rpms/qemu
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

qemu-7.0.0-10

Browse Source 
vga: avoid crash if no default vga card (rhbz#2095639)
lsi53c895a: Fix use-after-free in lsi_do_msgout (CVE-2022-0216)
vnc-clipboard: fix integer underflow (CVE-2022-3165)

Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
This commit is contained in:
Mauro Matteo Cascella 2022-10-18 20:00:44 +02:00
parent 34254733fe
commit 1176069249
4 changed files with 231 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
0012-vga-avoid-crash-if-no-default-vga-card.patch Normal file
View File

@ -0,0 +1,32 @@
From: Guo Zhi <qtxuning1999@sjtu.edu.cn>
Date: Tue, 3 May 2022 17:17:24 +0800
Subject: [PATCH] vga: avoid crash if no default vga card
QEMU in some arch will crash when executing -vga help command, because
there is no default vga model. Add check to this case and avoid crash.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/978
Signed-off-by: Guo Zhi <qtxuning1999@sjtu.edu.cn>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Tested-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20220503091724.970009-1-qtxuning1999@sjtu.edu.cn>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
---
softmmu/vl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/softmmu/vl.c b/softmmu/vl.c
index 6f646531a0..b16c1c48fa 100644
--- a/softmmu/vl.c
+++ b/softmmu/vl.c
@@ -974,7 +974,8 @@ static void select_vgahw(const MachineClass *machine_class, const char *p)
if (vga_interface_available(t) && ti->opt_name) {
printf("%-20s %s%s\n", ti->opt_name, ti->name ?: "",
- g_str_equal(ti->opt_name, def) ? " (default)" : "");
+ (def && g_str_equal(ti->opt_name, def)) ?
+ " (default)" : "");
}
}
exit(0);

136
0013-scsi-lsi53c895a-fix-use-after-free-in-lsi_do_msgout.patch Normal file
View File

@ -0,0 +1,136 @@
From: Mauro Matteo Cascella <mcascell@redhat.com>
Date: Tue, 5 Jul 2022 22:05:43 +0200
Subject: [PATCH] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout
(CVE-2022-0216)
Set current_req to NULL to prevent reusing a free'd buffer in case of
repeated SCSI cancel requests. Also apply the fix to CLEAR QUEUE and BUS
DEVICE RESET messages as well, since they also cancel the request.
Fixes: CVE-2022-0216
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20220705200543.2366809-1-mcascell@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
hw/scsi/lsi53c895a.c | 4 +-
tests/qtest/fuzz-lsi53c895a-test.c | 75 ++++++++++++++++++++++++++++++
2 files changed, 78 insertions(+), 1 deletion(-)
diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
index c8773f73f7..ad5f5e5f39 100644
--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
@@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s)
case 0x0d:
/* The ABORT TAG message clears the current I/O process only. */
trace_lsi_do_msgout_abort(current_tag);
- if (current_req) {
+ if (current_req && current_req->req) {
scsi_req_cancel(current_req->req);
+ current_req = NULL;
}
lsi_disconnect(s);
break;
@@ -1055,6 +1056,7 @@ static void lsi_do_msgout(LSIState *s)
/* clear the current I/O process */
if (s->current) {
scsi_req_cancel(s->current->req);
+ current_req = NULL;
}
/* As the current implemented devices scsi_disk and scsi_generic
diff --git a/tests/qtest/fuzz-lsi53c895a-test.c b/tests/qtest/fuzz-lsi53c895a-test.c
index ba5d468970..0f968024c8 100644
--- a/tests/qtest/fuzz-lsi53c895a-test.c
+++ b/tests/qtest/fuzz-lsi53c895a-test.c
@@ -8,6 +8,79 @@
#include "qemu/osdep.h"
#include "libqos/libqtest.h"
+/*
+ * This used to trigger a UAF in lsi_do_msgout()
+ * https://gitlab.com/qemu-project/qemu/-/issues/972
+ */
+static void test_lsi_do_msgout_cancel_req(void)
+{
+ QTestState *s;
+
+ if (sizeof(void *) == 4) {
+ g_test_skip("memory size too big for 32-bit build");
+ return;
+ }
+
+ s = qtest_init("-M q35 -m 4G -display none -nodefaults "
+ "-device lsi53c895a,id=scsi "
+ "-device scsi-hd,drive=disk0 "
+ "-drive file=null-co://,id=disk0,if=none,format=raw");
+
+ qtest_outl(s, 0xcf8, 0x80000810);
+ qtest_outl(s, 0xcf8, 0xc000);
+ qtest_outl(s, 0xcf8, 0x80000810);
+ qtest_outw(s, 0xcfc, 0x7);
+ qtest_outl(s, 0xcf8, 0x80000810);
+ qtest_outl(s, 0xcfc, 0xc000);
+ qtest_outl(s, 0xcf8, 0x80000804);
+ qtest_outw(s, 0xcfc, 0x05);
+ qtest_writeb(s, 0x69736c10, 0x08);
+ qtest_writeb(s, 0x69736c13, 0x58);
+ qtest_writeb(s, 0x69736c1a, 0x01);
+ qtest_writeb(s, 0x69736c1b, 0x06);
+ qtest_writeb(s, 0x69736c22, 0x01);
+ qtest_writeb(s, 0x69736c23, 0x07);
+ qtest_writeb(s, 0x69736c2b, 0x02);
+ qtest_writeb(s, 0x69736c48, 0x08);
+ qtest_writeb(s, 0x69736c4b, 0x58);
+ qtest_writeb(s, 0x69736c52, 0x04);
+ qtest_writeb(s, 0x69736c53, 0x06);
+ qtest_writeb(s, 0x69736c5b, 0x02);
+ qtest_outl(s, 0xc02d, 0x697300);
+ qtest_writeb(s, 0x5a554662, 0x01);
+ qtest_writeb(s, 0x5a554663, 0x07);
+ qtest_writeb(s, 0x5a55466a, 0x10);
+ qtest_writeb(s, 0x5a55466b, 0x22);
+ qtest_writeb(s, 0x5a55466c, 0x5a);
+ qtest_writeb(s, 0x5a55466d, 0x5a);
+ qtest_writeb(s, 0x5a55466e, 0x34);
+ qtest_writeb(s, 0x5a55466f, 0x5a);
+ qtest_writeb(s, 0x5a345a5a, 0x77);
+ qtest_writeb(s, 0x5a345a5b, 0x55);
+ qtest_writeb(s, 0x5a345a5c, 0x51);
+ qtest_writeb(s, 0x5a345a5d, 0x27);
+ qtest_writeb(s, 0x27515577, 0x41);
+ qtest_outl(s, 0xc02d, 0x5a5500);
+ qtest_writeb(s, 0x364001d0, 0x08);
+ qtest_writeb(s, 0x364001d3, 0x58);
+ qtest_writeb(s, 0x364001da, 0x01);
+ qtest_writeb(s, 0x364001db, 0x26);
+ qtest_writeb(s, 0x364001dc, 0x0d);
+ qtest_writeb(s, 0x364001dd, 0xae);
+ qtest_writeb(s, 0x364001de, 0x41);
+ qtest_writeb(s, 0x364001df, 0x5a);
+ qtest_writeb(s, 0x5a41ae0d, 0xf8);
+ qtest_writeb(s, 0x5a41ae0e, 0x36);
+ qtest_writeb(s, 0x5a41ae0f, 0xd7);
+ qtest_writeb(s, 0x5a41ae10, 0x36);
+ qtest_writeb(s, 0x36d736f8, 0x0c);
+ qtest_writeb(s, 0x36d736f9, 0x80);
+ qtest_writeb(s, 0x36d736fa, 0x0d);
+ qtest_outl(s, 0xc02d, 0x364000);
+
+ qtest_quit(s);
+}
+
/*
* This used to trigger the assert in lsi_do_dma()
* https://bugs.launchpad.net/qemu/+bug/697510
@@ -46,6 +119,8 @@ int main(int argc, char **argv)
if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) {
qtest_add_func("fuzz/lsi53c895a/lsi_do_dma_empty_queue",
test_lsi_do_dma_empty_queue);
+ qtest_add_func("fuzz/lsi53c895a/lsi_do_msgout_cancel_req",
+ test_lsi_do_msgout_cancel_req);
}
return g_test_run();

51
0014-ui-vnc-clipboard-fix-integer-underflow-in-vnc_client.patch Normal file
View File

@ -0,0 +1,51 @@
From: Mauro Matteo Cascella <mcascell@redhat.com>
Date: Sun, 25 Sep 2022 22:45:11 +0200
Subject: [PATCH] ui/vnc-clipboard: fix integer underflow in
vnc_client_cut_text_ext
Extended ClientCutText messages start with a 4-byte header. If len < 4,
an integer underflow occurs in vnc_client_cut_text_ext. The result is
used to decompress data in a while loop in inflate_buffer, leading to
CPU consumption and denial of service. Prevent this by checking dlen in
protocol_client_msg.
Fixes: CVE-2022-3165
Fixes: 0bf41cab93e5 ("ui/vnc: clipboard support")
Reported-by: TangPeng <tangpeng@qianxin.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Message-Id: <20220925204511.1103214-1-mcascell@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
ui/vnc.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/ui/vnc.c b/ui/vnc.c
index 310a873c21..8a2e176b64 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2442,8 +2442,8 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
if (len == 1) {
return 8;
}
+ uint32_t dlen = abs(read_s32(data, 4));
if (len == 8) {
- uint32_t dlen = abs(read_s32(data, 4));
if (dlen > (1 << 20)) {
error_report("vnc: client_cut_text msg payload has %u bytes"
" which exceeds our limit of 1MB.", dlen);
@@ -2456,8 +2456,13 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
}
if (read_s32(data, 4) < 0) {
- vnc_client_cut_text_ext(vs, abs(read_s32(data, 4)),
- read_u32(data, 8), data + 12);
+ if (dlen < 4) {
+ error_report("vnc: malformed payload (header less than 4 bytes)"
+ " in extended clipboard pseudo-encoding.");
+ vnc_client_error(vs);
+ break;
+ }
+ vnc_client_cut_text_ext(vs, dlen, read_u32(data, 8), data + 12);
break;
}
vnc_client_cut_text(vs, read_u32(data, 4), data + 8);

13
qemu.spec
View File

@ -317,7 +317,7 @@ Obsoletes: %{name}-system-unicore32-core <= %{epoch}:%{version}-%{release}
%endif
# To prevent rpmdev-bumpspec breakage
%global baserelease 9
%global baserelease 10
Summary: QEMU is a FAST! processor emulator
Name: qemu
@ -354,6 +354,12 @@ Patch: 0009-Fix-iotests-with-modules-and-qemu-system-s390x.patch
Patch: 0010-Skip-iotests-entirely.patch
# Not yet upstream, fix glibc 2.36 compat
Patch: 0011-linux-user-fix-compat-with-glibc-2.36-sys-mount.h.patch
# vga: avoid crash if no default vga card (rhbz#2095639)
Patch: 0012-vga-avoid-crash-if-no-default-vga-card.patch
# lsi53c895a: fix use-after-free in lsi_do_msgout (CVE-2022-0216)
Patch: 0013-scsi-lsi53c895a-fix-use-after-free-in-lsi_do_msgout.patch
# vnc-clipboard: fix integer underflow (CVE-2022-3165)
Patch: 0014-ui-vnc-clipboard-fix-integer-underflow-in-vnc_client.patch
BuildRequires: meson >= %{meson_version}
BuildRequires: zlib-devel
@ -2718,6 +2724,11 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
%changelog
* Tue Oct 18 2022 Mauro Matteo Cascella <mcascell@redhat.com> - 2:7.0.0-10
- vga: avoid crash if no default vga card (rhbz#2095639)
- lsi53c895a: fix use-after-free in lsi_do_msgout (CVE-2022-0216) (rhbz#2070902)
- vnc-clipboard: fix integer underflow (CVE-2022-3165) (rhbz#2129759)
* Tue Aug 2 2022 Daniel P. Berrangé <berrange@redhat.com> - 7.0.0-9
- Fix compat with glibc 2.36 headers