diff mbox series

[dunfell,v2] qemu: fix CVE-2021-20196 block fdc null pointer dereference may lead to guest crash

Message ID 20221117122122.257937-1-vkumbhar@mvista.com
State New, archived
Headers show
Series [dunfell,v2] qemu: fix CVE-2021-20196 block fdc null pointer dereference may lead to guest crash | expand

Commit Message

Vivek Kumbhar Nov. 17, 2022, 12:21 p.m. UTC 
From: Vivek Kumbhar <vkumbhar@mvista.com>

Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/1ab95af033a419e7a64e2d58e67dd96b20af5233]

Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |  1 +
 .../qemu/qemu/CVE-2021-20196.patch            | 50 +++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch

Comments

Steve Sakoman Nov. 17, 2022, 5:40 p.m. UTC | #1 
This patch breaks the qemu build:

https://errors.yoctoproject.org/Errors/Details/677989/

TLDR:

TOPDIR/tmp/work/i686-nativesdk-pokysdk-linux/nativesdk-qemu/4.2.0-r0/recipe-sysroot-native/usr/bin/i686-pokysdk-linux/../../libexec/i686-pokysdk-linux/gcc/i686-pokysdk-linux/9.5.0/ld:
../hw/block/fdc.o: in function `get_cur_drv':
/usr/src/debug/nativesdk-qemu/4.2.0-r0/qemu-4.2.0/hw/block/fdc.c:1369:
undefined reference to `blk_create_empty_drive'
collect2: error: ld returned 1 exit status

Steve

On Thu, Nov 17, 2022 at 2:21 AM vkumbhar <vkumbhar@mvista.com> wrote:
>
> From: Vivek Kumbhar <vkumbhar@mvista.com>
>
> Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/1ab95af033a419e7a64e2d58e67dd96b20af5233]
>
> Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
> ---
>  meta/recipes-devtools/qemu/qemu.inc           |  1 +
>  .../qemu/qemu/CVE-2021-20196.patch            | 50 +++++++++++++++++++
>  2 files changed, 51 insertions(+)
>  create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch
>
> diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
> index 28caefef07..e601cee890 100644
> --- a/meta/recipes-devtools/qemu/qemu.inc
> +++ b/meta/recipes-devtools/qemu/qemu.inc
> @@ -112,6 +112,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
>             file://CVE-2022-0216-1.patch \
>             file://CVE-2022-0216-2.patch \
>             file://CVE-2021-3750.patch \
> +          file://CVE-2021-20196.patch \
>             "
>  UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
>
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch
> new file mode 100644
> index 0000000000..3d65c1b2f1
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch
> @@ -0,0 +1,50 @@
> +From b983146dcebd7dee9a727f3b83ad86361ef58637 Mon Sep 17 00:00:00 2001
> +From: Vivek Kumbhar <vkumbhar@mvista.com>
> +Date: Thu, 17 Nov 2022 17:37:08 +0530
> +Subject: [PATCH] CVE-2021-20196
> +
> +Upstream-Status: https://gitlab.com/qemu-project/qemu/-/commit/1ab95af033a419e7a64e2d58e67dd96b20af5233
> +CVE: CVE-2021-20196
> +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
> +
> +hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196
> +
> +Guest might select another drive on the bus by setting the
> +DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR).
> +The current controller model doesn't expect a BlockBackend
> +to be NULL. A simple way to fix CVE-2021-20196 is to create
> +an empty BlockBackend when it is missing. All further
> +accesses will be safely handled, and the controller state
> +machines keep behaving correctly.
> +---
> + hw/block/fdc.c | 14 +++++++++++++-
> + 1 file changed, 13 insertions(+), 1 deletion(-)
> +
> +diff --git a/hw/block/fdc.c b/hw/block/fdc.c
> +index ac5d31e8..a887369c 100644
> +--- a/hw/block/fdc.c
> ++++ b/hw/block/fdc.c
> +@@ -1356,7 +1356,19 @@ static FDrive *get_drv(FDCtrl *fdctrl, int unit)
> +
> + static FDrive *get_cur_drv(FDCtrl *fdctrl)
> + {
> +-    return get_drv(fdctrl, fdctrl->cur_drv);
> ++    FDrive *cur_drv = get_drv(fdctrl, fdctrl->cur_drv);
> ++
> ++    if (!cur_drv->blk) {
> ++        /*
> ++         * Kludge: empty drive line selected. Create an anonymous
> ++         * BlockBackend to avoid NULL deref with various BlockBackend
> ++         * API calls within this model (CVE-2021-20196).
> ++         * Due to the controller QOM model limitations, we don't
> ++         * attach the created to the controller device.
> ++         */
> ++        cur_drv->blk = blk_create_empty_drive();
> ++    }
> ++    return cur_drv;
> + }
> +
> + /* Status A register : 0x00 (read-only) */
> +--
> +2.25.1
> +
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#173419): https://lists.openembedded.org/g/openembedded-core/message/173419
> Mute This Topic: https://lists.openembedded.org/mt/95088297/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
diff mbox series

Patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 28caefef07..e601cee890 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -112,6 +112,7 @@  SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://CVE-2022-0216-1.patch \
            file://CVE-2022-0216-2.patch \
            file://CVE-2021-3750.patch \
+	   file://CVE-2021-20196.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch
new file mode 100644
index 0000000000..3d65c1b2f1
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch
@@ -0,0 +1,50 @@ 
+From b983146dcebd7dee9a727f3b83ad86361ef58637 Mon Sep 17 00:00:00 2001
+From: Vivek Kumbhar <vkumbhar@mvista.com>
+Date: Thu, 17 Nov 2022 17:37:08 +0530
+Subject: [PATCH] CVE-2021-20196
+
+Upstream-Status: https://gitlab.com/qemu-project/qemu/-/commit/1ab95af033a419e7a64e2d58e67dd96b20af5233
+CVE: CVE-2021-20196
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+
+hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196
+
+Guest might select another drive on the bus by setting the
+DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR).
+The current controller model doesn't expect a BlockBackend
+to be NULL. A simple way to fix CVE-2021-20196 is to create
+an empty BlockBackend when it is missing. All further
+accesses will be safely handled, and the controller state
+machines keep behaving correctly.
+---
+ hw/block/fdc.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index ac5d31e8..a887369c 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -1356,7 +1356,19 @@ static FDrive *get_drv(FDCtrl *fdctrl, int unit)
+ 
+ static FDrive *get_cur_drv(FDCtrl *fdctrl)
+ {
+-    return get_drv(fdctrl, fdctrl->cur_drv);
++    FDrive *cur_drv = get_drv(fdctrl, fdctrl->cur_drv);
++
++    if (!cur_drv->blk) {
++        /*
++         * Kludge: empty drive line selected. Create an anonymous
++         * BlockBackend to avoid NULL deref with various BlockBackend
++         * API calls within this model (CVE-2021-20196).
++         * Due to the controller QOM model limitations, we don't
++         * attach the created to the controller device.
++         */
++        cur_drv->blk = blk_create_empty_drive();
++    }
++    return cur_drv;
+ }
+ 
+ /* Status A register : 0x00 (read-only) */
+-- 
+2.25.1
+