun 2021 14:06:00 +0300 Subject: [PATCH 03/16] hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) Ensure mremap boundaries not trusting the guest kernel to pass the correct buffer length. Fixes: CVE-2021-3582 Reported-by: VictorV (Kunlun Lab) Tested-by: VictorV (Kunlun Lab) Signed-off-by: Marcel Apfelbaum Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com> Reviewed-by: Yuval Shaia Tested-by: Yuval Shaia Reviewed-by: Prasad J Pandit Signed-off-by: Marcel Apfelbaum cherry-pick from: 284f191b4abad213aed04cb0458e1600fd18d7c4 Signed-off-by: yezengruan --- hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch b/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch index d047ee3..52746db 100644 --- a/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch +++ b/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch @@ -1,8 +1,8 @@ -From be2098de6cafdce46c104d6ff277b7b780631e40 Mon Sep 17 00:00:00 2001 +From b5d95cb90dba247a0a9ca3bc77b23d78632085ee Mon Sep 17 00:00:00 2001 From: Marcel Apfelbaum Date: Wed, 16 Jun 2021 14:06:00 +0300 -Subject: [PATCH 1/3] hw/rdma: Fix possible mremap overflow in the pvrdma - device (CVE-2021-3582) +Subject: [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device + (CVE-2021-3582) Ensure mremap boundaries not trusting the guest kernel to pass the correct buffer length. -- Gitee From bf6a78a68656de8d52d1d83aebcf3fe0f9390b47 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Wed, 30 Jun 2021 14:46:34 +0300 Subject: [PATCH 04/16] pvrdma: Ensure correct input on ring init (CVE-2021-3607) Check the guest passed a non zero page count for pvrdma device ring buffers. Fixes: CVE-2021-3607 Reported-by: VictorV (Kunlun Lab) Reviewed-by: VictorV (Kunlun Lab) 
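Review bot: the first line of the stored patch is rewritten from `From be2098de6cafdce46c104d6ff277b7b780631e40` to `From b5d95cb90dba247a0a9ca3bc77b23d78632085ee`, but neither id is the upstream commit this change says it was taken from (`cherry-pick from: 284f191b4abad213aed04cb0458e1600fd18d7c4`). That hash is what a later reader uses to locate the original CVE-2021-3582 fix, so put the upstream id there, or say in the commit message where the new id comes from; as it stands the diff changes the id without explaining it.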
Signed-off-by: Marcel Apfelbaum Message-Id: <20210630114634.2168872-1-marcel@redhat.com> Reviewed-by: Yuval Shaia Tested-by: Yuval Shaia Signed-off-by: Marcel Apfelbaum cherry-pick from: 32e5703cfea07c91e6e84bcb0313f633bb146534 Signed-off-by: yezengruan --- pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch b/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch index 2be3129..d7a451a 100644 --- a/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch +++ b/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch @@ -1,7 +1,7 @@ -From 0383586640e2c9712376c795d4d2ea27aadeed78 Mon Sep 17 00:00:00 2001 +From f393d5e5c1d54ff82eac24076f5a2f6f9412871f Mon Sep 17 00:00:00 2001 From: Marcel Apfelbaum Date: Wed, 30 Jun 2021 14:46:34 +0300 -Subject: [PATCH 2/3] pvrdma: Ensure correct input on ring init (CVE-2021-3607) +Subject: [PATCH] pvrdma: Ensure correct input on ring init (CVE-2021-3607) Check the guest passed a non zero page count for pvrdma device ring buffers. -- Gitee From 5f5b73cb28928f2e869e8fe87fd4fc71a49c6e25 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Wed, 30 Jun 2021 14:52:46 +0300 Subject: [PATCH 05/16] pvrdma: Fix the ring init error flow (CVE-2021-3608) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Do not unmap uninitialized dma addresses. Fixes: CVE-2021-3608 Reviewed-by: VictorV (Kunlun Lab) Tested-by: VictorV (Kunlun Lab) Signed-off-by: Marcel Apfelbaum Message-Id: <20210630115246.2178219-1-marcel@redhat.com> Tested-by: Yuval Shaia Reviewed-by: Yuval Shaia Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Marcel Apfelbaum cherry-pick from: 66ae37d8cc313f89272e711174a846a229bcdbd3 Signed-off-by: yezengruan --- pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
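Review bot: the stored patch's header hash is changed from `From 0383586640e2c9712376c795d4d2ea27aadeed78` to `From f393d5e5c1d54ff82eac24076f5a2f6f9412871f`, yet the commit message gives `cherry-pick from: 32e5703cfea07c91e6e84bcb0313f633bb146534` as the upstream CVE-2021-3607 fix; neither id matches it. Use the upstream id on that line, or document the origin of the new one, so the provenance of the ring-init check can be verified.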
diff --git a/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch b/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch index ed54c1b..0ea6a49 100644 --- a/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch +++ b/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch @@ -1,7 +1,7 @@ -From ad63c75ceea0b9d6fe1dbb008cad41527a29f923 Mon Sep 17 00:00:00 2001 +From c07792a3e5decb249a952c5a4658f7cd23699eb2 Mon Sep 17 00:00:00 2001 From: Marcel Apfelbaum Date: Wed, 30 Jun 2021 14:52:46 +0300 -Subject: [PATCH 3/3] pvrdma: Fix the ring init error flow (CVE-2021-3608) +Subject: [PATCH] pvrdma: Fix the ring init error flow (CVE-2021-3608) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit -- Gitee From 5a10b6142c6cd5e3eaff7d27bf9117665c156c8a Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 16 May 2022 21:27:33 +0800 Subject: [PATCH 06/16] spec: Update patch and changelog with !276 Fixes: CVE-2021-3582/CVE-2021-3607/CVE-2021-3608 !276 hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) pvrdma: Ensure correct input on ring init (CVE-2021-3607) pvrdma: Fix the ring init error flow (CVE-2021-3608) Signed-off-by: Chen Qun --- qemu.spec | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/qemu.spec b/qemu.spec index 3413ace..821d5c9 100644 --- a/qemu.spec +++ b/qemu.spec @@ -321,6 +321,9 @@ Patch0343: tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch Patch0344: display-qxl-render-fix-race-condition-in-qxl_cursor-.patch Patch0345: ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch Patch0346: hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch +Patch0347: hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch +Patch0348: pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch +Patch0349: pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch BuildRequires: flex BuildRequires: bison 
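Review bot: same provenance gap in this patch file: the header is rewritten from `From ad63c75ceea0b9d6fe1dbb008cad41527a29f923` to `From c07792a3e5decb249a952c5a4658f7cd23699eb2` while the commit message names `cherry-pick from: 66ae37d8cc313f89272e711174a846a229bcdbd3` as the upstream CVE-2021-3608 fix; neither hash is the upstream one. Put the upstream id on the `From` line or explain the rewrite, otherwise the three pvrdma patch files (Patch0347 to Patch0349) cannot be traced back to the commits they claim to carry.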
@@ -718,6 +721,11 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Mon May 16 2022 Chen Qun +- hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) +- pvrdma: Ensure correct input on ring init (CVE-2021-3607) +- pvrdma: Fix the ring init error flow (CVE-2021-3608) + * Mon May 16 2022 Chen Qun - hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands -- Gitee From 4fe4a0aa71af14969bd563f53aa83e7da016ecd2 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 28 Feb 2022 10:50:58 +0100 Subject: [PATCH 07/16] vhost-vsock: detach the virqueue element in case of error In vhost_vsock_send_transport_reset(), if an element popped from the virtqueue is invalid, we should call virtqueue_detach_element() to detach it from the virtqueue before freeing its memory. Fixes: fc0b9b0e1c ("vhost-vsock: add virtio sockets device") Fixes: CVE-2022-26354 Cc: qemu-stable@nongnu.org Reported-by: VictorV Signed-off-by: Stefano Garzarella Message-Id: <20220228095058.27899-1-sgarzare@redhat.com> Reviewed-by: Stefan Hajnoczi Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin --- vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch b/vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch index ec6f073..e027cf1 100644 --- a/vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch +++ b/vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch @@ -1,7 +1,7 @@ From 24181e4b219d3206ff105ca727f8d566c8ae8db3 Mon Sep 17 00:00:00 2001 From: Stefano Garzarella Date: Mon, 28 Feb 2022 10:50:58 +0100 -Subject: [PATCH 1/2] vhost-vsock: detach the virqueue element in case of error +Subject: [PATCH] vhost-vsock: detach the virqueue element in case of error In vhost_vsock_send_transport_reset(), if an element popped from the virtqueue is invalid, we should call virtqueue_detach_element() to -- Gitee 
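Review bot: unlike the scsi-disk and pvrdma imports in this series, this vhost-vsock commit has no `cherry-pick from:` line and no Signed-off-by from the person doing the backport; the trailers stop at the upstream maintainer (`Signed-off-by: Michael S. Tsirkin`). Add the upstream commit id of the CVE-2022-26354 fix and the backporter's sign-off so the stored patch can be checked against upstream; the diff itself only reflows the Subject from `[PATCH 1/2]` to `[PATCH]`.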
From 7f5641e6b54a39ea3ecc1a54eb1608baca6c8c31 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Tue, 8 Mar 2022 10:42:51 +0800 Subject: [PATCH 08/16] virtio-net: fix map leaking on error during receive Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg") tries to fix the use after free of the sg by caching the virtqueue elements in an array and unmap them at once after receiving the packets, But it forgot to unmap the cached elements on error which will lead to leaking of mapping and other unexpected results. Fixing this by detaching the cached elements on error. This addresses CVE-2022-26353. Reported-by: Victor Tom Cc: qemu-stable@nongnu.org Fixes: CVE-2022-26353 Fixes: bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg") Reviewed-by: Michael S. Tsirkin Signed-off-by: Jason Wang --- virtio-net-fix-map-leaking-on-error-during-receive.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/virtio-net-fix-map-leaking-on-error-during-receive.patch b/virtio-net-fix-map-leaking-on-error-during-receive.patch index b580389..ec5806f 100644 --- a/virtio-net-fix-map-leaking-on-error-during-receive.patch +++ b/virtio-net-fix-map-leaking-on-error-during-receive.patch @@ -1,7 +1,7 @@ From c1e83833ebd3d02faa9e2cc666a06c1754038d14 Mon Sep 17 00:00:00 2001 From: Jason Wang Date: Tue, 8 Mar 2022 10:42:51 +0800 -Subject: [PATCH 2/2] virtio-net: fix map leaking on error during receive +Subject: [PATCH] virtio-net: fix map leaking on error during receive Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg") tries to fix the use after free of the sg by caching the virtqueue -- Gitee From 81068eef62362c45e206644d46d33ac03e3368c0 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 16 May 2022 21:27:44 +0800 Subject: [PATCH 09/16] spec: Update patch and changelog with !279 fix CVE-2022-26354 and CVE-2022-26353 !279 vhost-vsock: detach the virqueue element in case of error virtio-net: fix map leaking on error during receive 
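Review bot: this virtio-net commit also lacks a `cherry-pick from:` line and a backporter Signed-off-by (the trailers end at `Signed-off-by: Jason Wang`), and its diff only changes the Subject from `[PATCH 2/2]` to `[PATCH]`. Record the upstream commit id for the CVE-2022-26353 fix and the sign-off of whoever imported it, as the pvrdma commits in this series do, so the change is auditable.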
Signed-off-by: Chen Qun --- qemu.spec | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/qemu.spec b/qemu.spec index 821d5c9..46da489 100644 --- a/qemu.spec +++ b/qemu.spec @@ -324,6 +324,8 @@ Patch0346: hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch Patch0347: hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch Patch0348: pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch Patch0349: pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch +Patch0350: vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch +Patch0351: virtio-net-fix-map-leaking-on-error-during-receive.patch BuildRequires: flex BuildRequires: bison @@ -721,6 +723,10 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Mon May 16 2022 Chen Qun +- vhost-vsock: detach the virqueue element in case of error +- virtio-net: fix map leaking on error during receive + * Mon May 16 2022 Chen Qun - hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) - pvrdma: Ensure correct input on ring init (CVE-2021-3607) -- Gitee From aa34623f77b86951037d2f590f7b5b3a405f74cf Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Wed, 24 Nov 2021 17:15:34 +0100 Subject: [PATCH 10/16] hw/block/fdc: Extract blk_create_empty_drive() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We are going to re-use this code in the next commit, so extract it as a new blk_create_empty_drive() function. Inspired-by: Hanna Reitz Signed-off-by: Philippe Mathieu-Daudé Message-id: 20211124161536.631563-2-philmd@redhat.com Signed-off-by: John Snow --- hw-block-fdc-Extract-blk_create_empty_drive.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw-block-fdc-Extract-blk_create_empty_drive.patch b/hw-block-fdc-Extract-blk_create_empty_drive.patch index 23b3ab3..c3e00fb 100644 --- a/hw-block-fdc-Extract-blk_create_empty_drive.patch +++ b/hw-block-fdc-Extract-blk_create_empty_drive.patch 
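Review bot: the two new changelog lines, `- vhost-vsock: detach the virqueue element in case of error` and `- virtio-net: fix map leaking on error during receive`, omit the CVE ids even though the commit subject names CVE-2022-26354 and CVE-2022-26353 and the pvrdma stanza right below carries its ids inline; add them to the changelog lines so the package changelog can be searched for these CVEs.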
@@ -1,7 +1,7 @@ -From b05a7125bab12a5610db47c9fd4f85d93a552a4e Mon Sep 17 00:00:00 2001 +From 6a1ed848361ae21f40bd584dc670a0f581b8919f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Wed, 24 Nov 2021 17:15:34 +0100 -Subject: [PATCH 1/5] hw/block/fdc: Extract blk_create_empty_drive() +Subject: [PATCH] hw/block/fdc: Extract blk_create_empty_drive() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit -- Gitee From 504f691e5720fcb1406c527a93e2d89e93e5b94d Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Wed, 24 Nov 2021 17:15:35 +0100 Subject: [PATCH 11/16] hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guest might select another drive on the bus by setting the DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR). The current controller model doesn't expect a BlockBackend to be NULL. A simple way to fix CVE-2021-20196 is to create an empty BlockBackend when it is missing. All further accesses will be safely handled, and the controller state machines keep behaving correctly. Cc: qemu-stable@nongnu.org Fixes: CVE-2021-20196 Reported-by: Gaoning Pan (Ant Security Light-Year Lab) Reviewed-by: Darren Kenny Reviewed-by: Hanna Reitz Signed-off-by: Philippe Mathieu-Daudé Message-id: 20211124161536.631563-3-philmd@redhat.com BugLink: https://bugs.launchpad.net/qemu/+bug/1912780 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/338 Reviewed-by: Darren Kenny Reviewed-by: Hanna Reitz Signed-off-by: Philippe Mathieu-Daudé Signed-off-by: John Snow --- hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch b/hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch index 2c9c180..2723170 100644 --- a/hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch 
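Review bot: the header hash of the stored patch is rewritten from `From b05a7125bab12a5610db47c9fd4f85d93a552a4e` to `From 6a1ed848361ae21f40bd584dc670a0f581b8919f` and there is no `cherry-pick from:` line in this commit to say where the new id comes from; add the upstream id of the blk_create_empty_drive() extraction so the rewrite is verifiable. Since the commit message says the next commit re-uses this helper, this patch file must also stay ordered before the CVE-2021-20196 kludge in the spec.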
+++ b/hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch @@ -1,7 +1,7 @@ -From c303ae575659493d747225f61430460dec809362 Mon Sep 17 00:00:00 2001 +From 2e518af44f7c5f49822a06d38b51d2d0034c15e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Wed, 24 Nov 2021 17:15:35 +0100 -Subject: [PATCH 2/5] hw/block/fdc: Kludge missing floppy drive to fix +Subject: [PATCH] hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 -- Gitee From 835ec1135be10fcea832c888807f9963bfeefcc0 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Wed, 24 Nov 2021 17:15:36 +0100 Subject: [PATCH 12/16] tests/fdc-test: Add a regression test for CVE-2021-20196 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Without the previous commit, when running 'make check-qtest-i386' with QEMU configured with '--enable-sanitizers' we get: AddressSanitizer:DEADLYSIGNAL ================================================================= ==287878==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000344 ==287878==The signal is caused by a WRITE memory access. ==287878==Hint: address points to the zero page. #0 0x564b2e5bac27 in blk_inc_in_flight block/block-backend.c:1346:5 #1 0x564b2e5bb228 in blk_pwritev_part block/block-backend.c:1317:5 #2 0x564b2e5bcd57 in blk_pwrite block/block-backend.c:1498:11 #3 0x564b2ca1cdd3 in fdctrl_write_data hw/block/fdc.c:2221:17 #4 0x564b2ca1b2f7 in fdctrl_write hw/block/fdc.c:829:9 #5 0x564b2dc49503 in portio_write softmmu/ioport.c:201:9 Add the reproducer for CVE-2021-20196. Suggested-by: Alexander Bulekov Reviewed-by: Darren Kenny Signed-off-by: Philippe Mathieu-Daudé Message-id: 20211124161536.631563-4-philmd@redhat.com Signed-off-by: John Snow --- tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
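Review bot: the header hash changes from `From c303ae575659493d747225f61430460dec809362` to `From 2e518af44f7c5f49822a06d38b51d2d0034c15e8` without a `cherry-pick from:` line naming the upstream CVE-2021-20196 commit, so the new id cannot be checked; add the upstream id. The trailer block of this commit also repeats `Reviewed-by: Darren Kenny`, `Reviewed-by: Hanna Reitz` and the Philippe Mathieu-Daudé sign-off twice; drop the duplicate lines when importing.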
diff --git a/tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch b/tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch index 56aac5a..01bd3eb 100644 --- a/tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch +++ b/tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch @@ -1,7 +1,7 @@ -From 2d3c9124817d4f01a1d241359a784f29006f9cc1 Mon Sep 17 00:00:00 2001 +From d7339498ecc6b88211209ca69dbcd26a78890178 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Wed, 24 Nov 2021 17:15:36 +0100 -Subject: [PATCH 3/5] tests/fdc-test: Add a regression test for CVE-2021-20196 +Subject: [PATCH] tests/fdc-test: Add a regression test for CVE-2021-20196 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit -- Gitee From d40fb53bb1c8199628056ac2064239d8ff062d19 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Thu, 7 Apr 2022 10:11:06 +0200 Subject: [PATCH 13/16] display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Avoid fetching 'width' and 'height' a second time to prevent possible race condition. Refer to security advisory https://starlabs.sg/advisories/22-4207/ for more information. Fixes: CVE-2021-4207 Signed-off-by: Mauro Matteo Cascella Reviewed-by: Marc-André Lureau Message-Id: <20220407081106.343235-1-mcascell@redhat.com> Signed-off-by: Gerd Hoffmann --- display-qxl-render-fix-race-condition-in-qxl_cursor-.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/display-qxl-render-fix-race-condition-in-qxl_cursor-.patch b/display-qxl-render-fix-race-condition-in-qxl_cursor-.patch index 7fbd127..af02647 100644 --- a/display-qxl-render-fix-race-condition-in-qxl_cursor-.patch +++ b/display-qxl-render-fix-race-condition-in-qxl_cursor-.patch 
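Review bot: the header hash is rewritten from `From 2d3c9124817d4f01a1d241359a784f29006f9cc1` to `From d7339498ecc6b88211209ca69dbcd26a78890178` with no `cherry-pick from:` line, so the upstream id of the regression test is not recorded; add it. The commit message shows that without the kludge patch this qtest SEGVs in blk_inc_in_flight() on a NULL BlockBackend, so the spec must keep the test patch ordered after the CVE-2021-20196 fix, otherwise any build that runs check-qtest will crash rather than fail cleanly.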
@@ -1,7 +1,7 @@ -From 5b4d6c4605900ecc22135af5a904270931220a4f Mon Sep 17 00:00:00 2001 +From 5442c1af059f303cf3b7d5f35997dc9378677f78 Mon Sep 17 00:00:00 2001 From: Mauro Matteo Cascella Date: Thu, 7 Apr 2022 10:11:06 +0200 -Subject: [PATCH 4/5] display/qxl-render: fix race condition in qxl_cursor +Subject: [PATCH] display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 -- Gitee From 4e1dcb6f1074d7d9a6dfeedebae89b74765d512b Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Thu, 7 Apr 2022 10:17:12 +0200 Subject: [PATCH 14/16] ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Prevent potential integer overflow by limiting 'width' and 'height' to 512x512. Also change 'datasize' type to size_t. Refer to security advisory https://starlabs.sg/advisories/22-4206/ for more information. Fixes: CVE-2021-4206 Signed-off-by: Mauro Matteo Cascella Reviewed-by: Marc-André Lureau Message-Id: <20220407081712.345609-1-mcascell@redhat.com> Signed-off-by: Gerd Hoffmann --- ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch b/ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch index 48e1bf5..70b60fb 100644 --- a/ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch +++ b/ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch @@ -1,7 +1,7 @@ -From 88e41fe7ae7e3344f075ae9b226c29c976adf0f4 Mon Sep 17 00:00:00 2001 +From 6cb2defe67fa628c6274ed59cc737bfdd75948e8 Mon Sep 17 00:00:00 2001 From: Mauro Matteo Cascella Date: Thu, 7 Apr 2022 10:17:12 +0200 -Subject: [PATCH 5/5] ui/cursor: fix integer overflow in cursor_alloc +Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 -- Gitee 
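Review bot: both display patch files get new header hashes (`From 5b4d6c4605900ecc22135af5a904270931220a4f` becomes `From 5442c1af059f303cf3b7d5f35997dc9378677f78` for the qxl_cursor race, and `From 88e41fe7ae7e3344f075ae9b226c29c976adf0f4` becomes `From 6cb2defe67fa628c6274ed59cc737bfdd75948e8` for cursor_alloc) while neither commit carries a `cherry-pick from:` line; add the upstream ids for the CVE-2021-4207 and CVE-2021-4206 fixes so the rewritten headers can be checked. The rest of each diff is only the `[PATCH n/5]` to `[PATCH]` Subject reflow.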
From a830559db47eec0e976863a311df5240388ab212 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 16 May 2022 21:27:50 +0800 Subject: [PATCH 15/16] spec: Update patch and changelog with !288 fix CVE-2021-20196/CVE-2021-4207/CVE-2021-4206 !288 hw/block/fdc: Extract blk_create_empty_drive() hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196 tests/fdc-test: Add a regression test for CVE-2021-20196 display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207) ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206) Signed-off-by: Chen Qun --- qemu.spec | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/qemu.spec b/qemu.spec index 46da489..391c19d 100644 --- a/qemu.spec +++ b/qemu.spec @@ -326,6 +326,11 @@ Patch0348: pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch Patch0349: pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch Patch0350: vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch Patch0351: virtio-net-fix-map-leaking-on-error-during-receive.patch +Patch0352: hw-block-fdc-Extract-blk_create_empty_drive.patch +Patch0353: hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch +Patch0354: tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch +Patch0355: display-qxl-render-fix-race-condition-in-qxl_cursor-.patch +Patch0356: ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch BuildRequires: flex BuildRequires: bison @@ -723,6 +728,13 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Mon May 16 2022 Chen Qun +- hw/block/fdc: Extract blk_create_empty_drive() +- hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196 +- tests/fdc-test: Add a regression test for CVE-2021-20196 +- display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207) +- ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206) + * Mon May 16 2022 Chen Qun - vhost-vsock: detach the virqueue element in case of error - virtio-net: fix map leaking on error during receive -- Gitee 
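Review bot: Patch0352 to Patch0356 add patch file names that qemu.spec already carries: the context of the first qemu.spec hunk in this series shows `Patch0342: hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch`, `Patch0343: tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch` and `Patch0344: display-qxl-render-fix-race-condition-in-qxl_cursor-.patch` (with Patch0345 naming the ui-cursor file), and the `Tue May 10 2022 yezengruan` changelog stanza already lists the two fdc changes. Applying the same patch file a second time fails because its hunks are already present in the tree, so either drop this hunk or remove the older Patch034x lines, and do not repeat in the new changelog stanza entries that the May 10 stanza already records.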
From 4de723cd3921a06468730a365a7810339361dc3c Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 16 May 2022 21:28:12 +0800 Subject: [PATCH 16/16] spec: Update release version with !269 !276 !279 !288 increase release version by one Signed-off-by: Chen Qun --- qemu.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qemu.spec b/qemu.spec index 391c19d..8ccad70 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 63 +Release: 64 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 -- Gitee
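Review bot: the Release bump from 63 to 64 lands in its own commit, so each of the four spec commits before it in this series adds a `Mon May 16 2022 Chen Qun` changelog stanza for a release that is not yet bumped, and none of the stanzas says which release (2:4.1.0-64) it belongs to. Squash the bump into the changelog commit, or fold the four stanzas into one entry for 2:4.1.0-64, so every spec commit is buildable on its own and the changelog maps onto a single release.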