From 63c3424617b8ac2d7f5dadf42720dbcc8c985a61 Mon Sep 17 00:00:00 2001 
From: Sun Dongxu Date: Sat, 28 May 2022 15:36:32 +0800 Subject: [PATCH] fix CVE-2021-20257/CVE-2020-13253 and fix gcc 10.3.1 compile error openeuler !302!305 e1000-fail-early-for-evil-descriptor.patch e1000-fix-tx-re-entrancy-problem.patch hw-sd-sdcard-Restrict-Class-6-commands-to-SCSD-cards.patch hw-sd-sdcard-Simplify-realize-a-bit.patch hw-sd-sdcard-Do-not-allow-invalid-SD-card-sizes.patch hw-sd-sdcard-Update-coding-style-to-make-checkpatch..patch hw-sd-sdcard-Do-not-switch-to-ReceivingData-if-addre.patch scsi-qemu-pr-helper-Fix-out-of-bounds-access-to-trnp.patch curses-Fixes-curses-compiling-errors.patch net-dump.c-Suppress-spurious-compiler-warning.patch tests-Replace-deprecated-ASN1-code.patch --- curses-Fixes-curses-compiling-errors.patch | 60 ++++++++ e1000-fail-early-for-evil-descriptor.patch | 50 +++++++ e1000-fix-tx-re-entrancy-problem.patch | 58 ++++++++ ...d-Do-not-allow-invalid-SD-card-sizes.patch | 105 ++++++++++++++ ...not-switch-to-ReceivingData-if-addre.patch | 131 ++++++++++++++++++ ...trict-Class-6-commands-to-SCSD-cards.patch | 48 +++++++ hw-sd-sdcard-Simplify-realize-a-bit.patch | 43 ++++++ ...ate-coding-style-to-make-checkpatch..patch | 87 ++++++++++++ ...c-Suppress-spurious-compiler-warning.patch | 51 +++++++ qemu.spec | 26 +++- ...per-Fix-out-of-bounds-access-to-trnp.patch | 95 +++++++++++++ tests-Replace-deprecated-ASN1-code.patch | 98 +++++++++++++ 12 files changed, 851 insertions(+), 1 deletion(-) create mode 100644 curses-Fixes-curses-compiling-errors.patch create mode 100644 e1000-fail-early-for-evil-descriptor.patch create mode 100644 e1000-fix-tx-re-entrancy-problem.patch create mode 100644 hw-sd-sdcard-Do-not-allow-invalid-SD-card-sizes.patch create mode 100644 hw-sd-sdcard-Do-not-switch-to-ReceivingData-if-addre.patch create mode 100644 hw-sd-sdcard-Restrict-Class-6-commands-to-SCSD-cards.patch create mode 100644 hw-sd-sdcard-Simplify-realize-a-bit.patch create mode 100644 hw-sd-sdcard-Update-coding-style-to-make-checkpatch..patch 
create mode 100644 net-dump.c-Suppress-spurious-compiler-warning.patch
create mode 100644 scsi-qemu-pr-helper-Fix-out-of-bounds-access-to-trnp.patch
create mode 100644 tests-Replace-deprecated-ASN1-code.patch
diff --git a/curses-Fixes-curses-compiling-errors.patch b/curses-Fixes-curses-compiling-errors.patch
new file mode 100644
index 0000000..8e53980
--- /dev/null
+++ b/curses-Fixes-curses-compiling-errors.patch
@@ -0,0 +1,60 @@ +From a90cb5bc6accc02d155d74f08e630a26f252f435 Mon Sep 17 00:00:00 2001 +From: Yonggang Luo +Date: Tue, 13 Oct 2020 07:43:46 +0800 +Subject: [PATCH 2/4] curses: Fixes curses compiling errors. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This is the compiling error: +../ui/curses.c: In function 'curses_refresh': +../ui/curses.c:256:5: error: 'next_maybe_keycode' may be used uninitialized in this function [-Werror=maybe-uninitialized] + 256 | curses2foo(_curses2keycode, _curseskey2keycode, chr, maybe_keycode) + | ^~~~~~~~~~ +../ui/curses.c:302:32: note: 'next_maybe_keycode' was declared here + 302 | enum maybe_keycode next_maybe_keycode; + | ^~~~~~~~~~~~~~~~~~ +../ui/curses.c:256:5: error: 'maybe_keycode' may be used uninitialized in this function [-Werror=maybe-uninitialized] + 256 | curses2foo(_curses2keycode, _curseskey2keycode, chr, maybe_keycode) + | ^~~~~~~~~~ +../ui/curses.c:265:24: note: 'maybe_keycode' was declared here + 265 | enum maybe_keycode maybe_keycode; + | ^~~~~~~~~~~~~ +cc1.exe: all warnings being treated as errors + +gcc version 10.2.0 (Rev1, Built by MSYS2 project) + +Signed-off-by: Yonggang Luo +Reviewed-by: Gerd Hoffmann +Reviewed-by: Daniel P. 
Berrangé +Message-id: 20201012234348.1427-4-luoyonggang@gmail.com +Signed-off-by: Gerd Hoffmann +--- + ui/curses.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ui/curses.c b/ui/curses.c +index a6e260eb96..18fcfe82d8 100644 +--- a/ui/curses.c ++++ b/ui/curses.c +@@ -259,7 +259,7 @@ static int curses2foo(const int _curses2foo[], const int _curseskey2foo[], + static void curses_refresh(DisplayChangeListener *dcl) + { + int chr, keysym, keycode, keycode_alt; +- enum maybe_keycode maybe_keycode; ++ enum maybe_keycode maybe_keycode = CURSES_KEYCODE; + + curses_winch_check(); + +@@ -296,7 +296,7 @@ static void curses_refresh(DisplayChangeListener *dcl) + + /* alt or esc key */ + if (keycode == 1) { +- enum maybe_keycode next_maybe_keycode; ++ enum maybe_keycode next_maybe_keycode = CURSES_KEYCODE; + int nextchr = console_getch(&next_maybe_keycode); + + if (nextchr != -1) { +-- +2.17.1 + diff --git a/e1000-fail-early-for-evil-descriptor.patch b/e1000-fail-early-for-evil-descriptor.patch new file mode 100644 index 0000000..60eb78a --- /dev/null +++ b/e1000-fail-early-for-evil-descriptor.patch 
@@ -0,0 +1,50 @@ +From d9f04ba174842bfdbcdcec2c90a2a726b914b9fd Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Wed, 24 Feb 2021 13:45:28 +0800 +Subject: [PATCH 1/7] e1000: fail early for evil descriptor + +During procss_tx_desc(), driver can try to chain data descriptor with +legacy descriptor, when will lead underflow for the following +calculation in process_tx_desc() for bytes: + + if (tp->size + bytes > msh) + bytes = msh - tp->size; + +This will lead a infinite loop. So check and fail early if tp->size if +greater or equal to msh. + +Reported-by: Alexander Bulekov +Reported-by: Cheolwoo Myung +Reported-by: Ruhr-University Bochum +Cc: Prasad J Pandit +Cc: qemu-stable@nongnu.org +Signed-off-by: Jason Wang +--- + hw/net/e1000.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/hw/net/e1000.c b/hw/net/e1000.c +index a99aa3ccc3..f0219d363c 100644 +--- a/hw/net/e1000.c ++++ b/hw/net/e1000.c +@@ -670,6 +670,9 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) + msh = tp->tso_props.hdr_len + tp->tso_props.mss; + do { + bytes = split_size; ++ if (tp->size >= msh) { ++ goto eop; ++ } + if (tp->size + bytes > msh) + bytes = msh - tp->size; + +@@ -695,6 +698,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) + tp->size += split_size; + } + ++eop: + if (!(txd_lower & E1000_TXD_CMD_EOP)) + return; + if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) { +-- +2.17.1 + diff --git a/e1000-fix-tx-re-entrancy-problem.patch b/e1000-fix-tx-re-entrancy-problem.patch new file mode 100644 index 0000000..ca66d02 --- /dev/null +++ b/e1000-fix-tx-re-entrancy-problem.patch 
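Review bot: The new `if (tp->size >= msh) { goto eop; }` inside the TSO `do { } while` loop carries no explanation of the invariant it protects, so the next reader sees an unexplained jump out of the loop. Suggest a comment on the added lines: `/* A data descriptor chained after a legacy one can leave tp->size >= msh; bail out before bytes = msh - tp->size underflows. */`. The guard only covers the TSO branch shown here; whether the non-TSO path needs an equivalent bound is outside the hunk. process_tx_desc begins and ends outside the hunk.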
@@ -0,0 +1,58 @@ +From c28382f7ef531e10a45d240cdb29145f8638232e Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Thu, 21 Oct 2021 12:10:47 -0400 +Subject: [PATCH 2/7] e1000: fix tx re-entrancy problem + +The fact that the MMIO handler is not re-entrant causes an infinite +loop under certain conditions: + +Guest write to TDT -> Loopback -> RX (DMA to TDT) -> TX + +We now eliminate the effect of this problem locally in e1000, by adding +a boolean in struct E1000State indicating when the TX side is busy. This +will cause any entering new call to return early instead of interfering +with the ongoing work, and eliminates any risk of looping. + +This is intended to address CVE-2021-20257. + +Signed-off-by: Jon Maloy +Signed-off-by: Jason Wang +--- + hw/net/e1000.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/hw/net/e1000.c b/hw/net/e1000.c +index f0219d363c..a41b5b116d 100644 +--- a/hw/net/e1000.c ++++ b/hw/net/e1000.c +@@ -104,6 +104,7 @@ typedef struct E1000State_st { + e1000x_txd_props props; + e1000x_txd_props tso_props; + uint16_t tso_frames; ++ bool busy; + } tx; + + struct { +@@ -748,6 +749,11 @@ start_xmit(E1000State *s) + return; + } + ++ if (s->tx.busy) { ++ return; ++ } ++ s->tx.busy = true; ++ + while (s->mac_reg[TDH] != s->mac_reg[TDT]) { + base = tx_desc_base(s) + + sizeof(struct e1000_tx_desc) * s->mac_reg[TDH]; +@@ -774,6 +780,7 @@ start_xmit(E1000State *s) + break; + } + } ++ s->tx.busy = false; + set_ics(s, 0, cause); + } + +-- +2.17.1 + diff --git a/hw-sd-sdcard-Do-not-allow-invalid-SD-card-sizes.patch b/hw-sd-sdcard-Do-not-allow-invalid-SD-card-sizes.patch new file mode 100644 index 0000000..07e194f --- /dev/null +++ b/hw-sd-sdcard-Do-not-allow-invalid-SD-card-sizes.patch 
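Review bot: The early `return` on `s->tx.busy` silently drops the nested call, and nothing at the return site says why that is safe; since the outer `while (s->mac_reg[TDH] != s->mac_reg[TDT])` re-reads TDT on every iteration, the nested TDT write is still honoured by the outer loop, and that deserves a comment: `/* Re-entered (e.g. loopback RX DMA writing TDT); the outer loop re-reads TDT, so drop this call. */`. The new `bool busy` field also has no comment marking it as transient run-time state; if it is deliberately not covered by vmstate or the reset path (neither is visible here), say so next to the field so nobody "fixes" it later. If any path inside the while loop leaves via return rather than break, `busy` would stay set and TX would be wedged until the flag is cleared; only `break` is visible in the hunk, but the loop body is cut.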
@@ -0,0 +1,105 @@ +From ee7165e6dd077ebbe25f79b45fe0094a6c6779ea Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Tue, 7 Jul 2020 13:02:34 +0200 +Subject: [PATCH 5/7] hw/sd/sdcard: Do not allow invalid SD card sizes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +QEMU allows to create SD card with unrealistic sizes. This could +work, but some guests (at least Linux) consider sizes that are not +a power of 2 as a firmware bug and fix the card size to the next +power of 2. + +While the possibility to use small SD card images has been seen as +a feature, it became a bug with CVE-2020-13253, where the guest is +able to do OOB read/write accesses past the image size end. + +In a pair of commits we will fix CVE-2020-13253 as: + + Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR + occurred and no data transfer is performed. + + Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR + occurred and no data transfer is performed. + + WP_VIOLATION errors are not modified: the error bit is set, we + stay in receive-data state, wait for a stop command. All further + data transfer is ignored. See the check on sd->card_status at the + beginning of sd_read_data() and sd_write_data(). + +While this is the correct behavior, in case QEMU create smaller SD +cards, guests still try to access past the image size end, and QEMU +considers this is an invalid address, thus "all further data transfer +is ignored". This is wrong and make the guest looping until +eventually timeouts. + +Fix by not allowing invalid SD card sizes (suggesting the expected +size as a hint): + + $ qemu-system-arm -M orangepi-pc -drive file=rootfs.ext2,if=sd,format=raw + qemu-system-arm: Invalid SD card size: 60 MiB + SD card size has to be a power of 2, e.g. 64 MiB. + You can resize disk images with 'qemu-img resize ' + (note that this will lose data if you make the image smaller than it currently is). 
+ +Cc: qemu-stable@nongnu.org +Signed-off-by: Philippe Mathieu-Daudé +Reviewed-by: Alistair Francis +Reviewed-by: Peter Maydell +Message-Id: <20200713183209.26308-8-f4bug@amsat.org> +--- + hw/sd/sd.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +diff --git a/hw/sd/sd.c b/hw/sd/sd.c +index caac17e71b..263072a353 100644 +--- a/hw/sd/sd.c ++++ b/hw/sd/sd.c +@@ -32,6 +32,7 @@ + + #include "qemu/osdep.h" + #include "qemu/units.h" ++#include "qemu-common.h" + #include "hw/qdev.h" + #include "hw/hw.h" + #include "hw/registerfields.h" +@@ -2091,11 +2092,35 @@ static void sd_realize(DeviceState *dev, Error **errp) + } + + if (sd->blk) { ++ int64_t blk_size; ++ + if (blk_is_read_only(sd->blk)) { + error_setg(errp, "Cannot use read-only drive as SD card"); + return; + } + ++ blk_size = blk_getlength(sd->blk); ++ if (blk_size > 0 && !is_power_of_2(blk_size)) { ++ int64_t blk_size_aligned = pow2ceil(blk_size); ++ char *blk_size_str; ++ ++ blk_size_str = size_to_str(blk_size); ++ error_setg(errp, "Invalid SD card size: %s", blk_size_str); ++ g_free(blk_size_str); ++ ++ blk_size_str = size_to_str(blk_size_aligned); ++ error_append_hint(errp, ++ "SD card size has to be a power of 2, e.g. %s.\n" ++ "You can resize disk images with" ++ " 'qemu-img resize '\n" ++ "(note that this will lose data if you make the" ++ " image smaller than it currently is).\n", ++ blk_size_str); ++ g_free(blk_size_str); ++ ++ return; ++ } ++ + ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE, + BLK_PERM_ALL, errp); + if (ret < 0) { +-- +2.17.1 + diff --git a/hw-sd-sdcard-Do-not-switch-to-ReceivingData-if-addre.patch b/hw-sd-sdcard-Do-not-switch-to-ReceivingData-if-addre.patch new file mode 100644 index 0000000..70e73e2 --- /dev/null +++ b/hw-sd-sdcard-Do-not-switch-to-ReceivingData-if-addre.patch 
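Review bot: `blk_getlength()` can return a negative errno value, and the new `blk_size > 0 && !is_power_of_2(blk_size)` test treats that (and a zero length) as acceptable, so realize continues with a backend whose size could not be read. Handle the failure before the power-of-two check: `if (blk_size < 0) { error_setg_errno(errp, -blk_size, "Cannot get SD card size"); return; }`. Whether a zero-length image should also be rejected is a policy question this hunk does not decide; `sd_realize` continues past the hunk.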
@@ -0,0 +1,131 @@ +From 8d920e44e5bd5e719aca03887e9bcc5a02787a2f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 4 Jun 2020 19:22:29 +0200 +Subject: [PATCH 7/7] hw/sd/sdcard: Do not switch to ReceivingData if address + is invalid +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Only move the state machine to ReceivingData if there is no +pending error. This avoids later OOB access while processing +commands queued. + + "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01" + + 4.3.3 Data Read + + Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR + occurred and no data transfer is performed. + + 4.3.4 Data Write + + Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR + occurred and no data transfer is performed. + +WP_VIOLATION errors are not modified: the error bit is set, we +stay in receive-data state, wait for a stop command. All further +data transfer is ignored. See the check on sd->card_status at the +beginning of sd_read_data() and sd_write_data(). 
+ +Fixes: CVE-2020-13253 +Cc: qemu-stable@nongnu.org +Reported-by: Alexander Bulekov +Buglink: https://bugs.launchpad.net/qemu/+bug/1880822 +Reviewed-by: Peter Maydell +Signed-off-by: Philippe Mathieu-Daudé +Reviewed-by: Alistair Francis +Message-Id: <20200630133912.9428-6-f4bug@amsat.org> +--- + hw/sd/sd.c | 38 ++++++++++++++++++++++++-------------- + 1 file changed, 24 insertions(+), 14 deletions(-) + +diff --git a/hw/sd/sd.c b/hw/sd/sd.c +index ed796fb41f..79d5f1a5b9 100644 +--- a/hw/sd/sd.c ++++ b/hw/sd/sd.c +@@ -1156,13 +1156,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) + case 17: /* CMD17: READ_SINGLE_BLOCK */ + switch (sd->state) { + case sd_transfer_state: +- sd->state = sd_sendingdata_state; +- sd->data_start = addr; +- sd->data_offset = 0; + +- if (sd->data_start + sd->blk_len > sd->size) { ++ if (addr + sd->blk_len > sd->size) { + sd->card_status |= ADDRESS_ERROR; ++ return sd_r1; + } ++ ++ sd->state = sd_sendingdata_state; ++ sd->data_start = addr; ++ sd->data_offset = 0; + return sd_r1; + + default: +@@ -1173,13 +1175,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) + case 18: /* CMD18: READ_MULTIPLE_BLOCK */ + switch (sd->state) { + case sd_transfer_state: +- sd->state = sd_sendingdata_state; +- sd->data_start = addr; +- sd->data_offset = 0; + +- if (sd->data_start + sd->blk_len > sd->size) { ++ if (addr + sd->blk_len > sd->size) { + sd->card_status |= ADDRESS_ERROR; ++ return sd_r1; + } ++ ++ sd->state = sd_sendingdata_state; ++ sd->data_start = addr; ++ sd->data_offset = 0; + return sd_r1; + + default: +@@ -1219,14 +1223,17 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) + /* Writing in SPI mode not implemented. 
*/ + if (sd->spi) + break; ++ ++ if (addr + sd->blk_len > sd->size) { ++ sd->card_status |= ADDRESS_ERROR; ++ return sd_r1; ++ } ++ + sd->state = sd_receivingdata_state; + sd->data_start = addr; + sd->data_offset = 0; + sd->blk_written = 0; + +- if (sd->data_start + sd->blk_len > sd->size) { +- sd->card_status |= ADDRESS_ERROR; +- } + if (sd_wp_addr(sd, sd->data_start)) { + sd->card_status |= WP_VIOLATION; + } +@@ -1246,14 +1253,17 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) + /* Writing in SPI mode not implemented. */ + if (sd->spi) + break; ++ ++ if (addr + sd->blk_len > sd->size) { ++ sd->card_status |= ADDRESS_ERROR; ++ return sd_r1; ++ } ++ + sd->state = sd_receivingdata_state; + sd->data_start = addr; + sd->data_offset = 0; + sd->blk_written = 0; + +- if (sd->data_start + sd->blk_len > sd->size) { +- sd->card_status |= ADDRESS_ERROR; +- } + if (sd_wp_addr(sd, sd->data_start)) { + sd->card_status |= WP_VIOLATION; + } +-- +2.17.1 + diff --git a/hw-sd-sdcard-Restrict-Class-6-commands-to-SCSD-cards.patch b/hw-sd-sdcard-Restrict-Class-6-commands-to-SCSD-cards.patch new file mode 100644 index 0000000..b48954a --- /dev/null +++ b/hw-sd-sdcard-Restrict-Class-6-commands-to-SCSD-cards.patch 
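Review bot: The same `if (addr + sd->blk_len > sd->size) { sd->card_status |= ADDRESS_ERROR; return sd_r1; }` block is now repeated four times (CMD17, CMD18, CMD24, CMD25), which is exactly the duplication that let the original checks drift; a small `static bool` helper whose body is `return addr + sd->blk_len <= sd->size;` keeps all four sites identical. The test also relies on `addr + sd->blk_len` not wrapping; `addr` is derived from the command argument (its declaration is outside the hunk), so that is presumably bounded, but a one-line comment saying so would help. sd_normal_command begins and ends outside the hunk.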
@@ -0,0 +1,48 @@ +From 3fb16cbd24233829b3696e06abb12db317d68aac Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 3 Jun 2020 19:59:16 +0200 +Subject: [PATCH 3/7] hw/sd/sdcard: Restrict Class 6 commands to SCSD cards +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Only SCSD cards support Class 6 (Block Oriented Write Protection) +commands. + + "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01" + + 4.3.14 Command Functional Difference in Card Capacity Types + + * Write Protected Group + + SDHC and SDXC do not support write-protected groups. Issuing + CMD28, CMD29 and CMD30 generates the ILLEGAL_COMMAND error. + +Cc: qemu-stable@nongnu.org +Reviewed-by: Peter Maydell +Signed-off-by: Philippe Mathieu-Daudé +Reviewed-by: Alistair Francis +Message-Id: <20200630133912.9428-7-f4bug@amsat.org> +--- + hw/sd/sd.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/hw/sd/sd.c b/hw/sd/sd.c +index 917195a65b..ed3eae930b 100644 +--- a/hw/sd/sd.c ++++ b/hw/sd/sd.c +@@ -905,6 +905,11 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) + sd->multi_blk_cnt = 0; + } + ++ if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) { ++ /* Only Standard Capacity cards support class 6 commands */ ++ return sd_illegal; ++ } ++ + switch (req.cmd) { + /* Basic commands (Class 0 and Class 1) */ + case 0: /* CMD0: GO_IDLE_STATE */ +-- +2.17.1 + diff --git a/hw-sd-sdcard-Simplify-realize-a-bit.patch b/hw-sd-sdcard-Simplify-realize-a-bit.patch new file mode 100644 index 0000000..973a0b4 --- /dev/null +++ b/hw-sd-sdcard-Simplify-realize-a-bit.patch 
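Review bot: `sd_cmd_class[req.cmd]` indexes the table with the raw command number before the `switch`; this is only in-bounds if `req.cmd` has already been masked or validated against the table size earlier in the call chain (not visible in this hunk), and a comment stating that precondition would stop the check from being moved earlier. The added line is also over 80 columns, which the checkpatch.pl run referenced elsewhere in this series flags; split it as `if (sd_cmd_class[req.cmd] == 6 &&` followed by `FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {` on the next line. sd_normal_command begins and ends outside the hunk.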
@@ -0,0 +1,43 @@ +From 3b8e4bca9d5d51219778950456d52226a9caffdf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Tue, 5 Jun 2018 22:28:51 -0300 +Subject: [PATCH 4/7] hw/sd/sdcard: Simplify realize() a bit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We don't need to check if sd->blk is set twice. + +Reviewed-by: Peter Maydell +Signed-off-by: Philippe Mathieu-Daudé +Reviewed-by: Alistair Francis +Message-Id: <20200630133912.9428-18-f4bug@amsat.org> +--- + hw/sd/sd.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/hw/sd/sd.c b/hw/sd/sd.c +index ed3eae930b..caac17e71b 100644 +--- a/hw/sd/sd.c ++++ b/hw/sd/sd.c +@@ -2090,12 +2090,12 @@ static void sd_realize(DeviceState *dev, Error **errp) + return; + } + +- if (sd->blk && blk_is_read_only(sd->blk)) { +- error_setg(errp, "Cannot use read-only drive as SD card"); +- return; +- } +- + if (sd->blk) { ++ if (blk_is_read_only(sd->blk)) { ++ error_setg(errp, "Cannot use read-only drive as SD card"); ++ return; ++ } ++ + ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE, + BLK_PERM_ALL, errp); + if (ret < 0) { +-- +2.17.1 + diff --git a/hw-sd-sdcard-Update-coding-style-to-make-checkpatch..patch b/hw-sd-sdcard-Update-coding-style-to-make-checkpatch..patch new file mode 100644 index 0000000..95b3843 --- /dev/null +++ b/hw-sd-sdcard-Update-coding-style-to-make-checkpatch..patch 
@@ -0,0 +1,87 @@ +From 29a65998b9c0e22983d6861efabae88106af591b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Mon, 13 Jul 2020 09:27:35 +0200 +Subject: [PATCH 6/7] hw/sd/sdcard: Update coding style to make checkpatch.pl + happy +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +To make the next commit easier to review, clean this code first. + +Reviewed-by: Peter Maydell +Signed-off-by: Philippe Mathieu-Daudé +Reviewed-by: Alistair Francis +Reviewed-by: Alexander Bulekov +Message-Id: <20200630133912.9428-3-f4bug@amsat.org> +--- + hw/sd/sd.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/hw/sd/sd.c b/hw/sd/sd.c +index 263072a353..ed796fb41f 100644 +--- a/hw/sd/sd.c ++++ b/hw/sd/sd.c +@@ -1160,8 +1160,9 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) + sd->data_start = addr; + sd->data_offset = 0; + +- if (sd->data_start + sd->blk_len > sd->size) ++ if (sd->data_start + sd->blk_len > sd->size) { + sd->card_status |= ADDRESS_ERROR; ++ } + return sd_r1; + + default: +@@ -1176,8 +1177,9 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) + sd->data_start = addr; + sd->data_offset = 0; + +- if (sd->data_start + sd->blk_len > sd->size) ++ if (sd->data_start + sd->blk_len > sd->size) { + sd->card_status |= ADDRESS_ERROR; ++ } + return sd_r1; + + default: +@@ -1222,12 +1224,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) + sd->data_offset = 0; + sd->blk_written = 0; + +- if (sd->data_start + sd->blk_len > sd->size) ++ if (sd->data_start + sd->blk_len > sd->size) { + sd->card_status |= ADDRESS_ERROR; +- if (sd_wp_addr(sd, sd->data_start)) ++ } ++ if (sd_wp_addr(sd, sd->data_start)) { + sd->card_status |= WP_VIOLATION; +- if (sd->csd[14] & 0x30) ++ } ++ if (sd->csd[14] & 0x30) { + sd->card_status |= WP_VIOLATION; ++ } + return sd_r1; + + default: +@@ -1246,12 +1251,15 @@ static 
sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) + sd->data_offset = 0; + sd->blk_written = 0; + +- if (sd->data_start + sd->blk_len > sd->size) ++ if (sd->data_start + sd->blk_len > sd->size) { + sd->card_status |= ADDRESS_ERROR; +- if (sd_wp_addr(sd, sd->data_start)) ++ } ++ if (sd_wp_addr(sd, sd->data_start)) { + sd->card_status |= WP_VIOLATION; +- if (sd->csd[14] & 0x30) ++ } ++ if (sd->csd[14] & 0x30) { + sd->card_status |= WP_VIOLATION; ++ } + return sd_r1; + + default: +-- +2.17.1 + diff --git a/net-dump.c-Suppress-spurious-compiler-warning.patch b/net-dump.c-Suppress-spurious-compiler-warning.patch new file mode 100644 index 0000000..cad2123 --- /dev/null +++ b/net-dump.c-Suppress-spurious-compiler-warning.patch 
@@ -0,0 +1,51 @@ +From 55dee3d51d658d72edecd28168be69f822bff970 Mon Sep 17 00:00:00 2001 +From: liuxiangdong +Date: Tue, 8 Feb 2022 15:10:25 +0800 +Subject: [PATCH 3/4] net/dump.c: Suppress spurious compiler warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Compiling with gcc version 11.2.0 (Ubuntu 11.2.0-13ubuntu1) results in +a (spurious) warning: + + In function ‘dump_receive_iov’, + inlined from ‘filter_dump_receive_iov’ at ../net/dump.c:157:5: + ../net/dump.c:89:9: error: ‘writev’ specified size 18446744073709551600 +exceeds maximum object size 9223372036854775807 [-Werror=stringop-overflow=] + 89 | if (writev(s->fd, dumpiov, cnt + 1) != sizeof(hdr) + caplen) { + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + In file included from /home/ptomsich/qemu/include/qemu/osdep.h:108, + from ../net/dump.c:25: + ../net/dump.c: In function ‘filter_dump_receive_iov’: + /usr/include/x86_64-linux-gnu/sys/uio.h:52:16: note: in a call to function +‘writev’ declared with attribute ‘read_only (2, 3)’ + 52 | extern ssize_t writev (int __fd, const struct iovec *__iovec, int +__count) + | ^~~~~~ + cc1: all warnings being treated as errors + +This change helps that version of GCC to understand what is going on +and suppresses this warning. + +Signed-off-by: Philipp Tomsich +--- + net/dump.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/dump.c b/net/dump.c +index 23b3628dde..3cf9fe869d 100644 +--- a/net/dump.c ++++ b/net/dump.c +@@ -86,7 +86,7 @@ static ssize_t dump_receive_iov(DumpState *s, const struct iovec *iov, int cnt) + dumpiov[0].iov_len = sizeof(hdr); + cnt = iov_copy(&dumpiov[1], cnt, iov, cnt, 0, caplen); + +- if (writev(s->fd, dumpiov, cnt + 1) != sizeof(hdr) + caplen) { ++ if (writev(s->fd, &dumpiov[0], cnt + 1) != sizeof(hdr) + caplen) { + error_report("network dump write error - stopping dump"); + close(s->fd); + s->fd = -1; +-- +2.17.1 + 
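Review bot: `&dumpiov[0]` is semantically identical to `dumpiov`, so without a comment the next clean-up will revert it and re-trigger the GCC 11 -Wstringop-overflow error quoted in the message. Add on the changed line: `/* &dumpiov[0], not dumpiov: silences a spurious GCC 11 -Wstringop-overflow */`. The pre-existing `!= sizeof(hdr) + caplen` comparison still treats a short or interrupted writev as fatal; that is outside this change. dump_receive_iov begins and ends outside the hunk.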
diff --git a/qemu.spec b/qemu.spec
index e5c7198..36fb29a 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 68
+Release: 69
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@@ -359,6 +359,17 @@ Patch0346: hw-intc-arm_gicv3_dist-Rename-64-bit-accessors-with-.patch
 Patch0347: hw-intc-arm_gicv3-Replace-mis-used-MEMTX_-constants-.patch
 Patch0348: hw-intc-arm_gicv3-Check-for-MEMTX_OK-instead-of-MEMT.patch
 Patch0349: net-colo-compare.c-Check-that-colo-compare-is-active.patch
+Patch0350: e1000-fail-early-for-evil-descriptor.patch
+Patch0351: e1000-fix-tx-re-entrancy-problem.patch
+Patch0352: hw-sd-sdcard-Restrict-Class-6-commands-to-SCSD-cards.patch
+Patch0353: hw-sd-sdcard-Simplify-realize-a-bit.patch
+Patch0354: hw-sd-sdcard-Do-not-allow-invalid-SD-card-sizes.patch
+Patch0355: hw-sd-sdcard-Update-coding-style-to-make-checkpatch..patch
+Patch0356: hw-sd-sdcard-Do-not-switch-to-ReceivingData-if-addre.patch
+Patch0357: scsi-qemu-pr-helper-Fix-out-of-bounds-access-to-trnp.patch
+Patch0358: curses-Fixes-curses-compiling-errors.patch
+Patch0359: net-dump.c-Suppress-spurious-compiler-warning.patch
+Patch0360: tests-Replace-deprecated-ASN1-code.patch
 
 BuildRequires: flex
 BuildRequires: bison
@@ -755,6 +766,19 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Mon May 30 2022 sundongxu
+- e1000: fail early for evil descriptor
+- e1000: fix tx re-entrancy problem
+- hw/sd/sdcard: Do not allow invalid SD card sizes
+- hw/sd/sdcard: Do not switch to ReceivingData if address is invalid
+- hw/sd/sdcard: Restrict Class 6 commands to SCSD cards
+- hw/sd/sdcard: Simplify realize() a bit
+- hw/sd/sdcard: Update coding style to make checkpatch.pl happy
+- scsi/qemu-pr-helper: Fix out-of-bounds access to trnptid_list[]
+- curses: Fixes curses compiling errors.
+- net/dump.c: Suppress spurious compiler warning
+- tests: Replace deprecated ASN1 code
+
 * Sat May 21 2022 yezengruan
 - hw/intc/arm_gicv3_dist: Rename 64-bit accessors with 'q' suffix
 - hw/intc/arm_gicv3: Replace mis-used MEMTX_* constants by booleans
diff --git a/scsi-qemu-pr-helper-Fix-out-of-bounds-access-to-trnp.patch b/scsi-qemu-pr-helper-Fix-out-of-bounds-access-to-trnp.patch
new file mode 100644
index 0000000..687c9f0
--- /dev/null
+++ b/scsi-qemu-pr-helper-Fix-out-of-bounds-access-to-trnp.patch
@@ -0,0 +1,95 @@ +From 36a343cbba2752fab2995fd0d9848c192f0c9579 Mon Sep 17 00:00:00 2001 +From: Christophe de Dinechin +Date: Fri, 28 Feb 2020 16:00:59 +0100 +Subject: [PATCH 1/4] scsi/qemu-pr-helper: Fix out-of-bounds access to + trnptid_list[] +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Compile error reported by gcc 10.0.1: + +scsi/qemu-pr-helper.c: In function ‘multipath_pr_out’: +scsi/qemu-pr-helper.c:523:32: error: array subscript is outside array bounds of ‘struct transportid *[0]’ [-Werror=array-bounds] + 523 | paramp.trnptid_list[paramp.num_transportid++] = id; + | ~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~ +In file included from scsi/qemu-pr-helper.c:36: +/usr/include/mpath_persist.h:168:22: note: while referencing ‘trnptid_list’ + 168 | struct transportid *trnptid_list[]; + | ^~~~~~~~~~~~ +scsi/qemu-pr-helper.c:424:35: note: defined here ‘paramp’ + 424 | struct prout_param_descriptor paramp; + | ^~~~~~ + +This highlights an actual implementation issue in function multipath_pr_out. +The variable paramp is declared with type `struct prout_param_descriptor`, +which is a struct terminated by an empty array in mpath_persist.h: + + struct transportid *trnptid_list[]; + +That empty array was filled with code that looked like that: + + trnptid_list[paramp.descr.num_transportid++] = id; + +This is an actual out-of-bounds access. + +The fix is to malloc `paramp`. 
+ +Signed-off-by: Christophe de Dinechin +Signed-off-by: Paolo Bonzini +--- + scsi/qemu-pr-helper.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/scsi/qemu-pr-helper.c b/scsi/qemu-pr-helper.c +index a256ce490b..aa135df1f9 100644 +--- a/scsi/qemu-pr-helper.c ++++ b/scsi/qemu-pr-helper.c +@@ -421,10 +421,13 @@ static int multipath_pr_out(int fd, const uint8_t *cdb, uint8_t *sense, + int rq_servact = cdb[1]; + int rq_scope = cdb[2] >> 4; + int rq_type = cdb[2] & 0xf; +- struct prout_param_descriptor paramp; ++ g_autofree struct prout_param_descriptor *paramp = NULL; + char transportids[PR_HELPER_DATA_SIZE]; + int r; + ++ paramp = g_malloc0(sizeof(struct prout_param_descriptor) ++ + sizeof(struct transportid *) * MPATH_MX_TIDS); ++ + if (sz < PR_OUT_FIXED_PARAM_SIZE) { + /* Illegal request, Parameter list length error. This isn't fatal; + * we have read the data, send an error without closing the socket. +@@ -454,10 +457,9 @@ static int multipath_pr_out(int fd, const uint8_t *cdb, uint8_t *sense, + * used by libmpathpersist (which, of course, will immediately + * do the opposite). + */ +- memset(¶mp, 0, sizeof(paramp)); +- memcpy(¶mp.key, ¶m[0], 8); +- memcpy(¶mp.sa_key, ¶m[8], 8); +- paramp.sa_flags = param[20]; ++ memcpy(¶mp->key, ¶m[0], 8); ++ memcpy(¶mp->sa_key, ¶m[8], 8); ++ paramp->sa_flags = param[20]; + if (sz > PR_OUT_FIXED_PARAM_SIZE) { + size_t transportid_len; + int i, j; +@@ -520,12 +522,13 @@ static int multipath_pr_out(int fd, const uint8_t *cdb, uint8_t *sense, + return CHECK_CONDITION; + } + +- paramp.trnptid_list[paramp.num_transportid++] = id; ++ assert(paramp->num_transportid < MPATH_MX_TIDS); ++ paramp->trnptid_list[paramp->num_transportid++] = id; + } + } + + r = mpath_persistent_reserve_out(fd, rq_servact, rq_scope, rq_type, +- ¶mp, noisy, verbose); ++ paramp, noisy, verbose); + return mpath_reconstruct_sense(fd, r, sense); + } + #endif +-- +2.17.1 + 
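Review bot: `assert(paramp->num_transportid < MPATH_MX_TIDS)` guards an index that grows once per transport ID parsed from the request payload, so if a client can supply more than MPATH_MX_TIDS of them the helper aborts instead of failing the command; whether the payload bound (PR_HELPER_DATA_SIZE) makes that unreachable is not visible here. Prefer the error path the function already uses for malformed input, i.e. `if (paramp->num_transportid >= MPATH_MX_TIDS) { /* illegal request, as for the length check above */ return CHECK_CONDITION; }` with the same sense construction the earlier parameter-length check presumably performs (that code is cut from the hunk). The `¶mp` in this rendering is `&paramp` with the `&para` run mis-decoded; the patch text itself is not at fault. multipath_pr_out begins outside the hunk.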
diff --git a/tests-Replace-deprecated-ASN1-code.patch b/tests-Replace-deprecated-ASN1-code.patch
new file mode 100644
index 0000000..65c8a6c
--- /dev/null
+++ b/tests-Replace-deprecated-ASN1-code.patch
@@ -0,0 +1,98 @@ +From d3918f6f22ad23b18f83eb446ee787d41ffd4631 Mon Sep 17 00:00:00 2001 +From: Stefan Weil +Date: Thu, 28 Jan 2021 18:15:23 +0100 +Subject: [PATCH 4/4] tests: Replace deprecated ASN1 code +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This fixes several compiler warnings on MacOS with Homebrew. The +git development branch for forthcoming libtasn1 4.17.0 has introduced +deprecation warnings for several macros/types that we use. + +Signed-off-by: Stefan Weil +Signed-off-by: Daniel P. Berrangé +--- + tests/crypto-tls-x509-helpers.c | 10 +++++----- + tests/crypto-tls-x509-helpers.h | 2 +- + tests/pkix_asn1_tab.c | 2 +- + 3 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/tests/crypto-tls-x509-helpers.c b/tests/crypto-tls-x509-helpers.c +index 9b669c2a4b..5471434ca2 100644 +--- a/tests/crypto-tls-x509-helpers.c ++++ b/tests/crypto-tls-x509-helpers.c +@@ -30,7 +30,7 @@ + * This stores some static data that is needed when + * encoding extensions in the x509 certs + */ +-ASN1_TYPE pkix_asn1; ++asn1_node pkix_asn1; + + /* + * To avoid consuming random entropy to generate keys, +@@ -118,7 +118,7 @@ void test_tls_cleanup(const char *keyfile) + /* + * Turns an ASN1 object into a DER encoded byte array + */ +-static void test_tls_der_encode(ASN1_TYPE src, ++static void test_tls_der_encode(asn1_node src, + const char *src_name, + gnutls_datum_t *res) + { +@@ -296,7 +296,7 @@ test_tls_generate_cert(QCryptoTLSTestCertReq *req, + * the 'critical' field which we want control over + */ + if (req->basicConstraintsEnable) { +- ASN1_TYPE ext = ASN1_TYPE_EMPTY; ++ asn1_node ext = NULL; + + asn1_create_element(pkix_asn1, "PKIX1.BasicConstraints", &ext); + asn1_write_value(ext, "cA", +@@ -323,7 +323,7 @@ test_tls_generate_cert(QCryptoTLSTestCertReq *req, + * to be 'critical' + */ + if (req->keyUsageEnable) { +- ASN1_TYPE ext = ASN1_TYPE_EMPTY; ++ asn1_node ext = NULL; + char str[2]; + + str[0] = 
req->keyUsageValue & 0xff; +@@ -353,7 +353,7 @@ test_tls_generate_cert(QCryptoTLSTestCertReq *req, + * set this the hard way building up ASN1 data ourselves + */ + if (req->keyPurposeEnable) { +- ASN1_TYPE ext = ASN1_TYPE_EMPTY; ++ asn1_node ext = NULL; + + asn1_create_element(pkix_asn1, "PKIX1.ExtKeyUsageSyntax", &ext); + if (req->keyPurposeOID1) { +diff --git a/tests/crypto-tls-x509-helpers.h b/tests/crypto-tls-x509-helpers.h +index 08efba4e19..8fcd7785ab 100644 +--- a/tests/crypto-tls-x509-helpers.h ++++ b/tests/crypto-tls-x509-helpers.h +@@ -125,7 +125,7 @@ void test_tls_cleanup(const char *keyfile); + }; \ + test_tls_generate_cert(&varname, NULL) + +-extern const ASN1_ARRAY_TYPE pkix_asn1_tab[]; ++extern const asn1_static_node pkix_asn1_tab[]; + + #endif /* QCRYPTO_HAVE_TLS_TEST_SUPPORT */ + +diff --git a/tests/pkix_asn1_tab.c b/tests/pkix_asn1_tab.c +index f15fc515cb..4aaf736d3f 100644 +--- a/tests/pkix_asn1_tab.c ++++ b/tests/pkix_asn1_tab.c +@@ -8,7 +8,7 @@ + + #ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT + +-const ASN1_ARRAY_TYPE pkix_asn1_tab[] = { ++const asn1_static_node pkix_asn1_tab[] = { + {"PKIX1", 536875024, 0}, + {0, 1073741836, 0}, + {"id-ce", 1879048204, 0}, +-- +2.17.1 + -- Gitee
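Review bot: `asn1_node` and `asn1_static_node` replace the deprecated `ASN1_TYPE`/`ASN1_ARRAY_TYPE`, which ties the test build to a libtasn1 release that exposes the new names, yet the qemu.spec change in this same commit only registers the patch and does not record a minimum libtasn1 BuildRequires (the BuildRequires block is outside the spec hunk). Either confirm the target distribution's libtasn1 already provides these names or add a versioned BuildRequires beside the patch entry so the build fails early rather than at compile time. The type and initializer substitutions themselves are mechanical and look consistent across the three files.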