From patchwork Mon Aug 22 19:15:36 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Sakib Sajal X-Patchwork-Id: 11713 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D2542C3F6B0 for ; Mon, 22 Aug 2022 19:16:06 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web12.22383.1661195761058198803 for ; Mon, 22 Aug 2022 12:16:01 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@windriver.com header.s=pps06212021 header.b=evT+pcFB; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=5233a6570f=sakib.sajal@windriver.com) Received: from pps.filterd (m0250809.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 27MDtcXh012721 for ; Mon, 22 Aug 2022 12:16:00 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=from : to : subject : date : message-id : content-type : content-transfer-encoding : mime-version; s=PPS06212021; bh=ZSVFaiPweuV4zN6ors5ekNIMvlOwkiLTSi37WmXR5jQ=; b=evT+pcFBHi/YF+/SuyfkUBbZFzXJzD4Q4N37DjUqOqlzg6J9Sxbwrzo1fUwpB5pHSYkG oRODdKmYG3d4LrRpnKcoVlDlGEOeQGvGmaqOjWen4gKqTzhFfY0+CnjA56bRq+7tQnJK NSVFCUVJrvxP2Y8Zhov1vRRVlRFl/y21ulPfYARD6EDIv5a8AhVJo//LgVrU9rBnzWXN d83slAhXrkIBBRc0oxRZUDWgpgKNCaecWmkKol4tv1Zcd1q2FSYvMRc31uAnHhc+46kK eDSqFaZ6bhjkURPvgCNzJNo4zVBQgl3oT9xdR7eKPXPZNMEj5xmH22vtKJV2vSzrqqhJ Zg== Received: from nam12-dm6-obe.outbound.protection.outlook.com (mail-dm6nam12lp2171.outbound.protection.outlook.com [104.47.59.171]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 3j2y4jj18h-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 22 Aug 2022 12:16:00 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=TkPc9leR/GCkbUEKRfYHNs6DdQCidXZLIBHdRuOPU2EJ0h4KgrcvOPs3VUEx7CVI0Fkk4Lm/QJya2kg9bRx4s9cc2pb/TV1xWjnk4lgXVaWsYYT1OKxZvC2eaNEhfiJoaYFABIafm8hkmm/p4VOosRSiCDZ3NBnDkYAxKTdFZtJHj4dO64IuAq1MP8fLcEX4Csbe97Gua5mYXphptmjwKA1BALpyK+xeAhQG89OkWA0u3TxQ/7y9wVxdtzdmsZ6pk5HJrNCeSc3qvcIxR6dxrw8Jx/MXMNhiEmtnUeISvcsOUC5kX2COjVXe0IgFaT3YPkHymIQsM8gpfDbfnG9HMg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ZSVFaiPweuV4zN6ors5ekNIMvlOwkiLTSi37WmXR5jQ=; b=EGd1cxdh6OVUfM5K0Y0oP4+zeuXePPPrfLDGrD+xYBPl9q8mXqHArKvFI6UbA6dDreOr18K2BmYgQi8THj//3HqVwbzwR47B/W1UR+Vecj8wT3b5HiW2sWNqaJ7endmWjgZXYGwvLbQ6FkMlTLFeMBnBeUwiHkitcQxuOCjLp0+4c8NcAZki5yKGQGsidc/8WROLhvJrmNooH9kZQaS21gH0nUzD5HlHN/Ko7o9iEdkU9Hp2wVln2+Nz8YpEftN4QTwZattKZeqhl4F9vIkUsnLO62tkvIQ837Pwm1o0hIMwW4AVi47AMB/9XAvHoBK/MJV9PFtHKy4wok36U6ZRlA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=windriver.com; dmarc=pass action=none header.from=windriver.com; dkim=pass header.d=windriver.com; arc=none Received: from DM6PR11MB2538.namprd11.prod.outlook.com (2603:10b6:5:be::20) by DM6PR11MB2970.namprd11.prod.outlook.com (2603:10b6:5:65::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5546.21; Mon, 22 Aug 2022 19:15:56 +0000 Received: from DM6PR11MB2538.namprd11.prod.outlook.com ([fe80::3526:31b1:a7c:cd2]) by DM6PR11MB2538.namprd11.prod.outlook.com ([fe80::3526:31b1:a7c:cd2%5]) with mapi id 15.20.5546.022; Mon, 22 Aug 2022 19:15:56 +0000 From: Sakib Sajal To: openembedded-core@lists.openembedded.org Subject: [PATCH 1/2] qemu: fix CVE-2021-3507 Date: Mon, 22 Aug 2022 15:15:36 -0400 Message-Id: <20220822191537.25682-1-sakib.sajal@windriver.com> X-Mailer: git-send-email 2.33.0 X-ClientProxiedBy: YQBPR01CA0139.CANPRD01.PROD.OUTLOOK.COM (2603:10b6:c01:1::39) To DM6PR11MB2538.namprd11.prod.outlook.com (2603:10b6:5:be::20) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: dc70420c-101a-4aed-a5da-08da8472bd6d X-MS-TrafficTypeDiagnostic: DM6PR11MB2970:EE_ X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: B0RascKmNv1vQzoh/vhBtE1SYkEzhkzkmo40cDy+RO3ghrqyFzn3uccmzcXb/YLsKgH8n07dhCy75fhQ1tp2xMjg3PZ8jn99GZCQNr+sWbpqPj9pIeKaAinGHnpvs6rSmBE4dSJ5Os3YHHO7Qea4A/sZ+EZvYPy/fczocjYYF+/Sv089sYg9ZxomMJgA8KQPoj+oXrNPAtILSS58mshlCXboVijig8WDeddy5QPdgmTpjR1azrMnOgxc3XRiVPsTP7WX62yeDrJSJT+gT9dzJLrGxQ4me7hP2PAo0kZqT2PMnfky2+0LVviqCHDZUCe53SHfc+y0MjI21+/LkGEkwey0gH6HXCJdXuv2XUTxFFzHpXjIbe8LOQ8ZVxGUU3BluNk70sl4Nz2iq3fvSfit/gEZSQQadnbal8DWRnah4UOJCh/j0gML0zwiCc43QlxvNvmbeFeiwlNczsiogdT88YyBt6kcZrvZvMVJn1MXlbfp4bfP8OCeHI8aqXSDeOlVEU1hOx8LBNF9EneZqUQdsltgYsatqoy6swU6iw8LaLsO20NvPGeri1A6Nl7HfQlF1Y4EfcadZSnoXQ0w6dDp3e7xl+bNDEJlByF44hTeZYxP11ALvYSg1OO3uAouyVCEr85UvlalOFXqHByU2cdsKEzGTdOofL1kORBVjgUoldysti7aJYaQdNRNMKrnaRmwTbCd1y4TWgfpgeSyjbtujcWKwN0/jnj1gaB9NhyJU/v4uy8yoOHUQ2FeIU5HsrNdfe2hveu7RzKWlPOa3vdK/whIA+0+x9HqSpA8efDB4UXdVS8mKplUpLiqfhqG2kjVZAlxGywnvAux9hWkQ7pZcs4WTwxWGgo3Ypuy0a37TGw= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM6PR11MB2538.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230016)(4636009)(396003)(39850400004)(376002)(366004)(346002)(136003)(2906002)(52116002)(6506007)(86362001)(6512007)(26005)(6486002)(966005)(41300700001)(44832011)(478600001)(6666004)(5660300002)(8936002)(186003)(1076003)(83380400001)(38350700002)(2616005)(38100700002)(66946007)(316002)(6916009)(66556008)(8676002)(66476007)(36756003)(505234007);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?q?K0+9TezFtl2wBgT1JTljf+jnowt2?= =?utf-8?q?dPZnQLIY3z2+BK9qfN5UTh8Re+6lHZLI2zqu3y9wQnTWJaCkA4C/mzpw1B0uQLhKd?= =?utf-8?q?mSQH6P5mcSzpYoHiwLR+1cah6JpbyZcycX1E/6Y+Xl7zng30d5KEZ52TcDDpn/A3K?= =?utf-8?q?ypFzI0r5LHrSxVsG6m+bOUAUv/qArpawI36kDeTxtsw27exUN15rEGfk+gmT8KMzG?= =?utf-8?q?15SMTlL45bCkSYb5UveJ4B22OIKjd0txyegBx7rtVldHzCzxQ4ro/NOVqzwJK1n4o?= =?utf-8?q?Z8P4A1wHKg4+KtklzCyDBMxPhsUfi5wkNbPEhKnv6sojUayjPfcRdC14zphJWQ4JK?= =?utf-8?q?/xzeu3661P+fS0tFMWh6oGz9X3xMoFaAiQ9J7cXgMShSExGHe3RoCQmb839byMVfc?= =?utf-8?q?AT9PPD9RzdnNe4B/2yGkLxwOnji3O/Y9UUHgH8uddABY5nF7C5itFVHRY/LEF1jvP?= =?utf-8?q?hZizzepRpY3zkfyw9LpR9A9Q6sfBFNaVHGEC5ZZT17IUdtPIgB0Lt9o37wsJXVwVk?= =?utf-8?q?MuSmT4vuDYlkTCliq9SVzGdFRqhby9vYlBvgTFZ9Lj9oZG/zCdHcf+WLzHQWhq/VW?= =?utf-8?q?Zdys8ONzhrynwX3PqJ9QsQv2SQcZsL2sOQ82rAE/NCV37MWCcKPSXcWhjQ/kogx8i?= =?utf-8?q?G5LHgtNFYzLWdRSQxJMuCf3ZfdQGLjSG1F3IjNWOFlzsH5ZbttH5R2YlkiRQewjTE?= =?utf-8?q?+Xvtt+R1l8X2jdi+2QDUFKuja18jllStiilMVBPP9yYCDecLtGV9cyv9kDBZBTqhm?= =?utf-8?q?6LsnS6QIIZ+J9gu3y/hBvPwHo7hhwWFn7tdv3+hax8XuPBm+yAq/YSu/m3OfKZ0Sw?= =?utf-8?q?s4Ake/sGBNfnSKAy7VHGeib7RkgsI6HX54fq3kryhbhNzRE1v3LFgKs7QH1eg7M9J?= =?utf-8?q?wsW5b4LSiXE/9oei2r1S/y1CpP9veuHfGaPIi3peOg0PWyg2dM2gHNgPEeOfjF716?= =?utf-8?q?vOgE67k2YBmUZFkyCGOYBIiFfBexFRC0yVInM1Xn7cZ6Swltb5SIK60OEg3PDzWwZ?= =?utf-8?q?bMYSx1JdmKC5Ie6rodkAbQTTiFUr+ACs2W4oGjUWkiqX6j7EK/s4OL9jdShSmJF46?= =?utf-8?q?dRUr/PzvhxUMLpefRmMfc+jBmUvJIXEPLAKkpNvnfEcKd0peav+L+07Ke4bupbtBo?= =?utf-8?q?4i3+xjaZT4VX0XmU5n40meKghYGJGwbqac8jQOCn6bG0TkXEHJ8PMXTbtPTCO6i38?= =?utf-8?q?Yi2ArgUZ4aJPmdHqPu2b1UlxVxmFDEcMwW6bboyG4BRmoBhnQ/1ESeBZElXCD9aAH?= =?utf-8?q?oftdxPrCe+ErG+oX0gKdIwjJaWlbxvkPFDLahse89spHn8YjMw8cTuzXVHfHfyjyw?= =?utf-8?q?qnCMOPap6yy6rcmreMYMJKjK4AcFUUH/4cwBXLGFVVmzWtZmj1TtwLBj+rOksxIvs?= =?utf-8?q?drFnB4wEf10fEaMT3dyKtEv5+ZrI+TIGvOi0cMVCenhPB/9B/Zb427PZX3Yruyt2a?= =?utf-8?q?n9ef1x42tV737ejeqXa9tF5cbsiyzoI68jJTqD116TchuGQ3WxIc3FVdN99YV0hwQ?= =?utf-8?q?gHAdfT/c8hCznIFO2DcSwOGkgdOvCIhA+A=3D=3D?= X-OriginatorOrg: windriver.com X-MS-Exchange-CrossTenant-Network-Message-Id: dc70420c-101a-4aed-a5da-08da8472bd6d X-MS-Exchange-CrossTenant-AuthSource: DM6PR11MB2538.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 22 Aug 2022 19:15:56.8689 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 8ddb2873-a1ad-4a18-ae4e-4644631433be X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: 0WiOAJNcr5X5+soT8aI1Q/SNBLzQY8D8pre6jg2n0KVeerwElbkSZGrRtBuzPNdI2HB6JNTjz97bjfyPVs1Ix4VoXkFvCHT9TvSSAbWY5+Q= X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR11MB2970 X-Proofpoint-ORIG-GUID: kot5m87h7kaTkni0nxk4Q1iyDQsuJ0pm X-Proofpoint-GUID: kot5m87h7kaTkni0nxk4Q1iyDQsuJ0pm X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.895,Hydra:6.0.517,FMLib:17.11.122.1 definitions=2022-08-22_12,2022-08-22_02,2022-06-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 mlxscore=0 lowpriorityscore=0 clxscore=1015 mlxlogscore=861 bulkscore=0 spamscore=0 adultscore=0 priorityscore=1501 impostorscore=0 malwarescore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2207270000 definitions=main-2208220079 X-MIME-Autoconverted: from 8bit to quoted-printable by mx0a-0064b401.pphosted.com id 27MDtcXh012721 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 22 Aug 2022 19:16:06 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/169679 Backport required patches to fix CVE-2021-3507. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 2 + .../qemu/qemu/CVE-2021-3507_1.patch | 92 ++++++++++++++ .../qemu/qemu/CVE-2021-3507_2.patch | 115 ++++++++++++++++++ 3 files changed, 209 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index bcaa56bbba..9fdb8c6428 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -29,6 +29,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch \ file://qemu-7.0.0-glibc-2.36.patch \ file://CVE-2022-35414.patch \ + file://CVE-2021-3507_1.patch \ + file://CVE-2021-3507_2.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch new file mode 100644 index 0000000000..24fd2c5ed3 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch @@ -0,0 +1,92 @@ +From 57a89cc36ead7234e540d0ecbe1a792ab6b04cb7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 18 Nov 2021 12:57:32 +0100 +Subject: [PATCH 1/2] hw/block/fdc: Prevent end-of-track overrun + (CVE-2021-3507) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Per the 82078 datasheet, if the end-of-track (EOT byte in +the FIFO) is more than the number of sectors per side, the +command is terminated unsuccessfully: + +* 5.2.5 DATA TRANSFER TERMINATION + + The 82078 supports terminal count explicitly through + the TC pin and implicitly through the underrun/over- + run and end-of-track (EOT) functions. For full sector + transfers, the EOT parameter can define the last + sector to be transferred in a single or multisector + transfer. If the last sector to be transferred is a par- + tial sector, the host can stop transferring the data in + mid-sector, and the 82078 will continue to complete + the sector as if a hardware TC was received. The + only difference between these implicit functions and + TC is that they return "abnormal termination" result + status. Such status indications can be ignored if they + were expected. + +* 6.1.3 READ TRACK + + This command terminates when the EOT specified + number of sectors have been read. If the 82078 + does not find an I D Address Mark on the diskette + after the second· occurrence of a pulse on the + INDX# pin, then it sets the IC code in Status Regis- + ter 0 to "01" (Abnormal termination), sets the MA bit + in Status Register 1 to "1", and terminates the com- + mand. + +* 6.1.6 VERIFY + + Refer to Table 6-6 and Table 6-7 for information + concerning the values of MT and EC versus SC and + EOT value. + +* Table 6·6. Result Phase Table + +* Table 6-7. Verify Command Result Phase Table + +Fix by aborting the transfer when EOT > # Sectors Per Side. + +Cc: qemu-stable@nongnu.org +Cc: Hervé Poussineau +Fixes: baca51faff0 ("floppy driver: disk geometry auto detect") +Reported-by: Alexander Bulekov +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/339 +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211118115733.4038610-2-philmd@redhat.com> +Reviewed-by: Hanna Reitz +Signed-off-by: Kevin Wolf + +Upstream-Status: Backport [defac5e2fbddf8423a354ff0454283a2115e1367] +CVE: CVE-2021-3507 + +Signed-off-by: Sakib Sajal +--- + hw/block/fdc.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/block/fdc.c b/hw/block/fdc.c +index 347875a0c..57bb35579 100644 +--- a/hw/block/fdc.c ++++ b/hw/block/fdc.c +@@ -1530,6 +1530,14 @@ static void fdctrl_start_transfer(FDCtrl *fdctrl, int direction) + int tmp; + fdctrl->data_len = 128 << (fdctrl->fifo[5] > 7 ? 7 : fdctrl->fifo[5]); + tmp = (fdctrl->fifo[6] - ks + 1); ++ if (tmp < 0) { ++ FLOPPY_DPRINTF("invalid EOT: %d\n", tmp); ++ fdctrl_stop_transfer(fdctrl, FD_SR0_ABNTERM, FD_SR1_MA, 0x00); ++ fdctrl->fifo[3] = kt; ++ fdctrl->fifo[4] = kh; ++ fdctrl->fifo[5] = ks; ++ return; ++ } + if (fdctrl->fifo[0] & 0x80) + tmp += fdctrl->fifo[6]; + fdctrl->data_len *= tmp; +-- +2.33.0 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch new file mode 100644 index 0000000000..acc93e897b --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch @@ -0,0 +1,115 @@ +From 3e8601ec707dcbc3c768f7733d016dc70c947e4a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 18 Nov 2021 12:57:33 +0100 +Subject: [PATCH 2/2] tests/qtest/fdc-test: Add a regression test for + CVE-2021-3507 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Add the reproducer from https://gitlab.com/qemu-project/qemu/-/issues/339 + +Without the previous commit, when running 'make check-qtest-i386' +with QEMU configured with '--enable-sanitizers' we get: + + ==4028352==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000062a00 at pc 0x5626d03c491a bp 0x7ffdb4199410 sp 0x7ffdb4198bc0 + READ of size 786432 at 0x619000062a00 thread T0 + #0 0x5626d03c4919 in __asan_memcpy (qemu-system-i386+0x1e65919) + #1 0x5626d1c023cc in flatview_write_continue softmmu/physmem.c:2787:13 + #2 0x5626d1bf0c0f in flatview_write softmmu/physmem.c:2822:14 + #3 0x5626d1bf0798 in address_space_write softmmu/physmem.c:2914:18 + #4 0x5626d1bf0f37 in address_space_rw softmmu/physmem.c:2924:16 + #5 0x5626d1bf14c8 in cpu_physical_memory_rw softmmu/physmem.c:2933:5 + #6 0x5626d0bd5649 in cpu_physical_memory_write include/exec/cpu-common.h:82:5 + #7 0x5626d0bd0a07 in i8257_dma_write_memory hw/dma/i8257.c:452:9 + #8 0x5626d09f825d in fdctrl_transfer_handler hw/block/fdc.c:1616:13 + #9 0x5626d0a048b4 in fdctrl_start_transfer hw/block/fdc.c:1539:13 + #10 0x5626d09f4c3e in fdctrl_write_data hw/block/fdc.c:2266:13 + #11 0x5626d09f22f7 in fdctrl_write hw/block/fdc.c:829:9 + #12 0x5626d1c20bc5 in portio_write softmmu/ioport.c:207:17 + + 0x619000062a00 is located 0 bytes to the right of 512-byte region [0x619000062800,0x619000062a00) + allocated by thread T0 here: + #0 0x5626d03c66ec in posix_memalign (qemu-system-i386+0x1e676ec) + #1 0x5626d2b988d4 in qemu_try_memalign util/oslib-posix.c:210:11 + #2 0x5626d2b98b0c in qemu_memalign util/oslib-posix.c:226:27 + #3 0x5626d09fbaf0 in fdctrl_realize_common hw/block/fdc.c:2341:20 + #4 0x5626d0a150ed in isabus_fdc_realize hw/block/fdc-isa.c:113:5 + #5 0x5626d2367935 in device_set_realized hw/core/qdev.c:531:13 + + SUMMARY: AddressSanitizer: heap-buffer-overflow (qemu-system-i386+0x1e65919) in __asan_memcpy + Shadow bytes around the buggy address: + 0x0c32800044f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c3280004500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c3280004510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c3280004520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c3280004530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + =>0x0c3280004540:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c3280004550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c3280004560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c3280004570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c3280004580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c3280004590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Heap left redzone: fa + Freed heap region: fd + ==4028352==ABORTING + +[ kwolf: Added snapshot=on to prevent write file lock failure ] + +Reported-by: Alexander Bulekov +Signed-off-by: Philippe Mathieu-Daudé +Reviewed-by: Alexander Bulekov +Signed-off-by: Kevin Wolf + +Upstream-Status: Backport [46609b90d9e3a6304def11038a76b58ff43f77bc] +CVE: CVE-2021-3507 + +Signed-off-by: Sakib Sajal +--- + tests/qtest/fdc-test.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/tests/qtest/fdc-test.c b/tests/qtest/fdc-test.c +index b0d40012e..1d4f85212 100644 +--- a/tests/qtest/fdc-test.c ++++ b/tests/qtest/fdc-test.c +@@ -583,6 +583,26 @@ static void test_cve_2021_20196(void) + qtest_quit(s); + } + ++static void test_cve_2021_3507(void) ++{ ++ QTestState *s; ++ ++ s = qtest_initf("-nographic -m 32M -nodefaults " ++ "-drive file=%s,format=raw,if=floppy,snapshot=on", ++ test_image); ++ qtest_outl(s, 0x9, 0x0a0206); ++ qtest_outw(s, 0x3f4, 0x1600); ++ qtest_outw(s, 0x3f4, 0x0000); ++ qtest_outw(s, 0x3f4, 0x0000); ++ qtest_outw(s, 0x3f4, 0x0000); ++ qtest_outw(s, 0x3f4, 0x0200); ++ qtest_outw(s, 0x3f4, 0x0200); ++ qtest_outw(s, 0x3f4, 0x0000); ++ qtest_outw(s, 0x3f4, 0x0000); ++ qtest_outw(s, 0x3f4, 0x0000); ++ qtest_quit(s); ++} ++ + int main(int argc, char **argv) + { + int fd; +@@ -614,6 +634,7 @@ int main(int argc, char **argv) + qtest_add_func("/fdc/read_no_dma_19", test_read_no_dma_19); + qtest_add_func("/fdc/fuzz-registers", fuzz_registers); + qtest_add_func("/fdc/fuzz/cve_2021_20196", test_cve_2021_20196); ++ qtest_add_func("/fdc/fuzz/cve_2021_3507", test_cve_2021_3507); + + ret = g_test_run(); + +-- +2.33.0 +