diff -Nru qemu-5.2+dfsg/debian/changelog qemu-5.2+dfsg/debian/changelog
--- qemu-5.2+dfsg/debian/changelog 2021-04-07 09:58:29.000000000 +0000
+++ qemu-5.2+dfsg/debian/changelog 2021-07-08 13:51:29.000000000 +0000
@@ -1,3 +1,94 @@ +qemu (1:5.2+dfsg-9ubuntu3.1) hirsute-security; urgency=medium + + * SECURITY UPDATE: NULL pointer dereference in MemoryRegionOps object + - debian/patches/CVE-2020-15469-1.patch: add pci-intack write method in + hw/pci-host/prep.c. + - debian/patches/CVE-2020-15469-2.patch: add pcie-msi read method in + hw/pci-host/designware.c. + - debian/patches/CVE-2020-15469-3.patch: add quirk device write method + in hw/vfio/pci-quirks.c. + - debian/patches/CVE-2020-15469-4.patch: add ppc-parity write method in + hw/ppc/prep_systemio.c. + - debian/patches/CVE-2020-15469-5.patch: add nrf51_soc flash read + method in hw/nvram/nrf51_nvm.c. + - debian/patches/CVE-2020-15469-6.patch: add spapr msi read method in + hw/ppc/spapr_pci.c. + - debian/patches/CVE-2020-15469-7.patch: add dummy read/write methods + in hw/misc/tz-ppc.c. + - debian/patches/CVE-2020-15469-8.patch: add digprog mmio write method + in hw/misc/imx7_ccm.c. + - CVE-2020-15469 + * SECURITY UPDATE: out of bounds read in ide_atapi_cmd_reply_end + - debian/patches/CVE-2020-29443-2.patch: check logical block address + and read size in hw/ide/atapi.c. + - CVE-2020-29443 + * SECURITY UPDATE: NULL pointer dereference flaw in SCSI emulation + - debian/patches/CVE-2020-35504.patch: always check current_req is not + NULL before use in DMA callbacks in hw/scsi/esp.c. + - CVE-2020-35504 + * SECURITY UPDATE: NULL pointer dereference flaw in am53c974 SCSI + - debian/patches/CVE-2020-35505.patch: ensure cmdfifo is not empty and + current_dev is non-NULL in hw/scsi/esp.c. + - CVE-2020-35505 + * SECURITY UPDATE: use-after-free flaw was found in the MegaRAID emulator + - debian/patches/CVE-2021-3392.patch: Remove unused MPTSASState pending + field in hw/scsi/mptsas.c, hw/scsi/mptsas.h. + - CVE-2021-3392 + * SECURITY UPDATE: out-of-bounds read/write in SDHCI controller emulation + - debian/patches/CVE-2021-3409-1.patch: don't transfer any data when + command time out in hw/sd/sdhci.c. 
+ - debian/patches/CVE-2021-3409-2.patch: don't write to SDHC_SYSAD + register when transfer is in progress in hw/sd/sdhci.c. + - debian/patches/CVE-2021-3409-3.patch: correctly set the controller + status for ADMA in hw/sd/sdhci.c. + - debian/patches/CVE-2021-3409-4.patch: limit block size only when + SDHC_BLKSIZE register is writable in hw/sd/sdhci.c. + - debian/patches/CVE-2021-3409-5.patch: reset the data pointer of + s->fifo_buffer[] when a different block size is programmed in + hw/sd/sdhci.c. + - CVE-2021-3409 + * SECURITY UPDATE: DoS in USB redirector device + - debian/patches/CVE-2021-3527-1.patch: avoid dynamic stack allocation + in hw/usb/redirect.c. + - debian/patches/CVE-2021-3527-2.patch: limit combined packets to 1 MiB + in hw/usb/combined-packet.c. + - CVE-2021-3527 + * SECURITY UPDATE: multiple issues in virtio vhost-user GPU device + - debian/patches/CVE-2021-3544-1.patch: fix memory disclosure in + contrib/vhost-user-gpu/virgl.c. + - debian/patches/CVE-2021-3544-2.patch: fix resource leak in + contrib/vhost-user-gpu/vhost-user-gpu.c. + - debian/patches/CVE-2021-3544-3.patch: fix memory leak in + contrib/vhost-user-gpu/vhost-user-gpu.c. + - debian/patches/CVE-2021-3544-4.patch: fix memory leak in + contrib/vhost-user-gpu/vhost-user-gpu.c. + - debian/patches/CVE-2021-3544-5.patch: fix memory leak in + contrib/vhost-user-gpu/virgl.c. + - debian/patches/CVE-2021-3544-6.patch: fix memory leak in + contrib/vhost-user-gpu/virgl.c. + - debian/patches/CVE-2021-3544-7.patch: fix OOB write in + contrib/vhost-user-gpu/virgl.c. + - debian/patches/CVE-2021-3544-8.patch: abstract vg_cleanup_mapping_iov + in contrib/vhost-user-gpu/vhost-user-gpu.c, + contrib/vhost-user-gpu/virgl.c, contrib/vhost-user-gpu/vugpu.h. + - CVE-2021-3544 + - CVE-2021-3545 + - CVE-2021-3546 + * SECURITY UPDATE: mremap overflow in the pvrdma device + - debian/patches/CVE-2021-3582.patch: check lengths in + hw/rdma/vmw/pvrdma_cmd.c. 
+ - CVE-2021-3582 + * SECURITY UPDATE: integer overflow in pvrdma device + - debian/patches/CVE-2021-3607.patch: ensure correct input on ring init + in hw/rdma/vmw/pvrdma_main.c. + - CVE-2021-3607 + * SECURITY UPDATE: uninitialized memory unmap in pvrdma device + - debian/patches/CVE-2021-3608.patch: fix the ring init error flow in + hw/rdma/vmw/pvrdma_dev_ring.c. + - CVE-2021-3608 + + -- Marc Deslauriers Thu, 08 Jul 2021 09:51:29 -0400 + qemu (1:5.2+dfsg-9ubuntu3) hirsute; urgency=medium * d/p/u/lp-1921754*: add EPYC-Rome-v2 as v1 missed IBRS and thereby fails diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2020-15469-1.patch qemu-5.2+dfsg/debian/patches/CVE-2020-15469-1.patch --- qemu-5.2+dfsg/debian/patches/CVE-2020-15469-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-5.2+dfsg/debian/patches/CVE-2020-15469-1.patch 2021-07-08 13:11:45.000000000 +0000 
@@ -0,0 +1,44 @@ +From 520f26fc6d17b71a43eaf620e834b3bdf316f3d3 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Tue, 11 Aug 2020 17:11:25 +0530 +Subject: [PATCH] hw/pci-host: add pci-intack write method + +Add pci-intack mmio write method to avoid NULL pointer dereference +issue. + +Reported-by: Lei Sun +Reviewed-by: Li Qiang +Reviewed-by: Peter Maydell +Signed-off-by: Prasad J Pandit +Message-Id: <20200811114133.672647-2-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +--- + hw/pci-host/prep.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/hw/pci-host/prep.c ++++ b/hw/pci-host/prep.c +@@ -26,6 +26,7 @@ + #include "qemu/osdep.h" + #include "qemu-common.h" + #include "qemu/units.h" ++#include "qemu/log.h" + #include "qapi/error.h" + #include "hw/pci/pci.h" + #include "hw/pci/pci_bus.h" +@@ -120,8 +121,15 @@ static uint64_t raven_intack_read(void * + return pic_read_irq(isa_pic); + } + ++static void raven_intack_write(void *opaque, hwaddr addr, ++ uint64_t data, unsigned size) ++{ ++ qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__); ++} ++ + static const MemoryRegionOps raven_intack_ops = { + .read = raven_intack_read, ++ .write = raven_intack_write, + .valid = { + .max_access_size = 1, + }, diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2020-15469-2.patch qemu-5.2+dfsg/debian/patches/CVE-2020-15469-2.patch --- qemu-5.2+dfsg/debian/patches/CVE-2020-15469-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-5.2+dfsg/debian/patches/CVE-2020-15469-2.patch 2021-07-08 13:11:48.000000000 +0000 
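Review bot: The new raven_intack_write discards addr, data and size, so its LOG_UNIMP line tells an operator only that some write happened, not at which offset or width — the one detail needed to tell a buggy driver from a guest probing the region. Consider `qemu_log_mask(LOG_UNIMP, "%s: unimplemented write at 0x%" HWADDR_PRIx " (size %u)\n", __func__, addr, size);`. The handlers added by CVE-2020-15469-3, -4, -6 and -8 in this upload likewise log without the access offset and would benefit from the same change. The raven_intack_ops initializer continues outside the hunk.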
@@ -0,0 +1,65 @@ +From 4f2a5202a05fc1612954804a2482f07bff105ea2 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Tue, 11 Aug 2020 17:11:26 +0530 +Subject: [PATCH] pci-host: designware: add pcie-msi read method + +Add pcie-msi mmio read method to avoid NULL pointer dereference +issue. + +Reported-by: Lei Sun +Reviewed-by: Li Qiang +Reviewed-by: Peter Maydell +Signed-off-by: Prasad J Pandit +Message-Id: <20200811114133.672647-3-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +--- + hw/pci-host/designware.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/hw/pci-host/designware.c b/hw/pci-host/designware.c +index f9fb97a..bde3a34 100644 +--- a/hw/pci-host/designware.c ++++ b/hw/pci-host/designware.c +@@ -21,6 +21,7 @@ + #include "qemu/osdep.h" + #include "qapi/error.h" + #include "qemu/module.h" ++#include "qemu/log.h" + #include "hw/pci/msi.h" + #include "hw/pci/pci_bridge.h" + #include "hw/pci/pci_host.h" +@@ -63,6 +64,23 @@ designware_pcie_root_to_host(DesignwarePCIERoot *root) + return DESIGNWARE_PCIE_HOST(bus->parent); + } + ++static uint64_t designware_pcie_root_msi_read(void *opaque, hwaddr addr, ++ unsigned size) ++{ ++ /* ++ * Attempts to read from the MSI address are undefined in ++ * the PCI specifications. For this hardware, the datasheet ++ * specifies that a read from the magic address is simply not ++ * intercepted by the MSI controller, and will go out to the ++ * AHB/AXI bus like any other PCI-device-initiated DMA read. ++ * This is not trivial to implement in QEMU, so since ++ * well-behaved guests won't ever ask a PCI device to DMA from ++ * this address we just log the missing functionality. 
++ */ ++ qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__); ++ return 0; ++} ++ + static void designware_pcie_root_msi_write(void *opaque, hwaddr addr, + uint64_t val, unsigned len) + { +@@ -77,6 +95,7 @@ static void designware_pcie_root_msi_write(void *opaque, hwaddr addr, + } + + static const MemoryRegionOps designware_pci_host_msi_ops = { ++ .read = designware_pcie_root_msi_read, + .write = designware_pcie_root_msi_write, + .endianness = DEVICE_LITTLE_ENDIAN, + .valid = { +-- +1.8.3.1 + diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2020-15469-3.patch qemu-5.2+dfsg/debian/patches/CVE-2020-15469-3.patch --- qemu-5.2+dfsg/debian/patches/CVE-2020-15469-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-5.2+dfsg/debian/patches/CVE-2020-15469-3.patch 2021-07-08 13:11:52.000000000 +0000 
@@ -0,0 +1,50 @@ +From 24202d2b561c3b4c48bd28383c8c34b4ac66c2bf Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Tue, 11 Aug 2020 17:11:27 +0530 +Subject: [PATCH] vfio: add quirk device write method + +Add vfio quirk device mmio write method to avoid NULL pointer +dereference issue. + +Reported-by: Lei Sun +Reviewed-by: Li Qiang +Reviewed-by: Peter Maydell +Acked-by: Alex Williamson +Signed-off-by: Prasad J Pandit +Message-Id: <20200811114133.672647-4-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +--- + hw/vfio/pci-quirks.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/vfio/pci-quirks.c b/hw/vfio/pci-quirks.c +index fc8d63c..c5c4c61 100644 +--- a/hw/vfio/pci-quirks.c ++++ b/hw/vfio/pci-quirks.c +@@ -14,6 +14,7 @@ + #include CONFIG_DEVICES + #include "exec/memop.h" + #include "qemu/units.h" ++#include "qemu/log.h" + #include "qemu/error-report.h" + #include "qemu/main-loop.h" + #include "qemu/module.h" +@@ -264,8 +265,15 @@ static uint64_t vfio_ati_3c3_quirk_read(void *opaque, + return data; + } + ++static void vfio_ati_3c3_quirk_write(void *opaque, hwaddr addr, ++ uint64_t data, unsigned size) ++{ ++ qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid access\n", __func__); ++} ++ + static const MemoryRegionOps vfio_ati_3c3_quirk = { + .read = vfio_ati_3c3_quirk_read, ++ .write = vfio_ati_3c3_quirk_write, + .endianness = DEVICE_LITTLE_ENDIAN, + }; + +-- +1.8.3.1 + diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2020-15469-4.patch qemu-5.2+dfsg/debian/patches/CVE-2020-15469-4.patch --- qemu-5.2+dfsg/debian/patches/CVE-2020-15469-4.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-5.2+dfsg/debian/patches/CVE-2020-15469-4.patch 2021-07-08 13:11:56.000000000 +0000 
@@ -0,0 +1,49 @@ +From f867cebaedbc9c43189f102e4cdfdff05e88df7f Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Tue, 11 Aug 2020 17:11:28 +0530 +Subject: [PATCH] prep: add ppc-parity write method + +Add ppc-parity mmio write method to avoid NULL pointer dereference +issue. + +Reported-by: Lei Sun +Acked-by: David Gibson +Signed-off-by: Prasad J Pandit +Reviewed-by: Li Qiang +Message-Id: <20200811114133.672647-5-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +--- + hw/ppc/prep_systemio.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/ppc/prep_systemio.c b/hw/ppc/prep_systemio.c +index 4e48ef2..b2bd783 100644 +--- a/hw/ppc/prep_systemio.c ++++ b/hw/ppc/prep_systemio.c +@@ -23,6 +23,7 @@ + */ + + #include "qemu/osdep.h" ++#include "qemu/log.h" + #include "hw/irq.h" + #include "hw/isa/isa.h" + #include "hw/qdev-properties.h" +@@ -235,8 +236,15 @@ static uint64_t ppc_parity_error_readl(void *opaque, hwaddr addr, + return val; + } + ++static void ppc_parity_error_writel(void *opaque, hwaddr addr, ++ uint64_t data, unsigned size) ++{ ++ qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid access\n", __func__); ++} ++ + static const MemoryRegionOps ppc_parity_error_ops = { + .read = ppc_parity_error_readl, ++ .write = ppc_parity_error_writel, + .valid = { + .min_access_size = 4, + .max_access_size = 4, +-- +1.8.3.1 + diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2020-15469-5.patch qemu-5.2+dfsg/debian/patches/CVE-2020-15469-5.patch --- qemu-5.2+dfsg/debian/patches/CVE-2020-15469-5.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-5.2+dfsg/debian/patches/CVE-2020-15469-5.patch 2021-07-08 13:12:00.000000000 +0000 
@@ -0,0 +1,49 @@ +From b5bf601f364e1a14ca4c3276f88dfec024acf613 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Tue, 11 Aug 2020 17:11:29 +0530 +Subject: [PATCH] nvram: add nrf51_soc flash read method + +Add nrf51_soc mmio read method to avoid NULL pointer dereference +issue. + +Reported-by: Lei Sun +Reviewed-by: Peter Maydell +Signed-off-by: Prasad J Pandit +Reviewed-by: Li Qiang +Message-Id: <20200811114133.672647-6-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +--- + hw/nvram/nrf51_nvm.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/hw/nvram/nrf51_nvm.c b/hw/nvram/nrf51_nvm.c +index f2283c1..7b3460d 100644 +--- a/hw/nvram/nrf51_nvm.c ++++ b/hw/nvram/nrf51_nvm.c +@@ -273,6 +273,15 @@ static const MemoryRegionOps io_ops = { + .endianness = DEVICE_LITTLE_ENDIAN, + }; + ++static uint64_t flash_read(void *opaque, hwaddr offset, unsigned size) ++{ ++ /* ++ * This is a rom_device MemoryRegion which is always in ++ * romd_mode (we never put it in MMIO mode), so reads always ++ * go directly to RAM and never come here. ++ */ ++ g_assert_not_reached(); ++} + + static void flash_write(void *opaque, hwaddr offset, uint64_t value, + unsigned int size) +@@ -300,6 +309,7 @@ static void flash_write(void *opaque, hwaddr offset, uint64_t value, + + + static const MemoryRegionOps flash_ops = { ++ .read = flash_read, + .write = flash_write, + .valid.min_access_size = 4, + .valid.max_access_size = 4, +-- +1.8.3.1 + diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2020-15469-6.patch qemu-5.2+dfsg/debian/patches/CVE-2020-15469-6.patch --- qemu-5.2+dfsg/debian/patches/CVE-2020-15469-6.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-5.2+dfsg/debian/patches/CVE-2020-15469-6.patch 2021-07-08 13:12:04.000000000 +0000 
@@ -0,0 +1,60 @@ +From 921604e175b8ec06c39503310e7b3ec1e3eafe9e Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Tue, 11 Aug 2020 17:11:30 +0530 +Subject: [PATCH] spapr_pci: add spapr msi read method + +Add spapr msi mmio read method to avoid NULL pointer dereference +issue. + +Reported-by: Lei Sun +Acked-by: David Gibson +Reviewed-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-Id: <20200811114133.672647-7-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +--- + hw/ppc/spapr_pci.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/hw/ppc/spapr_pci.c b/hw/ppc/spapr_pci.c +index 76d7c91..b89f810 100644 +--- a/hw/ppc/spapr_pci.c ++++ b/hw/ppc/spapr_pci.c +@@ -53,6 +53,7 @@ + #include "sysemu/hostmem.h" + #include "sysemu/numa.h" + #include "hw/ppc/spapr_numa.h" ++#include "qemu/log.h" + + /* Copied from the kernel arch/powerpc/platforms/pseries/msi.c */ + #define RTAS_QUERY_FN 0 +@@ -739,6 +740,12 @@ static PCIINTxRoute spapr_route_intx_pin_to_irq(void *opaque, int pin) + return route; + } + ++static uint64_t spapr_msi_read(void *opaque, hwaddr addr, unsigned size) ++{ ++ qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid access\n", __func__); ++ return 0; ++} ++ + /* + * MSI/MSIX memory region implementation. + * The handler handles both MSI and MSIX. +@@ -756,8 +763,11 @@ static void spapr_msi_write(void *opaque, hwaddr addr, + } + + static const MemoryRegionOps spapr_msi_ops = { +- /* There is no .read as the read result is undefined by PCI spec */ +- .read = NULL, ++ /* ++ * .read result is undefined by PCI spec. 
++ * define .read method to avoid assert failure in memory_region_init_io ++ */ ++ .read = spapr_msi_read, + .write = spapr_msi_write, + .endianness = DEVICE_LITTLE_ENDIAN + }; +-- +1.8.3.1 + diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2020-15469-7.patch qemu-5.2+dfsg/debian/patches/CVE-2020-15469-7.patch --- qemu-5.2+dfsg/debian/patches/CVE-2020-15469-7.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-5.2+dfsg/debian/patches/CVE-2020-15469-7.patch 2021-07-08 13:12:07.000000000 +0000 
@@ -0,0 +1,46 @@ +From 2c9fb3b784000c1df32231e1c2464bb2e3fc4620 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Tue, 11 Aug 2020 17:11:31 +0530 +Subject: [PATCH] tz-ppc: add dummy read/write methods + +Add tz-ppc-dummy mmio read/write methods to avoid assert failure +during initialisation. + +Reviewed-by: Peter Maydell +Signed-off-by: Prasad J Pandit +Reviewed-by: Li Qiang +Message-Id: <20200811114133.672647-8-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +--- + hw/misc/tz-ppc.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/hw/misc/tz-ppc.c b/hw/misc/tz-ppc.c +index 6431257..36495c6 100644 +--- a/hw/misc/tz-ppc.c ++++ b/hw/misc/tz-ppc.c +@@ -196,7 +196,21 @@ static bool tz_ppc_dummy_accepts(void *opaque, hwaddr addr, + g_assert_not_reached(); + } + ++static uint64_t tz_ppc_dummy_read(void *opaque, hwaddr addr, unsigned size) ++{ ++ g_assert_not_reached(); ++} ++ ++static void tz_ppc_dummy_write(void *opaque, hwaddr addr, ++ uint64_t data, unsigned size) ++{ ++ g_assert_not_reached(); ++} ++ + static const MemoryRegionOps tz_ppc_dummy_ops = { ++ /* define r/w methods to avoid assert failure in memory_region_init_io */ ++ .read = tz_ppc_dummy_read, ++ .write = tz_ppc_dummy_write, + .valid.accepts = tz_ppc_dummy_accepts, + }; + +-- +1.8.3.1 + diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2020-15469-8.patch qemu-5.2+dfsg/debian/patches/CVE-2020-15469-8.patch --- qemu-5.2+dfsg/debian/patches/CVE-2020-15469-8.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-5.2+dfsg/debian/patches/CVE-2020-15469-8.patch 2021-07-08 13:12:11.000000000 +0000 
@@ -0,0 +1,40 @@ +From 735754aaa15a6ed46db51fd731e88331c446ea54 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Tue, 11 Aug 2020 17:11:32 +0530 +Subject: [PATCH] imx7-ccm: add digprog mmio write method + +Add digprog mmio write method to avoid assert failure during +initialisation. + +Reviewed-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-Id: <20200811114133.672647-9-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +--- + hw/misc/imx7_ccm.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/misc/imx7_ccm.c b/hw/misc/imx7_ccm.c +index 02fc1ae..075159e 100644 +--- a/hw/misc/imx7_ccm.c ++++ b/hw/misc/imx7_ccm.c +@@ -131,8 +131,16 @@ static const struct MemoryRegionOps imx7_set_clr_tog_ops = { + }, + }; + ++static void imx7_digprog_write(void *opaque, hwaddr addr, ++ uint64_t data, unsigned size) ++{ ++ qemu_log_mask(LOG_GUEST_ERROR, ++ "Guest write to read-only ANALOG_DIGPROG register\n"); ++} ++ + static const struct MemoryRegionOps imx7_digprog_ops = { + .read = imx7_set_clr_tog_read, ++ .write = imx7_digprog_write, + .endianness = DEVICE_NATIVE_ENDIAN, + .impl = { + .min_access_size = 4, +-- +1.8.3.1 + diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2020-29443-2.patch qemu-5.2+dfsg/debian/patches/CVE-2020-29443-2.patch --- qemu-5.2+dfsg/debian/patches/CVE-2020-29443-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-5.2+dfsg/debian/patches/CVE-2020-29443-2.patch 2021-07-08 13:12:38.000000000 +0000 
@@ -0,0 +1,102 @@ +From b8d7f1bc59276fec85e4d09f1567613a3e14d31e Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Mon, 18 Jan 2021 17:21:30 +0530 +Subject: [PATCH] ide: atapi: check logical block address and read size + (CVE-2020-29443) + +While processing ATAPI cmd_read/cmd_read_cd commands, +Logical Block Address (LBA) maybe invalid OR closer to the last block, +leading to an OOB access issues. Add range check to avoid it. + +Fixes: CVE-2020-29443 +Reported-by: Wenxiang Qian +Suggested-by: Paolo Bonzini +Reviewed-by: Paolo Bonzini +Signed-off-by: Prasad J Pandit +Message-Id: <20210118115130.457044-1-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +--- + hw/ide/atapi.c | 30 ++++++++++++++++++++++++------ + 1 file changed, 24 insertions(+), 6 deletions(-) + +diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c +index e791578..b626199 100644 +--- a/hw/ide/atapi.c ++++ b/hw/ide/atapi.c +@@ -322,6 +322,8 @@ static void ide_atapi_cmd_reply(IDEState *s, int size, int max_size) + static void ide_atapi_cmd_read_pio(IDEState *s, int lba, int nb_sectors, + int sector_size) + { ++ assert(0 <= lba && lba < (s->nb_sectors >> 2)); ++ + s->lba = lba; + s->packet_transfer_size = nb_sectors * sector_size; + s->elementary_transfer_size = 0; +@@ -420,6 +422,8 @@ eot: + static void ide_atapi_cmd_read_dma(IDEState *s, int lba, int nb_sectors, + int sector_size) + { ++ assert(0 <= lba && lba < (s->nb_sectors >> 2)); ++ + s->lba = lba; + s->packet_transfer_size = nb_sectors * sector_size; + s->io_buffer_size = 0; +@@ -973,35 +977,49 @@ static void cmd_prevent_allow_medium_removal(IDEState *s, uint8_t* buf) + + static void cmd_read(IDEState *s, uint8_t* buf) + { +- int nb_sectors, lba; ++ unsigned int nb_sectors, lba; ++ ++ /* Total logical sectors of ATAPI_SECTOR_SIZE(=2048) bytes */ ++ uint64_t total_sectors = s->nb_sectors >> 2; + + if (buf[0] == GPCMD_READ_10) { + nb_sectors = lduw_be_p(buf + 7); + } else { + nb_sectors = ldl_be_p(buf + 6); + } +- +- lba = ldl_be_p(buf + 2); + if 
(nb_sectors == 0) { + ide_atapi_cmd_ok(s); + return; + } + ++ lba = ldl_be_p(buf + 2); ++ if (lba >= total_sectors || lba + nb_sectors - 1 >= total_sectors) { ++ ide_atapi_cmd_error(s, ILLEGAL_REQUEST, ASC_LOGICAL_BLOCK_OOR); ++ return; ++ } ++ + ide_atapi_cmd_read(s, lba, nb_sectors, 2048); + } + + static void cmd_read_cd(IDEState *s, uint8_t* buf) + { +- int nb_sectors, lba, transfer_request; ++ unsigned int nb_sectors, lba, transfer_request; + +- nb_sectors = (buf[6] << 16) | (buf[7] << 8) | buf[8]; +- lba = ldl_be_p(buf + 2); ++ /* Total logical sectors of ATAPI_SECTOR_SIZE(=2048) bytes */ ++ uint64_t total_sectors = s->nb_sectors >> 2; + ++ nb_sectors = (buf[6] << 16) | (buf[7] << 8) | buf[8]; + if (nb_sectors == 0) { + ide_atapi_cmd_ok(s); + return; + } + ++ lba = ldl_be_p(buf + 2); ++ if (lba >= total_sectors || lba + nb_sectors - 1 >= total_sectors) { ++ ide_atapi_cmd_error(s, ILLEGAL_REQUEST, ASC_LOGICAL_BLOCK_OOR); ++ return; ++ } ++ + transfer_request = buf[9] & 0xf8; + if (transfer_request == 0x00) { + /* nothing */ +-- +1.8.3.1 + diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2020-35504.patch qemu-5.2+dfsg/debian/patches/CVE-2020-35504.patch --- qemu-5.2+dfsg/debian/patches/CVE-2020-35504.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-5.2+dfsg/debian/patches/CVE-2020-35504.patch 2021-07-08 13:41:23.000000000 +0000 
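Review bot: The new range check in cmd_read computes `lba + nb_sectors - 1` in 32-bit unsigned arithmetic (both are `unsigned int`) and only then compares against the 64-bit total_sectors, so a count near 0xFFFFFFFF from the non-READ_10 branch (`ldl_be_p(buf + 6)`) can wrap the sum below total_sectors and pass while lba itself is in range. Widening before the add closes that: `if (lba >= total_sectors || (uint64_t)lba + nb_sectors - 1 >= total_sectors) {`, and the identical line in cmd_read_cd further down the hunk needs the same change. Whether a wrapped count is caught later by the per-sector path cannot be judged from this hunk, but the `nb_sectors * sector_size` in ide_atapi_cmd_read_pio (visible in the first hunk of this patch) is a plain int multiply that would overflow with such a count. cmd_read_cd's body continues past the end of the hunk.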
@@ -0,0 +1,47 @@
+Backport of:
+
+From 0db895361b8a82e1114372ff9f4857abea605701 Mon Sep 17 00:00:00 2001
+From: Mark Cave-Ayland
+Date: Wed, 7 Apr 2021 20:57:50 +0100
+Subject: [PATCH] esp: always check current_req is not NULL before use in DMA
+ callbacks
+
+After issuing a SCSI command the SCSI layer can call the SCSIBusInfo .cancel
+callback which resets both current_req and current_dev to NULL. If any data
+is left in the transfer buffer (async_len != 0) then the next TI (Transfer
+Information) command will attempt to reference the NULL pointer causing a
+segfault.
+
+Buglink: https://bugs.launchpad.net/qemu/+bug/1910723
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
+Signed-off-by: Mark Cave-Ayland
+Tested-by: Alexander Bulekov
+Message-Id: <20210407195801.685-2-mark.cave-ayland@ilande.co.uk>
+---
+ hw/scsi/esp.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/hw/scsi/esp.c
++++ b/hw/scsi/esp.c
+@@ -362,6 +362,11 @@ static void do_dma_pdma_cb(ESPState *s)
+ do_cmd(s, s->cmdbuf);
+ return;
+ }
++
++ if (!s->current_req) {
++ return;
++ }
++
+ s->dma_left -= len;
+ s->async_buf += len;
+ s->async_len -= len;
+@@ -415,6 +420,9 @@ static void esp_do_dma(ESPState *s)
+ do_cmd(s, s->cmdbuf);
+ return;
+ }
++ if (!s->current_req) {
++ return;
++ }
+ if (s->async_len == 0) {
+ /* Defer until data is available. */
+ return;
diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2020-35505.patch qemu-5.2+dfsg/debian/patches/CVE-2020-35505.patch
--- qemu-5.2+dfsg/debian/patches/CVE-2020-35505.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-5.2+dfsg/debian/patches/CVE-2020-35505.patch 2021-07-08 13:41:27.000000000 +0000
@@ -0,0 +1,38 @@
+Backport of:
+
+From 99545751734035b76bd372c4e7215bb337428d89 Mon Sep 17 00:00:00 2001
+From: Mark Cave-Ayland
+Date: Wed, 7 Apr 2021 20:57:55 +0100
+Subject: [PATCH] esp: ensure cmdfifo is not empty and current_dev is non-NULL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+When about to execute a SCSI command, ensure that cmdfifo is not empty and
+current_dev is non-NULL. This can happen if the guest tries to execute a TI
+(Transfer Information) command without issuing one of the select commands
+first.
+
+Buglink: https://bugs.launchpad.net/qemu/+bug/1910723
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
+Signed-off-by: Mark Cave-Ayland
+Reviewed-by: Philippe Mathieu-Daudé
+Tested-by: Alexander Bulekov
+Message-Id: <20210407195801.685-7-mark.cave-ayland@ilande.co.uk>
+---
+ hw/scsi/esp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/hw/scsi/esp.c
++++ b/hw/scsi/esp.c
+@@ -193,6 +193,10 @@ static void do_busid_cmd(ESPState *s, ui
+
+ trace_esp_do_busid_cmd(busid);
+ lun = busid & 7;
++
++ if (!s->current_dev) {
++ return;
++ }
+ current_lun = scsi_device_find(&s->bus, 0, s->current_dev->id, lun);
+ s->current_req = scsi_req_new(current_lun, 0, lun, buf, s);
+ datalen = scsi_req_enqueue(s->current_req);
diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2021-3392.patch qemu-5.2+dfsg/debian/patches/CVE-2021-3392.patch
--- qemu-5.2+dfsg/debian/patches/CVE-2021-3392.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-5.2+dfsg/debian/patches/CVE-2021-3392.patch 2021-07-08 13:43:52.000000000 +0000
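Review bot: The "Backport of:" header gives no hint of what was dropped, yet the upstream subject promises two guards (cmdfifo not empty and current_dev non-NULL) while the hunk adds only the `if (!s->current_dev) { return; }` check in do_busid_cmd. A one-line note under "Backport of:", along the lines of `[Backport note: only the current_dev guard applies to this tree; the cmdfifo check has no counterpart here]`, would stop the next reader from hunting for a missing hunk — assuming the omission is deliberate rather than lost in the backport, which the patch itself does not say. The retained diffstat (`3 +++`, `3 insertions(+)`) also no longer matches the hunk, which adds four lines. do_busid_cmd starts and ends outside the hunk.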
@@ -0,0 +1,81 @@ +From 3791642c8d60029adf9b00bcb4e34d7d8a1aea4d Mon Sep 17 00:00:00 2001 +From: Michael Tokarev +Date: Mon, 19 Apr 2021 15:42:47 +0200 +Subject: [PATCH] mptsas: Remove unused MPTSASState 'pending' field + (CVE-2021-3392) +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +While processing SCSI i/o requests in mptsas_process_scsi_io_request(), +the Megaraid emulator appends new MPTSASRequest object 'req' to +the 's->pending' queue. In case of an error, this same object gets +dequeued in mptsas_free_request() only if SCSIRequest object +'req->sreq' is initialised. This may lead to a use-after-free issue. + +Since s->pending is actually not used, simply remove it from +MPTSASState. + +Cc: qemu-stable@nongnu.org +Signed-off-by: Michael Tokarev +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Philippe Mathieu-Daudé +Reported-by: Cheolwoo Myung +Message-id: 20210419134247.1467982-1-f4bug@amsat.org +Message-Id: <20210416102243.1293871-1-mjt@msgid.tls.msk.ru> +Suggested-by: Paolo Bonzini +Reported-by: Cheolwoo Myung +BugLink: https://bugs.launchpad.net/qemu/+bug/1914236 (CVE-2021-3392) +Fixes: e351b826112 ("hw: Add support for LSI SAS1068 (mptsas) device") +[PMD: Reworded description, added more tags] +Signed-off-by: Philippe Mathieu-Daudé +Reviewed-by: Peter Maydell +Signed-off-by: Peter Maydell +--- + hw/scsi/mptsas.c | 6 ------ + hw/scsi/mptsas.h | 1 - + 2 files changed, 7 deletions(-) + +--- a/hw/scsi/mptsas.c ++++ b/hw/scsi/mptsas.c +@@ -251,13 +251,10 @@ static int mptsas_build_sgl(MPTSASState + + static void mptsas_free_request(MPTSASRequest *req) + { +- MPTSASState *s = req->dev; +- + if (req->sreq != NULL) { + req->sreq->hba_private = NULL; + scsi_req_unref(req->sreq); + req->sreq = NULL; +- QTAILQ_REMOVE(&s->pending, req, next); + } + qemu_sglist_destroy(&req->qsg); + g_free(req); +@@ -303,7 +300,6 @@ static int mptsas_process_scsi_io_reques + } + + req = g_new0(MPTSASRequest, 1); +- 
QTAILQ_INSERT_TAIL(&s->pending, req, next); + req->scsi_io = *scsi_io; + req->dev = s; + +@@ -1318,8 +1314,6 @@ static void mptsas_scsi_realize(PCIDevic + + s->request_bh = qemu_bh_new(mptsas_fetch_requests, s); + +- QTAILQ_INIT(&s->pending); +- + scsi_bus_new(&s->bus, sizeof(s->bus), &dev->qdev, &mptsas_scsi_info, NULL); + } + +--- a/hw/scsi/mptsas.h ++++ b/hw/scsi/mptsas.h +@@ -79,7 +79,6 @@ struct MPTSASState { + uint16_t reply_frame_size; + + SCSIBus bus; +- QTAILQ_HEAD(, MPTSASRequest) pending; + }; + + void mptsas_fix_scsi_io_endianness(MPIMsgSCSIIORequest *req); diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2021-3409-1.patch qemu-5.2+dfsg/debian/patches/CVE-2021-3409-1.patch --- qemu-5.2+dfsg/debian/patches/CVE-2021-3409-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-5.2+dfsg/debian/patches/CVE-2021-3409-1.patch 2021-07-08 13:44:00.000000000 +0000 
@@ -0,0 +1,86 @@ +From b263d8f928001b5cfa2a993ea43b7a5b3a1811e8 Mon Sep 17 00:00:00 2001 +From: Bin Meng +Date: Wed, 3 Mar 2021 20:26:35 +0800 +Subject: [PATCH] hw/sd: sdhci: Don't transfer any data when command time out +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +At the end of sdhci_send_command(), it starts a data transfer if the +command register indicates data is associated. But the data transfer +should only be initiated when the command execution has succeeded. + +With this fix, the following reproducer: + +outl 0xcf8 0x80001810 +outl 0xcfc 0xe1068000 +outl 0xcf8 0x80001804 +outw 0xcfc 0x7 +write 0xe106802c 0x1 0x0f +write 0xe1068004 0xc 0x2801d10101fffffbff28a384 +write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f +write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576 +write 0xe1068003 0x1 0xfe + +cannot be reproduced with the following QEMU command line: + +$ qemu-system-x86_64 -nographic -M pc-q35-5.0 \ + -device sdhci-pci,sd-spec-version=3 \ + -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \ + -device sd-card,drive=mydrive \ + -monitor none -serial none -qtest stdio + +Cc: qemu-stable@nongnu.org +Fixes: CVE-2020-17380 +Fixes: CVE-2020-25085 +Fixes: CVE-2021-3409 +Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller") +Reported-by: Alexander Bulekov +Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum) +Reported-by: Sergej Schumilo (Ruhr-Universität Bochum) +Reported-by: Simon Wörner (Ruhr-Universität Bochum) +Buglink: https://bugs.launchpad.net/qemu/+bug/1892960 +Buglink: https://bugs.launchpad.net/qemu/+bug/1909418 +Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146 +Acked-by: Alistair Francis +Tested-by: Alexander Bulekov +Tested-by: Philippe Mathieu-Daudé +Signed-off-by: Bin Meng +Message-Id: <20210303122639.20004-2-bmeng.cn@gmail.com> +Signed-off-by: Philippe 
Mathieu-Daudé +--- + hw/sd/sdhci.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c +index 9acf446..f72d76c 100644 +--- a/hw/sd/sdhci.c ++++ b/hw/sd/sdhci.c +@@ -326,6 +326,7 @@ static void sdhci_send_command(SDHCIState *s) + SDRequest request; + uint8_t response[16]; + int rlen; ++ bool timeout = false; + + s->errintsts = 0; + s->acmd12errsts = 0; +@@ -349,6 +350,7 @@ static void sdhci_send_command(SDHCIState *s) + trace_sdhci_response16(s->rspreg[3], s->rspreg[2], + s->rspreg[1], s->rspreg[0]); + } else { ++ timeout = true; + trace_sdhci_error("timeout waiting for command response"); + if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT) { + s->errintsts |= SDHC_EIS_CMDTIMEOUT; +@@ -369,7 +371,7 @@ static void sdhci_send_command(SDHCIState *s) + + sdhci_update_irq(s); + +- if (s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) { ++ if (!timeout && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) { + s->data_count = 0; + sdhci_data_transfer(s); + } +-- +1.8.3.1 + diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2021-3409-2.patch qemu-5.2+dfsg/debian/patches/CVE-2021-3409-2.patch --- qemu-5.2+dfsg/debian/patches/CVE-2021-3409-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-5.2+dfsg/debian/patches/CVE-2021-3409-2.patch 2021-07-08 13:44:10.000000000 +0000 
@@ -0,0 +1,99 @@ +From 8be45cc947832b3c02144c9d52921f499f2d77fe Mon Sep 17 00:00:00 2001 +From: Bin Meng +Date: Wed, 3 Mar 2021 20:26:36 +0800 +Subject: [PATCH] hw/sd: sdhci: Don't write to SDHC_SYSAD register when + transfer is in progress +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Per "SD Host Controller Standard Specification Version 7.00" +chapter 2.2.1 SDMA System Address Register: + +This register can be accessed only if no transaction is executing +(i.e., after a transaction has stopped). + +With this fix, the following reproducer: + +outl 0xcf8 0x80001010 +outl 0xcfc 0xfbefff00 +outl 0xcf8 0x80001001 +outl 0xcfc 0x06000000 +write 0xfbefff2c 0x1 0x05 +write 0xfbefff0f 0x1 0x37 +write 0xfbefff0a 0x1 0x01 +write 0xfbefff0f 0x1 0x29 +write 0xfbefff0f 0x1 0x02 +write 0xfbefff0f 0x1 0x03 +write 0xfbefff04 0x1 0x01 +write 0xfbefff05 0x1 0x01 +write 0xfbefff07 0x1 0x02 +write 0xfbefff0c 0x1 0x33 +write 0xfbefff0e 0x1 0x20 +write 0xfbefff0f 0x1 0x00 +write 0xfbefff2a 0x1 0x01 +write 0xfbefff0c 0x1 0x00 +write 0xfbefff03 0x1 0x00 +write 0xfbefff05 0x1 0x00 +write 0xfbefff2a 0x1 0x02 +write 0xfbefff0c 0x1 0x32 +write 0xfbefff01 0x1 0x01 +write 0xfbefff02 0x1 0x01 +write 0xfbefff03 0x1 0x01 + +cannot be reproduced with the following QEMU command line: + +$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \ + -nodefaults -device sdhci-pci,sd-spec-version=3 \ + -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \ + -device sd-card,drive=mydrive -qtest stdio + +Cc: qemu-stable@nongnu.org +Fixes: CVE-2020-17380 +Fixes: CVE-2020-25085 +Fixes: CVE-2021-3409 +Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller") +Reported-by: Alexander Bulekov +Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum) +Reported-by: Sergej Schumilo (Ruhr-Universität Bochum) +Reported-by: Simon Wörner (Ruhr-Universität Bochum) +Buglink: https://bugs.launchpad.net/qemu/+bug/1892960 +Buglink: 
https://bugs.launchpad.net/qemu/+bug/1909418 +Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146 +Tested-by: Alexander Bulekov +Signed-off-by: Bin Meng +Message-Id: <20210303122639.20004-3-bmeng.cn@gmail.com> +Signed-off-by: Philippe Mathieu-Daudé +--- + hw/sd/sdhci.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +--- a/hw/sd/sdhci.c ++++ b/hw/sd/sdhci.c +@@ -1122,15 +1122,17 @@ sdhci_write(void *opaque, hwaddr offset, + + switch (offset & ~0x3) { + case SDHC_SYSAD: +- s->sdmasysad = (s->sdmasysad & mask) | value; +- MASKED_WRITE(s->sdmasysad, mask, value); +- /* Writing to last byte of sdmasysad might trigger transfer */ +- if (!(mask & 0xFF000000) && TRANSFERRING_DATA(s->prnsts) && s->blkcnt && +- s->blksize && SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) { +- if (s->trnmod & SDHC_TRNS_MULTI) { +- sdhci_sdma_transfer_multi_blocks(s); +- } else { +- sdhci_sdma_transfer_single_block(s); ++ if (!TRANSFERRING_DATA(s->prnsts)) { ++ s->sdmasysad = (s->sdmasysad & mask) | value; ++ MASKED_WRITE(s->sdmasysad, mask, value); ++ /* Writing to last byte of sdmasysad might trigger transfer */ ++ if (!(mask & 0xFF000000) && s->blkcnt && s->blksize && ++ SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) { ++ if (s->trnmod & SDHC_TRNS_MULTI) { ++ sdhci_sdma_transfer_multi_blocks(s); ++ } else { ++ sdhci_sdma_transfer_single_block(s); ++ } + } + } + break; diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2021-3409-3.patch qemu-5.2+dfsg/debian/patches/CVE-2021-3409-3.patch --- qemu-5.2+dfsg/debian/patches/CVE-2021-3409-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-5.2+dfsg/debian/patches/CVE-2021-3409-3.patch 2021-07-08 13:44:16.000000000 +0000 
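Review bot: The two consecutive stores at the top of the re-indented `SDHC_SYSAD` case, `s->sdmasysad = (s->sdmasysad & mask) | value;` followed by `MASKED_WRITE(s->sdmasysad, mask, value);`, look redundant — if `MASKED_WRITE` performs the same masked merge (its definition is outside the hunk) the plain assignment should be dropped rather than carried into the new block. A guest write that lands while `TRANSFERRING_DATA(s->prnsts)` is now discarded silently; an `else` branch with `qemu_log_mask(LOG_GUEST_ERROR, "%s: SDMA address written during transfer\n", __func__);` would make that visible when debugging guest drivers, in the same way the `SDHC_BLKSIZE` case already reports an oversize block size. sdhci_write continues outside the hunk on both sides.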
@@ -0,0 +1,64 @@ +From bc6f28995ff88f5d82c38afcfd65406f0ae375aa Mon Sep 17 00:00:00 2001 +From: Bin Meng +Date: Wed, 3 Mar 2021 20:26:37 +0800 +Subject: [PATCH] hw/sd: sdhci: Correctly set the controller status for ADMA +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +When an ADMA transfer is started, the codes forget to set the +controller status to indicate a transfer is in progress. + +With this fix, the following 2 reproducers: + +https://paste.debian.net/plain/1185136 +https://paste.debian.net/plain/1185141 + +cannot be reproduced with the following QEMU command line: + +$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \ + -nodefaults -device sdhci-pci,sd-spec-version=3 \ + -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \ + -device sd-card,drive=mydrive -qtest stdio + +Cc: qemu-stable@nongnu.org +Fixes: CVE-2020-17380 +Fixes: CVE-2020-25085 +Fixes: CVE-2021-3409 +Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller") +Reported-by: Alexander Bulekov +Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum) +Reported-by: Sergej Schumilo (Ruhr-Universität Bochum) +Reported-by: Simon Wörner (Ruhr-Universität Bochum) +Buglink: https://bugs.launchpad.net/qemu/+bug/1892960 +Buglink: https://bugs.launchpad.net/qemu/+bug/1909418 +Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146 +Tested-by: Alexander Bulekov +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Bin Meng +Message-Id: <20210303122639.20004-4-bmeng.cn@gmail.com> +Signed-off-by: Philippe Mathieu-Daudé +--- + hw/sd/sdhci.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/hw/sd/sdhci.c ++++ b/hw/sd/sdhci.c +@@ -769,7 +769,9 @@ static void sdhci_do_adma(SDHCIState *s) + + switch (dscr.attr & SDHC_ADMA_ATTR_ACT_MASK) { + case SDHC_ADMA_ATTR_ACT_TRAN: /* data transfer */ ++ s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE; + if (s->trnmod & SDHC_TRNS_READ) { ++ s->prnsts |= SDHC_DOING_READ; + while 
(length) { + if (s->data_count == 0) { + sdbus_read_data(&s->sdbus, s->fifo_buffer, block_size); +@@ -797,6 +799,7 @@ static void sdhci_do_adma(SDHCIState *s) + } + } + } else { ++ s->prnsts |= SDHC_DOING_WRITE; + while (length) { + begin = s->data_count; + if ((length + begin) < block_size) { diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2021-3409-4.patch qemu-5.2+dfsg/debian/patches/CVE-2021-3409-4.patch --- qemu-5.2+dfsg/debian/patches/CVE-2021-3409-4.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-5.2+dfsg/debian/patches/CVE-2021-3409-4.patch 2021-07-08 13:44:21.000000000 +0000 
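Review bot: The new `s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE;` and the `SDHC_DOING_READ` / `SDHC_DOING_WRITE` bits are OR'd in for every `SDHC_ADMA_ATTR_ACT_TRAN` descriptor, but nothing in the hunk clears them when the ADMA chain ends or aborts. Because the `SDHC_SYSAD` and `SDHC_BLKSIZE` write paths in this file gate on `TRANSFERRING_DATA(s->prnsts)`, a missed clear would leave the guest unable to program those registers after its first ADMA transfer; please confirm the completion path (outside the hunk) resets these bits, and add a pointer at the set site such as `/* cleared when the descriptor chain completes or is aborted */`. The body of sdhci_do_adma continues outside the hunk.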
@@ -0,0 +1,46 @@ +From 5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd Mon Sep 17 00:00:00 2001 +From: Bin Meng +Date: Wed, 3 Mar 2021 20:26:38 +0800 +Subject: [PATCH] hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE + register is writable +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +The codes to limit the maximum block size is only necessary when +SDHC_BLKSIZE register is writable. + +Tested-by: Alexander Bulekov +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Bin Meng +Message-Id: <20210303122639.20004-5-bmeng.cn@gmail.com> +Signed-off-by: Philippe Mathieu-Daudé +--- + hw/sd/sdhci.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/hw/sd/sdhci.c ++++ b/hw/sd/sdhci.c +@@ -1143,15 +1143,15 @@ sdhci_write(void *opaque, hwaddr offset, + if (!TRANSFERRING_DATA(s->prnsts)) { + MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12)); + MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16); +- } + +- /* Limit block size to the maximum buffer size */ +- if (extract32(s->blksize, 0, 12) > s->buf_maxsz) { +- qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " +- "the maximum buffer 0x%x\n", __func__, s->blksize, +- s->buf_maxsz); ++ /* Limit block size to the maximum buffer size */ ++ if (extract32(s->blksize, 0, 12) > s->buf_maxsz) { ++ qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " ++ "the maximum buffer 0x%x\n", __func__, s->blksize, ++ s->buf_maxsz); + +- s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); ++ s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); ++ } + } + + break; diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2021-3409-5.patch qemu-5.2+dfsg/debian/patches/CVE-2021-3409-5.patch --- qemu-5.2+dfsg/debian/patches/CVE-2021-3409-5.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-5.2+dfsg/debian/patches/CVE-2021-3409-5.patch 2021-07-08 13:44:26.000000000 +0000 
@@ -0,0 +1,89 @@ +From cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9 Mon Sep 17 00:00:00 2001 +From: Bin Meng +Date: Wed, 3 Mar 2021 20:26:39 +0800 +Subject: [PATCH] hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[] when + a different block size is programmed +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +If the block size is programmed to a different value from the +previous one, reset the data pointer of s->fifo_buffer[] so that +s->fifo_buffer[] can be filled in using the new block size in +the next transfer. + +With this fix, the following reproducer: + +outl 0xcf8 0x80001010 +outl 0xcfc 0xe0000000 +outl 0xcf8 0x80001001 +outl 0xcfc 0x06000000 +write 0xe000002c 0x1 0x05 +write 0xe0000005 0x1 0x02 +write 0xe0000007 0x1 0x01 +write 0xe0000028 0x1 0x10 +write 0x0 0x1 0x23 +write 0x2 0x1 0x08 +write 0xe000000c 0x1 0x01 +write 0xe000000e 0x1 0x20 +write 0xe000000f 0x1 0x00 +write 0xe000000c 0x1 0x32 +write 0xe0000004 0x2 0x0200 +write 0xe0000028 0x1 0x00 +write 0xe0000003 0x1 0x40 + +cannot be reproduced with the following QEMU command line: + +$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \ + -nodefaults -device sdhci-pci,sd-spec-version=3 \ + -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \ + -device sd-card,drive=mydrive -qtest stdio + +Cc: qemu-stable@nongnu.org +Fixes: CVE-2020-17380 +Fixes: CVE-2020-25085 +Fixes: CVE-2021-3409 +Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller") +Reported-by: Alexander Bulekov +Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum) +Reported-by: Sergej Schumilo (Ruhr-Universität Bochum) +Reported-by: Simon Wörner (Ruhr-Universität Bochum) +Buglink: https://bugs.launchpad.net/qemu/+bug/1892960 +Buglink: https://bugs.launchpad.net/qemu/+bug/1909418 +Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146 +Tested-by: Alexander Bulekov +Signed-off-by: Bin Meng +Message-Id: <20210303122639.20004-6-bmeng.cn@gmail.com> 
+Signed-off-by: Philippe Mathieu-Daudé +--- + hw/sd/sdhci.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/hw/sd/sdhci.c ++++ b/hw/sd/sdhci.c +@@ -1141,6 +1141,8 @@ sdhci_write(void *opaque, hwaddr offset, + break; + case SDHC_BLKSIZE: + if (!TRANSFERRING_DATA(s->prnsts)) { ++ uint16_t blksize = s->blksize; ++ + MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12)); + MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16); + +@@ -1152,6 +1154,16 @@ sdhci_write(void *opaque, hwaddr offset, + + s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); + } ++ ++ /* ++ * If the block size is programmed to a different value from ++ * the previous one, reset the data pointer of s->fifo_buffer[] ++ * so that s->fifo_buffer[] can be filled in using the new block ++ * size in the next transfer. ++ */ ++ if (blksize != s->blksize) { ++ s->data_count = 0; ++ } + } + + break; diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2021-3527-1.patch qemu-5.2+dfsg/debian/patches/CVE-2021-3527-1.patch --- qemu-5.2+dfsg/debian/patches/CVE-2021-3527-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-5.2+dfsg/debian/patches/CVE-2021-3527-1.patch 2021-07-08 13:48:36.000000000 +0000 
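Review bot: The snapshot `uint16_t blksize = s->blksize;` is later compared against the field after `deposit32(s->blksize, 0, 12, s->buf_maxsz)`; if `s->blksize` is wider than 16 bits (its declaration is outside the hunk) a change in the upper bits would be missed and `s->data_count` left stale. Comparing the register's 12-bit size on both sides, `if (extract32(blksize, 0, 12) != extract32(s->blksize, 0, 12))`, or declaring the snapshot with the field's own type, removes the dependence on matching widths. It is also worth stating in the comment that re-programming the *same* block size deliberately keeps a partially filled `fifo_buffer`, since that is the intended behaviour rather than an oversight. sdhci_write continues outside the hunk.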
@@ -0,0 +1,48 @@ +From 7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 3 May 2021 15:29:12 +0200 +Subject: [PATCH] usb/redir: avoid dynamic stack allocation (CVE-2021-3527) +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Use autofree heap allocation instead. + +Fixes: 4f4321c11ff ("usb: use iovecs in USBPacket") +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Gerd Hoffmann +Tested-by: Philippe Mathieu-Daudé +Message-Id: <20210503132915.2335822-3-kraxel@redhat.com> +--- + hw/usb/redirect.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/hw/usb/redirect.c ++++ b/hw/usb/redirect.c +@@ -619,7 +619,7 @@ static void usbredir_handle_iso_data(USB + .endpoint = ep, + .length = p->iov.size + }; +- uint8_t buf[p->iov.size]; ++ g_autofree uint8_t *buf = g_malloc(p->iov.size); + /* No id, we look at the ep when receiving a status back */ + usb_packet_copy(p, buf, p->iov.size); + usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet, +@@ -817,7 +817,7 @@ static void usbredir_handle_bulk_data(US + usbredirparser_send_bulk_packet(dev->parser, p->id, + &bulk_packet, NULL, 0); + } else { +- uint8_t buf[size]; ++ g_autofree uint8_t *buf = g_malloc(size); + usb_packet_copy(p, buf, size); + usbredir_log_data(dev, "bulk data out:", buf, size); + usbredirparser_send_bulk_packet(dev->parser, p->id, +@@ -922,7 +922,7 @@ static void usbredir_handle_interrupt_ou + USBPacket *p, uint8_t ep) + { + struct usb_redir_interrupt_packet_header interrupt_packet; +- uint8_t buf[p->iov.size]; ++ g_autofree uint8_t *buf = g_malloc(p->iov.size); + + DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep, + p->iov.size, p->id); diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2021-3527-2.patch qemu-5.2+dfsg/debian/patches/CVE-2021-3527-2.patch --- qemu-5.2+dfsg/debian/patches/CVE-2021-3527-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ 
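Review bot: Replacing the VLAs with `g_autofree uint8_t *buf = g_malloc(p->iov.size);` removes the stack exhaustion, but `g_malloc` aborts the process on allocation failure, so a guest-controlled `p->iov.size` that is merely very large still ends in a QEMU crash rather than a rejected packet. The bulk path is covered by the 1 MiB combined-packet limit added alongside this change, but `usbredir_handle_iso_data` and `usbredir_handle_interrupt_out` take `p->iov.size` directly; either bound it before these calls or use `g_try_malloc` and fail the packet with an error status when it returns NULL. Note also that `g_malloc(0)` returns NULL, which is harmless only if `usb_packet_copy` tolerates a NULL destination for a zero-length copy. The three enclosing functions continue outside the hunks.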
qemu-5.2+dfsg/debian/patches/CVE-2021-3527-2.patch 2021-07-08 13:48:38.000000000 +0000 @@ -0,0 +1,36 @@ +From 05a40b172e4d691371534828078be47e7fff524c Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 3 May 2021 15:29:15 +0200 +Subject: [PATCH] usb: limit combined packets to 1 MiB (CVE-2021-3527) + +usb-host and usb-redirect try to batch bulk transfers by combining many +small usb packets into a single, large transfer request, to reduce the +overhead and improve performance. + +This patch adds a size limit of 1 MiB for those combined packets to +restrict the host resources the guest can bind that way. + +Signed-off-by: Gerd Hoffmann +Message-Id: <20210503132915.2335822-6-kraxel@redhat.com> +--- + hw/usb/combined-packet.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c +index 5d57e88..e56802f 100644 +--- a/hw/usb/combined-packet.c ++++ b/hw/usb/combined-packet.c +@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep) + if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok || + next == NULL || + /* Work around for Linux usbfs bulk splitting + migration */ +- (totalsize == (16 * KiB - 36) && p->int_req)) { ++ (totalsize == (16 * KiB - 36) && p->int_req) || ++ /* Next package may grow combined package over 1MiB */ ++ totalsize > 1 * MiB - ep->max_packet_size) { + usb_device_handle_data(ep->dev, first); + assert(first->status == USB_RET_ASYNC); + if (first->combined) { +-- +1.8.3.1 + diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2021-3544-1.patch qemu-5.2+dfsg/debian/patches/CVE-2021-3544-1.patch --- qemu-5.2+dfsg/debian/patches/CVE-2021-3544-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-5.2+dfsg/debian/patches/CVE-2021-3544-1.patch 2021-07-08 13:48:55.000000000 +0000 
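Review bot: The new bound is an inline magic number, `totalsize > 1 * MiB - ep->max_packet_size`, and the accompanying comment misspells packet (`/* Next package may grow combined package over 1MiB */`). A named constant beside the function, `#define USB_COMBINED_MAX_SIZE (1 * MiB)`, with the comment `/* Next packet may grow the combined packet past USB_COMBINED_MAX_SIZE */`, makes the limit discoverable and reusable by usb-host. If `ep->max_packet_size` could ever exceed 1 MiB the subtraction would go negative or wrap depending on the type of `MiB`; that is presumably impossible for a USB endpoint, but a one-line comment recording the assumption would not hurt. usb_ep_combine_input_packets continues outside the hunk.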
@@ -0,0 +1,34 @@ +From 121841b25d72d13f8cad554363138c360f1250ea Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Sat, 15 May 2021 20:03:56 -0700 +Subject: [PATCH] vhost-user-gpu: fix memory disclosure in + virgl_cmd_get_capset_info (CVE-2021-3545) +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Otherwise some of the 'resp' will be leaked to guest. + +Fixes: CVE-2021-3545 +Reported-by: Li Qiang +virtio-gpu fix: 42a8dadc74 ("virtio-gpu: fix information leak +in getting capset info dispatch") + +Signed-off-by: Li Qiang +Reviewed-by: Marc-André Lureau +Message-Id: <20210516030403.107723-2-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann +--- + contrib/vhost-user-gpu/virgl.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/contrib/vhost-user-gpu/virgl.c ++++ b/contrib/vhost-user-gpu/virgl.c +@@ -125,6 +125,7 @@ virgl_cmd_get_capset_info(VuGpu *g, + + VUGPU_FILL_CMD(info); + ++ memset(&resp, 0, sizeof(resp)); + if (info.capset_index == 0) { + resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL; + virgl_renderer_get_cap_set(resp.capset_id, diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2021-3544-2.patch qemu-5.2+dfsg/debian/patches/CVE-2021-3544-2.patch --- qemu-5.2+dfsg/debian/patches/CVE-2021-3544-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-5.2+dfsg/debian/patches/CVE-2021-3544-2.patch 2021-07-08 13:49:00.000000000 +0000 
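Review bot: `memset(&resp, 0, sizeof(resp));` closes the disclosure, but it is placed after `VUGPU_FILL_CMD(info);` and apart from the declaration of `resp` (outside the hunk); zero-initialising at the declaration, `... resp = {0};`, ties the guarantee to the object so no later code path can send a partially filled struct. Either form is correct here — the declaration form simply cannot be bypassed. virgl_cmd_get_capset_info continues outside the hunk.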
@@ -0,0 +1,32 @@ +From 86dd8fac2acc366930a5dc08d3fb1b1e816f4e1e Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Sat, 15 May 2021 20:03:57 -0700 +Subject: [PATCH] vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' + (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Call 'vugbm_buffer_destroy' in error path to avoid resource leak. + +Fixes: CVE-2021-3544 +Reported-by: Li Qiang +Reviewed-by: Prasad J Pandit +Signed-off-by: Li Qiang +Reviewed-by: Marc-André Lureau +Message-Id: <20210516030403.107723-3-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann +--- + contrib/vhost-user-gpu/vhost-user-gpu.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/contrib/vhost-user-gpu/vhost-user-gpu.c ++++ b/contrib/vhost-user-gpu/vhost-user-gpu.c +@@ -328,6 +328,7 @@ vg_resource_create_2d(VuGpu *g, + g_critical("%s: resource creation failed %d %d %d", + __func__, c2d.resource_id, c2d.width, c2d.height); + g_free(res); ++ vugbm_buffer_destroy(&res->buffer); + cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY; + return; + } diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2021-3544-3.patch qemu-5.2+dfsg/debian/patches/CVE-2021-3544-3.patch --- qemu-5.2+dfsg/debian/patches/CVE-2021-3544-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-5.2+dfsg/debian/patches/CVE-2021-3544-3.patch 2021-07-08 13:49:05.000000000 +0000 
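Review bot: The added `vugbm_buffer_destroy(&res->buffer);` runs after `g_free(res);`, so it forms `&res->buffer` from, and reads through, a pointer that has just been freed — a use-after-free introduced by this hunk itself, on a guest-triggerable error path. Swap the two statements so the buffer is torn down while `res` is still alive: `vugbm_buffer_destroy(&res->buffer);` then `g_free(res);`. vg_resource_create_2d continues outside the hunk.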
@@ -0,0 +1,39 @@ +From b9f79858a614d95f5de875d0ca31096eaab72c3b Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Sat, 15 May 2021 20:03:58 -0700 +Subject: [PATCH] vhost-user-gpu: fix memory leak in vg_resource_attach_backing + (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Check whether the 'res' has already been attach_backing to avoid +memory leak. + +Fixes: CVE-2021-3544 +Reported-by: Li Qiang +virtio-gpu fix: 204f01b309 ("virtio-gpu: fix memory leak +in resource attach backing") + +Signed-off-by: Li Qiang +Reviewed-by: Marc-André Lureau +Message-Id: <20210516030403.107723-4-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann +--- + contrib/vhost-user-gpu/vhost-user-gpu.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/contrib/vhost-user-gpu/vhost-user-gpu.c ++++ b/contrib/vhost-user-gpu/vhost-user-gpu.c +@@ -468,6 +468,11 @@ vg_resource_attach_backing(VuGpu *g, + return; + } + ++ if (res->iov) { ++ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; ++ return; ++ } ++ + ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov); + if (ret != 0) { + cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2021-3544-4.patch qemu-5.2+dfsg/debian/patches/CVE-2021-3544-4.patch --- qemu-5.2+dfsg/debian/patches/CVE-2021-3544-4.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-5.2+dfsg/debian/patches/CVE-2021-3544-4.patch 2021-07-08 13:49:10.000000000 +0000 
@@ -0,0 +1,41 @@ +From b7afebcf9e6ecf3cf9b5a9b9b731ed04bca6aa3e Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Sat, 15 May 2021 20:03:59 -0700 +Subject: [PATCH] vhost-user-gpu: fix memory leak while calling + 'vg_resource_unref' (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +If the guest trigger following sequences, the attach_backing will be leaked: + + vg_resource_create_2d + vg_resource_attach_backing + vg_resource_unref + +This patch fix this by freeing 'res->iov' in vg_resource_destroy. + +Fixes: CVE-2021-3544 +Reported-by: Li Qiang +virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak +in virgl_cmd_resource_unref") + +Reviewed-by: Prasad J Pandit +Signed-off-by: Li Qiang +Reviewed-by: Marc-André Lureau +Message-Id: <20210516030403.107723-5-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann +--- + contrib/vhost-user-gpu/vhost-user-gpu.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/contrib/vhost-user-gpu/vhost-user-gpu.c ++++ b/contrib/vhost-user-gpu/vhost-user-gpu.c +@@ -379,6 +379,7 @@ vg_resource_destroy(VuGpu *g, + } + + vugbm_buffer_destroy(&res->buffer); ++ g_free(res->iov); + pixman_image_unref(res->image); + QTAILQ_REMOVE(&g->reslist, res, next); + g_free(res); diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2021-3544-5.patch qemu-5.2+dfsg/debian/patches/CVE-2021-3544-5.patch --- qemu-5.2+dfsg/debian/patches/CVE-2021-3544-5.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-5.2+dfsg/debian/patches/CVE-2021-3544-5.patch 2021-07-08 13:49:16.000000000 +0000 
@@ -0,0 +1,49 @@ +From f6091d86ba9ea05f4e111b9b42ee0005c37a6779 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Sat, 15 May 2021 20:04:00 -0700 +Subject: [PATCH] vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' + (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +The 'res->iov' will be leaked if the guest trigger following sequences: + + virgl_cmd_create_resource_2d + virgl_resource_attach_backing + virgl_cmd_resource_unref + +This patch fixes this. + +Fixes: CVE-2021-3544 +Reported-by: Li Qiang +virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak +in virgl_cmd_resource_unref" + +Signed-off-by: Li Qiang +Reviewed-by: Marc-André Lureau +Message-Id: <20210516030403.107723-6-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann +--- + contrib/vhost-user-gpu/virgl.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/contrib/vhost-user-gpu/virgl.c ++++ b/contrib/vhost-user-gpu/virgl.c +@@ -105,9 +105,16 @@ virgl_cmd_resource_unref(VuGpu *g, + struct virtio_gpu_ctrl_command *cmd) + { + struct virtio_gpu_resource_unref unref; ++ struct iovec *res_iovs = NULL; ++ int num_iovs = 0; + + VUGPU_FILL_CMD(unref); + ++ virgl_renderer_resource_detach_iov(unref.resource_id, ++ &res_iovs, ++ &num_iovs); ++ g_free(res_iovs); ++ + virgl_renderer_resource_unref(unref.resource_id); + } + diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2021-3544-6.patch qemu-5.2+dfsg/debian/patches/CVE-2021-3544-6.patch --- qemu-5.2+dfsg/debian/patches/CVE-2021-3544-6.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-5.2+dfsg/debian/patches/CVE-2021-3544-6.patch 2021-07-08 13:49:21.000000000 +0000 
@@ -0,0 +1,40 @@ +From 63736af5a6571d9def93769431e0d7e38c6677bf Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Sat, 15 May 2021 20:04:01 -0700 +Subject: [PATCH] vhost-user-gpu: fix memory leak in + 'virgl_resource_attach_backing' (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will +be leaked. + +Fixes: CVE-2021-3544 +Reported-by: Li Qiang +virtio-gpu fix: 33243031da ("virtio-gpu-3d: fix memory leak +in resource attach backing") + +Signed-off-by: Li Qiang +Reviewed-by: Marc-André Lureau +Message-Id: <20210516030403.107723-7-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann +--- + contrib/vhost-user-gpu/virgl.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/contrib/vhost-user-gpu/virgl.c ++++ b/contrib/vhost-user-gpu/virgl.c +@@ -284,8 +284,11 @@ virgl_resource_attach_backing(VuGpu *g, + return; + } + +- virgl_renderer_resource_attach_iov(att_rb.resource_id, ++ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id, + res_iovs, att_rb.nr_entries); ++ if (ret != 0) { ++ g_free(res_iovs); ++ } + } + + static void diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2021-3544-7.patch qemu-5.2+dfsg/debian/patches/CVE-2021-3544-7.patch --- qemu-5.2+dfsg/debian/patches/CVE-2021-3544-7.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-5.2+dfsg/debian/patches/CVE-2021-3544-7.patch 2021-07-08 13:49:29.000000000 +0000 
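Review bot: When `virgl_renderer_resource_attach_iov` fails the iov array is now released, but the command still completes as a success: nothing sets `cmd->error`, so the guest is told its backing store was attached when it was not. Add `cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;` inside the `if (ret != 0)` block, matching the error the other attach/detach paths in this series report. The `ret` declaration and the earlier `return` are outside the hunk, so confirm `ret` is already an `int` in scope; virgl_resource_attach_backing continues outside the hunk.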
@@ -0,0 +1,40 @@ +From 9f22893adcb02580aee5968f32baa2cd109b3ec2 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Sat, 15 May 2021 20:04:02 -0700 +Subject: [PATCH] vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset' + (CVE-2021-3546) +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +If 'virgl_cmd_get_capset' set 'max_size' to 0, +the 'virgl_renderer_fill_caps' will write the data after the 'resp'. +This patch avoid this by checking the returned 'max_size'. + +virtio-gpu fix: abd7f08b23 ("display: virtio-gpu-3d: check +virgl capabilities max_size") + +Fixes: CVE-2021-3546 +Reported-by: Li Qiang +Reviewed-by: Prasad J Pandit +Signed-off-by: Li Qiang +Reviewed-by: Marc-André Lureau +Message-Id: <20210516030403.107723-8-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann +--- + contrib/vhost-user-gpu/virgl.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/contrib/vhost-user-gpu/virgl.c ++++ b/contrib/vhost-user-gpu/virgl.c +@@ -174,6 +174,10 @@ virgl_cmd_get_capset(VuGpu *g, + + virgl_renderer_get_cap_set(gc.capset_id, &max_ver, + &max_size); ++ if (!max_size) { ++ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; ++ return; ++ } + resp = g_malloc0(sizeof(*resp) + max_size); + + resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET; diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2021-3544-8.patch qemu-5.2+dfsg/debian/patches/CVE-2021-3544-8.patch --- qemu-5.2+dfsg/debian/patches/CVE-2021-3544-8.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-5.2+dfsg/debian/patches/CVE-2021-3544-8.patch 2021-07-08 13:49:33.000000000 +0000 
@@ -0,0 +1,122 @@ +From 3ea32d1355d446057c17458238db2749c52ee8f0 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Sat, 15 May 2021 20:04:03 -0700 +Subject: [PATCH] vhost-user-gpu: abstract vg_cleanup_mapping_iov +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Currently in vhost-user-gpu, we free resource directly in +the cleanup case of resource. If we change the cleanup logic +we need to change several places, also abstruct a +'vg_create_mapping_iov' can be symmetry with the +'vg_create_mapping_iov'. This is like what virtio-gpu does, +no function changed. + +Signed-off-by: Li Qiang +Reviewed-by: Marc-André Lureau +Message-Id: <20210516030403.107723-9-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann +--- + contrib/vhost-user-gpu/vhost-user-gpu.c | 24 ++++++++++++++++++++---- + contrib/vhost-user-gpu/virgl.c | 9 +++++---- + contrib/vhost-user-gpu/vugpu.h | 2 +- + 3 files changed, 26 insertions(+), 9 deletions(-) + +--- a/contrib/vhost-user-gpu/vhost-user-gpu.c ++++ b/contrib/vhost-user-gpu/vhost-user-gpu.c +@@ -49,6 +49,8 @@ static char *opt_render_node; + static gboolean opt_virgl; + + static void vg_handle_ctrl(VuDev *dev, int qidx); ++static void vg_cleanup_mapping(VuGpu *g, ++ struct virtio_gpu_simple_resource *res); + + static const char * + vg_cmd_to_string(int cmd) +@@ -379,7 +381,7 @@ vg_resource_destroy(VuGpu *g, + } + + vugbm_buffer_destroy(&res->buffer); +- g_free(res->iov); ++ vg_cleanup_mapping(g, res); + pixman_image_unref(res->image); + QTAILQ_REMOVE(&g->reslist, res, next); + g_free(res); +@@ -483,6 +485,22 @@ vg_resource_attach_backing(VuGpu *g, + res->iov_cnt = ab.nr_entries; + } + ++/* Though currently only free iov, maybe later will do more work. 
*/ ++void vg_cleanup_mapping_iov(VuGpu *g, ++ struct iovec *iov, uint32_t count) ++{ ++ g_free(iov); ++} ++ ++static void ++vg_cleanup_mapping(VuGpu *g, ++ struct virtio_gpu_simple_resource *res) ++{ ++ vg_cleanup_mapping_iov(g, res->iov, res->iov_cnt); ++ res->iov = NULL; ++ res->iov_cnt = 0; ++} ++ + static void + vg_resource_detach_backing(VuGpu *g, + struct virtio_gpu_ctrl_command *cmd) +@@ -501,9 +519,7 @@ vg_resource_detach_backing(VuGpu *g, + return; + } + +- g_free(res->iov); +- res->iov = NULL; +- res->iov_cnt = 0; ++ vg_cleanup_mapping(g, res); + } + + static void +--- a/contrib/vhost-user-gpu/virgl.c ++++ b/contrib/vhost-user-gpu/virgl.c +@@ -113,8 +113,9 @@ virgl_cmd_resource_unref(VuGpu *g, + virgl_renderer_resource_detach_iov(unref.resource_id, + &res_iovs, + &num_iovs); +- g_free(res_iovs); +- ++ if (res_iovs != NULL && num_iovs != 0) { ++ vg_cleanup_mapping_iov(g, res_iovs, num_iovs); ++ } + virgl_renderer_resource_unref(unref.resource_id); + } + +@@ -291,7 +292,7 @@ virgl_resource_attach_backing(VuGpu *g, + ret = virgl_renderer_resource_attach_iov(att_rb.resource_id, + res_iovs, att_rb.nr_entries); + if (ret != 0) { +- g_free(res_iovs); ++ vg_cleanup_mapping_iov(g, res_iovs, att_rb.nr_entries); + } + } + +@@ -311,7 +312,7 @@ virgl_resource_detach_backing(VuGpu *g, + if (res_iovs == NULL || num_iovs == 0) { + return; + } +- g_free(res_iovs); ++ vg_cleanup_mapping_iov(g, res_iovs, num_iovs); + } + + static void +--- a/contrib/vhost-user-gpu/vugpu.h ++++ b/contrib/vhost-user-gpu/vugpu.h +@@ -164,7 +164,7 @@ int vg_create_mapping_iov(VuGpu *g, + struct virtio_gpu_resource_attach_backing *ab, + struct virtio_gpu_ctrl_command *cmd, + struct iovec **iov); +- ++void vg_cleanup_mapping_iov(VuGpu *g, struct iovec *iov, uint32_t count); + void vg_get_display_info(VuGpu *vg, struct virtio_gpu_ctrl_command *cmd); + + void vg_wait_ok(VuGpu *g); diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2021-3582.patch qemu-5.2+dfsg/debian/patches/CVE-2021-3582.patch --- 
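Review bot: In `virgl_cmd_resource_unref` the new guard `if (res_iovs != NULL && num_iovs != 0)` is stricter than the unconditional `g_free(res_iovs);` it replaces: an array returned with `num_iovs == 0` but a non-NULL pointer is no longer released, re-opening a small leak on a guest-triggerable path. Since `vg_cleanup_mapping_iov` only calls `g_free`, which accepts NULL, the guard can be dropped or reduced to `if (res_iovs != NULL)`. Whether virglrenderer can return that combination depends on its contract, which is not visible here, so keeping the release unconditional is the safe choice.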
qemu-5.2+dfsg/debian/patches/CVE-2021-3582.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-5.2+dfsg/debian/patches/CVE-2021-3582.patch 2021-07-08 13:49:46.000000000 +0000 @@ -0,0 +1,43 @@ +From 284f191b4abad213aed04cb0458e1600fd18d7c4 Mon Sep 17 00:00:00 2001 +From: Marcel Apfelbaum +Date: Wed, 16 Jun 2021 14:06:00 +0300 +Subject: [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device + (CVE-2021-3582) + +Ensure mremap boundaries not trusting the guest kernel to +pass the correct buffer length. + +Fixes: CVE-2021-3582 +Reported-by: VictorV (Kunlun Lab) +Tested-by: VictorV (Kunlun Lab) +Signed-off-by: Marcel Apfelbaum +Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com> +Reviewed-by: Yuval Shaia +Tested-by: Yuval Shaia +Reviewed-by: Prasad J Pandit +Signed-off-by: Marcel Apfelbaum +--- + hw/rdma/vmw/pvrdma_cmd.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c +index f59879e..da7ddfa 100644 +--- a/hw/rdma/vmw/pvrdma_cmd.c ++++ b/hw/rdma/vmw/pvrdma_cmd.c +@@ -38,6 +38,13 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma, + return NULL; + } + ++ length = ROUND_UP(length, TARGET_PAGE_SIZE); ++ if (nchunks * TARGET_PAGE_SIZE != length) { ++ rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks, ++ (unsigned long)length); ++ return NULL; ++ } ++ + dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE); + if (!dir) { + rdma_error_report("Failed to map to page directory"); +-- +1.8.3.1 + diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2021-3607.patch qemu-5.2+dfsg/debian/patches/CVE-2021-3607.patch --- qemu-5.2+dfsg/debian/patches/CVE-2021-3607.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-5.2+dfsg/debian/patches/CVE-2021-3607.patch 2021-07-08 13:50:09.000000000 +0000 
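Review bot: The new consistency check `if (nchunks * TARGET_PAGE_SIZE != length)` multiplies in the width of `nchunks`, which the `%u` format suggests is 32-bit, while `length` is 64-bit; a large guest-supplied `nchunks` can wrap the product to a small value that matches a small `length` and slip past the check. Widen before multiplying, `if ((uint64_t)nchunks * TARGET_PAGE_SIZE != length)`, and reject a `length` that `ROUND_UP(length, TARGET_PAGE_SIZE)` would wrap to zero. pvrdma_map_to_pdir continues outside the hunk.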
@@ -0,0 +1,34 @@ +From 32e5703cfea07c91e6e84bcb0313f633bb146534 Mon Sep 17 00:00:00 2001 +From: Marcel Apfelbaum +Date: Wed, 30 Jun 2021 14:46:34 +0300 +Subject: [PATCH] pvrdma: Ensure correct input on ring init (CVE-2021-3607) + +Check the guest passed a non zero page count +for pvrdma device ring buffers. + +Fixes: CVE-2021-3607 +Reported-by: VictorV (Kunlun Lab) +Reviewed-by: VictorV (Kunlun Lab) +Signed-off-by: Marcel Apfelbaum +Message-Id: <20210630114634.2168872-1-marcel@redhat.com> +Reviewed-by: Yuval Shaia +Tested-by: Yuval Shaia +Signed-off-by: Marcel Apfelbaum +--- + hw/rdma/vmw/pvrdma_main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/hw/rdma/vmw/pvrdma_main.c ++++ b/hw/rdma/vmw/pvrdma_main.c +@@ -91,6 +91,11 @@ static int init_dev_ring(PvrdmaRing *rin + uint64_t *dir, *tbl; + int rc = 0; + ++ if (!num_pages) { ++ rdma_error_report("Ring pages count must be strictly positive"); ++ return -EINVAL; ++ } ++ + dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE); + if (!dir) { + rdma_error_report("Failed to map to page directory (ring %s)", name); diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2021-3608.patch qemu-5.2+dfsg/debian/patches/CVE-2021-3608.patch --- qemu-5.2+dfsg/debian/patches/CVE-2021-3608.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-5.2+dfsg/debian/patches/CVE-2021-3608.patch 2021-07-08 13:50:17.000000000 +0000 
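Review bot: `if (!num_pages)` rejects only the zero case; no upper bound is applied before the value drives the page directory/table mapping, and the companion ring change in this series sizes a `g_malloc0(npages * sizeof(void *))` from it. If nothing below caps it (init_dev_ring continues outside the hunk), a guest can request an enormous ring and either exhaust host memory or index past the single-page `dir`/`tbl`; add a bound derived from the mapped page, e.g. `if (!num_pages || num_pages > TARGET_PAGE_SIZE / sizeof(uint64_t))`, reporting it with the same `rdma_error_report` and `-EINVAL`.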
@@ -0,0 +1,34 @@ +From 66ae37d8cc313f89272e711174a846a229bcdbd3 Mon Sep 17 00:00:00 2001 +From: Marcel Apfelbaum +Date: Wed, 30 Jun 2021 14:52:46 +0300 +Subject: [PATCH] pvrdma: Fix the ring init error flow (CVE-2021-3608) +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Do not unmap uninitialized dma addresses. + +Fixes: CVE-2021-3608 +Reviewed-by: VictorV (Kunlun Lab) +Tested-by: VictorV (Kunlun Lab) +Signed-off-by: Marcel Apfelbaum +Message-Id: <20210630115246.2178219-1-marcel@redhat.com> +Tested-by: Yuval Shaia +Reviewed-by: Yuval Shaia +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Marcel Apfelbaum +--- + hw/rdma/vmw/pvrdma_dev_ring.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/hw/rdma/vmw/pvrdma_dev_ring.c ++++ b/hw/rdma/vmw/pvrdma_dev_ring.c +@@ -42,7 +42,7 @@ int pvrdma_ring_init(PvrdmaRing *ring, c + qatomic_set(&ring->ring_state->cons_head, 0); + */ + ring->npages = npages; +- ring->pages = g_malloc(npages * sizeof(void *)); ++ ring->pages = g_malloc0(npages * sizeof(void *)); + + for (i = 0; i < npages; i++) { + if (!tbl[i]) { diff -Nru qemu-5.2+dfsg/debian/patches/series qemu-5.2+dfsg/debian/patches/series --- qemu-5.2+dfsg/debian/patches/series 2021-04-07 09:58:29.000000000 +0000 +++ qemu-5.2+dfsg/debian/patches/series 2021-07-08 13:50:59.000000000 +0000 
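Review bot: `g_malloc0(npages * sizeof(void *))` still multiplies unchecked before allocating; `g_new0(void *, npages)` gives the same zeroed allocation with an overflow-checked size and is the idiom QEMU generally uses for sized arrays, so the line should read `ring->pages = g_new0(void *, npages);`. The zero-fill is what makes the error path safe, presumably because the cleanup loop now skips NULL entries, and that dependency deserves a one-line comment above the allocation, e.g. `/* zeroed so the error path can tell unmapped entries from mapped ones */`. pvrdma_ring_init's signature and its error path lie outside this hunk.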
@@ -44,3 +44,33 @@ ubuntu/lp-1921880-x86-cpu-Populate-SVM-CPUID-feature-bits.patch ubuntu/lp-1921880-i386-Add-the-support-for-AMD-EPYC-3rd-generation-pro.patch ubuntu/lp-1921754-Add-missing-cpu-feature-bits-in-EPYC-Rome-model.patch +CVE-2020-15469-1.patch +CVE-2020-15469-2.patch +CVE-2020-15469-3.patch +CVE-2020-15469-4.patch +CVE-2020-15469-5.patch +CVE-2020-15469-6.patch +CVE-2020-15469-7.patch +CVE-2020-15469-8.patch +CVE-2020-29443-2.patch +CVE-2020-35504.patch +CVE-2020-35505.patch +CVE-2021-3392.patch +CVE-2021-3409-1.patch +CVE-2021-3409-2.patch +CVE-2021-3409-3.patch +CVE-2021-3409-4.patch +CVE-2021-3409-5.patch +CVE-2021-3527-1.patch +CVE-2021-3527-2.patch +CVE-2021-3544-1.patch +CVE-2021-3544-2.patch +CVE-2021-3544-3.patch +CVE-2021-3544-4.patch +CVE-2021-3544-5.patch +CVE-2021-3544-6.patch +CVE-2021-3544-7.patch +CVE-2021-3544-8.patch +CVE-2021-3582.patch +CVE-2021-3607.patch +CVE-2021-3608.patch
