Unfortunately this patch caused multiple instances of: AssertionError: False is not true : Failed: qemux86 does not shutdown within timeout(120)
See: https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7063 Removing the patch resulted in a succesful a-full build. Steve On Fri, Jun 21, 2024 at 5:16 AM Urade, Yogita via lists.openembedded.org <[email protected]> wrote: > > From: Yogita Urade <[email protected]> > > CVE-2024-3446: > A double free vulnerability was found in QEMU virtio devices > (virtio-gpu, virtio-serial-bus, virtio-crypto), where the > mem_reentrancy_guard flag insufficiently protects against DMA > reentrancy issues. This issue could allow a malicious privileged > guest to crash the QEMU process on the host, resulting in a d > enial of service or allow arbitrary code execution within the > context of the QEMU process on the host. > > CVE-2024-3447: > QEMU: sdhci: heap buffer overflow in sdhci_write_dataport() > > Fix indent issue in qemu.inc file. > > References: > https://nvd.nist.gov/vuln/detail/CVE-2024-3446 > https://security-tracker.debian.org/tracker/CVE-2024-3447 > > Signed-off-by: Yogita Urade <[email protected]> > --- > meta/recipes-devtools/qemu/qemu.inc | 23 +- > .../qemu/qemu/CVE-2024-3446-0001.patch | 136 +++++++++++ > .../qemu/qemu/CVE-2024-3446-0002.patch | 218 ++++++++++++++++++ > .../qemu/qemu/CVE-2024-3446-0003.patch | 68 ++++++ > .../qemu/qemu/CVE-2024-3446-0004.patch | 141 +++++++++++ > .../qemu/qemu/CVE-2024-3446-0005.patch | 41 ++++ > .../qemu/qemu/CVE-2024-3446-0006.patch | 42 ++++ > .../qemu/qemu/CVE-2024-3447.patch | 135 +++++++++++ > 8 files changed, 796 insertions(+), 8 deletions(-) > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-3446-0001.patch > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-3446-0002.patch > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-3446-0003.patch > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-3446-0004.patch > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-3446-0005.patch > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-3446-0006.patch > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-3447.patch > > diff --git a/meta/recipes-devtools/qemu/qemu.inc > b/meta/recipes-devtools/qemu/qemu.inc > index 4747310ae4..dba7c76f95 100644 > --- a/meta/recipes-devtools/qemu/qemu.inc > +++ b/meta/recipes-devtools/qemu/qemu.inc > @@ -97,18 +97,25 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ > file://CVE-2023-3301.patch \ > file://CVE-2023-3255.patch \ > file://CVE-2023-2861.patch \ > - file://CVE-2020-14394.patch \ > - file://CVE-2023-3354.patch \ > - file://CVE-2023-3180.patch \ > - file://CVE-2021-3638.patch \ > - file://CVE-2023-1544.patch \ > - file://CVE-2023-5088.patch \ > - file://CVE-2024-24474.patch \ > - file://CVE-2023-6693.patch \ > + file://CVE-2020-14394.patch \ > + file://CVE-2023-3354.patch \ > + file://CVE-2023-3180.patch \ > + file://CVE-2021-3638.patch \ > + file://CVE-2023-1544.patch \ > + file://CVE-2023-5088.patch \ > + file://CVE-2024-24474.patch \ > + file://CVE-2023-6693.patch \ > > file://scsi-disk-allow-MODE-SELECT-block-desriptor-to-set-the-block-size.patch > \ > > file://scsi-disk-ensure-block-size-is-non-zero-and-changes-limited-to-bits-8-15.patch > \ > file://CVE-2023-42467.patch \ > file://CVE-2023-6683.patch \ > + file://CVE-2024-3446-0001.patch \ > + file://CVE-2024-3446-0002.patch \ > + file://CVE-2024-3446-0003.patch \ > + file://CVE-2024-3446-0004.patch \ > + file://CVE-2024-3446-0005.patch \ > + file://CVE-2024-3446-0006.patch \ > + file://CVE-2024-3447.patch \ > " > UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2024-3446-0001.patch > b/meta/recipes-devtools/qemu/qemu/CVE-2024-3446-0001.patch > new file mode 100644 > index 0000000000..6c27751fac > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2024-3446-0001.patch > @@ -0,0 +1,136 @@ > +From a2e1753b8054344f32cf94f31c6399a58794a380 Mon Sep 17 00:00:00 2001 > +From: Alexander Bulekov <[email protected]> > +Date: Mon, 27 May 2024 10:12:28 +0000 > +Subject: [PATCH] memory: prevent dma-reentracy issues > + > +Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA. > +This flag is set/checked prior to calling a device's MemoryRegion > +handlers, and set when device code initiates DMA. The purpose of this > +flag is to prevent two types of DMA-based reentrancy issues: > + > +1.) mmio -> dma -> mmio case > +2.) bh -> dma write -> mmio case > + > +These issues have led to problems such as stack-exhaustion and > +use-after-frees. > + > +Summary of the problem from Peter Maydell: > +https://lore.kernel.org/qemu-devel/cafeaca_23vc7he3iam-jva6w38lk4hjowae5kcknhprd5fp...@mail.gmail.com > + > +Resolves: #62 > +Resolves: #540 > +Resolves: #541 > +Resolves: #556 > +Resolves: #557 > +Resolves: #827 > +Resolves: #1282 > + > +Resolves: CVE-2023-0330 > + > +Signed-off-by: Alexander Bulekov <[email protected]> > +Reviewed-by: Thomas Huth <[email protected]> > +Message-Id: <[email protected]> > +[thuth: Replace warn_report() with warn_report_once()] > +Signed-off-by: Thomas Huth <[email protected]> > + > +CVE: CVE-2024-3446 > +Upstream-Status: Backport > [https://gitlab.com/qemu-project/qemu/-/commit/a2e1753b8054344f32cf94f31c6399a58794a380] > + > +Signed-off-by: Yogita Urade <[email protected]> > +--- > + include/exec/memory.h | 5 +++++ > + include/hw/qdev-core.h | 7 +++++++ > + softmmu/memory.c | 16 ++++++++++++++++ > + 3 files changed, 28 insertions(+) > + > +diff --git a/include/exec/memory.h b/include/exec/memory.h > +index 20f1b2737..e089f90f9 100644 > +--- a/include/exec/memory.h > ++++ b/include/exec/memory.h > +@@ -734,6 +734,8 @@ struct MemoryRegion { > + bool is_iommu; > + RAMBlock *ram_block; > + Object *owner; > ++ /* owner as TYPE_DEVICE. Used for re-entrancy checks in MR access > hotpath */ > ++ DeviceState *dev; > + > + const MemoryRegionOps *ops; > + void *opaque; > +@@ -757,6 +759,9 @@ struct MemoryRegion { > + unsigned ioeventfd_nb; > + MemoryRegionIoeventfd *ioeventfds; > + RamDiscardManager *rdm; /* Only for RAM */ > ++ > ++ /* For devices designed to perform re-entrant IO into their own IO MRs > */ > ++ bool disable_reentrancy_guard; > + }; > + > + struct IOMMUMemoryRegion { > +diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h > +index 20d306659..14226f860 100644 > +--- a/include/hw/qdev-core.h > ++++ b/include/hw/qdev-core.h > +@@ -162,6 +162,10 @@ struct NamedClockList { > + QLIST_ENTRY(NamedClockList) node; > + }; > + > ++typedef struct { > ++ bool engaged_in_io; > ++} MemReentrancyGuard; > ++ > + /** > + * DeviceState: > + * @realized: Indicates whether the device has been fully constructed. > +@@ -193,6 +197,9 @@ struct DeviceState { > + int instance_id_alias; > + int alias_required_for_version; > + ResettableState reset; > ++ > ++ /* Is the device currently in mmio/pio/dma? Used to prevent re-entrancy > */ > ++ MemReentrancyGuard mem_reentrancy_guard; > + }; > + > + struct DeviceListener { > +diff --git a/softmmu/memory.c b/softmmu/memory.c > +index 7340e19ff..102f0a424 100644 > +--- a/softmmu/memory.c > ++++ b/softmmu/memory.c > +@@ -541,6 +541,18 @@ static MemTxResult access_with_adjusted_size(hwaddr > addr, > + access_size_max = 4; > + } > + > ++ /* Do not allow more than one simultaneous access to a device's IO > Regions */ > ++ if (mr->dev && !mr->disable_reentrancy_guard && > ++ !mr->ram_device && !mr->ram && !mr->rom_device && !mr->readonly) { > ++ if (mr->dev->mem_reentrancy_guard.engaged_in_io) { > ++ warn_report_once("Blocked re-entrant IO on MemoryRegion: " > ++ "%s at addr: 0x%" HWADDR_PRIX, > ++ memory_region_name(mr), addr); > ++ return MEMTX_ACCESS_ERROR; > ++ } > ++ mr->dev->mem_reentrancy_guard.engaged_in_io = true; > ++ } > ++ > + /* FIXME: support unaligned access? */ > + access_size = MAX(MIN(size, access_size_max), access_size_min); > + access_mask = MAKE_64BIT_MASK(0, access_size * 8); > +@@ -555,6 +567,9 @@ static MemTxResult access_with_adjusted_size(hwaddr addr, > + access_mask, attrs); > + } > + } > ++ if (mr->dev) { > ++ mr->dev->mem_reentrancy_guard.engaged_in_io = false; > ++ } > + return r; > + } > + > +@@ -1169,6 +1184,7 @@ static void memory_region_do_init(MemoryRegion *mr, > + } > + mr->name = g_strdup(name); > + mr->owner = owner; > ++ mr->dev = (DeviceState *) object_dynamic_cast(mr->owner, TYPE_DEVICE); > + mr->ram_block = NULL; > + > + if (name) { > +-- > +2.40.0 > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2024-3446-0002.patch > b/meta/recipes-devtools/qemu/qemu/CVE-2024-3446-0002.patch > new file mode 100644 > index 0000000000..f33934bf85 > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2024-3446-0002.patch > @@ -0,0 +1,218 @@ > +From 9c86c97f12c060bf7484dd931f38634e166a81f0 Mon Sep 17 00:00:00 2001 > +From: Alexander Bulekov <[email protected]> > +Date: Mon, 27 May 2024 07:29:20 +0000 > +Subject: [PATCH] async: Add an optional reentrancy guard to the BH API > + > +Devices can pass their MemoryReentrancyGuard (from their DeviceState), > +when creating new BHes. Then, the async API will toggle the guard > +before/after calling the BH call-back. This prevents bh->mmio reentrancy > +issues. > + > +Signed-off-by: Alexander Bulekov <[email protected]> > +Reviewed-by: Darren Kenny <[email protected]> > +Message-Id: <[email protected]> > +[thuth: Fix "line over 90 characters" checkpatch.pl error] > +Signed-off-by: Thomas Huth <[email protected]> > + > +CVE: CVE-2024-3446 > +Upstream-Status: Backport > [https://gitlab.com/qemu-project/qemu/-/commit/9c86c97f12c060bf7484dd931f38634e166a81f0] > + > +Signed-off-by: Yogita Urade <[email protected]> > +--- > + docs/devel/multiple-iothreads.txt | 7 +++++++ > + include/block/aio.h | 18 ++++++++++++++++-- > + include/qemu/main-loop.h | 8 +++++--- > + tests/unit/ptimer-test-stubs.c | 3 ++- > + util/async.c | 18 +++++++++++++++++- > + util/main-loop.c | 6 ++++-- > + util/trace-events | 1 + > + 7 files changed, 52 insertions(+), 9 deletions(-) > + > +diff --git a/docs/devel/multiple-iothreads.txt > b/docs/devel/multiple-iothreads.txt > +index aeb997bed..a11576bc7 100644 > +--- a/docs/devel/multiple-iothreads.txt > ++++ b/docs/devel/multiple-iothreads.txt > +@@ -61,6 +61,7 @@ There are several old APIs that use the main loop > AioContext: > + * LEGACY qemu_aio_set_event_notifier() - monitor an event notifier > + * LEGACY timer_new_ms() - create a timer > + * LEGACY qemu_bh_new() - create a BH > ++ * LEGACY qemu_bh_new_guarded() - create a BH with a device re-entrancy > guard > + * LEGACY qemu_aio_wait() - run an event loop iteration > + > + Since they implicitly work on the main loop they cannot be used in code that > +@@ -72,8 +73,14 @@ Instead, use the AioContext functions directly (see > include/block/aio.h): > + * aio_set_event_notifier() - monitor an event notifier > + * aio_timer_new() - create a timer > + * aio_bh_new() - create a BH > ++ * aio_bh_new_guarded() - create a BH with a device re-entrancy guard > + * aio_poll() - run an event loop iteration > + > ++The qemu_bh_new_guarded/aio_bh_new_guarded APIs accept a > "MemReentrancyGuard" > ++argument, which is used to check for and prevent re-entrancy problems. For > ++BHs associated with devices, the reentrancy-guard is contained in the > ++corresponding DeviceState and named "mem_reentrancy_guard". > ++ > + The AioContext can be obtained from the IOThread using > + iothread_get_aio_context() or for the main loop using > qemu_get_aio_context(). > + Code that takes an AioContext argument works both in IOThreads or the main > +diff --git a/include/block/aio.h b/include/block/aio.h > +index 47fbe9d81..c7da15298 100644 > +--- a/include/block/aio.h > ++++ b/include/block/aio.h > +@@ -22,6 +22,8 @@ > + #include "qemu/event_notifier.h" > + #include "qemu/thread.h" > + #include "qemu/timer.h" > ++#include "hw/qdev-core.h" > ++ > + > + typedef struct BlockAIOCB BlockAIOCB; > + typedef void BlockCompletionFunc(void *opaque, int ret); > +@@ -321,9 +323,11 @@ void aio_bh_schedule_oneshot_full(AioContext *ctx, > QEMUBHFunc *cb, void *opaque, > + * is opaque and must be allocated prior to its use. > + * > + * @name: A human-readable identifier for debugging purposes. > ++ * @reentrancy_guard: A guard set when entering a cb to prevent > ++ * device-reentrancy issues > + */ > + QEMUBH *aio_bh_new_full(AioContext *ctx, QEMUBHFunc *cb, void *opaque, > +- const char *name); > ++ const char *name, MemReentrancyGuard > *reentrancy_guard); > + > + /** > + * aio_bh_new: Allocate a new bottom half structure > +@@ -332,7 +336,17 @@ QEMUBH *aio_bh_new_full(AioContext *ctx, QEMUBHFunc > *cb, void *opaque, > + * string. > + */ > + #define aio_bh_new(ctx, cb, opaque) \ > +- aio_bh_new_full((ctx), (cb), (opaque), (stringify(cb))) > ++ aio_bh_new_full((ctx), (cb), (opaque), (stringify(cb)), NULL) > ++ > ++/** > ++ * aio_bh_new_guarded: Allocate a new bottom half structure with a > ++ * reentrancy_guard > ++ * > ++ * A convenience wrapper for aio_bh_new_full() that uses the cb as the name > ++ * string. > ++ */ > ++#define aio_bh_new_guarded(ctx, cb, opaque, guard) \ > ++ aio_bh_new_full((ctx), (cb), (opaque), (stringify(cb)), guard) > + > + /** > + * aio_notify: Force processing of pending events. > +diff --git a/include/qemu/main-loop.h b/include/qemu/main-loop.h > +index 8dbc6fcb8..0a8f512be 100644 > +--- a/include/qemu/main-loop.h > ++++ b/include/qemu/main-loop.h > +@@ -293,10 +293,12 @@ void qemu_cond_timedwait_iothread(QemuCond *cond, int > ms); > + /* internal interfaces */ > + > + void qemu_fd_register(int fd); > +- > ++#define qemu_bh_new_guarded(cb, opaque, guard) \ > ++ qemu_bh_new_full((cb), (opaque), (stringify(cb)), guard) > + #define qemu_bh_new(cb, opaque) \ > +- qemu_bh_new_full((cb), (opaque), (stringify(cb))) > +-QEMUBH *qemu_bh_new_full(QEMUBHFunc *cb, void *opaque, const char *name); > ++ qemu_bh_new_full((cb), (opaque), (stringify(cb)), NULL) > ++QEMUBH *qemu_bh_new_full(QEMUBHFunc *cb, void *opaque, const char *name, > ++ MemReentrancyGuard *reentrancy_guard); > + void qemu_bh_schedule_idle(QEMUBH *bh); > + > + enum { > +diff --git a/tests/unit/ptimer-test-stubs.c b/tests/unit/ptimer-test-stubs.c > +index 2a3ef5879..a7a2d08e7 100644 > +--- a/tests/unit/ptimer-test-stubs.c > ++++ b/tests/unit/ptimer-test-stubs.c > +@@ -108,7 +108,8 @@ int64_t qemu_clock_deadline_ns_all(QEMUClockType type, > int attr_mask) > + return deadline; > + } > + > +-QEMUBH *qemu_bh_new_full(QEMUBHFunc *cb, void *opaque, const char *name) > ++QEMUBH *qemu_bh_new_full(QEMUBHFunc *cb, void *opaque, const char *name, > ++ MemReentrancyGuard *reentrancy_guard) > + { > + QEMUBH *bh = g_new(QEMUBH, 1); > + > +diff --git a/util/async.c b/util/async.c > +index 6f6717a34..3eb6b5016 100644 > +--- a/util/async.c > ++++ b/util/async.c > +@@ -62,6 +62,7 @@ struct QEMUBH { > + void *opaque; > + QSLIST_ENTRY(QEMUBH) next; > + unsigned flags; > ++ MemReentrancyGuard *reentrancy_guard; > + }; > + > + /* Called concurrently from any thread */ > +@@ -123,7 +124,7 @@ void aio_bh_schedule_oneshot_full(AioContext *ctx, > QEMUBHFunc *cb, > + } > + > + QEMUBH *aio_bh_new_full(AioContext *ctx, QEMUBHFunc *cb, void *opaque, > +- const char *name) > ++ const char *name, MemReentrancyGuard > *reentrancy_guard) > + { > + QEMUBH *bh; > + bh = g_new(QEMUBH, 1); > +@@ -132,13 +133,28 @@ QEMUBH *aio_bh_new_full(AioContext *ctx, QEMUBHFunc > *cb, void *opaque, > + .cb = cb, > + .opaque = opaque, > + .name = name, > ++ .reentrancy_guard = reentrancy_guard, > + }; > + return bh; > + } > + > + void aio_bh_call(QEMUBH *bh) > + { > ++ bool last_engaged_in_io = false; > ++ > ++ if (bh->reentrancy_guard) { > ++ last_engaged_in_io = bh->reentrancy_guard->engaged_in_io; > ++ if (bh->reentrancy_guard->engaged_in_io) { > ++ trace_reentrant_aio(bh->ctx, bh->name); > ++ } > ++ bh->reentrancy_guard->engaged_in_io = true; > ++ } > ++ > + bh->cb(bh->opaque); > ++ > ++ if (bh->reentrancy_guard) { > ++ bh->reentrancy_guard->engaged_in_io = last_engaged_in_io; > ++ } > + } > + > + /* Multiple occurrences of aio_bh_poll cannot be called concurrently. */ > +diff --git a/util/main-loop.c b/util/main-loop.c > +index 06b18b195..1eacf0469 100644 > +--- a/util/main-loop.c > ++++ b/util/main-loop.c > +@@ -544,9 +544,11 @@ void main_loop_wait(int nonblocking) > + > + /* Functions to operate on the main QEMU AioContext. */ > + > +-QEMUBH *qemu_bh_new_full(QEMUBHFunc *cb, void *opaque, const char *name) > ++QEMUBH *qemu_bh_new_full(QEMUBHFunc *cb, void *opaque, const char *name, > ++ MemReentrancyGuard *reentrancy_guard) > + { > +- return aio_bh_new_full(qemu_aio_context, cb, opaque, name); > ++ return aio_bh_new_full(qemu_aio_context, cb, opaque, name, > ++ reentrancy_guard); > + } > + > + /* > +diff --git a/util/trace-events b/util/trace-events > +index c8f53d7d9..dc3b1eb3b 100644 > +--- a/util/trace-events > ++++ b/util/trace-events > +@@ -11,6 +11,7 @@ poll_remove(void *ctx, void *node, int fd) "ctx %p node %p > fd %d" > + # async.c > + aio_co_schedule(void *ctx, void *co) "ctx %p co %p" > + aio_co_schedule_bh_cb(void *ctx, void *co) "ctx %p co %p" > ++reentrant_aio(void *ctx, const char *name) "ctx %p name %s" > + > + # thread-pool.c > + thread_pool_submit(void *pool, void *req, void *opaque) "pool %p req %p > opaque %p" > +-- > +2.40.0 > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2024-3446-0003.patch > b/meta/recipes-devtools/qemu/qemu/CVE-2024-3446-0003.patch > new file mode 100644 > index 0000000000..8f7fa1a569 > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2024-3446-0003.patch > @@ -0,0 +1,68 @@ > +From ec0504b989ca61e03636384d3602b7bf07ffe4da Mon Sep 17 00:00:00 2001 > +From: Philippe Mathieu-Daudé <[email protected]> > +Date: Mon, 27 May 2024 11:52:53 +0000 > +Subject: [PATCH] hw/virtio: Introduce virtio_bh_new_guarded() helper > + > +Introduce virtio_bh_new_guarded(), similar to qemu_bh_new_guarded() > +but using the transport memory guard, instead of the device one > +(there can only be one virtio device per virtio bus). > + > +Inspired-by: Gerd Hoffmann <[email protected]> > +Reviewed-by: Gerd Hoffmann <[email protected]> > +Acked-by: Michael S. Tsirkin <[email protected]> > +Signed-off-by: Philippe Mathieu-Daudé <[email protected]> > +Reviewed-by: Michael S. Tsirkin <[email protected]> > +Message-Id: <[email protected]> > + > +CVE: CVE-2024-3446 > +Upstream-Status: Backport > [https://gitlab.com/qemu-project/qemu/-/commit/ec0504b989ca61e03636384d3602b7bf07ffe4da] > + > +Signed-off-by: Yogita Urade <[email protected]> > +--- > + hw/virtio/virtio.c | 10 ++++++++++ > + include/hw/virtio/virtio.h | 7 +++++++ > + 2 files changed, 17 insertions(+) > + > +diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c > +index e11a8a0db..be0b3ff9d 100644 > +--- a/hw/virtio/virtio.c > ++++ b/hw/virtio/virtio.c > +@@ -3876,3 +3876,13 @@ static void virtio_register_types(void) > + } > + > + type_init(virtio_register_types) > ++ > ++QEMUBH *virtio_bh_new_guarded_full(DeviceState *dev, > ++ QEMUBHFunc *cb, void *opaque, > ++ const char *name) > ++{ > ++ DeviceState *transport = qdev_get_parent_bus(dev)->parent; > ++ > ++ return qemu_bh_new_full(cb, opaque, name, > ++ &transport->mem_reentrancy_guard); > ++} > +diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h > +index 8bab9cfb7..731c631a8 100644 > +--- a/include/hw/virtio/virtio.h > ++++ b/include/hw/virtio/virtio.h > +@@ -22,6 +22,7 @@ > + #include "standard-headers/linux/virtio_config.h" > + #include "standard-headers/linux/virtio_ring.h" > + #include "qom/object.h" > ++#include "block/aio.h" > + > + /* A guest should never accept this. It implies negotiation is broken. */ > + #define VIRTIO_F_BAD_FEATURE 30 > +@@ -397,4 +398,10 @@ static inline bool virtio_device_disabled(VirtIODevice > *vdev) > + bool virtio_legacy_allowed(VirtIODevice *vdev); > + bool virtio_legacy_check_disabled(VirtIODevice *vdev); > + > ++QEMUBH *virtio_bh_new_guarded_full(DeviceState *dev, > ++ QEMUBHFunc *cb, void *opaque, > ++ const char *name); > ++#define virtio_bh_new_guarded(dev, cb, opaque) \ > ++ virtio_bh_new_guarded_full((dev), (cb), (opaque), (stringify(cb))) > ++ > + #endif > +-- > +2.40.0 > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2024-3446-0004.patch > b/meta/recipes-devtools/qemu/qemu/CVE-2024-3446-0004.patch > new file mode 100644 > index 0000000000..8b209491d8 > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2024-3446-0004.patch > @@ -0,0 +1,141 @@ > +From ba28e0ff4d95b56dc334aac2730ab3651ffc3132 Mon Sep 17 00:00:00 2001 > +From: Philippe Mathieu-Daudé <[email protected]> > +Date: Tue, 28 May 2024 05:50:35 +0000 > +Subject: [PATCH] hw/display/virtio-gpu: Protect from DMA re-entrancy bugs > + > +Replace qemu_bh_new_guarded() by virtio_bh_new_guarded() > +so the bus and device use the same guard. Otherwise the > +DMA-reentrancy protection can be bypassed: > + > + $ cat << EOF | qemu-system-i386 -display none -nodefaults \ > + -machine q35,accel=qtest \ > + -m 512M \ > + -device virtio-gpu \ > + -qtest stdio > + outl 0xcf8 0x80000820 > + outl 0xcfc 0xe0004000 > + outl 0xcf8 0x80000804 > + outw 0xcfc 0x06 > + write 0xe0004030 0x4 0x024000e0 > + write 0xe0004028 0x1 0xff > + write 0xe0004020 0x4 0x00009300 > + write 0xe000401c 0x1 0x01 > + write 0x101 0x1 0x04 > + write 0x103 0x1 0x1c > + write 0x9301c8 0x1 0x18 > + write 0x105 0x1 0x1c > + write 0x107 0x1 0x1c > + write 0x109 0x1 0x1c > + write 0x10b 0x1 0x00 > + write 0x10d 0x1 0x00 > + write 0x10f 0x1 0x00 > + write 0x111 0x1 0x00 > + write 0x113 0x1 0x00 > + write 0x115 0x1 0x00 > + write 0x117 0x1 0x00 > + write 0x119 0x1 0x00 > + write 0x11b 0x1 0x00 > + write 0x11d 0x1 0x00 > + write 0x11f 0x1 0x00 > + write 0x121 0x1 0x00 > + write 0x123 0x1 0x00 > + write 0x125 0x1 0x00 > + write 0x127 0x1 0x00 > + write 0x129 0x1 0x00 > + write 0x12b 0x1 0x00 > + write 0x12d 0x1 0x00 > + write 0x12f 0x1 0x00 > + write 0x131 0x1 0x00 > + write 0x133 0x1 0x00 > + write 0x135 0x1 0x00 > + write 0x137 0x1 0x00 > + write 0x139 0x1 0x00 > + write 0xe0007003 0x1 0x00 > + EOF > + ... > + ================================================================= > + ==276099==ERROR: AddressSanitizer: heap-use-after-free on address > 0x60d000011178 > + at pc 0x562cc3b736c7 bp 0x7ffed49dee60 sp 0x7ffed49dee58 > + READ of size 8 at 0x60d000011178 thread T0 > + #0 0x562cc3b736c6 in virtio_gpu_ctrl_response > hw/display/virtio-gpu.c:180:42 > + #1 0x562cc3b7c40b in virtio_gpu_ctrl_response_nodata > hw/display/virtio-gpu.c:192:5 > + #2 0x562cc3b7c40b in virtio_gpu_simple_process_cmd > hw/display/virtio-gpu.c:1015:13 > + #3 0x562cc3b82873 in virtio_gpu_process_cmdq > hw/display/virtio-gpu.c:1050:9 > + #4 0x562cc4a85514 in aio_bh_call util/async.c:169:5 > + #5 0x562cc4a85c52 in aio_bh_poll util/async.c:216:13 > + #6 0x562cc4a1a79b in aio_dispatch util/aio-posix.c:423:5 > + #7 0x562cc4a8a2da in aio_ctx_dispatch util/async.c:358:5 > + #8 0x7f36840547a8 in g_main_context_dispatch > (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x547a8) > + #9 0x562cc4a8b753 in glib_pollfds_poll util/main-loop.c:290:9 > + #10 0x562cc4a8b753 in os_host_main_loop_wait util/main-loop.c:313:5 > + #11 0x562cc4a8b753 in main_loop_wait util/main-loop.c:592:11 > + #12 0x562cc3938186 in qemu_main_loop system/runstate.c:782:9 > + #13 0x562cc43b7af5 in qemu_default_main system/main.c:37:14 > + #14 0x7f3683a6c189 in __libc_start_call_main > csu/../sysdeps/nptl/libc_start_call_main.h:58:16 > + #15 0x7f3683a6c244 in __libc_start_main csu/../csu/libc-start.c:381:3 > + #16 0x562cc2a58ac0 in _start (qemu-system-i386+0x231bac0) > + > + 0x60d000011178 is located 56 bytes inside of 136-byte region > [0x60d000011140,0x60d0000111c8) > + freed by thread T0 here: > + #0 0x562cc2adb662 in __interceptor_free (qemu-system-i386+0x239e662) > + #1 0x562cc3b86b21 in virtio_gpu_reset hw/display/virtio-gpu.c:1524:9 > + #2 0x562cc416e20e in virtio_reset hw/virtio/virtio.c:2145:9 > + #3 0x562cc37c5644 in virtio_pci_reset hw/virtio/virtio-pci.c:2249:5 > + #4 0x562cc4233758 in memory_region_write_accessor system/memory.c:497:5 > + #5 0x562cc4232eea in access_with_adjusted_size system/memory.c:573:18 > + > + previously allocated by thread T0 here: > + #0 0x562cc2adb90e in malloc (qemu-system-i386+0x239e90e) > + #1 0x7f368405a678 in g_malloc > (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5a678) > + #2 0x562cc4163ffc in virtqueue_split_pop hw/virtio/virtio.c:1612:12 > + #3 0x562cc4163ffc in virtqueue_pop hw/virtio/virtio.c:1783:16 > + #4 0x562cc3b91a95 in virtio_gpu_handle_ctrl > hw/display/virtio-gpu.c:1112:15 > + #5 0x562cc4a85514 in aio_bh_call util/async.c:169:5 > + #6 0x562cc4a85c52 in aio_bh_poll util/async.c:216:13 > + #7 0x562cc4a1a79b in aio_dispatch util/aio-posix.c:423:5 > + > + SUMMARY: AddressSanitizer: heap-use-after-free > hw/display/virtio-gpu.c:180:42 in virtio_gpu_ctrl_response > + > +With this change, the same reproducer triggers: > + > + qemu-system-i386: warning: Blocked re-entrant IO on MemoryRegion: > virtio-pci-common-virtio-gpu at addr: 0x6 > + > +Fixes: CVE-2024-3446 > +Cc: [email protected] > +Reported-by: Alexander Bulekov <[email protected]> > +Reported-by: Yongkang Jia <[email protected]> > +Reported-by: Xiao Lei <[email protected]> > +Reported-by: Yiming Tao <[email protected]> > +Buglink: https://bugs.launchpad.net/qemu/+bug/1888606 > + > +Reviewed-by: Gerd Hoffmann <[email protected]> > +Acked-by: Michael S. Tsirkin <[email protected]> > +Signed-off-by: Philippe Mathieu-Daudé <[email protected]> > +Reviewed-by: Michael S. Tsirkin <[email protected]> > +Message-Id: <[email protected]> > + > +CVE: CVE-2024-3446 > +Upstream-Status: Backport > [https://gitlab.com/qemu-project/qemu/-/commit/ba28e0ff4d95b56dc334aac2730ab3651ffc3132] > + > +Signed-off-by: Yogita Urade <[email protected]> > +--- > + hw/display/virtio-gpu.c | 4 ++-- > + 1 file changed, 2 insertions(+), 2 deletions(-) > + > +diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c > +index c6dc81898..5719ef6f1 100644 > +--- a/hw/display/virtio-gpu.c > ++++ b/hw/display/virtio-gpu.c > +@@ -1334,8 +1334,8 @@ void virtio_gpu_device_realize(DeviceState *qdev, > Error **errp) > + > + g->ctrl_vq = virtio_get_queue(vdev, 0); > + g->cursor_vq = virtio_get_queue(vdev, 1); > +- g->ctrl_bh = qemu_bh_new(virtio_gpu_ctrl_bh, g); > +- g->cursor_bh = qemu_bh_new(virtio_gpu_cursor_bh, g); > ++ g->ctrl_bh = virtio_bh_new_guarded(qdev, virtio_gpu_ctrl_bh, g); > ++ g->cursor_bh = virtio_bh_new_guarded(qdev, virtio_gpu_cursor_bh, g); > + QTAILQ_INIT(&g->reslist); > + QTAILQ_INIT(&g->cmdq); > + QTAILQ_INIT(&g->fenceq); > +-- > +2.40.0 > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2024-3446-0005.patch > b/meta/recipes-devtools/qemu/qemu/CVE-2024-3446-0005.patch > new file mode 100644 > index 0000000000..0fe9554820 > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2024-3446-0005.patch > @@ -0,0 +1,41 @@ > +From b4295bff25f7b50de1d9cc94a9c6effd40056bca Mon Sep 17 00:00:00 2001 > +From: Philippe Mathieu-Daudé <[email protected]> > +Date: Tue, 28 May 2024 06:55:51 +0000 > +Subject: [PATCH] hw/char/virtio-serial-bus: Protect from DMA re-entrancy bugs > + > +Replace qemu_bh_new_guarded() by virtio_bh_new_guarded() > +so the bus and device use the same guard. Otherwise the > +DMA-reentrancy protection can be bypassed. > + > +Fixes: CVE-2024-3446 > +Cc: [email protected] > +Suggested-by: Alexander Bulekov <[email protected]> > +Reviewed-by: Gerd Hoffmann <[email protected]> > +Acked-by: Michael S. Tsirkin <[email protected]> > +Signed-off-by: Philippe Mathieu-Daudé <[email protected]> > +Reviewed-by: Michael S. Tsirkin <[email protected]> > +Message-Id: <[email protected]> > + > +CVE: CVE-2024-3446 > +Upstream-Status: Backport > [https://gitlab.com/qemu-project/qemu/-/commit/b4295bff25f7b50de1d9cc94a9c6effd40056bca] > + > +Signed-off-by: Yogita Urade <[email protected]> > +--- > + hw/char/virtio-serial-bus.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/hw/char/virtio-serial-bus.c b/hw/char/virtio-serial-bus.c > +index f01ec2137..791b7ac59 100644 > +--- a/hw/char/virtio-serial-bus.c > ++++ b/hw/char/virtio-serial-bus.c > +@@ -985,7 +985,7 @@ static void virtser_port_device_realize(DeviceState > *dev, Error **errp) > + return; > + } > + > +- port->bh = qemu_bh_new(flush_queued_data_bh, port); > ++ port->bh = virtio_bh_new_guarded(dev, flush_queued_data_bh, port); > + port->elem = NULL; > + } > + > +-- > +2.40.0 > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2024-3446-0006.patch > b/meta/recipes-devtools/qemu/qemu/CVE-2024-3446-0006.patch > new file mode 100644 > index 0000000000..ad1a8fc202 > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2024-3446-0006.patch > @@ -0,0 +1,42 @@ > +From f4729ec39ad97a42ceaa7b5697f84f440ea6e5dc Mon Sep 17 00:00:00 2001 > +From: Philippe Mathieu-Daudé <[email protected]> > +Date: Tue, 28 May 2024 09:22:58 +0000 > +Subject: [PATCH] hw/virtio/virtio-crypto: Protect from DMA re-entrancy bugs > + > +Replace qemu_bh_new_guarded() by virtio_bh_new_guarded() > +so the bus and device use the same guard. Otherwise the > +DMA-reentrancy protection can be bypassed. > + > +Fixes: CVE-2024-3446 > +Cc: [email protected] > +Suggested-by: Alexander Bulekov <[email protected]> > +Reviewed-by: Gerd Hoffmann <[email protected]> > +Acked-by: Michael S. Tsirkin <[email protected]> > +Signed-off-by: Philippe Mathieu-Daudé <[email protected]> > +Reviewed-by: Michael S. Tsirkin <[email protected]> > +Message-Id: <[email protected]> > + > +CVE: CVE-2024-3446 > +Upstream-Status: Backport > [https://gitlab.com/qemu-project/qemu/-/commit/f4729ec39ad97a42ceaa7b5697f84f440ea6e5dc] > + > +Signed-off-by: Yogita Urade <[email protected]> > +--- > + hw/virtio/virtio-crypto.c | 3 ++- > + 1 file changed, 2 insertions(+), 1 deletion(-) > + > +diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c > +index 274c7b4de..5b0b71008 100644 > +--- a/hw/virtio/virtio-crypto.c > ++++ b/hw/virtio/virtio-crypto.c > +@@ -822,7 +822,8 @@ static void virtio_crypto_device_realize(DeviceState > *dev, Error **errp) > + vcrypto->vqs[i].dataq = > + virtio_add_queue(vdev, 1024, > virtio_crypto_handle_dataq_bh); > + vcrypto->vqs[i].dataq_bh = > +- qemu_bh_new(virtio_crypto_dataq_bh, &vcrypto->vqs[i]); > ++ virtio_bh_new_guarded(dev, virtio_crypto_dataq_bh, > ++ &vcrypto->vqs[i]); > + vcrypto->vqs[i].vcrypto = vcrypto; > + } > + > +-- > +2.40.0 > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2024-3447.patch > b/meta/recipes-devtools/qemu/qemu/CVE-2024-3447.patch > new file mode 100644 > index 0000000000..174011c6b1 > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2024-3447.patch > @@ -0,0 +1,135 @@ > +From: 35a67d2aa8caf8eb0bee7d38515924c95417047e Mon Sep 17 00:00:00 2001 > +From: Philippe Mathieu-Daudé <[email protected]> > +Date: Tue, 28 May 2024 11:04:06 +0000 > +Subject: [PATCH] hw/sd/sdhci: Do not update TRNMOD when Command Inhibit (DAT) > + is set Per "SD Host Controller Standard Specification Version 3.00": > + > + * 2.2.5 Transfer Mode Register (Offset 00Ch) > + > + Writes to this register shall be ignored when the Command > + Inhibit (DAT) in the Present State register is 1. > + > +Do not update the TRNMOD register when Command Inhibit (DAT) > +bit is set to avoid the present-status register going out of > +sync, leading to malicious guest using DMA mode and overflowing > +the FIFO buffer: > + > + $ cat << EOF | qemu-system-i386 \ > + -display none -nographic -nodefaults \ > + -machine accel=qtest -m 512M \ > + -device sdhci-pci,sd-spec-version=3 \ > + -device sd-card,drive=mydrive \ > + -drive > if=none,index=0,file=null-co://,format=raw,id=mydrive \ > + -qtest stdio > + outl 0xcf8 0x80001013 > + outl 0xcfc 0x91 > + outl 0xcf8 0x80001001 > + outl 0xcfc 0x06000000 > + write 0x9100002c 0x1 0x05 > + write 0x91000058 0x1 0x16 > + write 0x91000005 0x1 0x04 > + write 0x91000028 0x1 0x08 > + write 0x16 0x1 0x21 > + write 0x19 0x1 0x20 > + write 0x9100000c 0x1 0x01 > + write 0x9100000e 0x1 0x20 > + write 0x9100000f 0x1 0x00 > + write 0x9100000c 0x1 0x00 > + write 0x91000020 0x1 0x00 > + EOF > + > +Stack trace (part): > +================================================================= > +==89993==ERROR: AddressSanitizer: heap-buffer-overflow on address > +0x615000029900 at pc 0x55d5f885700d bp 0x7ffc1e1e9470 sp 0x7ffc1e1e9468 > +WRITE of size 1 at 0x615000029900 thread T0 > + #0 0x55d5f885700c in sdhci_write_dataport hw/sd/sdhci.c:564:39 > + #1 0x55d5f8849150 in sdhci_write hw/sd/sdhci.c:1223:13 > + #2 0x55d5fa01db63 in memory_region_write_accessor system/memory.c:497:5 > + #3 0x55d5fa01d245 in access_with_adjusted_size system/memory.c:573:18 > + #4 0x55d5fa01b1a9 in memory_region_dispatch_write system/memory.c:1521:16 > + #5 0x55d5fa09f5c9 in flatview_write_continue system/physmem.c:2711:23 > + #6 0x55d5fa08f78b in flatview_write system/physmem.c:2753:12 > + #7 0x55d5fa08f258 in address_space_write system/physmem.c:2860:18 > + ... > +0x615000029900 is located 0 bytes to the right of 512-byte region > +[0x615000029700,0x615000029900) allocated by thread T0 here: > + #0 0x55d5f7237b27 in __interceptor_calloc > + #1 0x7f9e36dd4c50 in g_malloc0 > + #2 0x55d5f88672f7 in sdhci_pci_realize hw/sd/sdhci-pci.c:36:5 > + #3 0x55d5f844b582 in pci_qdev_realize hw/pci/pci.c:2092:9 > + #4 0x55d5fa2ee74b in device_set_realized hw/core/qdev.c:510:13 > + #5 0x55d5fa325bfb in property_set_bool qom/object.c:2358:5 > + #6 0x55d5fa31ea45 in object_property_set qom/object.c:1472:5 > + #7 0x55d5fa332509 in object_property_set_qobject om/qom-qobject.c:28:10 > + #8 0x55d5fa31f6ed in object_property_set_bool qom/object.c:1541:15 > + #9 0x55d5fa2e2948 in qdev_realize hw/core/qdev.c:292:12 > + #10 0x55d5f8eed3f1 in qdev_device_add_from_qdict > system/qdev-monitor.c:719:10 > + #11 0x55d5f8eef7ff in qdev_device_add system/qdev-monitor.c:738:11 > + #12 0x55d5f8f211f0 in device_init_func system/vl.c:1200:11 > + #13 0x55d5fad0877d in qemu_opts_foreach util/qemu-option.c:1135:14 > + #14 0x55d5f8f0df9c in qemu_create_cli_devices system/vl.c:2638:5 > + #15 0x55d5f8f0db24 in qmp_x_exit_preconfig system/vl.c:2706:5 > + #16 0x55d5f8f14dc0 in qemu_init system/vl.c:3737:9 > + ... > +SUMMARY: AddressSanitizer: heap-buffer-overflow hw/sd/sdhci.c:564:39 > +in sdhci_write_dataport > + > +Add assertions to ensure the fifo_buffer[] is not overflowed by > +malicious accesses to the Buffer Data Port register. > + > +Fixes: CVE-2024-3447 > +Cc: [email protected] > +Fixes: d7dfca08 ("hw/sdhci: introduce standard SD host controller") > +Buglink: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58813 > + > +Reported-by: Alexander Bulekov <[email protected]> > +Reported-by: Chuhong Yuan <[email protected]> > +Signed-off-by: Peter Maydell <[email protected]> > +Message-Id: > <CAFEAcA9iLiv1XGTGKeopgMa8Y9+8kvptvsb8z2OBeuy+5=n...@mail.gmail.com> > +Signed-off-by: Philippe Mathieu-Daudé <[email protected]> > +Message-Id: <[email protected]> > + > +CVE: CVE-2024-3447 > +Upstream-Status: Backport > [https://gitlab.com/qemu-project/qemu/-/commit/35a67d2aa8caf8eb0bee7d38515924c95417047e] > + > +Signed-off-by: Yogita Urade <[email protected]> > +--- > + hw/sd/sdhci.c | 8 ++++++++ > + 1 file changed, 8 insertions(+) > + > +diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c > +index e0bbc9034..211daa4bb 100644 > +--- a/hw/sd/sdhci.c > ++++ b/hw/sd/sdhci.c > +@@ -471,6 +471,7 @@ static uint32_t sdhci_read_dataport(SDHCIState *s, > unsigned size) > + } > + > + for (i = 0; i < size; i++) { > ++ assert(s->data_count < s->buf_maxsz); > + value |= s->fifo_buffer[s->data_count] << i * 8; > + s->data_count++; > + /* check if we've read all valid data (blksize bytes) from buffer */ > +@@ -559,6 +560,7 @@ static void sdhci_write_dataport(SDHCIState *s, uint32_t > value, unsigned size) > + } > + > + for (i = 0; i < size; i++) { > ++ assert(s->data_count < s->buf_maxsz); > + s->fifo_buffer[s->data_count] = value & 0xFF; > + s->data_count++; > + value >>= 8; > +@@ -1184,6 +1186,12 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t > val, unsigned size) > + if (!(s->capareg & R_SDHC_CAPAB_SDMA_MASK)) { > + value &= ~SDHC_TRNS_DMA; > + } > ++ > ++ /* TRNMOD writes are inhibited while Command Inhibit (DAT) is true > */ > ++ if (s->prnsts & SDHC_DATA_INHIBIT) { > ++ mask |= 0xffff; > ++ } > ++ > + MASKED_WRITE(s->trnmod, mask, value & SDHC_TRNMOD_MASK); > + MASKED_WRITE(s->cmdreg, mask >> 16, value >> 16); > + > +-- > +2.40.0 > -- > 2.23.0 > > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#201048): https://lists.openembedded.org/g/openembedded-core/message/201048 Mute This Topic: https://lists.openembedded.org/mt/106797289/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
