From patchwork Fri Sep 9 11:25:22 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Richard Purdie X-Patchwork-Id: 14287 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org From: "Richard Purdie" Subject: [PATCH 1/2] qemu: Upgrade 7.0.0 -> 7.1.0 Date: Fri, 9 Sep 2022 12:25:22 +0100 Message-Id: <20220909112523.648717-1-richard.purdie@linuxfoundation.org> MIME-Version: 1.0 List-id: To: openembedded-core@lists.openembedded.org Drop CVE backports and backported patch for pvrdma which was also applied upstream. Refresh cross.patch. Drop vnc-png option removed upstream. Update ptest path manipulations for target. qmp now has consists of multiple files so install them all as a python module. The upgrade contains fixes for virtio block devices which we hope will address vda device tracebacks on the autobuilder from qemu. Signed-off-by: Richard Purdie --- meta/conf/distro/include/tcmode-default.inc | 2 +- ...u-native_7.0.0.bb => qemu-native_7.1.0.bb} | 0 ...e_7.0.0.bb => qemu-system-native_7.1.0.bb} | 3 +- meta/recipes-devtools/qemu/qemu.inc | 21 ++- ...t-against-buggy-or-malicious-guest-d.patch | 57 ------- .../qemu/qemu/CVE-2021-3507_1.patch | 92 ----------- .../qemu/qemu/CVE-2021-3507_2.patch | 115 -------------- .../qemu/qemu/CVE-2022-0216_1.patch | 42 ----- .../qemu/qemu/CVE-2022-0216_2.patch | 146 ------------------ .../qemu/qemu/CVE-2022-35414.patch | 53 ------- meta/recipes-devtools/qemu/qemu/cross.patch | 17 +- .../qemu/{qemu_7.0.0.bb => qemu_7.1.0.bb} | 0 12 files changed, 20 insertions(+), 528 deletions(-) rename meta/recipes-devtools/qemu/{qemu-native_7.0.0.bb => qemu-native_7.1.0.bb} (100%) rename meta/recipes-devtools/qemu/{qemu-system-native_7.0.0.bb => qemu-system-native_7.1.0.bb} (90%) delete mode 100644 meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch rename meta/recipes-devtools/qemu/{qemu_7.0.0.bb => qemu_7.1.0.bb} (100%) diff --git a/meta/conf/distro/include/tcmode-default.inc b/meta/conf/distro/include/tcmode-default.inc index 9abd121e3a7..59b226e62fc 100644 --- a/meta/conf/distro/include/tcmode-default.inc +++ b/meta/conf/distro/include/tcmode-default.inc @@ -22,7 +22,7 @@ BINUVERSION ?= "2.39%" GDBVERSION ?= "12.%" GLIBCVERSION ?= "2.36" LINUXLIBCVERSION ?= "5.19%" -QEMUVERSION ?= "7.0%" +QEMUVERSION ?= "7.1%" GOVERSION ?= "1.19%" # This can not use wildcards like 8.0.% since it is also used in mesa to denote # llvm version being used, so always bump it with llvm recipe version bump diff --git a/meta/recipes-devtools/qemu/qemu-native_7.0.0.bb b/meta/recipes-devtools/qemu/qemu-native_7.1.0.bb similarity index 100% rename from meta/recipes-devtools/qemu/qemu-native_7.0.0.bb rename to meta/recipes-devtools/qemu/qemu-native_7.1.0.bb diff --git a/meta/recipes-devtools/qemu/qemu-system-native_7.0.0.bb b/meta/recipes-devtools/qemu/qemu-system-native_7.1.0.bb similarity index 90% rename from meta/recipes-devtools/qemu/qemu-system-native_7.0.0.bb rename to meta/recipes-devtools/qemu/qemu-system-native_7.1.0.bb index 5ccede5095c..04c7c2a6acf 100644 --- a/meta/recipes-devtools/qemu/qemu-system-native_7.0.0.bb +++ b/meta/recipes-devtools/qemu/qemu-system-native_7.1.0.bb @@ -28,5 +28,6 @@ do_install:append() { rm -rf ${D}${includedir}/qemu-plugin.h # Install qmp.py to be used with testimage - install -D ${S}/python/qemu/qmp/__init__.py ${D}${libdir}/qemu-python/qmp.py + install -d ${D}${libdir}/qemu-python/qmp/ + install -D ${S}/python/qemu/qmp/* ${D}${libdir}/qemu-python/qmp/ } diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 56fc7aaf55f..f22de74ea41 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -26,17 +26,11 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://0007-qemu-Determinism-fixes.patch \ file://0008-tests-meson.build-use-relative-path-to-refer-to-file.patch \ file://0009-Define-MAP_SYNC-and-MAP_SHARED_VALIDATE-on-needed-li.patch \ - file://0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch \ - file://qemu-7.0.0-glibc-2.36.patch \ - file://CVE-2022-35414.patch \ - file://CVE-2021-3507_1.patch \ - file://CVE-2021-3507_2.patch \ - file://CVE-2022-0216_1.patch \ - file://CVE-2022-0216_2.patch \ " +BAR = " file://0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" -SRC_URI[sha256sum] = "f6b375c7951f728402798b0baabb2d86478ca53d44cedbefabbe1c46bf46f839" +SRC_URI[sha256sum] = "a0634e536bded57cf38ec8a751adb124b89c776fe0846f21ab6c6728f1cbbbe6" SRC_URI:append:class-target = " file://cross.patch" SRC_URI:append:class-nativesdk = " file://cross.patch" @@ -75,8 +69,14 @@ do_install_ptest() { # Strip the paths from the QEMU variable, we can use PATH sed -i -e "s#^QEMU=.*/qemu-#QEMU=qemu-#g" ${D}${PTEST_PATH}/tests/tcg/*.mak - # Strip compiler flags as they break reproducibility - sed -i -e "s,CROSS_CC_GUEST=.*,CROSS_CC_GUEST=," ${D}${PTEST_PATH}/tests/tcg/*.mak + # Strip compiler flags as they break reproducibility + sed -i -e "s,^CC=.*,CC=gcc," \ + -e "s,^CCAS=.*,CCAS=gcc," \ + -e "s,^LD=.*,LD=ld," ${D}${PTEST_PATH}/tests/tcg/*.mak + + # Update SRC_PATH variable to the right place on target + sed -i -e "s#^SRC_PATH=.*#SRC_PATH=${PTEST_PATH}#g" ${D}${PTEST_PATH}/tests/tcg/*.mak + } # QEMU_TARGETS is overridable variable @@ -151,7 +151,6 @@ PACKAGECONFIG[uring] = "--enable-linux-io-uring,--disable-linux-io-uring,liburin PACKAGECONFIG[xen] = "--enable-xen,--disable-xen,xen-tools,xen-tools-libxenstore xen-tools-libxenctrl xen-tools-libxenguest" PACKAGECONFIG[vnc-sasl] = "--enable-vnc --enable-vnc-sasl,--disable-vnc-sasl,cyrus-sasl," PACKAGECONFIG[vnc-jpeg] = "--enable-vnc --enable-vnc-jpeg,--disable-vnc-jpeg,jpeg," -PACKAGECONFIG[vnc-png] = "--enable-vnc --enable-vnc-png,--disable-vnc-png,libpng," PACKAGECONFIG[libcurl] = "--enable-curl,--disable-curl,curl," PACKAGECONFIG[nss] = "--enable-smartcard,--disable-smartcard,nss," PACKAGECONFIG[curses] = "--enable-curses,--disable-curses,ncurses," diff --git a/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch b/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch deleted file mode 100644 index 826d42fc203..00000000000 --- a/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch +++ /dev/null @@ -1,57 +0,0 @@ -From 52c38fa9f3a790a7c2805e7d8cce3ea9262d6ae2 Mon Sep 17 00:00:00 2001 -From: Yuval Shaia -Date: Tue, 12 Apr 2022 11:01:51 +0100 -Subject: [PATCH 10/12] hw/pvrdma: Protect against buggy or malicious guest - driver - -Guest driver might execute HW commands when shared buffers are not yet -allocated. -This might happen on purpose (malicious guest) or because some other -guest/host address mapping. -We need to protect againts such case. - -Reported-by: Mauro Matteo Cascella -Signed-off-by: Yuval Shaia - -CVE: CVE-2022-1050 -Upstream-Status: Submitted [https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05197.html] - ---- - hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++ - hw/rdma/vmw/pvrdma_main.c | 3 ++- - 2 files changed, 8 insertions(+), 1 deletion(-) - -diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c -index da7ddfa54..89db963c4 100644 ---- a/hw/rdma/vmw/pvrdma_cmd.c -+++ b/hw/rdma/vmw/pvrdma_cmd.c -@@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev) - - dsr_info = &dev->dsr_info; - -+ if (!dsr_info->dsr) { -+ /* Buggy or malicious guest driver */ -+ rdma_error_report("Exec command without dsr, req or rsp buffers"); -+ goto out; -+ } -+ - if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) / - sizeof(struct cmd_handler)) { - rdma_error_report("Unsupported command"); -diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c -index 91206dbb8..0b7d908e2 100644 ---- a/hw/rdma/vmw/pvrdma_main.c -+++ b/hw/rdma/vmw/pvrdma_main.c -@@ -249,7 +249,8 @@ static void init_dsr_dev_caps(PVRDMADev *dev) - { - struct pvrdma_device_shared_region *dsr; - -- if (dev->dsr_info.dsr == NULL) { -+ if (!dev->dsr_info.dsr) { -+ /* Buggy or malicious guest driver */ - rdma_error_report("Can't initialized DSR"); - return; - } --- -2.30.2 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch deleted file mode 100644 index 24fd2c5ed3e..00000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch +++ /dev/null @@ -1,92 +0,0 @@ -From 57a89cc36ead7234e540d0ecbe1a792ab6b04cb7 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= -Date: Thu, 18 Nov 2021 12:57:32 +0100 -Subject: [PATCH 1/2] hw/block/fdc: Prevent end-of-track overrun - (CVE-2021-3507) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Per the 82078 datasheet, if the end-of-track (EOT byte in -the FIFO) is more than the number of sectors per side, the -command is terminated unsuccessfully: - -* 5.2.5 DATA TRANSFER TERMINATION - - The 82078 supports terminal count explicitly through - the TC pin and implicitly through the underrun/over- - run and end-of-track (EOT) functions. For full sector - transfers, the EOT parameter can define the last - sector to be transferred in a single or multisector - transfer. If the last sector to be transferred is a par- - tial sector, the host can stop transferring the data in - mid-sector, and the 82078 will continue to complete - the sector as if a hardware TC was received. The - only difference between these implicit functions and - TC is that they return "abnormal termination" result - status. Such status indications can be ignored if they - were expected. - -* 6.1.3 READ TRACK - - This command terminates when the EOT specified - number of sectors have been read. If the 82078 - does not find an I D Address Mark on the diskette - after the second· occurrence of a pulse on the - INDX# pin, then it sets the IC code in Status Regis- - ter 0 to "01" (Abnormal termination), sets the MA bit - in Status Register 1 to "1", and terminates the com- - mand. - -* 6.1.6 VERIFY - - Refer to Table 6-6 and Table 6-7 for information - concerning the values of MT and EC versus SC and - EOT value. - -* Table 6·6. Result Phase Table - -* Table 6-7. Verify Command Result Phase Table - -Fix by aborting the transfer when EOT > # Sectors Per Side. - -Cc: qemu-stable@nongnu.org -Cc: Hervé Poussineau -Fixes: baca51faff0 ("floppy driver: disk geometry auto detect") -Reported-by: Alexander Bulekov -Resolves: https://gitlab.com/qemu-project/qemu/-/issues/339 -Signed-off-by: Philippe Mathieu-Daudé -Message-Id: <20211118115733.4038610-2-philmd@redhat.com> -Reviewed-by: Hanna Reitz -Signed-off-by: Kevin Wolf - -Upstream-Status: Backport [defac5e2fbddf8423a354ff0454283a2115e1367] -CVE: CVE-2021-3507 - -Signed-off-by: Sakib Sajal ---- - hw/block/fdc.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/hw/block/fdc.c b/hw/block/fdc.c -index 347875a0c..57bb35579 100644 ---- a/hw/block/fdc.c -+++ b/hw/block/fdc.c -@@ -1530,6 +1530,14 @@ static void fdctrl_start_transfer(FDCtrl *fdctrl, int direction) - int tmp; - fdctrl->data_len = 128 << (fdctrl->fifo[5] > 7 ? 7 : fdctrl->fifo[5]); - tmp = (fdctrl->fifo[6] - ks + 1); -+ if (tmp < 0) { -+ FLOPPY_DPRINTF("invalid EOT: %d\n", tmp); -+ fdctrl_stop_transfer(fdctrl, FD_SR0_ABNTERM, FD_SR1_MA, 0x00); -+ fdctrl->fifo[3] = kt; -+ fdctrl->fifo[4] = kh; -+ fdctrl->fifo[5] = ks; -+ return; -+ } - if (fdctrl->fifo[0] & 0x80) - tmp += fdctrl->fifo[6]; - fdctrl->data_len *= tmp; --- -2.33.0 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch deleted file mode 100644 index acc93e897b5..00000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch +++ /dev/null @@ -1,115 +0,0 @@ -From 3e8601ec707dcbc3c768f7733d016dc70c947e4a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= -Date: Thu, 18 Nov 2021 12:57:33 +0100 -Subject: [PATCH 2/2] tests/qtest/fdc-test: Add a regression test for - CVE-2021-3507 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Add the reproducer from https://gitlab.com/qemu-project/qemu/-/issues/339 - -Without the previous commit, when running 'make check-qtest-i386' -with QEMU configured with '--enable-sanitizers' we get: - - ==4028352==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000062a00 at pc 0x5626d03c491a bp 0x7ffdb4199410 sp 0x7ffdb4198bc0 - READ of size 786432 at 0x619000062a00 thread T0 - #0 0x5626d03c4919 in __asan_memcpy (qemu-system-i386+0x1e65919) - #1 0x5626d1c023cc in flatview_write_continue softmmu/physmem.c:2787:13 - #2 0x5626d1bf0c0f in flatview_write softmmu/physmem.c:2822:14 - #3 0x5626d1bf0798 in address_space_write softmmu/physmem.c:2914:18 - #4 0x5626d1bf0f37 in address_space_rw softmmu/physmem.c:2924:16 - #5 0x5626d1bf14c8 in cpu_physical_memory_rw softmmu/physmem.c:2933:5 - #6 0x5626d0bd5649 in cpu_physical_memory_write include/exec/cpu-common.h:82:5 - #7 0x5626d0bd0a07 in i8257_dma_write_memory hw/dma/i8257.c:452:9 - #8 0x5626d09f825d in fdctrl_transfer_handler hw/block/fdc.c:1616:13 - #9 0x5626d0a048b4 in fdctrl_start_transfer hw/block/fdc.c:1539:13 - #10 0x5626d09f4c3e in fdctrl_write_data hw/block/fdc.c:2266:13 - #11 0x5626d09f22f7 in fdctrl_write hw/block/fdc.c:829:9 - #12 0x5626d1c20bc5 in portio_write softmmu/ioport.c:207:17 - - 0x619000062a00 is located 0 bytes to the right of 512-byte region [0x619000062800,0x619000062a00) - allocated by thread T0 here: - #0 0x5626d03c66ec in posix_memalign (qemu-system-i386+0x1e676ec) - #1 0x5626d2b988d4 in qemu_try_memalign util/oslib-posix.c:210:11 - #2 0x5626d2b98b0c in qemu_memalign util/oslib-posix.c:226:27 - #3 0x5626d09fbaf0 in fdctrl_realize_common hw/block/fdc.c:2341:20 - #4 0x5626d0a150ed in isabus_fdc_realize hw/block/fdc-isa.c:113:5 - #5 0x5626d2367935 in device_set_realized hw/core/qdev.c:531:13 - - SUMMARY: AddressSanitizer: heap-buffer-overflow (qemu-system-i386+0x1e65919) in __asan_memcpy - Shadow bytes around the buggy address: - 0x0c32800044f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c3280004500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x0c3280004510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x0c3280004520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x0c3280004530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - =>0x0c3280004540:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c3280004550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c3280004560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c3280004570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c3280004580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c3280004590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd - Shadow byte legend (one shadow byte represents 8 application bytes): - Addressable: 00 - Heap left redzone: fa - Freed heap region: fd - ==4028352==ABORTING - -[ kwolf: Added snapshot=on to prevent write file lock failure ] - -Reported-by: Alexander Bulekov -Signed-off-by: Philippe Mathieu-Daudé -Reviewed-by: Alexander Bulekov -Signed-off-by: Kevin Wolf - -Upstream-Status: Backport [46609b90d9e3a6304def11038a76b58ff43f77bc] -CVE: CVE-2021-3507 - -Signed-off-by: Sakib Sajal ---- - tests/qtest/fdc-test.c | 21 +++++++++++++++++++++ - 1 file changed, 21 insertions(+) - -diff --git a/tests/qtest/fdc-test.c b/tests/qtest/fdc-test.c -index b0d40012e..1d4f85212 100644 ---- a/tests/qtest/fdc-test.c -+++ b/tests/qtest/fdc-test.c -@@ -583,6 +583,26 @@ static void test_cve_2021_20196(void) - qtest_quit(s); - } - -+static void test_cve_2021_3507(void) -+{ -+ QTestState *s; -+ -+ s = qtest_initf("-nographic -m 32M -nodefaults " -+ "-drive file=%s,format=raw,if=floppy,snapshot=on", -+ test_image); -+ qtest_outl(s, 0x9, 0x0a0206); -+ qtest_outw(s, 0x3f4, 0x1600); -+ qtest_outw(s, 0x3f4, 0x0000); -+ qtest_outw(s, 0x3f4, 0x0000); -+ qtest_outw(s, 0x3f4, 0x0000); -+ qtest_outw(s, 0x3f4, 0x0200); -+ qtest_outw(s, 0x3f4, 0x0200); -+ qtest_outw(s, 0x3f4, 0x0000); -+ qtest_outw(s, 0x3f4, 0x0000); -+ qtest_outw(s, 0x3f4, 0x0000); -+ qtest_quit(s); -+} -+ - int main(int argc, char **argv) - { - int fd; -@@ -614,6 +634,7 @@ int main(int argc, char **argv) - qtest_add_func("/fdc/read_no_dma_19", test_read_no_dma_19); - qtest_add_func("/fdc/fuzz-registers", fuzz_registers); - qtest_add_func("/fdc/fuzz/cve_2021_20196", test_cve_2021_20196); -+ qtest_add_func("/fdc/fuzz/cve_2021_3507", test_cve_2021_3507); - - ret = g_test_run(); - --- -2.33.0 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch deleted file mode 100644 index 56fc34ce5af..00000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch +++ /dev/null @@ -1,42 +0,0 @@ -From f37ac8619a39498edd225c4a0b3039b28814833d Mon Sep 17 00:00:00 2001 -From: Mauro Matteo Cascella -Date: Tue, 5 Jul 2022 22:05:43 +0200 -Subject: [PATCH 1/2] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout - (CVE-2022-0216) - -Set current_req->req to NULL to prevent reusing a free'd buffer in case of -repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch. - -Fixes: CVE-2022-0216 -Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972 -Signed-off-by: Mauro Matteo Cascella -Reviewed-by: Thomas Huth -Message-Id: <20220705200543.2366809-1-mcascell@redhat.com> -Signed-off-by: Paolo Bonzini - -Upstream-Status: Backport [6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8] -CVE: CVE-2022-0216 - -Signed-off-by: Sakib Sajal ---- - hw/scsi/lsi53c895a.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c -index c8773f73f..99ea42d49 100644 ---- a/hw/scsi/lsi53c895a.c -+++ b/hw/scsi/lsi53c895a.c -@@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s) - case 0x0d: - /* The ABORT TAG message clears the current I/O process only. */ - trace_lsi_do_msgout_abort(current_tag); -- if (current_req) { -+ if (current_req && current_req->req) { - scsi_req_cancel(current_req->req); -+ current_req->req = NULL; - } - lsi_disconnect(s); - break; --- -2.33.0 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch deleted file mode 100644 index f332154b6a9..00000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch +++ /dev/null @@ -1,146 +0,0 @@ -From 5451bf6db85ce3da1238e9154d051ebccec8f171 Mon Sep 17 00:00:00 2001 -From: Mauro Matteo Cascella -Date: Mon, 11 Jul 2022 14:33:16 +0200 -Subject: [PATCH 2/2] scsi/lsi53c895a: really fix use-after-free in - lsi_do_msgout (CVE-2022-0216) - -Set current_req to NULL, not current_req->req, to prevent reusing a free'd -buffer in case of repeated SCSI cancel requests. Also apply the fix to -CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel -the request. - -Thanks to Alexander Bulekov for providing a reproducer. - -Fixes: CVE-2022-0216 -Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972 -Signed-off-by: Mauro Matteo Cascella -Tested-by: Alexander Bulekov -Message-Id: <20220711123316.421279-1-mcascell@redhat.com> -Signed-off-by: Paolo Bonzini - -Upstream-Status: Backport [4367a20cc442c56b05611b4224de9a61908f9eac] -CVE: CVE-2022-0216 - -Signed-off-by: Sakib Sajal ---- - hw/scsi/lsi53c895a.c | 3 +- - tests/qtest/fuzz-lsi53c895a-test.c | 76 ++++++++++++++++++++++++++++++ - 2 files changed, 78 insertions(+), 1 deletion(-) - -diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c -index 99ea42d49..ad5f5e5f3 100644 ---- a/hw/scsi/lsi53c895a.c -+++ b/hw/scsi/lsi53c895a.c -@@ -1030,7 +1030,7 @@ static void lsi_do_msgout(LSIState *s) - trace_lsi_do_msgout_abort(current_tag); - if (current_req && current_req->req) { - scsi_req_cancel(current_req->req); -- current_req->req = NULL; -+ current_req = NULL; - } - lsi_disconnect(s); - break; -@@ -1056,6 +1056,7 @@ static void lsi_do_msgout(LSIState *s) - /* clear the current I/O process */ - if (s->current) { - scsi_req_cancel(s->current->req); -+ current_req = NULL; - } - - /* As the current implemented devices scsi_disk and scsi_generic -diff --git a/tests/qtest/fuzz-lsi53c895a-test.c b/tests/qtest/fuzz-lsi53c895a-test.c -index ba5d46897..c1af0ab1c 100644 ---- a/tests/qtest/fuzz-lsi53c895a-test.c -+++ b/tests/qtest/fuzz-lsi53c895a-test.c -@@ -8,6 +8,79 @@ - #include "qemu/osdep.h" - #include "libqos/libqtest.h" - -+/* -+ * This used to trigger a UAF in lsi_do_msgout() -+ * https://gitlab.com/qemu-project/qemu/-/issues/972 -+ */ -+static void test_lsi_do_msgout_cancel_req(void) -+{ -+ QTestState *s; -+ -+ if (sizeof(void *) == 4) { -+ g_test_skip("memory size too big for 32-bit build"); -+ return; -+ } -+ -+ s = qtest_init("-M q35 -m 4G -display none -nodefaults " -+ "-device lsi53c895a,id=scsi " -+ "-device scsi-hd,drive=disk0 " -+ "-drive file=null-co://,id=disk0,if=none,format=raw"); -+ -+ qtest_outl(s, 0xcf8, 0x80000810); -+ qtest_outl(s, 0xcf8, 0xc000); -+ qtest_outl(s, 0xcf8, 0x80000810); -+ qtest_outw(s, 0xcfc, 0x7); -+ qtest_outl(s, 0xcf8, 0x80000810); -+ qtest_outl(s, 0xcfc, 0xc000); -+ qtest_outl(s, 0xcf8, 0x80000804); -+ qtest_outw(s, 0xcfc, 0x05); -+ qtest_writeb(s, 0x69736c10, 0x08); -+ qtest_writeb(s, 0x69736c13, 0x58); -+ qtest_writeb(s, 0x69736c1a, 0x01); -+ qtest_writeb(s, 0x69736c1b, 0x06); -+ qtest_writeb(s, 0x69736c22, 0x01); -+ qtest_writeb(s, 0x69736c23, 0x07); -+ qtest_writeb(s, 0x69736c2b, 0x02); -+ qtest_writeb(s, 0x69736c48, 0x08); -+ qtest_writeb(s, 0x69736c4b, 0x58); -+ qtest_writeb(s, 0x69736c52, 0x04); -+ qtest_writeb(s, 0x69736c53, 0x06); -+ qtest_writeb(s, 0x69736c5b, 0x02); -+ qtest_outl(s, 0xc02d, 0x697300); -+ qtest_writeb(s, 0x5a554662, 0x01); -+ qtest_writeb(s, 0x5a554663, 0x07); -+ qtest_writeb(s, 0x5a55466a, 0x10); -+ qtest_writeb(s, 0x5a55466b, 0x22); -+ qtest_writeb(s, 0x5a55466c, 0x5a); -+ qtest_writeb(s, 0x5a55466d, 0x5a); -+ qtest_writeb(s, 0x5a55466e, 0x34); -+ qtest_writeb(s, 0x5a55466f, 0x5a); -+ qtest_writeb(s, 0x5a345a5a, 0x77); -+ qtest_writeb(s, 0x5a345a5b, 0x55); -+ qtest_writeb(s, 0x5a345a5c, 0x51); -+ qtest_writeb(s, 0x5a345a5d, 0x27); -+ qtest_writeb(s, 0x27515577, 0x41); -+ qtest_outl(s, 0xc02d, 0x5a5500); -+ qtest_writeb(s, 0x364001d0, 0x08); -+ qtest_writeb(s, 0x364001d3, 0x58); -+ qtest_writeb(s, 0x364001da, 0x01); -+ qtest_writeb(s, 0x364001db, 0x26); -+ qtest_writeb(s, 0x364001dc, 0x0d); -+ qtest_writeb(s, 0x364001dd, 0xae); -+ qtest_writeb(s, 0x364001de, 0x41); -+ qtest_writeb(s, 0x364001df, 0x5a); -+ qtest_writeb(s, 0x5a41ae0d, 0xf8); -+ qtest_writeb(s, 0x5a41ae0e, 0x36); -+ qtest_writeb(s, 0x5a41ae0f, 0xd7); -+ qtest_writeb(s, 0x5a41ae10, 0x36); -+ qtest_writeb(s, 0x36d736f8, 0x0c); -+ qtest_writeb(s, 0x36d736f9, 0x80); -+ qtest_writeb(s, 0x36d736fa, 0x0d); -+ qtest_outl(s, 0xc02d, 0x364000); -+ -+ qtest_quit(s); -+} -+ - /* - * This used to trigger the assert in lsi_do_dma() - * https://bugs.launchpad.net/qemu/+bug/697510 -@@ -48,5 +121,8 @@ int main(int argc, char **argv) - test_lsi_do_dma_empty_queue); - } - -+ qtest_add_func("fuzz/lsi53c895a/lsi_do_msgout_cancel_req", -+ test_lsi_do_msgout_cancel_req); -+ - return g_test_run(); - } --- -2.33.0 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch deleted file mode 100644 index fe79a749ae0..00000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch +++ /dev/null @@ -1,53 +0,0 @@ -From a10c33942dc8cb31b3762b9dd4adde4c490eed9c Mon Sep 17 00:00:00 2001 -From: Hitendra Prajapati -Date: Wed, 3 Aug 2022 10:11:11 +0530 -Subject: [PATCH] CVE-2022-35414 - -Upstream-Status: Backport [https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c] -CVE: CVE-2022-35414 -Signed-off-by: Hitendra Prajapati ---- - softmmu/physmem.c | 13 ++++++++++++- - 1 file changed, 12 insertions(+), 1 deletion(-) - -diff --git a/softmmu/physmem.c b/softmmu/physmem.c -index 4e1b27a20..ad8a90dec 100644 ---- a/softmmu/physmem.c -+++ b/softmmu/physmem.c -@@ -669,7 +669,7 @@ void tcg_iommu_init_notifier_list(CPUState *cpu) - - /* Called from RCU critical section */ - MemoryRegionSection * --address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr, -+address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr, - hwaddr *xlat, hwaddr *plen, - MemTxAttrs attrs, int *prot) - { -@@ -678,6 +678,7 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr, - IOMMUMemoryRegionClass *imrc; - IOMMUTLBEntry iotlb; - int iommu_idx; -+ hwaddr addr = orig_addr; - AddressSpaceDispatch *d = - qatomic_rcu_read(&cpu->cpu_ases[asidx].memory_dispatch); - -@@ -722,6 +723,16 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr, - return section; - - translate_fail: -+ /* -+ * We should be given a page-aligned address -- certainly -+ * tlb_set_page_with_attrs() does so. The page offset of xlat -+ * is used to index sections[], and PHYS_SECTION_UNASSIGNED = 0. -+ * The page portion of xlat will be logged by memory_region_access_valid() -+ * when this memory access is rejected, so use the original untranslated -+ * physical address. -+ */ -+ assert((orig_addr & ~TARGET_PAGE_MASK) == 0); -+ *xlat = orig_addr; - return &d->map.sections[PHYS_SECTION_UNASSIGNED]; - } - --- -2.25.1 - diff --git a/meta/recipes-devtools/qemu/qemu/cross.patch b/meta/recipes-devtools/qemu/qemu/cross.patch index d1256a12294..ca2ad361efc 100644 --- a/meta/recipes-devtools/qemu/qemu/cross.patch +++ b/meta/recipes-devtools/qemu/qemu/cross.patch @@ -14,19 +14,19 @@ Signed-off-by: Richard Purdie configure | 4 ---- 1 file changed, 4 deletions(-) -diff --git a/configure b/configure -index 7c08c1835..0613279f9 100755 ---- a/configure -+++ b/configure -@@ -3118,7 +3118,6 @@ if test "$skip_meson" = no; then - fi +Index: qemu-7.1.0/configure +=================================================================== +--- qemu-7.1.0.orig/configure ++++ qemu-7.1.0/configure +@@ -2710,7 +2710,6 @@ if test "$skip_meson" = no; then echo "strip = [$(meson_quote $strip)]" >> $cross + echo "widl = [$(meson_quote $widl)]" >> $cross echo "windres = [$(meson_quote $windres)]" >> $cross - if test "$cross_compile" = "yes"; then cross_arg="--cross-file config-meson.cross" echo "[host_machine]" >> $cross echo "system = '$targetos'" >> $cross -@@ -3136,9 +3135,6 @@ if test "$skip_meson" = no; then +@@ -2728,9 +2727,6 @@ if test "$skip_meson" = no; then else echo "endian = 'little'" >> $cross fi @@ -36,6 +36,3 @@ index 7c08c1835..0613279f9 100755 mv $cross config-meson.cross rm -rf meson-private meson-info meson-logs --- -2.30.2 - diff --git a/meta/recipes-devtools/qemu/qemu_7.0.0.bb b/meta/recipes-devtools/qemu/qemu_7.1.0.bb similarity index 100% rename from meta/recipes-devtools/qemu/qemu_7.0.0.bb rename to meta/recipes-devtools/qemu/qemu_7.1.0.bb