Accepting request 989442 from home:dfaggioli:old_qemu

- Fix the following bugs: - bsc#1198037, CVE-2021-4207 - bsc#1198038, CVE-2022-0216 - bsc#1201367, CVE-2022-35414 - bsc#1198035, CVE-2021-4206 - bsc#1198712, CVE-2022-26354 - bsc#1198711, CVE-2022-26353 * Patches added: display-qxl-render-fix-race-condition-in.patch scsi-lsi53c895a-fix-use-after-free-in-ls.patch softmmu-Always-initialize-xlat-in-addres.patch ui-cursor-fix-integer-overflow-in-cursor.patch vhost-vsock-detach-the-virqueue-element-.patch virtio-net-fix-map-leaking-on-error-duri.patch OBS-URL: https://build.opensuse.org/request/show/989442 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=725
2022-07-15 15:41:11 +00:00 · 2022-07-15 15:41:11 +00:00 · 6749a6e9ce
commit 6749a6e9ce
parent 356a2ed499
10 changed files with 353 additions and 9 deletions
--- a/bundles.tar.xz
+++ b/bundles.tar.xz
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:b2837938571118a36f2134cbc2dab59a161748a2a3ae8decca176b5f35f3dea8
-size 139264
+oid sha256:caff72ba0d91116cb012ed88bd6f4cce2ee7015889cb1d1502abfdfd8d73dbd7
+size 146284
--- a/display-qxl-render-fix-race-condition-in.patch
+++ b/display-qxl-render-fix-race-condition-in.patch
@ -0,0 +1,37 @@
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 7 Apr 2022 10:11:06 +0200
+Subject: display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895
+References: bsc#1198037, CVE-2021-4207
+
+Avoid fetching 'width' and 'height' a second time to prevent possible
+race condition. Refer to security advisory
+https://starlabs.sg/advisories/22-4207/ for more information.
+
+Fixes: CVE-2021-4207
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20220407081106.343235-1-mcascell@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
+---
+ hw/display/qxl-render.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+index d28849b121763600d21962321380..237ed293baaea76e9602e50a97ee 100644
+--- a/hw/display/qxl-render.c
+++ b/hw/display/qxl-render.c
+@@ -266,7 +266,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
+         }
+         break;
+     case SPICE_CURSOR_TYPE_ALPHA:
+-        size = sizeof(uint32_t) * cursor->header.width * cursor->header.height;
+        size = sizeof(uint32_t) * c->width * c->height;
+         qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id);
+         if (qxl->debug > 2) {
+             cursor_print_ascii_art(c, "qxl/alpha");
--- a/hw-usb-hcd-ehci-fix-writeback-order.patch
+++ b/hw-usb-hcd-ehci-fix-writeback-order.patch
@ -1,7 +1,6 @@
-From e4ad2b63e748643e12306d61aea7aaf5a41a0d3c Mon Sep 17 00:00:00 2001
 From: Arnout Engelen <arnout@bzzt.net>
 Date: Sun, 8 May 2022 17:32:22 +0200
-Subject: [PATCH] hw/usb/hcd-ehci: fix writeback order
+Subject: hw/usb/hcd-ehci: fix writeback order

 Git-commit: f471e8b060798f26a7fc339c6152f82f22a7b33d
 References: bsc#1192115
@ -37,14 +36,14 @@ https://github.com/NixOS/nixpkgs/issues/170803

 Signed-off-by: Arnout Engelen <arnout@bzzt.net>
 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit f471e8b060798f26a7fc339c6152f82f22a7b33d)
 Signed-off-by: Lin Ma <lma@suse.com>
+Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
 ---
 hw/usb/hcd-ehci.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

 diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
-index 6caa7ac6c2..3464b2406e 100644
+index 6caa7ac6c28f56416f652b665787..3464b2406e94dcc7272116c7249d 100644
 --- a/hw/usb/hcd-ehci.c
 +++ b/hw/usb/hcd-ehci.c
@@ -2009,7 +2009,10 @@ static int ehci_state_writeback(EHCIQueue *q)
@ -59,6 +58,3 @@ index 6caa7ac6c2..3464b2406e 100644
     ehci_free_packet(p);
 
     /*
-- 
-2.34.1
-
--- a/qemu.changes
+++ b/qemu.changes
@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Fri Jul 15 09:08:06 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
+
+- Fix the following bugs:
+  - bsc#1198037, CVE-2021-4207
+  - bsc#1198038, CVE-2022-0216
+  - bsc#1201367, CVE-2022-35414
+  - bsc#1198035, CVE-2021-4206
+  - bsc#1198712, CVE-2022-26354
+  - bsc#1198711, CVE-2022-26353
+* Patches added:
+  display-qxl-render-fix-race-condition-in.patch
+  scsi-lsi53c895a-fix-use-after-free-in-ls.patch
+  softmmu-Always-initialize-xlat-in-addres.patch
+  ui-cursor-fix-integer-overflow-in-cursor.patch
+  vhost-vsock-detach-the-virqueue-element-.patch
+  virtio-net-fix-map-leaking-on-error-duri.patch
+
 -------------------------------------------------------------------
 Fri Jul  1 11:46:41 UTC 2022 - Lin Ma <lma@suse.com>

--- a/qemu.spec
+++ b/qemu.spec
@ -251,6 +251,12 @@ Patch00107:     block-qdict-Fix-Werror-maybe-uninitializ.patch
 Patch00108:     pci-fix-overflow-in-snprintf-string-form.patch
 Patch00109:     sphinx-change-default-language-to-en.patch
 Patch00110:     hw-usb-hcd-ehci-fix-writeback-order.patch
+Patch00111:     softmmu-Always-initialize-xlat-in-addres.patch
+Patch00112:     vhost-vsock-detach-the-virqueue-element-.patch
+Patch00113:     virtio-net-fix-map-leaking-on-error-duri.patch
+Patch00114:     display-qxl-render-fix-race-condition-in.patch
+Patch00115:     ui-cursor-fix-integer-overflow-in-cursor.patch
+Patch00116:     scsi-lsi53c895a-fix-use-after-free-in-ls.patch
 # Patches applied in roms/seabios/:
 Patch01000:     seabios-use-python2-explicitly-as-needed.patch
 Patch01001:     seabios-switch-to-python3-as-needed.patch
@ -1284,6 +1290,12 @@ This package records qemu testsuite results and represents successful testing.
 %patch00108 -p1
 %patch00109 -p1
 %patch00110 -p1
+%patch00111 -p1
+%patch00112 -p1
+%patch00113 -p1
+%patch00114 -p1
+%patch00115 -p1
+%patch00116 -p1
 %patch01000 -p1
 %patch01001 -p1
 %patch01002 -p1
--- a/scsi-lsi53c895a-fix-use-after-free-in-ls.patch
+++ b/scsi-lsi53c895a-fix-use-after-free-in-ls.patch
@ -0,0 +1,36 @@
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Tue, 5 Jul 2022 22:05:43 +0200
+Subject: scsi/lsi53c895a: fix use-after-free in lsi_do_msgout (CVE-2022-0216)
+
+Git-commit: 6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8
+References: bsc#1198038, CVE-2022-0216
+
+Set current_req->req to NULL to prevent reusing a free'd buffer in case of
+repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch.
+
+Fixes: CVE-2022-0216
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Message-Id: <20220705200543.2366809-1-mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
+---
+ hw/scsi/lsi53c895a.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 85e907a7854a8aeaa812978675cd..8033cf05023de397e91a0a121449 100644
+--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
+@@ -1029,8 +1029,9 @@ static void lsi_do_msgout(LSIState *s)
+         case 0x0d:
+             /* The ABORT TAG message clears the current I/O process only. */
+             trace_lsi_do_msgout_abort(current_tag);
+-            if (current_req) {
+            if (current_req && current_req->req) {
+                 scsi_req_cancel(current_req->req);
+                current_req->req = NULL;
+             }
+             lsi_disconnect(s);
+             break;
--- a/softmmu-Always-initialize-xlat-in-addres.patch
+++ b/softmmu-Always-initialize-xlat-in-addres.patch
@ -0,0 +1,67 @@
+From: Richard Henderson <richard.henderson@linaro.org>
+Date: Tue, 21 Jun 2022 08:38:29 -0700
+Subject: softmmu: Always initialize xlat in address_space_translate_for_iotlb
+
+Git-commit: 418ade7849ce7641c0f7333718caf5091a02fd4c
+References: bsc#1201367, CVE-2022-35414
+
+The bug is an uninitialized memory read, along the translate_fail
+path, which results in garbage being read from iotlb_to_section,
+which can lead to a crash in io_readx/io_writex.
+
+The bug may be fixed by writing any value with zero
+in ~TARGET_PAGE_MASK, so that the call to iotlb_to_section using
+the xlat'ed address returns io_mem_unassigned, as desired by the
+translate_fail path.
+
+It is most useful to record the original physical page address,
+which will eventually be logged by memory_region_access_valid
+when the access is rejected by unassigned_mem_accepts.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1065
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-Id: <20220621153829.366423-1-richard.henderson@linaro.org>
+Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
+---
+ softmmu/physmem.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/softmmu/physmem.c b/softmmu/physmem.c
+index f69d6b00467f8b53614171fa17a9..d512792f0b2fde28fb7c11991198 100644
+--- a/softmmu/physmem.c
+++ b/softmmu/physmem.c
+@@ -667,7 +667,7 @@ void tcg_iommu_init_notifier_list(CPUState *cpu)
+ 
+ /* Called from RCU critical section */
+ MemoryRegionSection *
+-address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
+address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr,
+                                   hwaddr *xlat, hwaddr *plen,
+                                   MemTxAttrs attrs, int *prot)
+ {
+@@ -676,6 +676,7 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
+     IOMMUMemoryRegionClass *imrc;
+     IOMMUTLBEntry iotlb;
+     int iommu_idx;
+    hwaddr addr = orig_addr;
+     AddressSpaceDispatch *d =
+         qatomic_rcu_read(&cpu->cpu_ases[asidx].memory_dispatch);
+ 
+@@ -720,6 +721,16 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
+     return section;
+ 
+ translate_fail:
+    /*
+     * We should be given a page-aligned address -- certainly
+     * tlb_set_page_with_attrs() does so.  The page offset of xlat
+     * is used to index sections[], and PHYS_SECTION_UNASSIGNED = 0.
+     * The page portion of xlat will be logged by memory_region_access_valid()
+     * when this memory access is rejected, so use the original untranslated
+     * physical address.
+     */
+    assert((orig_addr & ~TARGET_PAGE_MASK) == 0);
+    *xlat = orig_addr;
+     return &d->map.sections[PHYS_SECTION_UNASSIGNED];
+ }
+ 
--- a/ui-cursor-fix-integer-overflow-in-cursor.patch
+++ b/ui-cursor-fix-integer-overflow-in-cursor.patch
@ -0,0 +1,83 @@
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 7 Apr 2022 10:17:12 +0200
+Subject: ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: fa892e9abb728e76afcf27323ab29c57fb0fe7aa
+References: bsc#1198035, CVE-2021-4206
+
+Prevent potential integer overflow by limiting 'width' and 'height' to
+512x512. Also change 'datasize' type to size_t. Refer to security
+advisory https://starlabs.sg/advisories/22-4206/ for more information.
+
+Fixes: CVE-2021-4206
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20220407081712.345609-1-mcascell@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
+---
+ hw/display/qxl-render.c | 7 +++++++
+ hw/display/vmware_vga.c | 2 ++
+ ui/cursor.c             | 8 +++++++-
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+index 237ed293baaea76e9602e50a97ee..ca217004bf72e7d394ed7ee9c948 100644
+--- a/hw/display/qxl-render.c
+++ b/hw/display/qxl-render.c
+@@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
+     size_t size;
+ 
+     c = cursor_alloc(cursor->header.width, cursor->header.height);
+
+    if (!c) {
+        qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__,
+                cursor->header.width, cursor->header.height);
+        goto fail;
+    }
+
+     c->hot_x = cursor->header.hot_spot_x;
+     c->hot_y = cursor->header.hot_spot_y;
+     switch (cursor->header.type) {
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index e2969a6c81c83190a334c35a6db1..2b81d6122fc8fa2751c6a94bd60d 100644
+--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
+@@ -509,6 +509,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
+     int i, pixels;
+ 
+     qc = cursor_alloc(c->width, c->height);
+    assert(qc != NULL);
+
+     qc->hot_x = c->hot_x;
+     qc->hot_y = c->hot_y;
+     switch (c->bpp) {
+diff --git a/ui/cursor.c b/ui/cursor.c
+index 1d62ddd4d072f6c60926db9d2315..835f0802f951a3ec965b95d7742e 100644
+--- a/ui/cursor.c
+++ b/ui/cursor.c
+@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[])
+ 
+     /* parse pixel data */
+     c = cursor_alloc(width, height);
+    assert(c != NULL);
+
+     for (pixel = 0, y = 0; y < height; y++, line++) {
+         for (x = 0; x < height; x++, pixel++) {
+             idx = xpm[line][x];
+@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void)
+ QEMUCursor *cursor_alloc(int width, int height)
+ {
+     QEMUCursor *c;
+-    int datasize = width * height * sizeof(uint32_t);
+    size_t datasize = width * height * sizeof(uint32_t);
+
+    if (width > 512 || height > 512) {
+        return NULL;
+    }
+ 
+     c = g_malloc0(sizeof(QEMUCursor) + datasize);
+     c->width  = width;
--- a/vhost-vsock-detach-the-virqueue-element-.patch
+++ b/vhost-vsock-detach-the-virqueue-element-.patch
@ -0,0 +1,56 @@
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Mon, 28 Feb 2022 10:50:58 +0100
+Subject: vhost-vsock: detach the virqueue element in case of error
+
+Git-commit: 8d1b247f3748ac4078524130c6d7ae42b6140aaf
+References: bsc#1198712, CVE-2022-26354
+
+In vhost_vsock_common_send_transport_reset(), if an element popped from
+the virtqueue is invalid, we should call virtqueue_detach_element() to
+detach it from the virtqueue before freeing its memory.
+
+Fixes: fc0b9b0e1c ("vhost-vsock: add virtio sockets device")
+Fixes: CVE-2022-26354
+Cc: qemu-stable@nongnu.org
+Reported-by: VictorV <vv474172261@gmail.com>
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Message-Id: <20220228095058.27899-1-sgarzare@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
+---
+ hw/virtio/vhost-vsock-common.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/hw/virtio/vhost-vsock-common.c b/hw/virtio/vhost-vsock-common.c
+index 3f3771274e772ef6f086c87184eb..ed706681ace8e6d015abb0203214 100644
+--- a/hw/virtio/vhost-vsock-common.c
+++ b/hw/virtio/vhost-vsock-common.c
+@@ -153,19 +153,23 @@ static void vhost_vsock_common_send_transport_reset(VHostVSockCommon *vvc)
+     if (elem->out_num) {
+         error_report("invalid vhost-vsock event virtqueue element with "
+                      "out buffers");
+-        goto out;
+        goto err;
+     }
+ 
+     if (iov_from_buf(elem->in_sg, elem->in_num, 0,
+                      &event, sizeof(event)) != sizeof(event)) {
+         error_report("vhost-vsock event virtqueue element is too short");
+-        goto out;
+        goto err;
+     }
+ 
+     virtqueue_push(vq, elem, sizeof(event));
+     virtio_notify(VIRTIO_DEVICE(vvc), vq);
+ 
+-out:
+    g_free(elem);
+    return;
+
+err:
+    virtqueue_detach_element(vq, elem, 0);
+     g_free(elem);
+ }
+ 
--- a/virtio-net-fix-map-leaking-on-error-duri.patch
+++ b/virtio-net-fix-map-leaking-on-error-duri.patch
@ -0,0 +1,39 @@
+From: Jason Wang <jasowang@redhat.com>
+Date: Tue, 8 Mar 2022 10:42:51 +0800
+Subject: virtio-net: fix map leaking on error during receive
+
+Git-commit: abe300d9d894f7138e1af7c8e9c88c04bfe98b37
+References: bsc#1198711, CVE-2022-26353
+
+Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
+tries to fix the use after free of the sg by caching the virtqueue
+elements in an array and unmap them at once after receiving the
+packets, But it forgot to unmap the cached elements on error which
+will lead to leaking of mapping and other unexpected results.
+
+Fixing this by detaching the cached elements on error. This addresses
+CVE-2022-26353.
+
+Reported-by: Victor Tom <vv474172261@gmail.com>
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2022-26353
+Fixes: bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
+---
+ hw/net/virtio-net.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index f2014d5ea0b30ceed3b422aeecca..e1f4748831e87b6baa436779d622 100644
+--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
+@@ -1862,6 +1862,7 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ 
+ err:
+     for (j = 0; j < i; j++) {
+        virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);
+         g_free(elems[j]);
+     }
+