From patchwork Wed Sep 14 06:04:10 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Lee, Chee Yang" X-Patchwork-Id: 12835 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C8F11ECAAD3 for ; Wed, 14 Sep 2022 06:04:21 +0000 (UTC) Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) by mx.groups.io with SMTP id smtpd.web09.3022.1663135454287556282 for ; Tue, 13 Sep 2022 23:04:14 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=dHr//Lnh; spf=pass (domain: intel.com, ip: 192.55.52.136, mailfrom: chee.yang.lee@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1663135454; x=1694671454; h=from:to:subject:date:message-id:mime-version: content-transfer-encoding; bh=88FuXmytRxaQp0FkAvv2BBEBoNV2pGrj13zILDOL8m4=; b=dHr//Lnh33vc32zx5VZXADs6dbZCo//bZZlL0ds8sUxxeaRtChpCDpRz gDmZ8fxCTdUhkMDUtD3FSltF0wD7HWaFmxBJZ1VSAdTHKCGS/I4Pn7HJo t7WHPhNRlZaL86gn6bbyixZ/06N+KyoViN8xBvb4xdbQizGFeopbIrLvM 5VOMnLcWomkC6ZY4IhTxzN3wLEOfkbSlRNsH+9DQyD/saf9tuTQ5N7u4v okP3L5vC+uMBUvBl+j1a/lwqkwGW3s56BFPGpRMnBdMGMOWSq6bgEOAUx qBeM3Bz4i8ll8+U0WJdKCrYrBqlgYusSiDmSM0z1X7Cre0JBZtUOvRCPp A==; X-IronPort-AV: E=McAfee;i="6500,9779,10469"; a="278073657" X-IronPort-AV: E=Sophos;i="5.93,313,1654585200"; d="scan'208";a="278073657" Received: from orsmga004.jf.intel.com ([10.7.209.38]) by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Sep 2022 23:04:13 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.93,313,1654585200"; d="scan'208";a="742442665" Received: from andromeda02.png.intel.com ([10.221.253.198]) by orsmga004.jf.intel.com with ESMTP; 13 Sep 2022 23:04:12 -0700 From: chee.yang.lee@intel.com To: openembedded-core@lists.openembedded.org Subject: [PATCH][dunfell 1/2] gst-plugins-good: fix several CVE Date: Wed, 14 Sep 2022 14:04:10 +0800 Message-Id: <20220914060411.20436-1-chee.yang.lee@intel.com> X-Mailer: git-send-email 2.36.1 MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 14 Sep 2022 06:04:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/170634 From: Chee Yang Lee backport fix for: CVE-2022-1920 CVE-2022-1921 CVE-2022-1922 CVE-2022-1923 CVE-2022-1924 CVE-2022-1925 CVE-2022-2122 also set ignore at gstreamer1.0_1.16.3.bb Signed-off-by: Chee Yang Lee --- .../CVE-2022-1920.patch | 59 +++++ .../CVE-2022-1921.patch | 69 ++++++ .../CVE-2022-1922-1923-1924-1925.patch | 214 ++++++++++++++++++ .../CVE-2022-2122.patch | 60 +++++ .../gstreamer1.0-plugins-good_1.16.3.bb | 4 + .../gstreamer/gstreamer1.0_1.16.3.bb | 7 + 6 files changed, 413 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch new file mode 100644 index 0000000000..ee33c5564d --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch @@ -0,0 +1,59 @@ +From cf887f1b8e228bff6e19829e6d03995d70ad739d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Wed, 18 May 2022 10:23:15 +0300 +Subject: [PATCH] matroskademux: Avoid integer-overflow resulting in heap + corruption in WavPack header handling code + +blocksize + WAVPACK4_HEADER_SIZE might overflow gsize, which then +results in allocating a very small buffer. Into that buffer blocksize +data is memcpy'd later which then causes out of bound writes and can +potentially lead to anything from crashes to remote code execution. + +Thanks to Adam Doupe for analyzing and reporting the issue. + +CVE: CVE-2022-1920 + +https://gstreamer.freedesktop.org/security/sa-2022-0004.html + +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226 + +Part-of: + +https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/0df0dd7fe388174e4835eda4526b47f470a56370 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + .../gst/matroska/matroska-demux.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c +index 64cc6be60be..01d754c3eb9 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -3933,7 +3933,8 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + } else { + guint8 *outdata = NULL; + gsize buf_size, size; +- guint32 block_samples, flags, crc, blocksize; ++ guint32 block_samples, flags, crc; ++ gsize blocksize; + GstAdapter *adapter; + + adapter = gst_adapter_new (); +@@ -3974,6 +3975,13 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + return GST_FLOW_ERROR; + } + ++ if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) { ++ GST_ERROR_OBJECT (element, "Too big wavpack buffer"); ++ gst_buffer_unmap (*buf, &map); ++ g_object_unref (adapter); ++ return GST_FLOW_ERROR; ++ } ++ + g_assert (newbuf == NULL); + + newbuf = +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch new file mode 100644 index 0000000000..99dbb2b1b0 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch @@ -0,0 +1,69 @@ +From f503caad676971933dc0b52c4b313e5ef0d6dbb0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Wed, 18 May 2022 12:00:48 +0300 +Subject: [PATCH] avidemux: Fix integer overflow resulting in heap corruption + in DIB buffer inversion code + +Check that width*bpp/8 doesn't overflow a guint and also that +height*stride fits into the provided buffer without overflowing. + +Thanks to Adam Doupe for analyzing and reporting the issue. + +CVE: CVE-2022-1921 + +See https://gstreamer.freedesktop.org/security/sa-2022-0001.html + +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1224 + +Part-of: + +https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f503caad676971933dc0b52c4b313e5ef0d6dbb0 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + .../gst/avi/gstavidemux.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/gst/avi/gstavidemux.c b/gst/avi/gstavidemux.c +index eafe865494c..0d18a6495c7 100644 +--- a/gst/avi/gstavidemux.c ++++ b/gst/avi/gstavidemux.c +@@ -4973,8 +4973,8 @@ swap_line (guint8 * d1, guint8 * d2, guint8 * tmp, gint bytes) + static GstBuffer * + gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf) + { +- gint y, w, h; +- gint bpp, stride; ++ guint y, w, h; ++ guint bpp, stride; + guint8 *tmp = NULL; + GstMapInfo map; + guint32 fourcc; +@@ -5001,12 +5001,23 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf) + h = stream->strf.vids->height; + w = stream->strf.vids->width; + bpp = stream->strf.vids->bit_cnt ? stream->strf.vids->bit_cnt : 8; ++ ++ if ((guint64) w * ((guint64) bpp / 8) > G_MAXUINT - 4) { ++ GST_WARNING ("Width x stride overflows"); ++ return buf; ++ } ++ ++ if (w == 0 || h == 0) { ++ GST_WARNING ("Zero width or height"); ++ return buf; ++ } ++ + stride = GST_ROUND_UP_4 (w * (bpp / 8)); + + buf = gst_buffer_make_writable (buf); + + gst_buffer_map (buf, &map, GST_MAP_READWRITE); +- if (map.size < (stride * h)) { ++ if (map.size < ((guint64) stride * (guint64) h)) { + GST_WARNING ("Buffer is smaller than reported Width x Height x Depth"); + gst_buffer_unmap (buf, &map); + return buf; +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch new file mode 100644 index 0000000000..ebffbc473d --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch @@ -0,0 +1,214 @@ +From ad6012159acf18c6b5c0f4edf037e8c9a2dbc966 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Wed, 18 May 2022 11:24:37 +0300 +Subject: [PATCH] matroskademux: Fix integer overflows in zlib/bz2/etc + decompression code + +Various variables were of smaller types than needed and there were no +checks for any overflows when doing additions on the sizes. This is all +checked now. + +In addition the size of the decompressed data is limited to 120MB now as +any larger sizes are likely pathological and we can avoid out of memory +situations in many cases like this. + +Also fix a bug where the available output size on the next iteration in +the zlib/bz2 decompression code was provided too large and could +potentially lead to out of bound writes. + +Thanks to Adam Doupe for analyzing and reporting the issue. + +CVE: CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + +https://gstreamer.freedesktop.org/security/sa-2022-0002.html + +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225 + +Part-of: + +CVE: CVE-2022-1922 CVE-2022-1923 CVE-2022-1924 CVE-2022-1925 +https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ad6012159acf18c6b5c0f4edf037e8c9a2dbc966 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + .../gst/matroska/matroska-read-common.c | 76 +++++++++++++++---- + 1 file changed, 61 insertions(+), 15 deletions(-) + +diff --git a/gst/matroska/matroska-read-common.c b/gst/matroska/matroska-read-common.c +index eb317644cc5..6fadbba9567 100644 +--- a/gst/matroska/matroska-read-common.c ++++ b/gst/matroska/matroska-read-common.c +@@ -70,6 +70,10 @@ typedef struct + gboolean audio_only; + } TargetTypeContext; + ++/* 120MB as maximum decompressed data size. Anything bigger is likely ++ * pathological, and like this we avoid out of memory situations in many cases ++ */ ++#define MAX_DECOMPRESS_SIZE (120 * 1024 * 1024) + + static gboolean + gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, +@@ -77,19 +81,23 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, + GstMatroskaTrackCompressionAlgorithm algo) + { + guint8 *new_data = NULL; +- guint new_size = 0; ++ gsize new_size = 0; + guint8 *data = *data_out; +- guint size = *size_out; ++ const gsize size = *size_out; + gboolean ret = TRUE; + ++ if (size > G_MAXUINT32) { ++ GST_WARNING ("too large compressed data buffer."); ++ ret = FALSE; ++ goto out; ++ } ++ + if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_ZLIB) { + #ifdef HAVE_ZLIB + /* zlib encoded data */ + z_stream zstream; +- guint orig_size; + int result; + +- orig_size = size; + zstream.zalloc = (alloc_func) 0; + zstream.zfree = (free_func) 0; + zstream.opaque = (voidpf) 0; +@@ -99,8 +107,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, + goto out; + } + zstream.next_in = (Bytef *) data; +- zstream.avail_in = orig_size; +- new_size = orig_size; ++ zstream.avail_in = size; ++ new_size = size; + new_data = g_malloc (new_size); + zstream.avail_out = new_size; + zstream.next_out = (Bytef *) new_data; +@@ -114,10 +122,18 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, + break; + } + ++ if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { ++ GST_WARNING ("too big decompressed data"); ++ result = Z_MEM_ERROR; ++ break; ++ } ++ + new_size += 4096; + new_data = g_realloc (new_data, new_size); + zstream.next_out = (Bytef *) (new_data + zstream.total_out); +- zstream.avail_out += 4096; ++ /* avail_out is an unsigned int */ ++ g_assert (new_size - zstream.total_out <= G_MAXUINT); ++ zstream.avail_out = new_size - zstream.total_out; + } while (zstream.avail_in > 0); + + if (result != Z_STREAM_END) { +@@ -137,13 +153,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, + #ifdef HAVE_BZ2 + /* bzip2 encoded data */ + bz_stream bzstream; +- guint orig_size; + int result; + + bzstream.bzalloc = NULL; + bzstream.bzfree = NULL; + bzstream.opaque = NULL; +- orig_size = size; + + if (BZ2_bzDecompressInit (&bzstream, 0, 0) != BZ_OK) { + GST_WARNING ("bzip2 initialization failed."); +@@ -152,8 +166,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, + } + + bzstream.next_in = (char *) data; +- bzstream.avail_in = orig_size; +- new_size = orig_size; ++ bzstream.avail_in = size; ++ new_size = size; + new_data = g_malloc (new_size); + bzstream.avail_out = new_size; + bzstream.next_out = (char *) new_data; +@@ -167,17 +181,31 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, + break; + } + ++ if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { ++ GST_WARNING ("too big decompressed data"); ++ result = BZ_MEM_ERROR; ++ break; ++ } ++ + new_size += 4096; + new_data = g_realloc (new_data, new_size); +- bzstream.next_out = (char *) (new_data + bzstream.total_out_lo32); +- bzstream.avail_out += 4096; ++ bzstream.next_out = ++ (char *) (new_data + ((guint64) bzstream.total_out_hi32 << 32) + ++ bzstream.total_out_lo32); ++ /* avail_out is an unsigned int */ ++ g_assert (new_size - ((guint64) bzstream.total_out_hi32 << 32) + ++ bzstream.total_out_lo32 <= G_MAXUINT); ++ bzstream.avail_out = ++ new_size - ((guint64) bzstream.total_out_hi32 << 32) + ++ bzstream.total_out_lo32; + } while (bzstream.avail_in > 0); + + if (result != BZ_STREAM_END) { + ret = FALSE; + g_free (new_data); + } else { +- new_size = bzstream.total_out_lo32; ++ new_size = ++ ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32; + } + BZ2_bzDecompressEnd (&bzstream); + +@@ -189,7 +217,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, + } else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_LZO1X) { + /* lzo encoded data */ + int result; +- int orig_size, out_size; ++ gint orig_size, out_size; ++ ++ if (size > G_MAXINT) { ++ GST_WARNING ("too large compressed data buffer."); ++ ret = FALSE; ++ goto out; ++ } + + orig_size = size; + out_size = size; +@@ -203,6 +237,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, + result = lzo1x_decode (new_data, &out_size, data, &orig_size); + + if (orig_size > 0) { ++ if (new_size > G_MAXINT - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { ++ GST_WARNING ("too big decompressed data"); ++ result = LZO_ERROR; ++ break; ++ } + new_size += 4096; + new_data = g_realloc (new_data, new_size); + } +@@ -221,6 +260,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, + } else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_HEADERSTRIP) { + /* header stripped encoded data */ + if (enc->comp_settings_length > 0) { ++ if (size > G_MAXSIZE - enc->comp_settings_length ++ || size + enc->comp_settings_length > MAX_DECOMPRESS_SIZE) { ++ GST_WARNING ("too big decompressed data"); ++ ret = FALSE; ++ goto out; ++ } ++ + new_data = g_malloc (size + enc->comp_settings_length); + new_size = size + enc->comp_settings_length; + +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch new file mode 100644 index 0000000000..f4d38c270e --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch @@ -0,0 +1,60 @@ +From 14d306da6da51a762c4dc701d161bb52ab66d774 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 May 2022 10:15:37 +0300 +Subject: [PATCH] qtdemux: Fix integer overflows in zlib decompression code + +Various variables were of smaller types than needed and there were no +checks for any overflows when doing additions on the sizes. This is all +checked now. + +In addition the size of the decompressed data is limited to 200MB now as +any larger sizes are likely pathological and we can avoid out of memory +situations in many cases like this. + +Also fix a bug where the available output size on the next iteration in +the zlib decompression code was provided too large and could +potentially lead to out of bound writes. + +Thanks to Adam Doupe for analyzing and reporting the issue. + +CVE: tbd + +https://gstreamer.freedesktop.org/security/sa-2022-0003.html + +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225 + +Part-of: + +https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/14d306da6da51a762c4dc701d161bb52ab66d774 +CVE: CVE-2022-2122 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + gst/isomp4/qtdemux.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c +index 7cc346b1e63..97ba0799a8d 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -7905,10 +7905,16 @@ qtdemux_inflate (void *z_buffer, guint z_length, guint * length) + break; + } + ++ if (*length > G_MAXUINT - 4096 || *length > QTDEMUX_MAX_SAMPLE_INDEX_SIZE) { ++ GST_WARNING ("too big decompressed data"); ++ ret = Z_MEM_ERROR; ++ break; ++ } ++ + *length += 4096; + buffer = (guint8 *) g_realloc (buffer, *length); + z.next_out = (Bytef *) (buffer + z.total_out); +- z.avail_out += 4096; ++ z.avail_out += *length - z.total_out; + } while (z.avail_in > 0); + + if (ret != Z_STREAM_END) { +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb index 1038cbf224..831a317a82 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb @@ -10,6 +10,10 @@ SRC_URI = " \ file://0001-qt-include-ext-qt-gstqtgl.h-instead-of-gst-gl-gstglf.patch \ file://CVE-2021-3497.patch \ file://CVE-2021-3498.patch \ + file://CVE-2022-1920.patch \ + file://CVE-2022-1921.patch \ + file://CVE-2022-1922-1923-1924-1925.patch \ + file://CVE-2022-2122.patch \ " SRC_URI[md5sum] = "c79b6c2f8eaadb2bb66615b694db399e" diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb index 966a904eef..14793b7fdf 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb @@ -83,5 +83,12 @@ CVE_CHECK_WHITELIST += "CVE-2021-3522" # so we need to ignore the false hits CVE_CHECK_WHITELIST += "CVE-2021-3497" CVE_CHECK_WHITELIST += "CVE-2021-3498" +CVE_CHECK_WHITELIST += "CVE-2022-1920" +CVE_CHECK_WHITELIST += "CVE-2022-1921" +CVE_CHECK_WHITELIST += "CVE-2022-1922" +CVE_CHECK_WHITELIST += "CVE-2022-1923" +CVE_CHECK_WHITELIST += "CVE-2022-1924" +CVE_CHECK_WHITELIST += "CVE-2022-1925" +CVE_CHECK_WHITELIST += "CVE-2022-2122" require gstreamer1.0-ptest.inc From patchwork Wed Sep 14 06:04:11 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: "Lee, Chee Yang" X-Patchwork-Id: 14291 X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org From: "Lee Chee Yang" Subject: [PATCH][dunfell 2/2] qemu: fix and ignore several CVEs Date: Wed, 14 Sep 2022 14:04:11 +0800 Message-Id: <20220914060411.20436-2-chee.yang.lee@intel.com> In-Reply-To: <20220914060411.20436-1-chee.yang.lee@intel.com> References: <20220914060411.20436-1-chee.yang.lee@intel.com> MIME-Version: 1.0 List-id: To: openembedded-core@lists.openembedded.org From: Chee Yang Lee backport fixes: CVE-2020-13754, backport patches as debian security tracker notes https://security-tracker.debian.org/tracker/CVE-2020-13754 CVE-2021-3713 CVE-2021-3748 CVE-2021-3930 CVE-2021-4206 CVE-2021-4207 CVE-2022-0216, does not include qtest in patches, the qtest code were not available in v4.2. Ignore: CVE-2020-27661, issue introduced in v5.1.0-rc0 https://security-tracker.debian.org/tracker/CVE-2020-27661 Signed-off-by: Chee Yang Lee --- meta/recipes-devtools/qemu/qemu.inc | 14 ++ .../qemu/qemu/CVE-2020-13754-1.patch | 91 +++++++++++++ .../qemu/qemu/CVE-2020-13754-2.patch | 69 ++++++++++ .../qemu/qemu/CVE-2020-13754-3.patch | 65 +++++++++ .../qemu/qemu/CVE-2020-13754-4.patch | 39 ++++++ .../qemu/qemu/CVE-2021-3713.patch | 67 ++++++++++ .../qemu/qemu/CVE-2021-3748.patch | 124 ++++++++++++++++++ .../qemu/qemu/CVE-2021-3930.patch | 53 ++++++++ .../qemu/qemu/CVE-2021-4206.patch | 89 +++++++++++++ .../qemu/qemu/CVE-2021-4207.patch | 43 ++++++ .../qemu/qemu/CVE-2022-0216-1.patch | 42 ++++++ .../qemu/qemu/CVE-2022-0216-2.patch | 52 ++++++++ 12 files changed, 748 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index a773068499..c1db723e90 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -100,6 +100,17 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2020-13791.patch \ file://CVE-2022-35414.patch \ file://CVE-2020-27821.patch \ + file://CVE-2020-13754-1.patch \ + file://CVE-2020-13754-2.patch \ + file://CVE-2020-13754-3.patch \ + file://CVE-2020-13754-4.patch \ + file://CVE-2021-3713.patch \ + file://CVE-2021-3748.patch \ + file://CVE-2021-3930.patch \ + file://CVE-2021-4206.patch \ + file://CVE-2021-4207.patch \ + file://CVE-2022-0216-1.patch \ + file://CVE-2022-0216-2.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" @@ -117,6 +128,9 @@ CVE_CHECK_WHITELIST += "CVE-2007-0998" # https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11 CVE_CHECK_WHITELIST += "CVE-2018-18438" +# the issue introduced in v5.1.0-rc0 +CVE_CHECK_WHITELIST += "CVE-2020-27661" + COMPATIBLE_HOST_mipsarchn32 = "null" COMPATIBLE_HOST_mipsarchn64 = "null" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch new file mode 100644 index 0000000000..fdfff9d81d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch @@ -0,0 +1,91 @@ +From 5d971f9e672507210e77d020d89e0e89165c8fc9 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Wed, 10 Jun 2020 09:47:49 -0400 +Subject: [PATCH] memory: Revert "memory: accept mismatching sizes in + memory_region_access_valid" + +Memory API documentation documents valid .min_access_size and .max_access_size +fields and explains that any access outside these boundaries is blocked. + +This is what devices seem to assume. + +However this is not what the implementation does: it simply +ignores the boundaries unless there's an "accepts" callback. + +Naturally, this breaks a bunch of devices. + +Revert to the documented behaviour. + +Devices that want to allow any access can just drop the valid field, +or add the impl field to have accesses converted to appropriate +length. + +Cc: qemu-stable@nongnu.org +Reviewed-by: Richard Henderson +Fixes: CVE-2020-13754 +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363 +Fixes: a014ed07bd5a ("memory: accept mismatching sizes in memory_region_access_valid") +Signed-off-by: Michael S. Tsirkin +Message-Id: <20200610134731.1514409-1-mst@redhat.com> +Signed-off-by: Paolo Bonzini + +https://git.qemu.org/?p=qemu.git;a=patch;h=5d971f9e672507210e77d020d89e0e89165c8fc9 +CVE: CVE-2020-13754 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + memory.c | 29 +++++++++-------------------- + 1 file changed, 9 insertions(+), 20 deletions(-) + +diff --git a/memory.c b/memory.c +index 2f15a4b..9200b20 100644 +--- a/memory.c ++++ b/memory.c +@@ -1352,35 +1352,24 @@ bool memory_region_access_valid(MemoryRegion *mr, + bool is_write, + MemTxAttrs attrs) + { +- int access_size_min, access_size_max; +- int access_size, i; +- +- if (!mr->ops->valid.unaligned && (addr & (size - 1))) { ++ if (mr->ops->valid.accepts ++ && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) { + return false; + } + +- if (!mr->ops->valid.accepts) { +- return true; +- } +- +- access_size_min = mr->ops->valid.min_access_size; +- if (!mr->ops->valid.min_access_size) { +- access_size_min = 1; ++ if (!mr->ops->valid.unaligned && (addr & (size - 1))) { ++ return false; + } + +- access_size_max = mr->ops->valid.max_access_size; ++ /* Treat zero as compatibility all valid */ + if (!mr->ops->valid.max_access_size) { +- access_size_max = 4; ++ return true; + } + +- access_size = MAX(MIN(size, access_size_max), access_size_min); +- for (i = 0; i < size; i += access_size) { +- if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size, +- is_write, attrs)) { +- return false; +- } ++ if (size > mr->ops->valid.max_access_size ++ || size < mr->ops->valid.min_access_size) { ++ return false; + } +- + return true; + } + +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch new file mode 100644 index 0000000000..7354edc54d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch @@ -0,0 +1,69 @@ +From dba04c3488c4699f5afe96f66e448b1d447cf3fb Mon Sep 17 00:00:00 2001 +From: Michael Tokarev +Date: Mon, 20 Jul 2020 19:06:27 +0300 +Subject: [PATCH] acpi: accept byte and word access to core ACPI registers + +All ISA registers should be accessible as bytes, words or dwords +(if wide enough). Fix the access constraints for acpi-pm-evt, +acpi-pm-tmr & acpi-cnt registers. + +Fixes: 5d971f9e67 (memory: Revert "memory: accept mismatching sizes in memory_region_access_valid") +Fixes: afafe4bbe0 (apci: switch cnt to memory api) +Fixes: 77d58b1e47 (apci: switch timer to memory api) +Fixes: b5a7c024d2 (apci: switch evt to memory api) +Buglink: https://lore.kernel.org/xen-devel/20200630170913.123646-1-anthony.perard@citrix.com/T/ +Buglink: https://bugs.debian.org/964793 +BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247 +BugLink: https://bugs.launchpad.net/bugs/1886318 +Reported-By: Simon John +Signed-off-by: Michael Tokarev +Message-Id: <20200720160627.15491-1-mjt@msgid.tls.msk.ru> +Cc: qemu-stable@nongnu.org +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin + +https://git.qemu.org/?p=qemu.git;a=patch;h=dba04c3488c4699f5afe96f66e448b1d447cf3fb +CVE: CVE-2020-13754 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + hw/acpi/core.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/hw/acpi/core.c b/hw/acpi/core.c +index f6d9ec4..ac06db3 100644 +--- a/hw/acpi/core.c ++++ b/hw/acpi/core.c +@@ -458,7 +458,8 @@ static void acpi_pm_evt_write(void *opaque, hwaddr addr, uint64_t val, + static const MemoryRegionOps acpi_pm_evt_ops = { + .read = acpi_pm_evt_read, + .write = acpi_pm_evt_write, +- .valid.min_access_size = 2, ++ .impl.min_access_size = 2, ++ .valid.min_access_size = 1, + .valid.max_access_size = 2, + .endianness = DEVICE_LITTLE_ENDIAN, + }; +@@ -527,7 +528,8 @@ static void acpi_pm_tmr_write(void *opaque, hwaddr addr, uint64_t val, + static const MemoryRegionOps acpi_pm_tmr_ops = { + .read = acpi_pm_tmr_read, + .write = acpi_pm_tmr_write, +- .valid.min_access_size = 4, ++ .impl.min_access_size = 4, ++ .valid.min_access_size = 1, + .valid.max_access_size = 4, + .endianness = DEVICE_LITTLE_ENDIAN, + }; +@@ -599,7 +601,8 @@ static void acpi_pm_cnt_write(void *opaque, hwaddr addr, uint64_t val, + static const MemoryRegionOps acpi_pm_cnt_ops = { + .read = acpi_pm_cnt_read, + .write = acpi_pm_cnt_write, +- .valid.min_access_size = 2, ++ .impl.min_access_size = 2, ++ .valid.min_access_size = 1, + .valid.max_access_size = 2, + .endianness = DEVICE_LITTLE_ENDIAN, + }; +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch new file mode 100644 index 0000000000..2a8781050f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch @@ -0,0 +1,65 @@ +From 8e67fda2dd6202ccec093fda561107ba14830a17 Mon Sep 17 00:00:00 2001 +From: Laurent Vivier +Date: Tue, 21 Jul 2020 10:33:22 +0200 +Subject: [PATCH] xhci: fix valid.max_access_size to access address registers +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +QEMU XHCI advertises AC64 (64-bit addressing) but doesn't allow +64-bit mode access in "runtime" and "operational" MemoryRegionOps. + +Set the max_access_size based on sizeof(dma_addr_t) as AC64 is set. + +XHCI specs: +"If the xHC supports 64-bit addressing (AC64 = â1â), then software +should write 64-bit registers using only Qword accesses. If a +system is incapable of issuing Qword accesses, then writes to the +64-bit address fields shall be performed using 2 Dword accesses; +low Dword-first, high-Dword second. If the xHC supports 32-bit +addressing (AC64 = â0â), then the high Dword of registers containing +64-bit address fields are unused and software should write addresses +using only Dword accesses" + +The problem has been detected with SLOF, as linux kernel always accesses +registers using 32-bit access even if AC64 is set and revealed by +5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"") + +Suggested-by: Alexey Kardashevskiy +Signed-off-by: Laurent Vivier +Message-id: 20200721083322.90651-1-lvivier@redhat.com +Signed-off-by: Gerd Hoffmann + +https://git.qemu.org/?p=qemu.git;a=patch;h=8e67fda2dd6202ccec093fda561107ba14830a17 +CVE: CVE-2020-13754 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + hw/usb/hcd-xhci.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c +index b330e36..67a18fe 100644 +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -3184,7 +3184,7 @@ static const MemoryRegionOps xhci_oper_ops = { + .read = xhci_oper_read, + .write = xhci_oper_write, + .valid.min_access_size = 4, +- .valid.max_access_size = 4, ++ .valid.max_access_size = sizeof(dma_addr_t), + .endianness = DEVICE_LITTLE_ENDIAN, + }; + +@@ -3200,7 +3200,7 @@ static const MemoryRegionOps xhci_runtime_ops = { + .read = xhci_runtime_read, + .write = xhci_runtime_write, + .valid.min_access_size = 4, +- .valid.max_access_size = 4, ++ .valid.max_access_size = sizeof(dma_addr_t), + .endianness = DEVICE_LITTLE_ENDIAN, + }; + +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch new file mode 100644 index 0000000000..6bad07d03f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch @@ -0,0 +1,39 @@ +From 70b78d4e71494c90d2ccb40381336bc9b9a22f79 Mon Sep 17 00:00:00 2001 +From: Alistair Francis +Date: Tue, 30 Jun 2020 13:12:11 -0700 +Subject: [PATCH] hw/riscv: Allow 64 bit access to SiFive CLINT + +Commit 5d971f9e672507210e77d020d89e0e89165c8fc9 +"memory: Revert "memory: accept mismatching sizes in +memory_region_access_valid"" broke most RISC-V boards as they do 64 bit +accesses to the CLINT and QEMU would trigger a fault. Fix this failure +by allowing 8 byte accesses. + +Signed-off-by: Alistair Francis +Reviewed-by: LIU Zhiwei +Message-Id: <122b78825b077e4dfd39b444d3a46fe894a7804c.1593547870.git.alistair.francis@wdc.com> + +https://git.qemu.org/?p=qemu.git;a=patch;h=70b78d4e71494c90d2ccb40381336bc9b9a22f79 +CVE: CVE-2020-13754 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + hw/riscv/sifive_clint.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/riscv/sifive_clint.c b/hw/riscv/sifive_clint.c +index b11ffa0..669c21a 100644 +--- a/hw/riscv/sifive_clint.c ++++ b/hw/riscv/sifive_clint.c +@@ -181,7 +181,7 @@ static const MemoryRegionOps sifive_clint_ops = { + .endianness = DEVICE_LITTLE_ENDIAN, + .valid = { + .min_access_size = 4, +- .max_access_size = 4 ++ .max_access_size = 8 + } + }; + +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch new file mode 100644 index 0000000000..cdd9c38db9 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch @@ -0,0 +1,67 @@ +From a114d6baedf2cccb454a46d36e399fec1bc3e1c0 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 18 Aug 2021 14:05:05 +0200 +Subject: [PATCH] uas: add stream number sanity checks. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The device uses the guest-supplied stream number unchecked, which can +lead to guest-triggered out-of-band access to the UASDevice->data3 and +UASDevice->status3 fields. Add the missing checks. + +Fixes: CVE-2021-3713 +Signed-off-by: Gerd Hoffmann +Reported-by: Chen Zhe +Reported-by: Tan Jingguo +Reviewed-by: Philippe Mathieu-Daudé +Message-Id: <20210818120505.1258262-2-kraxel@redhat.com> + +https://gitlab.com/qemu-project/qemu/-/commit/13b250b12ad3c59114a6a17d59caf073ce45b33a +CVE: CVE-2021-3713 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + hw/usb/dev-uas.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c +index 6d6d1073..0b8cd4dd 100644 +--- a/hw/usb/dev-uas.c ++++ b/hw/usb/dev-uas.c +@@ -830,6 +830,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) + } + break; + case UAS_PIPE_ID_STATUS: ++ if (p->stream > UAS_MAX_STREAMS) { ++ goto err_stream; ++ } + if (p->stream) { + QTAILQ_FOREACH(st, &uas->results, next) { + if (st->stream == p->stream) { +@@ -857,6 +860,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) + break; + case UAS_PIPE_ID_DATA_IN: + case UAS_PIPE_ID_DATA_OUT: ++ if (p->stream > UAS_MAX_STREAMS) { ++ goto err_stream; ++ } + if (p->stream) { + req = usb_uas_find_request(uas, p->stream); + } else { +@@ -892,6 +898,11 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) + p->status = USB_RET_STALL; + break; + } ++ ++err_stream: ++ error_report("%s: invalid stream %d", __func__, p->stream); ++ p->status = USB_RET_STALL; ++ return; + } + + static void usb_uas_unrealize(USBDevice *dev, Error **errp) diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch new file mode 100644 index 0000000000..b291ade4e3 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch @@ -0,0 +1,124 @@ +From bedd7e93d01961fcb16a97ae45d93acf357e11f6 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Thu, 2 Sep 2021 13:44:12 +0800 +Subject: [PATCH] virtio-net: fix use after unmap/free for sg + +When mergeable buffer is enabled, we try to set the num_buffers after +the virtqueue elem has been unmapped. This will lead several issues, +E.g a use after free when the descriptor has an address which belongs +to the non direct access region. In this case we use bounce buffer +that is allocated during address_space_map() and freed during +address_space_unmap(). + +Fixing this by storing the elems temporarily in an array and delay the +unmap after we set the the num_buffers. + +This addresses CVE-2021-3748. + +Reported-by: Alexander Bulekov +Fixes: fbe78f4f55c6 ("virtio-net support") +Cc: qemu-stable@nongnu.org +Signed-off-by: Jason Wang + +https://github.com/qemu/qemu/commit/bedd7e93d01961fcb16a97ae45d93acf357e11f6 +CVE: CVE-2021-3748 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++------- + 1 file changed, 32 insertions(+), 7 deletions(-) + +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c +index 16d20cdee52a..f205331dcf8c 100644 +--- a/hw/net/virtio-net.c ++++ b/hw/net/virtio-net.c +@@ -1746,10 +1746,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + VirtIONet *n = qemu_get_nic_opaque(nc); + VirtIONetQueue *q = virtio_net_get_subqueue(nc); + VirtIODevice *vdev = VIRTIO_DEVICE(n); ++ VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE]; ++ size_t lens[VIRTQUEUE_MAX_SIZE]; + struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE]; + struct virtio_net_hdr_mrg_rxbuf mhdr; + unsigned mhdr_cnt = 0; +- size_t offset, i, guest_offset; ++ size_t offset, i, guest_offset, j; ++ ssize_t err; + + if (!virtio_net_can_receive(nc)) { + return -1; +@@ -1780,6 +1783,12 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + + total = 0; + ++ if (i == VIRTQUEUE_MAX_SIZE) { ++ virtio_error(vdev, "virtio-net unexpected long buffer chain"); ++ err = size; ++ goto err; ++ } ++ + elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement)); + if (!elem) { + if (i) { +@@ -1791,7 +1800,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + n->guest_hdr_len, n->host_hdr_len, + vdev->guest_features); + } +- return -1; ++ err = -1; ++ goto err; + } + + if (elem->in_num < 1) { +@@ -1799,7 +1809,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + "virtio-net receive queue contains no in buffers"); + virtqueue_detach_element(q->rx_vq, elem, 0); + g_free(elem); +- return -1; ++ err = -1; ++ goto err; + } + + sg = elem->in_sg; +@@ -1836,12 +1847,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + if (!n->mergeable_rx_bufs && offset < size) { + virtqueue_unpop(q->rx_vq, elem, total); + g_free(elem); +- return size; ++ err = size; ++ goto err; + } + +- /* signal other side */ +- virtqueue_fill(q->rx_vq, elem, total, i++); +- g_free(elem); ++ elems[i] = elem; ++ lens[i] = total; ++ i++; + } + + if (mhdr_cnt) { +@@ -1851,10 +1863,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + &mhdr.num_buffers, sizeof mhdr.num_buffers); + } + ++ for (j = 0; j < i; j++) { ++ /* signal other side */ ++ virtqueue_fill(q->rx_vq, elems[j], lens[j], j); ++ g_free(elems[j]); ++ } ++ + virtqueue_flush(q->rx_vq, i); + virtio_notify(vdev, q->rx_vq); + + return size; ++ ++err: ++ for (j = 0; j < i; j++) { ++ g_free(elems[j]); ++ } ++ ++ return err; + } + + static ssize_t virtio_net_do_receive(NetClientState *nc, const uint8_t *buf, diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch new file mode 100644 index 0000000000..b1b5558647 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch @@ -0,0 +1,53 @@ +From b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella +Date: Thu, 4 Nov 2021 17:31:38 +0100 +Subject: [PATCH] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT + commands + +This avoids an off-by-one read of 'mode_sense_valid' buffer in +hw/scsi/scsi-disk.c:mode_sense_page(). + +Fixes: CVE-2021-3930 +Cc: qemu-stable@nongnu.org +Reported-by: Alexander Bulekov +Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table") +Fixes: #546 +Reported-by: Qiuhao Li +Signed-off-by: Mauro Matteo Cascella +Signed-off-by: Paolo Bonzini + +https://gitlab.com/qemu-project/qemu/-/commit/b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 +CVE: CVE-2021-3930 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + hw/scsi/scsi-disk.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c +index e8a547dbb7..d4914178ea 100644 +--- a/hw/scsi/scsi-disk.c ++++ b/hw/scsi/scsi-disk.c +@@ -1087,6 +1087,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf, + uint8_t *p = *p_outbuf + 2; + int length; + ++ assert(page < ARRAY_SIZE(mode_sense_valid)); + if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) { + return -1; + } +@@ -1428,6 +1429,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page, + return -1; + } + ++ /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */ ++ if (page == MODE_PAGE_ALLS) { ++ return -1; ++ } ++ + p = mode_current; + memset(mode_current, 0, inlen + 2); + len = mode_sense_page(s, page, &p, 0); +-- +GitLab + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch new file mode 100644 index 0000000000..80ad49e4ed --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch @@ -0,0 +1,89 @@ +From fa892e9abb728e76afcf27323ab29c57fb0fe7aa Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella +Date: Thu, 7 Apr 2022 10:17:12 +0200 +Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc + (CVE-2021-4206) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Prevent potential integer overflow by limiting 'width' and 'height' to +512x512. Also change 'datasize' type to size_t. Refer to security +advisory https://starlabs.sg/advisories/22-4206/ for more information. + +Fixes: CVE-2021-4206 +Signed-off-by: Mauro Matteo Cascella +Reviewed-by: Marc-André Lureau +Message-Id: <20220407081712.345609-1-mcascell@redhat.com> +Signed-off-by: Gerd Hoffmann + +https://gitlab.com/qemu-project/qemu/-/commit/fa892e9a +CVE: CVE-2021-4206 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + hw/display/qxl-render.c | 7 +++++++ + hw/display/vmware_vga.c | 2 ++ + ui/cursor.c | 8 +++++++- + 3 files changed, 16 insertions(+), 1 deletion(-) + +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c +index 237ed293ba..ca217004bf 100644 +--- a/hw/display/qxl-render.c ++++ b/hw/display/qxl-render.c +@@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor, + size_t size; + + c = cursor_alloc(cursor->header.width, cursor->header.height); ++ ++ if (!c) { ++ qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__, ++ cursor->header.width, cursor->header.height); ++ goto fail; ++ } ++ + c->hot_x = cursor->header.hot_spot_x; + c->hot_y = cursor->header.hot_spot_y; + switch (cursor->header.type) { +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c +index 98c83474ad..45d06cbe25 100644 +--- a/hw/display/vmware_vga.c ++++ b/hw/display/vmware_vga.c +@@ -515,6 +515,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s, + int i, pixels; + + qc = cursor_alloc(c->width, c->height); ++ assert(qc != NULL); ++ + qc->hot_x = c->hot_x; + qc->hot_y = c->hot_y; + switch (c->bpp) { +diff --git a/ui/cursor.c b/ui/cursor.c +index 1d62ddd4d0..835f0802f9 100644 +--- a/ui/cursor.c ++++ b/ui/cursor.c +@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[]) + + /* parse pixel data */ + c = cursor_alloc(width, height); ++ assert(c != NULL); ++ + for (pixel = 0, y = 0; y < height; y++, line++) { + for (x = 0; x < height; x++, pixel++) { + idx = xpm[line][x]; +@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void) + QEMUCursor *cursor_alloc(int width, int height) + { + QEMUCursor *c; +- int datasize = width * height * sizeof(uint32_t); ++ size_t datasize = width * height * sizeof(uint32_t); ++ ++ if (width > 512 || height > 512) { ++ return NULL; ++ } + + c = g_malloc0(sizeof(QEMUCursor) + datasize); + c->width = width; +-- +GitLab + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch new file mode 100644 index 0000000000..8418246247 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch @@ -0,0 +1,43 @@ +From 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895 Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella +Date: Thu, 7 Apr 2022 10:11:06 +0200 +Subject: [PATCH] display/qxl-render: fix race condition in qxl_cursor + (CVE-2021-4207) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Avoid fetching 'width' and 'height' a second time to prevent possible +race condition. Refer to security advisory +https://starlabs.sg/advisories/22-4207/ for more information. + +Fixes: CVE-2021-4207 +Signed-off-by: Mauro Matteo Cascella +Reviewed-by: Marc-André Lureau +Message-Id: <20220407081106.343235-1-mcascell@redhat.com> +Signed-off-by: Gerd Hoffmann + +https://gitlab.com/qemu-project/qemu/-/commit/9569f5cb +CVE: CVE-2021-4207 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + hw/display/qxl-render.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c +index d28849b121..237ed293ba 100644 +--- a/hw/display/qxl-render.c ++++ b/hw/display/qxl-render.c +@@ -266,7 +266,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor, + } + break; + case SPICE_CURSOR_TYPE_ALPHA: +- size = sizeof(uint32_t) * cursor->header.width * cursor->header.height; ++ size = sizeof(uint32_t) * c->width * c->height; + qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id); + if (qxl->debug > 2) { + cursor_print_ascii_art(c, "qxl/alpha"); +-- +GitLab + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch new file mode 100644 index 0000000000..6a7ce0e26c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch @@ -0,0 +1,42 @@ +From 6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8 Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella +Date: Tue, 5 Jul 2022 22:05:43 +0200 +Subject: [PATCH] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout + (CVE-2022-0216) + +Set current_req->req to NULL to prevent reusing a free'd buffer in case of +repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch. + +Fixes: CVE-2022-0216 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972 +Signed-off-by: Mauro Matteo Cascella +Reviewed-by: Thomas Huth +Message-Id: <20220705200543.2366809-1-mcascell@redhat.com> +Signed-off-by: Paolo Bonzini + +https://gitlab.com/qemu-project/qemu/-/commit/6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8 +CVE: CVE-2022-0216 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + hw/scsi/lsi53c895a.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c +index c8773f73f7..99ea42d49b 100644 +--- a/hw/scsi/lsi53c895a.c ++++ b/hw/scsi/lsi53c895a.c +@@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s) + case 0x0d: + /* The ABORT TAG message clears the current I/O process only. */ + trace_lsi_do_msgout_abort(current_tag); +- if (current_req) { ++ if (current_req && current_req->req) { + scsi_req_cancel(current_req->req); ++ current_req->req = NULL; + } + lsi_disconnect(s); + break; +-- +GitLab + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch new file mode 100644 index 0000000000..137906cd30 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch @@ -0,0 +1,52 @@ +From 4367a20cc442c56b05611b4224de9a61908f9eac Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella +Date: Mon, 11 Jul 2022 14:33:16 +0200 +Subject: [PATCH] scsi/lsi53c895a: really fix use-after-free in lsi_do_msgout + (CVE-2022-0216) + +Set current_req to NULL, not current_req->req, to prevent reusing a free'd +buffer in case of repeated SCSI cancel requests. Also apply the fix to +CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel +the request. + +Thanks to Alexander Bulekov for providing a reproducer. + +Fixes: CVE-2022-0216 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972 +Signed-off-by: Mauro Matteo Cascella +Tested-by: Alexander Bulekov +Message-Id: <20220711123316.421279-1-mcascell@redhat.com> +Signed-off-by: Paolo Bonzini + +https://gitlab.com/qemu-project/qemu/-/commit/4367a20cc4 +CVE: CVE-2022-0216 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + hw/scsi/lsi53c895a.c | 3 +- + 1 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c +index 99ea42d49b..ad5f5e5f39 100644 +--- a/hw/scsi/lsi53c895a.c ++++ b/hw/scsi/lsi53c895a.c +@@ -1030,7 +1030,7 @@ static void lsi_do_msgout(LSIState *s) + trace_lsi_do_msgout_abort(current_tag); + if (current_req && current_req->req) { + scsi_req_cancel(current_req->req); +- current_req->req = NULL; ++ current_req = NULL; + } + lsi_disconnect(s); + break; +@@ -1056,6 +1056,7 @@ static void lsi_do_msgout(LSIState *s) + /* clear the current I/O process */ + if (s->current) { + scsi_req_cancel(s->current->req); ++ current_req = NULL; + } + + /* As the current implemented devices scsi_disk and scsi_generic +-- +GitLab +