| Message ID | 20221011150505.36259-1-vkumbhar@mvista.com |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [dunfell] qemu: fix CVE-2021-20196 | expand |
On Tue, Oct 11, 2022 at 5:05 AM vkumbhar <vkumbhar@mvista.com> wrote: > > Source: https://gitlab.com/qemu-project/qemu/-/commit/1ab95af033a419e7a64e2d58e67dd96b20af5233 > MR: 111637 > Type: Security Fix > Disposition: Backport from https://gitlab.com/qemu-project/qemu/-/commit/1ab95af033a419e7a64e2d58e67dd96b20af5233 > ChangeID: c1e435aa25bb60b362bb68ab253ff55504e0328d > Description: > hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196 > > Guest might select another drive on the bus by setting the > DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR). > The current controller model doesn't expect a BlockBackend > to be NULL. A simple way to fix CVE-2021-20196 is to create > an empty BlockBackend when it is missing. All further > accesses will be safely handled, and the controller state > machines keep behaving correctly. > > Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> > --- > meta/recipes-devtools/qemu/qemu.inc | 1 + > .../qemu/qemu/0001-CVE-2021-20196.patch | 40 +++++++++++++++++++ > 2 files changed, 41 insertions(+) > create mode 100644 meta/recipes-devtools/qemu/qemu/0001-CVE-2021-20196.patch Again, please name the file CVE-2021-20196.patch > > diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc > index 7a963ad57c..2cdb718b1f 100644 > --- a/meta/recipes-devtools/qemu/qemu.inc > +++ b/meta/recipes-devtools/qemu/qemu.inc > @@ -52,6 +52,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ > file://CVE-2019-20175.patch \ > file://CVE-2020-24352.patch \ > file://CVE-2020-25723.patch \ > + file://0001-CVE-2021-20196.patch \ Same issue here, you are not using current dunfell head so this patch doesn't apply. Please rebase on current dunfell head and send a V2. Thanks! Steve > " > UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" > > diff --git a/meta/recipes-devtools/qemu/qemu/0001-CVE-2021-20196.patch b/meta/recipes-devtools/qemu/qemu/0001-CVE-2021-20196.patch > new file mode 100644 > index 0000000000..affc8ead58 > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/0001-CVE-2021-20196.patch > @@ -0,0 +1,40 @@ > +From a253e632aea9e0e3f3f2ad3d157f34908e9c2008 Mon Sep 17 00:00:00 2001 > +From: Vivek Kumbhar <vkumbhar@mvista.com> > +Date: Mon, 10 Oct 2022 10:00:53 +0530 > +Subject: [PATCH] CVE-2021-20196 > + > +Upstream-Status: https://gitlab.com/qemu-project/qemu/-/commit/1ab95af033a419e7a64e2d58e67dd96b20af5233 > +CVE: CVE-2021-20196 > +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> > +--- > + hw/block/fdc.c | 14 +++++++++++++- > + 1 file changed, 13 insertions(+), 1 deletion(-) > + > +diff --git a/hw/block/fdc.c b/hw/block/fdc.c > +index ac5d31e8..a887369c 100644 > +--- a/hw/block/fdc.c > ++++ b/hw/block/fdc.c > +@@ -1356,7 +1356,19 @@ static FDrive *get_drv(FDCtrl *fdctrl, int unit) > + > + static FDrive *get_cur_drv(FDCtrl *fdctrl) > + { > +- return get_drv(fdctrl, fdctrl->cur_drv); > ++ FDrive *cur_drv = get_drv(fdctrl, fdctrl->cur_drv); > ++ > ++ if (!cur_drv->blk) { > ++ /* > ++ * Kludge: empty drive line selected. Create an anonymous > ++ * BlockBackend to avoid NULL deref with various BlockBackend > ++ * API calls within this model (CVE-2021-20196). > ++ * Due to the controller QOM model limitations, we don't > ++ * attach the created to the controller device. > ++ */ > ++ cur_drv->blk = blk_create_empty_drive(); > ++ } > ++ return cur_drv; > + } > + > + /* Status A register : 0x00 (read-only) */ > +-- > +2.25.1 > + > -- > 2.25.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#171629): https://lists.openembedded.org/g/openembedded-core/message/171629 > Mute This Topic: https://lists.openembedded.org/mt/94260757/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 7a963ad57c..2cdb718b1f 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -52,6 +52,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2019-20175.patch \ file://CVE-2020-24352.patch \ file://CVE-2020-25723.patch \ + file://0001-CVE-2021-20196.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/0001-CVE-2021-20196.patch b/meta/recipes-devtools/qemu/qemu/0001-CVE-2021-20196.patch new file mode 100644 index 0000000000..affc8ead58 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0001-CVE-2021-20196.patch @@ -0,0 +1,40 @@ +From a253e632aea9e0e3f3f2ad3d157f34908e9c2008 Mon Sep 17 00:00:00 2001 +From: Vivek Kumbhar <vkumbhar@mvista.com> +Date: Mon, 10 Oct 2022 10:00:53 +0530 +Subject: [PATCH] CVE-2021-20196 + +Upstream-Status: https://gitlab.com/qemu-project/qemu/-/commit/1ab95af033a419e7a64e2d58e67dd96b20af5233 +CVE: CVE-2021-20196 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + hw/block/fdc.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/hw/block/fdc.c b/hw/block/fdc.c +index ac5d31e8..a887369c 100644 +--- a/hw/block/fdc.c ++++ b/hw/block/fdc.c +@@ -1356,7 +1356,19 @@ static FDrive *get_drv(FDCtrl *fdctrl, int unit) + + static FDrive *get_cur_drv(FDCtrl *fdctrl) + { +- return get_drv(fdctrl, fdctrl->cur_drv); ++ FDrive *cur_drv = get_drv(fdctrl, fdctrl->cur_drv); ++ ++ if (!cur_drv->blk) { ++ /* ++ * Kludge: empty drive line selected. Create an anonymous ++ * BlockBackend to avoid NULL deref with various BlockBackend ++ * API calls within this model (CVE-2021-20196). ++ * Due to the controller QOM model limitations, we don't ++ * attach the created to the controller device. ++ */ ++ cur_drv->blk = blk_create_empty_drive(); ++ } ++ return cur_drv; + } + + /* Status A register : 0x00 (read-only) */ +-- +2.25.1 +
Source: https://gitlab.com/qemu-project/qemu/-/commit/1ab95af033a419e7a64e2d58e67dd96b20af5233 MR: 111637 Type: Security Fix Disposition: Backport from https://gitlab.com/qemu-project/qemu/-/commit/1ab95af033a419e7a64e2d58e67dd96b20af5233 ChangeID: c1e435aa25bb60b362bb68ab253ff55504e0328d Description: hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196 Guest might select another drive on the bus by setting the DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR). The current controller model doesn't expect a BlockBackend to be NULL. A simple way to fix CVE-2021-20196 is to create an empty BlockBackend when it is missing. All further accesses will be safely handled, and the controller state machines keep behaving correctly. Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/0001-CVE-2021-20196.patch | 40 +++++++++++++++++++ 2 files changed, 41 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/0001-CVE-2021-20196.patch