527 Commits

Author SHA1 Message Date
Chen Qun
b405a3c6ee spec: Update release version with !152 !157
increase release version by one

Signed-off-by: Chen Qun <kuhn.chenqun@huawei.com>
2021-07-19 21:29:25 +08:00
Chen Qun
665079b389 spec: Update patch and changelog with !157 [feature]add support for AVX512_BF16 and new CPU model Cooperlake !157
x86: Intel AVX512_BF16 feature enabling
i386: Add MSR feature bit for MDS-NO
i386: Add macro for stibp
i386: Add new CPU model Cooperlake
target/i386: Add new bit definitions of MSR_IA32_ARCH_CAPABILITIES
target/i386: Add missed security features to Cooperlake CPU model
target/i386: add PSCHANGE_NO bit for the ARCH_CAPABILITIES MSR
target/i386: Export TAA_NO bit to guests

Signed-off-by: Chen Qun <kuhn.chenqun@huawei.com>
2021-07-19 21:29:25 +08:00
Chen Qun
3b6358a8ac target/i386: Export TAA_NO bit to guests
TSX Async Abort (TAA) is a side channel attack on internal buffers in
some Intel processors similar to Microarchitectural Data Sampling (MDS).

Some future Intel processors will use the ARCH_CAP_TAA_NO bit in the
IA32_ARCH_CAPABILITIES MSR to report that they are not vulnerable to
TAA. Make this bit available to guests.

Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Signed-off-by: Jingyi Wang <wangjingyi11@huawei.com>
2021-07-19 21:29:25 +08:00
Chen Qun
6713c545f7 target/i386: add PSCHANGE_NO bit for the ARCH_CAPABILITIES MSR
This is required to disable ITLB multihit mitigations in nested
hypervisors.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Signed-off-by: Jingyi Wang <wangjingyi11@huawei.com>
2021-07-19 21:29:25 +08:00
Chen Qun
011ace1710 target/i386: Add missed security features to Cooperlake CPU model
It lacks two security feature bits in MSR_IA32_ARCH_CAPABILITIES in
current Cooperlake CPU model, so add them.

This is part of upstream commit 2dea9d9

Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jingyi Wang <wangjingyi11@huawei.com>
2021-07-19 21:29:25 +08:00
Chen Qun
c9a7e0fa18 target/i386: Add new bit definitions of MSR_IA32_ARCH_CAPABILITIES
Bits 6, 7 and 8 of MSR_IA32_ARCH_CAPABILITIES were recently disclosed
for some security issues. Add the definitions for them to be used by named
CPU models.

Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
Message-Id: <20191225063018.20038-2-xiaoyao.li@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Signed-off-by: Jingyi Wang <wangjingyi11@huawei.com>
2021-07-19 21:29:25 +08:00
Chen Qun
4251256e51 i386: Add new CPU model Cooperlake
Cooper Lake is Intel's successor to Cascade Lake. The new
CPU model inherits features from Cascadelake-Server, while
adding one platform-associated new feature: AVX512_BF16. Meanwhile,
add STIBP for speculative execution.

Signed-off-by: Cathy Zhang <cathy.zhang@intel.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Reviewed-by: Tao Xu <tao3.xu@intel.com>
Message-Id: <1571729728-23284-4-git-send-email-cathy.zhang@intel.com>
Reviewed-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>

Signed-off-by: Jingyi Wang <wangjingyi11@huawei.com>
2021-07-19 21:29:25 +08:00
Chen Qun
b0fb8b4b34 i386: Add macro for stibp
stibp feature is already added through the following commit: 0e89165829

Add a macro for it to allow CPU models to report it when the host supports it.

Signed-off-by: Cathy Zhang <cathy.zhang@intel.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Reviewed-by: Tao Xu <tao3.xu@intel.com>
Message-Id: <1571729728-23284-3-git-send-email-cathy.zhang@intel.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>

Signed-off-by: Jingyi Wang <wangjingyi11@huawei.com>
2021-07-19 21:29:25 +08:00
Chen Qun
ea12d023b2 i386: Add MSR feature bit for MDS-NO
Define MSR_ARCH_CAP_MDS_NO in the IA32_ARCH_CAPABILITIES MSR to allow
CPU models to report the feature when host supports it.

Signed-off-by: Cathy Zhang <cathy.zhang@intel.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Reviewed-by: Tao Xu <tao3.xu@intel.com>
Message-Id: <1571729728-23284-2-git-send-email-cathy.zhang@intel.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>

Signed-off-by: Jingyi Wang <wangjingyi11@huawei.com>
2021-07-19 21:29:25 +08:00
Chen Qun
f08117fe03 x86: Intel AVX512_BF16 feature enabling
Intel CooperLake CPU adds the AVX512_BF16 instruction, defined as
CPUID.(EAX=7,ECX=1):EAX[bit 05].

The patch adds a property for setting the subleaf of CPUID leaf 7 in
case that people would like to specify it.

The release spec link is as follows:
https://software.intel.com/sites/default/files/managed/c5/15/\
architecture-instruction-set-extensions-programming-reference.pdf

Signed-off-by: Jing Liu <jing2.liu@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Signed-off-by: Jingyi Wang <wangjingyi11@huawei.com>
2021-07-19 21:29:25 +08:00
Chen Qun
1b38d7c3de spec: Update patch and changelog with !152 hw/net/rocker_of_dpa: fix double free bug of rocker device !152
hw/net/rocker_of_dpa: fix double free bug of rocker device

Signed-off-by: Chen Qun <kuhn.chenqun@huawei.com>
2021-07-19 21:29:23 +08:00
Chen Qun
5ed7c99e69 hw/net/rocker_of_dpa: fix double free bug of rocker device
The of_dpa_cmd_add_l2_flood function of the rocker device
releases the memory of group->l2_flood.group_ids before
applying for new memory. If the l2_group configured by
the guest does not match the input group->l2_flood.group_ids,
the err_out branch is redirected to release the memory of the
group->l2_flood.group_ids branch. The pointer is not set to
NULL after the memory is freed. When the guest accesses the
of_dpa_cmd_add_l2_flood function again, the memory of
group->l2_flood.group_ids is released again. As a result,
the memory is double freed.

Fix that by setting group->l2_flood.group_ids to NULL after free.

Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
Signed-off-by: Qiang Ning <ningqiang1@huawei.com>
2021-07-19 21:29:23 +08:00
openeuler-ci-bot
5b2e5ce6e1 !319 Add gcc build dependency
From: @imxcc
Reviewed-by: @kevinzhu1
Signed-off-by: @kevinzhu1
2021-06-28 09:15:59 +00:00
imxcc
9347466659 spec: add gcc buildrequire
Signed-off-by: imxcc <xingchaochao@huawei.com>
2021-06-28 16:38:42 +08:00
openeuler-ci-bot
3569d17e6f !315 Automatically generate code patches with openeuler !146
From: @kuhnchen18
Reviewed-by: @imxcc,@imxcc
Signed-off-by: @imxcc,@imxcc
2021-06-21 15:09:54 +00:00
Chen Qun
230bdff72e spec: Update release version with !146
increase release version by one

Signed-off-by: Chen Qun <kuhn.chenqun@huawei.com>
2021-06-21 16:27:59 +08:00
Chen Qun
f64c0eea3d spec: Update patch and changelog with !146 fix CVE-2021-3527 #I3U9T9 && CVE-2019-12067#I3VG5H && CVE-2021-20221 #I3UFOP !146
ide: ahci: add check to avoid null dereference (CVE-2019-12067)
hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
usb: limit combined packets to 1 MiB (CVE-2021-3527)

Signed-off-by: Chen Qun <kuhn.chenqun@huawei.com>
2021-06-21 16:27:26 +08:00
Chen Qun
71a60cb18b usb: limit combined packets to 1 MiB (CVE-2021-3527)
Fix CVE-2021-3527

usb-host and usb-redirect try to batch bulk transfers by combining many
small usb packets into a single, large transfer request, to reduce the
overhead and improve performance.

This patch adds a size limit of 1 MiB for those combined packets to
restrict the host resources the guest can bind that way.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-Id: <20210503132915.2335822-6-kraxel@redhat.com>

Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
2021-06-21 16:27:25 +08:00
Chen Qun
b893093b7c hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
Fix CVE-2021-20221

Per the ARM Generic Interrupt Controller Architecture specification
(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
not 10:

  - 4.3 Distributor register descriptions
  - 4.3.15 Software Generated Interrupt Register, GICD_SG

    - Table 4-21 GICD_SGIR bit assignments

    The Interrupt ID of the SGI to forward to the specified CPU
    interfaces. The value of this field is the Interrupt ID, in
    the range 0-15, for example a value of 0b0011 specifies
    Interrupt ID 3.

Correct the irq mask to fix an undefined behavior (which eventually
lead to a heap-buffer-overflow, see [Buglink]):

  $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
  [I 1612088147.116987] OPENED
  [R +0.278293] writel 0x8000f00 0xff4affb0
  ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13

This fixes a security issue when running with KVM on Arm with
kernel-irqchip=off. (The default is kernel-irqchip=on, which is
unaffected, and which is also the correct choice for performance.)

Cc: qemu-stable@nongnu.org
Fixes: CVE-2021-20221
Fixes: 9ee6e8bb ("ARMv7 support.")
Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
Buglink: https://bugs.launchpad.net/qemu/+bug/1913917

Reported-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20210131103401.217160-1-f4bug@amsat.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
2021-06-21 16:27:25 +08:00
Chen Qun
a1066296f2 ide: ahci: add check to avoid null dereference (CVE-2019-12067)
Fix CVE-2019-12067

AHCI emulator while committing DMA buffer in ahci_commit_buf()
may do a NULL dereference if the command header 'ad->cur_cmd'
is null. Add check to avoid it.

Reported-by: Bugs SysSec <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>

Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
2021-06-21 16:27:25 +08:00
openeuler-ci-bot
15f03c48a1 !306 Automatically generate code patches with openeuler !141
From: @kuhnchen18
Reviewed-by: @imxcc
Signed-off-by: @imxcc
2021-06-15 11:51:49 +00:00
Chen Qun
ef989d6fc8 spec: Update release version with !141
increase release version by one

Signed-off-by: Chen Qun <kuhn.chenqun@huawei.com>
2021-06-15 16:27:16 +08:00
Chen Qun
f1d6caff39 spec: Update patch and changelog with !141 fix CVE-2021-3544 #I3VG5I && fix CVE-2021-3545 #I3V9I8 && fix CVE-2021-3546 #I3V9I7 !141
vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544)
vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544)
vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544)
vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' (CVE-2021-3544)
vhost-user-gpu: fix memory leak in 'virgl_resource_attach_backing' (CVE-2021-3544)
vhost-user-gpu: fix memory disclosure in virgl_cmd_get_capset_info (CVE-2021-3545)
vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset' (CVE-2021-3546)

Signed-off-by: Chen Qun <kuhn.chenqun@huawei.com>
2021-06-15 16:27:11 +08:00
Chen Qun
73ab1791c9 vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset' (CVE-2021-3546)
Fix CVE-2021-3544

If 'virgl_cmd_get_capset' sets 'max_size' to 0,
'virgl_renderer_fill_caps' will write the data after the 'resp'.
This patch avoids this by checking the returned 'max_size'.

virtio-gpu fix: abd7f08b ("display: virtio-gpu-3d: check virgl capabilities max_size")

Fixes: CVE-2021-3546
Reported-by: Li Qiang <liq3ea@163.com>
Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Li Qiang <liq3ea@163.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20210516030403.107723-8-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
2021-06-15 16:27:11 +08:00
Chen Qun
d37a5b33e7 vhost-user-gpu: fix memory disclosure in virgl_cmd_get_capset_info (CVE-2021-3545)
Fix CVE-2021-3544

Otherwise some of the 'resp' will be leaked to the guest.

Fixes: CVE-2021-3545
Reported-by: Li Qiang <liq3ea@163.com>
virtio-gpu fix: 42a8dadc ("virtio-gpu: fix information leak in getting capset info dispatch")
Signed-off-by: Li Qiang <liq3ea@163.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20210516030403.107723-2-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
2021-06-15 16:27:11 +08:00
Chen Qun
9d962afa84 vhost-user-gpu: fix memory leak in 'virgl_resource_attach_backing' (CVE-2021-3544)
Fix CVE-2021-3544

If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will
be leaked.

Fixes: CVE-2021-3544
Reported-by: Li Qiang <liq3ea@163.com>
virtio-gpu fix: 33243031 ("virtio-gpu-3d: fix memory leak in resource attach backing")
Signed-off-by: Li Qiang <liq3ea@163.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20210516030403.107723-7-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
2021-06-15 16:27:11 +08:00
Chen Qun
3196f4fa58 vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' (CVE-2021-3544)
Fix CVE-2021-3544

The 'res->iov' will be leaked if the guest triggers the following sequence:

	virgl_cmd_create_resource_2d
	virgl_resource_attach_backing
	virgl_cmd_resource_unref

This patch fixes this.

Fixes: CVE-2021-3544
Reported-by: Li Qiang <liq3ea@163.com>
virtio-gpu fix: 5e8e3c4c ("virtio-gpu: fix resource leak in virgl_cmd_resource_unref")
Signed-off-by: Li Qiang <liq3ea@163.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20210516030403.107723-6-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
2021-06-15 16:27:11 +08:00
Chen Qun
4b5426aecf vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544)
Fix CVE-2021-3544

If the guest triggers the following sequence, the attach_backing will be leaked:

	vg_resource_create_2d
	vg_resource_attach_backing
	vg_resource_unref

This patch fixes this by freeing 'res->iov' in vg_resource_destroy.

Fixes: CVE-2021-3544
Reported-by: Li Qiang <liq3ea@163.com>
virtio-gpu fix: 5e8e3c4c ("virtio-gpu: fix resource leak in virgl_cmd_resource_unref")
Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Li Qiang <liq3ea@163.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20210516030403.107723-5-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
2021-06-15 16:27:11 +08:00
Chen Qun
3f234147fb vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544)
Fix CVE-2021-3544

Check whether the 'res' has already been attach_backing to avoid a
memory leak.

Fixes: CVE-2021-3544
Reported-by: Li Qiang <liq3ea@163.com>
virtio-gpu fix: 204f01b3 ("virtio-gpu: fix memory leak in resource attach backing")
Signed-off-by: Li Qiang <liq3ea@163.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20210516030403.107723-4-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
2021-06-15 16:27:11 +08:00
Chen Qun
f3b9f9c00c vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544)
Fix CVE-2021-3544

Call 'vugbm_buffer_destroy' in error path to avoid resource leak.

Fixes: CVE-2021-3544
Reported-by: Li Qiang <liq3ea@163.com>
Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Li Qiang <liq3ea@163.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20210516030403.107723-3-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
2021-06-15 16:27:11 +08:00
openeuler-ci-bot
23414fd767 !292 Automatically generate code patches with openeuler !118
From: @kuhnchen18
Reviewed-by: @imxcc,@imxcc
Signed-off-by: @imxcc,@imxcc
2021-06-01 09:19:49 +08:00
Chen Qun
36455e017b spec: Update release version with !118
increase release version by one

Signed-off-by: Chen Qun <kuhn.chenqun@huawei.com>
2021-05-28 16:27:23 +08:00
Chen Qun
6d6cd0fe82 spec: Update patch and changelog with !118 blockjob: Fix crash with IOthread when block commit after snapshot !118
blockjob: Fix crash with IOthread when block commit after snapshot

Signed-off-by: Chen Qun <kuhn.chenqun@huawei.com>
2021-05-28 16:27:22 +08:00
Chen Qun
951fe1073f blockjob: Fix crash with IOthread when block commit after snapshot
Currently, if the guest has workloads, the IO thread will acquire the aio_context
lock before doing io_submit, which leads to a segmentation fault when doing a block commit
after a snapshot. Just like below:

Program received signal SIGSEGV, Segmentation fault.

[Switching to Thread 0x7f7c7d91f700 (LWP 99907)]
0x00005576d0f65aab in bdrv_mirror_top_pwritev at ../block/mirror.c:1437
1437    ../block/mirror.c: No such file or directory.
(gdb) p s->job
$17 = (MirrorBlockJob *) 0x0
(gdb) p s->stop
$18 = false

Call trace of IO thread:
0  0x00005576d0f65aab in bdrv_mirror_top_pwritev at ../block/mirror.c:1437
1  0x00005576d0f7f3ab in bdrv_driver_pwritev at ../block/io.c:1174
2  0x00005576d0f8139d in bdrv_aligned_pwritev at ../block/io.c:1988
3  0x00005576d0f81b65 in bdrv_co_pwritev_part at ../block/io.c:2156
4  0x00005576d0f8e6b7 in blk_do_pwritev_part at ../block/block-backend.c:1260
5  0x00005576d0f8e84d in blk_aio_write_entry at ../block/block-backend.c:1476
...

Switch to qemu main thread:
0  0x00007f903be704ed in __lll_lock_wait at
/lib/../lib64/libpthread.so.0
1  0x00007f903be6bde6 in _L_lock_941 at /lib/../lib64/libpthread.so.0
2  0x00007f903be6bcdf in pthread_mutex_lock at
/lib/../lib64/libpthread.so.0
3  0x0000564b21456889 in qemu_mutex_lock_impl at
../util/qemu-thread-posix.c:79
4  0x0000564b213af8a5 in block_job_add_bdrv at ../blockjob.c:224
5  0x0000564b213b00ad in block_job_create at ../blockjob.c:440
6  0x0000564b21357c0a in mirror_start_job at ../block/mirror.c:1622
7  0x0000564b2135a9af in commit_active_start at ../block/mirror.c:1867
8  0x0000564b2133d132 in qmp_block_commit at ../blockdev.c:2768
9  0x0000564b2141fef3 in qmp_marshal_block_commit at
qapi/qapi-commands-block-core.c:346
10 0x0000564b214503c9 in do_qmp_dispatch_bh at
../qapi/qmp-dispatch.c:110
11 0x0000564b21451996 in aio_bh_poll at ../util/async.c:164
12 0x0000564b2146018e in aio_dispatch at ../util/aio-posix.c:381
13 0x0000564b2145187e in aio_ctx_dispatch at ../util/async.c:306
14 0x00007f9040239049 in g_main_context_dispatch at
/lib/../lib64/libglib-2.0.so.0
15 0x0000564b21447368 in main_loop_wait at ../util/main-loop.c:232
16 0x0000564b21447368 in main_loop_wait at ../util/main-loop.c:255
17 0x0000564b21447368 in main_loop_wait at ../util/main-loop.c:531
18 0x0000564b212304e1 in qemu_main_loop at ../softmmu/runstate.c:721
19 0x0000564b20f7975e in main at ../softmmu/main.c:50

In the IO thread, when doing bdrv_mirror_top_pwritev, the job is NULL and the stop field
is false. This means the MirrorBDSOpaque "s" object has not been initialized
yet; this object is initialized by block_job_create(), but the initialization
process is stuck in acquiring the lock.

In this situation, the IO thread comes to bdrv_mirror_top_pwritev(), which means that
the mirror-top node is already inserted into the block graph, but its bs->opaque->job
is not initialized.

The root cause is that the qemu main thread does release/acquire while holding the lock;
at the same time, the IO thread gets the lock after the release stage, and the crash
occurs.

Actually, in this situation, job->job.aio_context will not be equal to
qemu_get_aio_context(), and will be the same as bs->aio_context;
thus, there is no need to release the lock, because bdrv_root_attach_child()
will not change the context.

This patch fixes this issue.

Fixes: 132ada80 "block: Adjust AioContexts when attaching nodes"

Signed-off-by: Michael Qiu <qiudayu@huayun.com>
Message-Id: <20210203024059.52683-1-08005325@163.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2021-05-28 16:27:22 +08:00
openeuler-ci-bot
e65ee6ced4 !288 arm/cpu: Fixed function undefined error at compile time under arm
From: @zhouli57
Reviewed-by: @imxcc
Signed-off-by: @imxcc
2021-05-20 11:36:13 +08:00
zhouli57
69f71b8b94 arm/cpu: Fixed function undefined error at compile time under arm
2021-05-20 11:10:10 +08:00
openeuler-ci-bot
1369fa9a7f !285 Add strip for block-rbd, block-iscsi and block-ssh
From: @yangming73
Reviewed-by: @imxcc
Signed-off-by: @imxcc
2021-05-20 10:53:13 +08:00
Ming Yang
454f2844f7 Merge branch 'master' of gitee.com:src-openeuler/qemu into master
2021-05-20 10:08:04 +08:00
openeuler-ci-bot
68306567c3 !287 util/cacheinfo: fix crash when compiling with uClibc
From: @zhouli57
Reviewed-by: @imxcc
Signed-off-by: @imxcc
2021-05-20 09:08:00 +08:00
zhouli57
eefa614339 util/cacheinfo: fix crash when compiling with uClibc
2021-05-19 17:21:24 +08:00
Ming Yang
de95cacd5f add strip for block-iscsi.so, block-rbd.so and block-ssh.so.
Signed-off-by: Ming Yang <yangming73@huawei.com>
2021-05-19 09:11:35 +00:00
openeuler-ci-bot
289abf1b2b !242 Automatically generate code patches with openeuler !88
From: @kuhnchen18
Reviewed-by: @zhanghailiang_lucky,@zhanghailiang_lucky
Signed-off-by: @zhanghailiang_lucky,@zhanghailiang_lucky
2021-04-25 15:12:15 +08:00
Chen Qun
6f1aa31d5f spec: Update release version with !88
increase release version by one

Signed-off-by: Chen Qun <kuhn.chenqun@huawei.com>
2021-03-26 11:14:37 +08:00
Chen Qun
2562f7d6dc spec: Update patch and changelog with !88 fix CVE-2020-15469 #I1NJI5 !88
hw/pci-host: add pci-intack write method
pci-host: add pcie-msi read method
vfio: add quirk device write method
prep: add ppc-parity write method
nvram: add nrf51_soc flash read method
spapr_pci: add spapr msi read method
tz-ppc: add dummy read/write methods
imx7-ccm: add digprog mmio write method

Signed-off-by: Chen Qun <kuhn.chenqun@huawei.com>
2021-03-26 11:14:36 +08:00
Chen Qun
4820dec00a imx7-ccm: add digprog mmio write method
fix CVE-2020-15469

Add digprog mmio write method to avoid assert failure during
initialisation.

Reviewed-by: Li Qiang <liq3ea@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>

Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
2021-03-26 11:14:36 +08:00
Chen Qun
c38364c2b7 tz-ppc: add dummy read/write methods
fix CVE-2020-15469

Add tz-ppc-dummy mmio read/write methods to avoid assert failure
during initialisation.

Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>

Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
2021-03-26 11:14:36 +08:00
Chen Qun
15d7b2a4ea spapr_pci: add spapr msi read method
fix CVE-2020-15469

Add spapr msi mmio read method to avoid NULL pointer dereference
issue.

Reported-by: Lei Sun <slei.casper@gmail.com>
Acked-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>

Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
2021-03-26 11:14:36 +08:00
Chen Qun
47423175b7 nvram: add nrf51_soc flash read method
fix CVE-2020-15469

Add nrf51_soc mmio read method to avoid NULL pointer dereference
issue.

Reported-by: Lei Sun <slei.casper@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>

Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
2021-03-26 11:14:36 +08:00
Chen Qun
1b0c5d2eeb prep: add ppc-parity write method
fix CVE-2020-15469

Add ppc-parity mmio write method to avoid NULL pointer dereference
issue.

Reported-by: Lei Sun <slei.casper@gmail.com>
Acked-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>

Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
2021-03-26 11:14:35 +08:00
Chen Qun
5b10ef9531 vfio: add quirk device write method
2021-03-26 11:14:35 +08:00