Re: [OE-core] [PATCH 2/4] qemu: fix CVE-2021-3750

2022-06-01 Thread Davide Gardenal
Could you send this one for kirkstone too?
You just need to change qemu.inc diff in theory.

Thanks,
Davide




Re: [OE-core] [PATCH 2/4] qemu: fix CVE-2021-3750

2022-05-31 Thread Sakib Sajal

This set of patches is for hardknott branch.

On 2022-05-31 18:08, Sakib Sajal wrote:

Backport appropriate patches to resolve CVE-2021-3750.

Signed-off-by: Sakib Sajal 
---
  meta/recipes-devtools/qemu/qemu.inc   |   3 +
  .../qemu/qemu/CVE-2021-3750_1.patch   |  60 +++
  .../qemu/qemu/CVE-2021-3750_2.patch   |  65 
  .../qemu/qemu/CVE-2021-3750_3.patch   | 156 ++
  4 files changed, 284 insertions(+)
  create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch
  create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch
  create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_3.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index aa372810ce..5605ece5bb 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -77,6 +77,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://CVE-2021-20196_2.patch \
 file://CVE-2021-4145_1.patch \
 file://CVE-2021-4145_2.patch \
+   file://CVE-2021-3750_1.patch \
+   file://CVE-2021-3750_2.patch \
+   file://CVE-2021-3750_3.patch \
 "
  UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
  
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch

new file mode 100644
index 00..8381661886
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch
@@ -0,0 +1,60 @@
+From d09eb9fc1459f5c8b623f3f2134c3c007b4e6344 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= 
+Date: Wed, 15 Dec 2021 19:24:19 +0100
+Subject: [PATCH 1/3] hw/intc/arm_gicv3: Check for !MEMTX_OK instead of
+ MEMTX_ERROR
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Quoting Peter Maydell:
+
+ "These MEMTX_* aren't from the memory transaction
+  API functions; they're just being used by gicd_readl() and
+  friends as a way to indicate a success/failure so that the
+  actual MemoryRegionOps read/write fns like gicv3_dist_read()
+  can log a guest error."
+
+We are going to introduce more MemTxResult bits, so it is
+safer to check for !MEMTX_OK rather than MEMTX_ERROR.
+
+Reviewed-by: Peter Xu 
+Reviewed-by: David Hildenbrand 
+Reviewed-by: Peter Maydell 
+Reviewed-by: Stefan Hajnoczi 
+Signed-off-by: Philippe Mathieu-Daudé 
+Signed-off-by: Peter Maydell 
+
+CVE: CVE-2021-3750
+Upstream-Status: Backport [b9d383ab797f54ae5fa8746117770709921dc529]
+
+Signed-off-by: Sakib Sajal 
+---
+ hw/intc/arm_gicv3_redist.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c
+index 8645220d6..44368e285 100644
+--- a/hw/intc/arm_gicv3_redist.c
 b/hw/intc/arm_gicv3_redist.c
+@@ -450,7 +450,7 @@ MemTxResult gicv3_redist_read(void *opaque, hwaddr offset, 
uint64_t *data,
+ break;
+ }
+
+-if (r == MEMTX_ERROR) {
++if (r != MEMTX_OK) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+   "%s: invalid guest read at offset " TARGET_FMT_plx
+   "size %u\n", __func__, offset, size);
+@@ -507,7 +507,7 @@ MemTxResult gicv3_redist_write(void *opaque, hwaddr 
offset, uint64_t data,
+ break;
+ }
+
+-if (r == MEMTX_ERROR) {
++if (r != MEMTX_OK) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+   "%s: invalid guest write at offset " TARGET_FMT_plx
+   "size %u\n", __func__, offset, size);
+--
+2.33.0
+
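Review bot: The log format string in the context lines of both embedded hunks, `"%s: invalid guest read at offset " TARGET_FMT_plx` followed directly by `"size %u\n"` (and the same for the write path), has no space before "size", so the offset and the size label run together in the LOG_GUEST_ERROR output. With `if (r != MEMTX_OK)` this line is now reached for every non-OK result rather than only MEMTX_ERROR. Keep the backport identical to upstream, and raise the missing separator there.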
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch
new file mode 100644
index 00..82d2675ab2
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch
@@ -0,0 +1,65 @@
+From 13e82fe73aca591cc4160688597515c7fb6f9788 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= 
+Date: Wed, 15 Dec 2021 19:24:20 +0100
+Subject: [PATCH 2/3] softmmu/physmem: Simplify flatview_write and
+ address_space_access_valid
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Remove unuseful local 'result' variables.
+
+Reviewed-by: Peter Xu 
+Reviewed-by: David Hildenbrand 
+Reviewed-by: Alexander Bulekov 
+Reviewed-by: Stefan Hajnoczi 
+Signed-off-by: Philippe Mathieu-Daudé 
+Message-Id: <20211215182421.418374-3-phi...@redhat.com>
+Signed-off-by: Thomas Huth 
+
+CVE: CVE-2021-3750
+Upstream-Status: Backport [58e74682baf4e1ad26b064d8c02e5bc99c75c5d9]
+
+Signed-off-by: Sakib Sajal 
+---
+ softmmu/physmem.c | 11 +++
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/softmmu/physmem.c b/softmmu/physmem.c
+index 2cd1de4a2..68612afbd 100644
+--- a/softmmu/physmem.c
 b/softmmu/physmem.c
+@@ -2792,14 +2792,11 @@ static MemTxResult flatview_write(FlatView *fv, hwaddr 
addr, 

[OE-core] [PATCH 2/4] qemu: fix CVE-2021-3750

2022-05-31 Thread Sakib Sajal
Backport appropriate patches to resolve CVE-2021-3750.

Signed-off-by: Sakib Sajal 
---
 meta/recipes-devtools/qemu/qemu.inc   |   3 +
 .../qemu/qemu/CVE-2021-3750_1.patch   |  60 +++
 .../qemu/qemu/CVE-2021-3750_2.patch   |  65 
 .../qemu/qemu/CVE-2021-3750_3.patch   | 156 ++
 4 files changed, 284 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750_3.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index aa372810ce..5605ece5bb 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -77,6 +77,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-20196_2.patch \
file://CVE-2021-4145_1.patch \
file://CVE-2021-4145_2.patch \
+   file://CVE-2021-3750_1.patch \
+   file://CVE-2021-3750_2.patch \
+   file://CVE-2021-3750_3.patch \
"
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
 
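Review bot: The commit message behind the three `file://CVE-2021-3750_*.patch` entries added to SRC_URI says only "Backport appropriate patches", which does not tell a reader which patch is the fix. The two patch headers visible in this mail describe a return-code check change and a local-variable cleanup, so state in the message which entry carries the actual fix and that the others are prerequisites that must stay in this order. The target branch is also stated only in a follow-up reply; put it in the subject prefix so the series is not picked up for the wrong branch.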
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch
new file mode 100644
index 00..8381661886
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_1.patch
@@ -0,0 +1,60 @@
+From d09eb9fc1459f5c8b623f3f2134c3c007b4e6344 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= 
+Date: Wed, 15 Dec 2021 19:24:19 +0100
+Subject: [PATCH 1/3] hw/intc/arm_gicv3: Check for !MEMTX_OK instead of
+ MEMTX_ERROR
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Quoting Peter Maydell:
+
+ "These MEMTX_* aren't from the memory transaction
+  API functions; they're just being used by gicd_readl() and
+  friends as a way to indicate a success/failure so that the
+  actual MemoryRegionOps read/write fns like gicv3_dist_read()
+  can log a guest error."
+
+We are going to introduce more MemTxResult bits, so it is
+safer to check for !MEMTX_OK rather than MEMTX_ERROR.
+
+Reviewed-by: Peter Xu 
+Reviewed-by: David Hildenbrand 
+Reviewed-by: Peter Maydell 
+Reviewed-by: Stefan Hajnoczi 
+Signed-off-by: Philippe Mathieu-Daudé 
+Signed-off-by: Peter Maydell 
+
+CVE: CVE-2021-3750
+Upstream-Status: Backport [b9d383ab797f54ae5fa8746117770709921dc529]
+
+Signed-off-by: Sakib Sajal 
+---
+ hw/intc/arm_gicv3_redist.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c
+index 8645220d6..44368e285 100644
+--- a/hw/intc/arm_gicv3_redist.c
 b/hw/intc/arm_gicv3_redist.c
+@@ -450,7 +450,7 @@ MemTxResult gicv3_redist_read(void *opaque, hwaddr offset, 
uint64_t *data,
+ break;
+ }
+ 
+-if (r == MEMTX_ERROR) {
++if (r != MEMTX_OK) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+   "%s: invalid guest read at offset " TARGET_FMT_plx
+   "size %u\n", __func__, offset, size);
+@@ -507,7 +507,7 @@ MemTxResult gicv3_redist_write(void *opaque, hwaddr 
offset, uint64_t data,
+ break;
+ }
+ 
+-if (r == MEMTX_ERROR) {
++if (r != MEMTX_OK) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+   "%s: invalid guest write at offset " TARGET_FMT_plx
+   "size %u\n", __func__, offset, size);
+-- 
+2.33.0
+
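Review bot: `Upstream-Status: Backport [b9d383ab797f54ae5fa8746117770709921dc529]` in the header of CVE-2021-3750_1.patch gives a bare commit hash with no repository. Put the upstream commit URL inside the brackets so the backport can be compared with its source without guessing the tree. The same applies to the `Upstream-Status` line of CVE-2021-3750_2.patch.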
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch
new file mode 100644
index 00..82d2675ab2
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750_2.patch
@@ -0,0 +1,65 @@
+From 13e82fe73aca591cc4160688597515c7fb6f9788 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= 
+Date: Wed, 15 Dec 2021 19:24:20 +0100
+Subject: [PATCH 2/3] softmmu/physmem: Simplify flatview_write and
+ address_space_access_valid
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Remove unuseful local 'result' variables.
+
+Reviewed-by: Peter Xu 
+Reviewed-by: David Hildenbrand 
+Reviewed-by: Alexander Bulekov 
+Reviewed-by: Stefan Hajnoczi 
+Signed-off-by: Philippe Mathieu-Daudé 
+Message-Id: <20211215182421.418374-3-phi...@redhat.com>
+Signed-off-by: Thomas Huth 
+
+CVE: CVE-2021-3750
+Upstream-Status: Backport [58e74682baf4e1ad26b064d8c02e5bc99c75c5d9]
+
+Signed-off-by: Sakib Sajal 
+---
+ softmmu/physmem.c | 11 +++
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/softmmu/physmem.c b/softmmu/physmem.c
+index 2cd1de4a2..68612afbd 100644
+--- a/softmmu/physmem.c
 b/softmmu/physmem.c
+@@ -2792,14 +2792,11 @@ static MemTxResult flatview_write(FlatView *fv, hwaddr 
addr, MemTxAttrs attrs,
+ hwaddr l;
+ hwaddr addr1;
+ MemoryRegion *mr;
+-MemTxResult result =
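Review bot: The header of CVE-2021-3750_2.patch carries `CVE: CVE-2021-3750`, but its message is only "Remove unuseful local 'result' variables" and its diffstat is a cleanup of softmmu/physmem.c (3 insertions, 8 deletions), so nothing explains why it is needed for the CVE. Add a sentence next to the CVE tag saying it is carried as a prerequisite for a later patch in the series, if that is the reason, so it is not dropped as unrelated during a later rebase.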