Message ID | 20220914060411.20436-1-chee.yang.lee@intel.com
---|---
State | Accepted, archived
Commit | c852d3e6742fe82b9f4ec84b077d6e1b0bfd021e
Series | [dunfell,1/2] gst-plugins-good: fix several CVE
On Tue, Sep 13, 2022 at 8:04 PM Lee Chee Yang <chee.yang.lee@intel.com> wrote:
>
> From: Chee Yang Lee <chee.yang.lee@intel.com>
>
> backport fixes:
> CVE-2020-13754, backport patches as the Debian security tracker notes
> https://security-tracker.debian.org/tracker/CVE-2020-13754
>
> CVE-2021-3713
> CVE-2021-3748
> CVE-2021-3930
> CVE-2021-4206
> CVE-2021-4207
> CVE-2022-0216, does not include qtest in patches; the qtest code was not available in v4.2.
>
> Ignore:
> CVE-2020-27661, issue introduced in v5.1.0-rc0
> https://security-tracker.debian.org/tracker/CVE-2020-27661

While this patch applies and builds without error, it results in quite a few runtime errors during oe-selftest:

https://errors.yoctoproject.org/Errors/Details/671970/

Not sure which of the CVE fixes causes this :-(

Steve
> Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > --- > meta/recipes-devtools/qemu/qemu.inc | 14 ++ > .../qemu/qemu/CVE-2020-13754-1.patch | 91 +++++++++++++ > .../qemu/qemu/CVE-2020-13754-2.patch | 69 ++++++++++ > .../qemu/qemu/CVE-2020-13754-3.patch | 65 +++++++++ > .../qemu/qemu/CVE-2020-13754-4.patch | 39 ++++++ > .../qemu/qemu/CVE-2021-3713.patch | 67 ++++++++++ > .../qemu/qemu/CVE-2021-3748.patch | 124 ++++++++++++++++++ > .../qemu/qemu/CVE-2021-3930.patch | 53 ++++++++ > .../qemu/qemu/CVE-2021-4206.patch | 89 +++++++++++++ > .../qemu/qemu/CVE-2021-4207.patch | 43 ++++++ > .../qemu/qemu/CVE-2022-0216-1.patch | 42 ++++++ > .../qemu/qemu/CVE-2022-0216-2.patch | 52 ++++++++ > 12 files changed, 748 insertions(+) > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch > > diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc > index a773068499..c1db723e90 100644 > --- a/meta/recipes-devtools/qemu/qemu.inc > +++ b/meta/recipes-devtools/qemu/qemu.inc 
> @@ -100,6 +100,17 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ > file://CVE-2020-13791.patch \ > file://CVE-2022-35414.patch \ > file://CVE-2020-27821.patch \ > + file://CVE-2020-13754-1.patch \ > + file://CVE-2020-13754-2.patch \ > + file://CVE-2020-13754-3.patch \ > + file://CVE-2020-13754-4.patch \ > + file://CVE-2021-3713.patch \ > + file://CVE-2021-3748.patch \ > + file://CVE-2021-3930.patch \ > + file://CVE-2021-4206.patch \ > + file://CVE-2021-4207.patch \ > + file://CVE-2022-0216-1.patch \ > + file://CVE-2022-0216-2.patch \ > " > UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" > > @@ -117,6 +128,9 @@ CVE_CHECK_WHITELIST += "CVE-2007-0998" > # https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11 > CVE_CHECK_WHITELIST += "CVE-2018-18438" > > +# the issue introduced in v5.1.0-rc0 > +CVE_CHECK_WHITELIST += "CVE-2020-27661" > + > COMPATIBLE_HOST_mipsarchn32 = "null" > COMPATIBLE_HOST_mipsarchn64 = "null" > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch > new file mode 100644 > index 0000000000..fdfff9d81d > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch 
> @@ -0,0 +1,91 @@ > +From 5d971f9e672507210e77d020d89e0e89165c8fc9 Mon Sep 17 00:00:00 2001 > +From: "Michael S. Tsirkin" <mst@redhat.com> > +Date: Wed, 10 Jun 2020 09:47:49 -0400 > +Subject: [PATCH] memory: Revert "memory: accept mismatching sizes in > + memory_region_access_valid" > + > +Memory API documentation documents valid .min_access_size and .max_access_size > +fields and explains that any access outside these boundaries is blocked. > + > +This is what devices seem to assume. > + > +However this is not what the implementation does: it simply > +ignores the boundaries unless there's an "accepts" callback. > + > +Naturally, this breaks a bunch of devices. > + > +Revert to the documented behaviour. > + > +Devices that want to allow any access can just drop the valid field, > +or add the impl field to have accesses converted to appropriate > +length. > + > +Cc: qemu-stable@nongnu.org > +Reviewed-by: Richard Henderson <rth@twiddle.net> > +Fixes: CVE-2020-13754 > +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363 > +Fixes: a014ed07bd5a ("memory: accept mismatching sizes in memory_region_access_valid") > +Signed-off-by: Michael S. 
Tsirkin <mst@redhat.com> > +Message-Id: <20200610134731.1514409-1-mst@redhat.com> > +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> > + > +https://git.qemu.org/?p=qemu.git;a=patch;h=5d971f9e672507210e77d020d89e0e89165c8fc9 > +CVE: CVE-2020-13754 > +Upstream-Status: Backport > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > +--- > + memory.c | 29 +++++++++-------------------- > + 1 file changed, 9 insertions(+), 20 deletions(-) > + > +diff --git a/memory.c b/memory.c > +index 2f15a4b..9200b20 100644 > +--- a/memory.c > ++++ b/memory.c > +@@ -1352,35 +1352,24 @@ bool memory_region_access_valid(MemoryRegion *mr, > + bool is_write, > + MemTxAttrs attrs) > + { > +- int access_size_min, access_size_max; > +- int access_size, i; > +- > +- if (!mr->ops->valid.unaligned && (addr & (size - 1))) { > ++ if (mr->ops->valid.accepts > ++ && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) { > + return false; > + } > + > +- if (!mr->ops->valid.accepts) { > +- return true; > +- } > +- > +- access_size_min = mr->ops->valid.min_access_size; > +- if (!mr->ops->valid.min_access_size) { > +- access_size_min = 1; > ++ if (!mr->ops->valid.unaligned && (addr & (size - 1))) { > ++ return false; > + } > + > +- access_size_max = mr->ops->valid.max_access_size; > ++ /* Treat zero as compatibility all valid */ > + if (!mr->ops->valid.max_access_size) { > +- access_size_max = 4; > ++ return true; > + } > + > +- access_size = MAX(MIN(size, access_size_max), access_size_min); > +- for (i = 0; i < size; i += access_size) { > +- if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size, > +- is_write, attrs)) { > +- return false; > +- } > ++ if (size > mr->ops->valid.max_access_size > ++ || size < mr->ops->valid.min_access_size) { > ++ return false; > + } > +- > + return true; > + } > + > +-- > +1.8.3.1 > + 
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch > new file mode 100644 > index 0000000000..7354edc54d > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch 
> @@ -0,0 +1,69 @@ > +From dba04c3488c4699f5afe96f66e448b1d447cf3fb Mon Sep 17 00:00:00 2001 > +From: Michael Tokarev <mjt@tls.msk.ru> > +Date: Mon, 20 Jul 2020 19:06:27 +0300 > +Subject: [PATCH] acpi: accept byte and word access to core ACPI registers > + > +All ISA registers should be accessible as bytes, words or dwords > +(if wide enough). Fix the access constraints for acpi-pm-evt, > +acpi-pm-tmr & acpi-cnt registers. > + > +Fixes: 5d971f9e67 (memory: Revert "memory: accept mismatching sizes in memory_region_access_valid") > +Fixes: afafe4bbe0 (apci: switch cnt to memory api) > +Fixes: 77d58b1e47 (apci: switch timer to memory api) > +Fixes: b5a7c024d2 (apci: switch evt to memory api) > +Buglink: https://lore.kernel.org/xen-devel/20200630170913.123646-1-anthony.perard@citrix.com/T/ > +Buglink: https://bugs.debian.org/964793 > +BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247 > +BugLink: https://bugs.launchpad.net/bugs/1886318 > +Reported-By: Simon John <git@the-jedi.co.uk> > +Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> > +Message-Id: <20200720160627.15491-1-mjt@msgid.tls.msk.ru> > +Cc: qemu-stable@nongnu.org > +Reviewed-by: Michael S. Tsirkin <mst@redhat.com> > +Signed-off-by: Michael S. 
Tsirkin <mst@redhat.com> > + > +https://git.qemu.org/?p=qemu.git;a=patch;h=dba04c3488c4699f5afe96f66e448b1d447cf3fb > +CVE: CVE-2020-13754 > +Upstream-Status: Backport > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > +--- > + hw/acpi/core.c | 9 ++++++--- > + 1 file changed, 6 insertions(+), 3 deletions(-) > + > +diff --git a/hw/acpi/core.c b/hw/acpi/core.c > +index f6d9ec4..ac06db3 100644 > +--- a/hw/acpi/core.c > ++++ b/hw/acpi/core.c > +@@ -458,7 +458,8 @@ static void acpi_pm_evt_write(void *opaque, hwaddr addr, uint64_t val, > + static const MemoryRegionOps acpi_pm_evt_ops = { > + .read = acpi_pm_evt_read, > + .write = acpi_pm_evt_write, > +- .valid.min_access_size = 2, > ++ .impl.min_access_size = 2, > ++ .valid.min_access_size = 1, > + .valid.max_access_size = 2, > + .endianness = DEVICE_LITTLE_ENDIAN, > + }; > +@@ -527,7 +528,8 @@ static void acpi_pm_tmr_write(void *opaque, hwaddr addr, uint64_t val, > + static const MemoryRegionOps acpi_pm_tmr_ops = { > + .read = acpi_pm_tmr_read, > + .write = acpi_pm_tmr_write, > +- .valid.min_access_size = 4, > ++ .impl.min_access_size = 4, > ++ .valid.min_access_size = 1, > + .valid.max_access_size = 4, > + .endianness = DEVICE_LITTLE_ENDIAN, > + }; > +@@ -599,7 +601,8 @@ static void acpi_pm_cnt_write(void *opaque, hwaddr addr, uint64_t val, > + static const MemoryRegionOps acpi_pm_cnt_ops = { > + .read = acpi_pm_cnt_read, > + .write = acpi_pm_cnt_write, > +- .valid.min_access_size = 2, > ++ .impl.min_access_size = 2, > ++ .valid.min_access_size = 1, > + .valid.max_access_size = 2, > + .endianness = DEVICE_LITTLE_ENDIAN, > + }; > +-- > +1.8.3.1 > + > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch > new file mode 100644 > index 0000000000..2a8781050f > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch 
> @@ -0,0 +1,65 @@ > +From 8e67fda2dd6202ccec093fda561107ba14830a17 Mon Sep 17 00:00:00 2001 > +From: Laurent Vivier <lvivier@redhat.com> > +Date: Tue, 21 Jul 2020 10:33:22 +0200 > +Subject: [PATCH] xhci: fix valid.max_access_size to access address registers > +MIME-Version: 1.0 > +Content-Type: text/plain; charset=utf8 > +Content-Transfer-Encoding: 8bit > + > +QEMU XHCI advertises AC64 (64-bit addressing) but doesn't allow > +64-bit mode access in "runtime" and "operational" MemoryRegionOps. > + > +Set the max_access_size based on sizeof(dma_addr_t) as AC64 is set. > + > +XHCI specs: > +"If the xHC supports 64-bit addressing (AC64 = â1â), then software > +should write 64-bit registers using only Qword accesses. If a > +system is incapable of issuing Qword accesses, then writes to the > +64-bit address fields shall be performed using 2 Dword accesses; > +low Dword-first, high-Dword second. If the xHC supports 32-bit > +addressing (AC64 = â0â), then the high Dword of registers containing > +64-bit address fields are unused and software should write addresses > +using only Dword accesses" > + > +The problem has been detected with SLOF, as linux kernel always accesses > +registers using 32-bit access even if AC64 is set and revealed by > +5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"") > + > +Suggested-by: Alexey Kardashevskiy <aik@au1.ibm.com> > +Signed-off-by: Laurent Vivier <lvivier@redhat.com> > +Message-id: 20200721083322.90651-1-lvivier@redhat.com > +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > + > +https://git.qemu.org/?p=qemu.git;a=patch;h=8e67fda2dd6202ccec093fda561107ba14830a17 > +CVE: CVE-2020-13754 > +Upstream-Status: Backport > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > +--- > + hw/usb/hcd-xhci.c | 4 ++-- > + 1 file changed, 2 insertions(+), 2 deletions(-) > + > +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c > +index b330e36..67a18fe 100644 > +--- a/hw/usb/hcd-xhci.c > ++++ 
b/hw/usb/hcd-xhci.c > +@@ -3184,7 +3184,7 @@ static const MemoryRegionOps xhci_oper_ops = { > + .read = xhci_oper_read, > + .write = xhci_oper_write, > + .valid.min_access_size = 4, > +- .valid.max_access_size = 4, > ++ .valid.max_access_size = sizeof(dma_addr_t), > + .endianness = DEVICE_LITTLE_ENDIAN, > + }; > + > +@@ -3200,7 +3200,7 @@ static const MemoryRegionOps xhci_runtime_ops = { > + .read = xhci_runtime_read, > + .write = xhci_runtime_write, > + .valid.min_access_size = 4, > +- .valid.max_access_size = 4, > ++ .valid.max_access_size = sizeof(dma_addr_t), > + .endianness = DEVICE_LITTLE_ENDIAN, > + }; > + > +-- > +1.8.3.1 > + > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch > new file mode 100644 > index 0000000000..6bad07d03f > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch 
> @@ -0,0 +1,39 @@ > +From 70b78d4e71494c90d2ccb40381336bc9b9a22f79 Mon Sep 17 00:00:00 2001 > +From: Alistair Francis <alistair.francis@wdc.com> > +Date: Tue, 30 Jun 2020 13:12:11 -0700 > +Subject: [PATCH] hw/riscv: Allow 64 bit access to SiFive CLINT > + > +Commit 5d971f9e672507210e77d020d89e0e89165c8fc9 > +"memory: Revert "memory: accept mismatching sizes in > +memory_region_access_valid"" broke most RISC-V boards as they do 64 bit > +accesses to the CLINT and QEMU would trigger a fault. Fix this failure > +by allowing 8 byte accesses. > + > +Signed-off-by: Alistair Francis <alistair.francis@wdc.com> > +Reviewed-by: LIU Zhiwei<zhiwei_liu@c-sky.com> > +Message-Id: <122b78825b077e4dfd39b444d3a46fe894a7804c.1593547870.git.alistair.francis@wdc.com> > + > +https://git.qemu.org/?p=qemu.git;a=patch;h=70b78d4e71494c90d2ccb40381336bc9b9a22f79 > +CVE: CVE-2020-13754 > +Upstream-Status: Backport > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > +--- > + hw/riscv/sifive_clint.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/hw/riscv/sifive_clint.c b/hw/riscv/sifive_clint.c > +index b11ffa0..669c21a 100644 > +--- a/hw/riscv/sifive_clint.c > ++++ b/hw/riscv/sifive_clint.c > +@@ -181,7 +181,7 @@ static const MemoryRegionOps sifive_clint_ops = { > + .endianness = DEVICE_LITTLE_ENDIAN, > + .valid = { > + .min_access_size = 4, > +- .max_access_size = 4 > ++ .max_access_size = 8 > + } > + }; > + > +-- > +1.8.3.1 > + > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch > new file mode 100644 > index 0000000000..cdd9c38db9 > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch 
> @@ -0,0 +1,67 @@ > +From a114d6baedf2cccb454a46d36e399fec1bc3e1c0 Mon Sep 17 00:00:00 2001 > +From: Gerd Hoffmann <kraxel@redhat.com> > +Date: Wed, 18 Aug 2021 14:05:05 +0200 > +Subject: [PATCH] uas: add stream number sanity checks. > +MIME-Version: 1.0 > +Content-Type: text/plain; charset=UTF-8 > +Content-Transfer-Encoding: 8bit > + > +MIME-Version: 1.0 > +Content-Type: text/plain; charset=UTF-8 > +Content-Transfer-Encoding: 8bit > + > +The device uses the guest-supplied stream number unchecked, which can > +lead to guest-triggered out-of-band access to the UASDevice->data3 and > +UASDevice->status3 fields. Add the missing checks. > + > +Fixes: CVE-2021-3713 > +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > +Reported-by: Chen Zhe <chenzhe@huawei.com> > +Reported-by: Tan Jingguo <tanjingguo@huawei.com> > +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> > +Message-Id: <20210818120505.1258262-2-kraxel@redhat.com> > + > +https://gitlab.com/qemu-project/qemu/-/commit/13b250b12ad3c59114a6a17d59caf073ce45b33a > +CVE: CVE-2021-3713 > +Upstream-Status: Backport > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > +--- > + hw/usb/dev-uas.c | 11 +++++++++++ > + 1 file changed, 11 insertions(+) > + > +diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c > +index 6d6d1073..0b8cd4dd 100644 > +--- a/hw/usb/dev-uas.c > ++++ b/hw/usb/dev-uas.c > +@@ -830,6 +830,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) > + } > + break; > + case UAS_PIPE_ID_STATUS: > ++ if (p->stream > UAS_MAX_STREAMS) { > ++ goto err_stream; > ++ } > + if (p->stream) { > + QTAILQ_FOREACH(st, &uas->results, next) { > + if (st->stream == p->stream) { > +@@ -857,6 +860,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) > + break; > + case UAS_PIPE_ID_DATA_IN: > + case UAS_PIPE_ID_DATA_OUT: > ++ if (p->stream > UAS_MAX_STREAMS) { > ++ goto err_stream; > ++ } > + if (p->stream) { > + req = usb_uas_find_request(uas, p->stream); > + } else { > +@@ -892,6 +898,11 
@@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) > + p->status = USB_RET_STALL; > + break; > + } > ++ > ++err_stream: > ++ error_report("%s: invalid stream %d", __func__, p->stream); > ++ p->status = USB_RET_STALL; > ++ return; > + } > + > + static void usb_uas_unrealize(USBDevice *dev, Error **errp) > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch > new file mode 100644 > index 0000000000..b291ade4e3 > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch 
> @@ -0,0 +1,124 @@ > +From bedd7e93d01961fcb16a97ae45d93acf357e11f6 Mon Sep 17 00:00:00 2001 > +From: Jason Wang <jasowang@redhat.com> > +Date: Thu, 2 Sep 2021 13:44:12 +0800 > +Subject: [PATCH] virtio-net: fix use after unmap/free for sg > + > +When mergeable buffer is enabled, we try to set the num_buffers after > +the virtqueue elem has been unmapped. This will lead several issues, > +E.g a use after free when the descriptor has an address which belongs > +to the non direct access region. In this case we use bounce buffer > +that is allocated during address_space_map() and freed during > +address_space_unmap(). > + > +Fixing this by storing the elems temporarily in an array and delay the > +unmap after we set the the num_buffers. > + > +This addresses CVE-2021-3748. > + > +Reported-by: Alexander Bulekov <alxndr@bu.edu> > +Fixes: fbe78f4f55c6 ("virtio-net support") > +Cc: qemu-stable@nongnu.org > +Signed-off-by: Jason Wang <jasowang@redhat.com> > + > +https://github.com/qemu/qemu/commit/bedd7e93d01961fcb16a97ae45d93acf357e11f6 > +CVE: CVE-2021-3748 > +Upstream-Status: Backport > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > +--- > + hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++------- > + 1 file changed, 32 insertions(+), 7 deletions(-) > + > +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c > +index 16d20cdee52a..f205331dcf8c 100644 > +--- a/hw/net/virtio-net.c > ++++ b/hw/net/virtio-net.c > +@@ -1746,10 +1746,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, > + VirtIONet *n = qemu_get_nic_opaque(nc); > + VirtIONetQueue *q = virtio_net_get_subqueue(nc); > + VirtIODevice *vdev = VIRTIO_DEVICE(n); > ++ VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE]; > ++ size_t lens[VIRTQUEUE_MAX_SIZE]; > + struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE]; > + struct virtio_net_hdr_mrg_rxbuf mhdr; > + unsigned mhdr_cnt = 0; > +- size_t offset, i, guest_offset; > ++ size_t offset, i, guest_offset, j; > ++ ssize_t err; > + > + 
if (!virtio_net_can_receive(nc)) { > + return -1; > +@@ -1780,6 +1783,12 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, > + > + total = 0; > + > ++ if (i == VIRTQUEUE_MAX_SIZE) { > ++ virtio_error(vdev, "virtio-net unexpected long buffer chain"); > ++ err = size; > ++ goto err; > ++ } > ++ > + elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement)); > + if (!elem) { > + if (i) { > +@@ -1791,7 +1800,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, > + n->guest_hdr_len, n->host_hdr_len, > + vdev->guest_features); > + } > +- return -1; > ++ err = -1; > ++ goto err; > + } > + > + if (elem->in_num < 1) { > +@@ -1799,7 +1809,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, > + "virtio-net receive queue contains no in buffers"); > + virtqueue_detach_element(q->rx_vq, elem, 0); > + g_free(elem); > +- return -1; > ++ err = -1; > ++ goto err; > + } > + > + sg = elem->in_sg; > +@@ -1836,12 +1847,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, > + if (!n->mergeable_rx_bufs && offset < size) { > + virtqueue_unpop(q->rx_vq, elem, total); > + g_free(elem); > +- return size; > ++ err = size; > ++ goto err; > + } > + > +- /* signal other side */ > +- virtqueue_fill(q->rx_vq, elem, total, i++); > +- g_free(elem); > ++ elems[i] = elem; > ++ lens[i] = total; > ++ i++; > + } > + > + if (mhdr_cnt) { > +@@ -1851,10 +1863,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, > + &mhdr.num_buffers, sizeof mhdr.num_buffers); > + } > + > ++ for (j = 0; j < i; j++) { > ++ /* signal other side */ > ++ virtqueue_fill(q->rx_vq, elems[j], lens[j], j); > ++ g_free(elems[j]); > ++ } > ++ > + virtqueue_flush(q->rx_vq, i); > + virtio_notify(vdev, q->rx_vq); > + > + return size; > ++ > ++err: > ++ for (j = 0; j < i; j++) { > ++ g_free(elems[j]); > ++ } > ++ > ++ return err; > + } > + > + static ssize_t 
virtio_net_do_receive(NetClientState *nc, const uint8_t *buf, > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch > new file mode 100644 > index 0000000000..b1b5558647 > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch 
> @@ -0,0 +1,53 @@ > +From b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 Mon Sep 17 00:00:00 2001 > +From: Mauro Matteo Cascella <mcascell@redhat.com> > +Date: Thu, 4 Nov 2021 17:31:38 +0100 > +Subject: [PATCH] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT > + commands > + > +This avoids an off-by-one read of 'mode_sense_valid' buffer in > +hw/scsi/scsi-disk.c:mode_sense_page(). > + > +Fixes: CVE-2021-3930 > +Cc: qemu-stable@nongnu.org > +Reported-by: Alexander Bulekov <alxndr@bu.edu> > +Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table") > +Fixes: #546 > +Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com> > +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> > +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> > + > +https://gitlab.com/qemu-project/qemu/-/commit/b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 > +CVE: CVE-2021-3930 > +Upstream-Status: Backport > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > +--- > + hw/scsi/scsi-disk.c | 6 ++++++ > + 1 file changed, 6 insertions(+) > + > +diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c > +index e8a547dbb7..d4914178ea 100644 > +--- a/hw/scsi/scsi-disk.c > ++++ b/hw/scsi/scsi-disk.c > +@@ -1087,6 +1087,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf, > + uint8_t *p = *p_outbuf + 2; > + int length; > + > ++ assert(page < ARRAY_SIZE(mode_sense_valid)); > + if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) { > + return -1; > + } > +@@ -1428,6 +1429,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page, > + return -1; > + } > + > ++ /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */ > ++ if (page == MODE_PAGE_ALLS) { > ++ return -1; > ++ } > ++ > + p = mode_current; > + memset(mode_current, 0, inlen + 2); > + len = mode_sense_page(s, page, &p, 0); > +-- > +GitLab > + 
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch > new file mode 100644 > index 0000000000..80ad49e4ed > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch 
> @@ -0,0 +1,89 @@ > +From fa892e9abb728e76afcf27323ab29c57fb0fe7aa Mon Sep 17 00:00:00 2001 > +From: Mauro Matteo Cascella <mcascell@redhat.com> > +Date: Thu, 7 Apr 2022 10:17:12 +0200 > +Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc > + (CVE-2021-4206) > +MIME-Version: 1.0 > +Content-Type: text/plain; charset=UTF-8 > +Content-Transfer-Encoding: 8bit > + > +Prevent potential integer overflow by limiting 'width' and 'height' to > +512x512. Also change 'datasize' type to size_t. Refer to security > +advisory https://starlabs.sg/advisories/22-4206/ for more information. > + > +Fixes: CVE-2021-4206 > +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> > +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> > +Message-Id: <20220407081712.345609-1-mcascell@redhat.com> > +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > + > +https://gitlab.com/qemu-project/qemu/-/commit/fa892e9a > +CVE: CVE-2021-4206 > +Upstream-Status: Backport > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > +--- > + hw/display/qxl-render.c | 7 +++++++ > + hw/display/vmware_vga.c | 2 ++ > + ui/cursor.c | 8 +++++++- > + 3 files changed, 16 insertions(+), 1 deletion(-) > + > +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c > +index 237ed293ba..ca217004bf 100644 > +--- a/hw/display/qxl-render.c > ++++ b/hw/display/qxl-render.c > +@@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor, > + size_t size; > + > + c = cursor_alloc(cursor->header.width, cursor->header.height); > ++ > ++ if (!c) { > ++ qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__, > ++ cursor->header.width, cursor->header.height); > ++ goto fail; > ++ } > ++ > + c->hot_x = cursor->header.hot_spot_x; > + c->hot_y = cursor->header.hot_spot_y; > + switch (cursor->header.type) { > +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c > +index 98c83474ad..45d06cbe25 100644 > +--- a/hw/display/vmware_vga.c > ++++ 
b/hw/display/vmware_vga.c > +@@ -515,6 +515,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s, > + int i, pixels; > + > + qc = cursor_alloc(c->width, c->height); > ++ assert(qc != NULL); > ++ > + qc->hot_x = c->hot_x; > + qc->hot_y = c->hot_y; > + switch (c->bpp) { > +diff --git a/ui/cursor.c b/ui/cursor.c > +index 1d62ddd4d0..835f0802f9 100644 > +--- a/ui/cursor.c > ++++ b/ui/cursor.c > +@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[]) > + > + /* parse pixel data */ > + c = cursor_alloc(width, height); > ++ assert(c != NULL); > ++ > + for (pixel = 0, y = 0; y < height; y++, line++) { > + for (x = 0; x < height; x++, pixel++) { > + idx = xpm[line][x]; > +@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void) > + QEMUCursor *cursor_alloc(int width, int height) > + { > + QEMUCursor *c; > +- int datasize = width * height * sizeof(uint32_t); > ++ size_t datasize = width * height * sizeof(uint32_t); > ++ > ++ if (width > 512 || height > 512) { > ++ return NULL; > ++ } > + > + c = g_malloc0(sizeof(QEMUCursor) + datasize); > + c->width = width; > +-- > +GitLab > + > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch > new file mode 100644 > index 0000000000..8418246247 > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch 
> @@ -0,0 +1,43 @@ > +From 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895 Mon Sep 17 00:00:00 2001 > +From: Mauro Matteo Cascella <mcascell@redhat.com> > +Date: Thu, 7 Apr 2022 10:11:06 +0200 > +Subject: [PATCH] display/qxl-render: fix race condition in qxl_cursor > + (CVE-2021-4207) > +MIME-Version: 1.0 > +Content-Type: text/plain; charset=UTF-8 > +Content-Transfer-Encoding: 8bit > + > +Avoid fetching 'width' and 'height' a second time to prevent possible > +race condition. Refer to security advisory > +https://starlabs.sg/advisories/22-4207/ for more information. > + > +Fixes: CVE-2021-4207 > +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> > +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> > +Message-Id: <20220407081106.343235-1-mcascell@redhat.com> > +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > + > +https://gitlab.com/qemu-project/qemu/-/commit/9569f5cb > +CVE: CVE-2021-4207 > +Upstream-Status: Backport > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > +--- > + hw/display/qxl-render.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c > +index d28849b121..237ed293ba 100644 > +--- a/hw/display/qxl-render.c > ++++ b/hw/display/qxl-render.c > +@@ -266,7 +266,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor, > + } > + break; > + case SPICE_CURSOR_TYPE_ALPHA: > +- size = sizeof(uint32_t) * cursor->header.width * cursor->header.height; > ++ size = sizeof(uint32_t) * c->width * c->height; > + qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id); > + if (qxl->debug > 2) { > + cursor_print_ascii_art(c, "qxl/alpha"); > +-- > +GitLab > + > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch > new file mode 100644 > index 0000000000..6a7ce0e26c > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch 
> @@ -0,0 +1,42 @@ > +From 6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8 Mon Sep 17 00:00:00 2001 > +From: Mauro Matteo Cascella <mcascell@redhat.com> > +Date: Tue, 5 Jul 2022 22:05:43 +0200 > +Subject: [PATCH] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout > + (CVE-2022-0216) > + > +Set current_req->req to NULL to prevent reusing a free'd buffer in case of > +repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch. > + > +Fixes: CVE-2022-0216 > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972 > +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> > +Reviewed-by: Thomas Huth <thuth@redhat.com> > +Message-Id: <20220705200543.2366809-1-mcascell@redhat.com> > +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> > + > +https://gitlab.com/qemu-project/qemu/-/commit/6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8 > +CVE: CVE-2022-0216 > +Upstream-Status: Backport > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > +--- > + hw/scsi/lsi53c895a.c | 3 ++- > + 1 file changed, 2 insertions(+), 1 deletion(-) > + > +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c > +index c8773f73f7..99ea42d49b 100644 > +--- a/hw/scsi/lsi53c895a.c > ++++ b/hw/scsi/lsi53c895a.c > +@@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s) > + case 0x0d: > + /* The ABORT TAG message clears the current I/O process only. */ > + trace_lsi_do_msgout_abort(current_tag); > +- if (current_req) { > ++ if (current_req && current_req->req) { > + scsi_req_cancel(current_req->req); > ++ current_req->req = NULL; > + } > + lsi_disconnect(s); > + break; > +-- > +GitLab > + > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch > new file mode 100644 > index 0000000000..137906cd30 > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch 
> @@ -0,0 +1,52 @@ > +From 4367a20cc442c56b05611b4224de9a61908f9eac Mon Sep 17 00:00:00 2001 > +From: Mauro Matteo Cascella <mcascell@redhat.com> > +Date: Mon, 11 Jul 2022 14:33:16 +0200 > +Subject: [PATCH] scsi/lsi53c895a: really fix use-after-free in lsi_do_msgout > + (CVE-2022-0216) > + > +Set current_req to NULL, not current_req->req, to prevent reusing a free'd > +buffer in case of repeated SCSI cancel requests. Also apply the fix to > +CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel > +the request. > + > +Thanks to Alexander Bulekov for providing a reproducer. > + > +Fixes: CVE-2022-0216 > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972 > +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> > +Tested-by: Alexander Bulekov <alxndr@bu.edu> > +Message-Id: <20220711123316.421279-1-mcascell@redhat.com> > +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> > + > +https://gitlab.com/qemu-project/qemu/-/commit/4367a20cc4 > +CVE: CVE-2022-0216 > +Upstream-Status: Backport > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > +--- > + hw/scsi/lsi53c895a.c | 3 +- > + 1 files changed, 2 insertions(+), 1 deletion(-) > + > +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c > +index 99ea42d49b..ad5f5e5f39 100644 > +--- a/hw/scsi/lsi53c895a.c > ++++ b/hw/scsi/lsi53c895a.c > +@@ -1030,7 +1030,7 @@ static void lsi_do_msgout(LSIState *s) > + trace_lsi_do_msgout_abort(current_tag); > + if (current_req && current_req->req) { > + scsi_req_cancel(current_req->req); > +- current_req->req = NULL; > ++ current_req = NULL; > + } > + lsi_disconnect(s); > + break; > +@@ -1056,6 +1056,7 @@ static void lsi_do_msgout(LSIState *s) > + /* clear the current I/O process */ > + if (s->current) { > + scsi_req_cancel(s->current->req); > ++ current_req = NULL; > + } > + > + /* As the current implemented devices scsi_disk and scsi_generic > +-- > +GitLab > + > -- > 2.36.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent 
> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Steve Sakoman
> Sent: Thursday, September 15, 2022 10:14 PM
> To: Lee, Chee Yang <chee.yang.lee@intel.com>
> Cc: openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core] [PATCH][dunfell 2/2] qemu: fix and ignore several CVEs
>
> On Tue, Sep 13, 2022 at 8:04 PM Lee Chee Yang <chee.yang.lee@intel.com> wrote:
> >
> > From: Chee Yang Lee <chee.yang.lee@intel.com>
> >
> > backport fixes:
> > CVE-2020-13754, backport patches as debian security tracker notes
> > https://security-tracker.debian.org/tracker/CVE-2020-13754
> >
> > CVE-2021-3713
> > CVE-2021-3748
> > CVE-2021-3930
> > CVE-2021-4206
> > CVE-2021-4207
> > CVE-2022-0216, does not include qtest in patches, the qtest code were not available in v4.2.
> >
> > Ignore:
> > CVE-2020-27661, issue introduced in v5.1.0-rc0
> > https://security-tracker.debian.org/tracker/CVE-2020-27661
>
> While this patch applies and builds without error, it results in quite a few runtime errors during oe-selftest:
>
> https://errors.yoctoproject.org/Errors/Details/671970/
>
> Not sure which of the CVE fixes cause this :-(

It might be because of:
https://lists.openembedded.org/g/openembedded-core/message/156694

Thanks,
Anuj

>
> Steve
> > > Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > > --- > > meta/recipes-devtools/qemu/qemu.inc | 14 ++ > > .../qemu/qemu/CVE-2020-13754-1.patch | 91 +++++++++++++ > > .../qemu/qemu/CVE-2020-13754-2.patch | 69 ++++++++++ > > .../qemu/qemu/CVE-2020-13754-3.patch | 65 +++++++++ > > .../qemu/qemu/CVE-2020-13754-4.patch | 39 ++++++ > > .../qemu/qemu/CVE-2021-3713.patch | 67 ++++++++++ > > .../qemu/qemu/CVE-2021-3748.patch | 124 ++++++++++++++++++ > > .../qemu/qemu/CVE-2021-3930.patch | 53 ++++++++ > > .../qemu/qemu/CVE-2021-4206.patch | 89 +++++++++++++ > > .../qemu/qemu/CVE-2021-4207.patch | 43 ++++++ > > .../qemu/qemu/CVE-2022-0216-1.patch | 42 ++++++ > > .../qemu/qemu/CVE-2022-0216-2.patch | 52 ++++++++ > > 12 files changed, 748 insertions(+) > > create mode 100644 > > meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch > > create mode 100644 > > meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch > > create mode 100644 > > meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch > > create mode 100644 > > meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch > > create mode 100644 > > meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch > > create mode 100644 > > meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch > > create mode 100644 > > meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch > > create mode 100644 > > meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch > > create mode 100644 > > meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch > > create mode 100644 > > meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch > > create mode 100644 > > meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch > > > > diff --git a/meta/recipes-devtools/qemu/qemu.inc > > b/meta/recipes-devtools/qemu/qemu.inc > > index a773068499..c1db723e90 100644 > > --- a/meta/recipes-devtools/qemu/qemu.inc > > +++ b/meta/recipes-devtools/qemu/qemu.inc 
> > @@ -100,6 +100,17 @@ SRC_URI = "https://download.qemu.org/${BPN}- > ${PV}.tar.xz \ > > file://CVE-2020-13791.patch \ > > file://CVE-2022-35414.patch \ > > file://CVE-2020-27821.patch \ > > + file://CVE-2020-13754-1.patch \ > > + file://CVE-2020-13754-2.patch \ > > + file://CVE-2020-13754-3.patch \ > > + file://CVE-2020-13754-4.patch \ > > + file://CVE-2021-3713.patch \ > > + file://CVE-2021-3748.patch \ > > + file://CVE-2021-3930.patch \ > > + file://CVE-2021-4206.patch \ > > + file://CVE-2021-4207.patch \ > > + file://CVE-2022-0216-1.patch \ > > + file://CVE-2022-0216-2.patch \ > > " > > UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" > > > > @@ -117,6 +128,9 @@ CVE_CHECK_WHITELIST += "CVE-2007-0998" > > # https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11 > > CVE_CHECK_WHITELIST += "CVE-2018-18438" > > > > +# the issue introduced in v5.1.0-rc0 > > +CVE_CHECK_WHITELIST += "CVE-2020-27661" > > + > > COMPATIBLE_HOST_mipsarchn32 = "null" > > COMPATIBLE_HOST_mipsarchn64 = "null" > > > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch > > b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch > > new file mode 100644 > > index 0000000000..fdfff9d81d > > --- /dev/null > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch 
> > @@ -0,0 +1,91 @@ > > +From 5d971f9e672507210e77d020d89e0e89165c8fc9 Mon Sep 17 00:00:00 > > +2001 > > +From: "Michael S. Tsirkin" <mst@redhat.com> > > +Date: Wed, 10 Jun 2020 09:47:49 -0400 > > +Subject: [PATCH] memory: Revert "memory: accept mismatching sizes in > > +memory_region_access_valid" > > + > > +Memory API documentation documents valid .min_access_size and > > +.max_access_size fields and explains that any access outside these boundaries is > blocked. > > + > > +This is what devices seem to assume. > > + > > +However this is not what the implementation does: it simply ignores > > +the boundaries unless there's an "accepts" callback. > > + > > +Naturally, this breaks a bunch of devices. > > + > > +Revert to the documented behaviour. > > + > > +Devices that want to allow any access can just drop the valid field, > > +or add the impl field to have accesses converted to appropriate > > +length. > > + > > +Cc: qemu-stable@nongnu.org > > +Reviewed-by: Richard Henderson <rth@twiddle.net> > > +Fixes: CVE-2020-13754 > > +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363 > > +Fixes: a014ed07bd5a ("memory: accept mismatching sizes in > > +memory_region_access_valid") > > +Signed-off-by: Michael S. 
Tsirkin <mst@redhat.com> > > +Message-Id: <20200610134731.1514409-1-mst@redhat.com> > > +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> > > + > > +https://git.qemu.org/?p=qemu.git;a=patch;h=5d971f9e672507210e77d020d8 > > +9e0e89165c8fc9 > > +CVE: CVE-2020-13754 > > +Upstream-Status: Backport > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > > +--- > > + memory.c | 29 +++++++++-------------------- > > + 1 file changed, 9 insertions(+), 20 deletions(-) > > + > > +diff --git a/memory.c b/memory.c > > +index 2f15a4b..9200b20 100644 > > +--- a/memory.c > > ++++ b/memory.c > > +@@ -1352,35 +1352,24 @@ bool memory_region_access_valid(MemoryRegion > *mr, > > + bool is_write, > > + MemTxAttrs attrs) { > > +- int access_size_min, access_size_max; > > +- int access_size, i; > > +- > > +- if (!mr->ops->valid.unaligned && (addr & (size - 1))) { > > ++ if (mr->ops->valid.accepts > > ++ && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, > > ++ attrs)) { > > + return false; > > + } > > + > > +- if (!mr->ops->valid.accepts) { > > +- return true; > > +- } > > +- > > +- access_size_min = mr->ops->valid.min_access_size; > > +- if (!mr->ops->valid.min_access_size) { > > +- access_size_min = 1; > > ++ if (!mr->ops->valid.unaligned && (addr & (size - 1))) { > > ++ return false; > > + } > > + > > +- access_size_max = mr->ops->valid.max_access_size; > > ++ /* Treat zero as compatibility all valid */ > > + if (!mr->ops->valid.max_access_size) { > > +- access_size_max = 4; > > ++ return true; > > + } > > + > > +- access_size = MAX(MIN(size, access_size_max), access_size_min); > > +- for (i = 0; i < size; i += access_size) { > > +- if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size, > > +- is_write, attrs)) { > > +- return false; > > +- } > > ++ if (size > mr->ops->valid.max_access_size > > ++ || size < mr->ops->valid.min_access_size) { > > ++ return false; > > + } > > +- > > + return true; > > + } > > + > > +-- > > +1.8.3.1 > > + 
> > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch > > b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch > > new file mode 100644 > > index 0000000000..7354edc54d > > --- /dev/null > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch 
> > @@ -0,0 +1,69 @@ > > +From dba04c3488c4699f5afe96f66e448b1d447cf3fb Mon Sep 17 00:00:00 > > +2001 > > +From: Michael Tokarev <mjt@tls.msk.ru> > > +Date: Mon, 20 Jul 2020 19:06:27 +0300 > > +Subject: [PATCH] acpi: accept byte and word access to core ACPI > > +registers > > + > > +All ISA registers should be accessible as bytes, words or dwords (if > > +wide enough). Fix the access constraints for acpi-pm-evt, > > +acpi-pm-tmr & acpi-cnt registers. > > + > > +Fixes: 5d971f9e67 (memory: Revert "memory: accept mismatching sizes > > +in memory_region_access_valid") > > +Fixes: afafe4bbe0 (apci: switch cnt to memory api) > > +Fixes: 77d58b1e47 (apci: switch timer to memory api) > > +Fixes: b5a7c024d2 (apci: switch evt to memory api) > > +Buglink: > > +https://lore.kernel.org/xen-devel/20200630170913.123646-1-anthony.per > > +ard@citrix.com/T/ > > +Buglink: https://bugs.debian.org/964793 > > +BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247 > > +BugLink: https://bugs.launchpad.net/bugs/1886318 > > +Reported-By: Simon John <git@the-jedi.co.uk> > > +Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> > > +Message-Id: <20200720160627.15491-1-mjt@msgid.tls.msk.ru> > > +Cc: qemu-stable@nongnu.org > > +Reviewed-by: Michael S. Tsirkin <mst@redhat.com> > > +Signed-off-by: Michael S. 
Tsirkin <mst@redhat.com> > > + > > +https://git.qemu.org/?p=qemu.git;a=patch;h=dba04c3488c4699f5afe96f66e > > +448b1d447cf3fb > > +CVE: CVE-2020-13754 > > +Upstream-Status: Backport > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > > +--- > > + hw/acpi/core.c | 9 ++++++--- > > + 1 file changed, 6 insertions(+), 3 deletions(-) > > + > > +diff --git a/hw/acpi/core.c b/hw/acpi/core.c index f6d9ec4..ac06db3 > > +100644 > > +--- a/hw/acpi/core.c > > ++++ b/hw/acpi/core.c > > +@@ -458,7 +458,8 @@ static void acpi_pm_evt_write(void *opaque, > > +hwaddr addr, uint64_t val, static const MemoryRegionOps acpi_pm_evt_ops = { > > + .read = acpi_pm_evt_read, > > + .write = acpi_pm_evt_write, > > +- .valid.min_access_size = 2, > > ++ .impl.min_access_size = 2, > > ++ .valid.min_access_size = 1, > > + .valid.max_access_size = 2, > > + .endianness = DEVICE_LITTLE_ENDIAN, }; @@ -527,7 +528,8 @@ > > +static void acpi_pm_tmr_write(void *opaque, hwaddr addr, uint64_t > > +val, static const MemoryRegionOps acpi_pm_tmr_ops = { > > + .read = acpi_pm_tmr_read, > > + .write = acpi_pm_tmr_write, > > +- .valid.min_access_size = 4, > > ++ .impl.min_access_size = 4, > > ++ .valid.min_access_size = 1, > > + .valid.max_access_size = 4, > > + .endianness = DEVICE_LITTLE_ENDIAN, }; @@ -599,7 +601,8 @@ > > +static void acpi_pm_cnt_write(void *opaque, hwaddr addr, uint64_t > > +val, static const MemoryRegionOps acpi_pm_cnt_ops = { > > + .read = acpi_pm_cnt_read, > > + .write = acpi_pm_cnt_write, > > +- .valid.min_access_size = 2, > > ++ .impl.min_access_size = 2, > > ++ .valid.min_access_size = 1, > > + .valid.max_access_size = 2, > > + .endianness = DEVICE_LITTLE_ENDIAN, }; > > +-- > > +1.8.3.1 > > + > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch > > b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch > > new file mode 100644 > > index 0000000000..2a8781050f > > --- /dev/null > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch 
> > @@ -0,0 +1,65 @@ > > +From 8e67fda2dd6202ccec093fda561107ba14830a17 Mon Sep 17 00:00:00 > > +2001 > > +From: Laurent Vivier <lvivier@redhat.com> > > +Date: Tue, 21 Jul 2020 10:33:22 +0200 > > +Subject: [PATCH] xhci: fix valid.max_access_size to access address > > +registers > > +MIME-Version: 1.0 > > +Content-Type: text/plain; charset=utf8 > > +Content-Transfer-Encoding: 8bit > > + > > +QEMU XHCI advertises AC64 (64-bit addressing) but doesn't allow > > +64-bit mode access in "runtime" and "operational" MemoryRegionOps. > > + > > +Set the max_access_size based on sizeof(dma_addr_t) as AC64 is set. > > + > > +XHCI specs: > > +"If the xHC supports 64-bit addressing (AC64 = â1â), then software > > +should write 64-bit registers using only Qword accesses. If a system > > +is incapable of issuing Qword accesses, then writes to the 64-bit > > +address fields shall be performed using 2 Dword accesses; low > > +Dword-first, high-Dword second. If the xHC supports 32-bit > > +addressing (AC64 = â0â), then the high Dword of registers containing > > +64-bit address fields are unused and software should write addresses > > +using only Dword accesses" > > + > > +The problem has been detected with SLOF, as linux kernel always > > +accesses registers using 32-bit access even if AC64 is set and > > +revealed by > > +5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in > > +memory_region_access_valid"") > > + > > +Suggested-by: Alexey Kardashevskiy <aik@au1.ibm.com> > > +Signed-off-by: Laurent Vivier <lvivier@redhat.com> > > +Message-id: 20200721083322.90651-1-lvivier@redhat.com > > +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > > + > > +https://git.qemu.org/?p=qemu.git;a=patch;h=8e67fda2dd6202ccec093fda56 > > +1107ba14830a17 > > +CVE: CVE-2020-13754 > > +Upstream-Status: Backport > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > > +--- > > + hw/usb/hcd-xhci.c | 4 ++-- > > + 1 file changed, 2 insertions(+), 2 deletions(-) > > + > > +diff --git 
a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c index > > +b330e36..67a18fe 100644 > > +--- a/hw/usb/hcd-xhci.c > > ++++ b/hw/usb/hcd-xhci.c > > +@@ -3184,7 +3184,7 @@ static const MemoryRegionOps xhci_oper_ops = { > > + .read = xhci_oper_read, > > + .write = xhci_oper_write, > > + .valid.min_access_size = 4, > > +- .valid.max_access_size = 4, > > ++ .valid.max_access_size = sizeof(dma_addr_t), > > + .endianness = DEVICE_LITTLE_ENDIAN, }; > > + > > +@@ -3200,7 +3200,7 @@ static const MemoryRegionOps xhci_runtime_ops = { > > + .read = xhci_runtime_read, > > + .write = xhci_runtime_write, > > + .valid.min_access_size = 4, > > +- .valid.max_access_size = 4, > > ++ .valid.max_access_size = sizeof(dma_addr_t), > > + .endianness = DEVICE_LITTLE_ENDIAN, }; > > + > > +-- > > +1.8.3.1 > > + > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch > > b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch > > new file mode 100644 > > index 0000000000..6bad07d03f > > --- /dev/null > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch 
> > @@ -0,0 +1,39 @@ > > +From 70b78d4e71494c90d2ccb40381336bc9b9a22f79 Mon Sep 17 00:00:00 > > +2001 > > +From: Alistair Francis <alistair.francis@wdc.com> > > +Date: Tue, 30 Jun 2020 13:12:11 -0700 > > +Subject: [PATCH] hw/riscv: Allow 64 bit access to SiFive CLINT > > + > > +Commit 5d971f9e672507210e77d020d89e0e89165c8fc9 > > +"memory: Revert "memory: accept mismatching sizes in > > +memory_region_access_valid"" broke most RISC-V boards as they do 64 > > +bit accesses to the CLINT and QEMU would trigger a fault. Fix this > > +failure by allowing 8 byte accesses. > > + > > +Signed-off-by: Alistair Francis <alistair.francis@wdc.com> > > +Reviewed-by: LIU Zhiwei<zhiwei_liu@c-sky.com> > > +Message-Id: > > +<122b78825b077e4dfd39b444d3a46fe894a7804c.1593547870.git.alistair.fra > > +ncis@wdc.com> > > + > > +https://git.qemu.org/?p=qemu.git;a=patch;h=70b78d4e71494c90d2ccb40381 > > +336bc9b9a22f79 > > +CVE: CVE-2020-13754 > > +Upstream-Status: Backport > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > > +--- > > + hw/riscv/sifive_clint.c | 2 +- > > + 1 file changed, 1 insertion(+), 1 deletion(-) > > + > > +diff --git a/hw/riscv/sifive_clint.c b/hw/riscv/sifive_clint.c index > > +b11ffa0..669c21a 100644 > > +--- a/hw/riscv/sifive_clint.c > > ++++ b/hw/riscv/sifive_clint.c > > +@@ -181,7 +181,7 @@ static const MemoryRegionOps sifive_clint_ops = { > > + .endianness = DEVICE_LITTLE_ENDIAN, > > + .valid = { > > + .min_access_size = 4, > > +- .max_access_size = 4 > > ++ .max_access_size = 8 > > + } > > + }; > > + > > +-- > > +1.8.3.1 > > + > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch > > b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch > > new file mode 100644 > > index 0000000000..cdd9c38db9 > > --- /dev/null > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch 
> > @@ -0,0 +1,67 @@ > > +From a114d6baedf2cccb454a46d36e399fec1bc3e1c0 Mon Sep 17 00:00:00 > > +2001 > > +From: Gerd Hoffmann <kraxel@redhat.com> > > +Date: Wed, 18 Aug 2021 14:05:05 +0200 > > +Subject: [PATCH] uas: add stream number sanity checks. > > +MIME-Version: 1.0 > > +Content-Type: text/plain; charset=UTF-8 > > +Content-Transfer-Encoding: 8bit > > + > > +MIME-Version: 1.0 > > +Content-Type: text/plain; charset=UTF-8 > > +Content-Transfer-Encoding: 8bit > > + > > +The device uses the guest-supplied stream number unchecked, which can > > +lead to guest-triggered out-of-band access to the UASDevice->data3 > > +and > > +UASDevice->status3 fields. Add the missing checks. > > + > > +Fixes: CVE-2021-3713 > > +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > > +Reported-by: Chen Zhe <chenzhe@huawei.com> > > +Reported-by: Tan Jingguo <tanjingguo@huawei.com> > > +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> > > +Message-Id: <20210818120505.1258262-2-kraxel@redhat.com> > > + > > +https://gitlab.com/qemu-project/qemu/-/commit/13b250b12ad3c59114a6a17 > > +d59caf073ce45b33a > > +CVE: CVE-2021-3713 > > +Upstream-Status: Backport > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > > +--- > > + hw/usb/dev-uas.c | 11 +++++++++++ > > + 1 file changed, 11 insertions(+) > > + > > +diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c index > > +6d6d1073..0b8cd4dd 100644 > > +--- a/hw/usb/dev-uas.c > > ++++ b/hw/usb/dev-uas.c > > +@@ -830,6 +830,9 @@ static void usb_uas_handle_data(USBDevice *dev, > USBPacket *p) > > + } > > + break; > > + case UAS_PIPE_ID_STATUS: > > ++ if (p->stream > UAS_MAX_STREAMS) { > > ++ goto err_stream; > > ++ } > > + if (p->stream) { > > + QTAILQ_FOREACH(st, &uas->results, next) { > > + if (st->stream == p->stream) { 
@@ -857,6 +860,9 @@ > > +static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) > > + break; > > + case UAS_PIPE_ID_DATA_IN: > > + case UAS_PIPE_ID_DATA_OUT: > > ++ if (p->stream > UAS_MAX_STREAMS) { > > ++ goto err_stream; > > ++ } > > + if (p->stream) { > > + req = usb_uas_find_request(uas, p->stream); > > + } else { > > +@@ -892,6 +898,11 @@ static void usb_uas_handle_data(USBDevice *dev, > USBPacket *p) > > + p->status = USB_RET_STALL; > > + break; > > + } > > ++ > > ++err_stream: > > ++ error_report("%s: invalid stream %d", __func__, p->stream); > > ++ p->status = USB_RET_STALL; > > ++ return; > > + } > > + > > + static void usb_uas_unrealize(USBDevice *dev, Error **errp) > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch > > b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch > > new file mode 100644 > > index 0000000000..b291ade4e3 > > --- /dev/null > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch 
> > @@ -0,0 +1,124 @@ > > +From bedd7e93d01961fcb16a97ae45d93acf357e11f6 Mon Sep 17 00:00:00 > > +2001 > > +From: Jason Wang <jasowang@redhat.com> > > +Date: Thu, 2 Sep 2021 13:44:12 +0800 > > +Subject: [PATCH] virtio-net: fix use after unmap/free for sg > > + > > +When mergeable buffer is enabled, we try to set the num_buffers after > > +the virtqueue elem has been unmapped. This will lead several issues, > > +E.g a use after free when the descriptor has an address which belongs > > +to the non direct access region. In this case we use bounce buffer > > +that is allocated during address_space_map() and freed during > > +address_space_unmap(). > > + > > +Fixing this by storing the elems temporarily in an array and delay > > +the unmap after we set the the num_buffers. > > + > > +This addresses CVE-2021-3748. > > + > > +Reported-by: Alexander Bulekov <alxndr@bu.edu> > > +Fixes: fbe78f4f55c6 ("virtio-net support") > > +Cc: qemu-stable@nongnu.org > > +Signed-off-by: Jason Wang <jasowang@redhat.com> > > + > > +https://github.com/qemu/qemu/commit/bedd7e93d01961fcb16a97ae45d93acf3 > > +57e11f6 > > +CVE: CVE-2021-3748 > > +Upstream-Status: Backport > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > > +--- > > + hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++------- > > + 1 file changed, 32 insertions(+), 7 deletions(-) > > + > > +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c index > > +16d20cdee52a..f205331dcf8c 100644 > > +--- a/hw/net/virtio-net.c > > ++++ b/hw/net/virtio-net.c > > +@@ -1746,10 +1746,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState > *nc, const uint8_t *buf, > > + VirtIONet *n = qemu_get_nic_opaque(nc); > > + VirtIONetQueue *q = virtio_net_get_subqueue(nc); > > + VirtIODevice *vdev = VIRTIO_DEVICE(n); > > ++ VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE]; > > ++ size_t lens[VIRTQUEUE_MAX_SIZE]; > > + struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE]; > > + struct virtio_net_hdr_mrg_rxbuf mhdr; > > + unsigned mhdr_cnt = 0; > > 
+- size_t offset, i, guest_offset; > > ++ size_t offset, i, guest_offset, j; > > ++ ssize_t err; > > + > > + if (!virtio_net_can_receive(nc)) { > > + return -1; > > +@@ -1780,6 +1783,12 @@ static ssize_t > > +virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, > > + > > + total = 0; > > + > > ++ if (i == VIRTQUEUE_MAX_SIZE) { > > ++ virtio_error(vdev, "virtio-net unexpected long buffer chain"); > > ++ err = size; > > ++ goto err; > > ++ } > > ++ > > + elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement)); > > + if (!elem) { > > + if (i) { > > +@@ -1791,7 +1800,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, > const uint8_t *buf, > > + n->guest_hdr_len, n->host_hdr_len, > > + vdev->guest_features); > > + } > > +- return -1; > > ++ err = -1; > > ++ goto err; > > + } > > + > > + if (elem->in_num < 1) { > > +@@ -1799,7 +1809,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, > const uint8_t *buf, > > + "virtio-net receive queue contains no in buffers"); > > + virtqueue_detach_element(q->rx_vq, elem, 0); > > + g_free(elem); > > +- return -1; > > ++ err = -1; > > ++ goto err; > > + } > > + > > + sg = elem->in_sg; > > +@@ -1836,12 +1847,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState > *nc, const uint8_t *buf, > > + if (!n->mergeable_rx_bufs && offset < size) { > > + virtqueue_unpop(q->rx_vq, elem, total); > > + g_free(elem); > > +- return size; > > ++ err = size; > > ++ goto err; > > + } > > + > > +- /* signal other side */ > > +- virtqueue_fill(q->rx_vq, elem, total, i++); > > +- g_free(elem); > > ++ elems[i] = elem; > > ++ lens[i] = total; > > ++ i++; > > + } > > + > > + if (mhdr_cnt) { > > +@@ -1851,10 +1863,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState > *nc, const uint8_t *buf, > > + &mhdr.num_buffers, sizeof mhdr.num_buffers); > > + } > > + > > ++ for (j = 0; j < i; j++) { > > ++ /* signal other side */ > > ++ virtqueue_fill(q->rx_vq, elems[j], lens[j], j); > > ++ g_free(elems[j]); > > ++ } > > ++ > > 
+ virtqueue_flush(q->rx_vq, i); > > + virtio_notify(vdev, q->rx_vq); > > + > > + return size; > > ++ > > ++err: > > ++ for (j = 0; j < i; j++) { > > ++ g_free(elems[j]); > > ++ } > > ++ > > ++ return err; > > + } > > + > > + static ssize_t virtio_net_do_receive(NetClientState *nc, const > > + uint8_t *buf, > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch > > b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch > > new file mode 100644 > > index 0000000000..b1b5558647 > > --- /dev/null > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch 
> > @@ -0,0 +1,53 @@ > > +From b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 Mon Sep 17 00:00:00 > > +2001 > > +From: Mauro Matteo Cascella <mcascell@redhat.com> > > +Date: Thu, 4 Nov 2021 17:31:38 +0100 > > +Subject: [PATCH] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in > > +MODE SELECT commands > > + > > +This avoids an off-by-one read of 'mode_sense_valid' buffer in > > +hw/scsi/scsi-disk.c:mode_sense_page(). > > + > > +Fixes: CVE-2021-3930 > > +Cc: qemu-stable@nongnu.org > > +Reported-by: Alexander Bulekov <alxndr@bu.edu> > > +Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table") > > +Fixes: #546 > > +Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com> > > +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> > > +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> > > + > > +https://gitlab.com/qemu-project/qemu/-/commit/b3af7fdf9cc537f8f0dd3e2 > > +423d83f5c99a457e8 > > +CVE: CVE-2021-3930 > > +Upstream-Status: Backport > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > > +--- > > + hw/scsi/scsi-disk.c | 6 ++++++ > > + 1 file changed, 6 insertions(+) > > + > > +diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c index > > +e8a547dbb7..d4914178ea 100644 > > +--- a/hw/scsi/scsi-disk.c > > ++++ b/hw/scsi/scsi-disk.c > > +@@ -1087,6 +1087,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, > uint8_t **p_outbuf, > > + uint8_t *p = *p_outbuf + 2; > > + int length; > > + > > ++ assert(page < ARRAY_SIZE(mode_sense_valid)); > > + if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) { > > + return -1; > > + } > > +@@ -1428,6 +1429,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState > *s, int page, > > + return -1; > > + } > > + > > ++ /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */ > > ++ if (page == MODE_PAGE_ALLS) { > > ++ return -1; > > ++ } > > ++ > > + p = mode_current; > > + memset(mode_current, 0, inlen + 2); > > + len = mode_sense_page(s, page, &p, 0); > > +-- > > +GitLab > > + 
> > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch > > b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch > > new file mode 100644 > > index 0000000000..80ad49e4ed > > --- /dev/null > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch 
> > @@ -0,0 +1,89 @@ > > +From fa892e9abb728e76afcf27323ab29c57fb0fe7aa Mon Sep 17 00:00:00 > > +2001 > > +From: Mauro Matteo Cascella <mcascell@redhat.com> > > +Date: Thu, 7 Apr 2022 10:17:12 +0200 > > +Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc > > + (CVE-2021-4206) > > +MIME-Version: 1.0 > > +Content-Type: text/plain; charset=UTF-8 > > +Content-Transfer-Encoding: 8bit > > + > > +Prevent potential integer overflow by limiting 'width' and 'height' > > +to 512x512. Also change 'datasize' type to size_t. Refer to security > > +advisory https://starlabs.sg/advisories/22-4206/ for more information. > > + > > +Fixes: CVE-2021-4206 > > +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> > > +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> > > +Message-Id: <20220407081712.345609-1-mcascell@redhat.com> > > +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > > + > > +https://gitlab.com/qemu-project/qemu/-/commit/fa892e9a > > +CVE: CVE-2021-4206 > > +Upstream-Status: Backport > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > > +--- > > + hw/display/qxl-render.c | 7 +++++++ > > + hw/display/vmware_vga.c | 2 ++ > > + ui/cursor.c | 8 +++++++- > > + 3 files changed, 16 insertions(+), 1 deletion(-) > > + > > +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c index > > +237ed293ba..ca217004bf 100644 > > +--- a/hw/display/qxl-render.c > > ++++ b/hw/display/qxl-render.c > > +@@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, > QXLCursor *cursor, > > + size_t size; > > + > > + c = cursor_alloc(cursor->header.width, cursor->header.height); > > ++ > > ++ if (!c) { > > ++ qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__, > > ++ cursor->header.width, cursor->header.height); > > ++ goto fail; > > ++ } > > ++ > > + c->hot_x = cursor->header.hot_spot_x; > > + c->hot_y = cursor->header.hot_spot_y; > > + switch (cursor->header.type) { > > +diff --git a/hw/display/vmware_vga.c 
b/hw/display/vmware_vga.c index > > +98c83474ad..45d06cbe25 100644 > > +--- a/hw/display/vmware_vga.c > > ++++ b/hw/display/vmware_vga.c > > +@@ -515,6 +515,8 @@ static inline void vmsvga_cursor_define(struct > vmsvga_state_s *s, > > + int i, pixels; > > + > > + qc = cursor_alloc(c->width, c->height); > > ++ assert(qc != NULL); > > ++ > > + qc->hot_x = c->hot_x; > > + qc->hot_y = c->hot_y; > > + switch (c->bpp) { > > +diff --git a/ui/cursor.c b/ui/cursor.c index 1d62ddd4d0..835f0802f9 > > +100644 > > +--- a/ui/cursor.c > > ++++ b/ui/cursor.c > > +@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char > > +*xpm[]) > > + > > + /* parse pixel data */ > > + c = cursor_alloc(width, height); > > ++ assert(c != NULL); > > ++ > > + for (pixel = 0, y = 0; y < height; y++, line++) { > > + for (x = 0; x < height; x++, pixel++) { > > + idx = xpm[line][x]; > > +@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void) > > +QEMUCursor *cursor_alloc(int width, int height) { > > + QEMUCursor *c; > > +- int datasize = width * height * sizeof(uint32_t); > > ++ size_t datasize = width * height * sizeof(uint32_t); > > ++ > > ++ if (width > 512 || height > 512) { > > ++ return NULL; > > ++ } > > + > > + c = g_malloc0(sizeof(QEMUCursor) + datasize); > > + c->width = width; > > +-- > > +GitLab > > + > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch > > b/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch > > new file mode 100644 > > index 0000000000..8418246247 > > --- /dev/null > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch 
> > @@ -0,0 +1,43 @@ > > +From 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895 Mon Sep 17 00:00:00 > > +2001 > > +From: Mauro Matteo Cascella <mcascell@redhat.com> > > +Date: Thu, 7 Apr 2022 10:11:06 +0200 > > +Subject: [PATCH] display/qxl-render: fix race condition in qxl_cursor > > + (CVE-2021-4207) > > +MIME-Version: 1.0 > > +Content-Type: text/plain; charset=UTF-8 > > +Content-Transfer-Encoding: 8bit > > + > > +Avoid fetching 'width' and 'height' a second time to prevent possible > > +race condition. Refer to security advisory > > +https://starlabs.sg/advisories/22-4207/ for more information. > > + > > +Fixes: CVE-2021-4207 > > +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> > > +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> > > +Message-Id: <20220407081106.343235-1-mcascell@redhat.com> > > +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > > + > > +https://gitlab.com/qemu-project/qemu/-/commit/9569f5cb > > +CVE: CVE-2021-4207 > > +Upstream-Status: Backport > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > > +--- > > + hw/display/qxl-render.c | 2 +- > > + 1 file changed, 1 insertion(+), 1 deletion(-) > > + > > +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c index > > +d28849b121..237ed293ba 100644 > > +--- a/hw/display/qxl-render.c > > ++++ b/hw/display/qxl-render.c > > +@@ -266,7 +266,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, > QXLCursor *cursor, > > + } > > + break; > > + case SPICE_CURSOR_TYPE_ALPHA: > > +- size = sizeof(uint32_t) * cursor->header.width * cursor->header.height; > > ++ size = sizeof(uint32_t) * c->width * c->height; > > + qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id); > > + if (qxl->debug > 2) { > > + cursor_print_ascii_art(c, "qxl/alpha"); > > +-- > > +GitLab > > + > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch > > b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch > > new file mode 100644 > > index 0000000000..6a7ce0e26c 
> > --- /dev/null > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch > > @@ -0,0 +1,42 @@ > > +From 6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8 Mon Sep 17 00:00:00 > > +2001 > > +From: Mauro Matteo Cascella <mcascell@redhat.com> > > +Date: Tue, 5 Jul 2022 22:05:43 +0200 > > +Subject: [PATCH] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout > > + (CVE-2022-0216) > > + > > +Set current_req->req to NULL to prevent reusing a free'd buffer in > > +case of repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the > patch. > > + > > +Fixes: CVE-2022-0216 > > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972 > > +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> > > +Reviewed-by: Thomas Huth <thuth@redhat.com> > > +Message-Id: <20220705200543.2366809-1-mcascell@redhat.com> > > +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> > > + > > +https://gitlab.com/qemu-project/qemu/-/commit/6c8fa961da5e60f574bb52f > > +d3ad44b1e9e8ad4b8 > > +CVE: CVE-2022-0216 > > +Upstream-Status: Backport > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > > +--- > > + hw/scsi/lsi53c895a.c | 3 ++- > > + 1 file changed, 2 insertions(+), 1 deletion(-) > > + > > +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c index > > +c8773f73f7..99ea42d49b 100644 > > +--- a/hw/scsi/lsi53c895a.c > > ++++ b/hw/scsi/lsi53c895a.c > > +@@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s) > > + case 0x0d: > > + /* The ABORT TAG message clears the current I/O process only. */ > > + trace_lsi_do_msgout_abort(current_tag); > > +- if (current_req) { > > ++ if (current_req && current_req->req) { > > + scsi_req_cancel(current_req->req); > > ++ current_req->req = NULL; > > + } > > + lsi_disconnect(s); > > + break; > > +-- > > +GitLab > > + > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch > > b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch > > new file mode 100644 > > index 0000000000..137906cd30 > > --- /dev/null 
> > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch 
> > @@ -0,0 +1,52 @@ > > +From 4367a20cc442c56b05611b4224de9a61908f9eac Mon Sep 17 00:00:00 > > +2001 > > +From: Mauro Matteo Cascella <mcascell@redhat.com> > > +Date: Mon, 11 Jul 2022 14:33:16 +0200 > > +Subject: [PATCH] scsi/lsi53c895a: really fix use-after-free in > > +lsi_do_msgout > > + (CVE-2022-0216) > > + > > +Set current_req to NULL, not current_req->req, to prevent reusing a > > +free'd buffer in case of repeated SCSI cancel requests. Also apply > > +the fix to CLEAR QUEUE and BUS DEVICE RESET messages as well, since > > +they also cancel the request. > > + > > +Thanks to Alexander Bulekov for providing a reproducer. > > + > > +Fixes: CVE-2022-0216 > > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972 > > +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> > > +Tested-by: Alexander Bulekov <alxndr@bu.edu> > > +Message-Id: <20220711123316.421279-1-mcascell@redhat.com> > > +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> > > + > > +https://gitlab.com/qemu-project/qemu/-/commit/4367a20cc4 > > +CVE: CVE-2022-0216 > > +Upstream-Status: Backport > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > > +--- > > + hw/scsi/lsi53c895a.c | 3 +- > > + 1 files changed, 2 insertions(+), 1 deletion(-) > > + > > +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c index > > +99ea42d49b..ad5f5e5f39 100644 > > +--- a/hw/scsi/lsi53c895a.c > > ++++ b/hw/scsi/lsi53c895a.c > > +@@ -1030,7 +1030,7 @@ static void lsi_do_msgout(LSIState *s) > > + trace_lsi_do_msgout_abort(current_tag); > > + if (current_req && current_req->req) { > > + scsi_req_cancel(current_req->req); > > +- current_req->req = NULL; > > ++ current_req = NULL; > > + } > > + lsi_disconnect(s); > > + break; > > +@@ -1056,6 +1056,7 @@ static void lsi_do_msgout(LSIState *s) > > + /* clear the current I/O process */ > > + if (s->current) { > > + scsi_req_cancel(s->current->req); > > ++ current_req = NULL; > > + } > > + > > + /* As the current implemented devices scsi_disk and > > 
+scsi_generic > > +-- > > +GitLab > > + > > -- > > 2.36.1 > > > > > > > >
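Review bot: the qxl-render.c hunk at @@ -266,7 (CVE-2021-4207.patch) is correct but narrow: it replaces the second read of `cursor->header.width` and `cursor->header.height`, the re-fetch the commit message identifies as the race, with `c->width` and `c->height`, the copies stored in the QEMUCursor when it was allocated, so `size` now agrees with the buffer that `qxl_unpack_chunks` fills. Only the SPICE_CURSOR_TYPE_ALPHA case is touched; the preceding case of the same switch (its closing `} break;` is the hunk's leading context) should be checked for the same double read before the backport is treated as complete, and the patch header could say that it was.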
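Review bot: the lsi53c895a.c hunk at @@ -1028,8 (CVE-2022-0216-1.patch) still dereferences `current_req` right after `scsi_req_cancel(current_req->req)`, in the added line `current_req->req = NULL;`; cancelling the request can release the structure `current_req` points to, which is exactly what the follow-up CVE-2022-0216-2.patch in this series says ("Set current_req to NULL, not current_req->req") when it replaces the line with `current_req = NULL;`. Keep the two patches together and add a line to this patch's header pointing at -2, so that nobody cherry-picks -1 alone and ships the incomplete fix.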
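Review bot: in the lsi53c895a.c hunk at @@ -1030,7 (CVE-2022-0216-2.patch) the guard `if (current_req && current_req->req)` inherited from -1 becomes half redundant: once `current_req = NULL;` has run, the second half is never evaluated again, and because `current_req` is a local of lsi_do_msgout the assignment only protects the remaining messages handled by this call (the repeated cancel requests the commit message describes). Protection across calls depends on the cancel path clearing `s->current`, which the hunk relies on but does not show; a one-line comment on the assignment stating why the local must be cleared would make that explicit.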
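Review bot: the hunk at @@ -1056,6 (CVE-2022-0216-2.patch) adds `current_req = NULL;` inside `if (s->current)` after `scsi_req_cancel(s->current->req)`, matching the commit message's "also apply the fix to CLEAR QUEUE and BUS DEVICE RESET"; here the cancelled request is `s->current->req` rather than `current_req->req`, so clearing `current_req` is right only when the two refer to the same request, and a short comment stating that assumption would help. Separately, the diffstat line `1 files changed, 2 insertions(+), 1 deletion(-)` was clearly edited by hand (the cover letter says the qtest part of the upstream fix was left out because the qtest code is not in 4.2); state that omission in the patch header under Upstream-Status instead of leaving a silently trimmed diffstat.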
On Sun, Sep 18, 2022 at 2:44 PM Mittal, Anuj <anuj.mittal@intel.com> wrote:
>
> > -----Original Message-----
> > From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Steve Sakoman
> > Sent: Thursday, September 15, 2022 10:14 PM
> > To: Lee, Chee Yang <chee.yang.lee@intel.com>
> > Cc: openembedded-core@lists.openembedded.org
> > Subject: Re: [OE-core] [PATCH][dunfell 2/2] qemu: fix and ignore several CVEs
> >
> > On Tue, Sep 13, 2022 at 8:04 PM Lee Chee Yang <chee.yang.lee@intel.com> wrote:
> > >
> > > From: Chee Yang Lee <chee.yang.lee@intel.com>
> > >
> > > backport fixes:
> > > CVE-2020-13754, backport patches as debian security tracker notes
> > > https://security-tracker.debian.org/tracker/CVE-2020-13754
> > >
> > > CVE-2021-3713
> > > CVE-2021-3748
> > > CVE-2021-3930
> > > CVE-2021-4206
> > > CVE-2021-4207
> > > CVE-2022-0216, does not include qtest in patches, the qtest code were not available in v4.2.
> > >
> > > Ignore:
> > > CVE-2020-27661, issue introduced in v5.1.0-rc0
> > > https://security-tracker.debian.org/tracker/CVE-2020-27661
> >
> > While this patch applies and builds without error, it results in quite a few runtime errors during oe-selftest:
> >
> > https://errors.yoctoproject.org/Errors/Details/671970/
> >
> > Not sure which of the CVE fixes cause this :-(
>
> It might be because of:
>
> https://lists.openembedded.org/g/openembedded-core/message/156694

Yes, on further investigation there are no issues with this patch. The issues were with a couple of missing PACKAGECONFIGS in the qemu recipe. After adding those all is well again.

Thanks for the hint Anuj!

Steve
> > > Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > > > --- > > > meta/recipes-devtools/qemu/qemu.inc | 14 ++ > > > .../qemu/qemu/CVE-2020-13754-1.patch | 91 +++++++++++++ > > > .../qemu/qemu/CVE-2020-13754-2.patch | 69 ++++++++++ > > > .../qemu/qemu/CVE-2020-13754-3.patch | 65 +++++++++ > > > .../qemu/qemu/CVE-2020-13754-4.patch | 39 ++++++ > > > .../qemu/qemu/CVE-2021-3713.patch | 67 ++++++++++ > > > .../qemu/qemu/CVE-2021-3748.patch | 124 ++++++++++++++++++ > > > .../qemu/qemu/CVE-2021-3930.patch | 53 ++++++++ > > > .../qemu/qemu/CVE-2021-4206.patch | 89 +++++++++++++ > > > .../qemu/qemu/CVE-2021-4207.patch | 43 ++++++ > > > .../qemu/qemu/CVE-2022-0216-1.patch | 42 ++++++ > > > .../qemu/qemu/CVE-2022-0216-2.patch | 52 ++++++++ > > > 12 files changed, 748 insertions(+) > > > create mode 100644 > > > meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch > > > create mode 100644 > > > meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch > > > create mode 100644 > > > meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch > > > create mode 100644 > > > meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch > > > create mode 100644 > > > meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch > > > create mode 100644 > > > meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch > > > create mode 100644 > > > meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch > > > create mode 100644 > > > meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch > > > create mode 100644 > > > meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch > > > create mode 100644 > > > meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch > > > create mode 100644 > > > meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch > > > > > > diff --git a/meta/recipes-devtools/qemu/qemu.inc > > > b/meta/recipes-devtools/qemu/qemu.inc > > > index a773068499..c1db723e90 100644 > > > --- a/meta/recipes-devtools/qemu/qemu.inc > > > +++ b/meta/recipes-devtools/qemu/qemu.inc 
> > > @@ -100,6 +100,17 @@ SRC_URI = "https://download.qemu.org/${BPN}- > > ${PV}.tar.xz \ > > > file://CVE-2020-13791.patch \ > > > file://CVE-2022-35414.patch \ > > > file://CVE-2020-27821.patch \ > > > + file://CVE-2020-13754-1.patch \ > > > + file://CVE-2020-13754-2.patch \ > > > + file://CVE-2020-13754-3.patch \ > > > + file://CVE-2020-13754-4.patch \ > > > + file://CVE-2021-3713.patch \ > > > + file://CVE-2021-3748.patch \ > > > + file://CVE-2021-3930.patch \ > > > + file://CVE-2021-4206.patch \ > > > + file://CVE-2021-4207.patch \ > > > + file://CVE-2022-0216-1.patch \ > > > + file://CVE-2022-0216-2.patch \ > > > " > > > UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" > > > > > > @@ -117,6 +128,9 @@ CVE_CHECK_WHITELIST += "CVE-2007-0998" > > > # https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11 > > > CVE_CHECK_WHITELIST += "CVE-2018-18438" > > > > > > +# the issue introduced in v5.1.0-rc0 > > > +CVE_CHECK_WHITELIST += "CVE-2020-27661" > > > + > > > COMPATIBLE_HOST_mipsarchn32 = "null" > > > COMPATIBLE_HOST_mipsarchn64 = "null" > > > > > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch > > > b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch > > > new file mode 100644 > > > index 0000000000..fdfff9d81d > > > --- /dev/null > > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch 
> > > @@ -0,0 +1,91 @@ > > > +From 5d971f9e672507210e77d020d89e0e89165c8fc9 Mon Sep 17 00:00:00 > > > +2001 > > > +From: "Michael S. Tsirkin" <mst@redhat.com> > > > +Date: Wed, 10 Jun 2020 09:47:49 -0400 > > > +Subject: [PATCH] memory: Revert "memory: accept mismatching sizes in > > > +memory_region_access_valid" > > > + > > > +Memory API documentation documents valid .min_access_size and > > > +.max_access_size fields and explains that any access outside these boundaries is > > blocked. > > > + > > > +This is what devices seem to assume. > > > + > > > +However this is not what the implementation does: it simply ignores > > > +the boundaries unless there's an "accepts" callback. > > > + > > > +Naturally, this breaks a bunch of devices. > > > + > > > +Revert to the documented behaviour. > > > + > > > +Devices that want to allow any access can just drop the valid field, > > > +or add the impl field to have accesses converted to appropriate > > > +length. > > > + > > > +Cc: qemu-stable@nongnu.org > > > +Reviewed-by: Richard Henderson <rth@twiddle.net> > > > +Fixes: CVE-2020-13754 > > > +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363 > > > +Fixes: a014ed07bd5a ("memory: accept mismatching sizes in > > > +memory_region_access_valid") > > > +Signed-off-by: Michael S. 
Tsirkin <mst@redhat.com> > > > +Message-Id: <20200610134731.1514409-1-mst@redhat.com> > > > +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> > > > + > > > +https://git.qemu.org/?p=qemu.git;a=patch;h=5d971f9e672507210e77d020d8 > > > +9e0e89165c8fc9 > > > +CVE: CVE-2020-13754 > > > +Upstream-Status: Backport > > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > > > +--- > > > + memory.c | 29 +++++++++-------------------- > > > + 1 file changed, 9 insertions(+), 20 deletions(-) > > > + > > > +diff --git a/memory.c b/memory.c > > > +index 2f15a4b..9200b20 100644 > > > +--- a/memory.c > > > ++++ b/memory.c > > > +@@ -1352,35 +1352,24 @@ bool memory_region_access_valid(MemoryRegion > > *mr, > > > + bool is_write, > > > + MemTxAttrs attrs) { > > > +- int access_size_min, access_size_max; > > > +- int access_size, i; > > > +- > > > +- if (!mr->ops->valid.unaligned && (addr & (size - 1))) { > > > ++ if (mr->ops->valid.accepts > > > ++ && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, > > > ++ attrs)) { > > > + return false; > > > + } > > > + > > > +- if (!mr->ops->valid.accepts) { > > > +- return true; > > > +- } > > > +- > > > +- access_size_min = mr->ops->valid.min_access_size; > > > +- if (!mr->ops->valid.min_access_size) { > > > +- access_size_min = 1; > > > ++ if (!mr->ops->valid.unaligned && (addr & (size - 1))) { > > > ++ return false; > > > + } > > > + > > > +- access_size_max = mr->ops->valid.max_access_size; > > > ++ /* Treat zero as compatibility all valid */ > > > + if (!mr->ops->valid.max_access_size) { > > > +- access_size_max = 4; > > > ++ return true; > > > + } > > > + > > > +- access_size = MAX(MIN(size, access_size_max), access_size_min); > > > +- for (i = 0; i < size; i += access_size) { > > > +- if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size, > > > +- is_write, attrs)) { > > > +- return false; > > > +- } > > > ++ if (size > mr->ops->valid.max_access_size > > > ++ || size < mr->ops->valid.min_access_size) { > > > ++ 
return false; > > > + } > > > +- > > > + return true; > > > + } > > > + > > > +-- > > > +1.8.3.1 > > > + > > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch > > > b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch > > > new file mode 100644 > > > index 0000000000..7354edc54d > > > --- /dev/null > > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch 
> > > @@ -0,0 +1,69 @@ > > > +From dba04c3488c4699f5afe96f66e448b1d447cf3fb Mon Sep 17 00:00:00 > > > +2001 > > > +From: Michael Tokarev <mjt@tls.msk.ru> > > > +Date: Mon, 20 Jul 2020 19:06:27 +0300 > > > +Subject: [PATCH] acpi: accept byte and word access to core ACPI > > > +registers > > > + > > > +All ISA registers should be accessible as bytes, words or dwords (if > > > +wide enough). Fix the access constraints for acpi-pm-evt, > > > +acpi-pm-tmr & acpi-cnt registers. > > > + > > > +Fixes: 5d971f9e67 (memory: Revert "memory: accept mismatching sizes > > > +in memory_region_access_valid") > > > +Fixes: afafe4bbe0 (apci: switch cnt to memory api) > > > +Fixes: 77d58b1e47 (apci: switch timer to memory api) > > > +Fixes: b5a7c024d2 (apci: switch evt to memory api) > > > +Buglink: > > > +https://lore.kernel.org/xen-devel/20200630170913.123646-1-anthony.per > > > +ard@citrix.com/T/ > > > +Buglink: https://bugs.debian.org/964793 > > > +BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247 > > > +BugLink: https://bugs.launchpad.net/bugs/1886318 > > > +Reported-By: Simon John <git@the-jedi.co.uk> > > > +Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> > > > +Message-Id: <20200720160627.15491-1-mjt@msgid.tls.msk.ru> > > > +Cc: qemu-stable@nongnu.org > > > +Reviewed-by: Michael S. Tsirkin <mst@redhat.com> > > > +Signed-off-by: Michael S. 
Tsirkin <mst@redhat.com> > > > + > > > +https://git.qemu.org/?p=qemu.git;a=patch;h=dba04c3488c4699f5afe96f66e > > > +448b1d447cf3fb > > > +CVE: CVE-2020-13754 > > > +Upstream-Status: Backport > > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > > > +--- > > > + hw/acpi/core.c | 9 ++++++--- > > > + 1 file changed, 6 insertions(+), 3 deletions(-) > > > + > > > +diff --git a/hw/acpi/core.c b/hw/acpi/core.c index f6d9ec4..ac06db3 > > > +100644 > > > +--- a/hw/acpi/core.c > > > ++++ b/hw/acpi/core.c > > > +@@ -458,7 +458,8 @@ static void acpi_pm_evt_write(void *opaque, > > > +hwaddr addr, uint64_t val, static const MemoryRegionOps acpi_pm_evt_ops = { > > > + .read = acpi_pm_evt_read, > > > + .write = acpi_pm_evt_write, > > > +- .valid.min_access_size = 2, > > > ++ .impl.min_access_size = 2, > > > ++ .valid.min_access_size = 1, > > > + .valid.max_access_size = 2, > > > + .endianness = DEVICE_LITTLE_ENDIAN, }; @@ -527,7 +528,8 @@ > > > +static void acpi_pm_tmr_write(void *opaque, hwaddr addr, uint64_t > > > +val, static const MemoryRegionOps acpi_pm_tmr_ops = { > > > + .read = acpi_pm_tmr_read, > > > + .write = acpi_pm_tmr_write, > > > +- .valid.min_access_size = 4, > > > ++ .impl.min_access_size = 4, > > > ++ .valid.min_access_size = 1, > > > + .valid.max_access_size = 4, > > > + .endianness = DEVICE_LITTLE_ENDIAN, }; @@ -599,7 +601,8 @@ > > > +static void acpi_pm_cnt_write(void *opaque, hwaddr addr, uint64_t > > > +val, static const MemoryRegionOps acpi_pm_cnt_ops = { > > > + .read = acpi_pm_cnt_read, > > > + .write = acpi_pm_cnt_write, > > > +- .valid.min_access_size = 2, > > > ++ .impl.min_access_size = 2, > > > ++ .valid.min_access_size = 1, > > > + .valid.max_access_size = 2, > > > + .endianness = DEVICE_LITTLE_ENDIAN, }; > > > +-- > > > +1.8.3.1 > > > + > > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch > > > b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch > > > new file mode 100644 > > > index 0000000000..2a8781050f 
> > > --- /dev/null > > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch 
> > > @@ -0,0 +1,65 @@ > > > +From 8e67fda2dd6202ccec093fda561107ba14830a17 Mon Sep 17 00:00:00 > > > +2001 > > > +From: Laurent Vivier <lvivier@redhat.com> > > > +Date: Tue, 21 Jul 2020 10:33:22 +0200 > > > +Subject: [PATCH] xhci: fix valid.max_access_size to access address > > > +registers > > > +MIME-Version: 1.0 > > > +Content-Type: text/plain; charset=utf8 > > > +Content-Transfer-Encoding: 8bit > > > + > > > +QEMU XHCI advertises AC64 (64-bit addressing) but doesn't allow > > > +64-bit mode access in "runtime" and "operational" MemoryRegionOps. > > > + > > > +Set the max_access_size based on sizeof(dma_addr_t) as AC64 is set. > > > + > > > +XHCI specs: > > > +"If the xHC supports 64-bit addressing (AC64 = â1â), then software > > > +should write 64-bit registers using only Qword accesses. If a system > > > +is incapable of issuing Qword accesses, then writes to the 64-bit > > > +address fields shall be performed using 2 Dword accesses; low > > > +Dword-first, high-Dword second. If the xHC supports 32-bit > > > +addressing (AC64 = â0â), then the high Dword of registers containing > > > +64-bit address fields are unused and software should write addresses > > > +using only Dword accesses" > > > + > > > +The problem has been detected with SLOF, as linux kernel always > > > +accesses registers using 32-bit access even if AC64 is set and > > > +revealed by > > > +5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in > > > +memory_region_access_valid"") > > > + > > > +Suggested-by: Alexey Kardashevskiy <aik@au1.ibm.com> > > > +Signed-off-by: Laurent Vivier <lvivier@redhat.com> > > > +Message-id: 20200721083322.90651-1-lvivier@redhat.com > > > +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > > > + > > > +https://git.qemu.org/?p=qemu.git;a=patch;h=8e67fda2dd6202ccec093fda56 > > > +1107ba14830a17 > > > +CVE: CVE-2020-13754 > > > +Upstream-Status: Backport > > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > > > +--- > > > + hw/usb/hcd-xhci.c | 
4 ++-- > > > + 1 file changed, 2 insertions(+), 2 deletions(-) > > > + > > > +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c index > > > +b330e36..67a18fe 100644 > > > +--- a/hw/usb/hcd-xhci.c > > > ++++ b/hw/usb/hcd-xhci.c > > > +@@ -3184,7 +3184,7 @@ static const MemoryRegionOps xhci_oper_ops = { > > > + .read = xhci_oper_read, > > > + .write = xhci_oper_write, > > > + .valid.min_access_size = 4, > > > +- .valid.max_access_size = 4, > > > ++ .valid.max_access_size = sizeof(dma_addr_t), > > > + .endianness = DEVICE_LITTLE_ENDIAN, }; > > > + > > > +@@ -3200,7 +3200,7 @@ static const MemoryRegionOps xhci_runtime_ops = { > > > + .read = xhci_runtime_read, > > > + .write = xhci_runtime_write, > > > + .valid.min_access_size = 4, > > > +- .valid.max_access_size = 4, > > > ++ .valid.max_access_size = sizeof(dma_addr_t), > > > + .endianness = DEVICE_LITTLE_ENDIAN, }; > > > + > > > +-- > > > +1.8.3.1 > > > + > > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch > > > b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch > > > new file mode 100644 > > > index 0000000000..6bad07d03f > > > --- /dev/null > > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch 
> > > @@ -0,0 +1,39 @@ > > > +From 70b78d4e71494c90d2ccb40381336bc9b9a22f79 Mon Sep 17 00:00:00 > > > +2001 > > > +From: Alistair Francis <alistair.francis@wdc.com> > > > +Date: Tue, 30 Jun 2020 13:12:11 -0700 > > > +Subject: [PATCH] hw/riscv: Allow 64 bit access to SiFive CLINT > > > + > > > +Commit 5d971f9e672507210e77d020d89e0e89165c8fc9 > > > +"memory: Revert "memory: accept mismatching sizes in > > > +memory_region_access_valid"" broke most RISC-V boards as they do 64 > > > +bit accesses to the CLINT and QEMU would trigger a fault. Fix this > > > +failure by allowing 8 byte accesses. > > > + > > > +Signed-off-by: Alistair Francis <alistair.francis@wdc.com> > > > +Reviewed-by: LIU Zhiwei<zhiwei_liu@c-sky.com> > > > +Message-Id: > > > +<122b78825b077e4dfd39b444d3a46fe894a7804c.1593547870.git.alistair.fra > > > +ncis@wdc.com> > > > + > > > +https://git.qemu.org/?p=qemu.git;a=patch;h=70b78d4e71494c90d2ccb40381 > > > +336bc9b9a22f79 > > > +CVE: CVE-2020-13754 > > > +Upstream-Status: Backport > > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > > > +--- > > > + hw/riscv/sifive_clint.c | 2 +- > > > + 1 file changed, 1 insertion(+), 1 deletion(-) > > > + > > > +diff --git a/hw/riscv/sifive_clint.c b/hw/riscv/sifive_clint.c index > > > +b11ffa0..669c21a 100644 > > > +--- a/hw/riscv/sifive_clint.c > > > ++++ b/hw/riscv/sifive_clint.c > > > +@@ -181,7 +181,7 @@ static const MemoryRegionOps sifive_clint_ops = { > > > + .endianness = DEVICE_LITTLE_ENDIAN, > > > + .valid = { > > > + .min_access_size = 4, > > > +- .max_access_size = 4 > > > ++ .max_access_size = 8 > > > + } > > > + }; > > > + > > > +-- > > > +1.8.3.1 > > > + > > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch > > > b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch > > > new file mode 100644 > > > index 0000000000..cdd9c38db9 > > > --- /dev/null > > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch 
> > > @@ -0,0 +1,67 @@ > > > +From a114d6baedf2cccb454a46d36e399fec1bc3e1c0 Mon Sep 17 00:00:00 > > > +2001 > > > +From: Gerd Hoffmann <kraxel@redhat.com> > > > +Date: Wed, 18 Aug 2021 14:05:05 +0200 > > > +Subject: [PATCH] uas: add stream number sanity checks. > > > +MIME-Version: 1.0 > > > +Content-Type: text/plain; charset=UTF-8 > > > +Content-Transfer-Encoding: 8bit > > > + > > > +MIME-Version: 1.0 > > > +Content-Type: text/plain; charset=UTF-8 > > > +Content-Transfer-Encoding: 8bit > > > + > > > +The device uses the guest-supplied stream number unchecked, which can > > > +lead to guest-triggered out-of-band access to the UASDevice->data3 > > > +and > > > +UASDevice->status3 fields. Add the missing checks. > > > + > > > +Fixes: CVE-2021-3713 > > > +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > > > +Reported-by: Chen Zhe <chenzhe@huawei.com> > > > +Reported-by: Tan Jingguo <tanjingguo@huawei.com> > > > +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> > > > +Message-Id: <20210818120505.1258262-2-kraxel@redhat.com> > > > + > > > +https://gitlab.com/qemu-project/qemu/-/commit/13b250b12ad3c59114a6a17 > > > +d59caf073ce45b33a > > > +CVE: CVE-2021-3713 > > > +Upstream-Status: Backport > > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > > > +--- > > > + hw/usb/dev-uas.c | 11 +++++++++++ > > > + 1 file changed, 11 insertions(+) > > > + > > > +diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c index > > > +6d6d1073..0b8cd4dd 100644 > > > +--- a/hw/usb/dev-uas.c > > > ++++ b/hw/usb/dev-uas.c > > > +@@ -830,6 +830,9 @@ static void usb_uas_handle_data(USBDevice *dev, > > USBPacket *p) > > > + } > > > + break; > > > + case UAS_PIPE_ID_STATUS: > > > ++ if (p->stream > UAS_MAX_STREAMS) { > > > ++ goto err_stream; > > > ++ } > > > + if (p->stream) { > > > + QTAILQ_FOREACH(st, &uas->results, next) { > > > + if (st->stream == p->stream) { 
@@ -857,6 +860,9 @@ > > > +static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) > > > + break; > > > + case UAS_PIPE_ID_DATA_IN: > > > + case UAS_PIPE_ID_DATA_OUT: > > > ++ if (p->stream > UAS_MAX_STREAMS) { > > > ++ goto err_stream; > > > ++ } > > > + if (p->stream) { > > > + req = usb_uas_find_request(uas, p->stream); > > > + } else { > > > +@@ -892,6 +898,11 @@ static void usb_uas_handle_data(USBDevice *dev, > > USBPacket *p) > > > + p->status = USB_RET_STALL; > > > + break; > > > + } > > > ++ > > > ++err_stream: > > > ++ error_report("%s: invalid stream %d", __func__, p->stream); > > > ++ p->status = USB_RET_STALL; > > > ++ return; > > > + } > > > + > > > + static void usb_uas_unrealize(USBDevice *dev, Error **errp) > > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch > > > b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch > > > new file mode 100644 > > > index 0000000000..b291ade4e3 > > > --- /dev/null > > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch 
> > > @@ -0,0 +1,124 @@ > > > +From bedd7e93d01961fcb16a97ae45d93acf357e11f6 Mon Sep 17 00:00:00 > > > +2001 > > > +From: Jason Wang <jasowang@redhat.com> > > > +Date: Thu, 2 Sep 2021 13:44:12 +0800 > > > +Subject: [PATCH] virtio-net: fix use after unmap/free for sg > > > + > > > +When mergeable buffer is enabled, we try to set the num_buffers after > > > +the virtqueue elem has been unmapped. This will lead several issues, > > > +E.g a use after free when the descriptor has an address which belongs > > > +to the non direct access region. In this case we use bounce buffer > > > +that is allocated during address_space_map() and freed during > > > +address_space_unmap(). > > > + > > > +Fixing this by storing the elems temporarily in an array and delay > > > +the unmap after we set the the num_buffers. > > > + > > > +This addresses CVE-2021-3748. > > > + > > > +Reported-by: Alexander Bulekov <alxndr@bu.edu> > > > +Fixes: fbe78f4f55c6 ("virtio-net support") > > > +Cc: qemu-stable@nongnu.org > > > +Signed-off-by: Jason Wang <jasowang@redhat.com> > > > + > > > +https://github.com/qemu/qemu/commit/bedd7e93d01961fcb16a97ae45d93acf3 > > > +57e11f6 > > > +CVE: CVE-2021-3748 > > > +Upstream-Status: Backport > > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > > > +--- > > > + hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++------- > > > + 1 file changed, 32 insertions(+), 7 deletions(-) > > > + > > > +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c index > > > +16d20cdee52a..f205331dcf8c 100644 > > > +--- a/hw/net/virtio-net.c > > > ++++ b/hw/net/virtio-net.c > > > +@@ -1746,10 +1746,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState > > *nc, const uint8_t *buf, > > > + VirtIONet *n = qemu_get_nic_opaque(nc); > > > + VirtIONetQueue *q = virtio_net_get_subqueue(nc); > > > + VirtIODevice *vdev = VIRTIO_DEVICE(n); > > > ++ VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE]; > > > ++ size_t lens[VIRTQUEUE_MAX_SIZE]; > > > + struct iovec 
mhdr_sg[VIRTQUEUE_MAX_SIZE]; > > > + struct virtio_net_hdr_mrg_rxbuf mhdr; > > > + unsigned mhdr_cnt = 0; > > > +- size_t offset, i, guest_offset; > > > ++ size_t offset, i, guest_offset, j; > > > ++ ssize_t err; > > > + > > > + if (!virtio_net_can_receive(nc)) { > > > + return -1; > > > +@@ -1780,6 +1783,12 @@ static ssize_t > > > +virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, > > > + > > > + total = 0; > > > + > > > ++ if (i == VIRTQUEUE_MAX_SIZE) { > > > ++ virtio_error(vdev, "virtio-net unexpected long buffer chain"); > > > ++ err = size; > > > ++ goto err; > > > ++ } > > > ++ > > > + elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement)); > > > + if (!elem) { > > > + if (i) { > > > +@@ -1791,7 +1800,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, > > const uint8_t *buf, > > > + n->guest_hdr_len, n->host_hdr_len, > > > + vdev->guest_features); > > > + } > > > +- return -1; > > > ++ err = -1; > > > ++ goto err; > > > + } > > > + > > > + if (elem->in_num < 1) { > > > +@@ -1799,7 +1809,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, > > const uint8_t *buf, > > > + "virtio-net receive queue contains no in buffers"); > > > + virtqueue_detach_element(q->rx_vq, elem, 0); > > > + g_free(elem); > > > +- return -1; > > > ++ err = -1; > > > ++ goto err; > > > + } > > > + > > > + sg = elem->in_sg; > > > +@@ -1836,12 +1847,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState > > *nc, const uint8_t *buf, > > > + if (!n->mergeable_rx_bufs && offset < size) { > > > + virtqueue_unpop(q->rx_vq, elem, total); > > > + g_free(elem); > > > +- return size; > > > ++ err = size; > > > ++ goto err; > > > + } > > > + > > > +- /* signal other side */ > > > +- virtqueue_fill(q->rx_vq, elem, total, i++); > > > +- g_free(elem); > > > ++ elems[i] = elem; > > > ++ lens[i] = total; > > > ++ i++; > > > + } > > > + > > > + if (mhdr_cnt) { > > > +@@ -1851,10 +1863,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState > > *nc, const 
uint8_t *buf, > > > + &mhdr.num_buffers, sizeof mhdr.num_buffers); > > > + } > > > + > > > ++ for (j = 0; j < i; j++) { > > > ++ /* signal other side */ > > > ++ virtqueue_fill(q->rx_vq, elems[j], lens[j], j); > > > ++ g_free(elems[j]); > > > ++ } > > > ++ > > > + virtqueue_flush(q->rx_vq, i); > > > + virtio_notify(vdev, q->rx_vq); > > > + > > > + return size; > > > ++ > > > ++err: > > > ++ for (j = 0; j < i; j++) { > > > ++ g_free(elems[j]); > > > ++ } > > > ++ > > > ++ return err; > > > + } > > > + > > > + static ssize_t virtio_net_do_receive(NetClientState *nc, const > > > + uint8_t *buf, > > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch > > > b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch > > > new file mode 100644 > > > index 0000000000..b1b5558647 > > > --- /dev/null > > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch 
> > > @@ -0,0 +1,53 @@ > > > +From b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 Mon Sep 17 00:00:00 > > > +2001 > > > +From: Mauro Matteo Cascella <mcascell@redhat.com> > > > +Date: Thu, 4 Nov 2021 17:31:38 +0100 > > > +Subject: [PATCH] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in > > > +MODE SELECT commands > > > + > > > +This avoids an off-by-one read of 'mode_sense_valid' buffer in > > > +hw/scsi/scsi-disk.c:mode_sense_page(). > > > + > > > +Fixes: CVE-2021-3930 > > > +Cc: qemu-stable@nongnu.org > > > +Reported-by: Alexander Bulekov <alxndr@bu.edu> > > > +Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table") > > > +Fixes: #546 > > > +Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com> > > > +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> > > > +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> > > > + > > > +https://gitlab.com/qemu-project/qemu/-/commit/b3af7fdf9cc537f8f0dd3e2 > > > +423d83f5c99a457e8 > > > +CVE: CVE-2021-3930 > > > +Upstream-Status: Backport > > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > > > +--- > > > + hw/scsi/scsi-disk.c | 6 ++++++ > > > + 1 file changed, 6 insertions(+) > > > + > > > +diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c index > > > +e8a547dbb7..d4914178ea 100644 > > > +--- a/hw/scsi/scsi-disk.c > > > ++++ b/hw/scsi/scsi-disk.c > > > +@@ -1087,6 +1087,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, > > uint8_t **p_outbuf, > > > + uint8_t *p = *p_outbuf + 2; > > > + int length; > > > + > > > ++ assert(page < ARRAY_SIZE(mode_sense_valid)); > > > + if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) { > > > + return -1; > > > + } > > > +@@ -1428,6 +1429,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState > > *s, int page, > > > + return -1; > > > + } > > > + > > > ++ /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */ > > > ++ if (page == MODE_PAGE_ALLS) { > > > ++ return -1; > > > ++ } > > > ++ > > > + p = mode_current; > > > + memset(mode_current, 0, 
inlen + 2); > > > + len = mode_sense_page(s, page, &p, 0); > > > +-- > > > +GitLab > > > + > > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch > > > b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch > > > new file mode 100644 > > > index 0000000000..80ad49e4ed > > > --- /dev/null > > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch 
> > > @@ -0,0 +1,89 @@ > > > +From fa892e9abb728e76afcf27323ab29c57fb0fe7aa Mon Sep 17 00:00:00 > > > +2001 > > > +From: Mauro Matteo Cascella <mcascell@redhat.com> > > > +Date: Thu, 7 Apr 2022 10:17:12 +0200 > > > +Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc > > > + (CVE-2021-4206) > > > +MIME-Version: 1.0 > > > +Content-Type: text/plain; charset=UTF-8 > > > +Content-Transfer-Encoding: 8bit > > > + > > > +Prevent potential integer overflow by limiting 'width' and 'height' > > > +to 512x512. Also change 'datasize' type to size_t. Refer to security > > > +advisory https://starlabs.sg/advisories/22-4206/ for more information. > > > + > > > +Fixes: CVE-2021-4206 > > > +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> > > > +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> > > > +Message-Id: <20220407081712.345609-1-mcascell@redhat.com> > > > +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > > > + > > > +https://gitlab.com/qemu-project/qemu/-/commit/fa892e9a > > > +CVE: CVE-2021-4206 > > > +Upstream-Status: Backport > > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > > > +--- > > > + hw/display/qxl-render.c | 7 +++++++ > > > + hw/display/vmware_vga.c | 2 ++ > > > + ui/cursor.c | 8 +++++++- > > > + 3 files changed, 16 insertions(+), 1 deletion(-) > > > + > > > +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c index > > > +237ed293ba..ca217004bf 100644 > > > +--- a/hw/display/qxl-render.c > > > ++++ b/hw/display/qxl-render.c > > > +@@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, > > QXLCursor *cursor, > > > + size_t size; > > > + > > > + c = cursor_alloc(cursor->header.width, cursor->header.height); > > > ++ > > > ++ if (!c) { > > > ++ qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__, > > > ++ cursor->header.width, cursor->header.height); > > > ++ goto fail; > > > ++ } > > > ++ > > > + c->hot_x = cursor->header.hot_spot_x; > > > + c->hot_y = 
cursor->header.hot_spot_y; > > > + switch (cursor->header.type) { > > > +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c index > > > +98c83474ad..45d06cbe25 100644 > > > +--- a/hw/display/vmware_vga.c > > > ++++ b/hw/display/vmware_vga.c > > > +@@ -515,6 +515,8 @@ static inline void vmsvga_cursor_define(struct > > vmsvga_state_s *s, > > > + int i, pixels; > > > + > > > + qc = cursor_alloc(c->width, c->height); > > > ++ assert(qc != NULL); > > > ++ > > > + qc->hot_x = c->hot_x; > > > + qc->hot_y = c->hot_y; > > > + switch (c->bpp) { > > > +diff --git a/ui/cursor.c b/ui/cursor.c index 1d62ddd4d0..835f0802f9 > > > +100644 > > > +--- a/ui/cursor.c > > > ++++ b/ui/cursor.c > > > +@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char > > > +*xpm[]) > > > + > > > + /* parse pixel data */ > > > + c = cursor_alloc(width, height); > > > ++ assert(c != NULL); > > > ++ > > > + for (pixel = 0, y = 0; y < height; y++, line++) { > > > + for (x = 0; x < height; x++, pixel++) { > > > + idx = xpm[line][x]; > > > +@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void) > > > +QEMUCursor *cursor_alloc(int width, int height) { > > > + QEMUCursor *c; > > > +- int datasize = width * height * sizeof(uint32_t); > > > ++ size_t datasize = width * height * sizeof(uint32_t); > > > ++ > > > ++ if (width > 512 || height > 512) { > > > ++ return NULL; > > > ++ } > > > + > > > + c = g_malloc0(sizeof(QEMUCursor) + datasize); > > > + c->width = width; > > > +-- > > > +GitLab > > > + > > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch > > > b/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch > > > new file mode 100644 > > > index 0000000000..8418246247 > > > --- /dev/null > > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch 
> > > @@ -0,0 +1,43 @@ > > > +From 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895 Mon Sep 17 00:00:00 > > > +2001 > > > +From: Mauro Matteo Cascella <mcascell@redhat.com> > > > +Date: Thu, 7 Apr 2022 10:11:06 +0200 > > > +Subject: [PATCH] display/qxl-render: fix race condition in qxl_cursor > > > + (CVE-2021-4207) > > > +MIME-Version: 1.0 > > > +Content-Type: text/plain; charset=UTF-8 > > > +Content-Transfer-Encoding: 8bit > > > + > > > +Avoid fetching 'width' and 'height' a second time to prevent possible > > > +race condition. Refer to security advisory > > > +https://starlabs.sg/advisories/22-4207/ for more information. > > > + > > > +Fixes: CVE-2021-4207 > > > +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> > > > +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> > > > +Message-Id: <20220407081106.343235-1-mcascell@redhat.com> > > > +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > > > + > > > +https://gitlab.com/qemu-project/qemu/-/commit/9569f5cb > > > +CVE: CVE-2021-4207 > > > +Upstream-Status: Backport > > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > > > +--- > > > + hw/display/qxl-render.c | 2 +- > > > + 1 file changed, 1 insertion(+), 1 deletion(-) > > > + > > > +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c index > > > +d28849b121..237ed293ba 100644 > > > +--- a/hw/display/qxl-render.c > > > ++++ b/hw/display/qxl-render.c > > > +@@ -266,7 +266,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, > > QXLCursor *cursor, > > > + } > > > + break; > > > + case SPICE_CURSOR_TYPE_ALPHA: > > > +- size = sizeof(uint32_t) * cursor->header.width * cursor->header.height; > > > ++ size = sizeof(uint32_t) * c->width * c->height; > > > + qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id); > > > + if (qxl->debug > 2) { > > > + cursor_print_ascii_art(c, "qxl/alpha"); > > > +-- > > > +GitLab > > > + 
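Review bot: ordering matters between these two backports: the index lines show this hunk takes hw/display/qxl-render.c from d28849b121 to 237ed293ba, and CVE-2021-4206.patch starts from 237ed293ba, so CVE-2021-4207.patch must be listed before CVE-2021-4206.patch in the qemu.inc SRC_URI (that hunk is not in this excerpt). The fix itself is right: reading c->width and c->height, which were captured once at cursor_alloc() time, removes the second fetch of the guest-writable header fields that the race relied on, and after 4206's early 'goto fail' on a NULL c it is also safe to dereference here.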
> > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch > > > b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch > > > new file mode 100644 > > > index 0000000000..6a7ce0e26c > > > --- /dev/null > > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch 
> > > @@ -0,0 +1,42 @@ > > > +From 6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8 Mon Sep 17 00:00:00 > > > +2001 > > > +From: Mauro Matteo Cascella <mcascell@redhat.com> > > > +Date: Tue, 5 Jul 2022 22:05:43 +0200 > > > +Subject: [PATCH] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout > > > + (CVE-2022-0216) > > > + > > > +Set current_req->req to NULL to prevent reusing a free'd buffer in > > > +case of repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the > > patch. > > > + > > > +Fixes: CVE-2022-0216 > > > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972 > > > +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> > > > +Reviewed-by: Thomas Huth <thuth@redhat.com> > > > +Message-Id: <20220705200543.2366809-1-mcascell@redhat.com> > > > +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> > > > + > > > +https://gitlab.com/qemu-project/qemu/-/commit/6c8fa961da5e60f574bb52f > > > +d3ad44b1e9e8ad4b8 > > > +CVE: CVE-2022-0216 > > > +Upstream-Status: Backport > > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > > > +--- > > > + hw/scsi/lsi53c895a.c | 3 ++- > > > + 1 file changed, 2 insertions(+), 1 deletion(-) > > > + > > > +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c index > > > +c8773f73f7..99ea42d49b 100644 > > > +--- a/hw/scsi/lsi53c895a.c > > > ++++ b/hw/scsi/lsi53c895a.c > > > +@@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s) > > > + case 0x0d: > > > + /* The ABORT TAG message clears the current I/O process only. */ > > > + trace_lsi_do_msgout_abort(current_tag); > > > +- if (current_req) { > > > ++ if (current_req && current_req->req) { > > > + scsi_req_cancel(current_req->req); > > > ++ current_req->req = NULL; > > > + } > > > + lsi_disconnect(s); > > > + break; > > > +-- > > > +GitLab > > > + > > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch > > > b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch > > > new file mode 100644 > > > index 0000000000..137906cd30 
> > > --- /dev/null > > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch 
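Review bot: the 'current_req->req = NULL;' line added in the @@ -1028 hunk of CVE-2022-0216-1.patch is reverted by CVE-2022-0216-2.patch (its pre-image blob 99ea42d49b is this patch's post-image), because clearing the req field leaves an lsi_request on the queue that other users of ->req do not NULL-check. Since both patches are carried, they have to apply in that order; alternatively squash them into one patch carrying upstream's final state so the tree never sits on a known-incomplete fix, and note in the header that the qtest part was dropped as the cover letter says.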
> > > @@ -0,0 +1,52 @@ > > > +From 4367a20cc442c56b05611b4224de9a61908f9eac Mon Sep 17 00:00:00 > > > +2001 > > > +From: Mauro Matteo Cascella <mcascell@redhat.com> > > > +Date: Mon, 11 Jul 2022 14:33:16 +0200 > > > +Subject: [PATCH] scsi/lsi53c895a: really fix use-after-free in > > > +lsi_do_msgout > > > + (CVE-2022-0216) > > > + > > > +Set current_req to NULL, not current_req->req, to prevent reusing a > > > +free'd buffer in case of repeated SCSI cancel requests. Also apply > > > +the fix to CLEAR QUEUE and BUS DEVICE RESET messages as well, since > > > +they also cancel the request. > > > + > > > +Thanks to Alexander Bulekov for providing a reproducer. > > > + > > > +Fixes: CVE-2022-0216 > > > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972 > > > +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> > > > +Tested-by: Alexander Bulekov <alxndr@bu.edu> > > > +Message-Id: <20220711123316.421279-1-mcascell@redhat.com> > > > +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> > > > + > > > +https://gitlab.com/qemu-project/qemu/-/commit/4367a20cc4 > > > +CVE: CVE-2022-0216 > > > +Upstream-Status: Backport > > > +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> > > > +--- > > > + hw/scsi/lsi53c895a.c | 3 +- > > > + 1 files changed, 2 insertions(+), 1 deletion(-) > > > + > > > +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c index > > > +99ea42d49b..ad5f5e5f39 100644 > > > +--- a/hw/scsi/lsi53c895a.c > > > ++++ b/hw/scsi/lsi53c895a.c > > > +@@ -1030,7 +1030,7 @@ static void lsi_do_msgout(LSIState *s) > > > + trace_lsi_do_msgout_abort(current_tag); > > > + if (current_req && current_req->req) { > > > + scsi_req_cancel(current_req->req); > > > +- current_req->req = NULL; > > > ++ current_req = NULL; > > > + } > > > + lsi_disconnect(s); > > > + break; > > > +@@ -1056,6 +1056,7 @@ static void lsi_do_msgout(LSIState *s) > > > + /* clear the current I/O process */ > > > + if (s->current) { > > > + scsi_req_cancel(s->current->req); > > > ++ 
current_req = NULL; > > > + } > > > + > > > + /* As the current implemented devices scsi_disk and > > > +scsi_generic > > > +-- > > > +GitLab > > > + > > > -- > > > 2.36.1 > > > > > > > > > > > >
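Review bot: in the second hunk (@@ -1056,6 +1056,7) the CLEAR QUEUE / BUS DEVICE RESET path cancels 's->current->req' but only clears the local current_req, not s->current; please confirm that the cancel callback run by scsi_req_cancel() is what releases and clears s->current, otherwise a device-level pointer to the freed request remains after this path. Also the diffstat reads '1 files changed', which is not git's wording, so the header was edited by hand; worth re-checking with git apply --check that the two hunks still match upstream 4367a20cc4 exactly.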
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch new file mode 100644 index 0000000000..ee33c5564d --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch 
@@ -0,0 +1,59 @@ +From cf887f1b8e228bff6e19829e6d03995d70ad739d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> +Date: Wed, 18 May 2022 10:23:15 +0300 +Subject: [PATCH] matroskademux: Avoid integer-overflow resulting in heap + corruption in WavPack header handling code + +blocksize + WAVPACK4_HEADER_SIZE might overflow gsize, which then +results in allocating a very small buffer. Into that buffer blocksize +data is memcpy'd later which then causes out of bound writes and can +potentially lead to anything from crashes to remote code execution. + +Thanks to Adam Doupe for analyzing and reporting the issue. + +CVE: CVE-2022-1920 + +https://gstreamer.freedesktop.org/security/sa-2022-0004.html + +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226 + +Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2612> + +https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/0df0dd7fe388174e4835eda4526b47f470a56370 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + .../gst/matroska/matroska-demux.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c +index 64cc6be60be..01d754c3eb9 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -3933,7 +3933,8 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + } else { + guint8 *outdata = NULL; + gsize buf_size, size; +- guint32 block_samples, flags, crc, blocksize; ++ guint32 block_samples, flags, crc; ++ gsize blocksize; + GstAdapter *adapter; + + adapter = gst_adapter_new (); +@@ -3974,6 +3975,13 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + return GST_FLOW_ERROR; + } + ++ if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) { ++ GST_ERROR_OBJECT (element, "Too big wavpack buffer"); ++ gst_buffer_unmap (*buf, &map); ++ g_object_unref (adapter); ++ return 
GST_FLOW_ERROR; ++ } ++ + g_assert (newbuf == NULL); + + newbuf = +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch new file mode 100644 index 0000000000..99dbb2b1b0 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch 
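Review bot: the guard added in the @@ -3974 hunk only stops 'blocksize + WAVPACK4_HEADER_SIZE' from wrapping gsize; with blocksize widened to gsize, if it is still filled from a 32-bit reader (that code is outside this hunk) the condition can never be true on 64-bit hosts and only protects 32-bit targets, which is exactly where G_MAXSIZE is 2^32-1. That is fine for dunfell's 32-bit MACHINEs, but the memcpy of blocksize bytes that the commit message describes still depends on an earlier availability check against the mapped input, so please confirm that check exists in the 1.16.3 version of gst_matroska_demux_add_wvpk_header() when backporting.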
@@ -0,0 +1,69 @@ +From f503caad676971933dc0b52c4b313e5ef0d6dbb0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> +Date: Wed, 18 May 2022 12:00:48 +0300 +Subject: [PATCH] avidemux: Fix integer overflow resulting in heap corruption + in DIB buffer inversion code + +Check that width*bpp/8 doesn't overflow a guint and also that +height*stride fits into the provided buffer without overflowing. + +Thanks to Adam Doupe for analyzing and reporting the issue. + +CVE: CVE-2022-1921 + +See https://gstreamer.freedesktop.org/security/sa-2022-0001.html + +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1224 + +Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2608> + +https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f503caad676971933dc0b52c4b313e5ef0d6dbb0 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + .../gst/avi/gstavidemux.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/gst/avi/gstavidemux.c b/gst/avi/gstavidemux.c +index eafe865494c..0d18a6495c7 100644 +--- a/gst/avi/gstavidemux.c ++++ b/gst/avi/gstavidemux.c +@@ -4973,8 +4973,8 @@ swap_line (guint8 * d1, guint8 * d2, guint8 * tmp, gint bytes) + static GstBuffer * + gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf) + { +- gint y, w, h; +- gint bpp, stride; ++ guint y, w, h; ++ guint bpp, stride; + guint8 *tmp = NULL; + GstMapInfo map; + guint32 fourcc; +@@ -5001,12 +5001,23 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf) + h = stream->strf.vids->height; + w = stream->strf.vids->width; + bpp = stream->strf.vids->bit_cnt ? 
stream->strf.vids->bit_cnt : 8; ++ ++ if ((guint64) w * ((guint64) bpp / 8) > G_MAXUINT - 4) { ++ GST_WARNING ("Width x stride overflows"); ++ return buf; ++ } ++ ++ if (w == 0 || h == 0) { ++ GST_WARNING ("Zero width or height"); ++ return buf; ++ } ++ + stride = GST_ROUND_UP_4 (w * (bpp / 8)); + + buf = gst_buffer_make_writable (buf); + + gst_buffer_map (buf, &map, GST_MAP_READWRITE); +- if (map.size < (stride * h)) { ++ if (map.size < ((guint64) stride * (guint64) h)) { + GST_WARNING ("Buffer is smaller than reported Width x Height x Depth"); + gst_buffer_unmap (buf, &map); + return buf; +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch new file mode 100644 index 0000000000..ebffbc473d --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch 
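Review bot: minor, in the @@ -5001 hunk the overflow guard '(guint64) w * ((guint64) bpp / 8) > G_MAXUINT - 4' correctly mirrors the unchanged 'stride = GST_ROUND_UP_4 (w * (bpp / 8));' line, but the cast on bpp is applied before the division and changes nothing, and bpp / 8 truncates 1- and 4-bit DIBs to a stride of 0 rather than an error. That is pre-existing behaviour, but extending the new 'Zero width or height' early return to 'bpp < 8' would make the unsupported case explicit instead of silently producing a zero stride.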
@@ -0,0 +1,214 @@ +From ad6012159acf18c6b5c0f4edf037e8c9a2dbc966 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> +Date: Wed, 18 May 2022 11:24:37 +0300 +Subject: [PATCH] matroskademux: Fix integer overflows in zlib/bz2/etc + decompression code + +Various variables were of smaller types than needed and there were no +checks for any overflows when doing additions on the sizes. This is all +checked now. + +In addition the size of the decompressed data is limited to 120MB now as +any larger sizes are likely pathological and we can avoid out of memory +situations in many cases like this. + +Also fix a bug where the available output size on the next iteration in +the zlib/bz2 decompression code was provided too large and could +potentially lead to out of bound writes. + +Thanks to Adam Doupe for analyzing and reporting the issue. + +CVE: CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + +https://gstreamer.freedesktop.org/security/sa-2022-0002.html + +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225 + +Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610> + +CVE: CVE-2022-1922 CVE-2022-1923 CVE-2022-1924 CVE-2022-1925 +https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ad6012159acf18c6b5c0f4edf037e8c9a2dbc966 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + .../gst/matroska/matroska-read-common.c | 76 +++++++++++++++---- + 1 file changed, 61 insertions(+), 15 deletions(-) + +diff --git a/gst/matroska/matroska-read-common.c b/gst/matroska/matroska-read-common.c +index eb317644cc5..6fadbba9567 100644 +--- a/gst/matroska/matroska-read-common.c ++++ b/gst/matroska/matroska-read-common.c +@@ -70,6 +70,10 @@ typedef struct + gboolean audio_only; + } TargetTypeContext; + ++/* 120MB as maximum decompressed data size. 
Anything bigger is likely ++ * pathological, and like this we avoid out of memory situations in many cases ++ */ ++#define MAX_DECOMPRESS_SIZE (120 * 1024 * 1024) + + static gboolean + gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, +@@ -77,19 +81,23 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, + GstMatroskaTrackCompressionAlgorithm algo) + { + guint8 *new_data = NULL; +- guint new_size = 0; ++ gsize new_size = 0; + guint8 *data = *data_out; +- guint size = *size_out; ++ const gsize size = *size_out; + gboolean ret = TRUE; + ++ if (size > G_MAXUINT32) { ++ GST_WARNING ("too large compressed data buffer."); ++ ret = FALSE; ++ goto out; ++ } ++ + if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_ZLIB) { + #ifdef HAVE_ZLIB + /* zlib encoded data */ + z_stream zstream; +- guint orig_size; + int result; + +- orig_size = size; + zstream.zalloc = (alloc_func) 0; + zstream.zfree = (free_func) 0; + zstream.opaque = (voidpf) 0; +@@ -99,8 +107,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, + goto out; + } + zstream.next_in = (Bytef *) data; +- zstream.avail_in = orig_size; +- new_size = orig_size; ++ zstream.avail_in = size; ++ new_size = size; + new_data = g_malloc (new_size); + zstream.avail_out = new_size; + zstream.next_out = (Bytef *) new_data; +@@ -114,10 +122,18 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, + break; + } + ++ if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { ++ GST_WARNING ("too big decompressed data"); ++ result = Z_MEM_ERROR; ++ break; ++ } ++ + new_size += 4096; + new_data = g_realloc (new_data, new_size); + zstream.next_out = (Bytef *) (new_data + zstream.total_out); +- zstream.avail_out += 4096; ++ /* avail_out is an unsigned int */ ++ g_assert (new_size - zstream.total_out <= G_MAXUINT); ++ zstream.avail_out = new_size - zstream.total_out; + } while (zstream.avail_in > 0); + + if (result != Z_STREAM_END) { +@@ -137,13 +153,11 @@ 
gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, + #ifdef HAVE_BZ2 + /* bzip2 encoded data */ + bz_stream bzstream; +- guint orig_size; + int result; + + bzstream.bzalloc = NULL; + bzstream.bzfree = NULL; + bzstream.opaque = NULL; +- orig_size = size; + + if (BZ2_bzDecompressInit (&bzstream, 0, 0) != BZ_OK) { + GST_WARNING ("bzip2 initialization failed."); +@@ -152,8 +166,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, + } + + bzstream.next_in = (char *) data; +- bzstream.avail_in = orig_size; +- new_size = orig_size; ++ bzstream.avail_in = size; ++ new_size = size; + new_data = g_malloc (new_size); + bzstream.avail_out = new_size; + bzstream.next_out = (char *) new_data; +@@ -167,17 +181,31 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, + break; + } + ++ if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { ++ GST_WARNING ("too big decompressed data"); ++ result = BZ_MEM_ERROR; ++ break; ++ } ++ + new_size += 4096; + new_data = g_realloc (new_data, new_size); +- bzstream.next_out = (char *) (new_data + bzstream.total_out_lo32); +- bzstream.avail_out += 4096; ++ bzstream.next_out = ++ (char *) (new_data + ((guint64) bzstream.total_out_hi32 << 32) + ++ bzstream.total_out_lo32); ++ /* avail_out is an unsigned int */ ++ g_assert (new_size - ((guint64) bzstream.total_out_hi32 << 32) + ++ bzstream.total_out_lo32 <= G_MAXUINT); ++ bzstream.avail_out = ++ new_size - ((guint64) bzstream.total_out_hi32 << 32) + ++ bzstream.total_out_lo32; + } while (bzstream.avail_in > 0); + + if (result != BZ_STREAM_END) { + ret = FALSE; + g_free (new_data); + } else { +- new_size = bzstream.total_out_lo32; ++ new_size = ++ ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32; + } + BZ2_bzDecompressEnd (&bzstream); + +@@ -189,7 +217,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, + } else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_LZO1X) { + /* lzo encoded data */ + int 
result; +- int orig_size, out_size; ++ gint orig_size, out_size; ++ ++ if (size > G_MAXINT) { ++ GST_WARNING ("too large compressed data buffer."); ++ ret = FALSE; ++ goto out; ++ } + + orig_size = size; + out_size = size; +@@ -203,6 +237,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, + result = lzo1x_decode (new_data, &out_size, data, &orig_size); + + if (orig_size > 0) { ++ if (new_size > G_MAXINT - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { ++ GST_WARNING ("too big decompressed data"); ++ result = LZO_ERROR; ++ break; ++ } + new_size += 4096; + new_data = g_realloc (new_data, new_size); + } +@@ -221,6 +260,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, + } else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_HEADERSTRIP) { + /* header stripped encoded data */ + if (enc->comp_settings_length > 0) { ++ if (size > G_MAXSIZE - enc->comp_settings_length ++ || size + enc->comp_settings_length > MAX_DECOMPRESS_SIZE) { ++ GST_WARNING ("too big decompressed data"); ++ ret = FALSE; ++ goto out; ++ } ++ + new_data = g_malloc (size + enc->comp_settings_length); + new_size = size + enc->comp_settings_length; + +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch new file mode 100644 index 0000000000..f4d38c270e --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch 
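Review bot: in the bzip2 hunk (@@ -167,17 +181,31) the expression 'new_size - ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32' parses as '(new_size - (hi32 << 32)) + lo32', i.e. it adds the low word instead of subtracting the full 64-bit total_out, so both the g_assert and the bzstream.avail_out assignment produce a remaining-space value that is too large by 2 * total_out_lo32 (for hi32 == 0 that is new_size + total_out_lo32 rather than new_size - total_out_lo32). That is the same 'available output size provided too large' class of bug the commit message sets out to fix. Suggest computing 'guint64 total_out = ((guint64) bzstream.total_out_hi32 << 32) | bzstream.total_out_lo32;' once and then using 'g_assert (new_size - total_out <= G_MAXUINT); bzstream.avail_out = new_size - total_out;'; the next_out assignment and the final 'new_size = ((guint64) ... << 32) + ...lo32' line in the same hunk already use the correct grouping, and the zlib hunk above gets it right with 'zstream.avail_out = new_size - zstream.total_out;'.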
@@ -0,0 +1,60 @@ +From 14d306da6da51a762c4dc701d161bb52ab66d774 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> +Date: Mon, 30 May 2022 10:15:37 +0300 +Subject: [PATCH] qtdemux: Fix integer overflows in zlib decompression code + +Various variables were of smaller types than needed and there were no +checks for any overflows when doing additions on the sizes. This is all +checked now. + +In addition the size of the decompressed data is limited to 200MB now as +any larger sizes are likely pathological and we can avoid out of memory +situations in many cases like this. + +Also fix a bug where the available output size on the next iteration in +the zlib decompression code was provided too large and could +potentially lead to out of bound writes. + +Thanks to Adam Doupe for analyzing and reporting the issue. + +CVE: tbd + +https://gstreamer.freedesktop.org/security/sa-2022-0003.html + +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225 + +Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610> + +https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/14d306da6da51a762c4dc701d161bb52ab66d774 +CVE: CVE-2022-2122 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + gst/isomp4/qtdemux.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c +index 7cc346b1e63..97ba0799a8d 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -7905,10 +7905,16 @@ qtdemux_inflate (void *z_buffer, guint z_length, guint * length) + break; + } + ++ if (*length > G_MAXUINT - 4096 || *length > QTDEMUX_MAX_SAMPLE_INDEX_SIZE) { ++ GST_WARNING ("too big decompressed data"); ++ ret = Z_MEM_ERROR; ++ break; ++ } ++ + *length += 4096; + buffer = (guint8 *) g_realloc (buffer, *length); + z.next_out = (Bytef *) (buffer + z.total_out); +- z.avail_out += 4096; ++ z.avail_out += *length - 
z.total_out; + } while (z.avail_in > 0); + + if (ret != Z_STREAM_END) { +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb index 1038cbf224..831a317a82 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb @@ -10,6 +10,10 @@ SRC_URI = " \ file://0001-qt-include-ext-qt-gstqtgl.h-instead-of-gst-gl-gstglf.patch \ file://CVE-2021-3497.patch \ file://CVE-2021-3498.patch \ + file://CVE-2022-1920.patch \ + file://CVE-2022-1921.patch \ + file://CVE-2022-1922-1923-1924-1925.patch \ + file://CVE-2022-2122.patch \ " SRC_URI[md5sum] = "c79b6c2f8eaadb2bb66615b694db399e" diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb index 966a904eef..14793b7fdf 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb @@ -83,5 +83,12 @@ CVE_CHECK_WHITELIST += "CVE-2021-3522" # so we need to ignore the false hits CVE_CHECK_WHITELIST += "CVE-2021-3497" CVE_CHECK_WHITELIST += "CVE-2021-3498" +CVE_CHECK_WHITELIST += "CVE-2022-1920" +CVE_CHECK_WHITELIST += "CVE-2022-1921" +CVE_CHECK_WHITELIST += "CVE-2022-1922" +CVE_CHECK_WHITELIST += "CVE-2022-1923" +CVE_CHECK_WHITELIST += "CVE-2022-1924" +CVE_CHECK_WHITELIST += "CVE-2022-1925" +CVE_CHECK_WHITELIST += "CVE-2022-2122" require gstreamer1.0-ptest.inc
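Review bot: in the qtdemux_inflate hunk (@@ -7905,10 +7905,16) 'z.avail_out += *length - z.total_out;' is only correct when z.avail_out is exactly 0 at that point; that holds for inflate() with Z_NO_FLUSH when avail_in is still non-zero, but it is fragile, and the matroska fix in the same series assigns rather than accumulates ('zstream.avail_out = new_size - zstream.total_out;'), so prefer '=' here too. The new limit also compares *length instead of *length + 4096 against QTDEMUX_MAX_SAMPLE_INDEX_SIZE, so the buffer can end up 4096 bytes over the cap, harmless but inconsistent with the 'new_size + 4096 > MAX_DECOMPRESS_SIZE' form used in matroska-read-common.c. Lastly the patch header still carries a stale 'CVE: tbd' line next to 'CVE: CVE-2022-2122'; it appears harmless to cve-check's CVE: parsing but should be dropped to avoid confusion.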