On Tue, Feb 14, 2023 at 4:22 PM Kai Kang <[email protected]> wrote: > > On 2/14/23 22:30, Martin Jansa wrote: > > Thanks Kai, > > this should fix what I've reported in: > https://lists.openembedded.org/g/openembedded-core/message/176508 > > once this is merged, can you please add both oe-core changes (3 qemu patches) > to dunfell as well, so that similar patch is included in both branches? The > broken version wasn't merged to dunfell after my report. > > You mean CVE-2022-4144.patch and this commit, right? OK, will do.
Hi Kai, Do you still plan to submit the above referenced patches for dunfell? Thanks, Steve > Regards, > > On Tue, Feb 14, 2023 at 3:22 PM Kai Kang <[email protected]> wrote: >> >> From: Kai Kang <[email protected]> >> >> Backport 2 patches and rebase >> 0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch to fix >> compile error: >> >> ../qemu-6.2.0/hw/display/qxl.c: In function 'qxl_phys2virt': >> ../qemu-6.2.0/hw/display/qxl.c:1477:67: error: 'size' undeclared (first use >> in this function); did you mean 'gsize'? >> 1477 | if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, >> size)) { >> | >> ^~~~ >> | >> gsize >> ../qemu-6.2.0/hw/display/qxl.c:1477:67: note: each undeclared identifier is >> reported only once for each function it appears in >> >> Signed-off-by: Kai Kang <[email protected]> >> --- >> meta/recipes-devtools/qemu/qemu.inc | 2 + >> ...ave-qxl_log_command-Return-early-if-.patch | 57 +++++ >> ...ass-requested-buffer-size-to-qxl_phy.patch | 217 ++++++++++++++++++ >> 3 files changed, 276 insertions(+) >> create mode 100644 >> meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch >> create mode 100644 >> meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch >> >> diff --git a/meta/recipes-devtools/qemu/qemu.inc >> b/meta/recipes-devtools/qemu/qemu.inc >> index b68be447f1..5430718f75 100644 >> --- a/meta/recipes-devtools/qemu/qemu.inc >> +++ b/meta/recipes-devtools/qemu/qemu.inc >> @@ -93,6 +93,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ >> >> file://0021-target-ppc-implement-xs-n-maddqp-o-xs-n-msubqp-o.patch \ >> file://CVE-2022-3165.patch \ >> file://CVE-2022-4144.patch \ >> + >> file://0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch \ >> + >> file://0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \ >> " >> UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" >> >> diff --git >> a/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch >> >> b/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch >> new file mode 100644 >> index 0000000000..cd846222c9 >> --- /dev/null >> +++ >> b/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch >> @@ -0,0 +1,57 @@ >> +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/61c34fc] >> + >> +Signed-off-by: Kai Kang <[email protected]> >> + >> +From 61c34fc194b776ecadc39fb26b061331107e5599 Mon Sep 17 00:00:00 2001 >> +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <[email protected]> >> +Date: Mon, 28 Nov 2022 21:27:37 +0100 >> +Subject: [PATCH] hw/display/qxl: Have qxl_log_command Return early if no >> + log_cmd handler >> +MIME-Version: 1.0 >> +Content-Type: text/plain; charset=UTF-8 >> +Content-Transfer-Encoding: 8bit >> + >> +Only 3 command types are logged: no need to call qxl_phys2virt() >> +for the other types. Using different cases will help to pass >> +different structure sizes to qxl_phys2virt() in a pair of commits. >> + >> +Reviewed-by: Marc-André Lureau <[email protected]> >> +Signed-off-by: Philippe Mathieu-Daudé <[email protected]> >> +Signed-off-by: Stefan Hajnoczi <[email protected]> >> +Message-Id: <[email protected]> >> +--- >> + hw/display/qxl-logger.c | 11 +++++++++++ >> + 1 file changed, 11 insertions(+) >> + >> +diff --git a/hw/display/qxl-logger.c b/hw/display/qxl-logger.c >> +index 68bfa47568..1bcf803db6 100644 >> +--- a/hw/display/qxl-logger.c >> ++++ b/hw/display/qxl-logger.c >> +@@ -247,6 +247,16 @@ int qxl_log_command(PCIQXLDevice *qxl, const char >> *ring, QXLCommandExt *ext) >> + qxl_name(qxl_type, ext->cmd.type), >> + compat ? "(compat)" : ""); >> + >> ++ switch (ext->cmd.type) { >> ++ case QXL_CMD_DRAW: >> ++ break; >> ++ case QXL_CMD_SURFACE: >> ++ break; >> ++ case QXL_CMD_CURSOR: >> ++ break; >> ++ default: >> ++ goto out; >> ++ } >> + data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id); >> + if (!data) { >> + return 1; >> +@@ -269,6 +279,7 @@ int qxl_log_command(PCIQXLDevice *qxl, const char >> *ring, QXLCommandExt *ext) >> + qxl_log_cmd_cursor(qxl, data, ext->group_id); >> + break; >> + } >> ++out: >> + fprintf(stderr, "\n"); >> + return 0; >> + } >> +-- >> +2.34.1 >> + >> diff --git >> a/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch >> >> b/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch >> new file mode 100644 >> index 0000000000..ac51cf567a >> --- /dev/null >> +++ >> b/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch >> @@ -0,0 +1,217 @@ >> +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/8efec0e] >> + >> +Backport and rebase patch to fix compile error which imported by >> CVE-2022-4144.patch: >> + >> +../qemu-6.2.0/hw/display/qxl.c: In function 'qxl_phys2virt': >> +../qemu-6.2.0/hw/display/qxl.c:1477:67: error: 'size' undeclared (first use >> in this function); did you mean 'gsize'? >> + 1477 | if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, >> &offset, size)) { >> + | >> ^~~~ >> + | >> gsize >> +../qemu-6.2.0/hw/display/qxl.c:1477:67: note: each undeclared identifier is >> reported only once for each function it appears in >> + >> +Signed-off-by: Kai Kang <[email protected]> >> + >> +From 8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f Mon Sep 17 00:00:00 2001 >> +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <[email protected]> >> +Date: Mon, 28 Nov 2022 21:27:39 +0100 >> +Subject: [PATCH] hw/display/qxl: Pass requested buffer size to >> qxl_phys2virt() >> +MIME-Version: 1.0 >> +Content-Type: text/plain; charset=UTF-8 >> +Content-Transfer-Encoding: 8bit >> + >> +Currently qxl_phys2virt() doesn't check for buffer overrun. >> +In order to do so in the next commit, pass the buffer size >> +as argument. >> + >> +For QXLCursor in qxl_render_cursor() -> qxl_cursor() we >> +verify the size of the chunked data ahead, checking we can >> +access 'sizeof(QXLCursor) + chunk->data_size' bytes. >> +Since in the SPICE_CURSOR_TYPE_MONO case the cursor is >> +assumed to fit in one chunk, no change are required. >> +In SPICE_CURSOR_TYPE_ALPHA the ahead read is handled in >> +qxl_unpack_chunks(). >> + >> +Signed-off-by: Philippe Mathieu-Daudé <[email protected]> >> +Acked-by: Gerd Hoffmann <[email protected]> >> +Signed-off-by: Stefan Hajnoczi <[email protected]> >> +Message-Id: <[email protected]> >> +--- >> + hw/display/qxl-logger.c | 11 ++++++++--- >> + hw/display/qxl-render.c | 20 ++++++++++++++++---- >> + hw/display/qxl.c | 14 +++++++++----- >> + hw/display/qxl.h | 3 ++- >> + 4 files changed, 35 insertions(+), 13 deletions(-) >> + >> +diff --git a/hw/display/qxl-logger.c b/hw/display/qxl-logger.c >> +index 1bcf803..35c38f6 100644 >> +--- a/hw/display/qxl-logger.c >> ++++ b/hw/display/qxl-logger.c >> +@@ -106,7 +106,7 @@ static int qxl_log_image(PCIQXLDevice *qxl, QXLPHYSICAL >> addr, int group_id) >> + QXLImage *image; >> + QXLImageDescriptor *desc; >> + >> +- image = qxl_phys2virt(qxl, addr, group_id); >> ++ image = qxl_phys2virt(qxl, addr, group_id, sizeof(QXLImage)); >> + if (!image) { >> + return 1; >> + } >> +@@ -214,7 +214,8 @@ int qxl_log_cmd_cursor(PCIQXLDevice *qxl, QXLCursorCmd >> *cmd, int group_id) >> + cmd->u.set.position.y, >> + cmd->u.set.visible ? "yes" : "no", >> + cmd->u.set.shape); >> +- cursor = qxl_phys2virt(qxl, cmd->u.set.shape, group_id); >> ++ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, group_id, >> ++ sizeof(QXLCursor)); >> + if (!cursor) { >> + return 1; >> + } >> +@@ -236,6 +237,7 @@ int qxl_log_command(PCIQXLDevice *qxl, const char >> *ring, QXLCommandExt *ext) >> + { >> + bool compat = ext->flags & QXL_COMMAND_FLAG_COMPAT; >> + void *data; >> ++ size_t datasz; >> + int ret; >> + >> + if (!qxl->cmdlog) { >> +@@ -249,15 +251,18 @@ int qxl_log_command(PCIQXLDevice *qxl, const char >> *ring, QXLCommandExt *ext) >> + >> + switch (ext->cmd.type) { >> + case QXL_CMD_DRAW: >> ++ datasz = compat ? sizeof(QXLCompatDrawable) : sizeof(QXLDrawable); >> + break; >> + case QXL_CMD_SURFACE: >> ++ datasz = sizeof(QXLSurfaceCmd); >> + break; >> + case QXL_CMD_CURSOR: >> ++ datasz = sizeof(QXLCursorCmd); >> + break; >> + default: >> + goto out; >> + } >> +- data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id); >> ++ data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id, datasz); >> + if (!data) { >> + return 1; >> + } >> +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c >> +index ca21700..fcfd40c 100644 >> +--- a/hw/display/qxl-render.c >> ++++ b/hw/display/qxl-render.c >> +@@ -107,7 +107,9 @@ static void >> qxl_render_update_area_unlocked(PCIQXLDevice *qxl) >> + qxl->guest_primary.resized = 0; >> + qxl->guest_primary.data = qxl_phys2virt(qxl, >> + >> qxl->guest_primary.surface.mem, >> +- MEMSLOT_GROUP_GUEST); >> ++ MEMSLOT_GROUP_GUEST, >> ++ >> qxl->guest_primary.abs_stride >> ++ * height); >> + if (!qxl->guest_primary.data) { >> + goto end; >> + } >> +@@ -228,7 +230,8 @@ static void qxl_unpack_chunks(void *dest, size_t size, >> PCIQXLDevice *qxl, >> + if (offset == size) { >> + return; >> + } >> +- chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id); >> ++ chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id, >> ++ sizeof(QXLDataChunk) + chunk->data_size); >> + if (!chunk) { >> + return; >> + } >> +@@ -295,7 +298,8 @@ fail: >> + /* called from spice server thread context only */ >> + int qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext) >> + { >> +- QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id); >> ++ QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id, >> ++ sizeof(QXLCursorCmd)); >> + QXLCursor *cursor; >> + QEMUCursor *c; >> + >> +@@ -314,7 +318,15 @@ int qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt >> *ext) >> + } >> + switch (cmd->type) { >> + case QXL_CURSOR_SET: >> +- cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id); >> ++ /* First read the QXLCursor to get QXLDataChunk::data_size ... */ >> ++ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id, >> ++ sizeof(QXLCursor)); >> ++ if (!cursor) { >> ++ return 1; >> ++ } >> ++ /* Then read including the chunked data following QXLCursor. */ >> ++ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id, >> ++ sizeof(QXLCursor) + >> cursor->chunk.data_size); >> + if (!cursor) { >> + return 1; >> + } >> +diff --git a/hw/display/qxl.c b/hw/display/qxl.c >> +index ae8aa07..2a4b2d4 100644 >> +--- a/hw/display/qxl.c >> ++++ b/hw/display/qxl.c >> +@@ -274,7 +274,8 @@ static void >> qxl_spice_monitors_config_async(PCIQXLDevice *qxl, int replay) >> + QXL_IO_MONITORS_CONFIG_ASYNC)); >> + } >> + >> +- cfg = qxl_phys2virt(qxl, qxl->guest_monitors_config, >> MEMSLOT_GROUP_GUEST); >> ++ cfg = qxl_phys2virt(qxl, qxl->guest_monitors_config, >> MEMSLOT_GROUP_GUEST, >> ++ sizeof(QXLMonitorsConfig)); >> + if (cfg != NULL && cfg->count == 1) { >> + qxl->guest_primary.resized = 1; >> + qxl->guest_head0_width = cfg->heads[0].width; >> +@@ -459,7 +460,8 @@ static int qxl_track_command(PCIQXLDevice *qxl, struct >> QXLCommandExt *ext) >> + switch (le32_to_cpu(ext->cmd.type)) { >> + case QXL_CMD_SURFACE: >> + { >> +- QXLSurfaceCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, >> ext->group_id); >> ++ QXLSurfaceCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, >> ext->group_id, >> ++ sizeof(QXLSurfaceCmd)); >> + >> + if (!cmd) { >> + return 1; >> +@@ -494,7 +496,8 @@ static int qxl_track_command(PCIQXLDevice *qxl, struct >> QXLCommandExt *ext) >> + } >> + case QXL_CMD_CURSOR: >> + { >> +- QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, >> ext->group_id); >> ++ QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, >> ext->group_id, >> ++ sizeof(QXLCursorCmd)); >> + >> + if (!cmd) { >> + return 1; >> +@@ -1463,7 +1466,8 @@ static bool qxl_get_check_slot_offset(PCIQXLDevice >> *qxl, QXLPHYSICAL pqxl, >> + } >> + >> + /* can be also called from spice server thread context */ >> +-void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id) >> ++void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id, >> ++ size_t size) >> + { >> + uint64_t offset; >> + uint32_t slot; >> +@@ -1971,7 +1975,7 @@ static void qxl_dirty_surfaces(PCIQXLDevice *qxl) >> + } >> + >> + cmd = qxl_phys2virt(qxl, qxl->guest_surfaces.cmds[i], >> +- MEMSLOT_GROUP_GUEST); >> ++ MEMSLOT_GROUP_GUEST, sizeof(QXLSurfaceCmd)); >> + assert(cmd); >> + assert(cmd->type == QXL_SURFACE_CMD_CREATE); >> + qxl_dirty_one_surface(qxl, cmd->u.surface_create.data, >> +diff --git a/hw/display/qxl.h b/hw/display/qxl.h >> +index 30d21f4..4551c23 100644 >> +--- a/hw/display/qxl.h >> ++++ b/hw/display/qxl.h >> +@@ -147,7 +147,8 @@ OBJECT_DECLARE_SIMPLE_TYPE(PCIQXLDevice, PCI_QXL) >> + #define QXL_DEFAULT_REVISION (QXL_REVISION_STABLE_V12 + 1) >> + >> + /* qxl.c */ >> +-void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id); >> ++void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id, >> ++ size_t size); >> + void qxl_set_guest_bug(PCIQXLDevice *qxl, const char *msg, ...) >> + GCC_FMT_ATTR(2, 3); >> + >> +-- >> +2.34.1 >> + >> -- >> 2.17.1 >> >> >> >> > > -- > Kai Kang > Wind River Linux > > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#178454): https://lists.openembedded.org/g/openembedded-core/message/178454 Mute This Topic: https://lists.openembedded.org/mt/96960641/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
