!315 Automatically generate code patches with openeuler !146

From: @kuhnchen18 Reviewed-by: @imxcc,@imxcc Signed-off-by: @imxcc,@imxcc
2021-06-21 15:09:54 +00:00 · 2021-06-21 15:09:54 +00:00 · 3569d17e6f
commit 3569d17e6f
parent 15f03c48a1 230bdff72e
4 changed files with 158 additions and 1 deletions
--- a/hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch
+++ b/hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch
@ -0,0 +1,70 @@
+From 3e28567104500238b89ea6b4d684c5350194fea9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Mon, 21 Jun 2021 10:12:41 +0800
+Subject: [PATCH] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fix CVE-2021-20221
+
+Per the ARM Generic Interrupt Controller Architecture specification
+(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
+not 10:
+
+  - 4.3 Distributor register descriptions
+  - 4.3.15 Software Generated Interrupt Register, GICD_SG
+
+    - Table 4-21 GICD_SGIR bit assignments
+
+    The Interrupt ID of the SGI to forward to the specified CPU
+    interfaces. The value of this field is the Interrupt ID, in
+    the range 0-15, for example a value of 0b0011 specifies
+    Interrupt ID 3.
+
+Correct the irq mask to fix an undefined behavior (which eventually
+lead to a heap-buffer-overflow, see [Buglink]):
+
+   $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
+   [I 1612088147.116987] OPENED
+  [R +0.278293] writel 0x8000f00 0xff4affb0
+  ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
+  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
+
+This fixes a security issue when running with KVM on Arm with
+kernel-irqchip=off. (The default is kernel-irqchip=on, which is
+unaffected, and which is also the correct choice for performance.)
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2021-20221
+Fixes: 9ee6e8bb ("ARMv7 support.")
+Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
+Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
+
+Reported-by: Alexander Bulekov's avatarAlexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Philippe Mathieu-Daudé's avatarPhilippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20210131103401.217160-1-f4bug@amsat.org
+Reviewed-by: Peter Maydell's avatarPeter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell's avatarPeter Maydell <peter.maydell@linaro.org>
+
+Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
+---
+ hw/intc/arm_gic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
+index 77427a4188..492dabaa1c 100644
+--- a/hw/intc/arm_gic.c
+++ b/hw/intc/arm_gic.c
+@@ -1454,7 +1454,7 @@ static void gic_dist_writel(void *opaque, hwaddr offset,
+         int target_cpu;
+ 
+         cpu = gic_get_current_cpu(s);
+-        irq = value & 0x3ff;
+        irq = value & 0xf;
+         switch ((value >> 24) & 3) {
+         case 0:
+             mask = (value >> 16) & ALL_CPU_MASK;
+-- 
+2.27.0
+
--- a/ide-ahci-add-check-to-avoid-null-dereference-CVE-201.patch
+++ b/ide-ahci-add-check-to-avoid-null-dereference-CVE-201.patch
@ -0,0 +1,40 @@
+From c7fd5f3841f14c24e442fb6968c9f2d9e016f28a Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <address@hidden>
+Date: Mon, 21 Jun 2021 09:22:35 +0800
+Subject: [PATCH] ide: ahci: add check to avoid null dereference
+ (CVE-2019-12067)
+
+Fix CVE-2019-12067
+
+AHCI emulator while committing DMA buffer in ahci_commit_buf()
+may do a NULL dereference if the command header 'ad->cur_cmd'
+is null. Add check to avoid it.
+
+Reported-by: Bugs SysSec <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+
+Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
+---
+ hw/ide/ahci.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
+index 6aaf66534a..a7be0ae4fe 100644
+--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
+@@ -1455,8 +1455,10 @@ static void ahci_commit_buf(IDEDMA *dma, uint32_t tx_bytes)
+ {
+     AHCIDevice *ad = DO_UPCAST(AHCIDevice, dma, dma);
+ 
+-    tx_bytes += le32_to_cpu(ad->cur_cmd->status);
+-    ad->cur_cmd->status = cpu_to_le32(tx_bytes);
+    if (ad->cur_cmd) {
+        tx_bytes += le32_to_cpu(ad->cur_cmd->status);
+        ad->cur_cmd->status = cpu_to_le32(tx_bytes);
+    }
+ }
+ 
+ static int ahci_dma_rw_buf(IDEDMA *dma, int is_write)
+-- 
+2.27.0
+
--- a/qemu.spec
+++ b/qemu.spec
@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 59
+Release: 60
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@ -334,6 +334,9 @@ Patch0321: vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch
 Patch0322: vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch
 Patch0323: vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch
 Patch0324: vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch
+Patch0325: ide-ahci-add-check-to-avoid-null-dereference-CVE-201.patch
+Patch0326: hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch
+Patch0327: usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch

 BuildRequires: flex
 BuildRequires: bison
@ -727,6 +730,11 @@ getent passwd qemu >/dev/null || \
 %endif

 %changelog
+* Mon Jun 21 2021 Chen Qun <kuhn.chenqun@huawei.com>
+- ide: ahci: add check to avoid null dereference (CVE-2019-12067)
+- hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
+- usb: limit combined packets to 1 MiB (CVE-2021-3527)
+
 * Tue Jun 15 2021 Chen Qun <kuhn.chenqun@huawei.com>
 - vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544)
 - vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544)
--- a/usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch
+++ b/usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch
@ -0,0 +1,39 @@
+From 93be5f3334394aa9a1794007aed79e75cf4d348b Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 21 Jun 2021 10:19:58 +0800
+Subject: [PATCH] usb: limit combined packets to 1 MiB (CVE-2021-3527)
+
+Fix CVE-2021-3527
+
+usb-host and usb-redirect try to batch bulk transfers by combining many
+small usb packets into a single, large transfer request, to reduce the
+overhead and improve performance.
+
+This patch adds a size limit of 1 MiB for those combined packets to
+restrict the host resources the guest can bind that way.
+Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
+Message-Id: <20210503132915.2335822-6-kraxel@redhat.com>
+
+Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
+---
+ hw/usb/combined-packet.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c
+index 5d57e883dc..e56802f89a 100644
+--- a/hw/usb/combined-packet.c
+++ b/hw/usb/combined-packet.c
+@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep)
+         if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok ||
+                 next == NULL ||
+                 /* Work around for Linux usbfs bulk splitting + migration */
+-                (totalsize == (16 * KiB - 36) && p->int_req)) {
+                (totalsize == (16 * KiB - 36) && p->int_req) ||
+                /* Next package may grow combined package over 1MiB */
+                totalsize > 1 * MiB - ep->max_packet_size) {
+             usb_device_handle_data(ep->dev, first);
+             assert(first->status == USB_RET_ASYNC);
+             if (first->combined) {
+-- 
+2.27.0
+