new file mode 100644
@@ -0,0 +1,709 @@
+From 78eac7bcb279e1d1ebd82e7323dab25d9ac727db Mon Sep 17 00:00:00 2001
+From: Anton Antonov <Anton.Antonov@arm.com>
+Date: Sat, 24 Sep 2022 11:06:38 +0100
+Subject: [PATCH] Revert "qemu: Upgrade 7.0.0 -> 7.1.0"
+
+This reverts commit 9040d46f59643270695afdb093e8b403b89b898a.
+
+OPTEE kernel driver hangs during initialisation under qemu 7.1.0
+if CONFIG_ARM_FFA_TRANSPORT=y which is required for Trusted Services.
+
+This is a temporary workaround for CI pipelines until a proper fix is implemented.
+https://github.com/OP-TEE/optee_os/issues/5551
+
+Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
+---
+ meta/conf/distro/include/tcmode-default.inc | 2 +-
+ ...u-native_7.1.0.bb => qemu-native_7.0.0.bb} | 0
+ ...e_7.1.0.bb => qemu-system-native_7.0.0.bb} | 3 +-
+ meta/recipes-devtools/qemu/qemu.inc | 19 +--
+ ...t-against-buggy-or-malicious-guest-d.patch | 47 ++++++
+ .../qemu/qemu/CVE-2021-3507_1.patch | 92 +++++++++++
+ .../qemu/qemu/CVE-2021-3507_2.patch | 115 ++++++++++++++
+ .../qemu/qemu/CVE-2022-0216_1.patch | 42 +++++
+ .../qemu/qemu/CVE-2022-0216_2.patch | 146 ++++++++++++++++++
+ .../qemu/qemu/CVE-2022-35414.patch | 53 +++++++
+ meta/recipes-devtools/qemu/qemu/cross.patch | 17 +-
+ .../qemu/{qemu_7.1.0.bb => qemu_7.0.0.bb} | 0
+ 12 files changed, 517 insertions(+), 19 deletions(-)
+ rename meta/recipes-devtools/qemu/{qemu-native_7.1.0.bb => qemu-native_7.0.0.bb} (100%)
+ rename meta/recipes-devtools/qemu/{qemu-system-native_7.1.0.bb => qemu-system-native_7.0.0.bb} (90%)
+ create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch
+ create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch
+ create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch
+ create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch
+ create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch
+ rename meta/recipes-devtools/qemu/{qemu_7.1.0.bb => qemu_7.0.0.bb} (100%)
+
+diff --git a/meta/conf/distro/include/tcmode-default.inc b/meta/conf/distro/include/tcmode-default.inc
+index 59b226e62f..9abd121e3a 100644
+--- a/meta/conf/distro/include/tcmode-default.inc
++++ b/meta/conf/distro/include/tcmode-default.inc
+@@ -22,7 +22,7 @@ BINUVERSION ?= "2.39%"
+ GDBVERSION ?= "12.%"
+ GLIBCVERSION ?= "2.36"
+ LINUXLIBCVERSION ?= "5.19%"
+-QEMUVERSION ?= "7.1%"
++QEMUVERSION ?= "7.0%"
+ GOVERSION ?= "1.19%"
+ # This can not use wildcards like 8.0.% since it is also used in mesa to denote
+ # llvm version being used, so always bump it with llvm recipe version bump
+diff --git a/meta/recipes-devtools/qemu/qemu-native_7.1.0.bb b/meta/recipes-devtools/qemu/qemu-native_7.0.0.bb
+similarity index 100%
+rename from meta/recipes-devtools/qemu/qemu-native_7.1.0.bb
+rename to meta/recipes-devtools/qemu/qemu-native_7.0.0.bb
+diff --git a/meta/recipes-devtools/qemu/qemu-system-native_7.1.0.bb b/meta/recipes-devtools/qemu/qemu-system-native_7.0.0.bb
+similarity index 90%
+rename from meta/recipes-devtools/qemu/qemu-system-native_7.1.0.bb
+rename to meta/recipes-devtools/qemu/qemu-system-native_7.0.0.bb
+index 04c7c2a6ac..5ccede5095 100644
+--- a/meta/recipes-devtools/qemu/qemu-system-native_7.1.0.bb
++++ b/meta/recipes-devtools/qemu/qemu-system-native_7.0.0.bb
+@@ -28,6 +28,5 @@ do_install:append() {
+ rm -rf ${D}${includedir}/qemu-plugin.h
+
+ # Install qmp.py to be used with testimage
+- install -d ${D}${libdir}/qemu-python/qmp/
+- install -D ${S}/python/qemu/qmp/* ${D}${libdir}/qemu-python/qmp/
++ install -D ${S}/python/qemu/qmp/__init__.py ${D}${libdir}/qemu-python/qmp.py
+ }
+diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
+index 659e70c0f4..cfcd96a207 100644
+--- a/meta/recipes-devtools/qemu/qemu.inc
++++ b/meta/recipes-devtools/qemu/qemu.inc
+@@ -27,11 +27,17 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
+ file://0008-tests-meson.build-use-relative-path-to-refer-to-file.patch \
+ file://0009-Define-MAP_SYNC-and-MAP_SHARED_VALIDATE-on-needed-li.patch \
+ file://0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch \
++ file://qemu-7.0.0-glibc-2.36.patch \
++ file://CVE-2022-35414.patch \
++ file://CVE-2021-3507_1.patch \
++ file://CVE-2021-3507_2.patch \
++ file://CVE-2022-0216_1.patch \
++ file://CVE-2022-0216_2.patch \
+ file://0001-net-tulip-Restrict-DMA-engine-to-memories.patch \
+ "
+ UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
+
+-SRC_URI[sha256sum] = "a0634e536bded57cf38ec8a751adb124b89c776fe0846f21ab6c6728f1cbbbe6"
++SRC_URI[sha256sum] = "f6b375c7951f728402798b0baabb2d86478ca53d44cedbefabbe1c46bf46f839"
+
+ SRC_URI:append:class-target = " file://cross.patch"
+ SRC_URI:append:class-nativesdk = " file://cross.patch"
+@@ -70,14 +76,8 @@ do_install_ptest() {
+ # Strip the paths from the QEMU variable, we can use PATH
+ sed -i -e "s#^QEMU=.*/qemu-#QEMU=qemu-#g" ${D}${PTEST_PATH}/tests/tcg/*.mak
+
+- # Strip compiler flags as they break reproducibility
+- sed -i -e "s,^CC=.*,CC=gcc," \
+- -e "s,^CCAS=.*,CCAS=gcc," \
+- -e "s,^LD=.*,LD=ld," ${D}${PTEST_PATH}/tests/tcg/*.mak
+-
+- # Update SRC_PATH variable to the right place on target
+- sed -i -e "s#^SRC_PATH=.*#SRC_PATH=${PTEST_PATH}#g" ${D}${PTEST_PATH}/tests/tcg/*.mak
+-
++ # Strip compiler flags as they break reproducibility
++ sed -i -e "s,CROSS_CC_GUEST=.*,CROSS_CC_GUEST=," ${D}${PTEST_PATH}/tests/tcg/*.mak
+ }
+
+ # QEMU_TARGETS is overridable variable
+@@ -152,6 +152,7 @@ PACKAGECONFIG[uring] = "--enable-linux-io-uring,--disable-linux-io-uring,liburin
+ PACKAGECONFIG[xen] = "--enable-xen,--disable-xen,xen-tools,xen-tools-libxenstore xen-tools-libxenctrl xen-tools-libxenguest"
+ PACKAGECONFIG[vnc-sasl] = "--enable-vnc --enable-vnc-sasl,--disable-vnc-sasl,cyrus-sasl,"
+ PACKAGECONFIG[vnc-jpeg] = "--enable-vnc --enable-vnc-jpeg,--disable-vnc-jpeg,jpeg,"
++PACKAGECONFIG[vnc-png] = "--enable-vnc --enable-vnc-png,--disable-vnc-png,libpng,"
+ PACKAGECONFIG[libcurl] = "--enable-curl,--disable-curl,curl,"
+ PACKAGECONFIG[nss] = "--enable-smartcard,--disable-smartcard,nss,"
+ PACKAGECONFIG[curses] = "--enable-curses,--disable-curses,ncurses,"
+diff --git a/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch b/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch
+index 810c74fabd..8ca9cae402 100644
+--- a/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch
++++ b/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch
+@@ -1,3 +1,4 @@
++<<<<<<< HEAD
+ CVE: CVE-2022-1050
+ Upstream-Status: Submitted [https://lore.kernel.org/qemu-devel/20220403095234.2210-1-yuval.shaia.ml@gmail.com/]
+ Signed-off-by: Ross Burton <ross.burton@arm.com>
+@@ -23,6 +24,33 @@ Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+
+ diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
+ index da7ddfa548..89db963c46 100644
++=======
++From 52c38fa9f3a790a7c2805e7d8cce3ea9262d6ae2 Mon Sep 17 00:00:00 2001
++From: Yuval Shaia <yuval.shaia.ml@gmail.com>
++Date: Tue, 12 Apr 2022 11:01:51 +0100
++Subject: [PATCH 10/12] hw/pvrdma: Protect against buggy or malicious guest
++ driver
++
++Guest driver might execute HW commands when shared buffers are not yet
++allocated.
++This might happen on purpose (malicious guest) or because some other
++guest/host address mapping.
++We need to protect againts such case.
++
++Reported-by: Mauro Matteo Cascella <mcascell@redhat.com>
++Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
++
++CVE: CVE-2022-1050
++Upstream-Status: Submitted [https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05197.html]
++
++---
++ hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
++ hw/rdma/vmw/pvrdma_main.c | 3 ++-
++ 2 files changed, 8 insertions(+), 1 deletion(-)
++
++diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
++index da7ddfa54..89db963c4 100644
++>>>>>>> parent of 9040d46f59... qemu: Upgrade 7.0.0 -> 7.1.0
+ --- a/hw/rdma/vmw/pvrdma_cmd.c
+ +++ b/hw/rdma/vmw/pvrdma_cmd.c
+ @@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
+@@ -38,6 +66,25 @@ index da7ddfa548..89db963c46 100644
+ if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
+ sizeof(struct cmd_handler)) {
+ rdma_error_report("Unsupported command");
++<<<<<<< HEAD
+ --
+ 2.34.1
++=======
++diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
++index 91206dbb8..0b7d908e2 100644
++--- a/hw/rdma/vmw/pvrdma_main.c
+++++ b/hw/rdma/vmw/pvrdma_main.c
++@@ -249,7 +249,8 @@ static void init_dsr_dev_caps(PVRDMADev *dev)
++ {
++ struct pvrdma_device_shared_region *dsr;
++
++- if (dev->dsr_info.dsr == NULL) {
++ rdma_error_report("Can't initialized DSR");
++ return;
++ }
++--
++2.30.2
++>>>>>>> parent of 9040d46f59... qemu: Upgrade 7.0.0 -> 7.1.0
+
+diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch
+new file mode 100644
+index 0000000000..24fd2c5ed3
+--- /dev/null
++++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch
+@@ -0,0 +1,92 @@
++From 57a89cc36ead7234e540d0ecbe1a792ab6b04cb7 Mon Sep 17 00:00:00 2001
++From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
++Date: Thu, 18 Nov 2021 12:57:32 +0100
++Subject: [PATCH 1/2] hw/block/fdc: Prevent end-of-track overrun
++ (CVE-2021-3507)
++MIME-Version: 1.0
++Content-Type: text/plain; charset=UTF-8
++Content-Transfer-Encoding: 8bit
++
++Per the 82078 datasheet, if the end-of-track (EOT byte in
++the FIFO) is more than the number of sectors per side, the
++command is terminated unsuccessfully:
++
++* 5.2.5 DATA TRANSFER TERMINATION
++
++ The 82078 supports terminal count explicitly through
++ the TC pin and implicitly through the underrun/over-
++ run and end-of-track (EOT) functions. For full sector
++ transfers, the EOT parameter can define the last
++ sector to be transferred in a single or multisector
++ transfer. If the last sector to be transferred is a par-
++ tial sector, the host can stop transferring the data in
++ mid-sector, and the 82078 will continue to complete
++ the sector as if a hardware TC was received. The
++ only difference between these implicit functions and
++ TC is that they return "abnormal termination" result
++ status. Such status indications can be ignored if they
++ were expected.
++
++* 6.1.3 READ TRACK
++
++ This command terminates when the EOT specified
++ number of sectors have been read. If the 82078
++ does not find an I D Address Mark on the diskette
++ after the second· occurrence of a pulse on the
++ INDX# pin, then it sets the IC code in Status Regis-
++ ter 0 to "01" (Abnormal termination), sets the MA bit
++ in Status Register 1 to "1", and terminates the com-
++ mand.
++
++* 6.1.6 VERIFY
++
++ Refer to Table 6-6 and Table 6-7 for information
++ concerning the values of MT and EC versus SC and
++ EOT value.
++
++* Table 6·6. Result Phase Table
++
++* Table 6-7. Verify Command Result Phase Table
++
++Fix by aborting the transfer when EOT > # Sectors Per Side.
++
++Cc: qemu-stable@nongnu.org
++Cc: Hervé Poussineau <hpoussin@reactos.org>
++Fixes: baca51faff0 ("floppy driver: disk geometry auto detect")
++Reported-by: Alexander Bulekov <alxndr@bu.edu>
++Resolves: https://gitlab.com/qemu-project/qemu/-/issues/339
++Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
++Message-Id: <20211118115733.4038610-2-philmd@redhat.com>
++Reviewed-by: Hanna Reitz <hreitz@redhat.com>
++Signed-off-by: Kevin Wolf <kwolf@redhat.com>
++
++Upstream-Status: Backport [defac5e2fbddf8423a354ff0454283a2115e1367]
++CVE: CVE-2021-3507
++
++Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
++---
++ hw/block/fdc.c | 8 ++++++++
++ 1 file changed, 8 insertions(+)
++
++diff --git a/hw/block/fdc.c b/hw/block/fdc.c
++index 347875a0c..57bb35579 100644
++--- a/hw/block/fdc.c
+++++ b/hw/block/fdc.c
++@@ -1530,6 +1530,14 @@ static void fdctrl_start_transfer(FDCtrl *fdctrl, int direction)
++ int tmp;
++ fdctrl->data_len = 128 << (fdctrl->fifo[5] > 7 ? 7 : fdctrl->fifo[5]);
++ tmp = (fdctrl->fifo[6] - ks + 1);
++ if (fdctrl->fifo[0] & 0x80)
++ tmp += fdctrl->fifo[6];
++ fdctrl->data_len *= tmp;
++--
++2.33.0
++
+diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch
+new file mode 100644
+index 0000000000..acc93e897b
+--- /dev/null
++++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch
+@@ -0,0 +1,115 @@
++From 3e8601ec707dcbc3c768f7733d016dc70c947e4a Mon Sep 17 00:00:00 2001
++From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
++Date: Thu, 18 Nov 2021 12:57:33 +0100
++Subject: [PATCH 2/2] tests/qtest/fdc-test: Add a regression test for
++ CVE-2021-3507
++MIME-Version: 1.0
++Content-Type: text/plain; charset=UTF-8
++Content-Transfer-Encoding: 8bit
++
++Add the reproducer from https://gitlab.com/qemu-project/qemu/-/issues/339
++
++Without the previous commit, when running 'make check-qtest-i386'
++with QEMU configured with '--enable-sanitizers' we get:
++
++ ==4028352==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000062a00 at pc 0x5626d03c491a bp 0x7ffdb4199410 sp 0x7ffdb4198bc0
++ READ of size 786432 at 0x619000062a00 thread T0
++ #0 0x5626d03c4919 in __asan_memcpy (qemu-system-i386+0x1e65919)
++ #1 0x5626d1c023cc in flatview_write_continue softmmu/physmem.c:2787:13
++ #2 0x5626d1bf0c0f in flatview_write softmmu/physmem.c:2822:14
++ #3 0x5626d1bf0798 in address_space_write softmmu/physmem.c:2914:18
++ #4 0x5626d1bf0f37 in address_space_rw softmmu/physmem.c:2924:16
++ #5 0x5626d1bf14c8 in cpu_physical_memory_rw softmmu/physmem.c:2933:5
++ #6 0x5626d0bd5649 in cpu_physical_memory_write include/exec/cpu-common.h:82:5
++ #7 0x5626d0bd0a07 in i8257_dma_write_memory hw/dma/i8257.c:452:9
++ #8 0x5626d09f825d in fdctrl_transfer_handler hw/block/fdc.c:1616:13
++ #9 0x5626d0a048b4 in fdctrl_start_transfer hw/block/fdc.c:1539:13
++ #10 0x5626d09f4c3e in fdctrl_write_data hw/block/fdc.c:2266:13
++ #11 0x5626d09f22f7 in fdctrl_write hw/block/fdc.c:829:9
++ #12 0x5626d1c20bc5 in portio_write softmmu/ioport.c:207:17
++
++ 0x619000062a00 is located 0 bytes to the right of 512-byte region [0x619000062800,0x619000062a00)
++ allocated by thread T0 here:
++ #0 0x5626d03c66ec in posix_memalign (qemu-system-i386+0x1e676ec)
++ #1 0x5626d2b988d4 in qemu_try_memalign util/oslib-posix.c:210:11
++ #2 0x5626d2b98b0c in qemu_memalign util/oslib-posix.c:226:27
++ #3 0x5626d09fbaf0 in fdctrl_realize_common hw/block/fdc.c:2341:20
++ #4 0x5626d0a150ed in isabus_fdc_realize hw/block/fdc-isa.c:113:5
++ #5 0x5626d2367935 in device_set_realized hw/core/qdev.c:531:13
++
++ SUMMARY: AddressSanitizer: heap-buffer-overflow (qemu-system-i386+0x1e65919) in __asan_memcpy
++ Shadow bytes around the buggy address:
++ 0x0c32800044f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
++ 0x0c3280004500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
++ 0x0c3280004510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
++ 0x0c3280004520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
++ 0x0c3280004530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
++ =>0x0c3280004540:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
++ 0x0c3280004550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
++ 0x0c3280004560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
++ 0x0c3280004570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
++ 0x0c3280004580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
++ 0x0c3280004590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
++ Shadow byte legend (one shadow byte represents 8 application bytes):
++ Addressable: 00
++ Heap left redzone: fa
++ Freed heap region: fd
++ ==4028352==ABORTING
++
++[ kwolf: Added snapshot=on to prevent write file lock failure ]
++
++Reported-by: Alexander Bulekov <alxndr@bu.edu>
++Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
++Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
++Signed-off-by: Kevin Wolf <kwolf@redhat.com>
++
++Upstream-Status: Backport [46609b90d9e3a6304def11038a76b58ff43f77bc]
++CVE: CVE-2021-3507
++
++Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
++---
++ tests/qtest/fdc-test.c | 21 +++++++++++++++++++++
++ 1 file changed, 21 insertions(+)
++
++diff --git a/tests/qtest/fdc-test.c b/tests/qtest/fdc-test.c
++index b0d40012e..1d4f85212 100644
++--- a/tests/qtest/fdc-test.c
+++++ b/tests/qtest/fdc-test.c
++@@ -583,6 +583,26 @@ static void test_cve_2021_20196(void)
++ qtest_quit(s);
++ }
++
+++static void test_cve_2021_3507(void)
+++{
+++
+++}
+++
++ int main(int argc, char **argv)
++ {
++ int fd;
++@@ -614,6 +634,7 @@ int main(int argc, char **argv)
++ qtest_add_func("/fdc/read_no_dma_19", test_read_no_dma_19);
++ qtest_add_func("/fdc/fuzz-registers", fuzz_registers);
++ qtest_add_func("/fdc/fuzz/cve_2021_20196", test_cve_2021_20196);
++
++ ret = g_test_run();
++
++--
++2.33.0
++
+diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch
+new file mode 100644
+index 0000000000..56fc34ce5a
+--- /dev/null
++++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch
+@@ -0,0 +1,42 @@
++From f37ac8619a39498edd225c4a0b3039b28814833d Mon Sep 17 00:00:00 2001
++From: Mauro Matteo Cascella <mcascell@redhat.com>
++Date: Tue, 5 Jul 2022 22:05:43 +0200
++Subject: [PATCH 1/2] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout
++ (CVE-2022-0216)
++
++Set current_req->req to NULL to prevent reusing a free'd buffer in case of
++repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch.
++
++Fixes: CVE-2022-0216
++Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
++Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
++Reviewed-by: Thomas Huth <thuth@redhat.com>
++Message-Id: <20220705200543.2366809-1-mcascell@redhat.com>
++Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
++
++Upstream-Status: Backport [6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8]
++CVE: CVE-2022-0216
++
++Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
++---
++ hw/scsi/lsi53c895a.c | 3 ++-
++ 1 file changed, 2 insertions(+), 1 deletion(-)
++
++diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
++index c8773f73f..99ea42d49 100644
++--- a/hw/scsi/lsi53c895a.c
+++++ b/hw/scsi/lsi53c895a.c
++@@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s)
++ case 0x0d:
++ /* The ABORT TAG message clears the current I/O process only. */
++ trace_lsi_do_msgout_abort(current_tag);
++- if (current_req) {
++ scsi_req_cancel(current_req->req);
++ }
++ lsi_disconnect(s);
++ break;
++--
++2.33.0
++
+diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch
+new file mode 100644
+index 0000000000..f332154b6a
+--- /dev/null
++++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch
+@@ -0,0 +1,146 @@
++From 5451bf6db85ce3da1238e9154d051ebccec8f171 Mon Sep 17 00:00:00 2001
++From: Mauro Matteo Cascella <mcascell@redhat.com>
++Date: Mon, 11 Jul 2022 14:33:16 +0200
++Subject: [PATCH 2/2] scsi/lsi53c895a: really fix use-after-free in
++ lsi_do_msgout (CVE-2022-0216)
++
++Set current_req to NULL, not current_req->req, to prevent reusing a free'd
++buffer in case of repeated SCSI cancel requests. Also apply the fix to
++CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel
++the request.
++
++Thanks to Alexander Bulekov for providing a reproducer.
++
++Fixes: CVE-2022-0216
++Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
++Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
++Tested-by: Alexander Bulekov <alxndr@bu.edu>
++Message-Id: <20220711123316.421279-1-mcascell@redhat.com>
++Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
++
++Upstream-Status: Backport [4367a20cc442c56b05611b4224de9a61908f9eac]
++CVE: CVE-2022-0216
++
++Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
++---
++ hw/scsi/lsi53c895a.c | 3 +-
++ tests/qtest/fuzz-lsi53c895a-test.c | 76 ++++++++++++++++++++++++++++++
++ 2 files changed, 78 insertions(+), 1 deletion(-)
++
++diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
++index 99ea42d49..ad5f5e5f3 100644
++--- a/hw/scsi/lsi53c895a.c
+++++ b/hw/scsi/lsi53c895a.c
++@@ -1030,7 +1030,7 @@ static void lsi_do_msgout(LSIState *s)
++ trace_lsi_do_msgout_abort(current_tag);
++ if (current_req && current_req->req) {
++ scsi_req_cancel(current_req->req);
++- current_req->req = NULL;
++ }
++ lsi_disconnect(s);
++ break;
++@@ -1056,6 +1056,7 @@ static void lsi_do_msgout(LSIState *s)
++ /* clear the current I/O process */
++ if (s->current) {
++ scsi_req_cancel(s->current->req);
++ }
++
++ /* As the current implemented devices scsi_disk and scsi_generic
++diff --git a/tests/qtest/fuzz-lsi53c895a-test.c b/tests/qtest/fuzz-lsi53c895a-test.c
++index ba5d46897..c1af0ab1c 100644
++--- a/tests/qtest/fuzz-lsi53c895a-test.c
+++++ b/tests/qtest/fuzz-lsi53c895a-test.c
++@@ -8,6 +8,79 @@
++ #include "qemu/osdep.h"
++ #include "libqos/libqtest.h"
++
+++/*
+++static void test_lsi_do_msgout_cancel_req(void)
+++{
+++
+++
+++
+++
+++}
+++
++ /*
++ * This used to trigger the assert in lsi_do_dma()
++ * https://bugs.launchpad.net/qemu/+bug/697510
++@@ -48,5 +121,8 @@ int main(int argc, char **argv)
++ test_lsi_do_dma_empty_queue);
++ }
++
+++
++ return g_test_run();
++ }
++--
++2.33.0
++
+diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch
+new file mode 100644
+index 0000000000..fe79a749ae
+--- /dev/null
++++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch
+@@ -0,0 +1,53 @@
++From a10c33942dc8cb31b3762b9dd4adde4c490eed9c Mon Sep 17 00:00:00 2001
++From: Hitendra Prajapati <hprajapati@mvista.com>
++Date: Wed, 3 Aug 2022 10:11:11 +0530
++Subject: [PATCH] CVE-2022-35414
++
++Upstream-Status: Backport [https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c]
++CVE: CVE-2022-35414
++Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
++---
++ softmmu/physmem.c | 13 ++++++++++++-
++ 1 file changed, 12 insertions(+), 1 deletion(-)
++
++diff --git a/softmmu/physmem.c b/softmmu/physmem.c
++index 4e1b27a20..ad8a90dec 100644
++--- a/softmmu/physmem.c
+++++ b/softmmu/physmem.c
++@@ -669,7 +669,7 @@ void tcg_iommu_init_notifier_list(CPUState *cpu)
++
++ /* Called from RCU critical section */
++ MemoryRegionSection *
++-address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
+++address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr,
++ hwaddr *xlat, hwaddr *plen,
++ MemTxAttrs attrs, int *prot)
++ {
++@@ -678,6 +678,7 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
++ IOMMUMemoryRegionClass *imrc;
++ IOMMUTLBEntry iotlb;
++ int iommu_idx;
++ AddressSpaceDispatch *d =
++ qatomic_rcu_read(&cpu->cpu_ases[asidx].memory_dispatch);
++
++@@ -722,6 +723,16 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
++ return section;
++
++ translate_fail:
++ return &d->map.sections[PHYS_SECTION_UNASSIGNED];
++ }
++
++--
++2.25.1
++
+diff --git a/meta/recipes-devtools/qemu/qemu/cross.patch b/meta/recipes-devtools/qemu/qemu/cross.patch
+index ca2ad361ef..d1256a1229 100644
+--- a/meta/recipes-devtools/qemu/qemu/cross.patch
++++ b/meta/recipes-devtools/qemu/qemu/cross.patch
+@@ -14,19 +14,19 @@ Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+ configure | 4 ----
+ 1 file changed, 4 deletions(-)
+
+-Index: qemu-7.1.0/configure
+-===================================================================
+---- qemu-7.1.0.orig/configure
+-+++ qemu-7.1.0/configure
+-@@ -2710,7 +2710,6 @@ if test "$skip_meson" = no; then
++diff --git a/configure b/configure
++index 7c08c1835..0613279f9 100755
++--- a/configure
+++++ b/configure
++@@ -3118,7 +3118,6 @@ if test "$skip_meson" = no; then
++ fi
+ echo "strip = [$(meson_quote $strip)]" >> $cross
+- echo "widl = [$(meson_quote $widl)]" >> $cross
+ echo "windres = [$(meson_quote $windres)]" >> $cross
+ - if test "$cross_compile" = "yes"; then
+ cross_arg="--cross-file config-meson.cross"
+ echo "[host_machine]" >> $cross
+ echo "system = '$targetos'" >> $cross
+-@@ -2728,9 +2727,6 @@ if test "$skip_meson" = no; then
++@@ -3136,9 +3135,6 @@ if test "$skip_meson" = no; then
+ else
+ echo "endian = 'little'" >> $cross
+ fi
+@@ -36,3 +36,6 @@ Index: qemu-7.1.0/configure
+ mv $cross config-meson.cross
+
+ rm -rf meson-private meson-info meson-logs
++--
++2.30.2
++
+diff --git a/meta/recipes-devtools/qemu/qemu_7.1.0.bb b/meta/recipes-devtools/qemu/qemu_7.0.0.bb
+similarity index 100%
+rename from meta/recipes-devtools/qemu/qemu_7.1.0.bb
+rename to meta/recipes-devtools/qemu/qemu_7.0.0.bb
+--
+2.25.1
+
new file mode 100644
@@ -0,0 +1,40 @@
+From 7ec1129a1dd31197d1e0d0992f5c3386588cde11 Mon Sep 17 00:00:00 2001
+From: Anton Antonov <Anton.Antonov@arm.com>
+Date: Thu, 22 Sep 2022 10:45:27 +0100
+Subject: [PATCH] Revert "qemurunner: Update to match qmp changes"
+
+This reverts commit df89d59a19f3000d829ee6b18364260a4e5312e8.
+
+Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
+---
+ meta/lib/oeqa/utils/qemurunner.py | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/meta/lib/oeqa/utils/qemurunner.py b/meta/lib/oeqa/utils/qemurunner.py
+index 6a85f57e49..a70f3fd46a 100644
+--- a/meta/lib/oeqa/utils/qemurunner.py
++++ b/meta/lib/oeqa/utils/qemurunner.py
+@@ -191,8 +191,8 @@ class QemuRunner:
+ importlib.invalidate_caches()
+ try:
+ qmp = importlib.import_module("qmp")
+- except Exception as e:
+- self.logger.error("qemurunner: qmp.py missing, please ensure it's installed (%s)" % str(e))
++ except:
++ self.logger.error("qemurunner: qmp.py missing, please ensure it's installed")
+ return False
+ # Path relative to tmpdir used as cwd for qemu below to avoid unix socket path length issues
+ qmp_file = "." + next(tempfile._get_candidate_names())
+@@ -328,8 +328,7 @@ class QemuRunner:
+ try:
+ os.chdir(os.path.dirname(qmp_port))
+ try:
+- from qmp.legacy import QEMUMonitorProtocol
+- self.qmp = QEMUMonitorProtocol(os.path.basename(qmp_port))
++ self.qmp = qmp.QEMUMonitorProtocol(os.path.basename(qmp_port))
+ except OSError as msg:
+ self.logger.warning("Failed to initialize qemu monitor socket: %s File: %s" % (msg, msg.filename))
+ return False
+--
+2.25.1
+
@@ -9,6 +9,18 @@ header:
- ci/base.yml
- ci/meta-openembedded.yml
+# qemu image with optee and arm-ffa kernel drivers fails to boot under qemu 7.1.0
+# temporary use qemu 7.0.0 until a proper fix is implemented
+repos:
+ poky:
+ patches:
+ qemu:
+ repo: meta-arm
+ path: 0001-Revert-qemu-Upgrade-7.0.0-7.1.0.patch
+ qemurunner:
+ repo: meta-arm
+ path: 0001-Revert-qemurunner-Update-to-match-qmp-changes.patch
+
machine: qemuarm64-secureboot
local_conf_header:
Signed-off-by: Anton Antonov <Anton.Antonov@arm.com> --- 0001-Revert-qemu-Upgrade-7.0.0-7.1.0.patch | 709 ++++++++++++++++++ ...murunner-Update-to-match-qmp-changes.patch | 40 + ci/qemuarm64-secureboot-ts.yml | 12 + 3 files changed, 761 insertions(+) create mode 100644 0001-Revert-qemu-Upgrade-7.0.0-7.1.0.patch create mode 100644 0001-Revert-qemurunner-Update-to-match-qmp-changes.patch