From patchwork Fri Sep 9 11:25:22 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Richard Purdie X-Patchwork-Id: 14287 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org From: "Richard Purdie" Subject: [PATCH 1/2] qemu: Upgrade 7.0.0 -> 7.1.0 Date: Fri, 9 Sep 2022 12:25:22 +0100 Message-Id: <20220909112523.648717-1-richard.purdie@linuxfoundation.org> MIME-Version: 1.0 List-id: To: openembedded-core@lists.openembedded.org Drop CVE backports and backported patch for pvrdma which was also applied upstream. Refresh cross.patch. Drop vnc-png option removed upstream. Update ptest path manipulations for target. qmp now consists of multiple files so install them all as a python module. The upgrade contains fixes for virtio block devices which we hope will address vda device tracebacks on the autobuilder from qemu. 
Signed-off-by: Richard Purdie
---
 meta/conf/distro/include/tcmode-default.inc | 2 +-
 ...u-native_7.0.0.bb => qemu-native_7.1.0.bb} | 0
 ...e_7.0.0.bb => qemu-system-native_7.1.0.bb} | 3 +-
 meta/recipes-devtools/qemu/qemu.inc | 21 ++-
 ...t-against-buggy-or-malicious-guest-d.patch | 57 -------
 .../qemu/qemu/CVE-2021-3507_1.patch | 92 -----------
 .../qemu/qemu/CVE-2021-3507_2.patch | 115 --------------
 .../qemu/qemu/CVE-2022-0216_1.patch | 42 -----
 .../qemu/qemu/CVE-2022-0216_2.patch | 146 ------------------
 .../qemu/qemu/CVE-2022-35414.patch | 53 -------
 meta/recipes-devtools/qemu/qemu/cross.patch | 17 +-
 .../qemu/{qemu_7.0.0.bb => qemu_7.1.0.bb} | 0
 12 files changed, 20 insertions(+), 528 deletions(-)
 rename meta/recipes-devtools/qemu/{qemu-native_7.0.0.bb => qemu-native_7.1.0.bb} (100%)
 rename meta/recipes-devtools/qemu/{qemu-system-native_7.0.0.bb => qemu-system-native_7.1.0.bb} (90%)
 delete mode 100644 meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch
 delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch
 delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch
 delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch
 delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch
 delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch
 rename meta/recipes-devtools/qemu/{qemu_7.0.0.bb => qemu_7.1.0.bb} (100%)
diff --git a/meta/conf/distro/include/tcmode-default.inc b/meta/conf/distro/include/tcmode-default.inc
index 9abd121e3a7..59b226e62fc 100644
--- a/meta/conf/distro/include/tcmode-default.inc
+++ b/meta/conf/distro/include/tcmode-default.inc
@@ -22,7 +22,7 @@ BINUVERSION ?= "2.39%"
 GDBVERSION ?= "12.%"
 GLIBCVERSION ?= "2.36"
 LINUXLIBCVERSION ?= "5.19%"
-QEMUVERSION ?= "7.0%"
+QEMUVERSION ?= "7.1%"
 GOVERSION ?= "1.19%"
 # This can not use wildcards like 8.0.% since it is also used in mesa to denote
 # llvm version being used, so always bump it with llvm recipe version bump
diff --git a/meta/recipes-devtools/qemu/qemu-native_7.0.0.bb b/meta/recipes-devtools/qemu/qemu-native_7.1.0.bb
similarity index 100%
rename from meta/recipes-devtools/qemu/qemu-native_7.0.0.bb
rename to meta/recipes-devtools/qemu/qemu-native_7.1.0.bb
diff --git a/meta/recipes-devtools/qemu/qemu-system-native_7.0.0.bb b/meta/recipes-devtools/qemu/qemu-system-native_7.1.0.bb
similarity index 90%
rename from meta/recipes-devtools/qemu/qemu-system-native_7.0.0.bb
rename to meta/recipes-devtools/qemu/qemu-system-native_7.1.0.bb
index 5ccede5095c..04c7c2a6acf 100644
--- a/meta/recipes-devtools/qemu/qemu-system-native_7.0.0.bb
+++ b/meta/recipes-devtools/qemu/qemu-system-native_7.1.0.bb
@@ -28,5 +28,6 @@ do_install:append() {
 rm -rf ${D}${includedir}/qemu-plugin.h
 
 # Install qmp.py to be used with testimage
- install -D ${S}/python/qemu/qmp/__init__.py ${D}${libdir}/qemu-python/qmp.py
+ install -d ${D}${libdir}/qemu-python/qmp/
+ install -D ${S}/python/qemu/qmp/* ${D}${libdir}/qemu-python/qmp/
 }
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 56fc7aaf55f..f22de74ea41 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
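Review bot: `install -D ${S}/python/qemu/qmp/* ${D}${libdir}/qemu-python/qmp/` hands several sources to install's `-D` form, which coreutils documents in terms of a single DEST, and the destination directory was already created by the `install -d` on the line above, so the flag is doing no work here. A plain `install -m 0644 ${S}/python/qemu/qmp/*.py ${D}${libdir}/qemu-python/qmp/` would be clearer, would limit the copy to the Python modules instead of everything the glob matches in that directory (assuming nothing else there is needed at runtime), and would stop library modules being installed with install's default 0755 mode. The comment above still says "Install qmp.py" although a package directory is now installed; `# Install the qmp package to be used with testimage` would match. The body of do_install:append starts outside the hunk.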
@@ -26,17 +26,11 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://0007-qemu-Determinism-fixes.patch \
 file://0008-tests-meson.build-use-relative-path-to-refer-to-file.patch \
 file://0009-Define-MAP_SYNC-and-MAP_SHARED_VALIDATE-on-needed-li.patch \
- file://0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch \
- file://qemu-7.0.0-glibc-2.36.patch \
- file://CVE-2022-35414.patch \
- file://CVE-2021-3507_1.patch \
- file://CVE-2021-3507_2.patch \
- file://CVE-2022-0216_1.patch \
- file://CVE-2022-0216_2.patch \
 "
+BAR = " file://0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch "
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
 
-SRC_URI[sha256sum] = "f6b375c7951f728402798b0baabb2d86478ca53d44cedbefabbe1c46bf46f839"
+SRC_URI[sha256sum] = "a0634e536bded57cf38ec8a751adb124b89c776fe0846f21ab6c6728f1cbbbe6"
 
 SRC_URI:append:class-target = " file://cross.patch"
 SRC_URI:append:class-nativesdk = " file://cross.patch"
@@ -75,8 +69,14 @@ do_install_ptest() {
 # Strip the paths from the QEMU variable, we can use PATH
 sed -i -e "s#^QEMU=.*/qemu-#QEMU=qemu-#g" ${D}${PTEST_PATH}/tests/tcg/*.mak
 
- # Strip compiler flags as they break reproducibility
- sed -i -e "s,CROSS_CC_GUEST=.*,CROSS_CC_GUEST=," ${D}${PTEST_PATH}/tests/tcg/*.mak
+ # Strip compiler flags as they break reproducibility
+ sed -i -e "s,^CC=.*,CC=gcc," \
+ -e "s,^CCAS=.*,CCAS=gcc," \
+ -e "s,^LD=.*,LD=ld," ${D}${PTEST_PATH}/tests/tcg/*.mak
+
+ # Update SRC_PATH variable to the right place on target
+ sed -i -e "s#^SRC_PATH=.*#SRC_PATH=${PTEST_PATH}#g" ${D}${PTEST_PATH}/tests/tcg/*.mak
+
 }
 
 # QEMU_TARGETS is overridable variable
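Review bot: The added `BAR = " file://0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch "` names a file this same commit deletes and is referenced nowhere else in the hunk; it reads as a leftover from local debugging and should be dropped before this lands in qemu.inc. `file://qemu-7.0.0-glibc-2.36.patch` is also removed from SRC_URI, but unlike the other dropped patches it does not appear in the diffstat as deleted, so that file would be left orphaned under meta/recipes-devtools/qemu/qemu/. For the dropped backports (CVE-2021-3507, CVE-2022-0216, CVE-2022-35414 and the pvrdma change tagged CVE-2022-1050) the deleted files name the upstream commits they came from; since the recipe no longer carries the `CVE:` tags that documented those fixes, the commit message should state that each of those commits is contained in the 7.1.0 tag.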
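Review bot: The added empty line directly before the closing `}` of do_install_ptest is stray whitespace; the visible part of the function separates statements with single blank lines, so the line after the SRC_PATH sed should go. The `^CC=`, `^CCAS=` and `^LD=` substitutions replace full toolchain paths with bare `gcc` and `ld`, which relies on those being found via PATH on the target at ptest time; extending the existing comment to `# Strip compiler flags as they break reproducibility; the target toolchain is found via PATH` would make that explicit. do_install_ptest starts outside the hunk.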
@@ -151,7 +151,6 @@ PACKAGECONFIG[uring] = "--enable-linux-io-uring,--disable-linux-io-uring,liburin
 PACKAGECONFIG[xen] = "--enable-xen,--disable-xen,xen-tools,xen-tools-libxenstore xen-tools-libxenctrl xen-tools-libxenguest"
 PACKAGECONFIG[vnc-sasl] = "--enable-vnc --enable-vnc-sasl,--disable-vnc-sasl,cyrus-sasl,"
 PACKAGECONFIG[vnc-jpeg] = "--enable-vnc --enable-vnc-jpeg,--disable-vnc-jpeg,jpeg,"
-PACKAGECONFIG[vnc-png] = "--enable-vnc --enable-vnc-png,--disable-vnc-png,libpng,"
 PACKAGECONFIG[libcurl] = "--enable-curl,--disable-curl,curl,"
 PACKAGECONFIG[nss] = "--enable-smartcard,--disable-smartcard,nss,"
 PACKAGECONFIG[curses] = "--enable-curses,--disable-curses,ncurses,"
diff --git a/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch b/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch
deleted file mode 100644
index 826d42fc203..00000000000
--- a/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch
+++ /dev/null
@@ -1,57 +0,0 @@ -From 52c38fa9f3a790a7c2805e7d8cce3ea9262d6ae2 Mon Sep 17 00:00:00 2001 -From: Yuval Shaia -Date: Tue, 12 Apr 2022 11:01:51 +0100 -Subject: [PATCH 10/12] hw/pvrdma: Protect against buggy or malicious guest - driver - -Guest driver might execute HW commands when shared buffers are not yet -allocated. -This might happen on purpose (malicious guest) or because some other -guest/host address mapping. -We need to protect againts such case. - -Reported-by: Mauro Matteo Cascella -Signed-off-by: Yuval Shaia - -CVE: CVE-2022-1050 -Upstream-Status: Submitted [https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05197.html] - ---- - hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++ - hw/rdma/vmw/pvrdma_main.c | 3 ++- - 2 files changed, 8 insertions(+), 1 deletion(-) - -diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c -index da7ddfa54..89db963c4 100644 ---- a/hw/rdma/vmw/pvrdma_cmd.c -+++ b/hw/rdma/vmw/pvrdma_cmd.c -@@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev) - - dsr_info = &dev->dsr_info; - -+ if (!dsr_info->dsr) { -+ /* Buggy or malicious guest driver */ -+ rdma_error_report("Exec command without dsr, req or rsp buffers"); -+ goto out; -+ } -+ - if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) / - sizeof(struct cmd_handler)) { - rdma_error_report("Unsupported command"); -diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c -index 91206dbb8..0b7d908e2 100644 ---- a/hw/rdma/vmw/pvrdma_main.c -+++ b/hw/rdma/vmw/pvrdma_main.c -@@ -249,7 +249,8 @@ static void init_dsr_dev_caps(PVRDMADev *dev) - { - struct pvrdma_device_shared_region *dsr; - -- if (dev->dsr_info.dsr == NULL) { -+ if (!dev->dsr_info.dsr) { -+ /* Buggy or malicious guest driver */ - rdma_error_report("Can't initialized DSR"); - return; - } --- -2.30.2 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch deleted file mode 100644 index 24fd2c5ed3e..00000000000 
--- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch
+++ /dev/null
@@ -1,92 +0,0 @@ -From 57a89cc36ead7234e540d0ecbe1a792ab6b04cb7 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= -Date: Thu, 18 Nov 2021 12:57:32 +0100 -Subject: [PATCH 1/2] hw/block/fdc: Prevent end-of-track overrun - (CVE-2021-3507) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Per the 82078 datasheet, if the end-of-track (EOT byte in -the FIFO) is more than the number of sectors per side, the -command is terminated unsuccessfully: - -* 5.2.5 DATA TRANSFER TERMINATION - - The 82078 supports terminal count explicitly through - the TC pin and implicitly through the underrun/over- - run and end-of-track (EOT) functions. For full sector - transfers, the EOT parameter can define the last - sector to be transferred in a single or multisector - transfer. If the last sector to be transferred is a par- - tial sector, the host can stop transferring the data in - mid-sector, and the 82078 will continue to complete - the sector as if a hardware TC was received. The - only difference between these implicit functions and - TC is that they return "abnormal termination" result - status. Such status indications can be ignored if they - were expected. - -* 6.1.3 READ TRACK - - This command terminates when the EOT specified - number of sectors have been read. If the 82078 - does not find an I D Address Mark on the diskette - after the second· occurrence of a pulse on the - INDX# pin, then it sets the IC code in Status Regis- - ter 0 to "01" (Abnormal termination), sets the MA bit - in Status Register 1 to "1", and terminates the com- - mand. - -* 6.1.6 VERIFY - - Refer to Table 6-6 and Table 6-7 for information - concerning the values of MT and EC versus SC and - EOT value. - -* Table 6·6. Result Phase Table - -* Table 6-7. Verify Command Result Phase Table - -Fix by aborting the transfer when EOT > # Sectors Per Side. 
- -Cc: qemu-stable@nongnu.org -Cc: Hervé Poussineau -Fixes: baca51faff0 ("floppy driver: disk geometry auto detect") -Reported-by: Alexander Bulekov -Resolves: https://gitlab.com/qemu-project/qemu/-/issues/339 -Signed-off-by: Philippe Mathieu-Daudé -Message-Id: <20211118115733.4038610-2-philmd@redhat.com> -Reviewed-by: Hanna Reitz -Signed-off-by: Kevin Wolf - -Upstream-Status: Backport [defac5e2fbddf8423a354ff0454283a2115e1367] -CVE: CVE-2021-3507 - -Signed-off-by: Sakib Sajal ---- - hw/block/fdc.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/hw/block/fdc.c b/hw/block/fdc.c -index 347875a0c..57bb35579 100644 ---- a/hw/block/fdc.c -+++ b/hw/block/fdc.c -@@ -1530,6 +1530,14 @@ static void fdctrl_start_transfer(FDCtrl *fdctrl, int direction) - int tmp; - fdctrl->data_len = 128 << (fdctrl->fifo[5] > 7 ? 7 : fdctrl->fifo[5]); - tmp = (fdctrl->fifo[6] - ks + 1); -+ if (tmp < 0) { -+ FLOPPY_DPRINTF("invalid EOT: %d\n", tmp); -+ fdctrl_stop_transfer(fdctrl, FD_SR0_ABNTERM, FD_SR1_MA, 0x00); -+ fdctrl->fifo[3] = kt; -+ fdctrl->fifo[4] = kh; -+ fdctrl->fifo[5] = ks; -+ return; -+ } - if (fdctrl->fifo[0] & 0x80) - tmp += fdctrl->fifo[6]; - fdctrl->data_len *= tmp; --- -2.33.0 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch deleted file mode 100644 index acc93e897b5..00000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch +++ /dev/null 
@@ -1,115 +0,0 @@ -From 3e8601ec707dcbc3c768f7733d016dc70c947e4a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= -Date: Thu, 18 Nov 2021 12:57:33 +0100 -Subject: [PATCH 2/2] tests/qtest/fdc-test: Add a regression test for - CVE-2021-3507 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Add the reproducer from https://gitlab.com/qemu-project/qemu/-/issues/339 - -Without the previous commit, when running 'make check-qtest-i386' -with QEMU configured with '--enable-sanitizers' we get: - - ==4028352==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000062a00 at pc 0x5626d03c491a bp 0x7ffdb4199410 sp 0x7ffdb4198bc0 - READ of size 786432 at 0x619000062a00 thread T0 - #0 0x5626d03c4919 in __asan_memcpy (qemu-system-i386+0x1e65919) - #1 0x5626d1c023cc in flatview_write_continue softmmu/physmem.c:2787:13 - #2 0x5626d1bf0c0f in flatview_write softmmu/physmem.c:2822:14 - #3 0x5626d1bf0798 in address_space_write softmmu/physmem.c:2914:18 - #4 0x5626d1bf0f37 in address_space_rw softmmu/physmem.c:2924:16 - #5 0x5626d1bf14c8 in cpu_physical_memory_rw softmmu/physmem.c:2933:5 - #6 0x5626d0bd5649 in cpu_physical_memory_write include/exec/cpu-common.h:82:5 - #7 0x5626d0bd0a07 in i8257_dma_write_memory hw/dma/i8257.c:452:9 - #8 0x5626d09f825d in fdctrl_transfer_handler hw/block/fdc.c:1616:13 - #9 0x5626d0a048b4 in fdctrl_start_transfer hw/block/fdc.c:1539:13 - #10 0x5626d09f4c3e in fdctrl_write_data hw/block/fdc.c:2266:13 - #11 0x5626d09f22f7 in fdctrl_write hw/block/fdc.c:829:9 - #12 0x5626d1c20bc5 in portio_write softmmu/ioport.c:207:17 - - 0x619000062a00 is located 0 bytes to the right of 512-byte region [0x619000062800,0x619000062a00) - allocated by thread T0 here: - #0 0x5626d03c66ec in posix_memalign (qemu-system-i386+0x1e676ec) - #1 0x5626d2b988d4 in qemu_try_memalign util/oslib-posix.c:210:11 - #2 0x5626d2b98b0c in qemu_memalign util/oslib-posix.c:226:27 - #3 0x5626d09fbaf0 in 
fdctrl_realize_common hw/block/fdc.c:2341:20 - #4 0x5626d0a150ed in isabus_fdc_realize hw/block/fdc-isa.c:113:5 - #5 0x5626d2367935 in device_set_realized hw/core/qdev.c:531:13 - - SUMMARY: AddressSanitizer: heap-buffer-overflow (qemu-system-i386+0x1e65919) in __asan_memcpy - Shadow bytes around the buggy address: - 0x0c32800044f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c3280004500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x0c3280004510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x0c3280004520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x0c3280004530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - =>0x0c3280004540:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c3280004550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c3280004560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c3280004570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c3280004580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c3280004590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd - Shadow byte legend (one shadow byte represents 8 application bytes): - Addressable: 00 - Heap left redzone: fa - Freed heap region: fd - ==4028352==ABORTING - -[ kwolf: Added snapshot=on to prevent write file lock failure ] - -Reported-by: Alexander Bulekov -Signed-off-by: Philippe Mathieu-Daudé -Reviewed-by: Alexander Bulekov -Signed-off-by: Kevin Wolf - -Upstream-Status: Backport [46609b90d9e3a6304def11038a76b58ff43f77bc] -CVE: CVE-2021-3507 - -Signed-off-by: Sakib Sajal ---- - tests/qtest/fdc-test.c | 21 +++++++++++++++++++++ - 1 file changed, 21 insertions(+) - -diff --git a/tests/qtest/fdc-test.c b/tests/qtest/fdc-test.c -index b0d40012e..1d4f85212 100644 ---- a/tests/qtest/fdc-test.c -+++ b/tests/qtest/fdc-test.c -@@ -583,6 +583,26 @@ static void test_cve_2021_20196(void) - qtest_quit(s); - } - -+static void test_cve_2021_3507(void) -+{ -+ QTestState *s; -+ -+ s = qtest_initf("-nographic -m 32M -nodefaults " -+ "-drive 
file=%s,format=raw,if=floppy,snapshot=on", -+ test_image); -+ qtest_outl(s, 0x9, 0x0a0206); -+ qtest_outw(s, 0x3f4, 0x1600); -+ qtest_outw(s, 0x3f4, 0x0000); -+ qtest_outw(s, 0x3f4, 0x0000); -+ qtest_outw(s, 0x3f4, 0x0000); -+ qtest_outw(s, 0x3f4, 0x0200); -+ qtest_outw(s, 0x3f4, 0x0200); -+ qtest_outw(s, 0x3f4, 0x0000); -+ qtest_outw(s, 0x3f4, 0x0000); -+ qtest_outw(s, 0x3f4, 0x0000); -+ qtest_quit(s); -+} -+ - int main(int argc, char **argv) - { - int fd; -@@ -614,6 +634,7 @@ int main(int argc, char **argv) - qtest_add_func("/fdc/read_no_dma_19", test_read_no_dma_19); - qtest_add_func("/fdc/fuzz-registers", fuzz_registers); - qtest_add_func("/fdc/fuzz/cve_2021_20196", test_cve_2021_20196); -+ qtest_add_func("/fdc/fuzz/cve_2021_3507", test_cve_2021_3507); - - ret = g_test_run(); - --- -2.33.0 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch deleted file mode 100644 index 56fc34ce5af..00000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From f37ac8619a39498edd225c4a0b3039b28814833d Mon Sep 17 00:00:00 2001 -From: Mauro Matteo Cascella -Date: Tue, 5 Jul 2022 22:05:43 +0200 -Subject: [PATCH 1/2] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout - (CVE-2022-0216) - -Set current_req->req to NULL to prevent reusing a free'd buffer in case of -repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch. - -Fixes: CVE-2022-0216 -Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972 -Signed-off-by: Mauro Matteo Cascella -Reviewed-by: Thomas Huth -Message-Id: <20220705200543.2366809-1-mcascell@redhat.com> -Signed-off-by: Paolo Bonzini - -Upstream-Status: Backport [6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8] -CVE: CVE-2022-0216 - -Signed-off-by: Sakib Sajal ---- - hw/scsi/lsi53c895a.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c -index c8773f73f..99ea42d49 100644 ---- a/hw/scsi/lsi53c895a.c -+++ b/hw/scsi/lsi53c895a.c -@@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s) - case 0x0d: - /* The ABORT TAG message clears the current I/O process only. */ - trace_lsi_do_msgout_abort(current_tag); -- if (current_req) { -+ if (current_req && current_req->req) { - scsi_req_cancel(current_req->req); -+ current_req->req = NULL; - } - lsi_disconnect(s); - break; --- -2.33.0 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch deleted file mode 100644 index f332154b6a9..00000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch +++ /dev/null 
@@ -1,146 +0,0 @@ -From 5451bf6db85ce3da1238e9154d051ebccec8f171 Mon Sep 17 00:00:00 2001 -From: Mauro Matteo Cascella -Date: Mon, 11 Jul 2022 14:33:16 +0200 -Subject: [PATCH 2/2] scsi/lsi53c895a: really fix use-after-free in - lsi_do_msgout (CVE-2022-0216) - -Set current_req to NULL, not current_req->req, to prevent reusing a free'd -buffer in case of repeated SCSI cancel requests. Also apply the fix to -CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel -the request. - -Thanks to Alexander Bulekov for providing a reproducer. - -Fixes: CVE-2022-0216 -Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972 -Signed-off-by: Mauro Matteo Cascella -Tested-by: Alexander Bulekov -Message-Id: <20220711123316.421279-1-mcascell@redhat.com> -Signed-off-by: Paolo Bonzini - -Upstream-Status: Backport [4367a20cc442c56b05611b4224de9a61908f9eac] -CVE: CVE-2022-0216 - -Signed-off-by: Sakib Sajal ---- - hw/scsi/lsi53c895a.c | 3 +- - tests/qtest/fuzz-lsi53c895a-test.c | 76 ++++++++++++++++++++++++++++++ - 2 files changed, 78 insertions(+), 1 deletion(-) - -diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c -index 99ea42d49..ad5f5e5f3 100644 ---- a/hw/scsi/lsi53c895a.c -+++ b/hw/scsi/lsi53c895a.c -@@ -1030,7 +1030,7 @@ static void lsi_do_msgout(LSIState *s) - trace_lsi_do_msgout_abort(current_tag); - if (current_req && current_req->req) { - scsi_req_cancel(current_req->req); -- current_req->req = NULL; -+ current_req = NULL; - } - lsi_disconnect(s); - break; -@@ -1056,6 +1056,7 @@ static void lsi_do_msgout(LSIState *s) - /* clear the current I/O process */ - if (s->current) { - scsi_req_cancel(s->current->req); -+ current_req = NULL; - } - - /* As the current implemented devices scsi_disk and scsi_generic -diff --git a/tests/qtest/fuzz-lsi53c895a-test.c b/tests/qtest/fuzz-lsi53c895a-test.c -index ba5d46897..c1af0ab1c 100644 ---- a/tests/qtest/fuzz-lsi53c895a-test.c -+++ b/tests/qtest/fuzz-lsi53c895a-test.c -@@ -8,6 +8,79 @@ - #include "qemu/osdep.h" - 
#include "libqos/libqtest.h" - -+/* -+ * This used to trigger a UAF in lsi_do_msgout() -+ * https://gitlab.com/qemu-project/qemu/-/issues/972 -+ */ -+static void test_lsi_do_msgout_cancel_req(void) -+{ -+ QTestState *s; -+ -+ if (sizeof(void *) == 4) { -+ g_test_skip("memory size too big for 32-bit build"); -+ return; -+ } -+ -+ s = qtest_init("-M q35 -m 4G -display none -nodefaults " -+ "-device lsi53c895a,id=scsi " -+ "-device scsi-hd,drive=disk0 " -+ "-drive file=null-co://,id=disk0,if=none,format=raw"); -+ -+ qtest_outl(s, 0xcf8, 0x80000810); -+ qtest_outl(s, 0xcf8, 0xc000); -+ qtest_outl(s, 0xcf8, 0x80000810); -+ qtest_outw(s, 0xcfc, 0x7); -+ qtest_outl(s, 0xcf8, 0x80000810); -+ qtest_outl(s, 0xcfc, 0xc000); -+ qtest_outl(s, 0xcf8, 0x80000804); -+ qtest_outw(s, 0xcfc, 0x05); -+ qtest_writeb(s, 0x69736c10, 0x08); -+ qtest_writeb(s, 0x69736c13, 0x58); -+ qtest_writeb(s, 0x69736c1a, 0x01); -+ qtest_writeb(s, 0x69736c1b, 0x06); -+ qtest_writeb(s, 0x69736c22, 0x01); -+ qtest_writeb(s, 0x69736c23, 0x07); -+ qtest_writeb(s, 0x69736c2b, 0x02); -+ qtest_writeb(s, 0x69736c48, 0x08); -+ qtest_writeb(s, 0x69736c4b, 0x58); -+ qtest_writeb(s, 0x69736c52, 0x04); -+ qtest_writeb(s, 0x69736c53, 0x06); -+ qtest_writeb(s, 0x69736c5b, 0x02); -+ qtest_outl(s, 0xc02d, 0x697300); -+ qtest_writeb(s, 0x5a554662, 0x01); -+ qtest_writeb(s, 0x5a554663, 0x07); -+ qtest_writeb(s, 0x5a55466a, 0x10); -+ qtest_writeb(s, 0x5a55466b, 0x22); -+ qtest_writeb(s, 0x5a55466c, 0x5a); -+ qtest_writeb(s, 0x5a55466d, 0x5a); -+ qtest_writeb(s, 0x5a55466e, 0x34); -+ qtest_writeb(s, 0x5a55466f, 0x5a); -+ qtest_writeb(s, 0x5a345a5a, 0x77); -+ qtest_writeb(s, 0x5a345a5b, 0x55); -+ qtest_writeb(s, 0x5a345a5c, 0x51); -+ qtest_writeb(s, 0x5a345a5d, 0x27); -+ qtest_writeb(s, 0x27515577, 0x41); -+ qtest_outl(s, 0xc02d, 0x5a5500); -+ qtest_writeb(s, 0x364001d0, 0x08); -+ qtest_writeb(s, 0x364001d3, 0x58); -+ qtest_writeb(s, 0x364001da, 0x01); -+ qtest_writeb(s, 0x364001db, 0x26); -+ qtest_writeb(s, 0x364001dc, 
0x0d); -+ qtest_writeb(s, 0x364001dd, 0xae); -+ qtest_writeb(s, 0x364001de, 0x41); -+ qtest_writeb(s, 0x364001df, 0x5a); -+ qtest_writeb(s, 0x5a41ae0d, 0xf8); -+ qtest_writeb(s, 0x5a41ae0e, 0x36); -+ qtest_writeb(s, 0x5a41ae0f, 0xd7); -+ qtest_writeb(s, 0x5a41ae10, 0x36); -+ qtest_writeb(s, 0x36d736f8, 0x0c); -+ qtest_writeb(s, 0x36d736f9, 0x80); -+ qtest_writeb(s, 0x36d736fa, 0x0d); -+ qtest_outl(s, 0xc02d, 0x364000); -+ -+ qtest_quit(s); -+} -+ - /* - * This used to trigger the assert in lsi_do_dma() - * https://bugs.launchpad.net/qemu/+bug/697510 -@@ -48,5 +121,8 @@ int main(int argc, char **argv) - test_lsi_do_dma_empty_queue); - } - -+ qtest_add_func("fuzz/lsi53c895a/lsi_do_msgout_cancel_req", -+ test_lsi_do_msgout_cancel_req); -+ - return g_test_run(); - } --- -2.33.0 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch deleted file mode 100644 index fe79a749ae0..00000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From a10c33942dc8cb31b3762b9dd4adde4c490eed9c Mon Sep 17 00:00:00 2001 -From: Hitendra Prajapati -Date: Wed, 3 Aug 2022 10:11:11 +0530 -Subject: [PATCH] CVE-2022-35414 - -Upstream-Status: Backport [https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c] -CVE: CVE-2022-35414 -Signed-off-by: Hitendra Prajapati ---- - softmmu/physmem.c | 13 ++++++++++++- - 1 file changed, 12 insertions(+), 1 deletion(-) - -diff --git a/softmmu/physmem.c b/softmmu/physmem.c -index 4e1b27a20..ad8a90dec 100644 ---- a/softmmu/physmem.c -+++ b/softmmu/physmem.c -@@ -669,7 +669,7 @@ void tcg_iommu_init_notifier_list(CPUState *cpu) - - /* Called from RCU critical section */ - MemoryRegionSection * --address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr, -+address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr, - hwaddr *xlat, hwaddr *plen, - MemTxAttrs attrs, int *prot) - { -@@ -678,6 +678,7 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr, - IOMMUMemoryRegionClass *imrc; - IOMMUTLBEntry iotlb; - int iommu_idx; -+ hwaddr addr = orig_addr; - AddressSpaceDispatch *d = - qatomic_rcu_read(&cpu->cpu_ases[asidx].memory_dispatch); - -@@ -722,6 +723,16 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr, - return section; - - translate_fail: -+ /* -+ * We should be given a page-aligned address -- certainly -+ * tlb_set_page_with_attrs() does so. The page offset of xlat -+ * is used to index sections[], and PHYS_SECTION_UNASSIGNED = 0. -+ * The page portion of xlat will be logged by memory_region_access_valid() -+ * when this memory access is rejected, so use the original untranslated -+ * physical address. -+ */ -+ assert((orig_addr & ~TARGET_PAGE_MASK) == 0); -+ *xlat = orig_addr; - return &d->map.sections[PHYS_SECTION_UNASSIGNED]; - } - --- -2.25.1 - 
diff --git a/meta/recipes-devtools/qemu/qemu/cross.patch b/meta/recipes-devtools/qemu/qemu/cross.patch
index d1256a12294..ca2ad361efc 100644
--- a/meta/recipes-devtools/qemu/qemu/cross.patch
+++ b/meta/recipes-devtools/qemu/qemu/cross.patch
@@ -14,19 +14,19 @@ Signed-off-by: Richard Purdie
 configure | 4 ----
 1 file changed, 4 deletions(-)
 
-diff --git a/configure b/configure
-index 7c08c1835..0613279f9 100755
---- a/configure
-+++ b/configure
-@@ -3118,7 +3118,6 @@ if test "$skip_meson" = no; then
- fi
+Index: qemu-7.1.0/configure
+===================================================================
+--- qemu-7.1.0.orig/configure
++++ qemu-7.1.0/configure
+@@ -2710,7 +2710,6 @@ if test "$skip_meson" = no; then
 echo "strip = [$(meson_quote $strip)]" >> $cross
+ echo "widl = [$(meson_quote $widl)]" >> $cross
 echo "windres = [$(meson_quote $windres)]" >> $cross
 - if test "$cross_compile" = "yes"; then
 cross_arg="--cross-file config-meson.cross"
 echo "[host_machine]" >> $cross
 echo "system = '$targetos'" >> $cross
-@@ -3136,9 +3135,6 @@ if test "$skip_meson" = no; then
+@@ -2728,9 +2727,6 @@ if test "$skip_meson" = no; then
 else
 echo "endian = 'little'" >> $cross
 fi
@@ -36,6 +36,3 @@ index 7c08c1835..0613279f9 100755
 mv $cross config-meson.cross
 
 rm -rf meson-private meson-info meson-logs
---
-2.30.2
-
diff --git a/meta/recipes-devtools/qemu/qemu_7.0.0.bb b/meta/recipes-devtools/qemu/qemu_7.1.0.bb similarity index 100% rename from meta/recipes-devtools/qemu/qemu_7.0.0.bb rename to meta/recipes-devtools/qemu/qemu_7.1.0.bb From patchwork Fri Sep 9 11:25:23 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Purdie X-Patchwork-Id: 12540 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BE751C6FA82 for ; Fri, 9 Sep 2022 11:25:35 +0000 (UTC) Received: from mail-wr1-f50.google.com (mail-wr1-f50.google.com [209.85.221.50]) by mx.groups.io with SMTP id smtpd.web11.1.1662722727383369591 for ; Fri, 09 Sep 2022 04:25:27 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@linuxfoundation.org header.s=google header.b=QGFebugl; spf=pass (domain: linuxfoundation.org, ip: 209.85.221.50, mailfrom: richard.purdie@linuxfoundation.org) Received: by mail-wr1-f50.google.com with SMTP id b17so2225497wrq.3 for ; Fri, 09 Sep 2022 04:25:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date; bh=CPDLD6ehGGFD15TO1o5cweSo6L4+KfgGe+M6KcGFmas=; b=QGFebuglCT+5TOaXV7/X8+cAtrRxHeHZEvO84vMEpCVWC0yT/CgLzB5OWsIB4V0jhA 9jAqE40+lFba7FFPLlSfxygGXX+RMFcjDJyDn9KiUre+O49PhkXEKclxyCvaTaraOQ+U D5y9TEJpblwml0HV1w2KFMQIHXCIv1PiVvt+I= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date; bh=CPDLD6ehGGFD15TO1o5cweSo6L4+KfgGe+M6KcGFmas=; 
b=rokRfErtyTLeA6y+8H6nBSOUtm1ygoizvvozM807U4h/xqDIE+Tq1yaTxJ4XVAbNT1 sd2g9mHkKmp7byTwt1BG6XIIsu6LqENd1qjZkbN052QN+HWpXl7DDMV00hbxkCINqLoL 7lb09zfEGCfhoP0sX437EID2ueBk9WPgGLx6ucfC0uC5BiSxPARsMRQJXlEuSE+3fFWC tQuOUfNQU9Nwts0b+i34B5ykleQb0HvW1/XfEqQimX5tCysrECfLVpviDP5qUkZhnf7s 8L46/xDOCQZY1R2dziRnjQ0gTF49UPaUR8KtDZFOFGOZuyZMs6z+d33vscIhGLy4iVRt AR/g== X-Gm-Message-State: ACgBeo1i/yWSRTqo3rnoPg5qNBdw6IcFbDs1LF1da3MKhd5cPNHbFpil CSvJ4pRb0AY0zFd2nJ01b2TE7vIrn8THvA== X-Google-Smtp-Source: AA6agR75mGL7rUwmmAtGbK+h/n+wV+n87crb59VbaF0098VQMUSvm4S3I/wE6KTFrGqNnb03EMkL6A== X-Received: by 2002:a5d:60ca:0:b0:228:d77e:4b25 with SMTP id x10-20020a5d60ca000000b00228d77e4b25mr7893554wrt.139.1662722725551; Fri, 09 Sep 2022 04:25:25 -0700 (PDT) Received: from max.int.rpsys.net ([2001:8b0:aba:5f3c:52ef:c9b0:71c9:e992]) by smtp.gmail.com with ESMTPSA id z5-20020a05600c0a0500b003a540fef440sm527625wmp.1.2022.09.09.04.25.24 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Sep 2022 04:25:25 -0700 (PDT) From: Richard Purdie To: openembedded-core@lists.openembedded.org Subject: [PATCH 2/2] qemurunner: Update to match qmp changes Date: Fri, 9 Sep 2022 12:25:23 +0100 Message-Id: <20220909112523.648717-2-richard.purdie@linuxfoundation.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220909112523.648717-1-richard.purdie@linuxfoundation.org> References: <20220909112523.648717-1-richard.purdie@linuxfoundation.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 09 Sep 2022 11:25:35 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/170487 Upstream made changes to the qmp module. We need to use the legacy one for now since that matches the interface we use, ultimately we likely need to update our code. Also fix the generic exception handler to show the actual exception which helps debugging when something does break. 
Signed-off-by: Richard Purdie
---
 meta/lib/oeqa/utils/qemurunner.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/meta/lib/oeqa/utils/qemurunner.py b/meta/lib/oeqa/utils/qemurunner.py
index 4c3d2010fb6..07018b7de8b 100644
--- a/meta/lib/oeqa/utils/qemurunner.py
+++ b/meta/lib/oeqa/utils/qemurunner.py
@@ -188,8 +188,8 @@ class QemuRunner:
 importlib.invalidate_caches()
 try:
 qmp = importlib.import_module("qmp")
- except:
- self.logger.error("qemurunner: qmp.py missing, please ensure it's installed")
+ except Exception as e:
+ self.logger.error("qemurunner: qmp.py missing, please ensure it's installed (%s)" % str(e))
 return False
 # Path relative to tmpdir used as cwd for qemu below to avoid unix socket path length issues
 qmp_file = "." + next(tempfile._get_candidate_names())
@@ -325,7 +325,8 @@ class QemuRunner:
 try:
 os.chdir(os.path.dirname(qmp_port))
 try:
- self.qmp = qmp.QEMUMonitorProtocol(os.path.basename(qmp_port))
+ from qmp.legacy import QEMUMonitorProtocol
+ self.qmp = QEMUMonitorProtocol(os.path.basename(qmp_port))
 except OSError as msg:
 self.logger.warning("Failed to initialize qemu monitor socket: %s File: %s" % (msg, msg.filename))
 return False
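Review bot: `except Exception as e:` still labels every failure as "qmp.py missing", which is only accurate for ImportError; a SyntaxError or a failing import inside the installed package would now be logged under that misleading text and then turned into `return False`. Narrowing it to `except ImportError as e:` lets other errors surface with their traceback, and the text should refer to the `qmp` module since the first patch of this series installs a package directory rather than a qmp.py file. Prefer the logger's lazy arguments over `%` formatting and drop the redundant `str()`: `self.logger.error("qemurunner: qmp module missing, please ensure it's installed (%s)", e)`. The enclosing method starts outside the hunk.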
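Review bot: `from qmp.legacy import QEMUMonitorProtocol` is placed inside a `try` whose only handler is `except OSError`, so with an older single-file qmp.py that has no `legacy` submodule the ImportError escapes here as a bare traceback instead of the friendly error produced by the guarded `importlib.import_module("qmp")` in the first hunk. The removed line used the `qmp` name bound there, so that spot is in scope for this code; adding `from qmp.legacy import QEMUMonitorProtocol` directly after `qmp = importlib.import_module("qmp")` and keeping only `self.qmp = QEMUMonitorProtocol(os.path.basename(qmp_port))` here routes a layout mismatch through the existing error path. Once moved, the `qmp` binding from import_module looks unused in the visible lines and could probably go, though the code between the two hunks is not shown. The enclosing method starts outside the hunk.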