From patchwork Mon Feb 12 10:46:45 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Poonam Jadhav X-Patchwork-Id: 39183 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6395CC48297 for ; Mon, 12 Feb 2024 10:47:18 +0000 (UTC) Received: from mail-pl1-f181.google.com (mail-pl1-f181.google.com [209.85.214.181]) by mx.groups.io with SMTP id smtpd.web11.3957.1707734835167257998 for ; Mon, 12 Feb 2024 02:47:15 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=PaUzInwI; spf=pass (domain: gmail.com, ip: 209.85.214.181, mailfrom: ppjadhav456@gmail.com) Received: by mail-pl1-f181.google.com with SMTP id d9443c01a7336-1d76671e5a4so25038115ad.0 for ; Mon, 12 Feb 2024 02:47:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1707734834; x=1708339634; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=9xmfBw2zxluvWVmLe9XROWse0ks0Fo6vsX5K3UQY3Qk=; b=PaUzInwI5gCsnOKtYwI3BYtS2evIrJNMwQ4li638RXPJbcINwHMutfukQTBSpBz+6t s9pRmZ2Bztcy+GicVPzGrmRelSiqlsoecS07CQqCL3WIotCSL922hPT+FhKAHj9KZCET liKazpy8Y+4B3JUXBs11JMNOZ96VDet4QGT692haqDlKW7mZjNtKW66KTAlVW+oeHA8q Ahb04VwHKZU4ZejxSmiOgSemOj2mmEFXHhMvTQf0NGG+Mp838kHYcVyJoKkI/rAdmPsh BhFs+C4PH95Fv6xVZ6iIoZ0gJardAfXimgCC2H0XqY6XEhkwN8ZbBBnkwHk76PRjwBgv XjnQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707734834; x=1708339634; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; 
bh=9xmfBw2zxluvWVmLe9XROWse0ks0Fo6vsX5K3UQY3Qk=; b=nwXY5maIjRwUcw8A0wZ/ILHltiSbJI/9oAptRXhMkeAilR4QTAillk2nwmzheLGXbf WqCTywR3jp/KdxvZZbQsAF9m8+nKBkImyl9y9XhFfDOUMmvA+JqzfLYU7P7L4EBAXPUR AtFiOT1dqKAA07UU6XZ53U7prJ8X+w3mnM/obWN8DYtCHXripxj3g56ynqO5O+jHxu44 HveCTyB1LbbTyXgreuMRLsVkRGNCOy07sz59naXfkY3VYS77wfh2afTh5LcaYjezDk1S M8zhgG1o+cArIO1wri0/6cVMfQFe9Uq9MTVMgGIAQ8wXJOusMquN1kBImpAYQZltX1K0 mILA== X-Gm-Message-State: AOJu0YySEG1/dUildM9nG7xtlK/U1opcUw2BtYtsufiZ5dNhPtIRshMr Y3igatuKm4bgupmfRcS8oCcRQbG0qycF3MF3rksBdJZ+/deqP8Nu//Z2qn0I X-Google-Smtp-Source: AGHT+IEJh9N4CYJ4yeyAAdorBRGblu6IvbkG9oERUkhXtzDz2BPx1S6mHQUb0aa8TVjGvt3YjTZ8tA== X-Received: by 2002:a17:902:b589:b0:1da:1daa:e2bd with SMTP id a9-20020a170902b58900b001da1daae2bdmr6560056pls.19.1707734834245; Mon, 12 Feb 2024 02:47:14 -0800 (PST) X-Forwarded-Encrypted: i=1; AJvYcCXkQKnzzAMtalndqeR0QTAx/OnZe84D7R+OP4hy3J5xGxMivWKGyzQdTWXWWdhtGZ1ioCPjLmqZR+/J9cKpRalTmnJhu8Mx Received: from L-14805.kpit.com ([43.231.237.204]) by smtp.gmail.com with ESMTPSA id iw11-20020a170903044b00b001d986ce6893sm95746plb.198.2024.02.12.02.47.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 12 Feb 2024 02:47:13 -0800 (PST) From: Poonam Jadhav To: openembedded-core@lists.openembedded.org, poonam.jadhav@kpit.com Cc: virendra.thakur@kpit.com Subject: [OE-core][kirkstone][PATCH 1/3] scsi-disk: allow MODE SELECT block descriptor to set the block size Date: Mon, 12 Feb 2024 16:16:45 +0530 Message-Id: <20240212104647.376386-1-ppjadhav456@gmail.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 12 Feb 2024 10:47:18 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/195307 
From: Poonam Jadhav The MODE SELECT command can contain an optional block descriptor that can be used to set the device block size. If the block descriptor is present then update the block size on the SCSI device accordingly. This allows CDROMs to be used with A/UX which requires a CDROM drive which is capable of switching from a 2048 byte sector size to a 512 byte sector size. Link: https://github.com/qemu/qemu/commit/356c4c441ec01910314c5867c680bef80d1dd373 Signed-off-by: Poonam Jadhav --- meta/recipes-devtools/qemu/qemu.inc | 1 + ...lock-desriptor-to-set-the-block-size.patch | 54 +++++++++++++++++++ 2 files changed, 55 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/scsi-disk-allow-MODE-SELECT-block-desriptor-to-set-the-block-size.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index c5fb9b1eab..13355238e8 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -103,6 +103,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3638.patch \ file://CVE-2023-1544.patch \ file://CVE-2023-5088.patch \ + file://scsi-disk-allow-MODE-SELECT-block-desriptor-to-set-the-block-size.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/scsi-disk-allow-MODE-SELECT-block-desriptor-to-set-the-block-size.patch b/meta/recipes-devtools/qemu/qemu/scsi-disk-allow-MODE-SELECT-block-desriptor-to-set-the-block-size.patch new file mode 100644 index 0000000000..d8e48d07dd --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/scsi-disk-allow-MODE-SELECT-block-desriptor-to-set-the-block-size.patch 
@@ -0,0 +1,54 @@ +From 356c4c441ec01910314c5867c680bef80d1dd373 Mon Sep 17 00:00:00 2001 +From: Mark Cave-Ayland +Date: Wed, 22 Jun 2022 11:53:12 +0100 +Subject: [PATCH] scsi-disk: allow MODE SELECT block descriptor to set the + block size + +The MODE SELECT command can contain an optional block descriptor that can be used +to set the device block size. If the block descriptor is present then update the +block size on the SCSI device accordingly. + +This allows CDROMs to be used with A/UX which requires a CDROM drive which is +capable of switching from a 2048 byte sector size to a 512 byte sector size. + +Signed-off-by: Mark Cave-Ayland +Message-Id: <20220622105314.802852-13-mark.cave-ayland@ilande.co.uk> +Signed-off-by: Paolo Bonzini + +Comment: Patch is refreshed +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/356c4c441ec01910314c5867c680bef80d1dd373] +Signed-off-by: Poonam Jadhav +--- + hw/scsi/scsi-disk.c | 6 ++++++ + hw/scsi/trace-events | 1 + + 2 files changed, 7 insertions(+) + +diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c +index db27e834dae3..f5cdb9ad4b54 100644 +--- a/hw/scsi/scsi-disk.c ++++ b/hw/scsi/scsi-disk.c +@@ -1616,6 +1616,12 @@ static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf) + goto invalid_param; + } + ++ /* Allow changing the block size */ ++ if (bd_len && p[6] != (s->qdev.blocksize >> 8)) { ++ s->qdev.blocksize = p[6] << 8; ++ trace_scsi_disk_mode_select_set_blocksize(s->qdev.blocksize); ++ } ++ + len -= bd_len; + p += bd_len; + +diff --git a/hw/scsi/trace-events b/hw/scsi/trace-events +index 8e927ff62de1..ab238293f0da 100644 +--- a/hw/scsi/trace-events ++++ b/hw/scsi/trace-events +@@ -338,6 +338,7 @@scsi_disk_dma_command_READ(uint64_t lba, uint32_t len) "Read (sector %" PRId64 ", count %u)" + scsi_disk_dma_command_WRITE(const char *cmd, uint64_t lba, int len) "Write %s(sector %" PRId64 ", count %u)" + scsi_disk_new_request(uint32_t lun, uint32_t tag, const char *line) "Command: lun=%d 
tag=0x%x data=%s" + scsi_disk_aio_sgio_command(uint32_t tag, uint8_t cmd, uint64_t lba, int len, uint32_t timeout) "disk aio sgio: tag=0x%x cmd=0x%x (sector %" PRId64 ", count %d) timeout=%u" ++scsi_disk_mode_select_set_blocksize(int blocksize) "set block size to %d" + + # scsi-generic.c + scsi_generic_command_complete_noio(void *req, uint32_t tag, int statuc) "Command complete %p tag=0x%x status=%d" From patchwork Mon Feb 12 10:46:46 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Poonam Jadhav X-Patchwork-Id: 39184 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4D24AC48297 for ; Mon, 12 Feb 2024 10:47:28 +0000 (UTC) Received: from mail-pg1-f172.google.com (mail-pg1-f172.google.com [209.85.215.172]) by mx.groups.io with SMTP id smtpd.web10.3916.1707734845101902766 for ; Mon, 12 Feb 2024 02:47:25 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=FtqHjwWm; spf=pass (domain: gmail.com, ip: 209.85.215.172, mailfrom: ppjadhav456@gmail.com) Received: by mail-pg1-f172.google.com with SMTP id 41be03b00d2f7-5d42e7ab8a9so1886967a12.3 for ; Mon, 12 Feb 2024 02:47:25 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1707734844; x=1708339644; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Xj9/jkILHRllV9hYClPte7TKLFoWeIJB3UENS5CtcJ4=; b=FtqHjwWmWM6iFjTXnso5/hZIchcTN89aSg5IzhCr2VVwJDH0+FeeT5YZr8vqozvHnY 9eGpSsBXPjNU7SD+bUhnl6u24yDws/T0rfIvTpcQ95bDeNzmaDXsWwIFqz3MaZPbStoP QIQAxGepI6CzDYIT/eSa6w0Co1Qud0oM27bXu5T0lyQ2HPjMXqDcQfoi/6rYRGjpvY9s 
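Review bot: the new SRC_URI entry in the qemu.inc hunk carries a typo in the patch filename, `scsi-disk-allow-MODE-SELECT-block-desriptor-to-set-the-block-size.patch` (`desriptor` for `descriptor`), and the same misspelling is then repeated in the SRC_URI hunks of 2/3 and 3/3; renaming the file before it lands avoids carrying it in kirkstone indefinitely. The commit message also does not say why a feature backport is being brought into a stable branch: one line noting that 2/3 and 3/3 (the CVE-2023-42467 fix) apply on top of this hunk would help the next person reading the recipe.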
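Review bot: the new `if (bd_len && p[6] != (s->qdev.blocksize >> 8))` block in the scsi-disk.c hunk writes a guest-supplied byte straight into `s->qdev.blocksize` with no range check: `p[6] << 8` is 0 when p[6] is 0, and bytes p[5] and p[7] of the three-byte block length are ignored, so a descriptor's block length is silently truncated to bits 8-15. Both gaps are only closed by 2/3 and 3/3 later in this series, so the three .patch files should be merged together (or squashed) rather than one at a time, and the trace point added in the trace-events hunk is the only signal that the value changed, so it is worth keeping when refreshing.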
From: Poonam Jadhav To: openembedded-core@lists.openembedded.org, poonam.jadhav@kpit.com Cc: virendra.thakur@kpit.com Subject: [OE-core][kirkstone][PATCH 2/3] scsi-disk: ensure block size is non-zero and changes limited to bits 8-15 Date: Mon, 12 Feb 2024 16:16:46 +0530 Message-Id: <20240212104647.376386-2-ppjadhav456@gmail.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20240212104647.376386-1-ppjadhav456@gmail.com> References: <20240212104647.376386-1-ppjadhav456@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 12 Feb 2024 10:47:28 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/195308 From: Poonam Jadhav The existing code assumes that the block size can be generated from p[1] << 8 in multiple places which ignores the top and bottom 8 bits. If the block size is allowed to be set to an arbitrary value then this causes a mismatch between the value written by the guest in the block descriptor and the value subsequently read back using READ CAPACITY causing the guest to generate requests that can crash QEMU. For now restrict block size changes to bits 8-15 and also ignore requests to set the block size to 0 which causes the SCSI emulation to crash in at least one place with a divide by zero error. Link: https://github.com/qemu/qemu/commit/55794c904df723109b228da28b5db778e0df3110 Signed-off-by: Poonam Jadhav --- meta/recipes-devtools/qemu/qemu.inc | 1 + ...ero-and-changes-limited-to-bits-8-15.patch | 67 +++++++++++++++++++ 2 files changed, 68 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/scsi-disk-ensure-block-size-is-non-zero-and-changes-limited-to-bits-8-15.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 13355238e8..9f85aa846c 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc 
@@ -104,6 +104,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2023-1544.patch \ file://CVE-2023-5088.patch \ file://scsi-disk-allow-MODE-SELECT-block-desriptor-to-set-the-block-size.patch \ + file://scsi-disk-ensure-block-size-is-non-zero-and-changes-limited-to-bits-8-15.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/scsi-disk-ensure-block-size-is-non-zero-and-changes-limited-to-bits-8-15.patch b/meta/recipes-devtools/qemu/qemu/scsi-disk-ensure-block-size-is-non-zero-and-changes-limited-to-bits-8-15.patch new file mode 100644 index 0000000000..1e1be683fc --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/scsi-disk-ensure-block-size-is-non-zero-and-changes-limited-to-bits-8-15.patch 
@@ -0,0 +1,67 @@ +From 55794c904df723109b228da28b5db778e0df3110 Mon Sep 17 00:00:00 2001 +From: Mark Cave-Ayland +Date: Sat, 30 Jul 2022 13:26:56 +0100 +Subject: [PATCH] scsi-disk: ensure block size is non-zero and changes limited + to bits 8-15 + +The existing code assumes that the block size can be generated from p[1] << 8 +in multiple places which ignores the top and bottom 8 bits. If the block size +is allowed to be set to an arbitrary value then this causes a mismatch +between the value written by the guest in the block descriptor and the value +subsequently read back using READ CAPACITY causing the guest to generate +requests that can crash QEMU. + +For now restrict block size changes to bits 8-15 and also ignore requests to +set the block size to 0 which causes the SCSI emulation to crash in at least +one place with a divide by zero error. + +Fixes: 356c4c441e ("scsi-disk: allow MODE SELECT block descriptor to set the block size") +Closes: https://gitlab.com/qemu-project/qemu/-/issues/1112 +Signed-off-by: Mark Cave-Ayland +Message-Id: <20220730122656.253448-3-mark.cave-ayland@ilande.co.uk> +Signed-off-by: Paolo Bonzini + +Comment: Patch is refreshed +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/55794c904df723109b228da28b5db778e0df3110] +Signed-off-by: Poonam Jadhav +--- + hw/scsi/scsi-disk.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c +index 3027ac3b1ed6..efee6739f9ad 100644 +--- a/hw/scsi/scsi-disk.c ++++ b/hw/scsi/scsi-disk.c +@@ -1532,7 +1532,7 @@ static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf) + int cmd = r->req.cmd.buf[0]; + int len = r->req.cmd.xfer; + int hdr_len = (cmd == MODE_SELECT ? 4 : 8); +- int bd_len; ++ int bd_len, bs; + int pass; + + /* We only support PF=1, SP=0. 
*/ +@@ -1617,9 +1617,19 @@ static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf) + } + + /* Allow changing the block size */ +- if (bd_len && p[6] != (s->qdev.blocksize >> 8)) { +- s->qdev.blocksize = p[6] << 8; +- trace_scsi_disk_mode_select_set_blocksize(s->qdev.blocksize); ++ if (bd_len) { ++ bs = p[5] << 16 | p[6] << 8 | p[7]; ++ ++ /* ++ * Since the existing code only checks/updates bits 8-15 of the block ++ * size, restrict ourselves to the same requirement for now to ensure ++ * that a block size set by a block descriptor and then read back by ++ * a subsequent SCSI command will be the same ++ */ ++ if (bs && !(bs & ~0xff00) && bs != s->qdev.blocksize) { ++ s->qdev.blocksize = bs; ++ trace_scsi_disk_mode_select_set_blocksize(s->qdev.blocksize); ++ } + } + + len -= bd_len; + From patchwork Mon Feb 12 10:46:47 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Poonam Jadhav X-Patchwork-Id: 39185 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4D1EFC4829B for ; Mon, 12 Feb 2024 10:47:38 +0000 (UTC) Received: from mail-pl1-f182.google.com (mail-pl1-f182.google.com [209.85.214.182]) by mx.groups.io with SMTP id smtpd.web11.3963.1707734850293355505 for ; Mon, 12 Feb 2024 02:47:30 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=dB8CQW9U; spf=pass (domain: gmail.com, ip: 209.85.214.182, mailfrom: ppjadhav456@gmail.com) Received: by mail-pl1-f182.google.com with SMTP id d9443c01a7336-1d95d67ff45so21340025ad.2 for ; Mon, 12 Feb 2024 02:47:30 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1707734849; x=1708339649; 
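Review bot: the mask in `if (bs && !(bs & ~0xff00) && bs != s->qdev.blocksize)` still accepts bs == 0x100 (256): it is non-zero and lies entirely within bits 8-15, yet it is below the 512-byte BDRV_SECTOR_SIZE quoted in 3/3, so the `blocksize / BDRV_SECTOR_SIZE` divisor that 3/3 describes becomes 0. That is exactly what 3/3 tightens to `0xfe00`, so this hunk should not be merged without it. A minor style point: the `bs = p[5] << 16 | p[6] << 8 | p[7];` line is correct because `<<` binds tighter than `|`, but it reads more clearly with each shift parenthesised.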
bits=256/256); Mon, 12 Feb 2024 02:47:29 -0800 (PST) From: Poonam Jadhav To: openembedded-core@lists.openembedded.org, poonam.jadhav@kpit.com Cc: virendra.thakur@kpit.com Subject: [OE-core][kirkstone][PATCH 3/3] qemu: Fix CVE-2023-42467 Disallow block sizes smaller than 512 Date: Mon, 12 Feb 2024 16:16:47 +0530 Message-Id: <20240212104647.376386-3-ppjadhav456@gmail.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20240212104647.376386-1-ppjadhav456@gmail.com> References: <20240212104647.376386-1-ppjadhav456@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 12 Feb 2024 10:47:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/195309 From: Poonam Jadhav We are doing things like nb_sectors /= (s->qdev.blocksize / BDRV_SECTOR_SIZE); in the code here (e.g. in scsi_disk_emulate_mode_sense()), so if the blocksize is smaller than BDRV_SECTOR_SIZE (=512), this crashes with a division by 0 exception. Thus disallow block sizes of 256 bytes to avoid this situation. Link: https://gitlab.com/qemu-project/qemu/-/commit/7cfcc79b0ab800959716738aff9419f53fc68c9c Signed-off-by: Poonam Jadhav --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2023-42467.patch | 46 +++++++++++++++++++ 2 files changed, 47 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-42467.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 9f85aa846c..f97dcf289e 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc 
@@ -105,6 +105,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2023-5088.patch \ file://scsi-disk-allow-MODE-SELECT-block-desriptor-to-set-the-block-size.patch \ file://scsi-disk-ensure-block-size-is-non-zero-and-changes-limited-to-bits-8-15.patch \ + file://CVE-2023-42467.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-42467.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-42467.patch new file mode 100644 index 0000000000..d53683faa7 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-42467.patch 
@@ -0,0 +1,46 @@ +From 7cfcc79b0ab800959716738aff9419f53fc68c9c Mon Sep 17 00:00:00 2001 +From: Thomas Huth +Date: Mon, 25 Sep 2023 11:18:54 +0200 +Subject: [PATCH] hw/scsi/scsi-disk: Disallow block sizes smaller than 512 + [CVE-2023-42467] + +We are doing things like + + nb_sectors /= (s->qdev.blocksize / BDRV_SECTOR_SIZE); + +in the code here (e.g. in scsi_disk_emulate_mode_sense()), so if +the blocksize is smaller than BDRV_SECTOR_SIZE (=512), this crashes +with a division by 0 exception. Thus disallow block sizes of 256 +bytes to avoid this situation. + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1813 +CVE: 2023-42467 +Signed-off-by: Thomas Huth +Message-ID: <20230925091854.49198-1-thuth@redhat.com> +Signed-off-by: Paolo Bonzini + +CVE: CVE-2023-42467 +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/7cfcc79b0ab800959716738aff9419f53fc68c9c] +Signed-off-by: Poonam Jadhav +--- + hw/scsi/scsi-disk.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c +index e0d79c7966c..477ee2bcd47 100644 +--- a/hw/scsi/scsi-disk.c ++++ b/hw/scsi/scsi-disk.c +@@ -1628,9 +1628,10 @@ static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf) + * Since the existing code only checks/updates bits 8-15 of the block + * size, restrict ourselves to the same requirement for now to ensure + * that a block size set by a block descriptor and then read back by +- * a subsequent SCSI command will be the same ++ * a subsequent SCSI command will be the same. Also disallow a block ++ * size of 256 since we cannot handle anything below BDRV_SECTOR_SIZE. + */ +- if (bs && !(bs & ~0xff00) && bs != s->qdev.blocksize) { ++ if (bs && !(bs & ~0xfe00) && bs != s->qdev.blocksize) { + s->qdev.blocksize = bs; + trace_scsi_disk_mode_select_set_blocksize(s->qdev.blocksize); + } +--
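Review bot: in the qemu.inc hunk the new `file://CVE-2023-42467.patch` entry is appended after the two scsi-disk prerequisite patches, which is required because this fix edits the `0xff00` line that 2/3 introduces; a sentence in the commit message saying the three SRC_URI entries must stay in this order would stop a later cleanup from reordering or dropping the two prerequisites, whose filenames do not mention the CVE.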
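Review bot: the `0xfe00` mask in the new `if (bs && !(bs & ~0xfe00) && bs != s->qdev.blocksize)` rejects 0 and 256 as intended, but it still admits any combination of bits 9-15, for example 0x600 (1536) or 0xfe00 (65024), which are multiples of 512 but not powers of two; whether the rest of scsi-disk.c copes with such sizes is not visible in this hunk, so the updated comment should say plainly that the check is a multiple-of-512-below-64K filter rather than a whitelist of sane sector sizes. The backported header also carries both `CVE: 2023-42467` (upstream's line, without the CVE- prefix) and `CVE: CVE-2023-42467`; the second form is the one OE patch headers expect, so the first could be dropped when refreshing.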
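As an added example, not QEMU's code and not part of this series, the descriptor parsing and the accept/reject rule that the three patches converge on, written out in C and run over a few constructed block descriptors. BDRV_SECTOR_SIZE is the value quoted in the 3/3 commit message; the function names and the sample descriptors are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Value quoted in the CVE-2023-42467 commit message (assumption: 512). */
#define BDRV_SECTOR_SIZE 512u

/* Block length is the last three bytes (5..7) of an 8-byte block descriptor,
 * the same byte positions as the bs = p[5] << 16 | p[6] << 8 | p[7] line in 2/3. */
static uint32_t parse_descriptor_block_size(const uint8_t p[8])
{
    return ((uint32_t)p[5] << 16) | ((uint32_t)p[6] << 8) | (uint32_t)p[7];
}

/* Rule after 2/3: non-zero and only bits 8-15 set. Returns 1 if a change
 * to `bs` would be applied to a device currently using `current`. */
static int accepted_after_patch_2(uint32_t bs, uint32_t current)
{
    return bs != 0 && (bs & ~0xff00u) == 0 && bs != current;
}

/* Rule after 3/3: the 0xfe00 mask additionally rejects 256. */
static int accepted_after_patch_3(uint32_t bs, uint32_t current)
{
    return bs != 0 && (bs & ~0xfe00u) == 0 && bs != current;
}

/* Divisor the emulation later forms; 0 means the division would fault. */
static uint32_t sectors_per_block(uint32_t bs)
{
    return bs / BDRV_SECTOR_SIZE;
}

int main(void)
{
    /* Constructed descriptors: density code, 3-byte number of blocks,
     * reserved byte, 3-byte block length. */
    static const uint8_t samples[][8] = {
        {0, 0, 0, 0, 0, 0x00, 0x00, 0x00}, /* 0      */
        {0, 0, 0, 0, 0, 0x00, 0x01, 0x00}, /* 256    */
        {0, 0, 0, 0, 0, 0x00, 0x02, 0x00}, /* 512    */
        {0, 0, 0, 0, 0, 0x00, 0x02, 0x01}, /* 513    */
        {0, 0, 0, 0, 0, 0x00, 0x08, 0x00}, /* 2048   */
        {0, 0, 0, 0, 0, 0x01, 0x00, 0x00}, /* 65536  */
    };
    const uint32_t current = 2048; /* CD-ROM default sector size */
    size_t n = sizeof samples / sizeof samples[0];

    printf("%8s %7s %7s %9s\n", "blksize", "after2", "after3", "divisor");
    for (size_t i = 0; i < n; i++) {
        uint32_t bs = parse_descriptor_block_size(samples[i]);
        printf("%8u %7s %7s %9u\n", bs,
               accepted_after_patch_2(bs, current) ? "accept" : "reject",
               accepted_after_patch_3(bs, current) ? "accept" : "reject",
               sectors_per_block(bs));
    }
    return 0;
}
```

The table the program prints makes the gap between 2/3 and 3/3 visible: 256 is accepted by the 0xff00 rule with a divisor of 0, and rejected by the 0xfe00 rule; 0, 513 and 65536 are rejected by both.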