From patchwork Wed Aug 10 14:11:57 2022
X-Patchwork-Submitter: Sakib Sajal
X-Patchwork-Id: 11237
From: Sakib Sajal
To: openembedded-core@lists.openembedded.org
Subject: [kirkstone][PATCH 3/5] qemu: fix CVE-2021-4158
Date: Wed, 10 Aug 2022 10:11:57 -0400
Message-Id: <20220810141159.21182-3-sakib.sajal@windriver.com>
In-Reply-To: <20220810141159.21182-1-sakib.sajal@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/169193

Backport patch to fix CVE-2021-4158.

Signed-off-by: Sakib Sajal
--- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-4158.patch | 46 +++++++++++++++++++ 2 files changed, 47 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4158.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 53bad5c453..1d04ad3c67 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -39,6 +39,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3507_1.patch \ file://CVE-2021-3507_2.patch \ file://CVE-2021-3929.patch \ + file://CVE-2021-4158.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4158.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4158.patch new file mode 100644 index 0000000000..f6de53244f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4158.patch
@@ -0,0 +1,46 @@ +From a0b64c6d078acb9bcfae600e22bf99a9a7deca7c Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Tue, 21 Dec 2021 09:45:44 -0500 +Subject: [PATCH] acpi: validate hotplug selector on access +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When bus is looked up on a pci write, we didn't +validate that the lookup succeeded. +Fuzzers thus can trigger QEMU crash by dereferencing the NULL +bus pointer. + +Fixes: b32bd763a1 ("pci: introduce acpi-index property for PCI device") +Fixes: CVE-2021-4158 +Cc: "Igor Mammedov" +Fixes: https://gitlab.com/qemu-project/qemu/-/issues/770 +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Philippe Mathieu-Daudé +Reviewed-by: Ani Sinha + +Upstream-Status: Backport [9bd6565ccee68f72d5012e24646e12a1c662827e] +CVE: CVE-2021-4158 + +Signed-off-by: Sakib Sajal +--- + hw/acpi/pcihp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c +index 30405b511..a5e182dd3 100644 +--- a/hw/acpi/pcihp.c ++++ b/hw/acpi/pcihp.c +@@ -491,6 +491,9 @@ static void pci_write(void *opaque, hwaddr addr, uint64_t data, + } + + bus = acpi_pcihp_find_hotplug_bus(s, s->hotplug_select); ++ if (!bus) { ++ break; ++ } + QTAILQ_FOREACH_SAFE(kid, &bus->qbus.children, sibling, next) { + Object *o = OBJECT(kid->child); + PCIDevice *dev = PCI_DEVICE(o); +-- +2.33.0 +
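Review bot: The commit message for the qemu.inc hunk says only "Backport patch to fix CVE-2021-4158", which leaves the SRC_URI addition unexplained in the log. Please state what is being fixed (per the backported patch, a NULL bus pointer dereference in pci_write in hw/acpi/pcihp.c) and reference the upstream commit, so the new `file://CVE-2021-4158.patch` entry can be understood without opening the patch file.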
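Review bot: The Upstream-Status line in the new CVE-2021-4158.patch gives a bare hash (9bd6565ccee68f72d5012e24646e12a1c662827e) that differs from the hash on the patch's own From line (a0b64c6d078acb9bcfae600e22bf99a9a7deca7c). Please say which repository or branch each one refers to, ideally by giving the upstream commit URL, so the backport can be checked against its source. On the code itself, the added `if (!bus) { break; }` in pci_write sits directly before the QTAILQ_FOREACH_SAFE that dereferences bus->qbus.children, which is the right place for the guard. Since the hunk touches only this one call site, it is worth confirming that no other use of the acpi_pcihp_find_hotplug_bus() result in this QEMU version needs the same check.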