* [PATCH 1/4] qemu: fix CVE-2021-4145
@ 2022-05-31 22:08 Sakib Sajal
2022-05-31 22:08 ` [PATCH 2/4] qemu: fix CVE-2021-3750 Sakib Sajal
` (3 more replies)
0 siblings, 4 replies; 6+ messages in thread
From: Sakib Sajal @ 2022-05-31 22:08 UTC (permalink / raw)
To: openembedded-core
Fix for CVE-2021-4145, commit 66fed30c9c, fixes another commit:
d44dae1a7c ("block/mirror: fix active mirror dead-lock in mirror_wait_on_conflicts")
Hence, backport both the patches to resolve the CVE.
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
meta/recipes-devtools/qemu/qemu.inc | 2 +
.../qemu/qemu/CVE-2021-4145_1.patch | 67 +++++++++++++++
.../qemu/qemu/CVE-2021-4145_2.patch | 85 +++++++++++++++++++
3 files changed, 154 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4145_1.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4145_2.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 568ef1be94..aa372810ce 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -75,6 +75,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3930.patch \
file://CVE-2021-20196_1.patch \
file://CVE-2021-20196_2.patch \
+ file://CVE-2021-4145_1.patch \
+ file://CVE-2021-4145_2.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_1.patch
new file mode 100644
index 0000000000..02eae727d5
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_1.patch
@@ -0,0 +1,67 @@
+From 59fe260a352156261ad0d89be446e5dd0ac96de3 Mon Sep 17 00:00:00 2001
+From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Date: Sat, 3 Jul 2021 00:16:36 +0300
+Subject: [PATCH 1/2] block/mirror: fix active mirror dead-lock in
+ mirror_wait_on_conflicts
+
+It's possible that requests start to wait each other in
+mirror_wait_on_conflicts(). To avoid it let's use same technique as in
+block/io.c in bdrv_wait_serialising_requests_locked() /
+bdrv_find_conflicting_request(): don't wait on intersecting request if
+it is already waiting for some other request.
+
+For details of the dead-lock look at testIntersectingActiveIO()
+test-case which we actually fixing now.
+
+Fixes: d06107ade0ce74dc39739bac80de84b51ec18546
+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Message-Id: <20210702211636.228981-4-vsementsov@virtuozzo.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+
+CVE: CVE-2021-4145
+Upstream-Status: Backport [d44dae1a7cf782ec9235746ebb0e6c1a20dd7288]
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ block/mirror.c | 12 ++++++++++++
+ tests/qemu-iotests/151 | 0
+ 2 files changed, 12 insertions(+)
+ mode change 100755 => 100644 tests/qemu-iotests/151
+
+diff --git a/block/mirror.c b/block/mirror.c
+index 8e1ad6ece..fab008568 100644
+--- a/block/mirror.c
++++ b/block/mirror.c
+@@ -106,6 +106,7 @@ struct MirrorOp {
+ bool is_in_flight;
+ CoQueue waiting_requests;
+ Coroutine *co;
++ MirrorOp *waiting_for_op;
+
+ QTAILQ_ENTRY(MirrorOp) next;
+ };
+@@ -158,7 +159,18 @@ static void coroutine_fn mirror_wait_on_conflicts(MirrorOp *self,
+ if (ranges_overlap(self_start_chunk, self_nb_chunks,
+ op_start_chunk, op_nb_chunks))
+ {
++ /*
++ * If the operation is already (indirectly) waiting for us, or
++ * will wait for us as soon as it wakes up, then just go on
++ * (instead of producing a deadlock in the former case).
++ */
++ if (op->waiting_for_op) {
++ continue;
++ }
++
++ self->waiting_for_op = op;
+ qemu_co_queue_wait(&op->waiting_requests, NULL);
++ self->waiting_for_op = NULL;
+ break;
+ }
+ }
+diff --git a/tests/qemu-iotests/151 b/tests/qemu-iotests/151
+old mode 100755
+new mode 100644
+--
+2.33.0
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_2.patch
new file mode 100644
index 0000000000..891664375c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4145_2.patch
@@ -0,0 +1,85 @@
+From 09036c63a4a498d65de0d035211b01f0482e3533 Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Fri, 10 Sep 2021 14:45:33 +0200
+Subject: [PATCH 2/2] block/mirror: fix NULL pointer dereference in
+ mirror_wait_on_conflicts()
+
+In mirror_iteration() we call mirror_wait_on_conflicts() with
+`self` parameter set to NULL.
+
+Starting from commit d44dae1a7c we dereference `self` pointer in
+mirror_wait_on_conflicts() without checks if it is not NULL.
+
+Backtrace:
+ Program terminated with signal SIGSEGV, Segmentation fault.
+ #0 mirror_wait_on_conflicts (self=0x0, s=<optimized out>, offset=<optimized out>, bytes=<optimized out>)
+ at ../block/mirror.c:172
+ 172 self->waiting_for_op = op;
+ [Current thread is 1 (Thread 0x7f0908931ec0 (LWP 380249))]
+ (gdb) bt
+ #0 mirror_wait_on_conflicts (self=0x0, s=<optimized out>, offset=<optimized out>, bytes=<optimized out>)
+ at ../block/mirror.c:172
+ #1 0x00005610c5d9d631 in mirror_run (job=0x5610c76a2c00, errp=<optimized out>) at ../block/mirror.c:491
+ #2 0x00005610c5d58726 in job_co_entry (opaque=0x5610c76a2c00) at ../job.c:917
+ #3 0x00005610c5f046c6 in coroutine_trampoline (i0=<optimized out>, i1=<optimized out>)
+ at ../util/coroutine-ucontext.c:173
+ #4 0x00007f0909975820 in ?? () at ../sysdeps/unix/sysv/linux/x86_64/__start_context.S:91
+ from /usr/lib64/libc.so.6
+
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2001404
+Fixes: d44dae1a7c ("block/mirror: fix active mirror dead-lock in mirror_wait_on_conflicts")
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Message-Id: <20210910124533.288318-1-sgarzare@redhat.com>
+Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Signed-off-by: Hanna Reitz <hreitz@redhat.com>
+
+CVE: CVE-2021-4145
+Upstream-Status: Backport [66fed30c9cd11854fc878a4eceb507e915d7c9cd]
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ block/mirror.c | 25 ++++++++++++++++---------
+ 1 file changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/block/mirror.c b/block/mirror.c
+index fab008568..ca0be146f 100644
+--- a/block/mirror.c
++++ b/block/mirror.c
+@@ -159,18 +159,25 @@ static void coroutine_fn mirror_wait_on_conflicts(MirrorOp *self,
+ if (ranges_overlap(self_start_chunk, self_nb_chunks,
+ op_start_chunk, op_nb_chunks))
+ {
+- /*
+- * If the operation is already (indirectly) waiting for us, or
+- * will wait for us as soon as it wakes up, then just go on
+- * (instead of producing a deadlock in the former case).
+- */
+- if (op->waiting_for_op) {
+- continue;
++ if (self) {
++ /*
++ * If the operation is already (indirectly) waiting for us,
++ * or will wait for us as soon as it wakes up, then just go
++ * on (instead of producing a deadlock in the former case).
++ */
++ if (op->waiting_for_op) {
++ continue;
++ }
++
++ self->waiting_for_op = op;
+ }
+
+- self->waiting_for_op = op;
+ qemu_co_queue_wait(&op->waiting_requests, NULL);
+- self->waiting_for_op = NULL;
++
++ if (self) {
++ self->waiting_for_op = NULL;
++ }
++
+ break;
+ }
+ }
+--
+2.33.0
+
--
2.33.0
^ permalink raw reply related [flat|nested] 6+ messages in thread* [PATCH 2/4] qemu: fix CVE-2021-3750 2022-05-31 22:08 [PATCH 1/4] qemu: fix CVE-2021-4145 Sakib Sajal @ 2022-05-31 22:08 ` Sakib Sajal 2022-05-31 22:08 ` [PATCH 3/4] qemu: fix CVE-2022-26353 Sakib Sajal ` (2 subsequent siblings) 3 siblings, 0 replies; 6+ messages in thread From: Sakib Sajal @ 2022-05-31 22:08 UTC (permalink / raw) To: openembedded-core Backport appropriate patches to resolve CVE-2021-3750. Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> --- meta/recipes-devtools/qemu/qemu.inc | 3 + .../qemu/qemu/CVE-2021-3750_1.patch | 60 +++++++ .../qemu/qemu/CVE-2021-3750_2.patch | 65 ++++++++ .../qemu/qemu/CVE-2021-3750_3.patch | 156 ++++++++++++++++++ 4 files changed, 284 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_3.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index aa372810ce..5605ece5bb 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -77,6 +77,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-20196_2.patch \ file://CVE-2021-4145_1.patch \ file://CVE-2021-4145_2.patch \ + file://CVE-2021-3750_1.patch \ + file://CVE-2021-3750_2.patch \ + file://CVE-2021-3750_3.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch new file mode 100644 index 0000000000..8381661886 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch @@ -0,0 +1,60 @@ +From d09eb9fc1459f5c8b623f3f2134c3c007b4e6344 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Wed, 15 Dec 2021 19:24:19 +0100 +Subject: [PATCH 1/3] hw/intc/arm_gicv3: Check for !MEMTX_OK instead of + MEMTX_ERROR +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Quoting Peter Maydell: + + "These MEMTX_* aren't from the memory transaction + API functions; they're just being used by gicd_readl() and + friends as a way to indicate a success/failure so that the + actual MemoryRegionOps read/write fns like gicv3_dist_read() + can log a guest error." + +We are going to introduce more MemTxResult bits, so it is +safer to check for !MEMTX_OK rather than MEMTX_ERROR. + +Reviewed-by: Peter Xu <peterx@redhat.com> +Reviewed-by: David Hildenbrand <david@redhat.com> +Reviewed-by: Peter Maydell <peter.maydell@linaro.org> +Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Signed-off-by: Peter Maydell <peter.maydell@linaro.org> + +CVE: CVE-2021-3750 +Upstream-Status: Backport [b9d383ab797f54ae5fa8746117770709921dc529] + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/intc/arm_gicv3_redist.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c +index 8645220d6..44368e285 100644 +--- a/hw/intc/arm_gicv3_redist.c ++++ b/hw/intc/arm_gicv3_redist.c +@@ -450,7 +450,7 @@ MemTxResult gicv3_redist_read(void *opaque, hwaddr offset, uint64_t *data, + break; + } + +- if (r == MEMTX_ERROR) { ++ if (r != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: invalid guest read at offset " TARGET_FMT_plx + "size %u\n", __func__, offset, size); +@@ -507,7 +507,7 @@ MemTxResult gicv3_redist_write(void *opaque, hwaddr offset, uint64_t data, + break; + } + +- if (r == MEMTX_ERROR) { ++ if (r != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: invalid guest write at offset " TARGET_FMT_plx + "size %u\n", __func__, offset, size); +-- +2.33.0 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch new file mode 100644 index 0000000000..82d2675ab2 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch @@ -0,0 +1,65 @@ +From 13e82fe73aca591cc4160688597515c7fb6f9788 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Wed, 15 Dec 2021 19:24:20 +0100 +Subject: [PATCH 2/3] softmmu/physmem: Simplify flatview_write and + address_space_access_valid +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Remove unuseful local 'result' variables. + +Reviewed-by: Peter Xu <peterx@redhat.com> +Reviewed-by: David Hildenbrand <david@redhat.com> +Reviewed-by: Alexander Bulekov <alxndr@bu.edu> +Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211215182421.418374-3-philmd@redhat.com> +Signed-off-by: Thomas Huth <thuth@redhat.com> + +CVE: CVE-2021-3750 +Upstream-Status: Backport [58e74682baf4e1ad26b064d8c02e5bc99c75c5d9] + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + softmmu/physmem.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/softmmu/physmem.c b/softmmu/physmem.c +index 2cd1de4a2..68612afbd 100644 +--- a/softmmu/physmem.c ++++ b/softmmu/physmem.c +@@ -2792,14 +2792,11 @@ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs, + hwaddr l; + hwaddr addr1; + MemoryRegion *mr; +- MemTxResult result = MEMTX_OK; + + l = len; + mr = flatview_translate(fv, addr, &addr1, &l, true, attrs); +- result = flatview_write_continue(fv, addr, attrs, buf, len, +- addr1, l, mr); +- +- return result; ++ return flatview_write_continue(fv, addr, attrs, buf, len, ++ addr1, l, mr); + } + + /* Called within RCU critical section. */ +@@ -3096,12 +3093,10 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, + MemTxAttrs attrs) + { + FlatView *fv; +- bool result; + + RCU_READ_LOCK_GUARD(); + fv = address_space_to_flatview(as); +- result = flatview_access_valid(fv, addr, len, is_write, attrs); +- return result; ++ return flatview_access_valid(fv, addr, len, is_write, attrs); + } + + static hwaddr +-- +2.33.0 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_3.patch new file mode 100644 index 0000000000..e5748b50ce --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_3.patch @@ -0,0 +1,156 @@ +From 9df520db8c1bf24f1ff1c9739b7870056f2bc991 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Wed, 15 Dec 2021 19:24:21 +0100 +Subject: [PATCH 3/3] softmmu/physmem: Introduce MemTxAttrs::memory field and + MEMTX_ACCESS_ERROR +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Add the 'memory' bit to the memory attributes to restrict bus +controller accesses to memories. + +Introduce flatview_access_allowed() to check bus permission +before running any bus transaction. + +Have read/write accessors return MEMTX_ACCESS_ERROR if an access is +restricted. + +There is no change for the default case where 'memory' is not set. + +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211215182421.418374-4-philmd@redhat.com> +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> +[thuth: Replaced MEMTX_BUS_ERROR with MEMTX_ACCESS_ERROR, remove "inline"] +Signed-off-by: Thomas Huth <thuth@redhat.com> + +CVE: CVE-2021-3750 +Upstream-Status: Backport [3ab6fdc91b72e156da22848f0003ff4225690ced] + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + include/exec/memattrs.h | 9 +++++++++ + softmmu/physmem.c | 44 +++++++++++++++++++++++++++++++++++++++-- + 2 files changed, 51 insertions(+), 2 deletions(-) + +diff --git a/include/exec/memattrs.h b/include/exec/memattrs.h +index 95f2d20d5..9fb98bc1e 100644 +--- a/include/exec/memattrs.h ++++ b/include/exec/memattrs.h +@@ -35,6 +35,14 @@ typedef struct MemTxAttrs { + unsigned int secure:1; + /* Memory access is usermode (unprivileged) */ + unsigned int user:1; ++ /* ++ * Bus interconnect and peripherals can access anything (memories, ++ * devices) by default. By setting the 'memory' bit, bus transaction ++ * are restricted to "normal" memories (per the AMBA documentation) ++ * versus devices. Access to devices will be logged and rejected ++ * (see MEMTX_ACCESS_ERROR). ++ */ ++ unsigned int memory:1; + /* Requester ID (for MSI for example) */ + unsigned int requester_id:16; + /* Invert endianness for this page */ +@@ -66,6 +74,7 @@ typedef struct MemTxAttrs { + #define MEMTX_OK 0 + #define MEMTX_ERROR (1U << 0) /* device returned an error */ + #define MEMTX_DECODE_ERROR (1U << 1) /* nothing at that address */ ++#define MEMTX_ACCESS_ERROR (1U << 2) /* access denied */ + typedef uint32_t MemTxResult; + + #endif +diff --git a/softmmu/physmem.c b/softmmu/physmem.c +index 68612afbd..f15216da0 100644 +--- a/softmmu/physmem.c ++++ b/softmmu/physmem.c +@@ -38,6 +38,7 @@ + #include "qemu/config-file.h" + #include "qemu/error-report.h" + #include "qemu/qemu-print.h" ++#include "qemu/log.h" + #include "exec/memory.h" + #include "exec/ioport.h" + #include "sysemu/dma.h" +@@ -2736,6 +2737,33 @@ static bool prepare_mmio_access(MemoryRegion *mr) + return release_lock; + } + ++/** ++ * flatview_access_allowed ++ * @mr: #MemoryRegion to be accessed ++ * @attrs: memory transaction attributes ++ * @addr: address within that memory region ++ * @len: the number of bytes to access ++ * ++ * Check if a memory transaction is allowed. ++ * ++ * Returns: true if transaction is allowed, false if denied. ++ */ ++static bool flatview_access_allowed(MemoryRegion *mr, MemTxAttrs attrs, ++ hwaddr addr, hwaddr len) ++{ ++ if (likely(!attrs.memory)) { ++ return true; ++ } ++ if (memory_region_is_ram(mr)) { ++ return true; ++ } ++ qemu_log_mask(LOG_GUEST_ERROR, ++ "Invalid access to non-RAM device at " ++ "addr 0x%" HWADDR_PRIX ", size %" HWADDR_PRIu ", " ++ "region '%s'\n", addr, len, memory_region_name(mr)); ++ return false; ++} ++ + /* Called within RCU critical section. */ + static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr, + MemTxAttrs attrs, +@@ -2750,7 +2778,10 @@ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr, + const uint8_t *buf = ptr; + + for (;;) { +- if (!memory_access_is_direct(mr, true)) { ++ if (!flatview_access_allowed(mr, attrs, addr1, l)) { ++ result |= MEMTX_ACCESS_ERROR; ++ /* Keep going. */ ++ } else if (!memory_access_is_direct(mr, true)) { + release_lock |= prepare_mmio_access(mr); + l = memory_access_size(mr, l, addr1); + /* XXX: could force current_cpu to NULL to avoid +@@ -2795,6 +2826,9 @@ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs, + + l = len; + mr = flatview_translate(fv, addr, &addr1, &l, true, attrs); ++ if (!flatview_access_allowed(mr, attrs, addr, len)) { ++ return MEMTX_ACCESS_ERROR; ++ } + return flatview_write_continue(fv, addr, attrs, buf, len, + addr1, l, mr); + } +@@ -2812,7 +2846,10 @@ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr, + uint8_t *buf = ptr; + + for (;;) { +- if (!memory_access_is_direct(mr, false)) { ++ if (!flatview_access_allowed(mr, attrs, addr1, l)) { ++ result |= MEMTX_ACCESS_ERROR; ++ /* Keep going. */ ++ } else if (!memory_access_is_direct(mr, false)) { + /* I/O case */ + release_lock |= prepare_mmio_access(mr); + l = memory_access_size(mr, l, addr1); +@@ -2856,6 +2893,9 @@ static MemTxResult flatview_read(FlatView *fv, hwaddr addr, + + l = len; + mr = flatview_translate(fv, addr, &addr1, &l, false, attrs); ++ if (!flatview_access_allowed(mr, attrs, addr, len)) { ++ return MEMTX_ACCESS_ERROR; ++ } + return flatview_read_continue(fv, addr, attrs, buf, len, + addr1, l, mr); + } +-- +2.33.0 + -- 2.33.0 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 3/4] qemu: fix CVE-2022-26353 2022-05-31 22:08 [PATCH 1/4] qemu: fix CVE-2021-4145 Sakib Sajal 2022-05-31 22:08 ` [PATCH 2/4] qemu: fix CVE-2021-3750 Sakib Sajal @ 2022-05-31 22:08 ` Sakib Sajal 2022-05-31 22:08 ` [PATCH 4/4] qemu: fix CVE-2021-4206 Sakib Sajal [not found] ` <16F44FFA6E0E788F.31706@lists.openembedded.org> 3 siblings, 0 replies; 6+ messages in thread From: Sakib Sajal @ 2022-05-31 22:08 UTC (permalink / raw) To: openembedded-core Backport fix to resolve CVE-2022-26353: abe300d9d8 virtio-net: fix map leaking on error during receive Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2022-26353.patch | 44 +++++++++++++++++++ 2 files changed, 45 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-26353.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 5605ece5bb..898377d11b 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -80,6 +80,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3750_1.patch \ file://CVE-2021-3750_2.patch \ file://CVE-2021-3750_3.patch \ + file://CVE-2022-26353.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-26353.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-26353.patch new file mode 100644 index 0000000000..e76444b9fe --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-26353.patch @@ -0,0 +1,44 @@ +From 2263354a272db3e520687af31675684c9c705456 Mon Sep 17 00:00:00 2001 +From: Jason Wang <jasowang@redhat.com> +Date: Tue, 8 Mar 2022 10:42:51 +0800 +Subject: [PATCH] virtio-net: fix map leaking on error during receive + +Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg") +tries to fix the use after free of the sg by caching the virtqueue +elements in an array and unmap them at once after receiving the +packets, But it forgot to unmap the cached elements on error which +will lead to leaking of mapping and other unexpected results. + +Fixing this by detaching the cached elements on error. This addresses +CVE-2022-26353. + +Reported-by: Victor Tom <vv474172261@gmail.com> +Cc: qemu-stable@nongnu.org +Fixes: CVE-2022-26353 +Fixes: bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg") +Reviewed-by: Michael S. Tsirkin <mst@redhat.com> +Signed-off-by: Jason Wang <jasowang@redhat.com> + +CVE: CVE-2022-26353 +Upstream-Status: Backport [abe300d9d894f7138e1af7c8e9c88c04bfe98b37] + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/net/virtio-net.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c +index df1d30e2c..a351d16b5 100644 +--- a/hw/net/virtio-net.c ++++ b/hw/net/virtio-net.c +@@ -1795,6 +1795,7 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + + err: + for (j = 0; j < i; j++) { ++ virtqueue_detach_element(q->rx_vq, elems[j], lens[j]); + g_free(elems[j]); + } + +-- +2.33.0 + -- 2.33.0 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 4/4] qemu: fix CVE-2021-4206 2022-05-31 22:08 [PATCH 1/4] qemu: fix CVE-2021-4145 Sakib Sajal 2022-05-31 22:08 ` [PATCH 2/4] qemu: fix CVE-2021-3750 Sakib Sajal 2022-05-31 22:08 ` [PATCH 3/4] qemu: fix CVE-2022-26353 Sakib Sajal @ 2022-05-31 22:08 ` Sakib Sajal [not found] ` <16F44FFA6E0E788F.31706@lists.openembedded.org> 3 siblings, 0 replies; 6+ messages in thread From: Sakib Sajal @ 2022-05-31 22:08 UTC (permalink / raw) To: openembedded-core Backport fix to resolve CVE-2021-4206: fa892e9abb ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206) Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-4206.patch | 89 +++++++++++++++++++ 2 files changed, 90 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 898377d11b..b6595a7731 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -81,6 +81,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3750_2.patch \ file://CVE-2021-3750_3.patch \ file://CVE-2022-26353.patch \ + file://CVE-2021-4206.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch new file mode 100644 index 0000000000..bc76d3a206 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch @@ -0,0 +1,89 @@ +From 1ed7525cc9d9a98ef126e9803b09f50aa9f2e3bf Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella <mcascell@redhat.com> +Date: Thu, 7 Apr 2022 10:17:12 +0200 +Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc + (CVE-2021-4206) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Prevent potential integer overflow by limiting 'width' and 'height' to +512x512. Also change 'datasize' type to size_t. Refer to security +advisory https://starlabs.sg/advisories/22-4206/ for more information. + +Fixes: CVE-2021-4206 +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20220407081712.345609-1-mcascell@redhat.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +CVE: CVE-2021-4206 +Upstream-Status: Backport [fa892e9abb728e76afcf27323ab29c57fb0fe7aa] + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/display/qxl-render.c | 7 +++++++ + hw/display/vmware_vga.c | 2 ++ + ui/cursor.c | 8 +++++++- + 3 files changed, 16 insertions(+), 1 deletion(-) + +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c +index 3ce2e57b8..c2ecef706 100644 +--- a/hw/display/qxl-render.c ++++ b/hw/display/qxl-render.c +@@ -246,6 +246,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor, + size_t size; + + c = cursor_alloc(cursor->header.width, cursor->header.height); ++ ++ if (!c) { ++ qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__, ++ cursor->header.width, cursor->header.height); ++ goto fail; ++ } ++ + c->hot_x = cursor->header.hot_spot_x; + c->hot_y = cursor->header.hot_spot_y; + switch (cursor->header.type) { +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c +index bef0d7d69..e30dbdcb3 100644 +--- a/hw/display/vmware_vga.c ++++ b/hw/display/vmware_vga.c +@@ -510,6 +510,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s, + int i, pixels; + + qc = cursor_alloc(c->width, c->height); ++ assert(qc != NULL); ++ + qc->hot_x = c->hot_x; + qc->hot_y = c->hot_y; + switch (c->bpp) { +diff --git a/ui/cursor.c b/ui/cursor.c +index 1d62ddd4d..835f0802f 100644 +--- a/ui/cursor.c ++++ b/ui/cursor.c +@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[]) + + /* parse pixel data */ + c = cursor_alloc(width, height); ++ assert(c != NULL); ++ + for (pixel = 0, y = 0; y < height; y++, line++) { + for (x = 0; x < height; x++, pixel++) { + idx = xpm[line][x]; +@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void) + QEMUCursor *cursor_alloc(int width, int height) + { + QEMUCursor *c; +- int datasize = width * height * sizeof(uint32_t); ++ size_t datasize = width * height * sizeof(uint32_t); ++ ++ if (width > 512 || height > 512) { ++ return NULL; ++ } + + c = g_malloc0(sizeof(QEMUCursor) + datasize); + c->width = width; +-- +2.33.0 + -- 2.33.0 ^ permalink raw reply related [flat|nested] 6+ messages in thread
[parent not found: <16F44FFA6E0E788F.31706@lists.openembedded.org>]
* Re: [OE-core] [PATCH 2/4] qemu: fix CVE-2021-3750 [not found] ` <16F44FFA6E0E788F.31706@lists.openembedded.org> @ 2022-06-01 3:52 ` Sakib Sajal 2022-06-01 8:00 ` Davide Gardenal 0 siblings, 1 reply; 6+ messages in thread From: Sakib Sajal @ 2022-06-01 3:52 UTC (permalink / raw) To: openembedded-core This set of patches is for hardknott branch. On 2022-05-31 18:08, Sakib Sajal wrote: > Backport appropriate patches to resolve CVE-2021-3750. > > Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> > --- > meta/recipes-devtools/qemu/qemu.inc | 3 + > .../qemu/qemu/CVE-2021-3750_1.patch | 60 +++++++ > .../qemu/qemu/CVE-2021-3750_2.patch | 65 ++++++++ > .../qemu/qemu/CVE-2021-3750_3.patch | 156 ++++++++++++++++++ > 4 files changed, 284 insertions(+) > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_3.patch > > diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc > index aa372810ce..5605ece5bb 100644 > --- a/meta/recipes-devtools/qemu/qemu.inc > +++ b/meta/recipes-devtools/qemu/qemu.inc > @@ -77,6 +77,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ > file://CVE-2021-20196_2.patch \ > file://CVE-2021-4145_1.patch \ > file://CVE-2021-4145_2.patch \ > + file://CVE-2021-3750_1.patch \ > + file://CVE-2021-3750_2.patch \ > + file://CVE-2021-3750_3.patch \ > " > UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch > new file mode 100644 > index 0000000000..8381661886 > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch > @@ -0,0 +1,60 @@ > +From d09eb9fc1459f5c8b623f3f2134c3c007b4e6344 Mon Sep 17 00:00:00 2001 > +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> > +Date: Wed, 15 Dec 2021 19:24:19 +0100 > +Subject: [PATCH 1/3] hw/intc/arm_gicv3: Check for !MEMTX_OK instead of > + MEMTX_ERROR > +MIME-Version: 1.0 > +Content-Type: text/plain; charset=UTF-8 > +Content-Transfer-Encoding: 8bit > + > +Quoting Peter Maydell: > + > + "These MEMTX_* aren't from the memory transaction > + API functions; they're just being used by gicd_readl() and > + friends as a way to indicate a success/failure so that the > + actual MemoryRegionOps read/write fns like gicv3_dist_read() > + can log a guest error." > + > +We are going to introduce more MemTxResult bits, so it is > +safer to check for !MEMTX_OK rather than MEMTX_ERROR. > + > +Reviewed-by: Peter Xu <peterx@redhat.com> > +Reviewed-by: David Hildenbrand <david@redhat.com> > +Reviewed-by: Peter Maydell <peter.maydell@linaro.org> > +Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> > +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> > +Signed-off-by: Peter Maydell <peter.maydell@linaro.org> > + > +CVE: CVE-2021-3750 > +Upstream-Status: Backport [b9d383ab797f54ae5fa8746117770709921dc529] > + > +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> > +--- > + hw/intc/arm_gicv3_redist.c | 4 ++-- > + 1 file changed, 2 insertions(+), 2 deletions(-) > + > +diff --git a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c > +index 8645220d6..44368e285 100644 > +--- a/hw/intc/arm_gicv3_redist.c > ++++ b/hw/intc/arm_gicv3_redist.c > +@@ -450,7 +450,7 @@ MemTxResult gicv3_redist_read(void *opaque, hwaddr offset, uint64_t *data, > + break; > + } > + > +- if (r == MEMTX_ERROR) { > ++ if (r != MEMTX_OK) { > + qemu_log_mask(LOG_GUEST_ERROR, > + "%s: invalid guest read at offset " TARGET_FMT_plx > + "size %u\n", __func__, offset, size); > +@@ -507,7 +507,7 @@ MemTxResult gicv3_redist_write(void *opaque, hwaddr offset, uint64_t data, > + break; > + } > + > +- if (r == MEMTX_ERROR) { > ++ if (r != MEMTX_OK) { > + qemu_log_mask(LOG_GUEST_ERROR, > + "%s: invalid guest write at offset " TARGET_FMT_plx > + "size %u\n", __func__, offset, size); > +-- > +2.33.0 > + > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch > new file mode 100644 > index 0000000000..82d2675ab2 > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch > @@ -0,0 +1,65 @@ > +From 13e82fe73aca591cc4160688597515c7fb6f9788 Mon Sep 17 00:00:00 2001 > +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> > +Date: Wed, 15 Dec 2021 19:24:20 +0100 > +Subject: [PATCH 2/3] softmmu/physmem: Simplify flatview_write and > + address_space_access_valid > +MIME-Version: 1.0 > +Content-Type: text/plain; charset=UTF-8 > +Content-Transfer-Encoding: 8bit > + > +Remove unuseful local 'result' variables. > + > +Reviewed-by: Peter Xu <peterx@redhat.com> > +Reviewed-by: David Hildenbrand <david@redhat.com> > +Reviewed-by: Alexander Bulekov <alxndr@bu.edu> > +Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> > +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> > +Message-Id: <20211215182421.418374-3-philmd@redhat.com> > +Signed-off-by: Thomas Huth <thuth@redhat.com> > + > +CVE: CVE-2021-3750 > +Upstream-Status: Backport [58e74682baf4e1ad26b064d8c02e5bc99c75c5d9] > + > +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> > +--- > + softmmu/physmem.c | 11 +++-------- > + 1 file changed, 3 insertions(+), 8 deletions(-) > + > +diff --git a/softmmu/physmem.c b/softmmu/physmem.c > +index 2cd1de4a2..68612afbd 100644 > +--- a/softmmu/physmem.c > ++++ b/softmmu/physmem.c > +@@ -2792,14 +2792,11 @@ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs, > + hwaddr l; > + hwaddr addr1; > + MemoryRegion *mr; > +- MemTxResult result = MEMTX_OK; > + > + l = len; > + mr = flatview_translate(fv, addr, &addr1, &l, true, attrs); > +- result = flatview_write_continue(fv, addr, attrs, buf, len, > +- addr1, l, mr); > +- > +- return result; > ++ return flatview_write_continue(fv, addr, attrs, buf, len, > ++ addr1, l, mr); > + } > + > + /* Called within RCU critical section. */ > +@@ -3096,12 +3093,10 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, > + MemTxAttrs attrs) > + { > + FlatView *fv; > +- bool result; > + > + RCU_READ_LOCK_GUARD(); > + fv = address_space_to_flatview(as); > +- result = flatview_access_valid(fv, addr, len, is_write, attrs); > +- return result; > ++ return flatview_access_valid(fv, addr, len, is_write, attrs); > + } > + > + static hwaddr > +-- > +2.33.0 > + > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_3.patch > new file mode 100644 > index 0000000000..e5748b50ce > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_3.patch > @@ -0,0 +1,156 @@ > +From 9df520db8c1bf24f1ff1c9739b7870056f2bc991 Mon Sep 17 00:00:00 2001 > +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> > +Date: Wed, 15 Dec 2021 19:24:21 +0100 > +Subject: [PATCH 3/3] softmmu/physmem: Introduce MemTxAttrs::memory field and > + MEMTX_ACCESS_ERROR > +MIME-Version: 1.0 > +Content-Type: text/plain; charset=UTF-8 > +Content-Transfer-Encoding: 8bit > + > +Add the 'memory' bit to the memory attributes to restrict bus > +controller accesses to memories. > + > +Introduce flatview_access_allowed() to check bus permission > +before running any bus transaction. > + > +Have read/write accessors return MEMTX_ACCESS_ERROR if an access is > +restricted. > + > +There is no change for the default case where 'memory' is not set. > + > +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> > +Message-Id: <20211215182421.418374-4-philmd@redhat.com> > +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> > +Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> > +[thuth: Replaced MEMTX_BUS_ERROR with MEMTX_ACCESS_ERROR, remove "inline"] > +Signed-off-by: Thomas Huth <thuth@redhat.com> > + > +CVE: CVE-2021-3750 > +Upstream-Status: Backport [3ab6fdc91b72e156da22848f0003ff4225690ced] > + > +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> > +--- > + include/exec/memattrs.h | 9 +++++++++ > + softmmu/physmem.c | 44 +++++++++++++++++++++++++++++++++++++++-- > + 2 files changed, 51 insertions(+), 2 deletions(-) > + > +diff --git a/include/exec/memattrs.h b/include/exec/memattrs.h > +index 95f2d20d5..9fb98bc1e 100644 > +--- a/include/exec/memattrs.h > ++++ b/include/exec/memattrs.h > +@@ -35,6 +35,14 @@ typedef struct MemTxAttrs { > + unsigned int secure:1; > + /* Memory access is usermode (unprivileged) */ > + unsigned int user:1; > ++ /* > ++ * Bus interconnect and peripherals can access anything (memories, > ++ * devices) by default. By setting the 'memory' bit, bus transaction > ++ * are restricted to "normal" memories (per the AMBA documentation) > ++ * versus devices. Access to devices will be logged and rejected > ++ * (see MEMTX_ACCESS_ERROR). > ++ */ > ++ unsigned int memory:1; > + /* Requester ID (for MSI for example) */ > + unsigned int requester_id:16; > + /* Invert endianness for this page */ > +@@ -66,6 +74,7 @@ typedef struct MemTxAttrs { > + #define MEMTX_OK 0 > + #define MEMTX_ERROR (1U << 0) /* device returned an error */ > + #define MEMTX_DECODE_ERROR (1U << 1) /* nothing at that address */ > ++#define MEMTX_ACCESS_ERROR (1U << 2) /* access denied */ > + typedef uint32_t MemTxResult; > + > + #endif > +diff --git a/softmmu/physmem.c b/softmmu/physmem.c > +index 68612afbd..f15216da0 100644 > +--- a/softmmu/physmem.c > ++++ b/softmmu/physmem.c > +@@ -38,6 +38,7 @@ > + #include "qemu/config-file.h" > + #include "qemu/error-report.h" > + #include "qemu/qemu-print.h" > ++#include "qemu/log.h" > + #include "exec/memory.h" > + #include "exec/ioport.h" > + #include "sysemu/dma.h" > +@@ -2736,6 +2737,33 @@ static bool prepare_mmio_access(MemoryRegion *mr) > + return release_lock; > + } > + > ++/** > ++ * flatview_access_allowed > ++ * @mr: #MemoryRegion to be accessed > ++ * @attrs: memory transaction attributes > ++ * @addr: address within that memory region > ++ * @len: the number of bytes to access > ++ * > ++ * Check if a memory transaction is allowed. > ++ * > ++ * Returns: true if transaction is allowed, false if denied. > ++ */ > ++static bool flatview_access_allowed(MemoryRegion *mr, MemTxAttrs attrs, > ++ hwaddr addr, hwaddr len) > ++{ > ++ if (likely(!attrs.memory)) { > ++ return true; > ++ } > ++ if (memory_region_is_ram(mr)) { > ++ return true; > ++ } > ++ qemu_log_mask(LOG_GUEST_ERROR, > ++ "Invalid access to non-RAM device at " > ++ "addr 0x%" HWADDR_PRIX ", size %" HWADDR_PRIu ", " > ++ "region '%s'\n", addr, len, memory_region_name(mr)); > ++ return false; > ++} > ++ > + /* Called within RCU critical section. */ > + static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr, > + MemTxAttrs attrs, > +@@ -2750,7 +2778,10 @@ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr, > + const uint8_t *buf = ptr; > + > + for (;;) { > +- if (!memory_access_is_direct(mr, true)) { > ++ if (!flatview_access_allowed(mr, attrs, addr1, l)) { > ++ result |= MEMTX_ACCESS_ERROR; > ++ /* Keep going. */ > ++ } else if (!memory_access_is_direct(mr, true)) { > + release_lock |= prepare_mmio_access(mr); > + l = memory_access_size(mr, l, addr1); > + /* XXX: could force current_cpu to NULL to avoid > +@@ -2795,6 +2826,9 @@ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs, > + > + l = len; > + mr = flatview_translate(fv, addr, &addr1, &l, true, attrs); > ++ if (!flatview_access_allowed(mr, attrs, addr, len)) { > ++ return MEMTX_ACCESS_ERROR; > ++ } > + return flatview_write_continue(fv, addr, attrs, buf, len, > + addr1, l, mr); > + } > +@@ -2812,7 +2846,10 @@ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr, > + uint8_t *buf = ptr; > + > + for (;;) { > +- if (!memory_access_is_direct(mr, false)) { > ++ if (!flatview_access_allowed(mr, attrs, addr1, l)) { > ++ result |= MEMTX_ACCESS_ERROR; > ++ /* Keep going. */ > ++ } else if (!memory_access_is_direct(mr, false)) { > + /* I/O case */ > + release_lock |= prepare_mmio_access(mr); > + l = memory_access_size(mr, l, addr1); > +@@ -2856,6 +2893,9 @@ static MemTxResult flatview_read(FlatView *fv, hwaddr addr, > + > + l = len; > + mr = flatview_translate(fv, addr, &addr1, &l, false, attrs); > ++ if (!flatview_access_allowed(mr, attrs, addr, len)) { > ++ return MEMTX_ACCESS_ERROR; > ++ } > + return flatview_read_continue(fv, addr, attrs, buf, len, > + addr1, l, mr); > + } > +-- > +2.33.0 > + > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#166342): https://lists.openembedded.org/g/openembedded-core/message/166342 > Mute This Topic: https://lists.openembedded.org/mt/91462670/4422444 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [sakib.sajal@windriver.com] > -=-=-=-=-=-=-=-=-=-=-=- > ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 2/4] qemu: fix CVE-2021-3750 2022-06-01 3:52 ` [OE-core] [PATCH 2/4] qemu: fix CVE-2021-3750 Sakib Sajal @ 2022-06-01 8:00 ` Davide Gardenal 0 siblings, 0 replies; 6+ messages in thread From: Davide Gardenal @ 2022-06-01 8:00 UTC (permalink / raw) To: openembedded-core [-- Attachment #1: Type: text/plain, Size: 113 bytes --] Could you send this one for kirkstone too? You just need to change qemu.inc diff in theory. Thanks, Davide [-- Attachment #2: Type: text/html, Size: 129 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2022-06-01 8:00 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-05-31 22:08 [PATCH 1/4] qemu: fix CVE-2021-4145 Sakib Sajal
2022-05-31 22:08 ` [PATCH 2/4] qemu: fix CVE-2021-3750 Sakib Sajal
2022-05-31 22:08 ` [PATCH 3/4] qemu: fix CVE-2022-26353 Sakib Sajal
2022-05-31 22:08 ` [PATCH 4/4] qemu: fix CVE-2021-4206 Sakib Sajal
[not found] ` <16F44FFA6E0E788F.31706@lists.openembedded.org>
2022-06-01 3:52 ` [OE-core] [PATCH 2/4] qemu: fix CVE-2021-3750 Sakib Sajal
2022-06-01 8:00 ` Davide Gardenal
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox