diff --git a/bundles.tar.xz b/bundles.tar.xz index 9059f106..f4c4dd9a 100644 --- a/bundles.tar.xz +++ b/bundles.tar.xz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:b2837938571118a36f2134cbc2dab59a161748a2a3ae8decca176b5f35f3dea8 -size 139264 +oid sha256:caff72ba0d91116cb012ed88bd6f4cce2ee7015889cb1d1502abfdfd8d73dbd7 +size 146284 diff --git a/display-qxl-render-fix-race-condition-in.patch b/display-qxl-render-fix-race-condition-in.patch new file mode 100644 index 00000000..fae98a2d --- /dev/null +++ b/display-qxl-render-fix-race-condition-in.patch @@ -0,0 +1,37 @@ +From: Mauro Matteo Cascella +Date: Thu, 7 Apr 2022 10:11:06 +0200 +Subject: display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Git-commit: 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895 +References: bsc#1198037, CVE-2021-4207 + +Avoid fetching 'width' and 'height' a second time to prevent possible +race condition. Refer to security advisory +https://starlabs.sg/advisories/22-4207/ for more information. + +Fixes: CVE-2021-4207 +Signed-off-by: Mauro Matteo Cascella +Reviewed-by: Marc-André Lureau +Message-Id: <20220407081106.343235-1-mcascell@redhat.com> +Signed-off-by: Gerd Hoffmann +Signed-off-by: Dario Faggioli +--- + hw/display/qxl-render.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c +index d28849b121763600d21962321380..237ed293baaea76e9602e50a97ee 100644 +--- a/hw/display/qxl-render.c ++++ b/hw/display/qxl-render.c +@@ -266,7 +266,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor, + } + break; + case SPICE_CURSOR_TYPE_ALPHA: +- size = sizeof(uint32_t) * cursor->header.width * cursor->header.height; ++ size = sizeof(uint32_t) * c->width * c->height; + qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id); + if (qxl->debug > 2) { + cursor_print_ascii_art(c, "qxl/alpha"); diff --git a/hw-usb-hcd-ehci-fix-writeback-order.patch b/hw-usb-hcd-ehci-fix-writeback-order.patch index d6847846..ec6be695 100644 --- a/hw-usb-hcd-ehci-fix-writeback-order.patch +++ b/hw-usb-hcd-ehci-fix-writeback-order.patch @@ -1,7 +1,6 @@ -From e4ad2b63e748643e12306d61aea7aaf5a41a0d3c Mon Sep 17 00:00:00 2001 From: Arnout Engelen Date: Sun, 8 May 2022 17:32:22 +0200 -Subject: [PATCH] hw/usb/hcd-ehci: fix writeback order +Subject: hw/usb/hcd-ehci: fix writeback order Git-commit: f471e8b060798f26a7fc339c6152f82f22a7b33d References: bsc#1192115 @@ -37,14 +36,14 @@ https://github.com/NixOS/nixpkgs/issues/170803 Signed-off-by: Arnout Engelen Signed-off-by: Gerd Hoffmann -(cherry picked from commit f471e8b060798f26a7fc339c6152f82f22a7b33d) Signed-off-by: Lin Ma +Signed-off-by: Dario Faggioli --- hw/usb/hcd-ehci.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c -index 6caa7ac6c2..3464b2406e 100644 +index 6caa7ac6c28f56416f652b665787..3464b2406e94dcc7272116c7249d 100644 --- a/hw/usb/hcd-ehci.c +++ b/hw/usb/hcd-ehci.c @@ -2009,7 +2009,10 @@ static int ehci_state_writeback(EHCIQueue *q) @@ -59,6 +58,3 @@ index 6caa7ac6c2..3464b2406e 100644 ehci_free_packet(p); /* --- -2.34.1 - diff --git a/qemu.changes b/qemu.changes index 4f376a20..2cb8dacc 100644 --- a/qemu.changes +++ b/qemu.changes @@ -1,3 +1,21 @@ +------------------------------------------------------------------- +Fri Jul 15 09:08:06 UTC 2022 - Dario Faggioli + +- Fix the following bugs: + - bsc#1198037, CVE-2021-4207 + - bsc#1198038, CVE-2022-0216 + - bsc#1201367, CVE-2022-35414 + - bsc#1198035, CVE-2021-4206 + - bsc#1198712, CVE-2022-26354 + - bsc#1198711, CVE-2022-26353 +* Patches added: + display-qxl-render-fix-race-condition-in.patch + scsi-lsi53c895a-fix-use-after-free-in-ls.patch + softmmu-Always-initialize-xlat-in-addres.patch + ui-cursor-fix-integer-overflow-in-cursor.patch + vhost-vsock-detach-the-virqueue-element-.patch + virtio-net-fix-map-leaking-on-error-duri.patch + ------------------------------------------------------------------- Fri Jul 1 11:46:41 UTC 2022 - Lin Ma diff --git a/qemu.spec b/qemu.spec index 3a770b4a..d9a23652 100644 --- a/qemu.spec +++ b/qemu.spec @@ -251,6 +251,12 @@ Patch00107: block-qdict-Fix-Werror-maybe-uninitializ.patch Patch00108: pci-fix-overflow-in-snprintf-string-form.patch Patch00109: sphinx-change-default-language-to-en.patch Patch00110: hw-usb-hcd-ehci-fix-writeback-order.patch +Patch00111: softmmu-Always-initialize-xlat-in-addres.patch +Patch00112: vhost-vsock-detach-the-virqueue-element-.patch +Patch00113: virtio-net-fix-map-leaking-on-error-duri.patch +Patch00114: display-qxl-render-fix-race-condition-in.patch +Patch00115: ui-cursor-fix-integer-overflow-in-cursor.patch +Patch00116: scsi-lsi53c895a-fix-use-after-free-in-ls.patch # Patches applied in roms/seabios/: Patch01000: seabios-use-python2-explicitly-as-needed.patch Patch01001: seabios-switch-to-python3-as-needed.patch @@ -1284,6 +1290,12 @@ This package records qemu testsuite results and represents successful testing. %patch00108 -p1 %patch00109 -p1 %patch00110 -p1 +%patch00111 -p1 +%patch00112 -p1 +%patch00113 -p1 +%patch00114 -p1 +%patch00115 -p1 +%patch00116 -p1 %patch01000 -p1 %patch01001 -p1 %patch01002 -p1 diff --git a/scsi-lsi53c895a-fix-use-after-free-in-ls.patch b/scsi-lsi53c895a-fix-use-after-free-in-ls.patch new file mode 100644 index 00000000..c08c0072 --- /dev/null +++ b/scsi-lsi53c895a-fix-use-after-free-in-ls.patch @@ -0,0 +1,36 @@ +From: Mauro Matteo Cascella +Date: Tue, 5 Jul 2022 22:05:43 +0200 +Subject: scsi/lsi53c895a: fix use-after-free in lsi_do_msgout (CVE-2022-0216) + +Git-commit: 6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8 +References: bsc#1198038, CVE-2022-0216 + +Set current_req->req to NULL to prevent reusing a free'd buffer in case of +repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch. + +Fixes: CVE-2022-0216 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972 +Signed-off-by: Mauro Matteo Cascella +Reviewed-by: Thomas Huth +Message-Id: <20220705200543.2366809-1-mcascell@redhat.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Dario Faggioli +--- + hw/scsi/lsi53c895a.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c +index 85e907a7854a8aeaa812978675cd..8033cf05023de397e91a0a121449 100644 +--- a/hw/scsi/lsi53c895a.c ++++ b/hw/scsi/lsi53c895a.c +@@ -1029,8 +1029,9 @@ static void lsi_do_msgout(LSIState *s) + case 0x0d: + /* The ABORT TAG message clears the current I/O process only. */ + trace_lsi_do_msgout_abort(current_tag); +- if (current_req) { ++ if (current_req && current_req->req) { + scsi_req_cancel(current_req->req); ++ current_req->req = NULL; + } + lsi_disconnect(s); + break; diff --git a/softmmu-Always-initialize-xlat-in-addres.patch b/softmmu-Always-initialize-xlat-in-addres.patch new file mode 100644 index 00000000..935dfdda --- /dev/null +++ b/softmmu-Always-initialize-xlat-in-addres.patch @@ -0,0 +1,67 @@ +From: Richard Henderson +Date: Tue, 21 Jun 2022 08:38:29 -0700 +Subject: softmmu: Always initialize xlat in address_space_translate_for_iotlb + +Git-commit: 418ade7849ce7641c0f7333718caf5091a02fd4c +References: bsc#1201367, CVE-2022-35414 + +The bug is an uninitialized memory read, along the translate_fail +path, which results in garbage being read from iotlb_to_section, +which can lead to a crash in io_readx/io_writex. + +The bug may be fixed by writing any value with zero +in ~TARGET_PAGE_MASK, so that the call to iotlb_to_section using +the xlat'ed address returns io_mem_unassigned, as desired by the +translate_fail path. + +It is most useful to record the original physical page address, +which will eventually be logged by memory_region_access_valid +when the access is rejected by unassigned_mem_accepts. + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1065 +Signed-off-by: Richard Henderson +Reviewed-by: Peter Maydell +Message-Id: <20220621153829.366423-1-richard.henderson@linaro.org> +Signed-off-by: Dario Faggioli +--- + softmmu/physmem.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/softmmu/physmem.c b/softmmu/physmem.c +index f69d6b00467f8b53614171fa17a9..d512792f0b2fde28fb7c11991198 100644 +--- a/softmmu/physmem.c ++++ b/softmmu/physmem.c +@@ -667,7 +667,7 @@ void tcg_iommu_init_notifier_list(CPUState *cpu) + + /* Called from RCU critical section */ + MemoryRegionSection * +-address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr, ++address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr, + hwaddr *xlat, hwaddr *plen, + MemTxAttrs attrs, int *prot) + { +@@ -676,6 +676,7 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr, + IOMMUMemoryRegionClass *imrc; + IOMMUTLBEntry iotlb; + int iommu_idx; ++ hwaddr addr = orig_addr; + AddressSpaceDispatch *d = + qatomic_rcu_read(&cpu->cpu_ases[asidx].memory_dispatch); + +@@ -720,6 +721,16 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr, + return section; + + translate_fail: ++ /* ++ * We should be given a page-aligned address -- certainly ++ * tlb_set_page_with_attrs() does so. The page offset of xlat ++ * is used to index sections[], and PHYS_SECTION_UNASSIGNED = 0. ++ * The page portion of xlat will be logged by memory_region_access_valid() ++ * when this memory access is rejected, so use the original untranslated ++ * physical address. ++ */ ++ assert((orig_addr & ~TARGET_PAGE_MASK) == 0); ++ *xlat = orig_addr; + return &d->map.sections[PHYS_SECTION_UNASSIGNED]; + } + diff --git a/ui-cursor-fix-integer-overflow-in-cursor.patch b/ui-cursor-fix-integer-overflow-in-cursor.patch new file mode 100644 index 00000000..4ae627d2 --- /dev/null +++ b/ui-cursor-fix-integer-overflow-in-cursor.patch @@ -0,0 +1,83 @@ +From: Mauro Matteo Cascella +Date: Thu, 7 Apr 2022 10:17:12 +0200 +Subject: ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Git-commit: fa892e9abb728e76afcf27323ab29c57fb0fe7aa +References: bsc#1198035, CVE-2021-4206 + +Prevent potential integer overflow by limiting 'width' and 'height' to +512x512. Also change 'datasize' type to size_t. Refer to security +advisory https://starlabs.sg/advisories/22-4206/ for more information. + +Fixes: CVE-2021-4206 +Signed-off-by: Mauro Matteo Cascella +Reviewed-by: Marc-André Lureau +Message-Id: <20220407081712.345609-1-mcascell@redhat.com> +Signed-off-by: Gerd Hoffmann +Signed-off-by: Dario Faggioli +--- + hw/display/qxl-render.c | 7 +++++++ + hw/display/vmware_vga.c | 2 ++ + ui/cursor.c | 8 +++++++- + 3 files changed, 16 insertions(+), 1 deletion(-) + +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c +index 237ed293baaea76e9602e50a97ee..ca217004bf72e7d394ed7ee9c948 100644 +--- a/hw/display/qxl-render.c ++++ b/hw/display/qxl-render.c +@@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor, + size_t size; + + c = cursor_alloc(cursor->header.width, cursor->header.height); ++ ++ if (!c) { ++ qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__, ++ cursor->header.width, cursor->header.height); ++ goto fail; ++ } ++ + c->hot_x = cursor->header.hot_spot_x; + c->hot_y = cursor->header.hot_spot_y; + switch (cursor->header.type) { +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c +index e2969a6c81c83190a334c35a6db1..2b81d6122fc8fa2751c6a94bd60d 100644 +--- a/hw/display/vmware_vga.c ++++ b/hw/display/vmware_vga.c +@@ -509,6 +509,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s, + int i, pixels; + + qc = cursor_alloc(c->width, c->height); ++ assert(qc != NULL); ++ + qc->hot_x = c->hot_x; + qc->hot_y = c->hot_y; + switch (c->bpp) { +diff --git a/ui/cursor.c b/ui/cursor.c +index 1d62ddd4d072f6c60926db9d2315..835f0802f951a3ec965b95d7742e 100644 +--- a/ui/cursor.c ++++ b/ui/cursor.c +@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[]) + + /* parse pixel data */ + c = cursor_alloc(width, height); ++ assert(c != NULL); ++ + for (pixel = 0, y = 0; y < height; y++, line++) { + for (x = 0; x < height; x++, pixel++) { + idx = xpm[line][x]; +@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void) + QEMUCursor *cursor_alloc(int width, int height) + { + QEMUCursor *c; +- int datasize = width * height * sizeof(uint32_t); ++ size_t datasize = width * height * sizeof(uint32_t); ++ ++ if (width > 512 || height > 512) { ++ return NULL; ++ } + + c = g_malloc0(sizeof(QEMUCursor) + datasize); + c->width = width; diff --git a/vhost-vsock-detach-the-virqueue-element-.patch b/vhost-vsock-detach-the-virqueue-element-.patch new file mode 100644 index 00000000..4a4d0cb3 --- /dev/null +++ b/vhost-vsock-detach-the-virqueue-element-.patch @@ -0,0 +1,56 @@ +From: Stefano Garzarella +Date: Mon, 28 Feb 2022 10:50:58 +0100 +Subject: vhost-vsock: detach the virqueue element in case of error + +Git-commit: 8d1b247f3748ac4078524130c6d7ae42b6140aaf +References: bsc#1198712, CVE-2022-26354 + +In vhost_vsock_common_send_transport_reset(), if an element popped from +the virtqueue is invalid, we should call virtqueue_detach_element() to +detach it from the virtqueue before freeing its memory. + +Fixes: fc0b9b0e1c ("vhost-vsock: add virtio sockets device") +Fixes: CVE-2022-26354 +Cc: qemu-stable@nongnu.org +Reported-by: VictorV +Signed-off-by: Stefano Garzarella +Message-Id: <20220228095058.27899-1-sgarzare@redhat.com> +Reviewed-by: Stefan Hajnoczi +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Dario Faggioli +--- + hw/virtio/vhost-vsock-common.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/hw/virtio/vhost-vsock-common.c b/hw/virtio/vhost-vsock-common.c +index 3f3771274e772ef6f086c87184eb..ed706681ace8e6d015abb0203214 100644 +--- a/hw/virtio/vhost-vsock-common.c ++++ b/hw/virtio/vhost-vsock-common.c +@@ -153,19 +153,23 @@ static void vhost_vsock_common_send_transport_reset(VHostVSockCommon *vvc) + if (elem->out_num) { + error_report("invalid vhost-vsock event virtqueue element with " + "out buffers"); +- goto out; ++ goto err; + } + + if (iov_from_buf(elem->in_sg, elem->in_num, 0, + &event, sizeof(event)) != sizeof(event)) { + error_report("vhost-vsock event virtqueue element is too short"); +- goto out; ++ goto err; + } + + virtqueue_push(vq, elem, sizeof(event)); + virtio_notify(VIRTIO_DEVICE(vvc), vq); + +-out: ++ g_free(elem); ++ return; ++ ++err: ++ virtqueue_detach_element(vq, elem, 0); + g_free(elem); + } + diff --git a/virtio-net-fix-map-leaking-on-error-duri.patch b/virtio-net-fix-map-leaking-on-error-duri.patch new file mode 100644 index 00000000..5d8232fa --- /dev/null +++ b/virtio-net-fix-map-leaking-on-error-duri.patch @@ -0,0 +1,39 @@ +From: Jason Wang +Date: Tue, 8 Mar 2022 10:42:51 +0800 +Subject: virtio-net: fix map leaking on error during receive + +Git-commit: abe300d9d894f7138e1af7c8e9c88c04bfe98b37 +References: bsc#1198711, CVE-2022-26353 + +Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg") +tries to fix the use after free of the sg by caching the virtqueue +elements in an array and unmap them at once after receiving the +packets, But it forgot to unmap the cached elements on error which +will lead to leaking of mapping and other unexpected results. + +Fixing this by detaching the cached elements on error. This addresses +CVE-2022-26353. + +Reported-by: Victor Tom +Cc: qemu-stable@nongnu.org +Fixes: CVE-2022-26353 +Fixes: bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg") +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Jason Wang +Signed-off-by: Dario Faggioli +--- + hw/net/virtio-net.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c +index f2014d5ea0b30ceed3b422aeecca..e1f4748831e87b6baa436779d622 100644 +--- a/hw/net/virtio-net.c ++++ b/hw/net/virtio-net.c +@@ -1862,6 +1862,7 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + + err: + for (j = 0; j < i; j++) { ++ virtqueue_detach_element(q->rx_vq, elems[j], lens[j]); + g_free(elems[j]); + } +