diff -Nru qemu-2.11+dfsg/debian/changelog qemu-2.11+dfsg/debian/changelog --- qemu-2.11+dfsg/debian/changelog 2022-06-09 15:37:25.000000000 +0000 +++ qemu-2.11+dfsg/debian/changelog 2022-12-08 09:08:49.000000000 +0000 @@ -1,3 +1,16 @@ +qemu (1:2.11+dfsg-1ubuntu7.41) bionic-security; urgency=medium + + * SECURITY UPDATE: DMA reentrancy issue + - debian/patches/CVE-2021-3750.patch: Introduce MemTxAttrs::memory + field and MEMTX_ACCESS_ERROR + - CVE-2021-3750 + * SECURITY UPDATE: use-after-free vulnerability + - debian/patches/CVE-2022-0216-*.patch: fix use-after-free in + lsi_do_msgout + - CVE-2022-0216 + + -- Nishit Majithia Thu, 08 Dec 2022 14:38:49 +0530 + qemu (1:2.11+dfsg-1ubuntu7.40) bionic-security; urgency=medium * SECURITY UPDATE: heap overflow in floppy disk emulator diff -Nru qemu-2.11+dfsg/debian/patches/CVE-2021-3750.patch qemu-2.11+dfsg/debian/patches/CVE-2021-3750.patch --- qemu-2.11+dfsg/debian/patches/CVE-2021-3750.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.11+dfsg/debian/patches/CVE-2021-3750.patch 2022-12-07 11:29:41.000000000 +0000 
@@ -0,0 +1,176 @@
+Backport of https://gitlab.com/qemu-project/qemu/-/commit/3ab6fdc9
+
+From 3ab6fdc91b72e156da22848f0003ff4225690ced Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?=
+Date: Wed, 15 Dec 2021 19:24:21 +0100
+Subject: [PATCH] softmmu/physmem: Introduce MemTxAttrs::memory field and
+ MEMTX_ACCESS_ERROR
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add the 'memory' bit to the memory attributes to restrict bus
+controller accesses to memories.
+
+Introduce flatview_access_allowed() to check bus permission
+before running any bus transaction.
+
+Have read/write accessors return MEMTX_ACCESS_ERROR if an access is
+restricted.
+
+There is no change for the default case where 'memory' is not set.
+
+Signed-off-by: Philippe Mathieu-Daudé
+Message-Id: <20211215182421.418374-4-philmd@redhat.com>
+Reviewed-by: Richard Henderson
+Reviewed-by: Stefan Hajnoczi
+[thuth: Replaced MEMTX_BUS_ERROR with MEMTX_ACCESS_ERROR, remove "inline"]
+Signed-off-by: Thomas Huth
+---
+
+Backport of https://gitlab.com/qemu-project/qemu/-/commit/3ab6fdc9
+
+From 3ab6fdc91b72e156da22848f0003ff4225690ced Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?=
+Date: Wed, 15 Dec 2021 19:24:21 +0100
+Subject: [PATCH] softmmu/physmem: Introduce MemTxAttrs::memory field and
+ MEMTX_ACCESS_ERROR
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add the 'memory' bit to the memory attributes to restrict bus
+controller accesses to memories.
+
+Introduce flatview_access_allowed() to check bus permission
+before running any bus transaction.
+
+Have read/write accessors return MEMTX_ACCESS_ERROR if an access is
+restricted.
+
+There is no change for the default case where 'memory' is not set.
+
+Signed-off-by: Philippe Mathieu-Daudé
+Message-Id: <20211215182421.418374-4-philmd@redhat.com>
+Reviewed-by: Richard Henderson
+Reviewed-by: Stefan Hajnoczi
+[thuth: Replaced MEMTX_BUS_ERROR with MEMTX_ACCESS_ERROR, remove "inline"]
+Signed-off-by: Thomas Huth
+---
+ include/exec/memattrs.h | 9 +++++++++
+ softmmu/physmem.c | 44 +++++++++++++++++++++++++++++++++++++++--
+ 2 files changed, 51 insertions(+), 2 deletions(-)
+
+--- qemu-2.11+dfsg.orig/include/exec/memattrs.h
++++ qemu-2.11+dfsg/include/exec/memattrs.h
+@@ -35,6 +35,14 @@ typedef struct MemTxAttrs {
+ unsigned int secure:1;
+ /* Memory access is usermode (unprivileged) */
+ unsigned int user:1;
++ /*
++ * Bus interconnect and peripherals can access anything (memories,
++ * devices) by default. By setting the 'memory' bit, bus transaction
++ * are restricted to "normal" memories (per the AMBA documentation)
++ * versus devices. Access to devices will be logged and rejected
++ * (see MEMTX_ACCESS_ERROR).
++ */
++ unsigned int memory:1;
+ /* Requester ID (for MSI for example) */
+ unsigned int requester_id:16;
+ } MemTxAttrs;
+@@ -54,6 +62,7 @@ typedef struct MemTxAttrs {
+ #define MEMTX_OK 0
+ #define MEMTX_ERROR (1U << 0) /* device returned an error */
+ #define MEMTX_DECODE_ERROR (1U << 1) /* nothing at that address */
++#define MEMTX_ACCESS_ERROR (1U << 2) /* access denied */
+ typedef uint32_t MemTxResult;
+
+ #endif
+--- qemu-2.11+dfsg.orig/exec.c
++++ qemu-2.11+dfsg/exec.c
+@@ -34,6 +34,7 @@
+ #endif
+ #include "sysemu/kvm.h"
+ #include "sysemu/sysemu.h"
++#include "qemu/log.h"
+ #include "qemu/timer.h"
+ #include "qemu/config-file.h"
+ #include "qemu/error-report.h"
+@@ -2938,6 +2939,33 @@ static bool prepare_mmio_access(MemoryRe
+ return release_lock;
+ }
+
++/**
++ * flatview_access_allowed
++ * @mr: #MemoryRegion to be accessed
++ * @attrs: memory transaction attributes
++ * @addr: address within that memory region
++ * @len: the number of bytes to access
++ *
++ * Check if a memory transaction is allowed.
++ *
++ * Returns: true if transaction is allowed, false if denied.
++ */
++static bool flatview_access_allowed(MemoryRegion *mr, MemTxAttrs attrs,
++ hwaddr addr, hwaddr len)
++{
++ if (likely(!attrs.memory)) {
++ return true;
++ }
++ if (memory_region_is_ram(mr)) {
++ return true;
++ }
++ qemu_log_mask(LOG_GUEST_ERROR,
++ "Invalid access to non-RAM device at "
++ "addr 0x%" HWADDR_PRIX ", size %" HWADDR_PRIu ", "
++ "region '%s'\n", addr, len, memory_region_name(mr));
++ return false;
++}
++
+ /* Called within RCU critical section. */
+ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr,
+ MemTxAttrs attrs,
+@@ -2951,7 +2979,10 @@ static MemTxResult flatview_write_contin
+ bool release_lock = false;
+
+ for (;;) {
+- if (!memory_access_is_direct(mr, true)) {
++ if (!flatview_access_allowed(mr, attrs, addr1, l)) {
++ result |= MEMTX_ACCESS_ERROR;
++ /* Keep going. */
++ } else if (!memory_access_is_direct(mr, true)) {
+ release_lock |= prepare_mmio_access(mr);
+ l = memory_access_size(mr, l, addr1);
+ /* XXX: could force current_cpu to NULL to avoid
+@@ -3023,6 +3054,9 @@ static MemTxResult flatview_write(FlatVi
+ rcu_read_lock();
+ l = len;
+ mr = flatview_translate(fv, addr, &addr1, &l, true);
++ if (!flatview_access_allowed(mr, attrs, addr, len)) {
++ return MEMTX_ACCESS_ERROR;
++ }
+ result = flatview_write_continue(fv, addr, attrs, buf, len,
+ addr1, l, mr);
+ rcu_read_unlock();
+@@ -3050,7 +3084,10 @@ MemTxResult flatview_read_continue(FlatV
+ bool release_lock = false;
+
+ for (;;) {
+- if (!memory_access_is_direct(mr, false)) {
++ if (!flatview_access_allowed(mr, attrs, addr1, l)) {
++ result |= MEMTX_ACCESS_ERROR;
++ /* Keep going. */
++ } else if (!memory_access_is_direct(mr, false)) {
+ /* I/O case */
+ release_lock |= prepare_mmio_access(mr);
+ l = memory_access_size(mr, l, addr1);
+@@ -3120,6 +3157,9 @@ MemTxResult flatview_read_full(FlatView
+ rcu_read_lock();
+ l = len;
+ mr = flatview_translate(fv, addr, &addr1, &l, false);
++ if (!flatview_access_allowed(mr, attrs, addr, len)) {
++ return MEMTX_ACCESS_ERROR;
++ }
+ result = flatview_read_continue(fv, addr, attrs, buf, len,
+ addr1, l, mr);
+ rcu_read_unlock();
diff -Nru qemu-2.11+dfsg/debian/patches/CVE-2022-0216-1.patch qemu-2.11+dfsg/debian/patches/CVE-2022-0216-1.patch
--- qemu-2.11+dfsg/debian/patches/CVE-2022-0216-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-2.11+dfsg/debian/patches/CVE-2022-0216-1.patch 2022-12-07 13:39:38.000000000 +0000
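Review bot: The early `return MEMTX_ACCESS_ERROR;` added to flatview_write (hunk @@ -3023) and flatview_read_full (hunk @@ -3120) skips the `rcu_read_unlock()` that these 2.11 functions pair with the `rcu_read_lock()` visible a few lines above, so a denied access leaves the calling thread's RCU read-side critical section open; this presumably did not arise upstream because there the lock is held by the callers rather than inside these functions. Both returns should release the lock first, `if (!flatview_access_allowed(mr, attrs, addr, len)) { rcu_read_unlock(); return MEMTX_ACCESS_ERROR; }`, or assign `result` and skip only the `*_continue` call so the existing unlock runs. No hunk in this backport sets `attrs.memory`, so the path is inert until a later backport sets the bit, at which point the leak will surface. Both enclosing functions continue past the end of the hunk. Separately, the patch header repeats the whole commit message twice and its diffstat still names `softmmu/physmem.c` while the hunks patch `exec.c`; one copy of the message with a diffstat matching the backported files would be clearer.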
@@ -0,0 +1,34 @@
+Backport of https://gitlab.com/qemu-project/qemu/-/commit/6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8
+
+From 6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella
+Date: Tue, 5 Jul 2022 22:05:43 +0200
+Subject: [PATCH] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout
+ (CVE-2022-0216)
+
+Set current_req->req to NULL to prevent reusing a free'd buffer in case of
+repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch.
+
+Fixes: CVE-2022-0216
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
+Signed-off-by: Mauro Matteo Cascella
+Reviewed-by: Thomas Huth
+Message-Id: <20220705200543.2366809-1-mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini
+---
+ hw/scsi/lsi53c895a.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- qemu-2.11+dfsg.orig/hw/scsi/lsi53c895a.c
++++ qemu-2.11+dfsg/hw/scsi/lsi53c895a.c
+@@ -982,8 +982,9 @@ static void lsi_do_msgout(LSIState *s)
+ case 0x0d:
+ /* The ABORT TAG message clears the current I/O process only. */
+ DPRINTF("MSG: ABORT TAG tag=0x%x\n", current_tag);
+- if (current_req) {
++ if (current_req && current_req->req) {
+ scsi_req_cancel(current_req->req);
++ current_req->req = NULL;
+ }
+ lsi_disconnect(s);
+ break;
diff -Nru qemu-2.11+dfsg/debian/patches/CVE-2022-0216-2.patch qemu-2.11+dfsg/debian/patches/CVE-2022-0216-2.patch
--- qemu-2.11+dfsg/debian/patches/CVE-2022-0216-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-2.11+dfsg/debian/patches/CVE-2022-0216-2.patch 2022-12-07 13:39:58.000000000 +0000
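Review bot: The header of CVE-2022-0216-1.patch does not say that it is only the first half of the fix and that CVE-2022-0216-2.patch, later in the same series, replaces its `current_req->req = NULL;` line with `current_req = NULL;`, so anyone cherry-picking or bisecting the series will take this patch as the complete CVE-2022-0216 fix. A line such as `Superseded by CVE-2022-0216-2.patch (upstream 4367a20c); kept so that patch applies cleanly` under the existing `Backport of` line would make the dependency explicit. lsi_do_msgout begins and ends outside the hunk.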
@@ -0,0 +1,46 @@
+Backport of https://gitlab.com/qemu-project/qemu/-/commit/6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8
+Test file removed since file doesnt exist in bionic
+
+From 4367a20cc442c56b05611b4224de9a61908f9eac Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella
+Date: Mon, 11 Jul 2022 14:33:16 +0200
+Subject: [PATCH] scsi/lsi53c895a: really fix use-after-free in lsi_do_msgout
+ (CVE-2022-0216)
+
+Set current_req to NULL, not current_req->req, to prevent reusing a free'd
+buffer in case of repeated SCSI cancel requests. Also apply the fix to
+CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel
+the request.
+
+Thanks to Alexander Bulekov for providing a reproducer.
+
+Fixes: CVE-2022-0216
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
+Signed-off-by: Mauro Matteo Cascella
+Tested-by: Alexander Bulekov
+Message-Id: <20220711123316.421279-1-mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini
+---
+ hw/scsi/lsi53c895a.c | 3 +-
+ tests/qtest/fuzz-lsi53c895a-test.c | 76 ++++++++++++++++++++++++++++++
+ 2 files changed, 78 insertions(+), 1 deletion(-)
+
+--- qemu-2.11+dfsg.orig/hw/scsi/lsi53c895a.c
++++ qemu-2.11+dfsg/hw/scsi/lsi53c895a.c
+@@ -984,7 +984,7 @@ static void lsi_do_msgout(LSIState *s)
+ DPRINTF("MSG: ABORT TAG tag=0x%x\n", current_tag);
+ if (current_req && current_req->req) {
+ scsi_req_cancel(current_req->req);
+- current_req->req = NULL;
++ current_req = NULL;
+ }
+ lsi_disconnect(s);
+ break;
+@@ -1010,6 +1010,7 @@ static void lsi_do_msgout(LSIState *s)
+ /* clear the current I/O process */
+ if (s->current) {
+ scsi_req_cancel(s->current->req);
++ current_req = NULL;
+ }
+
+ /* As the current implemented devices scsi_disk and scsi_generic
diff -Nru qemu-2.11+dfsg/debian/patches/series qemu-2.11+dfsg/debian/patches/series
--- qemu-2.11+dfsg/debian/patches/series 2022-06-09 15:37:19.000000000 +0000
+++ qemu-2.11+dfsg/debian/patches/series 2022-12-07 13:39:50.000000000 +0000
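Review bot: The `Backport of` line at the top of CVE-2022-0216-2.patch points to commit 6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8, which is the upstream commit of the first patch, while the `From` line directly below gives 4367a20cc442c56b05611b4224de9a61908f9eac; it should read `Backport of https://gitlab.com/qemu-project/qemu/-/commit/4367a20cc442c56b05611b4224de9a61908f9eac` (and `doesnt` on the next line wants an apostrophe). The diffstat still lists `tests/qtest/fuzz-lsi53c895a-test.c | 76 ...` although the header says that file was dropped from the backport, so the stat should be trimmed to the one file actually patched. On the code side, the added `current_req = NULL;` after `scsi_req_cancel(s->current->req)` clears only the local pointer; whether `s->current` is also invalidated on that cancel path is not visible here and is worth confirming against the 2.11 lsi53c895a.c, since lsi_do_msgout begins and ends outside the hunk.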
@@ -241,3 +241,6 @@
 CVE-2021-4207.patch
 CVE-2022-26353.patch
 CVE-2022-26354.patch
+CVE-2021-3750.patch
+CVE-2022-0216-1.patch
+CVE-2022-0216-2.patch