Accepting request 989442 from home:dfaggioli:old_qemu

- Fix the following bugs:
  - bsc#1198037, CVE-2021-4207
  - bsc#1198038, CVE-2022-0216
  - bsc#1201367, CVE-2022-35414
  - bsc#1198035, CVE-2021-4206
  - bsc#1198712, CVE-2022-26354
  - bsc#1198711, CVE-2022-26353
* Patches added:
  display-qxl-render-fix-race-condition-in.patch
  scsi-lsi53c895a-fix-use-after-free-in-ls.patch
  softmmu-Always-initialize-xlat-in-addres.patch
  ui-cursor-fix-integer-overflow-in-cursor.patch
  vhost-vsock-detach-the-virqueue-element-.patch
  virtio-net-fix-map-leaking-on-error-duri.patch

OBS-URL: https://build.opensuse.org/request/show/989442
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=725
Dario Faggioli 2022-07-15 15:41:11 +00:00 committed by Git OBS Bridge
parent 356a2ed499
commit 6749a6e9ce
10 changed files with 353 additions and 9 deletions

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b2837938571118a36f2134cbc2dab59a161748a2a3ae8decca176b5f35f3dea8
size 139264
oid sha256:caff72ba0d91116cb012ed88bd6f4cce2ee7015889cb1d1502abfdfd8d73dbd7
size 146284
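Review bot: this hunk only swaps the git-lfs pointer (oid and size) of an LFS-tracked file whose name is not shown in this rendering; the object's contents are not reviewable from the diff, so confirm out of band what changed inside it, since the commit message accounts only for the six added patch files and the spec/changes edits, not for a change to a bundled archive.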

@ -0,0 +1,37 @@
From: Mauro Matteo Cascella <mcascell@redhat.com>
Date: Thu, 7 Apr 2022 10:11:06 +0200
Subject: display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895
References: bsc#1198037, CVE-2021-4207
Avoid fetching 'width' and 'height' a second time to prevent possible
race condition. Refer to security advisory
https://starlabs.sg/advisories/22-4207/ for more information.
Fixes: CVE-2021-4207
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220407081106.343235-1-mcascell@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
---
hw/display/qxl-render.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
index d28849b121763600d21962321380..237ed293baaea76e9602e50a97ee 100644
--- a/hw/display/qxl-render.c
+++ b/hw/display/qxl-render.c
@@ -266,7 +266,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
}
break;
case SPICE_CURSOR_TYPE_ALPHA:
- size = sizeof(uint32_t) * cursor->header.width * cursor->header.height;
+ size = sizeof(uint32_t) * c->width * c->height;
qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id);
if (qxl->debug > 2) {
cursor_print_ascii_art(c, "qxl/alpha");
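Review bot: the one-line change is sound on its face: c->width and c->height were copied out of the guest-visible header by cursor_alloc() earlier in this function, so the size handed to qxl_unpack_chunks() now matches the buffer that was actually allocated instead of being recomputed from guest memory that may have changed in between. Worth checking in the same switch that no other cursor type still reads cursor->header.width/height after the allocation, since the same double fetch would apply there. Also note that this patch's post-image blob (index ..237ed293baae...) is the pre-image of the qxl-render.c hunk in the ui/cursor patch added by this same commit, so the two must keep this order in the spec.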

@ -1,7 +1,6 @@
From e4ad2b63e748643e12306d61aea7aaf5a41a0d3c Mon Sep 17 00:00:00 2001
From: Arnout Engelen <arnout@bzzt.net>
Date: Sun, 8 May 2022 17:32:22 +0200
Subject: [PATCH] hw/usb/hcd-ehci: fix writeback order
Subject: hw/usb/hcd-ehci: fix writeback order
Git-commit: f471e8b060798f26a7fc339c6152f82f22a7b33d
References: bsc#1192115
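Review bot: header-only normalisation. The line count going from 7 to 6 is consistent with dropping the `From <sha> Mon Sep 17 00:00:00 2001` line and replacing the `[PATCH]`-prefixed Subject with the plain Subject plus Git-commit/References trailer that the other patch files in this commit use, so the resulting file keeps exactly one Subject line. The rendering has lost the +/- markers, so that is worth eyeballing in the actual file.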
@ -37,14 +36,14 @@ https://github.com/NixOS/nixpkgs/issues/170803
Signed-off-by: Arnout Engelen <arnout@bzzt.net>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit f471e8b060798f26a7fc339c6152f82f22a7b33d)
Signed-off-by: Lin Ma <lma@suse.com>
Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
---
hw/usb/hcd-ehci.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index 6caa7ac6c2..3464b2406e 100644
index 6caa7ac6c28f56416f652b665787..3464b2406e94dcc7272116c7249d 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -2009,7 +2009,10 @@ static int ehci_state_writeback(EHCIQueue *q)
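Review bot: the only change in this region is the embedded `index` line being rewritten from the short to the long abbreviation form (14 lines to 14 lines), matching the other patches here; the `@@ -2009,7 +2009,10 @@` header of the embedded diff is untouched, so the C change in ehci_state_writeback (4 insertions, 1 deletion) is not altered by this commit.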
@ -59,6 +58,3 @@ index 6caa7ac6c2..3464b2406e 100644
ehci_free_packet(p);
/*
--
2.34.1
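Review bot: this hunk drops the `--` / `2.34.1` git format-patch trailer (6 lines to 3), consistent with the other patch files in this commit, none of which carry a trailer. No functional effect.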

@ -1,3 +1,21 @@
-------------------------------------------------------------------
Fri Jul 15 09:08:06 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
- Fix the following bugs:
- bsc#1198037, CVE-2021-4207
- bsc#1198038, CVE-2022-0216
- bsc#1201367, CVE-2022-35414
- bsc#1198035, CVE-2021-4206
- bsc#1198712, CVE-2022-26354
- bsc#1198711, CVE-2022-26353
* Patches added:
display-qxl-render-fix-race-condition-in.patch
scsi-lsi53c895a-fix-use-after-free-in-ls.patch
softmmu-Always-initialize-xlat-in-addres.patch
ui-cursor-fix-integer-overflow-in-cursor.patch
vhost-vsock-detach-the-virqueue-element-.patch
virtio-net-fix-map-leaking-on-error-duri.patch
-------------------------------------------------------------------
Fri Jul 1 11:46:41 UTC 2022 - Lin Ma <lma@suse.com>
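Review bot: the changelog entry matches the spec change: the six names under "Patches added" are exactly the six new Patch00111 to Patch00116 declarations, and each bsc#/CVE pair corresponds to the References: line of one of those files (CVE-2021-4207 display/qxl-render, CVE-2022-0216 scsi/lsi53c895a, CVE-2022-35414 softmmu, CVE-2021-4206 ui/cursor, CVE-2022-26354 vhost-vsock, CVE-2022-26353 virtio-net). The hw-usb-hcd-ehci patch is also touched by this commit, but only its header is rewritten, so leaving it out of the entry is reasonable.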

@ -251,6 +251,12 @@ Patch00107: block-qdict-Fix-Werror-maybe-uninitializ.patch
Patch00108: pci-fix-overflow-in-snprintf-string-form.patch
Patch00109: sphinx-change-default-language-to-en.patch
Patch00110: hw-usb-hcd-ehci-fix-writeback-order.patch
Patch00111: softmmu-Always-initialize-xlat-in-addres.patch
Patch00112: vhost-vsock-detach-the-virqueue-element-.patch
Patch00113: virtio-net-fix-map-leaking-on-error-duri.patch
Patch00114: display-qxl-render-fix-race-condition-in.patch
Patch00115: ui-cursor-fix-integer-overflow-in-cursor.patch
Patch00116: scsi-lsi53c895a-fix-use-after-free-in-ls.patch
# Patches applied in roms/seabios/:
Patch01000: seabios-use-python2-explicitly-as-needed.patch
Patch01001: seabios-switch-to-python3-as-needed.patch
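Review bot: ordering matters for the two new patches that both touch hw/display/qxl-render.c: Patch00114 (display-qxl-render-fix-race-condition-in.patch) produces blob 237ed293baae..., which is the pre-image index of the qxl-render.c hunk in Patch00115 (ui-cursor-fix-integer-overflow-in-cursor.patch), so 00114 must stay numbered, and applied, before 00115 as it is here. Patch00110 (hcd-ehci) is unchanged context in this hunk, which agrees with it having been added in the earlier Jul 1 changes entry.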
@ -1284,6 +1290,12 @@ This package records qemu testsuite results and represents successful testing.
%patch00108 -p1
%patch00109 -p1
%patch00110 -p1
%patch00111 -p1
%patch00112 -p1
%patch00113 -p1
%patch00114 -p1
%patch00115 -p1
%patch00116 -p1
%patch01000 -p1
%patch01001 -p1
%patch01002 -p1
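Review bot: the six added `%patchNNNNN -p1` lines (00111 to 00116) match the six new Patch declarations one-to-one and in the same order, so the qxl-render ordering constraint (00114 before 00115) is honoured at apply time.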

@ -0,0 +1,36 @@
From: Mauro Matteo Cascella <mcascell@redhat.com>
Date: Tue, 5 Jul 2022 22:05:43 +0200
Subject: scsi/lsi53c895a: fix use-after-free in lsi_do_msgout (CVE-2022-0216)
Git-commit: 6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8
References: bsc#1198038, CVE-2022-0216
Set current_req->req to NULL to prevent reusing a free'd buffer in case of
repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch.
Fixes: CVE-2022-0216
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20220705200543.2366809-1-mcascell@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
---
hw/scsi/lsi53c895a.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
index 85e907a7854a8aeaa812978675cd..8033cf05023de397e91a0a121449 100644
--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
@@ -1029,8 +1029,9 @@ static void lsi_do_msgout(LSIState *s)
case 0x0d:
/* The ABORT TAG message clears the current I/O process only. */
trace_lsi_do_msgout_abort(current_tag);
- if (current_req) {
+ if (current_req && current_req->req) {
scsi_req_cancel(current_req->req);
+ current_req->req = NULL;
}
lsi_disconnect(s);
break;
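Review bot: the guard now requires both current_req and current_req->req, and the pointer is nulled right after scsi_req_cancel(), so a repeated ABORT TAG for the same tag becomes a no-op instead of a second cancel on a request that may already have been completed and freed. One thing to confirm: the write `current_req->req = NULL` happens after scsi_req_cancel() returns, so it relies on the lsi_request that current_req points to not being freed synchronously from inside the cancel path (for instance by the bus's request_cancelled callback). If it can be, clear the pointer first and cancel a local copy (`SCSIRequest *req = current_req->req; current_req->req = NULL; scsi_req_cancel(req);`).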

@ -0,0 +1,67 @@
From: Richard Henderson <richard.henderson@linaro.org>
Date: Tue, 21 Jun 2022 08:38:29 -0700
Subject: softmmu: Always initialize xlat in address_space_translate_for_iotlb
Git-commit: 418ade7849ce7641c0f7333718caf5091a02fd4c
References: bsc#1201367, CVE-2022-35414
The bug is an uninitialized memory read, along the translate_fail
path, which results in garbage being read from iotlb_to_section,
which can lead to a crash in io_readx/io_writex.
The bug may be fixed by writing any value with zero
in ~TARGET_PAGE_MASK, so that the call to iotlb_to_section using
the xlat'ed address returns io_mem_unassigned, as desired by the
translate_fail path.
It is most useful to record the original physical page address,
which will eventually be logged by memory_region_access_valid
when the access is rejected by unassigned_mem_accepts.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1065
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20220621153829.366423-1-richard.henderson@linaro.org>
Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
---
softmmu/physmem.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/softmmu/physmem.c b/softmmu/physmem.c
index f69d6b00467f8b53614171fa17a9..d512792f0b2fde28fb7c11991198 100644
--- a/softmmu/physmem.c
+++ b/softmmu/physmem.c
@@ -667,7 +667,7 @@ void tcg_iommu_init_notifier_list(CPUState *cpu)
/* Called from RCU critical section */
MemoryRegionSection *
-address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
+address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr,
hwaddr *xlat, hwaddr *plen,
MemTxAttrs attrs, int *prot)
{
@@ -676,6 +676,7 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
IOMMUMemoryRegionClass *imrc;
IOMMUTLBEntry iotlb;
int iommu_idx;
+ hwaddr addr = orig_addr;
AddressSpaceDispatch *d =
qatomic_rcu_read(&cpu->cpu_ases[asidx].memory_dispatch);
@@ -720,6 +721,16 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
return section;
translate_fail:
+ /*
+ * We should be given a page-aligned address -- certainly
+ * tlb_set_page_with_attrs() does so. The page offset of xlat
+ * is used to index sections[], and PHYS_SECTION_UNASSIGNED = 0.
+ * The page portion of xlat will be logged by memory_region_access_valid()
+ * when this memory access is rejected, so use the original untranslated
+ * physical address.
+ */
+ assert((orig_addr & ~TARGET_PAGE_MASK) == 0);
+ *xlat = orig_addr;
return &d->map.sections[PHYS_SECTION_UNASSIGNED];
}
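Review bot: the fail path now returns a well-defined xlat. orig_addr is asserted page-aligned, so `(*xlat & ~TARGET_PAGE_MASK) == 0` and iotlb_to_section() will index sections[0], which is the same PHYS_SECTION_UNASSIGNED entry returned here; section and xlat therefore agree, which is what the translate_fail path wants. The assert() checks an invariant of the caller (the comment names tlb_set_page_with_attrs()), not guest input, so a guest cannot trip it, but if this tree has other callers of address_space_translate_for_iotlb, verify they pass page-aligned addresses, because a violation is now an abort rather than an uninitialised read. Renaming the parameter to orig_addr and shadowing it with a local `addr` keeps the loop body untouched, and the signature's types are unchanged, so no caller needs editing.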

@ -0,0 +1,83 @@
From: Mauro Matteo Cascella <mcascell@redhat.com>
Date: Thu, 7 Apr 2022 10:17:12 +0200
Subject: ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: fa892e9abb728e76afcf27323ab29c57fb0fe7aa
References: bsc#1198035, CVE-2021-4206
Prevent potential integer overflow by limiting 'width' and 'height' to
512x512. Also change 'datasize' type to size_t. Refer to security
advisory https://starlabs.sg/advisories/22-4206/ for more information.
Fixes: CVE-2021-4206
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220407081712.345609-1-mcascell@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
---
hw/display/qxl-render.c | 7 +++++++
hw/display/vmware_vga.c | 2 ++
ui/cursor.c | 8 +++++++-
3 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
index 237ed293baaea76e9602e50a97ee..ca217004bf72e7d394ed7ee9c948 100644
--- a/hw/display/qxl-render.c
+++ b/hw/display/qxl-render.c
@@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
size_t size;
c = cursor_alloc(cursor->header.width, cursor->header.height);
+
+ if (!c) {
+ qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__,
+ cursor->header.width, cursor->header.height);
+ goto fail;
+ }
+
c->hot_x = cursor->header.hot_spot_x;
c->hot_y = cursor->header.hot_spot_y;
switch (cursor->header.type) {
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index e2969a6c81c83190a334c35a6db1..2b81d6122fc8fa2751c6a94bd60d 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -509,6 +509,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
int i, pixels;
qc = cursor_alloc(c->width, c->height);
+ assert(qc != NULL);
+
qc->hot_x = c->hot_x;
qc->hot_y = c->hot_y;
switch (c->bpp) {
diff --git a/ui/cursor.c b/ui/cursor.c
index 1d62ddd4d072f6c60926db9d2315..835f0802f951a3ec965b95d7742e 100644
--- a/ui/cursor.c
+++ b/ui/cursor.c
@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[])
/* parse pixel data */
c = cursor_alloc(width, height);
+ assert(c != NULL);
+
for (pixel = 0, y = 0; y < height; y++, line++) {
for (x = 0; x < height; x++, pixel++) {
idx = xpm[line][x];
@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void)
QEMUCursor *cursor_alloc(int width, int height)
{
QEMUCursor *c;
- int datasize = width * height * sizeof(uint32_t);
+ size_t datasize = width * height * sizeof(uint32_t);
+
+ if (width > 512 || height > 512) {
+ return NULL;
+ }
c = g_malloc0(sizeof(QEMUCursor) + datasize);
c->width = width;
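Review bot: two points on the cursor_alloc() hunk. First, datasize is still computed before the bounds check, and `width * height * sizeof(uint32_t)` associates as `(width * height) * sizeof(uint32_t)`, so the first multiply is int by int and only the last one is size_t; an oversized width/height therefore overflows int (undefined behaviour) before the `> 512` check returns NULL. Move the check above the initializer, or cast the operands to size_t, so the limit actually guards the arithmetic. Second, the check rejects only large values; negative width or height (the parameters are int) pass it unchanged. On the callers: qxl handles NULL with qxl_set_guest_bug() and `goto fail`, which is the right response to guest-controlled dimensions, whereas vmware_vga.c and the xpm parser assert(). cursor_parse_xpm() works on built-in data, so that is fine, but for vmsvga_cursor_define() confirm that the FIFO command handler already bounds c->width and c->height before this call; otherwise an oversized cursor from the guest aborts QEMU instead of being rejected.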

@ -0,0 +1,56 @@
From: Stefano Garzarella <sgarzare@redhat.com>
Date: Mon, 28 Feb 2022 10:50:58 +0100
Subject: vhost-vsock: detach the virqueue element in case of error
Git-commit: 8d1b247f3748ac4078524130c6d7ae42b6140aaf
References: bsc#1198712, CVE-2022-26354
In vhost_vsock_common_send_transport_reset(), if an element popped from
the virtqueue is invalid, we should call virtqueue_detach_element() to
detach it from the virtqueue before freeing its memory.
Fixes: fc0b9b0e1c ("vhost-vsock: add virtio sockets device")
Fixes: CVE-2022-26354
Cc: qemu-stable@nongnu.org
Reported-by: VictorV <vv474172261@gmail.com>
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Message-Id: <20220228095058.27899-1-sgarzare@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
---
hw/virtio/vhost-vsock-common.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/hw/virtio/vhost-vsock-common.c b/hw/virtio/vhost-vsock-common.c
index 3f3771274e772ef6f086c87184eb..ed706681ace8e6d015abb0203214 100644
--- a/hw/virtio/vhost-vsock-common.c
+++ b/hw/virtio/vhost-vsock-common.c
@@ -153,19 +153,23 @@ static void vhost_vsock_common_send_transport_reset(VHostVSockCommon *vvc)
if (elem->out_num) {
error_report("invalid vhost-vsock event virtqueue element with "
"out buffers");
- goto out;
+ goto err;
}
if (iov_from_buf(elem->in_sg, elem->in_num, 0,
&event, sizeof(event)) != sizeof(event)) {
error_report("vhost-vsock event virtqueue element is too short");
- goto out;
+ goto err;
}
virtqueue_push(vq, elem, sizeof(event));
virtio_notify(VIRTIO_DEVICE(vvc), vq);
-out:
+ g_free(elem);
+ return;
+
+err:
+ virtqueue_detach_element(vq, elem, 0);
g_free(elem);
}
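Review bot: the restructured tail is correct. On success the element has been handed back with virtqueue_push(); on either error it has been popped but never pushed, so virtqueue_detach_element(vq, elem, 0) is needed to undo the pop (unmap the element's buffers and drop it from the in-use count) before g_free(), and len 0 is right because nothing was written into the in buffers. Splitting into an early `return` and an `err:` label means both paths free elem exactly once; the previous shared `out:` label freed it in all cases but left the in-use accounting wrong on the error paths.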

@ -0,0 +1,39 @@
From: Jason Wang <jasowang@redhat.com>
Date: Tue, 8 Mar 2022 10:42:51 +0800
Subject: virtio-net: fix map leaking on error during receive
Git-commit: abe300d9d894f7138e1af7c8e9c88c04bfe98b37
References: bsc#1198711, CVE-2022-26353
Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
tries to fix the use after free of the sg by caching the virtqueue
elements in an array and unmap them at once after receiving the
packets, But it forgot to unmap the cached elements on error which
will lead to leaking of mapping and other unexpected results.
Fixing this by detaching the cached elements on error. This addresses
CVE-2022-26353.
Reported-by: Victor Tom <vv474172261@gmail.com>
Cc: qemu-stable@nongnu.org
Fixes: CVE-2022-26353
Fixes: bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
---
hw/net/virtio-net.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index f2014d5ea0b30ceed3b422aeecca..e1f4748831e87b6baa436779d622 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1862,6 +1862,7 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
err:
for (j = 0; j < i; j++) {
+ virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);
g_free(elems[j]);
}
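Review bot: the added virtqueue_detach_element(q->rx_vq, elems[j], lens[j]) makes the error path do for the cached elements what the success path does via fill/flush: each element popped for this packet is unmapped and removed from the in-use count, with the length recorded in lens[j], before it is freed, instead of being freed while still mapped. Since the hunk shows only the err: loop, check in the full function that lens[j] is assigned for every j < i before any jump to err, because a detach with an uninitialised length would be wrong. This is the same popped-but-not-pushed pattern as the vhost-vsock fix in this commit.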