!604 fix CVE-2022-35414

From: @cenhuilin 
Reviewed-by: @yezengruan 
Signed-off-by: @yezengruan

qemu.spec

@@ -1,6 +1,6 @@
 Name: qemu
 Version: 6.2.0
-Release: 42
+Release: 43
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@@ -282,6 +282,7 @@ Patch0268: tests-qtest-intel-hda-test-Add-reproducer-for-issue-.patch
 Patch0269: hw-nvme-fix-CVE-2021-3929.patch
 Patch0270: acpi-validate-hotplug-selector-on-access.patch
 Patch0271: virtiofsd-Drop-membership-of-all-supplementary-group.patch
+Patch0272: softmmu-Always-initialize-xlat-in-address_space_tran.patch
 
 BuildRequires: flex
 BuildRequires: gcc
@@ -784,6 +785,9 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Tue Jul 19 2022 cenhuilin <cenhuilin@kylinos.cn> - 2:6.2.0-43
+- softmmu Always initialize xlat in address_space_tran (CVE-2022-35414)
+
 * Tue Jul 12 2022 liuxiangdong <liuxiangdong5@huawei.com> - 2:6.2.0-42
 - acpi: validate hotplug selector on access
 - virtiofsd: Drop membership of all supplementary groups (CVE-2022-0358)

softmmu-Always-initialize-xlat-in-address_space_tran.patch

@@ -0,0 +1,68 @@
+From e6b719bf79d00dddde0b0371075a41890a8f95a4 Mon Sep 17 00:00:00 2001
+From: cenhuilin <cenhuilin@kylinos.cn>
+Date: Tue, 19 Jul 2022 09:53:31 +0000
+Subject: [PATCH] softmmu Always initialize xlat in
+ address_space_translate_for_iotlb
+
+The bug is an uninitialized memory read, along the translate_fail
+path, which results in garbage being read from iotlb_to_section,
+which can lead to a crash in io_readx/io_writex.
+
+The bug may be fixed by writing any value with zero
+in ~TARGET_PAGE_MASK, so that the call to iotlb_to_section using
+the xlat'ed address returns io_mem_unassigned, as desired by the
+translate_fail path.
+
+It is most useful to record the original physical page address,
+which will eventually be logged by memory_region_access_valid
+when the access is rejected by unassigned_mem_accepts.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1065
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-Id: <20220621153829.366423-1-richard.henderson@linaro.org>
+---
+ softmmu/physmem.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/softmmu/physmem.c b/softmmu/physmem.c
+index ae26f7290..be39a49ce 100644
+--- a/softmmu/physmem.c
++++ b/softmmu/physmem.c
+@@ -668,7 +668,7 @@ void tcg_iommu_init_notifier_list(CPUState *cpu)
+ 
+ /* Called from RCU critical section */
+ MemoryRegionSection *
+-address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
++address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr,
+                                   hwaddr *xlat, hwaddr *plen,
+                                   MemTxAttrs attrs, int *prot)
+ {
+@@ -677,6 +677,7 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
+     IOMMUMemoryRegionClass *imrc;
+     IOMMUTLBEntry iotlb;
+     int iommu_idx;
++    hwaddr addr = orig_addr;
+     AddressSpaceDispatch *d =
+         qatomic_rcu_read(&cpu->cpu_ases[asidx].memory_dispatch);
+ 
+@@ -721,6 +722,16 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
+     return section;
+ 
+ translate_fail:
++    /*
++     * We should be given a page-aligned address -- certainly
++     * tlb_set_page_with_attrs() does so.  The page offset of xlat
++     * is used to index sections[], and PHYS_SECTION_UNASSIGNED = 0.
++     * The page portion of xlat will be logged by memory_region_access_valid()
++     * when this memory access is rejected, so use the original untranslated
++     * physical address.
++     */
++    assert((orig_addr & ~TARGET_PAGE_MASK) == 0);
++    *xlat = orig_addr;
+     return &d->map.sections[PHYS_SECTION_UNASSIGNED];
+ }
+ 
+-- 
+2.33.0
+