rpm/qemu
SHA256
1
0
Fork 0
forked from pool/qemu
Code Pull Requests Activity
5f7cc8fe5e
qemu/scsi-lsi53c895a-really-fix-use-after-fre.patch

142 lines
5.1 KiB
Diff
Raw Normal View History

Accepting request 990667 from home:dfaggioli:old_qemu - Substantial rework of the spec file: * the 'make check' testsuite now runs in the %check section of the main package, not in a subpackage * switched from %setup to %autosetup * rearranged the content in order to minimize the use of %if, %ifarch, etc - Properly fix bsc#1198038, CVE-2022-0216 * Patches added: scsi-lsi53c895a-really-fix-use-after-fre.patch tests-qtest-Move-the-fuzz-tests-to-x86-o.patch - Make temp dir (for update_git.sh) configurable - Added new subpackages (audio-dbus, ui-dbus) - bsc#1199018 was never fixed in Factory's QEMU 6.2. It is now (since the patches are already in SeaBIOS 1.16.0) - Some tests are having issues when run in OBS. They seem to be due to race conditions, triggered by resource constraints of OBS workers. Let's disable them for now, while looking for a fix - Update to v7.0.0. For full release notese, see: * https://wiki.qemu.org/ChangeLog/7.0 Be sure to also check the following pages: * https://qemu-project.gitlab.io/qemu/about/removed-features.html * https://qemu-project.gitlab.io/qemu/about/deprecated.html Some notable changes: * [ARM] The virt board has gained a new control knob to disable passing a RNG seed in the DTB (dtb-kaslr-seed) * [ARM] The AST2600 SoC now supports a dummy version of the i3c device * [ARM] The virt board can now run guests with KVM on hosts with restricted IPA ranges * [ARM] The virt board now supports virtio-mem-pci * [ARM] The virt board now supports specifying the guest CPU topology * [ARM] On the virt board, we now enable PAuth when using KVM or hvf and the host CPU supports it * [RISC-V] Add support for ratified 1.0 Vector extension * [RISC-V] Support for the Zve64f and Zve32f extensions * [RISC-V] Drop support for draft 0.7.1 Vector extension * [RISC-V] Support Zfhmin and Zfh extensions * [RISC-V] RISC-V KVM support * [RISC-V] Mark Hypervisor extension as non experimental * [RISC-V] Enable Hypervisor extension by default * [x86] Support for Intel AMX. * [PCI/PCIe] Q35: fix PCIe device becoming disabled after migration when ACPI based PCI hotplug is used (6b0969f1ec) * [PCI/PCIe] initial bits of SR/IOV support (250346169) * [PCI/PCIe] arm/virt: fixed PXB interrupt routing (e609301b45) * [PCI/PCIe] arm/virt: support for virtio-mem-pci (b1b87327a9) * [virtiofs] Fix for CVE-2022-0358 - behaviour with supplementary groups and SGID directories * [virtiofs] Improved security label support * [virtiofs] The virtiofsd in qemu is now starting to be deprecated; please start using and contributing to Rust virtiofsd * Patches dropped: acpi-validate-hotplug-selector-on-access.patch block-backend-Retain-permissions-after-m.patch block-qdict-Fix-Werror-maybe-uninitializ.patch brotli-fix-actual-variable-array-paramet.patch display-qxl-render-fix-race-condition-in.patch doc-Add-the-SGX-numa-description.patch hw-i386-amd_iommu-Fix-maybe-uninitialize.patch hw-intc-exynos4210_gic-provide-more-room.patch hw-nvme-fix-CVE-2021-3929.patch hw-nvram-at24-return-0xff-if-1-byte-addr.patch iotest-065-explicit-compression-type.patch iotest-214-explicit-compression-type.patch iotest-302-use-img_info_log-helper.patch iotest-303-explicit-compression-type.patch iotest-39-use-_qcow2_dump_header.patch iotests-60-more-accurate-set-dirty-bit-i.patch iotests-bash-tests-filter-compression-ty.patch iotests-common.rc-introduce-_qcow2_dump_.patch iotests-declare-lack-of-support-for-comp.patch iotests-drop-qemu_img_verbose-helper.patch iotests-massive-use-_qcow2_dump_header.patch iotests-MRCE-Write-data-to-source.patch iotests.py-filter-out-successful-output-.patch iotests.py-img_info_log-rename-imgopts-a.patch iotests.py-implement-unsupported_imgopts.patch iotests.py-qemu_img-create-support-IMGOP.patch iotests.py-rewrite-default-luks-support-.patch iotests-specify-some-unsupported_imgopts.patch meson-build-all-modules-by-default.patch numa-Enable-numa-for-SGX-EPC-sections.patch numa-Support-SGX-numa-in-the-monitor-and.patch python-aqmp-add-__del__-method-to-legacy.patch python-aqmp-add-_session_guard.patch python-aqmp-add-SocketAddrT-to-package-r.patch python-aqmp-add-socket-bind-step-to-lega.patch python-aqmp-add-start_server-and-accept-.patch python-aqmp-copy-type-definitions-from-q.patch python-aqmp-drop-_bind_hack.patch python-aqmp-fix-docstring-typo.patch python-aqmp-Fix-negotiation-with-pre-oob.patch python-aqmp-fix-race-condition-in-legacy.patch Python-aqmp-fix-type-definitions-for-myp.patch python-aqmp-handle-asyncio.TimeoutError-.patch python-aqmp-refactor-_do_accept-into-two.patch python-aqmp-remove-_new_session-and-_est.patch python-aqmp-rename-accept-to-start_serve.patch python-aqmp-rename-AQMPError-to-QMPError.patch python-aqmp-split-_client_connected_cb-o.patch python-aqmp-squelch-pylint-warning-for-t.patch python-aqmp-stop-the-server-during-disco.patch python-introduce-qmp-shell-wrap-convenie.patch python-machine-raise-VMLaunchFailure-exc.patch python-move-qmp-shell-under-the-AQMP-pac.patch python-move-qmp-utilities-to-python-qemu.patch python-qmp-switch-qmp-shell-to-AQMP.patch python-support-recording-QMP-session-to-.patch python-upgrade-mypy-to-0.780.patch qcow2-simple-case-support-for-downgradin.patch qemu-binfmt-conf.sh-should-use-F-as-shor.patch tests-qemu-iotests-040-Skip-TestCommitWi.patch tests-qemu-iotests-Fix-051-for-binaries-.patch tests-qemu-iotests-testrunner-Quote-case.patch tools-virtiofsd-Add-rseq-syscall-to-the-.patch ui-cursor-fix-integer-overflow-in-cursor.patch vhost-vsock-detach-the-virqueue-element-.patch virtiofsd-Drop-membership-of-all-supplem.patch virtio-net-fix-map-leaking-on-error-duri.patch Disable-some-tests-that-have-problems-in.patch * Patches added: intc-exynos4210_gic-replace-snprintf-wit.patch Revert-8dcb404bff6d9147765d7dd3e9c849337.patch ------------------------------------------------------------------ - Fix bsc#1197084 * Patches added: hostmem-default-the-amount-of-prealloc-t.patch - Get rid of downstream patches breaking s390 modules. Replace them with the upstream proposed and Acked (but never committed) solution (bsc#1199015) * Patches added: modules-generates-per-target-modinfo.patch modules-introduces-module_kconfig-direct.patch * Patches dropped: Fix-the-module-building-problem-for-s390.patch modules-quick-fix-a-fundamental-error-in.patch - backport patches for having coroutine work well when LTO is used * Patches added: coroutine-ucontext-use-QEMU_DEFINE_STATI.patch coroutine-use-QEMU_DEFINE_STATIC_CO_TLS.patch coroutine-win32-use-QEMU_DEFINE_STATIC_C.patch - seabios: drop patch that changes python in python2. Just go to python3 directly. * Patches dropped: seabios-use-python2-explicitly-as-needed.patch OBS-URL: https://build.opensuse.org/request/show/990667 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=726
2022-07-22 13:50:51 +02:00
From: Mauro Matteo Cascella <mcascell@redhat.com>
Date: Mon, 11 Jul 2022 14:33:16 +0200
Subject: scsi/lsi53c895a: really fix use-after-free in lsi_do_msgout
(CVE-2022-0216)
Git-commit: 4367a20cc442c56b05611b4224de9a61908f9eac
References: bsc#1198038, CVE-2022-0216
Set current_req to NULL, not current_req->req, to prevent reusing a free'd
buffer in case of repeated SCSI cancel requests. Also apply the fix to
CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel
the request.
Thanks to Alexander Bulekov for providing a reproducer.
Fixes: CVE-2022-0216
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20220711123316.421279-1-mcascell@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
---
hw/scsi/lsi53c895a.c | 3 +-
tests/qtest/fuzz-lsi53c895a-test.c | 76 ++++++++++++++++++++++++++++++
2 files changed, 78 insertions(+), 1 deletion(-)
diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
index 99ea42d49b08c301406db810ffef..ad5f5e5f394f27665feaf7e265eb 100644
--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
@@ -1030,7 +1030,7 @@ static void lsi_do_msgout(LSIState *s)
trace_lsi_do_msgout_abort(current_tag);
if (current_req && current_req->req) {
scsi_req_cancel(current_req->req);
- current_req->req = NULL;
+ current_req = NULL;
}
lsi_disconnect(s);
break;
@@ -1056,6 +1056,7 @@ static void lsi_do_msgout(LSIState *s)
/* clear the current I/O process */
if (s->current) {
scsi_req_cancel(s->current->req);
+ current_req = NULL;
}
/* As the current implemented devices scsi_disk and scsi_generic
diff --git a/tests/qtest/fuzz-lsi53c895a-test.c b/tests/qtest/fuzz-lsi53c895a-test.c
index ba5d468970cf9da86615d55211bf..c1af0ab1ce62350b7455b953cf83 100644
--- a/tests/qtest/fuzz-lsi53c895a-test.c
+++ b/tests/qtest/fuzz-lsi53c895a-test.c
@@ -8,6 +8,79 @@
#include "qemu/osdep.h"
#include "libqos/libqtest.h"
+/*
+ * This used to trigger a UAF in lsi_do_msgout()
+ * https://gitlab.com/qemu-project/qemu/-/issues/972
+ */
+static void test_lsi_do_msgout_cancel_req(void)
+{
+ QTestState *s;
+
+ if (sizeof(void *) == 4) {
+ g_test_skip("memory size too big for 32-bit build");
+ return;
+ }
+
+ s = qtest_init("-M q35 -m 4G -display none -nodefaults "
+ "-device lsi53c895a,id=scsi "
+ "-device scsi-hd,drive=disk0 "
+ "-drive file=null-co://,id=disk0,if=none,format=raw");
+
+ qtest_outl(s, 0xcf8, 0x80000810);
+ qtest_outl(s, 0xcf8, 0xc000);
+ qtest_outl(s, 0xcf8, 0x80000810);
+ qtest_outw(s, 0xcfc, 0x7);
+ qtest_outl(s, 0xcf8, 0x80000810);
+ qtest_outl(s, 0xcfc, 0xc000);
+ qtest_outl(s, 0xcf8, 0x80000804);
+ qtest_outw(s, 0xcfc, 0x05);
+ qtest_writeb(s, 0x69736c10, 0x08);
+ qtest_writeb(s, 0x69736c13, 0x58);
+ qtest_writeb(s, 0x69736c1a, 0x01);
+ qtest_writeb(s, 0x69736c1b, 0x06);
+ qtest_writeb(s, 0x69736c22, 0x01);
+ qtest_writeb(s, 0x69736c23, 0x07);
+ qtest_writeb(s, 0x69736c2b, 0x02);
+ qtest_writeb(s, 0x69736c48, 0x08);
+ qtest_writeb(s, 0x69736c4b, 0x58);
+ qtest_writeb(s, 0x69736c52, 0x04);
+ qtest_writeb(s, 0x69736c53, 0x06);
+ qtest_writeb(s, 0x69736c5b, 0x02);
+ qtest_outl(s, 0xc02d, 0x697300);
+ qtest_writeb(s, 0x5a554662, 0x01);
+ qtest_writeb(s, 0x5a554663, 0x07);
+ qtest_writeb(s, 0x5a55466a, 0x10);
+ qtest_writeb(s, 0x5a55466b, 0x22);
+ qtest_writeb(s, 0x5a55466c, 0x5a);
+ qtest_writeb(s, 0x5a55466d, 0x5a);
+ qtest_writeb(s, 0x5a55466e, 0x34);
+ qtest_writeb(s, 0x5a55466f, 0x5a);
+ qtest_writeb(s, 0x5a345a5a, 0x77);
+ qtest_writeb(s, 0x5a345a5b, 0x55);
+ qtest_writeb(s, 0x5a345a5c, 0x51);
+ qtest_writeb(s, 0x5a345a5d, 0x27);
+ qtest_writeb(s, 0x27515577, 0x41);
+ qtest_outl(s, 0xc02d, 0x5a5500);
+ qtest_writeb(s, 0x364001d0, 0x08);
+ qtest_writeb(s, 0x364001d3, 0x58);
+ qtest_writeb(s, 0x364001da, 0x01);
+ qtest_writeb(s, 0x364001db, 0x26);
+ qtest_writeb(s, 0x364001dc, 0x0d);
+ qtest_writeb(s, 0x364001dd, 0xae);
+ qtest_writeb(s, 0x364001de, 0x41);
+ qtest_writeb(s, 0x364001df, 0x5a);
+ qtest_writeb(s, 0x5a41ae0d, 0xf8);
+ qtest_writeb(s, 0x5a41ae0e, 0x36);
+ qtest_writeb(s, 0x5a41ae0f, 0xd7);
+ qtest_writeb(s, 0x5a41ae10, 0x36);
+ qtest_writeb(s, 0x36d736f8, 0x0c);
+ qtest_writeb(s, 0x36d736f9, 0x80);
+ qtest_writeb(s, 0x36d736fa, 0x0d);
+ qtest_outl(s, 0xc02d, 0x364000);
+
+ qtest_quit(s);
+}
+
/*
* This used to trigger the assert in lsi_do_dma()
* https://bugs.launchpad.net/qemu/+bug/697510
@@ -48,5 +121,8 @@ int main(int argc, char **argv)
test_lsi_do_dma_empty_queue);
}
+ qtest_add_func("fuzz/lsi53c895a/lsi_do_msgout_cancel_req",
+ test_lsi_do_msgout_cancel_req);
+
return g_test_run();
}
Copy Permalink