Accepting request 989442 from home:dfaggioli:old_qemu

- Fix the following bugs: - bsc#1198037, CVE-2021-4207 - bsc#1198038, CVE-2022-0216 - bsc#1201367, CVE-2022-35414 - bsc#1198035, CVE-2021-4206 - bsc#1198712, CVE-2022-26354 - bsc#1198711, CVE-2022-26353 * Patches added: display-qxl-render-fix-race-condition-in.patch scsi-lsi53c895a-fix-use-after-free-in-ls.patch softmmu-Always-initialize-xlat-in-addres.patch ui-cursor-fix-integer-overflow-in-cursor.patch vhost-vsock-detach-the-virqueue-element-.patch virtio-net-fix-map-leaking-on-error-duri.patch OBS-URL: https://build.opensuse.org/request/show/989442 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=725
2022-07-15 15:41:11 +00:00 · 2022-07-15 15:41:11 +00:00 · 6749a6e9ce
commit 6749a6e9ce
parent 356a2ed499
10 changed files with 353 additions and 9 deletions
--- a/bundles.tar.xz
+++ b/bundles.tar.xz
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:b2837938571118a36f2134cbc2dab59a161748a2a3ae8decca176b5f35f3dea8
+oid sha256:caff72ba0d91116cb012ed88bd6f4cce2ee7015889cb1d1502abfdfd8d73dbd7
-size 139264
+size 146284
--- a/display-qxl-render-fix-race-condition-in.patch
+++ b/display-qxl-render-fix-race-condition-in.patch
@ -0,0 +1,37 @@
 From: Mauro Matteo Cascella <mcascell@redhat.com>
 Date: Thu, 7 Apr 2022 10:11:06 +0200
 Subject: display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207)
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Git-commit: 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895
 References: bsc#1198037, CVE-2021-4207
 Avoid fetching 'width' and 'height' a second time to prevent possible
 race condition. Refer to security advisory
 https://starlabs.sg/advisories/22-4207/ for more information.
 Fixes: CVE-2021-4207
 Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
 Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
 Message-Id: <20220407081106.343235-1-mcascell@redhat.com>
 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
 Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
 ---
 hw/display/qxl-render.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
 index d28849b121763600d21962321380..237ed293baaea76e9602e50a97ee 100644
 --- a/hw/display/qxl-render.c
 +++ b/hw/display/qxl-render.c
@@ -266,7 +266,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
         }
         break;
     case SPICE_CURSOR_TYPE_ALPHA:
 -        size = sizeof(uint32_t) * cursor->header.width * cursor->header.height;
 +        size = sizeof(uint32_t) * c->width * c->height;
         qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id);
         if (qxl->debug > 2) {
             cursor_print_ascii_art(c, "qxl/alpha");
--- a/hw-usb-hcd-ehci-fix-writeback-order.patch
+++ b/hw-usb-hcd-ehci-fix-writeback-order.patch
@ -1,7 +1,6 @@
 From e4ad2b63e748643e12306d61aea7aaf5a41a0d3c Mon Sep 17 00:00:00 2001
 From: Arnout Engelen <arnout@bzzt.net>
 Date: Sun, 8 May 2022 17:32:22 +0200
-Subject: [PATCH] hw/usb/hcd-ehci: fix writeback order
+Subject: hw/usb/hcd-ehci: fix writeback order
 Git-commit: f471e8b060798f26a7fc339c6152f82f22a7b33d
 References: bsc#1192115
@ -37,14 +36,14 @@ https://github.com/NixOS/nixpkgs/issues/170803
 Signed-off-by: Arnout Engelen <arnout@bzzt.net>
 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
 (cherry picked from commit f471e8b060798f26a7fc339c6152f82f22a7b33d)
 Signed-off-by: Lin Ma <lma@suse.com>
 Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
 ---
 hw/usb/hcd-ehci.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
 diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
-index 6caa7ac6c2..3464b2406e 100644
+index 6caa7ac6c28f56416f652b665787..3464b2406e94dcc7272116c7249d 100644
 --- a/hw/usb/hcd-ehci.c
 +++ b/hw/usb/hcd-ehci.c
@@ -2009,7 +2009,10 @@ static int ehci_state_writeback(EHCIQueue *q)
@ -59,6 +58,3 @@ index 6caa7ac6c2..3464b2406e 100644
     ehci_free_packet(p);
     /*
 -- 
 2.34.1
--- a/qemu.changes
+++ b/qemu.changes
@ -1,3 +1,21 @@
 -------------------------------------------------------------------
 Fri Jul 15 09:08:06 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
 - Fix the following bugs:
  - bsc#1198037, CVE-2021-4207
  - bsc#1198038, CVE-2022-0216
  - bsc#1201367, CVE-2022-35414
  - bsc#1198035, CVE-2021-4206
  - bsc#1198712, CVE-2022-26354
  - bsc#1198711, CVE-2022-26353
 * Patches added:
  display-qxl-render-fix-race-condition-in.patch
  scsi-lsi53c895a-fix-use-after-free-in-ls.patch
  softmmu-Always-initialize-xlat-in-addres.patch
  ui-cursor-fix-integer-overflow-in-cursor.patch
  vhost-vsock-detach-the-virqueue-element-.patch
  virtio-net-fix-map-leaking-on-error-duri.patch
 -------------------------------------------------------------------
 Fri Jul  1 11:46:41 UTC 2022 - Lin Ma <lma@suse.com>
--- a/qemu.spec
+++ b/qemu.spec
@ -251,6 +251,12 @@ Patch00107:     block-qdict-Fix-Werror-maybe-uninitializ.patch
 Patch00108:     pci-fix-overflow-in-snprintf-string-form.patch
 Patch00109:     sphinx-change-default-language-to-en.patch
 Patch00110:     hw-usb-hcd-ehci-fix-writeback-order.patch
 Patch00111:     softmmu-Always-initialize-xlat-in-addres.patch
 Patch00112:     vhost-vsock-detach-the-virqueue-element-.patch
 Patch00113:     virtio-net-fix-map-leaking-on-error-duri.patch
 Patch00114:     display-qxl-render-fix-race-condition-in.patch
 Patch00115:     ui-cursor-fix-integer-overflow-in-cursor.patch
 Patch00116:     scsi-lsi53c895a-fix-use-after-free-in-ls.patch
 # Patches applied in roms/seabios/:
 Patch01000:     seabios-use-python2-explicitly-as-needed.patch
 Patch01001:     seabios-switch-to-python3-as-needed.patch
@ -1284,6 +1290,12 @@ This package records qemu testsuite results and represents successful testing.
 %patch00108 -p1
 %patch00109 -p1
 %patch00110 -p1
 %patch00111 -p1
 %patch00112 -p1
 %patch00113 -p1
 %patch00114 -p1
 %patch00115 -p1
 %patch00116 -p1
 %patch01000 -p1
 %patch01001 -p1
 %patch01002 -p1
--- a/scsi-lsi53c895a-fix-use-after-free-in-ls.patch
+++ b/scsi-lsi53c895a-fix-use-after-free-in-ls.patch
@ -0,0 +1,36 @@
 From: Mauro Matteo Cascella <mcascell@redhat.com>
 Date: Tue, 5 Jul 2022 22:05:43 +0200
 Subject: scsi/lsi53c895a: fix use-after-free in lsi_do_msgout (CVE-2022-0216)
 Git-commit: 6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8
 References: bsc#1198038, CVE-2022-0216
 Set current_req->req to NULL to prevent reusing a free'd buffer in case of
 repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch.
 Fixes: CVE-2022-0216
 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
 Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
 Reviewed-by: Thomas Huth <thuth@redhat.com>
 Message-Id: <20220705200543.2366809-1-mcascell@redhat.com>
 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
 Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
 ---
 hw/scsi/lsi53c895a.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
 index 85e907a7854a8aeaa812978675cd..8033cf05023de397e91a0a121449 100644
 --- a/hw/scsi/lsi53c895a.c
 +++ b/hw/scsi/lsi53c895a.c
@@ -1029,8 +1029,9 @@ static void lsi_do_msgout(LSIState *s)
         case 0x0d:
             /* The ABORT TAG message clears the current I/O process only. */
             trace_lsi_do_msgout_abort(current_tag);
 -            if (current_req) {
 +            if (current_req && current_req->req) {
                 scsi_req_cancel(current_req->req);
 +                current_req->req = NULL;
             }
             lsi_disconnect(s);
             break;
--- a/softmmu-Always-initialize-xlat-in-addres.patch
+++ b/softmmu-Always-initialize-xlat-in-addres.patch
@ -0,0 +1,67 @@
 From: Richard Henderson <richard.henderson@linaro.org>
 Date: Tue, 21 Jun 2022 08:38:29 -0700
 Subject: softmmu: Always initialize xlat in address_space_translate_for_iotlb
 Git-commit: 418ade7849ce7641c0f7333718caf5091a02fd4c
 References: bsc#1201367, CVE-2022-35414
 The bug is an uninitialized memory read, along the translate_fail
 path, which results in garbage being read from iotlb_to_section,
 which can lead to a crash in io_readx/io_writex.
 The bug may be fixed by writing any value with zero
 in ~TARGET_PAGE_MASK, so that the call to iotlb_to_section using
 the xlat'ed address returns io_mem_unassigned, as desired by the
 translate_fail path.
 It is most useful to record the original physical page address,
 which will eventually be logged by memory_region_access_valid
 when the access is rejected by unassigned_mem_accepts.
 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1065
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Message-Id: <20220621153829.366423-1-richard.henderson@linaro.org>
 Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
 ---
 softmmu/physmem.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
 diff --git a/softmmu/physmem.c b/softmmu/physmem.c
 index f69d6b00467f8b53614171fa17a9..d512792f0b2fde28fb7c11991198 100644
 --- a/softmmu/physmem.c
 +++ b/softmmu/physmem.c
@@ -667,7 +667,7 @@ void tcg_iommu_init_notifier_list(CPUState *cpu)
 /* Called from RCU critical section */
 MemoryRegionSection *
 -address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
 +address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr,
                                   hwaddr *xlat, hwaddr *plen,
                                   MemTxAttrs attrs, int *prot)
 {
@@ -676,6 +676,7 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
     IOMMUMemoryRegionClass *imrc;
     IOMMUTLBEntry iotlb;
     int iommu_idx;
 +    hwaddr addr = orig_addr;
     AddressSpaceDispatch *d =
         qatomic_rcu_read(&cpu->cpu_ases[asidx].memory_dispatch);
@@ -720,6 +721,16 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
     return section;
 translate_fail:
 +    /*
 +     * We should be given a page-aligned address -- certainly
 +     * tlb_set_page_with_attrs() does so.  The page offset of xlat
 +     * is used to index sections[], and PHYS_SECTION_UNASSIGNED = 0.
 +     * The page portion of xlat will be logged by memory_region_access_valid()
 +     * when this memory access is rejected, so use the original untranslated
 +     * physical address.
 +     */
 +    assert((orig_addr & ~TARGET_PAGE_MASK) == 0);
 +    *xlat = orig_addr;
     return &d->map.sections[PHYS_SECTION_UNASSIGNED];
 }
--- a/ui-cursor-fix-integer-overflow-in-cursor.patch
+++ b/ui-cursor-fix-integer-overflow-in-cursor.patch
@ -0,0 +1,83 @@
 From: Mauro Matteo Cascella <mcascell@redhat.com>
 Date: Thu, 7 Apr 2022 10:17:12 +0200
 Subject: ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Git-commit: fa892e9abb728e76afcf27323ab29c57fb0fe7aa
 References: bsc#1198035, CVE-2021-4206
 Prevent potential integer overflow by limiting 'width' and 'height' to
 512x512. Also change 'datasize' type to size_t. Refer to security
 advisory https://starlabs.sg/advisories/22-4206/ for more information.
 Fixes: CVE-2021-4206
 Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
 Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
 Message-Id: <20220407081712.345609-1-mcascell@redhat.com>
 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
 Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
 ---
 hw/display/qxl-render.c | 7 +++++++
 hw/display/vmware_vga.c | 2 ++
 ui/cursor.c             | 8 +++++++-
 3 files changed, 16 insertions(+), 1 deletion(-)
 diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
 index 237ed293baaea76e9602e50a97ee..ca217004bf72e7d394ed7ee9c948 100644
 --- a/hw/display/qxl-render.c
 +++ b/hw/display/qxl-render.c
@@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
     size_t size;
     c = cursor_alloc(cursor->header.width, cursor->header.height);
 +
 +    if (!c) {
 +        qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__,
 +                cursor->header.width, cursor->header.height);
 +        goto fail;
 +    }
 +
     c->hot_x = cursor->header.hot_spot_x;
     c->hot_y = cursor->header.hot_spot_y;
     switch (cursor->header.type) {
 diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
 index e2969a6c81c83190a334c35a6db1..2b81d6122fc8fa2751c6a94bd60d 100644
 --- a/hw/display/vmware_vga.c
 +++ b/hw/display/vmware_vga.c
@@ -509,6 +509,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
     int i, pixels;
     qc = cursor_alloc(c->width, c->height);
 +    assert(qc != NULL);
 +
     qc->hot_x = c->hot_x;
     qc->hot_y = c->hot_y;
     switch (c->bpp) {
 diff --git a/ui/cursor.c b/ui/cursor.c
 index 1d62ddd4d072f6c60926db9d2315..835f0802f951a3ec965b95d7742e 100644
 --- a/ui/cursor.c
 +++ b/ui/cursor.c
@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[])
     /* parse pixel data */
     c = cursor_alloc(width, height);
 +    assert(c != NULL);
 +
     for (pixel = 0, y = 0; y < height; y++, line++) {
         for (x = 0; x < height; x++, pixel++) {
             idx = xpm[line][x];
@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void)
 QEMUCursor *cursor_alloc(int width, int height)
 {
     QEMUCursor *c;
 -    int datasize = width * height * sizeof(uint32_t);
 +    size_t datasize = width * height * sizeof(uint32_t);
 +
 +    if (width > 512 || height > 512) {
 +        return NULL;
 +    }
     c = g_malloc0(sizeof(QEMUCursor) + datasize);
     c->width  = width;
--- a/vhost-vsock-detach-the-virqueue-element-.patch
+++ b/vhost-vsock-detach-the-virqueue-element-.patch
@ -0,0 +1,56 @@
 From: Stefano Garzarella <sgarzare@redhat.com>
 Date: Mon, 28 Feb 2022 10:50:58 +0100
 Subject: vhost-vsock: detach the virqueue element in case of error
 Git-commit: 8d1b247f3748ac4078524130c6d7ae42b6140aaf
 References: bsc#1198712, CVE-2022-26354
 In vhost_vsock_common_send_transport_reset(), if an element popped from
 the virtqueue is invalid, we should call virtqueue_detach_element() to
 detach it from the virtqueue before freeing its memory.
 Fixes: fc0b9b0e1c ("vhost-vsock: add virtio sockets device")
 Fixes: CVE-2022-26354
 Cc: qemu-stable@nongnu.org
 Reported-by: VictorV <vv474172261@gmail.com>
 Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
 Message-Id: <20220228095058.27899-1-sgarzare@redhat.com>
 Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
 Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
 Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
 ---
 hw/virtio/vhost-vsock-common.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
 diff --git a/hw/virtio/vhost-vsock-common.c b/hw/virtio/vhost-vsock-common.c
 index 3f3771274e772ef6f086c87184eb..ed706681ace8e6d015abb0203214 100644
 --- a/hw/virtio/vhost-vsock-common.c
 +++ b/hw/virtio/vhost-vsock-common.c
@@ -153,19 +153,23 @@ static void vhost_vsock_common_send_transport_reset(VHostVSockCommon *vvc)
     if (elem->out_num) {
         error_report("invalid vhost-vsock event virtqueue element with "
                      "out buffers");
 -        goto out;
 +        goto err;
     }
     if (iov_from_buf(elem->in_sg, elem->in_num, 0,
                      &event, sizeof(event)) != sizeof(event)) {
         error_report("vhost-vsock event virtqueue element is too short");
 -        goto out;
 +        goto err;
     }
     virtqueue_push(vq, elem, sizeof(event));
     virtio_notify(VIRTIO_DEVICE(vvc), vq);
 -out:
 +    g_free(elem);
 +    return;
 +
 +err:
 +    virtqueue_detach_element(vq, elem, 0);
     g_free(elem);
 }
--- a/virtio-net-fix-map-leaking-on-error-duri.patch
+++ b/virtio-net-fix-map-leaking-on-error-duri.patch
@ -0,0 +1,39 @@
 From: Jason Wang <jasowang@redhat.com>
 Date: Tue, 8 Mar 2022 10:42:51 +0800
 Subject: virtio-net: fix map leaking on error during receive
 Git-commit: abe300d9d894f7138e1af7c8e9c88c04bfe98b37
 References: bsc#1198711, CVE-2022-26353
 Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
 tries to fix the use after free of the sg by caching the virtqueue
 elements in an array and unmap them at once after receiving the
 packets, But it forgot to unmap the cached elements on error which
 will lead to leaking of mapping and other unexpected results.
 Fixing this by detaching the cached elements on error. This addresses
 CVE-2022-26353.
 Reported-by: Victor Tom <vv474172261@gmail.com>
 Cc: qemu-stable@nongnu.org
 Fixes: CVE-2022-26353
 Fixes: bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
 Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
 Signed-off-by: Jason Wang <jasowang@redhat.com>
 Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
 ---
 hw/net/virtio-net.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
 index f2014d5ea0b30ceed3b422aeecca..e1f4748831e87b6baa436779d622 100644
 --- a/hw/net/virtio-net.c
 +++ b/hw/net/virtio-net.c
@@ -1862,6 +1862,7 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
 err:
     for (j = 0; j < i; j++) {
 +        virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);
         g_free(elems[j]);
     }