From patchwork Wed Aug 10 14:11:55 2022
X-Patchwork-Submitter: Sakib Sajal
X-Patchwork-Id: 11239
From: Sakib Sajal
To: openembedded-core@lists.openembedded.org
Subject: [kirkstone][PATCH 1/5] qemu: fix CVE-2021-3507
Date: Wed, 10 Aug 2022 10:11:55 -0400
Message-Id: <20220810141159.21182-1-sakib.sajal@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/169194
Backport relevant patches to fix CVE-2021-3507. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 2 + .../qemu/qemu/CVE-2021-3507_1.patch | 92 ++++++++++++++ .../qemu/qemu/CVE-2021-3507_2.patch | 115 ++++++++++++++++++ 3 files changed, 209 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 54a68e1730..dd30313fdd 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -36,6 +36,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-4206.patch \ file://CVE-2021-4207.patch \ file://CVE-2022-35414.patch \ + file://CVE-2021-3507_1.patch \ + file://CVE-2021-3507_2.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch new file mode 100644 index 0000000000..4201610f4d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch
@@ -0,0 +1,92 @@ +From 963ac2cd5186b28fbfdecd15ac43afe1dbaf871a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 18 Nov 2021 12:57:32 +0100 +Subject: [PATCH 1/2] hw/block/fdc: Prevent end-of-track overrun + (CVE-2021-3507) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Per the 82078 datasheet, if the end-of-track (EOT byte in +the FIFO) is more than the number of sectors per side, the +command is terminated unsuccessfully: + +* 5.2.5 DATA TRANSFER TERMINATION + + The 82078 supports terminal count explicitly through + the TC pin and implicitly through the underrun/over- + run and end-of-track (EOT) functions. For full sector + transfers, the EOT parameter can define the last + sector to be transferred in a single or multisector + transfer. If the last sector to be transferred is a par- + tial sector, the host can stop transferring the data in + mid-sector, and the 82078 will continue to complete + the sector as if a hardware TC was received. The + only difference between these implicit functions and + TC is that they return "abnormal termination" result + status. Such status indications can be ignored if they + were expected. + +* 6.1.3 READ TRACK + + This command terminates when the EOT specified + number of sectors have been read. If the 82078 + does not find an I D Address Mark on the diskette + after the second· occurrence of a pulse on the + INDX# pin, then it sets the IC code in Status Regis- + ter 0 to "01" (Abnormal termination), sets the MA bit + in Status Register 1 to "1", and terminates the com- + mand. + +* 6.1.6 VERIFY + + Refer to Table 6-6 and Table 6-7 for information + concerning the values of MT and EC versus SC and + EOT value. + +* Table 6·6. Result Phase Table + +* Table 6-7. Verify Command Result Phase Table + +Fix by aborting the transfer when EOT > # Sectors Per Side. 
+ +Cc: qemu-stable@nongnu.org +Cc: Hervé Poussineau +Fixes: baca51faff0 ("floppy driver: disk geometry auto detect") +Reported-by: Alexander Bulekov +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/339 +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211118115733.4038610-2-philmd@redhat.com> +Reviewed-by: Hanna Reitz +Signed-off-by: Kevin Wolf + +Upstream-Status: Backport [defac5e2fbddf8423a354ff0454283a2115e1367] +CVE: CVE-2021-3507 + +Signed-off-by: Sakib Sajal +--- + hw/block/fdc.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/block/fdc.c b/hw/block/fdc.c +index 21d18ac2e..24b05406e 100644 +--- a/hw/block/fdc.c ++++ b/hw/block/fdc.c +@@ -1529,6 +1529,14 @@ static void fdctrl_start_transfer(FDCtrl *fdctrl, int direction) + int tmp; + fdctrl->data_len = 128 << (fdctrl->fifo[5] > 7 ? 7 : fdctrl->fifo[5]); + tmp = (fdctrl->fifo[6] - ks + 1); ++ if (tmp < 0) { ++ FLOPPY_DPRINTF("invalid EOT: %d\n", tmp); ++ fdctrl_stop_transfer(fdctrl, FD_SR0_ABNTERM, FD_SR1_MA, 0x00); ++ fdctrl->fifo[3] = kt; ++ fdctrl->fifo[4] = kh; ++ fdctrl->fifo[5] = ks; ++ return; ++ } + if (fdctrl->fifo[0] & 0x80) + tmp += fdctrl->fifo[6]; + fdctrl->data_len *= tmp; +-- +2.33.0 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch new file mode 100644 index 0000000000..9f00d9c0d0 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch 
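Review bot: the guard added in fdctrl_start_transfer, `if (tmp < 0)`, does not match the description "Fix by aborting the transfer when EOT > # Sectors Per Side": with `tmp = (fdctrl->fifo[6] - ks + 1)`, the new branch rejects an EOT that lies below the starting sector (a negative sector count), and the hunk contains no comparison of EOT against the drive's sectors per side before `fdctrl->data_len *= tmp`. Please confirm this is the check from the commit cited in Upstream-Status (defac5e2fbddf8423a354ff0454283a2115e1367) and reword the backport description to say what is actually rejected, or add a sentence on where the larger-EOT case is bounded.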
@@ -0,0 +1,115 @@ +From ec5725982f811d9728ad1f9940df0e9349397e67 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 18 Nov 2021 12:57:33 +0100 +Subject: [PATCH 2/2] tests/qtest/fdc-test: Add a regression test for + CVE-2021-3507 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Add the reproducer from https://gitlab.com/qemu-project/qemu/-/issues/339 + +Without the previous commit, when running 'make check-qtest-i386' +with QEMU configured with '--enable-sanitizers' we get: + + ==4028352==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000062a00 at pc 0x5626d03c491a bp 0x7ffdb4199410 sp 0x7ffdb4198bc0 + READ of size 786432 at 0x619000062a00 thread T0 + #0 0x5626d03c4919 in __asan_memcpy (qemu-system-i386+0x1e65919) + #1 0x5626d1c023cc in flatview_write_continue softmmu/physmem.c:2787:13 + #2 0x5626d1bf0c0f in flatview_write softmmu/physmem.c:2822:14 + #3 0x5626d1bf0798 in address_space_write softmmu/physmem.c:2914:18 + #4 0x5626d1bf0f37 in address_space_rw softmmu/physmem.c:2924:16 + #5 0x5626d1bf14c8 in cpu_physical_memory_rw softmmu/physmem.c:2933:5 + #6 0x5626d0bd5649 in cpu_physical_memory_write include/exec/cpu-common.h:82:5 + #7 0x5626d0bd0a07 in i8257_dma_write_memory hw/dma/i8257.c:452:9 + #8 0x5626d09f825d in fdctrl_transfer_handler hw/block/fdc.c:1616:13 + #9 0x5626d0a048b4 in fdctrl_start_transfer hw/block/fdc.c:1539:13 + #10 0x5626d09f4c3e in fdctrl_write_data hw/block/fdc.c:2266:13 + #11 0x5626d09f22f7 in fdctrl_write hw/block/fdc.c:829:9 + #12 0x5626d1c20bc5 in portio_write softmmu/ioport.c:207:17 + + 0x619000062a00 is located 0 bytes to the right of 512-byte region [0x619000062800,0x619000062a00) + allocated by thread T0 here: + #0 0x5626d03c66ec in posix_memalign (qemu-system-i386+0x1e676ec) + #1 0x5626d2b988d4 in qemu_try_memalign util/oslib-posix.c:210:11 + #2 0x5626d2b98b0c in qemu_memalign util/oslib-posix.c:226:27 + #3 0x5626d09fbaf0 in 
fdctrl_realize_common hw/block/fdc.c:2341:20 + #4 0x5626d0a150ed in isabus_fdc_realize hw/block/fdc-isa.c:113:5 + #5 0x5626d2367935 in device_set_realized hw/core/qdev.c:531:13 + + SUMMARY: AddressSanitizer: heap-buffer-overflow (qemu-system-i386+0x1e65919) in __asan_memcpy + Shadow bytes around the buggy address: + 0x0c32800044f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c3280004500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c3280004510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c3280004520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c3280004530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + =>0x0c3280004540:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c3280004550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c3280004560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c3280004570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c3280004580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c3280004590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Heap left redzone: fa + Freed heap region: fd + ==4028352==ABORTING + +[ kwolf: Added snapshot=on to prevent write file lock failure ] + +Reported-by: Alexander Bulekov +Signed-off-by: Philippe Mathieu-Daudé +Reviewed-by: Alexander Bulekov +Signed-off-by: Kevin Wolf + +Upstream-Status: Backport [46609b90d9e3a6304def11038a76b58ff43f77bc] +CVE: CVE-2021-3507 + +Signed-off-by: Sakib Sajal +--- + tests/qtest/fdc-test.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/tests/qtest/fdc-test.c b/tests/qtest/fdc-test.c +index 8f6eee84a..6f5850354 100644 +--- a/tests/qtest/fdc-test.c ++++ b/tests/qtest/fdc-test.c +@@ -583,6 +583,26 @@ static void test_cve_2021_20196(void) + qtest_quit(s); + } + ++static void test_cve_2021_3507(void) ++{ ++ QTestState *s; ++ ++ s = qtest_initf("-nographic -m 32M -nodefaults " ++ "-drive 
file=%s,format=raw,if=floppy,snapshot=on", ++ test_image); ++ qtest_outl(s, 0x9, 0x0a0206); ++ qtest_outw(s, 0x3f4, 0x1600); ++ qtest_outw(s, 0x3f4, 0x0000); ++ qtest_outw(s, 0x3f4, 0x0000); ++ qtest_outw(s, 0x3f4, 0x0000); ++ qtest_outw(s, 0x3f4, 0x0200); ++ qtest_outw(s, 0x3f4, 0x0200); ++ qtest_outw(s, 0x3f4, 0x0000); ++ qtest_outw(s, 0x3f4, 0x0000); ++ qtest_outw(s, 0x3f4, 0x0000); ++ qtest_quit(s); ++} ++ + int main(int argc, char **argv) + { + int fd; +@@ -614,6 +634,7 @@ int main(int argc, char **argv) + qtest_add_func("/fdc/read_no_dma_19", test_read_no_dma_19); + qtest_add_func("/fdc/fuzz-registers", fuzz_registers); + qtest_add_func("/fdc/fuzz/cve_2021_20196", test_cve_2021_20196); ++ qtest_add_func("/fdc/fuzz/cve_2021_3507", test_cve_2021_3507); + + ret = g_test_run(); + +-- +2.33.0 +
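Review bot: test_cve_2021_3507 writes the command bytes and calls qtest_quit without reading anything back, so on the unfixed code it only fails in a sanitizer build (the commit message itself relies on '--enable-sanitizers' to surface the heap-buffer-overflow); in a normal build the regression test passes with or without the first patch. Consider reading back the controller's result phase after the command sequence and asserting the abnormal-termination status that the fix now reports, so the test fails deterministically on an unpatched tree. The registration under "/fdc/fuzz/cve_2021_3507" next to the existing cve_2021_20196 entry is consistent with the file's naming.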
From patchwork Wed Aug 10 14:11:56 2022
X-Patchwork-Submitter: Sakib Sajal
X-Patchwork-Id: 11236
From: Sakib Sajal
To: openembedded-core@lists.openembedded.org
Subject: [kirkstone][PATCH 2/5] qemu: fix CVE-2021-3929
Date: Wed, 10 Aug 2022 10:11:56 -0400
Message-Id: <20220810141159.21182-2-sakib.sajal@windriver.com>
In-Reply-To: <20220810141159.21182-1-sakib.sajal@windriver.com>
References: <20220810141159.21182-1-sakib.sajal@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/169192
Backport patch to fix CVE-2021-3929. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-3929.patch | 70 +++++++++++++++++++ 2 files changed, 71 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index dd30313fdd..53bad5c453 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -38,6 +38,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2022-35414.patch \ file://CVE-2021-3507_1.patch \ file://CVE-2021-3507_2.patch \ + file://CVE-2021-3929.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch new file mode 100644 index 0000000000..7555e5bc40 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch
@@ -0,0 +1,70 @@ +From 12daeafc9868c1ebe482d580494f9e6d3d5c260f Mon Sep 17 00:00:00 2001 +From: Klaus Jensen +Date: Fri, 17 Dec 2021 10:44:01 +0100 +Subject: [PATCH] hw/nvme: fix CVE-2021-3929 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This fixes CVE-2021-3929 "locally" by denying DMA to the iomem of the +device itself. This still allows DMA to MMIO regions of other devices +(e.g. doing P2P DMA to the controller memory buffer of another NVMe +device). + +Fixes: CVE-2021-3929 +Reported-by: Qiuhao Li +Reviewed-by: Keith Busch +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Klaus Jensen + +Upstream-Status: Backport [736b01642d85be832385063f278fe7cd4ffb5221] +CVE: CVE-2021-3929 + +Signed-off-by: Sakib Sajal +--- + hw/nvme/ctrl.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c +index 5f573c417..eda52c6ac 100644 +--- a/hw/nvme/ctrl.c ++++ b/hw/nvme/ctrl.c +@@ -357,6 +357,24 @@ static inline void *nvme_addr_to_pmr(NvmeCtrl *n, hwaddr addr) + return memory_region_get_ram_ptr(&n->pmr.dev->mr) + (addr - n->pmr.cba); + } + ++static inline bool nvme_addr_is_iomem(NvmeCtrl *n, hwaddr addr) ++{ ++ hwaddr hi, lo; ++ ++ /* ++ * The purpose of this check is to guard against invalid "local" access to ++ * the iomem (i.e. controller registers). Thus, we check against the range ++ * covered by the 'bar0' MemoryRegion since that is currently composed of ++ * two subregions (the NVMe "MBAR" and the MSI-X table/pba). Note, however, ++ * that if the device model is ever changed to allow the CMB to be located ++ * in BAR0 as well, then this must be changed. 
++ */ ++ lo = n->bar0.addr; ++ hi = lo + int128_get64(n->bar0.size); ++ ++ return addr >= lo && addr < hi; ++} ++ + static int nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size) + { + hwaddr hi = addr + size - 1; +@@ -614,6 +632,10 @@ static uint16_t nvme_map_addr(NvmeCtrl *n, NvmeSg *sg, hwaddr addr, size_t len) + + trace_pci_nvme_map_addr(addr, len); + ++ if (nvme_addr_is_iomem(n, addr)) { ++ return NVME_DATA_TRAS_ERROR; ++ } ++ + if (nvme_addr_is_cmb(n, addr)) { + cmb = true; + } else if (nvme_addr_is_pmr(n, addr)) { +-- +2.33.0 +
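Review bot: the new guard in nvme_map_addr tests only the first byte of the mapping: the function receives both `addr` and `len`, but `nvme_addr_is_iomem(n, addr)` is given no length, so a range that begins below `n->bar0.addr` and extends into [lo, hi) is not caught by this check. Consider giving nvme_addr_is_iomem a size parameter and rejecting any overlap of [addr, addr + len) with the bar0 range, the way nvme_addr_read already computes `hwaddr hi = addr + size - 1` for its own bounds check. The comment in the helper already notes that a CMB placed in BAR0 would invalidate the check; the length assumption deserves the same mention.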
From: Sakib Sajal
To: openembedded-core@lists.openembedded.org
Subject: [kirkstone][PATCH 3/5] qemu: fix CVE-2021-4158
Date: Wed, 10 Aug 2022 10:11:57 -0400
Message-Id: <20220810141159.21182-3-sakib.sajal@windriver.com>
X-Mailer: git-send-email 2.33.0
In-Reply-To: <20220810141159.21182-1-sakib.sajal@windriver.com>
References: <20220810141159.21182-1-sakib.sajal@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/169193

Backport patch to fix CVE-2021-4158.

Signed-off-by: Sakib Sajal
---
meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-4158.patch | 46 +++++++++++++++++++ 2 files changed, 47 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4158.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 53bad5c453..1d04ad3c67 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -39,6 +39,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3507_1.patch \ file://CVE-2021-3507_2.patch \ file://CVE-2021-3929.patch \ + file://CVE-2021-4158.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4158.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4158.patch new file mode 100644 index 0000000000..f6de53244f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4158.patch 
@@ -0,0 +1,46 @@ +From a0b64c6d078acb9bcfae600e22bf99a9a7deca7c Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Tue, 21 Dec 2021 09:45:44 -0500 +Subject: [PATCH] acpi: validate hotplug selector on access +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When bus is looked up on a pci write, we didn't +validate that the lookup succeeded. +Fuzzers thus can trigger QEMU crash by dereferencing the NULL +bus pointer. + +Fixes: b32bd763a1 ("pci: introduce acpi-index property for PCI device") +Fixes: CVE-2021-4158 +Cc: "Igor Mammedov" +Fixes: https://gitlab.com/qemu-project/qemu/-/issues/770 +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Philippe Mathieu-Daudé +Reviewed-by: Ani Sinha + +Upstream-Status: Backport [9bd6565ccee68f72d5012e24646e12a1c662827e] +CVE: CVE-2021-4158 + +Signed-off-by: Sakib Sajal +--- + hw/acpi/pcihp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c +index 30405b511..a5e182dd3 100644 +--- a/hw/acpi/pcihp.c ++++ b/hw/acpi/pcihp.c +@@ -491,6 +491,9 @@ static void pci_write(void *opaque, hwaddr addr, uint64_t data, + } + + bus = acpi_pcihp_find_hotplug_bus(s, s->hotplug_select); ++ if (!bus) { ++ break; ++ } + QTAILQ_FOREACH_SAFE(kid, &bus->qbus.children, sibling, next) { + Object *o = OBJECT(kid->child); + PCIDevice *dev = PCI_DEVICE(o); +-- +2.33.0 +

From patchwork Wed Aug 10 14:11:58 2022 X-Patchwork-Submitter: Sakib Sajal X-Patchwork-Id: 11235
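Review bot: in the CVE-2021-4158 hunk for pci_write, the early `if (!bus) { break; }` silently drops a write whose s->hotplug_select names no hotplug bus, which is exactly the input a fuzzer or a misbehaving guest produced to reach the NULL dereference; a qemu_log_mask(LOG_GUEST_ERROR, ...) or a trace point before the break would make that visible in the host log rather than letting it disappear. Since the subject says the selector is validated "on access" rather than when it is written, please confirm that every other acpi_pcihp_find_hotplug_bus(s, s->hotplug_select) caller in pcihp.c got the same NULL check; only the pci_write path is in this hunk.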
From: Sakib Sajal
To: openembedded-core@lists.openembedded.org
Subject: [kirkstone][PATCH 4/5] qemu: fix CVE-2022-0358
Date: Wed, 10 Aug 2022 10:11:58 -0400
Message-Id: <20220810141159.21182-4-sakib.sajal@windriver.com>
X-Mailer: git-send-email 2.33.0
In-Reply-To: <20220810141159.21182-1-sakib.sajal@windriver.com>
References: <20220810141159.21182-1-sakib.sajal@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/169195

Backport patch to fix CVE-2022-0358.

Signed-off-by: Sakib Sajal
---
meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2022-0358.patch | 106 ++++++++++++++++++ 2 files changed, 107 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-0358.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 1d04ad3c67..44d4c9ca2f 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -40,6 +40,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3507_2.patch \ file://CVE-2021-3929.patch \ file://CVE-2021-4158.patch \ + file://CVE-2022-0358.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0358.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0358.patch new file mode 100644 index 0000000000..8eb1475638 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0358.patch
@@ -0,0 +1,106 @@ +From 4d2558ec9336d3614a43f7437c9cf74793ae3a87 Mon Sep 17 00:00:00 2001 +From: Vivek Goyal +Date: Tue, 25 Jan 2022 13:51:14 -0500 +Subject: [PATCH] virtiofsd: Drop membership of all supplementary groups + (CVE-2022-0358) + +At the start, drop membership of all supplementary groups. This is +not required. + +If we have membership of "root" supplementary group and when we switch +uid/gid using setresuid/setsgid, we still retain membership of existing +supplemntary groups. And that can allow some operations which are not +normally allowed. + +For example, if root in guest creates a dir as follows. + +$ mkdir -m 03777 test_dir + +This sets SGID on dir as well as allows unprivileged users to write into +this dir. + +And now as unprivileged user open file as follows. + +$ su test +$ fd = open("test_dir/priviledge_id", O_RDWR|O_CREAT|O_EXCL, 02755); + +This will create SGID set executable in test_dir/. + +And that's a problem because now an unpriviliged user can execute it, +get egid=0 and get access to resources owned by "root" group. This is +privilege escalation. + +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2044863 +Fixes: CVE-2022-0358 +Reported-by: JIETAO XIAO +Suggested-by: Miklos Szeredi +Reviewed-by: Stefan Hajnoczi +Reviewed-by: Dr. David Alan Gilbert +Signed-off-by: Vivek Goyal +Message-Id: +Signed-off-by: Dr. 
David Alan Gilbert + dgilbert: Fixed missing {}'s style nit + +Upstream-Status: Backport [449e8171f96a6a944d1f3b7d3627ae059eae21ca] +CVE: CVE-2022-0358 + +Signed-off-by: Sakib Sajal +--- + tools/virtiofsd/passthrough_ll.c | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c +index 64b5b4fbb..b3d0674f6 100644 +--- a/tools/virtiofsd/passthrough_ll.c ++++ b/tools/virtiofsd/passthrough_ll.c +@@ -54,6 +54,7 @@ + #include + #include + #include ++#include + + #include "qemu/cutils.h" + #include "passthrough_helpers.h" +@@ -1161,6 +1162,30 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name) + #define OURSYS_setresuid SYS_setresuid + #endif + ++static void drop_supplementary_groups(void) ++{ ++ int ret; ++ ++ ret = getgroups(0, NULL); ++ if (ret == -1) { ++ fuse_log(FUSE_LOG_ERR, "getgroups() failed with error=%d:%s\n", ++ errno, strerror(errno)); ++ exit(1); ++ } ++ ++ if (!ret) { ++ return; ++ } ++ ++ /* Drop all supplementary groups. We should not need it */ ++ ret = setgroups(0, NULL); ++ if (ret == -1) { ++ fuse_log(FUSE_LOG_ERR, "setgroups() failed with error=%d:%s\n", ++ errno, strerror(errno)); ++ exit(1); ++ } ++} ++ + /* + * Change to uid/gid of caller so that file is created with + * ownership of caller. 
+@@ -3926,6 +3951,8 @@ int main(int argc, char *argv[]) + + qemu_init_exec_dir(argv[0]); + ++ drop_supplementary_groups(); ++ + pthread_mutex_init(&lo.mutex, NULL); + lo.inodes = g_hash_table_new(lo_key_hash, lo_key_equal); + lo.root.fd = -1; +-- +2.33.0 +

From patchwork Wed Aug 10 14:11:59 2022 X-Patchwork-Submitter: Sakib Sajal X-Patchwork-Id: 11238
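Review bot: in the CVE-2022-0358 patch, setgroups(2) needs CAP_SETGID and drop_supplementary_groups() calls exit(1) whenever it fails, so a virtiofsd started by a caller who lacks that capability but does have supplementary groups now refuses to start instead of continuing with the groups it already had; if running without CAP_SETGID is a supported configuration, treat EPERM as a logged warning rather than a fatal error, otherwise document the capability requirement next to the call in main(). Two smaller points on the same patch: the getgroups(0, NULL) == 0 short-circuit deserves a comment saying why it exists (presumably so that an unprivileged start with no groups does not trip over a needless EPERM from setgroups), and the added include line is shown on this page without its header name, which the page extraction dropped, so anyone applying the patch from the page rather than from upstream commit 449e8171f96a6a944d1f3b7d3627ae059eae21ca must restore it.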
From: Sakib Sajal
To: openembedded-core@lists.openembedded.org
Subject: [kirkstone][PATCH 5/5] qemu: fix CVE-2022-0216
Date: Wed, 10 Aug 2022 10:11:59 -0400
Message-Id: <20220810141159.21182-5-sakib.sajal@windriver.com>
X-Mailer: git-send-email 2.33.0
In-Reply-To: <20220810141159.21182-1-sakib.sajal@windriver.com>
References: <20220810141159.21182-1-sakib.sajal@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/169196

Backport relevant patches to fix CVE-2022-0216.

Signed-off-by: Sakib Sajal
---
meta/recipes-devtools/qemu/qemu.inc | 2 + .../qemu/qemu/CVE-2022-0216_1.patch | 42 +++++++++++++++ .../qemu/qemu/CVE-2022-0216_2.patch | 52 +++++++++++++++++++ 3 files changed, 96 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 44d4c9ca2f..a493ac8add 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -41,6 +41,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3929.patch \ file://CVE-2021-4158.patch \ file://CVE-2022-0358.patch \ + file://CVE-2022-0216_1.patch \ + file://CVE-2022-0216_2.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch new file mode 100644 index 0000000000..de7458fc72 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch @@ -0,0 +1,42 @@ +From 1cedc914b2c4b4e0c9dfcd1b0e02917af35b5eb6 Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella +Date: Tue, 5 Jul 2022 22:05:43 +0200 +Subject: [PATCH 1/3] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout + (CVE-2022-0216) + +Set current_req->req to NULL to prevent reusing a free'd buffer in case of +repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch. + +Fixes: CVE-2022-0216 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972 +Signed-off-by: Mauro Matteo Cascella +Reviewed-by: Thomas Huth +Message-Id: <20220705200543.2366809-1-mcascell@redhat.com> +Signed-off-by: Paolo Bonzini + +Upstream-Status: Backport [6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8] +CVE: CVE-2022-0216 + +Signed-off-by: Sakib Sajal +--- + hw/scsi/lsi53c895a.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c +index 85e907a78..8033cf050 100644 +--- a/hw/scsi/lsi53c895a.c ++++ b/hw/scsi/lsi53c895a.c +@@ -1029,8 +1029,9 @@ static void lsi_do_msgout(LSIState *s) + case 0x0d: + /* The ABORT TAG message clears the current I/O process only. */ + trace_lsi_do_msgout_abort(current_tag); +- if (current_req) { ++ if (current_req && current_req->req) { + scsi_req_cancel(current_req->req); ++ current_req->req = NULL; + } + lsi_disconnect(s); + break; +-- +2.33.0 + 
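Review bot: on its own, CVE-2022-0216_1.patch is not a complete fix and must never be carried without CVE-2022-0216_2.patch: the new `current_req->req = NULL;` runs after `scsi_req_cancel(current_req->req);`, and, as the follow-up's own message says ("Set current_req to NULL, not current_req->req, to prevent reusing a free'd buffer"), the object current_req points to can already have been freed by the cancel path, so this assignment is a write through a possibly dangling pointer. A one-line remark in the patch header or next to the two SRC_URI entries in qemu.inc saying that the pair belong together would stop someone dropping the second file during a future rebase.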
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch new file mode 100644 index 0000000000..12f5a602da --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch @@ -0,0 +1,52 @@ +From 8f2c2cb908758192d5ebc00605cbf0989b8a507c Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella +Date: Mon, 11 Jul 2022 14:33:16 +0200 +Subject: [PATCH 3/3] scsi/lsi53c895a: really fix use-after-free in + lsi_do_msgout (CVE-2022-0216) + +Set current_req to NULL, not current_req->req, to prevent reusing a free'd +buffer in case of repeated SCSI cancel requests. Also apply the fix to +CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel +the request. + +Thanks to Alexander Bulekov for providing a reproducer. + +Fixes: CVE-2022-0216 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972 +Signed-off-by: Mauro Matteo Cascella +Tested-by: Alexander Bulekov +Message-Id: <20220711123316.421279-1-mcascell@redhat.com> +Signed-off-by: Paolo Bonzini + +Upstream-Status: Backport [4367a20cc442c56b05611b4224de9a61908f9eac] +CVE: CVE-2022-0216 + +Signed-off-by: Sakib Sajal +--- + hw/scsi/lsi53c895a.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c +index 8033cf050..fbe3fa3dd 100644 +--- a/hw/scsi/lsi53c895a.c ++++ b/hw/scsi/lsi53c895a.c +@@ -1031,7 +1031,7 @@ static void lsi_do_msgout(LSIState *s) + trace_lsi_do_msgout_abort(current_tag); + if (current_req && current_req->req) { + scsi_req_cancel(current_req->req); +- current_req->req = NULL; ++ current_req = NULL; + } + lsi_disconnect(s); + break; +@@ -1057,6 +1057,7 @@ static void lsi_do_msgout(LSIState *s) + /* clear the current I/O process */ + if (s->current) { + scsi_req_cancel(s->current->req); ++ current_req = NULL; + } + + /* As the current implemented devices scsi_disk and scsi_generic +-- +2.33.0 +
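Review bot: in the second hunk of CVE-2022-0216_2.patch the request being cancelled is `s->current->req`, but what is cleared afterwards is the local `current_req`; that is only correct if current_req aliases s->current on the CLEAR QUEUE and BUS DEVICE RESET paths, and nothing in the hunk states that, so either clear s->current as well where the cancel callback does not already do it, or add a comment stating the aliasing invariant the code relies on. Separately, the two files backported here are upstream's 1/3 and 3/3 of the series (see the Subject lines); the cover text says "relevant patches", so please spell out in it why 2/3 is not needed for CVE-2022-0216 on kirkstone, so that the omission is not mistaken for an oversight later.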