Re: [OE-core][mickledore][PATCH 2/2] qemu: fix CVE-2023-0330
Hi Steve,

Same patch I've submitted for dunfell. Please revert it, if it is failing.

Thanks & Regards,
Vijay

On Fri, Sep 15, 2023 at 8:56 PM Steve Sakoman wrote:
> On Wed, Sep 13, 2023 at 4:44 AM Steve Sakoman via lists.openembedded.org wrote:
> >
> > Unfortunately this change breaks the qemux86 and qemux86-64 tests on
> > the autobuilder:
>
> The versions of this patch for both mickledore and kirkstone break
> qemux86 and qemux86-64 in the same way, so I can't take the patch for
> either branch.
>
> Steve
>
> > https://errors.yoctoproject.org/Errors/Details/736394/
> > https://errors.yoctoproject.org/Errors/Details/736395/
> >
> > In both cases:
> >
> > Failed: qemux86-64 does not shutdown within timeout(120)
> >
> > There was recently an issue fixed in the master branch where x86 was
> > broken after a version upgrade:
> >
> > https://git.openembedded.org/openembedded-core/commit/?id=3d3fa94ee6d7ea58e3ec64d28bd6414437806cfd
> >
> > Not sure if it is related, since the commit message indicates "won't
> > boot" as the symptom and this appears to be a shutdown issue. Perhaps
> > Richard can comment.
> >
> > Steve
> >
> > On Tue, Sep 12, 2023 at 10:02 PM Urade, Yogita via lists.openembedded.org wrote:
> > >
> > > From: Yogita Urade
> > >
> > > A DMA-MMIO reentrancy problem may lead to memory corruption bugs
> > > like stack overflow or use-after-free.
> > >
> > > Summary of the problem from Peter Maydell:
> > > https://lore.kernel.org/qemu-devel/cafeaca_23vc7he3iam-jva6w38lk4hjowae5kcknhprd5fp...@mail.gmail.com
> > >
> > > Reference:
> > > https://gitlab.com/qemu-project/qemu/-/issues/556
> > >
> > > qemu.git$ git log --no-merges --oneline --grep CVE-2023-0330
> > > b987718bbb hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller (CVE-2023-0330)
> > > a2e1753b80 memory: prevent dma-reentracy issues
> > >
> > > Included second commit as well as commit log of a2e1753b80 says it
> > > resolves CVE-2023-0330
> > > > > > Signed-off-by: Yogita Urade > > > --- > > > meta/recipes-devtools/qemu/qemu.inc | 3 +- > > > ...23-0330.patch => CVE-2023-0330-0001.patch} | 0 > > > .../qemu/qemu/CVE-2023-0330-0002.patch| 136 ++ > > > 3 files changed, 138 insertions(+), 1 deletion(-) > > > rename meta/recipes-devtools/qemu/qemu/{CVE-2023-0330.patch => > CVE-2023-0330-0001.patch} (100%) > > > create mode 100644 > meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0002.patch > > > > > > diff --git a/meta/recipes-devtools/qemu/qemu.inc > b/meta/recipes-devtools/qemu/qemu.inc > > > index 2efe63cdc0..1a50e4d524 100644 > > > --- a/meta/recipes-devtools/qemu/qemu.inc > > > +++ b/meta/recipes-devtools/qemu/qemu.inc > > > @@ -36,7 +36,8 @@ SRC_URI = " > https://download.qemu.org/${BPN}-${PV}.tar.xz \ > > > file://qemu-guest-agent.init \ > > > file://qemu-guest-agent.udev \ > > > file://ppc.patch \ > > > - file://CVE-2023-0330.patch \ > > > + file://CVE-2023-0330-0001.patch \ > > > + file://CVE-2023-0330-0002.patch \ > > >file://CVE-2023-3301.patch \ > > >file://CVE-2023-3255.patch \ > > >file://CVE-2023-2861.patch \ > > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch > b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0001.patch > > > similarity index 100% > > > rename from meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch > > > rename to meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0001.patch > > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0002.patch > b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0002.patch > > > new file mode 100644 > > > index 00..a21b01bd25 > > > --- /dev/null > > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0002.patch 
> > > @@ -0,0 +1,136 @@ > > > +From a2e1753b8054344f32cf94f31c6399a58794a380 Mon Sep 17 00:00:00 2001 > > > +From: Alexander Bulekov > > > +Date: Tue, 12 Sep 2023 10:49:46 + > > > +Subject: [PATCH] memory: prevent dma-reentracy issues > > > + > > > +Add a flag to the DeviceState, when a device is engaged in > PIO/MMIO/DMA. > > > +This flag is set/checked prior to calling a device's MemoryRegion > > > +handlers, and set when device code initiates DMA. The purpose of this > > > +flag is to prevent two types of DMA-based reentrancy issues: > > > + > > > +1.) mmio -> dma -> mmio case > > > +2.) bh -> dma write -> mmio case > > > + > > > +These issues have led to problems such as stack-exhaustion and > > > +use-after-frees. > > > + > > > +Summary of the problem from Peter Maydell: > > > + > https://lore.kernel.org/qemu-devel/cafeaca_23vc7he3iam-jva6w38lk4hjowae5kcknhprd5fp...@mail.gmail.com > > > + > > > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/62 > > > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/540 > > > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/541 > > > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/556 > > >
Re: [OE-core][mickledore][PATCH 2/2] qemu: fix CVE-2023-0330
On Wed, Sep 13, 2023 at 4:44 AM Steve Sakoman via lists.openembedded.org wrote:
>
> Unfortunately this change breaks the qemux86 and qemux86-64 tests on
> the autobuilder:

The versions of this patch for both mickledore and kirkstone break
qemux86 and qemux86-64 in the same way, so I can't take the patch for
either branch.

Steve

> https://errors.yoctoproject.org/Errors/Details/736394/
> https://errors.yoctoproject.org/Errors/Details/736395/
>
> In both cases:
>
> Failed: qemux86-64 does not shutdown within timeout(120)
>
> There was recently an issue fixed in the master branch where x86 was
> broken after a version upgrade:
>
> https://git.openembedded.org/openembedded-core/commit/?id=3d3fa94ee6d7ea58e3ec64d28bd6414437806cfd
>
> Not sure if it is related, since the commit message indicates "won't
> boot" as the symptom and this appears to be a shutdown issue. Perhaps
> Richard can comment.
>
> Steve
>
> On Tue, Sep 12, 2023 at 10:02 PM Urade, Yogita via lists.openembedded.org wrote:
> >
> > From: Yogita Urade
> >
> > A DMA-MMIO reentrancy problem may lead to memory corruption bugs
> > like stack overflow or use-after-free.
> >
> > Summary of the problem from Peter Maydell:
> > https://lore.kernel.org/qemu-devel/cafeaca_23vc7he3iam-jva6w38lk4hjowae5kcknhprd5fp...@mail.gmail.com
> >
> > Reference:
> > https://gitlab.com/qemu-project/qemu/-/issues/556
> >
> > qemu.git$ git log --no-merges --oneline --grep CVE-2023-0330
> > b987718bbb hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller
> > (CVE-2023-0330)
> > a2e1753b80 memory: prevent dma-reentracy issues
> >
> > Included second commit as well as commit log of a2e1753b80 says it
> > resolves CVE-2023-0330
> > > > Signed-off-by: Yogita Urade > > --- > > meta/recipes-devtools/qemu/qemu.inc | 3 +- > > ...23-0330.patch => CVE-2023-0330-0001.patch} | 0 > > .../qemu/qemu/CVE-2023-0330-0002.patch| 136 ++ > > 3 files changed, 138 insertions(+), 1 deletion(-) > > rename meta/recipes-devtools/qemu/qemu/{CVE-2023-0330.patch => > > CVE-2023-0330-0001.patch} (100%) > > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0002.patch > > > > diff --git a/meta/recipes-devtools/qemu/qemu.inc > > b/meta/recipes-devtools/qemu/qemu.inc > > index 2efe63cdc0..1a50e4d524 100644 > > --- a/meta/recipes-devtools/qemu/qemu.inc > > +++ b/meta/recipes-devtools/qemu/qemu.inc > > @@ -36,7 +36,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ > > file://qemu-guest-agent.init \ > > file://qemu-guest-agent.udev \ > > file://ppc.patch \ > > - file://CVE-2023-0330.patch \ > > + file://CVE-2023-0330-0001.patch \ > > + file://CVE-2023-0330-0002.patch \ > >file://CVE-2023-3301.patch \ > >file://CVE-2023-3255.patch \ > >file://CVE-2023-2861.patch \ > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch > > b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0001.patch > > similarity index 100% > > rename from meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch > > rename to meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0001.patch > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0002.patch > > b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0002.patch > > new file mode 100644 > > index 00..a21b01bd25 > > --- /dev/null > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0002.patch 
> > @@ -0,0 +1,136 @@ > > +From a2e1753b8054344f32cf94f31c6399a58794a380 Mon Sep 17 00:00:00 2001 > > +From: Alexander Bulekov > > +Date: Tue, 12 Sep 2023 10:49:46 + > > +Subject: [PATCH] memory: prevent dma-reentracy issues > > + > > +Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA. > > +This flag is set/checked prior to calling a device's MemoryRegion > > +handlers, and set when device code initiates DMA. The purpose of this > > +flag is to prevent two types of DMA-based reentrancy issues: > > + > > +1.) mmio -> dma -> mmio case > > +2.) bh -> dma write -> mmio case > > + > > +These issues have led to problems such as stack-exhaustion and > > +use-after-frees. > > + > > +Summary of the problem from Peter Maydell: > > +https://lore.kernel.org/qemu-devel/cafeaca_23vc7he3iam-jva6w38lk4hjowae5kcknhprd5fp...@mail.gmail.com > > + > > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/62 > > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/540 > > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/541 > > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/556 > > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/557 > > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/827 > > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282 > > +Resolves: CVE-2023-0330 > > + > > +Signed-off-by: Alexander Bulekov > > +Reviewed-by: Thomas Huth > > +Message-Id: <20230427211013.2994127-2-alx...@bu.edu> > > +[thuth: Replace
Re: [OE-core][mickledore][PATCH 2/2] qemu: fix CVE-2023-0330
Unfortunately this change breaks the qemux86 and qemux86-64 tests on
the autobuilder:

https://errors.yoctoproject.org/Errors/Details/736394/
https://errors.yoctoproject.org/Errors/Details/736395/

In both cases:

Failed: qemux86-64 does not shutdown within timeout(120)

There was recently an issue fixed in the master branch where x86 was
broken after a version upgrade:

https://git.openembedded.org/openembedded-core/commit/?id=3d3fa94ee6d7ea58e3ec64d28bd6414437806cfd

Not sure if it is related, since the commit message indicates "won't
boot" as the symptom and this appears to be a shutdown issue. Perhaps
Richard can comment.

Steve

On Tue, Sep 12, 2023 at 10:02 PM Urade, Yogita via lists.openembedded.org wrote:
>
> From: Yogita Urade
>
> A DMA-MMIO reentrancy problem may lead to memory corruption bugs
> like stack overflow or use-after-free.
>
> Summary of the problem from Peter Maydell:
> https://lore.kernel.org/qemu-devel/cafeaca_23vc7he3iam-jva6w38lk4hjowae5kcknhprd5fp...@mail.gmail.com
>
> Reference:
> https://gitlab.com/qemu-project/qemu/-/issues/556
>
> qemu.git$ git log --no-merges --oneline --grep CVE-2023-0330
> b987718bbb hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller
> (CVE-2023-0330)
> a2e1753b80 memory: prevent dma-reentracy issues
>
> Included second commit as well as commit log of a2e1753b80 says it
> resolves CVE-2023-0330
>
> Signed-off-by: Yogita Urade
> ---
> meta/recipes-devtools/qemu/qemu.inc | 3 +-
> ...23-0330.patch => CVE-2023-0330-0001.patch} | 0
> .../qemu/qemu/CVE-2023-0330-0002.patch| 136 ++
> 3 files changed, 138 insertions(+), 1 deletion(-)
> rename meta/recipes-devtools/qemu/qemu/{CVE-2023-0330.patch => CVE-2023-0330-0001.patch} (100%)
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0002.patch
>
> diff --git a/meta/recipes-devtools/qemu/qemu.inc > b/meta/recipes-devtools/qemu/qemu.inc > index 2efe63cdc0..1a50e4d524 100644 > --- a/meta/recipes-devtools/qemu/qemu.inc
> +++ b/meta/recipes-devtools/qemu/qemu.inc > @@ -36,7 +36,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ > file://qemu-guest-agent.init \ > file://qemu-guest-agent.udev \ > file://ppc.patch \ > - file://CVE-2023-0330.patch \ > + file://CVE-2023-0330-0001.patch \ > + file://CVE-2023-0330-0002.patch \ >file://CVE-2023-3301.patch \ >file://CVE-2023-3255.patch \ >file://CVE-2023-2861.patch \ > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch > b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0001.patch > similarity index 100% > rename from meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch > rename to meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0001.patch > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0002.patch > b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0002.patch > new file mode 100644 > index 00..a21b01bd25 > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0002.patch 
> @@ -0,0 +1,136 @@ > +From a2e1753b8054344f32cf94f31c6399a58794a380 Mon Sep 17 00:00:00 2001 > +From: Alexander Bulekov > +Date: Tue, 12 Sep 2023 10:49:46 + > +Subject: [PATCH] memory: prevent dma-reentracy issues > + > +Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA. > +This flag is set/checked prior to calling a device's MemoryRegion > +handlers, and set when device code initiates DMA. The purpose of this > +flag is to prevent two types of DMA-based reentrancy issues: > + > +1.) mmio -> dma -> mmio case > +2.) bh -> dma write -> mmio case > + > +These issues have led to problems such as stack-exhaustion and > +use-after-frees. > + > +Summary of the problem from Peter Maydell: > +https://lore.kernel.org/qemu-devel/cafeaca_23vc7he3iam-jva6w38lk4hjowae5kcknhprd5fp...@mail.gmail.com > + > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/62 > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/540 > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/541 > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/556 > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/557 > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/827 > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282 > +Resolves: CVE-2023-0330 > + > +Signed-off-by: Alexander Bulekov > +Reviewed-by: Thomas Huth > +Message-Id: <20230427211013.2994127-2-alx...@bu.edu> > +[thuth: Replace warn_report() with warn_report_once()] > +Signed-off-by: Thomas Huth > + > +CVE: CVE-2023-0330 > + > +Upstream-Status: Backport > [https://gitlab.com/qemu-project/qemu/-/commit/a2e1753b8054344f32cf94f31c6399a58794a380] > + > +Signed-off-by: Yogita Urade > +--- > + include/exec/memory.h | 5 + > + include/hw/qdev-core.h | 7 +++ > + softmmu/memory.c | 16 > + 3 files changed, 28 insertions(+) > + > +diff --git a/include/exec/memory.h
[OE-core][mickledore][PATCH 2/2] qemu: fix CVE-2023-0330
From: Yogita Urade

A DMA-MMIO reentrancy problem may lead to memory corruption bugs
like stack overflow or use-after-free.

Summary of the problem from Peter Maydell:
https://lore.kernel.org/qemu-devel/cafeaca_23vc7he3iam-jva6w38lk4hjowae5kcknhprd5fp...@mail.gmail.com

Reference:
https://gitlab.com/qemu-project/qemu/-/issues/556

qemu.git$ git log --no-merges --oneline --grep CVE-2023-0330
b987718bbb hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller (CVE-2023-0330)
a2e1753b80 memory: prevent dma-reentracy issues

Included second commit as well as commit log of a2e1753b80 says it
resolves CVE-2023-0330

Signed-off-by: Yogita Urade
---
 meta/recipes-devtools/qemu/qemu.inc | 3 +-
 ...23-0330.patch => CVE-2023-0330-0001.patch} | 0
 .../qemu/qemu/CVE-2023-0330-0002.patch| 136 ++
 3 files changed, 138 insertions(+), 1 deletion(-)
 rename meta/recipes-devtools/qemu/qemu/{CVE-2023-0330.patch => CVE-2023-0330-0001.patch} (100%)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0002.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 2efe63cdc0..1a50e4d524 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -36,7 +36,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://qemu-guest-agent.init \ file://qemu-guest-agent.udev \ file://ppc.patch \ - file://CVE-2023-0330.patch \ + file://CVE-2023-0330-0001.patch \ + file://CVE-2023-0330-0002.patch \ file://CVE-2023-3301.patch \ file://CVE-2023-3255.patch \ file://CVE-2023-2861.patch \ diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0001.patch similarity index 100% rename from meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch rename to meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0001.patch
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0002.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0002.patch new file mode 100644 index 00..a21b01bd25 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0002.patch 
@@ -0,0 +1,136 @@ +From a2e1753b8054344f32cf94f31c6399a58794a380 Mon Sep 17 00:00:00 2001 +From: Alexander Bulekov +Date: Tue, 12 Sep 2023 10:49:46 + +Subject: [PATCH] memory: prevent dma-reentracy issues + +Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA. +This flag is set/checked prior to calling a device's MemoryRegion +handlers, and set when device code initiates DMA. The purpose of this +flag is to prevent two types of DMA-based reentrancy issues: + +1.) mmio -> dma -> mmio case +2.) bh -> dma write -> mmio case + +These issues have led to problems such as stack-exhaustion and +use-after-frees. + +Summary of the problem from Peter Maydell: +https://lore.kernel.org/qemu-devel/cafeaca_23vc7he3iam-jva6w38lk4hjowae5kcknhprd5fp...@mail.gmail.com + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/62 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/540 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/541 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/556 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/557 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/827 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282 +Resolves: CVE-2023-0330 + +Signed-off-by: Alexander Bulekov +Reviewed-by: Thomas Huth +Message-Id: <20230427211013.2994127-2-alx...@bu.edu> +[thuth: Replace warn_report() with warn_report_once()] +Signed-off-by: Thomas Huth + +CVE: CVE-2023-0330 + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/a2e1753b8054344f32cf94f31c6399a58794a380] + +Signed-off-by: Yogita Urade +--- + include/exec/memory.h | 5 + + include/hw/qdev-core.h | 7 +++ + softmmu/memory.c | 16 + 3 files changed, 28 insertions(+) + +diff --git a/include/exec/memory.h b/include/exec/memory.h +index 91f8a2395..124628ada 100644 +--- a/include/exec/memory.h b/include/exec/memory.h +@@ -741,6 +741,8 @@ struct MemoryRegion { + bool is_iommu; + RAMBlock *ram_block; + Object *owner; ++/* owner as 
TYPE_DEVICE. Used for re-entrancy checks in MR access hotpath */ ++DeviceState *dev; + + const MemoryRegionOps *ops; + void *opaque; +@@ -765,6 +767,9 @@ struct MemoryRegion { + unsigned ioeventfd_nb; + MemoryRegionIoeventfd *ioeventfds; + RamDiscardManager *rdm; /* Only for RAM */ ++ ++/* For devices designed to perform re-entrant IO into their own IO MRs */ ++bool disable_reentrancy_guard; + }; + + struct IOMMUMemoryRegion { +diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h +index 785dd5a56..886f6bb79 100644 +--- a/include/hw/qdev-core.h b/include/hw/qdev-core.h +@@ -162,6 +162,10 @@ struct NamedClockList { +
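Review bot: The SRC_URI hunk in meta/recipes-devtools/qemu/qemu.inc adds CVE-2023-0330-0002.patch (the generic guard from a2e1753b80) on top of the device-specific fix in CVE-2023-0330-0001.patch (b987718bbb), and the commit message justifies that only by the upstream log saying "Resolves: CVE-2023-0330". The guard is not a contained fix: it changes the dispatch path for every device's MemoryRegion accesses, which is a large behavioural change for a stable branch, and the autobuilder results in this thread ("qemux86-64 does not shutdown within timeout(120)" on both qemux86 and qemux86-64) show it is not benign for the x86 machines built here. Suggest either dropping the 0002 patch and keeping the LSI-specific 0001 patch as the CVE-2023-0330 fix, or, if the guard is wanted on mickledore and kirkstone, backporting it together with whatever upstream follow-ups set disable_reentrancy_guard for devices that need re-entrant IO (the comment on the new field says that is what it is for), and running the qemux86/qemux86-64 runtime tests before resubmitting.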
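Review bot: In the new CVE-2023-0330-0002.patch hunk, the guard refuses a MemoryRegion access whenever the owning DeviceState is already engaged in IO, and the only opt-out is the new MemoryRegion field `bool disable_reentrancy_guard;`, which nothing in this backport sets for any device; a device whose normal operation re-enters its own IO region will therefore have those accesses refused, with only one diagnostic because of the `[thuth: Replace warn_report() with warn_report_once()]` change. The shutdown timeout on qemux86/qemux86-64 is consistent with that, so the qemu stderr/console log from the failing autobuilder runs (Errors/Details/736394 and 736395) should be checked for that one-time warning, which names the device that needs the opt-out. One smaller point: the embedded patch header carries `Date: Tue, 12 Sep 2023 10:49:46` rather than the upstream commit's date, i.e. the header was regenerated when the backport was prepared; Upstream-Status records the upstream hash so the provenance is still clear, but keeping the original header makes the file diff cleanly against upstream.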
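To make the mechanism in the embedded commit message concrete (a per-device flag set around MMIO dispatch and around device-initiated DMA, with `disable_reentrancy_guard` as the opt-out), here is a self-contained model added by the editor. It is not QEMU's code and not part of this patch or thread. Everything in it is constructed: the address map, the register layout, the field name `engaged_in_io`, the `STACK_LIMIT` that stands in for real stack exhaustion, and the two scenario functions. Only `disable_reentrancy_guard` and the two cases the commit message lists (`mmio -> dma -> mmio` and `bh -> dma write -> mmio`) are taken from the patch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the DMA re-entrancy guard, not QEMU code. Invented
 * address map: guest RAM at [0, RAM_SIZE), one device MMIO window at MMIO_BASE. */
#define RAM_SIZE    0x1000u
#define MMIO_BASE   0x1000u
#define MMIO_SIZE   0x10u
#define STACK_LIMIT 32   /* nesting depth at which the model declares the stack exhausted */

enum { REG_DMA_TRIGGER = 0, REG_DMA_DST = 1 };   /* invented register layout */
typedef enum { ACCESS_OK = 0, ACCESS_REFUSED = 1 } AccessResult;

typedef struct Device {
    const char *name;
    bool engaged_in_io;            /* per-device flag the patch adds (field name assumed) */
    bool disable_reentrancy_guard; /* opt-out field visible in the patch's MemoryRegion hunk */
    int handler_depth, max_depth;  /* current and deepest nesting of the MMIO handler */
    int refused;                   /* accesses the guard turned away */
    bool warned;                   /* warn_report_once() analogue */
    bool stack_exhausted;          /* nesting reached STACK_LIMIT: a real device would crash */
    uint32_t regs[MMIO_SIZE / 4];
} Device;

static uint8_t guest_ram[RAM_SIZE];
static AccessResult mmio_dispatch(Device *d, uint32_t offset, uint32_t val);

/* DMA issued by device code: the initiator stays marked as engaged for the
 * duration, so a transfer landing back in its own MMIO window meets the guard. */
static void dma_write(Device *initiator, uint32_t paddr, uint32_t val)
{
    bool was_engaged = initiator->engaged_in_io;
    initiator->engaged_in_io = true;
    if (paddr >= MMIO_BASE && paddr < MMIO_BASE + MMIO_SIZE) {
        mmio_dispatch(initiator, paddr - MMIO_BASE, val);
    } else if (paddr + sizeof val <= RAM_SIZE) {
        memcpy(&guest_ram[paddr], &val, sizeof val);
    }
    initiator->engaged_in_io = was_engaged;
}

/* The device's write handler: writing REG_DMA_TRIGGER DMAs the value to the address
 * in REG_DMA_DST; aiming REG_DMA_DST at the trigger register gives mmio -> dma -> mmio. */
static void device_write_handler(Device *d, uint32_t offset, uint32_t val)
{
    uint32_t reg = offset / 4;
    d->handler_depth++;
    if (d->handler_depth > d->max_depth) d->max_depth = d->handler_depth;
    if (d->handler_depth >= STACK_LIMIT) {
        d->stack_exhausted = true;            /* unbounded recursion would overflow the stack */
    } else if (reg == REG_DMA_TRIGGER) {
        dma_write(d, d->regs[REG_DMA_DST], val);
    } else if (reg < MMIO_SIZE / 4) {
        d->regs[reg] = val;
    }
    d->handler_depth--;
}

/* MemoryRegion dispatch with the guard: refuse the access when the owning device
 * is already engaged in IO, unless that device has opted out. */
static AccessResult mmio_dispatch(Device *d, uint32_t offset, uint32_t val)
{
    if (!d->disable_reentrancy_guard && d->engaged_in_io) {
        if (!d->warned) fprintf(stderr, "Blocked re-entrant IO on MemoryRegion of %s\n", d->name);
        d->warned = true;
        d->refused++;
        return ACCESS_REFUSED;
    }
    bool was_engaged = d->engaged_in_io;
    d->engaged_in_io = true;
    device_write_handler(d, offset, val);
    d->engaged_in_io = was_engaged;
    return ACCESS_OK;
}

/* Case 1 (mmio -> dma -> mmio): the guest aims the DMA destination at the
 * device's own trigger register, then fires the trigger. */
Device run_mmio_dma_mmio(bool guard_enabled)
{
    Device d = { .name = "mmio-demo", .disable_reentrancy_guard = !guard_enabled };
    mmio_dispatch(&d, REG_DMA_DST * 4, MMIO_BASE + REG_DMA_TRIGGER * 4);
    mmio_dispatch(&d, REG_DMA_TRIGGER * 4, 0x42);
    return d;
}

/* Case 2 (bh -> dma write -> mmio): device code running outside any MMIO handler,
 * as a bottom half would, issues a DMA whose destination is its own window. */
Device run_bh_dma_mmio(bool guard_enabled)
{
    Device d = { .name = "bh-demo", .disable_reentrancy_guard = !guard_enabled };
    dma_write(&d, MMIO_BASE + REG_DMA_DST * 4, 0x1234);
    return d;
}

int main(void)
{
    Device g = run_mmio_dma_mmio(true), u = run_mmio_dma_mmio(false);
    printf("guarded: max depth %d, refused %d; guard disabled: max depth %d, stack exhausted %d\n",
           g.max_depth, g.refused, u.max_depth, u.stack_exhausted);
    return 0;
}
```

With the guard on, `run_mmio_dma_mmio(true)` returns a device whose handler never nested beyond depth 1 and whose re-entrant access was refused exactly once; with `disable_reentrancy_guard` set, the same two guest writes nest until `STACK_LIMIT`, which is the stack-exhaustion outcome the commit message refers to. The bottom-half case shows why the flag is also set when device code initiates DMA: the destination is guest-controlled, so a deferred transfer that lands in the device's own window is refused as well. It also shows the cost the thread is running into: a device whose legitimate path re-enters its own region has those accesses refused unless it sets `disable_reentrancy_guard`, which is the opt-out the patch adds for that situation.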