diff --git a/hw-scsi-lsi53c895a-Do-not-abort-when-DMA-requested-a.patch b/hw-scsi-lsi53c895a-Do-not-abort-when-DMA-requested-a.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3dab50d3530034dcb4d7a371c4ad28cedbaf4625
--- /dev/null
+++ b/hw-scsi-lsi53c895a-Do-not-abort-when-DMA-requested-a.patch
@@ -0,0 +1,71 @@
+From 35ddae3c3a4231d33f162c67efbcbf0cb57892ad Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?=
+Date: Tue, 23 Nov 2021 12:17:31 +0100
+Subject: [PATCH 1/3] hw/scsi/lsi53c895a: Do not abort when DMA requested and
+ no data queued
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If asked for DMA request and no data is available, simply wait
+for data to be queued, do not abort. This fixes:
+
+ $ cat << EOF | \
+ qemu-system-i386 -nographic -M q35,accel=qtest -serial none \
+ -monitor none -qtest stdio -trace lsi* \
+ -drive if=none,id=drive0,file=null-co://,file.read-zeroes=on,format=raw \
+ -device lsi53c895a,id=scsi0 -device scsi-hd,drive=drive0,bus=scsi0.0,channel=0,scsi-id=0,lun=0
+ lsi_reset Reset
+ lsi_reg_write Write reg DSP2 0x2e = 0xff
+ lsi_reg_write Write reg DSP3 0x2f = 0xff
+ lsi_execute_script SCRIPTS dsp=0xffff0000 opcode 0x184a3900 arg 0x4a8b2d75
+ qemu-system-i386: hw/scsi/lsi53c895a.c:624: lsi_do_dma: Assertion `s->current' failed.
+
+ (gdb) bt
+ #5 0x00007ffff4e8a3a6 in __GI___assert_fail
+ (assertion=0x5555560accbc "s->current", file=0x5555560acc28 "hw/scsi/lsi53c895a.c", line=624, function=0x5555560adb18 "lsi_do_dma") at assert.c:101
+ #6 0x0000555555aa33b9 in lsi_do_dma (s=0x555557805ac0, out=1) at hw/scsi/lsi53c895a.c:624
+ #7 0x0000555555aa5042 in lsi_execute_script (s=0x555557805ac0) at hw/scsi/lsi53c895a.c:1250
+ #8 0x0000555555aa757a in lsi_reg_writeb (s=0x555557805ac0, offset=47, val=255 '\377') at hw/scsi/lsi53c895a.c:1984
+ #9 0x0000555555aa875b in lsi_mmio_write (opaque=0x555557805ac0, addr=47, val=255, size=1) at hw/scsi/lsi53c895a.c:2095
+
+Cc: qemu-stable@nongnu.org
+Cc: Gerd Hoffmann
+Cc: Vadim Rozenfeld
+Cc: Stefan Hajnoczi
+Reported-by: Jérôme Poulin
+Reported-by: Ruhr-University
+Reported-by: Gaoning Pan
+Reported-by: Cheolwoo Myung
+Fixes: b96a0da06bd ("lsi: move dma_len+dma_buf into lsi_request")
+BugLink: https://bugs.launchpad.net/qemu/+bug/697510
+BugLink: https://bugs.launchpad.net/qemu/+bug/1905521
+BugLink: https://bugs.launchpad.net/qemu/+bug/1908515
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/84
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/305
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/552
+Signed-off-by: Philippe Mathieu-Daudé
+Reviewed-by: Laurent Vivier
+Message-Id: <20211123111732.83137-2-philmd@redhat.com>
+Signed-off-by: Paolo Bonzini
+---
+ hw/scsi/lsi53c895a.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 72f7b59ab5..7bbaefaba0 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -620,8 +620,7 @@ static void lsi_do_dma(LSIState *s, int out)
+ dma_addr_t addr;
+ SCSIDevice *dev;
+
+- assert(s->current);
+- if (!s->current->dma_len) {
++ if (!s->current || !s->current->dma_len) {
+ /* Wait until data is available. */
+ trace_lsi_do_dma_unavailable();
+ return;
+--
+2.27.0
+
diff --git a/qemu.spec b/qemu.spec
index 4833fcaded4b28b828ed8388e1b72c2d5ff90a02..170c4fd02ea3e4609773024b561ced8d57722d14 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 72
+Release: 73
 Epoch: 10
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@@ -372,6 +372,9 @@ Patch0359: net-dump.c-Suppress-spurious-compiler-warning.patch
 Patch0360: tests-Replace-deprecated-ASN1-code.patch
 Patch0361: hw-block-fdc-Prevent-end-of-track-overrun-CVE-2021-3.patch
 Patch0362: softmmu-Always-initialize-xlat-in-address_space_tran.patch
+Patch0363: hw-scsi-lsi53c895a-Do-not-abort-when-DMA-requested-a.patch
+Patch0364: scsi-lsi53c895a-fix-use-after-free-in-lsi_do_msgout-.patch
+Patch0365: scsi-lsi53c895a-really-fix-use-after-free-in-lsi_do_.patch
 BuildRequires: flex
 BuildRequires: bison
@@ -772,6 +775,11 @@ getent passwd qemu >/dev/null || \
 %endif
 %changelog
+* Tue Aug 30 2022 yezengruan
+- hw/scsi/lsi53c895a: Do not abort when DMA requested and no data queued
+- scsi/lsi53c895a: fix use-after-free in lsi_do_msgout (CVE-2022-0216)
+- scsi/lsi53c895a: really fix use-after-free in lsi_do_msgout (CVE-2022-0216)
+
 * Thu Aug 25 2022 yezengruan
 - Provides qemu-kvm for upgrade
diff --git a/scsi-lsi53c895a-fix-use-after-free-in-lsi_do_msgout-.patch b/scsi-lsi53c895a-fix-use-after-free-in-lsi_do_msgout-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d4529ce51f484ebfa5353cc78dd28bb6723e248f
--- /dev/null
+++ b/scsi-lsi53c895a-fix-use-after-free-in-lsi_do_msgout-.patch
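Review bot: The three new Patch lines are only valid in the order they are declared, and the spec does not say so: the `index` lines inside the patch files chain 72f7b59ab5 → 7bbaefaba0 → 16c4726dcc → 88bccf2b4c, so Patch0363 is a prerequisite of Patch0364 and Patch0365 even though it fixes no CVE itself. The changelog presents them as three independent entries; I would make the dependency explicit there, e.g. `- hw/scsi/lsi53c895a: Do not abort when DMA requested and no data queued (prerequisite for the CVE-2022-0216 fixes)`. Patch0364 is also incomplete on its own — its successor Patch0365, added in the same commit, replaces the pointer it clears — so the pair should not be cherry-picked separately. Whether the build applies the patches in numeric order is not visible in this hunk; if `%autosetup` is not used, the corresponding `%patch` lines need the same ordering.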
@@ -0,0 +1,37 @@
+From 5588ea3eb3d82faa4a99a7328252aa2bb406af28 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella
+Date: Tue, 5 Jul 2022 22:05:43 +0200
+Subject: [PATCH 2/3] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout
+ (CVE-2022-0216)
+
+Set current_req->req to NULL to prevent reusing a free'd buffer in case of
+repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch.
+
+Fixes: CVE-2022-0216
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
+Signed-off-by: Mauro Matteo Cascella
+Reviewed-by: Thomas Huth
+Message-Id: <20220705200543.2366809-1-mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini
+---
+ hw/scsi/lsi53c895a.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 7bbaefaba0..16c4726dcc 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -1027,8 +1027,9 @@ static void lsi_do_msgout(LSIState *s)
+ case 0x0d:
+ /* The ABORT TAG message clears the current I/O process only. */
+ trace_lsi_do_msgout_abort(current_tag);
+- if (current_req) {
++ if (current_req && current_req->req) {
+ scsi_req_cancel(current_req->req);
++ current_req->req = NULL;
+ }
+ lsi_disconnect(s);
+ break;
+--
+2.27.0
+
diff --git a/scsi-lsi53c895a-really-fix-use-after-free-in-lsi_do_.patch b/scsi-lsi53c895a-really-fix-use-after-free-in-lsi_do_.patch
new file mode 100644
index 0000000000000000000000000000000000000000..79294c30cc6a459427ccae308e718754e5de7e3a
--- /dev/null
+++ b/scsi-lsi53c895a-really-fix-use-after-free-in-lsi_do_.patch
@@ -0,0 +1,47 @@
+From 13136d9656dd738b6e555cad696e4a058f8f0a2b Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella
+Date: Mon, 11 Jul 2022 14:33:16 +0200
+Subject: [PATCH 3/3] scsi/lsi53c895a: really fix use-after-free in
+ lsi_do_msgout (CVE-2022-0216)
+
+Set current_req to NULL, not current_req->req, to prevent reusing a free'd
+buffer in case of repeated SCSI cancel requests. Also apply the fix to
+CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel
+the request.
+
+Thanks to Alexander Bulekov for providing a reproducer.
+
+Fixes: CVE-2022-0216
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
+Signed-off-by: Mauro Matteo Cascella
+Tested-by: Alexander Bulekov
+Message-Id: <20220711123316.421279-1-mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini
+---
+ hw/scsi/lsi53c895a.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 16c4726dcc..88bccf2b4c 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -1029,7 +1029,7 @@ static void lsi_do_msgout(LSIState *s)
+ trace_lsi_do_msgout_abort(current_tag);
+ if (current_req && current_req->req) {
+ scsi_req_cancel(current_req->req);
+- current_req->req = NULL;
++ current_req = NULL;
+ }
+ lsi_disconnect(s);
+ break;
+@@ -1055,6 +1055,7 @@ static void lsi_do_msgout(LSIState *s)
+ /* clear the current I/O process */
+ if (s->current) {
+ scsi_req_cancel(s->current->req);
++ current_req = NULL;
+ }
+
+ /* As the current implemented devices scsi_disk and scsi_generic
+--
+2.27.0
+
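Review bot: In the `@@ -1055,6 +1055,7 @@` hunk the added `current_req = NULL;` clears the local alias after `scsi_req_cancel(s->current->req)`, but nothing in the hunk clears `s->current`; unless the device's request-cancelled callback resets it (not visible here), `s->current` is left pointing at the request the commit message says may be freed, and a second cancel would dereference it at `scsi_req_cancel(s->current->req)`. That is worth confirming against the callback before relying on this hunk as the complete CVE-2022-0216 fix. The assignment also carries no explanation at either site (`@@ -1029` and `@@ -1055`); I would add `/* scsi_req_cancel() may free the request; drop our pointer so a repeated cancel cannot reuse it. */`. The enclosing lsi_do_msgout() starts and ends outside both hunks.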