Re: [OE-core] [PATCH 2/4] qemu: fix CVE-2021-3750
Could you send this one for kirkstone too? You just need to change qemu.inc diff in theory.

Thanks,
Davide
Re: [OE-core] [PATCH 2/4] qemu: fix CVE-2021-3750
This set of patches is for hardknott branch.

On 2022-05-31 18:08, Sakib Sajal wrote:
> Backport appropriate patches to resolve CVE-2021-3750.
> [...]
[OE-core] [PATCH 2/4] qemu: fix CVE-2021-3750
Backport appropriate patches to resolve CVE-2021-3750. Signed-off-by: Sakib Sajal --- meta/recipes-devtools/qemu/qemu.inc | 3 + .../qemu/qemu/CVE-2021-3750_1.patch | 60 +++ .../qemu/qemu/CVE-2021-3750_2.patch | 65 .../qemu/qemu/CVE-2021-3750_3.patch | 156 ++ 4 files changed, 284 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_3.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index aa372810ce..5605ece5bb 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -77,6 +77,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-20196_2.patch \ file://CVE-2021-4145_1.patch \ file://CVE-2021-4145_2.patch \ + file://CVE-2021-3750_1.patch \ + file://CVE-2021-3750_2.patch \ + file://CVE-2021-3750_3.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch new file mode 100644 index 00..8381661886 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch 
@@ -0,0 +1,60 @@ +From d09eb9fc1459f5c8b623f3f2134c3c007b4e6344 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 15 Dec 2021 19:24:19 +0100 +Subject: [PATCH 1/3] hw/intc/arm_gicv3: Check for !MEMTX_OK instead of + MEMTX_ERROR +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Quoting Peter Maydell: + + "These MEMTX_* aren't from the memory transaction + API functions; they're just being used by gicd_readl() and + friends as a way to indicate a success/failure so that the + actual MemoryRegionOps read/write fns like gicv3_dist_read() + can log a guest error." + +We are going to introduce more MemTxResult bits, so it is +safer to check for !MEMTX_OK rather than MEMTX_ERROR. + +Reviewed-by: Peter Xu +Reviewed-by: David Hildenbrand +Reviewed-by: Peter Maydell +Reviewed-by: Stefan Hajnoczi +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: Peter Maydell + +CVE: CVE-2021-3750 +Upstream-Status: Backport [b9d383ab797f54ae5fa8746117770709921dc529] + +Signed-off-by: Sakib Sajal +--- + hw/intc/arm_gicv3_redist.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c +index 8645220d6..44368e285 100644 +--- a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c +@@ -450,7 +450,7 @@ MemTxResult gicv3_redist_read(void *opaque, hwaddr offset, uint64_t *data, + break; + } + +-if (r == MEMTX_ERROR) { ++if (r != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: invalid guest read at offset " TARGET_FMT_plx + "size %u\n", __func__, offset, size); +@@ -507,7 +507,7 @@ MemTxResult gicv3_redist_write(void *opaque, hwaddr offset, uint64_t data, + break; + } + +-if (r == MEMTX_ERROR) { ++if (r != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: invalid guest write at offset " TARGET_FMT_plx + "size %u\n", __func__, offset, size); +-- +2.33.0 + 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch new file mode 100644 index 00..82d2675ab2 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch @@ -0,0 +1,65 @@ +From 13e82fe73aca591cc4160688597515c7fb6f9788 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 15 Dec 2021 19:24:20 +0100 +Subject: [PATCH 2/3] softmmu/physmem: Simplify flatview_write and + address_space_access_valid +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Remove unuseful local 'result' variables. + +Reviewed-by: Peter Xu +Reviewed-by: David Hildenbrand +Reviewed-by: Alexander Bulekov +Reviewed-by: Stefan Hajnoczi +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211215182421.418374-3-phi...@redhat.com> +Signed-off-by: Thomas Huth + +CVE: CVE-2021-3750 +Upstream-Status: Backport [58e74682baf4e1ad26b064d8c02e5bc99c75c5d9] + +Signed-off-by: Sakib Sajal +--- + softmmu/physmem.c | 11 +++ + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/softmmu/physmem.c b/softmmu/physmem.c +index 2cd1de4a2..68612afbd 100644 +--- a/softmmu/physmem.c b/softmmu/physmem.c +@@ -2792,14 +2792,11 @@ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs, + hwaddr l; + hwaddr addr1; + MemoryRegion *mr; +-MemTxResult result =
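Review bot: the qemu.inc hunk and its commit message ("Backport appropriate patches to resolve CVE-2021-3750") never say which of the three new patches is the fix. Of the two patch bodies shown, CVE-2021-3750_1.patch only widens an error check in hw/intc/arm_gicv3_redist.c and CVE-2021-3750_2.patch, by its own description, only removes local 'result' variables in softmmu/physmem.c, so both are prerequisites rather than the fix itself. Please name the upstream commit that closes the CVE (presumably the one behind CVE-2021-3750_3.patch) in the recipe commit message, and mark _1 and _2 as prerequisites in their headers, so the CVE: tag each patch carries can be traced to the change that matters.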
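Review bot: the two hunks in hw/intc/arm_gicv3_redist.c (gicv3_redist_read and gicv3_redist_write) are the whole of the _1 backport (diffstat: 1 file changed), yet the quoted rationale talks about gicd_readl() and gicv3_dist_read(), which are distributor-side functions. If the distributor read/write paths in the hardknott QEMU tree still use `if (r == MEMTX_ERROR)`, they need the same `r != MEMTX_OK` change, otherwise any failure value other than MEMTX_ERROR (which the old condition silently ignored) continues to go unlogged there; if they were already correct or were deliberately left out, please say so in the patch header, since Upstream-Status presents this as a straight backport of b9d383ab797f54ae5fa8746117770709921dc529.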
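Review bot: the flatview_write hunk in softmmu/physmem.c is cut off in this copy right after `-MemTxResult result =`, so only its header can be checked here: the diffstat (3 insertions, 8 deletions) and the description "Remove unuseful local 'result' variables" fit a behaviour-preserving cleanup, but since the function's return value is what callers act on, please confirm that dropping the local does not change what flatview_write (and address_space_access_valid, also named in the subject) returns, and that the hunk applies at -2792 in hardknott's tree without fuzz.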
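The first patch's rationale ("We are going to introduce more MemTxResult bits, so it is safer to check for !MEMTX_OK rather than MEMTX_ERROR") is easy to see in miniature. The following is an added example, not QEMU code and not part of this series: it models the MemTxResult bitmask and a toy register frame, and shows which failures the old `r == MEMTX_ERROR` test misses. The MEMTX_* values follow my reading of QEMU's include/exec/memattrs.h; MEMTX_ACCESS_ERROR is the extra bit I understand the upstream series adds and is an assumption here (it does not appear on this page), as are the toy frame layout and the OR-accumulation of per-piece results.

```c
/*
 * Added example: not QEMU code and not part of the patch series on this
 * page. It models QEMU's MemTxResult bitmask to show why the first patch
 * replaces "r == MEMTX_ERROR" with "r != MEMTX_OK". The MEMTX_* values
 * follow my reading of include/exec/memattrs.h; MEMTX_ACCESS_ERROR is the
 * extra bit the series adds and is an assumption here, as is the toy
 * register frame below.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t MemTxResult;

#define MEMTX_OK            0U
#define MEMTX_ERROR         (1U << 0)   /* device returned an error */
#define MEMTX_DECODE_ERROR  (1U << 1)   /* nothing at that address */
#define MEMTX_ACCESS_ERROR  (1U << 2)   /* access denied (assumed) */

/* The condition the patch removes: only the exact value MEMTX_ERROR counts. */
static bool old_check_logs_error(MemTxResult r)
{
    return r == MEMTX_ERROR;
}

/* The condition the patch introduces: anything that is not MEMTX_OK counts. */
static bool new_check_logs_error(MemTxResult r)
{
    return r != MEMTX_OK;
}

/*
 * Constructed stand-in for a redistributor register frame: 0x100 bytes of
 * 32-bit registers. Reading the write-only register at 0xFC fails with
 * MEMTX_ERROR; anything at or past 0x100 is unmapped (MEMTX_DECODE_ERROR).
 */
#define TOY_FRAME_SIZE  0x100
#define TOY_WRONLY_REG  0xFC

static MemTxResult toy_read_one(uint64_t offset, uint32_t *val)
{
    if (offset >= TOY_FRAME_SIZE) {
        return MEMTX_DECODE_ERROR;
    }
    if (offset == TOY_WRONLY_REG) {
        return MEMTX_ERROR;
    }
    *val = (uint32_t)(0xA5000000U | offset);
    return MEMTX_OK;
}

/*
 * A 4- or 8-byte access is split into 32-bit pieces and the per-piece
 * results are ORed together, mirroring how QEMU's flatview_read/write
 * accumulate "result |= ..." across a split access. One access can thus
 * carry two failure bits at once, a value that "== MEMTX_ERROR" never matches.
 */
static MemTxResult toy_read(uint64_t offset, unsigned size, uint64_t *data)
{
    MemTxResult result = MEMTX_OK;
    uint64_t acc = 0;

    for (unsigned done = 0; done < size; done += 4) {
        uint32_t v = 0;
        result |= toy_read_one(offset + done, &v);
        acc |= (uint64_t)v << (8 * done);
    }
    *data = acc;
    return result;
}

/* Status-only wrapper for callers (and tests) that ignore the data. */
static MemTxResult toy_read_status(uint64_t offset, unsigned size)
{
    uint64_t unused;
    return toy_read(offset, size, &unused);
}

int main(void)
{
    const struct { uint64_t off; unsigned size; } cases[] = {
        { 0x00, 4 }, { 0xFC, 4 }, { 0x200, 4 }, { 0xFC, 8 },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        MemTxResult r = toy_read_status(cases[i].off, cases[i].size);
        printf("offset 0x%03llx size %u -> result %u, old check logs: %s, new check logs: %s\n",
               (unsigned long long)cases[i].off, cases[i].size, (unsigned)r,
               old_check_logs_error(r) ? "yes" : "no",
               new_check_logs_error(r) ? "yes" : "no");
    }
    return 0;
}
```

The unmapped read at 0x200 and the 8-byte read at 0xFC (which ORs MEMTX_ERROR with MEMTX_DECODE_ERROR) are both guest errors that the old condition would never log, while the new one catches every non-zero status, including bits that did not exist when the check was written.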