diff --git a/qemu.spec b/qemu.spec
index 71eb96891499643c468709201231b5d4f35ea48d..fc83804d99b5dfdcc2b6cb7162cd7c1226848dd1 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 6.2.0
-Release: 42
+Release: 43
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@@ -282,6 +282,7 @@ Patch0268: tests-qtest-intel-hda-test-Add-reproducer-for-issue-.patch
 Patch0269: hw-nvme-fix-CVE-2021-3929.patch
 Patch0270: acpi-validate-hotplug-selector-on-access.patch
 Patch0271: virtiofsd-Drop-membership-of-all-supplementary-group.patch
+Patch0272: softmmu-Always-initialize-xlat-in-address_space_tran.patch
 
 BuildRequires: flex
 BuildRequires: gcc
@@ -784,6 +785,9 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Wed Jul 13 2022 yinyongkang - 2:6.2.0-43
+- softmmu: Always initialize xlat in address_space_translate_for_iotlb
+
 * Tue Jul 12 2022 liuxiangdong - 2:6.2.0-42
 - acpi: validate hotplug selector on access
 - virtiofsd: Drop membership of all supplementary groups (CVE-2022-0358)
diff --git a/softmmu-Always-initialize-xlat-in-address_space_tran.patch b/softmmu-Always-initialize-xlat-in-address_space_tran.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a62a42caf1cfb76230810dbe796e57b541f0110d
--- /dev/null
+++ b/softmmu-Always-initialize-xlat-in-address_space_tran.patch
@@ -0,0 +1,68 @@
+From c31f3264eabcf8987d56c1cd383aa11ce604b831 Mon Sep 17 00:00:00 2001
+From: yinyongkang
+Date: Wed, 13 Jul 2022 11:13:40 +0800
+Subject: [PATCH] softmmu: Always initialize xlat in
+ address_space_translate_for_iotlb
+
+The bug is an uninitialized memory read, along the translate_fail
+path, which results in garbage being read from iotlb_to_section,
+which can lead to a crash in io_readx/io_writex.
+
+The bug may be fixed by writing any value with zero
+in ~TARGET_PAGE_MASK, so that the call to iotlb_to_section using
+the xlat'ed address returns io_mem_unassigned, as desired by the
+translate_fail path.
+
+It is most useful to record the original physical page address,
+which will eventually be logged by memory_region_access_valid
+when the access is rejected by unassigned_mem_accepts.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1065
+Signed-off-by: Richard Henderson
+Reviewed-by: Peter Maydell
+Message-Id: <20220621153829.366423-1-richard.henderson@linaro.org>
+---
+ softmmu/physmem.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/softmmu/physmem.c b/softmmu/physmem.c
+index ae26f7290..be39a49ce 100644
+--- a/softmmu/physmem.c
++++ b/softmmu/physmem.c
+@@ -668,7 +668,7 @@ void tcg_iommu_init_notifier_list(CPUState *cpu)
+
+ /* Called from RCU critical section */
+ MemoryRegionSection *
+-address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
++address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr,
+ hwaddr *xlat, hwaddr *plen,
+ MemTxAttrs attrs, int *prot)
+ {
+@@ -677,6 +677,7 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
+ IOMMUMemoryRegionClass *imrc;
+ IOMMUTLBEntry iotlb;
+ int iommu_idx;
++ hwaddr addr = orig_addr;
+ AddressSpaceDispatch *d =
+ qatomic_rcu_read(&cpu->cpu_ases[asidx].memory_dispatch);
+
+@@ -721,6 +722,16 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
+ return section;
+ 
translate_fail:
++ /*
++ * We should be given a page-aligned address -- certainly
++ * tlb_set_page_with_attrs() does so. The page offset of xlat
++ * is used to index sections[], and PHYS_SECTION_UNASSIGNED = 0.
++ * The page portion of xlat will be logged by memory_region_access_valid()
++ * when this memory access is rejected, so use the original untranslated
++ * physical address.
++ */
++ assert((orig_addr & ~TARGET_PAGE_MASK) == 0);
++ *xlat = orig_addr;
+ return &d->map.sections[PHYS_SECTION_UNASSIGNED];
+ }
+
+-- 
+2.33.0
+
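Review bot: The backport header rewrites the commit's provenance: `From: yinyongkang` and the 13 Jul 2022 `Date:` replace the upstream author, while `Signed-off-by: Richard Henderson` and the linaro `Message-Id:` still identify the original commit c31f3264eabcf8987d56c1cd383aa11ce604b831 named on the first line. For a security fix that downstream reviewers will want to verify against upstream, keep the upstream `From:`/`Date:` lines verbatim and add the backporter as a trailing `Signed-off-by:` line, so the file can be checked against the cited commit without guessing which header fields were altered. The patch body already carries `Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1065`; the spec changelog entry for 2:6.2.0-43 in the earlier hunk only names the function, so citing that issue there too would make the uninitialized-read fix traceable from the package metadata alone.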