QEMU update to version 8.2.0-20:

- Added CoDA feature support in the context of CVM. When virtcca cvm is enabled, the iommu is tagged as secure.
- hw/block: fix uint32 overflow
- hw/ufs: add basic info of query response upiu
- crypto: avoid leak of ctx when bad cipher mode is given Fixes: Coverity CID 1546884

Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>

Added-CoDA-feature-support-in-the-context-of-CVM.-Wh.patch

@@ -0,0 +1,107 @@
+From 1f0c212191d0f63744ef61e0725ab4c859b1d189 Mon Sep 17 00:00:00 2001
+From: yangxiangkai <yangxiangkai@huawei.com>
+Date: Mon, 23 Sep 2024 19:23:37 +0800
+Subject: [PATCH] Added CoDA feature support in the context of CVM. When
+ virtcca cvm is enabled, the iommu is tagged as secure.
+
+---
+ hw/vfio/container.c        | 15 +++++++++++++++
+ hw/virtio/virtio-bus.c     |  7 +++++++
+ linux-headers/linux/vfio.h |  2 ++
+ 3 files changed, 24 insertions(+)
+
+diff --git a/hw/vfio/container.c b/hw/vfio/container.c
+index d8b9117f4f..422235a221 100644
+--- a/hw/vfio/container.c
++++ b/hw/vfio/container.c
+@@ -33,6 +33,7 @@
+ #include "trace.h"
+ #include "qapi/error.h"
+ #include "migration/migration.h"
++#include "sysemu/kvm.h"
+ 
+ VFIOGroupList vfio_group_list =
+     QLIST_HEAD_INITIALIZER(vfio_group_list);
+@@ -399,6 +400,14 @@ static int vfio_get_iommu_type(VFIOContainer *container,
+                           VFIO_SPAPR_TCE_v2_IOMMU, VFIO_SPAPR_TCE_IOMMU };
+     int i;
+ 
++    if (virtcca_cvm_enabled()) {
++        if (ioctl(container->fd, VFIO_CHECK_EXTENSION, VFIO_TYPE1v2_S_IOMMU)) {
++            return VFIO_TYPE1v2_S_IOMMU;
++        } else {
++            return -errno;
++        }
++    }
++
+     for (i = 0; i < ARRAY_SIZE(iommu_types); i++) {
+         if (ioctl(container->fd, VFIO_CHECK_EXTENSION, iommu_types[i])) {
+             return iommu_types[i];
+@@ -625,6 +634,7 @@ static int vfio_connect_container(VFIOGroup *group, AddressSpace *as,
+     switch (container->iommu_type) {
+     case VFIO_TYPE1v2_IOMMU:
+     case VFIO_TYPE1_IOMMU:
++    case VFIO_TYPE1v2_S_IOMMU:
+     {
+         struct vfio_iommu_type1_info *info;
+ 
+@@ -857,6 +867,11 @@ static int vfio_get_device(VFIOGroup *group, const char *name,
+         return -1;
+     }
+ 
++    if (!virtcca_cvm_enabled() && (info->flags & VFIO_DEVICE_FLAGS_SECURE)) {
++        error_setg(errp, "Normal vm cannot use confidential device.");
++        return -1;
++    }
++
+     /*
+      * Set discarding of RAM as not broken for this group if the driver knows
+      * the device operates compatibly with discarding.  Setting must be
+diff --git a/hw/virtio/virtio-bus.c b/hw/virtio/virtio-bus.c
+index 4f16e7ef77..749df6478e 100644
+--- a/hw/virtio/virtio-bus.c
++++ b/hw/virtio/virtio-bus.c
+@@ -30,6 +30,7 @@
+ #include "hw/virtio/virtio-bus.h"
+ #include "hw/virtio/virtio.h"
+ #include "exec/address-spaces.h"
++#include "sysemu/kvm.h"
+ 
+ /* #define DEBUG_VIRTIO_BUS */
+ 
+@@ -71,6 +72,12 @@ void virtio_bus_device_plugged(VirtIODevice *vdev, Error **errp)
+         return;
+     }
+ 
++    if (virtcca_cvm_enabled() && (strcmp(vdev->name, "vhost-user-fs") == 0)) {
++        /* VIRTIO_F_IOMMU_PLATFORM should be enabled for vhost-user-fs using swiotlb */
++        error_setg(errp, "iommu_platform is not supported by this device");
++        return;
++    } 
++
+     if (klass->device_plugged != NULL) {
+         klass->device_plugged(qbus->parent, &local_err);
+     }
+diff --git a/linux-headers/linux/vfio.h b/linux-headers/linux/vfio.h
+index 956154e509..c27a43d74b 100644
+--- a/linux-headers/linux/vfio.h
++++ b/linux-headers/linux/vfio.h
+@@ -25,6 +25,7 @@
+ #define VFIO_TYPE1_IOMMU		1
+ #define VFIO_SPAPR_TCE_IOMMU		2
+ #define VFIO_TYPE1v2_IOMMU		3
++#define VFIO_TYPE1v2_S_IOMMU		12
+ /*
+  * IOMMU enforces DMA cache coherence (ex. PCIe NoSnoop stripping).  This
+  * capability is subject to change as groups are added or removed.
+@@ -224,6 +225,7 @@ struct vfio_device_info {
+ #define VFIO_DEVICE_FLAGS_FSL_MC (1 << 6)	/* vfio-fsl-mc device */
+ #define VFIO_DEVICE_FLAGS_CAPS	(1 << 7)	/* Info supports caps */
+ #define VFIO_DEVICE_FLAGS_CDX	(1 << 8)	/* vfio-cdx device */
++#define VFIO_DEVICE_FLAGS_SECURE	(1 << 9)	/* secure pci device */
+ 	__u32	num_regions;	/* Max region index + 1 */
+ 	__u32	num_irqs;	/* Max IRQ index + 1 */
+ 	__u32   cap_offset;	/* Offset within info struct of first cap */
+-- 
+2.41.0.windows.1
+

crypto-avoid-leak-of-ctx-when-bad-cipher-mode-is-giv.patch

@@ -0,0 +1,48 @@
+From a0c5ce95e94a4621b12262423bfa021accb07625 Mon Sep 17 00:00:00 2001
+From: dinglimin <dinglimin@cmss.chinamobile.com>
+Date: Mon, 16 Sep 2024 17:22:02 +0800
+Subject: [PATCH] =?UTF-8?q?crypto:=20avoid=20leak=20of=20ctx=20when=20bad?=
+ =?UTF-8?q?=20cipher=20mode=20is=20given=20Fixes:=20Coverity=20CID=2015468?=
+ =?UTF-8?q?84=20cherry=20picked=20from=20586ac2c67d707c2588766c5195d94fa55?=
+ =?UTF-8?q?3cc25af=20Reviewed-by:=20Peter=20Maydell=20<peter.maydell@linar?=
+ =?UTF-8?q?o.org>=20Reviewed-by:=20Philippe=20Mathieu-Daud=C3=A9=20<philmd?=
+ =?UTF-8?q?@linaro.org>=20Signed-off-by:=20Daniel=20P.=20Berrang=C3=A9=20<?=
+ =?UTF-8?q?berrange@redhat.com>=20Signed-off-by:=20dinglimin=20<dinglimin@?=
+ =?UTF-8?q?cmss.chinamobile.com>?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---
+ crypto/cipher-nettle.c.inc | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/cipher-nettle.c.inc b/crypto/cipher-nettle.c.inc
+index 42b39e18a2..766de036ba 100644
+--- a/crypto/cipher-nettle.c.inc
++++ b/crypto/cipher-nettle.c.inc
+@@ -734,16 +734,19 @@ static QCryptoCipher *qcrypto_cipher_ctx_new(QCryptoCipherAlgorithm alg,
+ #ifdef CONFIG_CRYPTO_SM4
+     case QCRYPTO_CIPHER_ALG_SM4:
+         {
+-            QCryptoNettleSm4 *ctx = g_new0(QCryptoNettleSm4, 1);
++            QCryptoNettleSm4 *ctx;
++            const QCryptoCipherDriver *drv;
+ 
+             switch (mode) {
+             case QCRYPTO_CIPHER_MODE_ECB:
+-                ctx->base.driver = &qcrypto_nettle_sm4_driver_ecb;
++                drv = &qcrypto_nettle_sm4_driver_ecb;
+                 break;
+             default:
+                 goto bad_cipher_mode;
+             }
+ 
++            ctx = g_new0(QCryptoNettleSm4, 1);
++            ctx->base.driver = drv;
+             sm4_set_encrypt_key(&ctx->key[0], key);
+             sm4_set_decrypt_key(&ctx->key[1], key);
+ 
+-- 
+2.41.0.windows.1
+

hw-block-fix-uint32-overflow.patch

@@ -0,0 +1,36 @@
+From fc5b9cb39257527568911f65c64d80e23f9f6ae3 Mon Sep 17 00:00:00 2001
+From: qihao <qihao_yewu@cmss.chinamobile.com>
+Date: Wed, 18 Sep 2024 10:32:42 -0400
+Subject: [PATCH] hw/block: fix uint32 overflow
+
+cheery-pick from 89cd6254b80784a1b3f574407192493ef92fe65f
+
+The product bs->bl.zone_size * (bs->bl.nr_zones - 1) may overflow
+uint32.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
+Message-id: 20240917080356.270576-2-frolov@swemel.ru
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
+---
+ hw/block/virtio-blk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
+index 2eb096a6dc..beedc0cf5f 100644
+--- a/hw/block/virtio-blk.c
++++ b/hw/block/virtio-blk.c
+@@ -860,7 +860,7 @@ static int virtio_blk_handle_zone_mgmt(VirtIOBlockReq *req, BlockZoneOp op)
+     } else {
+         if (bs->bl.zone_size > capacity - offset) {
+             /* The zoned device allows the last smaller zone. */
+-            len = capacity - bs->bl.zone_size * (bs->bl.nr_zones - 1);
++            len = capacity - bs->bl.zone_size * (bs->bl.nr_zones - 1ull);
+         } else {
+             len = bs->bl.zone_size;
+         }
+-- 
+2.41.0.windows.1
+

hw-ufs-add-basic-info-of-query-response-upiu.patch

@@ -0,0 +1,71 @@
+From 450b67a5dd3954db8441a1ad65a5e4594ba2e405 Mon Sep 17 00:00:00 2001
+From: dinglimin <dinglimin@cmss.chinamobile.com>
+Date: Mon, 16 Sep 2024 17:34:34 +0800
+Subject: [PATCH] hw/ufs: add basic info of query response upiu cherry picked
+ from de2cc4078240f8b745a7caeed461b02f2577e2d2 Modify to fill the opcode, idn,
+ index, selector information of all Query Response UPIU. because attr and flag
+ operation of query response upiu need these information too.
+
+Signed-off-by: KyoungrulKim <k831.kim@samsung.com>
+Reviewed-by: Minwoo Im <minwoo.im@samsung.com>
+Reviewed-by: Jeuk Kim <jeuk20.kim@samsung.com>
+Signed-off-by: Jeuk Kim <jeuk20.kim@samsung.com>
+Signed-off-by: dinglimin <dinglimin@cmss.chinamobile.com>
+---
+ hw/ufs/ufs.c | 13 +++++++++----
+ hw/ufs/ufs.h |  1 +
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c
+index bac78a32bb..068895b27b 100644
+--- a/hw/ufs/ufs.c
++++ b/hw/ufs/ufs.c
+@@ -455,6 +455,14 @@ void ufs_build_upiu_header(UfsRequest *req, uint8_t trans_type, uint8_t flags,
+     req->rsp_upiu.header.data_segment_length = cpu_to_be16(data_segment_length);
+ }
+ 
++void ufs_build_query_response(UfsRequest *req)
++{
++    req->rsp_upiu.qr.opcode = req->req_upiu.qr.opcode;
++    req->rsp_upiu.qr.idn = req->req_upiu.qr.idn;
++    req->rsp_upiu.qr.index = req->req_upiu.qr.index;
++    req->rsp_upiu.qr.selector = req->req_upiu.qr.selector;
++}
++
+ static UfsReqResult ufs_exec_scsi_cmd(UfsRequest *req)
+ {
+     UfsHc *u = req->hc;
+@@ -931,10 +939,6 @@ static QueryRespCode ufs_read_desc(UfsRequest *req)
+     if (length > req->rsp_upiu.qr.data[0]) {
+         length = req->rsp_upiu.qr.data[0];
+     }
+-    req->rsp_upiu.qr.opcode = req->req_upiu.qr.opcode;
+-    req->rsp_upiu.qr.idn = req->req_upiu.qr.idn;
+-    req->rsp_upiu.qr.index = req->req_upiu.qr.index;
+-    req->rsp_upiu.qr.selector = req->req_upiu.qr.selector;
+     req->rsp_upiu.qr.length = cpu_to_be16(length);
+ 
+     return status;
+@@ -1015,6 +1019,7 @@ static UfsReqResult ufs_exec_query_cmd(UfsRequest *req)
+     data_segment_length = be16_to_cpu(req->rsp_upiu.qr.length);
+     ufs_build_upiu_header(req, UFS_UPIU_TRANSACTION_QUERY_RSP, 0, status, 0,
+                           data_segment_length);
++    ufs_build_query_response(req);
+ 
+     if (status != UFS_QUERY_RESULT_SUCCESS) {
+         return UFS_REQUEST_FAIL;
+diff --git a/hw/ufs/ufs.h b/hw/ufs/ufs.h
+index 8fda94f4ef..8a74b4c2ab 100644
+--- a/hw/ufs/ufs.h
++++ b/hw/ufs/ufs.h
+@@ -132,6 +132,7 @@ static inline bool is_wlun(uint8_t lun)
+ void ufs_build_upiu_header(UfsRequest *req, uint8_t trans_type, uint8_t flags,
+                            uint8_t response, uint8_t scsi_status,
+                            uint16_t data_segment_length);
++void ufs_build_query_response(UfsRequest *req);
+ void ufs_complete_req(UfsRequest *req, UfsReqResult req_result);
+ void ufs_init_wlu(UfsLu *wlu, uint8_t wlun);
+ #endif /* HW_UFS_UFS_H */
+-- 
+2.41.0.windows.1
+

qemu.spec

@@ -3,7 +3,7 @@
 
 Name: qemu
 Version: 8.2.0
-Release: 19
+Release: 20
 Epoch: 11
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@@ -359,6 +359,10 @@ Patch0342: system-physmem-Propagate-AddressSpace-to-MapClient-h.patch
 Patch0343: system-physmem-Per-AddressSpace-bounce-buffering.patch
 Patch0344: softmmu-Support-concurrent-bounce-buffers-CVE-2024-8.patch
 Patch0345: mac_dbdma-Remove-leftover-dma_memory_unmap-calls-CVE.patch
+Patch0346: crypto-avoid-leak-of-ctx-when-bad-cipher-mode-is-giv.patch
+Patch0347: hw-ufs-add-basic-info-of-query-response-upiu.patch
+Patch0348: hw-block-fix-uint32-overflow.patch
+Patch0349: Added-CoDA-feature-support-in-the-context-of-CVM.-Wh.patch
 
 BuildRequires: flex
 BuildRequires: gcc
@@ -956,6 +960,12 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Mon Oct 21 2024 Jiabo Feng <fengjiabo1@huawei.com> - 11:8.2.0-20
+- Added CoDA feature support in the context of CVM. When virtcca cvm is enabled, the iommu is tagged as secure.
+- hw/block: fix uint32 overflow
+- hw/ufs: add basic info of query response upiu
+- crypto: avoid leak of ctx when bad cipher mode is given Fixes: Coverity CID 1546884
+
 * Mon Oct 14 2024 Jiabo Feng <fengjiabo1@huawei.com> - 11:8.2.0-19
 - mac_dbdma: Remove leftover `dma_memory_unmap` calls(CVE-2024-8612)
 - softmmu: Support concurrent bounce buffers(CVE-2024-8612)