packages/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!315 Automatically generate code patches with openeuler !146

Browse Source 
From: @kuhnchen18
Reviewed-by: @imxcc,@imxcc
Signed-off-by: @imxcc,@imxcc
This commit is contained in:
openeuler-ci-bot 2021-06-21 15:09:54 +00:00 committed by Gitee
commit 3569d17e6f
4 changed files with 158 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch Normal file
View File

@ -0,0 +1,70 @@
From 3e28567104500238b89ea6b4d684c5350194fea9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
Date: Mon, 21 Jun 2021 10:12:41 +0800
Subject: [PATCH] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fix CVE-2021-20221
Per the ARM Generic Interrupt Controller Architecture specification
(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
not 10:
- 4.3 Distributor register descriptions
- 4.3.15 Software Generated Interrupt Register, GICD_SG
- Table 4-21 GICD_SGIR bit assignments
The Interrupt ID of the SGI to forward to the specified CPU
interfaces. The value of this field is the Interrupt ID, in
the range 0-15, for example a value of 0b0011 specifies
Interrupt ID 3.
Correct the irq mask to fix an undefined behavior (which eventually
lead to a heap-buffer-overflow, see [Buglink]):
$ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
[I 1612088147.116987] OPENED
[R +0.278293] writel 0x8000f00 0xff4affb0
../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
This fixes a security issue when running with KVM on Arm with
kernel-irqchip=off. (The default is kernel-irqchip=on, which is
unaffected, and which is also the correct choice for performance.)
Cc: qemu-stable@nongnu.org
Fixes: CVE-2021-20221
Fixes: 9ee6e8bb ("ARMv7 support.")
Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
Reported-by: Alexander Bulekov's avatarAlexander Bulekov <alxndr@bu.edu>
Signed-off-by: Philippe Mathieu-Daudé's avatarPhilippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20210131103401.217160-1-f4bug@amsat.org
Reviewed-by: Peter Maydell's avatarPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell's avatarPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
---
hw/intc/arm_gic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
index 77427a4188..492dabaa1c 100644
--- a/hw/intc/arm_gic.c
+++ b/hw/intc/arm_gic.c
@@ -1454,7 +1454,7 @@ static void gic_dist_writel(void *opaque, hwaddr offset,
int target_cpu;
cpu = gic_get_current_cpu(s);
- irq = value & 0x3ff;
+ irq = value & 0xf;
switch ((value >> 24) & 3) {
case 0:
mask = (value >> 16) & ALL_CPU_MASK;
--
2.27.0

40
ide-ahci-add-check-to-avoid-null-dereference-CVE-201.patch Normal file
View File

@ -0,0 +1,40 @@
From c7fd5f3841f14c24e442fb6968c9f2d9e016f28a Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <address@hidden>
Date: Mon, 21 Jun 2021 09:22:35 +0800
Subject: [PATCH] ide: ahci: add check to avoid null dereference
(CVE-2019-12067)
Fix CVE-2019-12067
AHCI emulator while committing DMA buffer in ahci_commit_buf()
may do a NULL dereference if the command header 'ad->cur_cmd'
is null. Add check to avoid it.
Reported-by: Bugs SysSec <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
---
hw/ide/ahci.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index 6aaf66534a..a7be0ae4fe 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -1455,8 +1455,10 @@ static void ahci_commit_buf(IDEDMA *dma, uint32_t tx_bytes)
{
AHCIDevice *ad = DO_UPCAST(AHCIDevice, dma, dma);
- tx_bytes += le32_to_cpu(ad->cur_cmd->status);
- ad->cur_cmd->status = cpu_to_le32(tx_bytes);
+ if (ad->cur_cmd) {
+ tx_bytes += le32_to_cpu(ad->cur_cmd->status);
+ ad->cur_cmd->status = cpu_to_le32(tx_bytes);
+ }
}
static int ahci_dma_rw_buf(IDEDMA *dma, int is_write)
--
2.27.0

10
qemu.spec
View File

@ -1,6 +1,6 @@
Name: qemu Name: qemu
Version: 4.1.0 Version: 4.1.0
Release: 59 Release: 60
Epoch: 2 Epoch: 2
Summary: QEMU is a generic and open source machine emulator and virtualizer Summary: QEMU is a generic and open source machine emulator and virtualizer
License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@ -334,6 +334,9 @@ Patch0321: vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch
Patch0322: vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch Patch0322: vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch
Patch0323: vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch Patch0323: vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch
Patch0324: vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch Patch0324: vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch
Patch0325: ide-ahci-add-check-to-avoid-null-dereference-CVE-201.patch
Patch0326: hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch
Patch0327: usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch
BuildRequires: flex BuildRequires: flex
BuildRequires: bison BuildRequires: bison
@ -727,6 +730,11 @@ getent passwd qemu >/dev/null || \
%endif %endif
%changelog %changelog
* Mon Jun 21 2021 Chen Qun <kuhn.chenqun@huawei.com>
- ide: ahci: add check to avoid null dereference (CVE-2019-12067)
- hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
- usb: limit combined packets to 1 MiB (CVE-2021-3527)
* Tue Jun 15 2021 Chen Qun <kuhn.chenqun@huawei.com> * Tue Jun 15 2021 Chen Qun <kuhn.chenqun@huawei.com>
- vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544) - vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544)
- vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544) - vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544)

39
usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch Normal file
View File

@ -0,0 +1,39 @@
From 93be5f3334394aa9a1794007aed79e75cf4d348b Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 21 Jun 2021 10:19:58 +0800
Subject: [PATCH] usb: limit combined packets to 1 MiB (CVE-2021-3527)
Fix CVE-2021-3527
usb-host and usb-redirect try to batch bulk transfers by combining many
small usb packets into a single, large transfer request, to reduce the
overhead and improve performance.
This patch adds a size limit of 1 MiB for those combined packets to
restrict the host resources the guest can bind that way.
Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
Message-Id: <20210503132915.2335822-6-kraxel@redhat.com>
Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
---
hw/usb/combined-packet.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c
index 5d57e883dc..e56802f89a 100644
--- a/hw/usb/combined-packet.c
+++ b/hw/usb/combined-packet.c
@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep)
if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok ||
next == NULL ||
/* Work around for Linux usbfs bulk splitting + migration */
- (totalsize == (16 * KiB - 36) && p->int_req)) {
+ (totalsize == (16 * KiB - 36) && p->int_req) ||
+ /* Next package may grow combined package over 1MiB */
+ totalsize > 1 * MiB - ep->max_packet_size) {
usb_device_handle_data(ep->dev, first);
assert(first->status == USB_RET_ASYNC);
if (first->combined) {
--
2.27.0