diff --git a/qemu.spec b/qemu.spec index c50be29e0dff3cdb84d2908de22b6a8625c6ac17..175295fcb33d72ef33ff180ab0ad7f2e471c4481 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 66 +Release: 67 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 @@ -336,6 +336,7 @@ Patch0323: curses-Fixes-curses-compiling-errors.patch Patch0324: net-dump.c-Suppress-spurious-compiler-warning.patch Patch0325: tests-Replace-deprecated-ASN1-code.patch Patch0326: hw-block-fdc-Prevent-end-of-track-overrun-CVE-2021-3.patch +Patch0327: softmmu-Always-initialize-xlat-in-address_space_tran.patch BuildRequires: flex BuildRequires: bison @@ -733,6 +734,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Tue Jul 19 2022 yezengruan +- softmmu: Always initialize xlat in address_space_translate_for_iotlb (CVE-2022-35414) + * Thu Jun 02 2022 yezengruan - hw/block/fdc: Prevent end-of-track overrun (CVE-2021-3507) diff --git a/softmmu-Always-initialize-xlat-in-address_space_tran.patch b/softmmu-Always-initialize-xlat-in-address_space_tran.patch new file mode 100644 index 0000000000000000000000000000000000000000..75f86387c9ee1c3a87d128ef963d7880c272e20a --- /dev/null +++ b/softmmu-Always-initialize-xlat-in-address_space_tran.patch @@ -0,0 +1,68 @@ +From f9b1194f6cf3c0b916e01cc6e76f2e6226cf11c5 Mon Sep 17 00:00:00 2001 +From: yinyongkang +Date: Fri, 15 Jul 2022 10:49:38 +0800 +Subject: [PATCH] softmmu: Always initialize xlat in + address_space_translate_for_iotlb + +The bug is an uninitialized memory read, along the translate_fail +path, which results in garbage being read from iotlb_to_section, +which can lead to a crash in io_readx/io_writex. + +The bug may be fixed by writing any value with zero +in ~TARGET_PAGE_MASK, so that the call to iotlb_to_section using +the xlat'ed address returns io_mem_unassigned, as desired by the +translate_fail path. + +It is most useful to record the original physical page address, +which will eventually be logged by memory_region_access_valid +when the access is rejected by unassigned_mem_accepts. + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1065 +Signed-off-by: Richard Henderson +Reviewed-by: Peter Maydell +Message-Id: <20220621153829.366423-1-richard.henderson@linaro.org> +--- + exec.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/exec.c b/exec.c +index 8822c241d8..e785178d73 100644 +--- a/exec.c ++++ b/exec.c +@@ -719,7 +719,7 @@ static void tcg_iommu_free_notifier_list(CPUState *cpu) + + /* Called from RCU critical section */ + MemoryRegionSection * +-address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr, ++address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr, + hwaddr *xlat, hwaddr *plen, + MemTxAttrs attrs, int *prot) + { +@@ -728,6 +728,7 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr, + IOMMUMemoryRegionClass *imrc; + IOMMUTLBEntry iotlb; + int iommu_idx; ++ hwaddr addr = orig_addr; + AddressSpaceDispatch *d = atomic_rcu_read(&cpu->cpu_ases[asidx].memory_dispatch); + + for (;;) { +@@ -771,6 +772,16 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr, + return section; + + translate_fail: ++ /* ++ * We should be given a page-aligned address -- certainly ++ * tlb_set_page_with_attrs() does so. The page offset of xlat ++ * is used to index sections[], and PHYS_SECTION_UNASSIGNED = 0. ++ * The page portion of xlat will be logged by memory_region_access_valid() ++ * when this memory access is rejected, so use the original untranslated ++ * physical address. ++ */ ++ assert((orig_addr & ~TARGET_PAGE_MASK) == 0); ++ *xlat = orig_addr; + return &d->map.sections[PHYS_SECTION_UNASSIGNED]; + } + #endif +-- +2.27.0 +