!578 fix CVE-2021-20257/CVE-2020-13253 and fix gcc 10.3.1 compile error (openeuler !302!305)

From: @sundongx 
Reviewed-by: @yezengruan 
Signed-off-by: @yezengruan
openeuler-ci-bot 2022-05-30 03:27:17 +00:00 committed by Gitee
commit 051651f20a
12 changed files with 851 additions and 1 deletions


@ -0,0 +1,60 @@
From a90cb5bc6accc02d155d74f08e630a26f252f435 Mon Sep 17 00:00:00 2001
From: Yonggang Luo <luoyonggang@gmail.com>
Date: Tue, 13 Oct 2020 07:43:46 +0800
Subject: [PATCH 2/4] curses: Fixes curses compiling errors.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is the compiling error:
../ui/curses.c: In function 'curses_refresh':
../ui/curses.c:256:5: error: 'next_maybe_keycode' may be used uninitialized in this function [-Werror=maybe-uninitialized]
256 | curses2foo(_curses2keycode, _curseskey2keycode, chr, maybe_keycode)
| ^~~~~~~~~~
../ui/curses.c:302:32: note: 'next_maybe_keycode' was declared here
302 | enum maybe_keycode next_maybe_keycode;
| ^~~~~~~~~~~~~~~~~~
../ui/curses.c:256:5: error: 'maybe_keycode' may be used uninitialized in this function [-Werror=maybe-uninitialized]
256 | curses2foo(_curses2keycode, _curseskey2keycode, chr, maybe_keycode)
| ^~~~~~~~~~
../ui/curses.c:265:24: note: 'maybe_keycode' was declared here
265 | enum maybe_keycode maybe_keycode;
| ^~~~~~~~~~~~~
cc1.exe: all warnings being treated as errors
gcc version 10.2.0 (Rev1, Built by MSYS2 project)
Signed-off-by: Yonggang Luo <luoyonggang@gmail.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-id: 20201012234348.1427-4-luoyonggang@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
ui/curses.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ui/curses.c b/ui/curses.c
index a6e260eb96..18fcfe82d8 100644
--- a/ui/curses.c
+++ b/ui/curses.c
@@ -259,7 +259,7 @@ static int curses2foo(const int _curses2foo[], const int _curseskey2foo[],
static void curses_refresh(DisplayChangeListener *dcl)
{
int chr, keysym, keycode, keycode_alt;
- enum maybe_keycode maybe_keycode;
+ enum maybe_keycode maybe_keycode = CURSES_KEYCODE;
curses_winch_check();
@@ -296,7 +296,7 @@ static void curses_refresh(DisplayChangeListener *dcl)
/* alt or esc key */
if (keycode == 1) {
- enum maybe_keycode next_maybe_keycode;
+ enum maybe_keycode next_maybe_keycode = CURSES_KEYCODE;
int nextchr = console_getch(&next_maybe_keycode);
if (nextchr != -1) {
--
2.17.1


@ -0,0 +1,50 @@
From d9f04ba174842bfdbcdcec2c90a2a726b914b9fd Mon Sep 17 00:00:00 2001
From: Jason Wang <jasowang@redhat.com>
Date: Wed, 24 Feb 2021 13:45:28 +0800
Subject: [PATCH 1/7] e1000: fail early for evil descriptor
During procss_tx_desc(), driver can try to chain data descriptor with
legacy descriptor, when will lead underflow for the following
calculation in process_tx_desc() for bytes:
if (tp->size + bytes > msh)
bytes = msh - tp->size;
This will lead a infinite loop. So check and fail early if tp->size if
greater or equal to msh.
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de>
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/net/e1000.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hw/net/e1000.c b/hw/net/e1000.c
index a99aa3ccc3..f0219d363c 100644
--- a/hw/net/e1000.c
+++ b/hw/net/e1000.c
@@ -670,6 +670,9 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
msh = tp->tso_props.hdr_len + tp->tso_props.mss;
do {
bytes = split_size;
+ if (tp->size >= msh) {
+ goto eop;
+ }
if (tp->size + bytes > msh)
bytes = msh - tp->size;
@@ -695,6 +698,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
tp->size += split_size;
}
+eop:
if (!(txd_lower & E1000_TXD_CMD_EOP))
return;
if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) {
--
2.17.1
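Review bot: The new `if (tp->size >= msh) goto eop;` guard carries no comment explaining the invariant it enforces, so a later reader of process_tx_desc will not see why a context with `tp->size` already at or past `hdr_len + mss` must abandon the descriptor; suggest `/* guest chained a data descriptor onto a legacy one: msh - tp->size below would underflow and the do/while would never terminate */`. Jumping to `eop:` skips the rest of the do/while and the `tp->size += split_size` accounting, so whatever the post-EOP code does with the already accumulated `tp->size` now runs on a truncated frame — worth confirming that sending or dropping it is the intended outcome, and a trace point on this path would make a malformed descriptor observable instead of silently absorbed. process_tx_desc starts and ends outside the hunk.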


@ -0,0 +1,58 @@
From c28382f7ef531e10a45d240cdb29145f8638232e Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Thu, 21 Oct 2021 12:10:47 -0400
Subject: [PATCH 2/7] e1000: fix tx re-entrancy problem
The fact that the MMIO handler is not re-entrant causes an infinite
loop under certain conditions:
Guest write to TDT -> Loopback -> RX (DMA to TDT) -> TX
We now eliminate the effect of this problem locally in e1000, by adding
a boolean in struct E1000State indicating when the TX side is busy. This
will cause any entering new call to return early instead of interfering
with the ongoing work, and eliminates any risk of looping.
This is intended to address CVE-2021-20257.
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/net/e1000.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/hw/net/e1000.c b/hw/net/e1000.c
index f0219d363c..a41b5b116d 100644
--- a/hw/net/e1000.c
+++ b/hw/net/e1000.c
@@ -104,6 +104,7 @@ typedef struct E1000State_st {
e1000x_txd_props props;
e1000x_txd_props tso_props;
uint16_t tso_frames;
+ bool busy;
} tx;
struct {
@@ -748,6 +749,11 @@ start_xmit(E1000State *s)
return;
}
+ if (s->tx.busy) {
+ return;
+ }
+ s->tx.busy = true;
+
while (s->mac_reg[TDH] != s->mac_reg[TDT]) {
base = tx_desc_base(s) +
sizeof(struct e1000_tx_desc) * s->mac_reg[TDH];
@@ -774,6 +780,7 @@ start_xmit(E1000State *s)
break;
}
}
+ s->tx.busy = false;
set_ics(s, 0, cause);
}
--
2.17.1
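Review bot: `s->tx.busy` is set before the while loop and cleared only after it, so any `return` inside the loop body (the visible exit in the last hunk is a `break`, but most of the body lies between the two hunks) would leave the flag stuck at true and silently disable TX until the next reset; those paths deserve a check, as does the reset handler zeroing the `tx` struct so the flag cannot survive a device reset. The re-entrant caller returns with no trace, so a guest that triggers the loopback path has its TDT write dropped invisibly — a trace point there would help diagnose it. Document the field where it is declared: `bool busy; /* start_xmit() in progress; re-entrant calls (loopback RX DMA into TDT) return early */`. The patch does not add the field to the VMState description, which is acceptable only because it can be true solely inside a synchronous call — worth stating in that comment.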


@ -0,0 +1,105 @@
From ee7165e6dd077ebbe25f79b45fe0094a6c6779ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
Date: Tue, 7 Jul 2020 13:02:34 +0200
Subject: [PATCH 5/7] hw/sd/sdcard: Do not allow invalid SD card sizes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
QEMU allows to create SD card with unrealistic sizes. This could
work, but some guests (at least Linux) consider sizes that are not
a power of 2 as a firmware bug and fix the card size to the next
power of 2.
While the possibility to use small SD card images has been seen as
a feature, it became a bug with CVE-2020-13253, where the guest is
able to do OOB read/write accesses past the image size end.
In a pair of commits we will fix CVE-2020-13253 as:
Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
occurred and no data transfer is performed.
Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
occurred and no data transfer is performed.
WP_VIOLATION errors are not modified: the error bit is set, we
stay in receive-data state, wait for a stop command. All further
data transfer is ignored. See the check on sd->card_status at the
beginning of sd_read_data() and sd_write_data().
While this is the correct behavior, in case QEMU create smaller SD
cards, guests still try to access past the image size end, and QEMU
considers this is an invalid address, thus "all further data transfer
is ignored". This is wrong and make the guest looping until
eventually timeouts.
Fix by not allowing invalid SD card sizes (suggesting the expected
size as a hint):
$ qemu-system-arm -M orangepi-pc -drive file=rootfs.ext2,if=sd,format=raw
qemu-system-arm: Invalid SD card size: 60 MiB
SD card size has to be a power of 2, e.g. 64 MiB.
You can resize disk images with 'qemu-img resize <imagefile> <new-size>'
(note that this will lose data if you make the image smaller than it currently is).
Cc: qemu-stable@nongnu.org
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20200713183209.26308-8-f4bug@amsat.org>
---
hw/sd/sd.c | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index caac17e71b..263072a353 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -32,6 +32,7 @@
#include "qemu/osdep.h"
#include "qemu/units.h"
+#include "qemu-common.h"
#include "hw/qdev.h"
#include "hw/hw.h"
#include "hw/registerfields.h"
@@ -2091,11 +2092,35 @@ static void sd_realize(DeviceState *dev, Error **errp)
}
if (sd->blk) {
+ int64_t blk_size;
+
if (blk_is_read_only(sd->blk)) {
error_setg(errp, "Cannot use read-only drive as SD card");
return;
}
+ blk_size = blk_getlength(sd->blk);
+ if (blk_size > 0 && !is_power_of_2(blk_size)) {
+ int64_t blk_size_aligned = pow2ceil(blk_size);
+ char *blk_size_str;
+
+ blk_size_str = size_to_str(blk_size);
+ error_setg(errp, "Invalid SD card size: %s", blk_size_str);
+ g_free(blk_size_str);
+
+ blk_size_str = size_to_str(blk_size_aligned);
+ error_append_hint(errp,
+ "SD card size has to be a power of 2, e.g. %s.\n"
+ "You can resize disk images with"
+ " 'qemu-img resize <imagefile> <new-size>'\n"
+ "(note that this will lose data if you make the"
+ " image smaller than it currently is).\n",
+ blk_size_str);
+ g_free(blk_size_str);
+
+ return;
+ }
+
ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
BLK_PERM_ALL, errp);
if (ret < 0) {
--
2.17.1
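Review bot: `blk_size = blk_getlength(sd->blk)` returns a negative value on failure, and the new `if (blk_size > 0 && !is_power_of_2(blk_size))` test silently skips that case (and a zero-length image) and falls through to `blk_set_perm`, so a backing image whose size cannot be read is accepted as an SD card; handle it explicitly before the power-of-2 check, e.g. `if (blk_size < 0) { error_setg_errno(errp, -blk_size, "Could not get SD card image size"); return; }`. The user-facing hint is good, but the next maintainer also needs the why at the check itself: `/* guests (at least Linux) round a non-power-of-2 size up to the next power of 2 and then access past the image end (CVE-2020-13253) */`. sd_realize continues outside the hunk.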


@ -0,0 +1,131 @@
From 8d920e44e5bd5e719aca03887e9bcc5a02787a2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
Date: Thu, 4 Jun 2020 19:22:29 +0200
Subject: [PATCH 7/7] hw/sd/sdcard: Do not switch to ReceivingData if address
is invalid
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Only move the state machine to ReceivingData if there is no
pending error. This avoids later OOB access while processing
commands queued.
"SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
4.3.3 Data Read
Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
occurred and no data transfer is performed.
4.3.4 Data Write
Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
occurred and no data transfer is performed.
WP_VIOLATION errors are not modified: the error bit is set, we
stay in receive-data state, wait for a stop command. All further
data transfer is ignored. See the check on sd->card_status at the
beginning of sd_read_data() and sd_write_data().
Fixes: CVE-2020-13253
Cc: qemu-stable@nongnu.org
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Buglink: https://bugs.launchpad.net/qemu/+bug/1880822
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20200630133912.9428-6-f4bug@amsat.org>
---
hw/sd/sd.c | 38 ++++++++++++++++++++++++--------------
1 file changed, 24 insertions(+), 14 deletions(-)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index ed796fb41f..79d5f1a5b9 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1156,13 +1156,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
case 17: /* CMD17: READ_SINGLE_BLOCK */
switch (sd->state) {
case sd_transfer_state:
- sd->state = sd_sendingdata_state;
- sd->data_start = addr;
- sd->data_offset = 0;
- if (sd->data_start + sd->blk_len > sd->size) {
+ if (addr + sd->blk_len > sd->size) {
sd->card_status |= ADDRESS_ERROR;
+ return sd_r1;
}
+
+ sd->state = sd_sendingdata_state;
+ sd->data_start = addr;
+ sd->data_offset = 0;
return sd_r1;
default:
@@ -1173,13 +1175,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
case 18: /* CMD18: READ_MULTIPLE_BLOCK */
switch (sd->state) {
case sd_transfer_state:
- sd->state = sd_sendingdata_state;
- sd->data_start = addr;
- sd->data_offset = 0;
- if (sd->data_start + sd->blk_len > sd->size) {
+ if (addr + sd->blk_len > sd->size) {
sd->card_status |= ADDRESS_ERROR;
+ return sd_r1;
}
+
+ sd->state = sd_sendingdata_state;
+ sd->data_start = addr;
+ sd->data_offset = 0;
return sd_r1;
default:
@@ -1219,14 +1223,17 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
/* Writing in SPI mode not implemented. */
if (sd->spi)
break;
+
+ if (addr + sd->blk_len > sd->size) {
+ sd->card_status |= ADDRESS_ERROR;
+ return sd_r1;
+ }
+
sd->state = sd_receivingdata_state;
sd->data_start = addr;
sd->data_offset = 0;
sd->blk_written = 0;
- if (sd->data_start + sd->blk_len > sd->size) {
- sd->card_status |= ADDRESS_ERROR;
- }
if (sd_wp_addr(sd, sd->data_start)) {
sd->card_status |= WP_VIOLATION;
}
@@ -1246,14 +1253,17 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
/* Writing in SPI mode not implemented. */
if (sd->spi)
break;
+
+ if (addr + sd->blk_len > sd->size) {
+ sd->card_status |= ADDRESS_ERROR;
+ return sd_r1;
+ }
+
sd->state = sd_receivingdata_state;
sd->data_start = addr;
sd->data_offset = 0;
sd->blk_written = 0;
- if (sd->data_start + sd->blk_len > sd->size) {
- sd->card_status |= ADDRESS_ERROR;
- }
if (sd_wp_addr(sd, sd->data_start)) {
sd->card_status |= WP_VIOLATION;
}
--
2.17.1
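Review bot: The same four-line range check `if (addr + sd->blk_len > sd->size) { sd->card_status |= ADDRESS_ERROR; return sd_r1; }` is now copied into CMD17, CMD18, CMD24 and CMD25; a small helper such as `static bool sd_addr_in_range(SDState *sd, uint64_t addr)` used at all four sites would keep the bound identical the next time it changes, and its comment is the natural place for the spec text quoted in the commit message (4.3.3/4.3.4: a read/write is rejected with ADDRESS_ERROR and no data transfer is performed). Since the rejection now happens before the state transition, the existing `card_status` checks at the top of sd_read_data()/sd_write_data() become a second layer rather than the only guard — keep them, and say so in a comment so nobody removes them as dead code. Other commands that enter sendingdata/receivingdata state are outside these hunks and are not covered by this change.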


@ -0,0 +1,48 @@
From 3fb16cbd24233829b3696e06abb12db317d68aac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
Date: Wed, 3 Jun 2020 19:59:16 +0200
Subject: [PATCH 3/7] hw/sd/sdcard: Restrict Class 6 commands to SCSD cards
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Only SCSD cards support Class 6 (Block Oriented Write Protection)
commands.
"SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
4.3.14 Command Functional Difference in Card Capacity Types
* Write Protected Group
SDHC and SDXC do not support write-protected groups. Issuing
CMD28, CMD29 and CMD30 generates the ILLEGAL_COMMAND error.
Cc: qemu-stable@nongnu.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20200630133912.9428-7-f4bug@amsat.org>
---
hw/sd/sd.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 917195a65b..ed3eae930b 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -905,6 +905,11 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
sd->multi_blk_cnt = 0;
}
+ if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
+ /* Only Standard Capacity cards support class 6 commands */
+ return sd_illegal;
+ }
+
switch (req.cmd) {
/* Basic commands (Class 0 and Class 1) */
case 0: /* CMD0: GO_IDLE_STATE */
--
2.17.1
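Review bot: `sd_cmd_class[req.cmd]` indexes a fixed table with the command number taken from the request, and inside sd_normal_command no bound on `req.cmd` is visible, so the new line relies on the caller (sd_do_command) having masked or range-checked the command first — either say so in a comment or add an explicit `req.cmd < ARRAY_SIZE(sd_cmd_class)` guard if that is not already guaranteed. The comment could also cite the spec so the CARD_CAPACITY test is self-explanatory: `/* SD spec v3.01 4.3.14: SDHC/SDXC have no write-protect groups, CMD28/29/30 are ILLEGAL_COMMAND */`. The enclosing function continues outside the hunk.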


@ -0,0 +1,43 @@
From 3b8e4bca9d5d51219778950456d52226a9caffdf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
Date: Tue, 5 Jun 2018 22:28:51 -0300
Subject: [PATCH 4/7] hw/sd/sdcard: Simplify realize() a bit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We don't need to check if sd->blk is set twice.
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20200630133912.9428-18-f4bug@amsat.org>
---
hw/sd/sd.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index ed3eae930b..caac17e71b 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -2090,12 +2090,12 @@ static void sd_realize(DeviceState *dev, Error **errp)
return;
}
- if (sd->blk && blk_is_read_only(sd->blk)) {
- error_setg(errp, "Cannot use read-only drive as SD card");
- return;
- }
-
if (sd->blk) {
+ if (blk_is_read_only(sd->blk)) {
+ error_setg(errp, "Cannot use read-only drive as SD card");
+ return;
+ }
+
ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
BLK_PERM_ALL, errp);
if (ret < 0) {
--
2.17.1


@ -0,0 +1,87 @@
From 29a65998b9c0e22983d6861efabae88106af591b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
Date: Mon, 13 Jul 2020 09:27:35 +0200
Subject: [PATCH 6/7] hw/sd/sdcard: Update coding style to make checkpatch.pl
happy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
To make the next commit easier to review, clean this code first.
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20200630133912.9428-3-f4bug@amsat.org>
---
hw/sd/sd.c | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 263072a353..ed796fb41f 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1160,8 +1160,9 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
sd->data_start = addr;
sd->data_offset = 0;
- if (sd->data_start + sd->blk_len > sd->size)
+ if (sd->data_start + sd->blk_len > sd->size) {
sd->card_status |= ADDRESS_ERROR;
+ }
return sd_r1;
default:
@@ -1176,8 +1177,9 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
sd->data_start = addr;
sd->data_offset = 0;
- if (sd->data_start + sd->blk_len > sd->size)
+ if (sd->data_start + sd->blk_len > sd->size) {
sd->card_status |= ADDRESS_ERROR;
+ }
return sd_r1;
default:
@@ -1222,12 +1224,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
sd->data_offset = 0;
sd->blk_written = 0;
- if (sd->data_start + sd->blk_len > sd->size)
+ if (sd->data_start + sd->blk_len > sd->size) {
sd->card_status |= ADDRESS_ERROR;
- if (sd_wp_addr(sd, sd->data_start))
+ }
+ if (sd_wp_addr(sd, sd->data_start)) {
sd->card_status |= WP_VIOLATION;
- if (sd->csd[14] & 0x30)
+ }
+ if (sd->csd[14] & 0x30) {
sd->card_status |= WP_VIOLATION;
+ }
return sd_r1;
default:
@@ -1246,12 +1251,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
sd->data_offset = 0;
sd->blk_written = 0;
- if (sd->data_start + sd->blk_len > sd->size)
+ if (sd->data_start + sd->blk_len > sd->size) {
sd->card_status |= ADDRESS_ERROR;
- if (sd_wp_addr(sd, sd->data_start))
+ }
+ if (sd_wp_addr(sd, sd->data_start)) {
sd->card_status |= WP_VIOLATION;
- if (sd->csd[14] & 0x30)
+ }
+ if (sd->csd[14] & 0x30) {
sd->card_status |= WP_VIOLATION;
+ }
return sd_r1;
default:
--
2.17.1


@ -0,0 +1,51 @@
From 55dee3d51d658d72edecd28168be69f822bff970 Mon Sep 17 00:00:00 2001
From: liuxiangdong <liuxiangdong5@huawei.com>
Date: Tue, 8 Feb 2022 15:10:25 +0800
Subject: [PATCH 3/4] net/dump.c: Suppress spurious compiler warning
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Compiling with gcc version 11.2.0 (Ubuntu 11.2.0-13ubuntu1) results in
a (spurious) warning:
In function dump_receive_iov,
inlined from filter_dump_receive_iov at ../net/dump.c:157:5:
../net/dump.c:89:9: error: writev specified size 18446744073709551600
exceeds maximum object size 9223372036854775807 [-Werror=stringop-overflow=]
89 | if (writev(s->fd, dumpiov, cnt + 1) != sizeof(hdr) + caplen) {
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from /home/ptomsich/qemu/include/qemu/osdep.h:108,
from ../net/dump.c:25:
../net/dump.c: In function filter_dump_receive_iov:
/usr/include/x86_64-linux-gnu/sys/uio.h:52:16: note: in a call to function
writev declared with attribute read_only (2, 3)
52 | extern ssize_t writev (int __fd, const struct iovec *__iovec, int
__count)
| ^~~~~~
cc1: all warnings being treated as errors
This change helps that version of GCC to understand what is going on
and suppresses this warning.
Signed-off-by: Philipp Tomsich <philipp.toms...@vrull.eu>
---
net/dump.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/dump.c b/net/dump.c
index 23b3628dde..3cf9fe869d 100644
--- a/net/dump.c
+++ b/net/dump.c
@@ -86,7 +86,7 @@ static ssize_t dump_receive_iov(DumpState *s, const struct iovec *iov, int cnt)
dumpiov[0].iov_len = sizeof(hdr);
cnt = iov_copy(&dumpiov[1], cnt, iov, cnt, 0, caplen);
- if (writev(s->fd, dumpiov, cnt + 1) != sizeof(hdr) + caplen) {
+ if (writev(s->fd, &dumpiov[0], cnt + 1) != sizeof(hdr) + caplen) {
error_report("network dump write error - stopping dump");
close(s->fd);
s->fd = -1;
--
2.17.1
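Review bot: `&dumpiov[0]` and `dumpiov` denote the same pointer, so a future cleanup will very likely fold this line back and reintroduce the build break; leave a comment on it: `/* &dumpiov[0], not dumpiov: works around a gcc 11 -Wstringop-overflow false positive */`. The surrounding check treats a short writev() as fatal and closes the dump, which is the safe choice, but the error message could say that the capture file is now truncated at the last complete record so whoever reads the pcap later knows what to expect. dump_receive_iov starts outside the hunk.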


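--- a/SPEC_FILE_PATH_NOT_SHOWN
+++ b/SPEC_FILE_PATH_NOT_SHOWN
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 68
+Release: 69
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@@ -359,6 +359,17 @@ Patch0346: hw-intc-arm_gicv3_dist-Rename-64-bit-accessors-with-.patch
 Patch0347: hw-intc-arm_gicv3-Replace-mis-used-MEMTX_-constants-.patch
 Patch0348: hw-intc-arm_gicv3-Check-for-MEMTX_OK-instead-of-MEMT.patch
 Patch0349: net-colo-compare.c-Check-that-colo-compare-is-active.patch
+Patch0350: e1000-fail-early-for-evil-descriptor.patch
+Patch0351: e1000-fix-tx-re-entrancy-problem.patch
+Patch0352: hw-sd-sdcard-Restrict-Class-6-commands-to-SCSD-cards.patch
+Patch0353: hw-sd-sdcard-Simplify-realize-a-bit.patch
+Patch0354: hw-sd-sdcard-Do-not-allow-invalid-SD-card-sizes.patch
+Patch0355: hw-sd-sdcard-Update-coding-style-to-make-checkpatch..patch
+Patch0356: hw-sd-sdcard-Do-not-switch-to-ReceivingData-if-addre.patch
+Patch0357: scsi-qemu-pr-helper-Fix-out-of-bounds-access-to-trnp.patch
+Patch0358: curses-Fixes-curses-compiling-errors.patch
+Patch0359: net-dump.c-Suppress-spurious-compiler-warning.patch
+Patch0360: tests-Replace-deprecated-ASN1-code.patch
 BuildRequires: flex
 BuildRequires: bison
@@ -755,6 +766,19 @@ getent passwd qemu >/dev/null || \
 %endif
 %changelog
+* Mon May 30 2022 sundongxu <sundongxu3@huawei.com>
+- e1000: fail early for evil descriptor
+- e1000: fix tx re-entrancy problem
+- hw/sd/sdcard: Do not allow invalid SD card sizes
+- hw/sd/sdcard: Do not switch to ReceivingData if address is invalid
+- hw/sd/sdcard: Restrict Class 6 commands to SCSD cards
+- hw/sd/sdcard: Simplify realize() a bit
+- hw/sd/sdcard: Update coding style to make checkpatch.pl happy
+- scsi/qemu-pr-helper: Fix out-of-bounds access to trnptid_list[]
+- curses: Fixes curses compiling errors.
+- net/dump.c: Suppress spurious compiler warning
+- tests: Replace deprecated ASN1 code
 * Sat May 21 2022 yezengruan <yezengruan@huawei.com>
 - hw/intc/arm_gicv3_dist: Rename 64-bit accessors with 'q' suffix
 - hw/intc/arm_gicv3: Replace mis-used MEMTX_* constants by booleans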


@ -0,0 +1,95 @@
From 36a343cbba2752fab2995fd0d9848c192f0c9579 Mon Sep 17 00:00:00 2001
From: Christophe de Dinechin <dinechin@redhat.com>
Date: Fri, 28 Feb 2020 16:00:59 +0100
Subject: [PATCH 1/4] scsi/qemu-pr-helper: Fix out-of-bounds access to
trnptid_list[]
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Compile error reported by gcc 10.0.1:
scsi/qemu-pr-helper.c: In function multipath_pr_out:
scsi/qemu-pr-helper.c:523:32: error: array subscript <unknown> is outside array bounds of struct transportid *[0] [-Werror=array-bounds]
523 | paramp.trnptid_list[paramp.num_transportid++] = id;
| ~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from scsi/qemu-pr-helper.c:36:
/usr/include/mpath_persist.h:168:22: note: while referencing trnptid_list
168 | struct transportid *trnptid_list[];
| ^~~~~~~~~~~~
scsi/qemu-pr-helper.c:424:35: note: defined here paramp
424 | struct prout_param_descriptor paramp;
| ^~~~~~
This highlights an actual implementation issue in function multipath_pr_out.
The variable paramp is declared with type `struct prout_param_descriptor`,
which is a struct terminated by an empty array in mpath_persist.h:
struct transportid *trnptid_list[];
That empty array was filled with code that looked like that:
trnptid_list[paramp.descr.num_transportid++] = id;
This is an actual out-of-bounds access.
The fix is to malloc `paramp`.
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
scsi/qemu-pr-helper.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/scsi/qemu-pr-helper.c b/scsi/qemu-pr-helper.c
index a256ce490b..aa135df1f9 100644
--- a/scsi/qemu-pr-helper.c
+++ b/scsi/qemu-pr-helper.c
@@ -421,10 +421,13 @@ static int multipath_pr_out(int fd, const uint8_t *cdb, uint8_t *sense,
int rq_servact = cdb[1];
int rq_scope = cdb[2] >> 4;
int rq_type = cdb[2] & 0xf;
- struct prout_param_descriptor paramp;
+ g_autofree struct prout_param_descriptor *paramp = NULL;
char transportids[PR_HELPER_DATA_SIZE];
int r;
+ paramp = g_malloc0(sizeof(struct prout_param_descriptor)
+ + sizeof(struct transportid *) * MPATH_MX_TIDS);
+
if (sz < PR_OUT_FIXED_PARAM_SIZE) {
/* Illegal request, Parameter list length error. This isn't fatal;
* we have read the data, send an error without closing the socket.
@@ -454,10 +457,9 @@ static int multipath_pr_out(int fd, const uint8_t *cdb, uint8_t *sense,
* used by libmpathpersist (which, of course, will immediately
* do the opposite).
*/
- memset(&paramp, 0, sizeof(paramp));
- memcpy(&paramp.key, &param[0], 8);
- memcpy(&paramp.sa_key, &param[8], 8);
- paramp.sa_flags = param[20];
+ memcpy(&paramp->key, &param[0], 8);
+ memcpy(&paramp->sa_key, &param[8], 8);
+ paramp->sa_flags = param[20];
if (sz > PR_OUT_FIXED_PARAM_SIZE) {
size_t transportid_len;
int i, j;
@@ -520,12 +522,13 @@ static int multipath_pr_out(int fd, const uint8_t *cdb, uint8_t *sense,
return CHECK_CONDITION;
}
- paramp.trnptid_list[paramp.num_transportid++] = id;
+ assert(paramp->num_transportid < MPATH_MX_TIDS);
+ paramp->trnptid_list[paramp->num_transportid++] = id;
}
}
r = mpath_persistent_reserve_out(fd, rq_servact, rq_scope, rq_type,
- &paramp, noisy, verbose);
+ paramp, noisy, verbose);
return mpath_reconstruct_sense(fd, r, sense);
}
#endif
--
2.17.1
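Review bot: `assert(paramp->num_transportid < MPATH_MX_TIDS)` turns client-controlled input into an abort: the transport IDs are parsed from `param`, data the helper received over its socket, and unless the loop between the hunks (not shown) already caps its iterations at MPATH_MX_TIDS, an over-long parameter list crashes the privileged helper instead of being refused. The function already answers other malformed parameter lists with `return CHECK_CONDITION;` (visible just above the new line), so this case should do the same: `if (paramp->num_transportid >= MPATH_MX_TIDS) { /* build the same illegal-request sense the other rejection paths use */ return CHECK_CONDITION; }`. A comment on the allocation would also help the next reader: `/* trnptid_list is a flexible array member; reserve room for the maximum number of transport IDs up front */`. multipath_pr_out starts outside the hunk.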


@ -0,0 +1,98 @@
From d3918f6f22ad23b18f83eb446ee787d41ffd4631 Mon Sep 17 00:00:00 2001
From: Stefan Weil <sw@weilnetz.de>
Date: Thu, 28 Jan 2021 18:15:23 +0100
Subject: [PATCH 4/4] tests: Replace deprecated ASN1 code
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This fixes several compiler warnings on MacOS with Homebrew. The
git development branch for forthcoming libtasn1 4.17.0 has introduced
deprecation warnings for several macros/types that we use.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
tests/crypto-tls-x509-helpers.c | 10 +++++-----
tests/crypto-tls-x509-helpers.h | 2 +-
tests/pkix_asn1_tab.c | 2 +-
3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/tests/crypto-tls-x509-helpers.c b/tests/crypto-tls-x509-helpers.c
index 9b669c2a4b..5471434ca2 100644
--- a/tests/crypto-tls-x509-helpers.c
+++ b/tests/crypto-tls-x509-helpers.c
@@ -30,7 +30,7 @@
* This stores some static data that is needed when
* encoding extensions in the x509 certs
*/
-ASN1_TYPE pkix_asn1;
+asn1_node pkix_asn1;
/*
* To avoid consuming random entropy to generate keys,
@@ -118,7 +118,7 @@ void test_tls_cleanup(const char *keyfile)
/*
* Turns an ASN1 object into a DER encoded byte array
*/
-static void test_tls_der_encode(ASN1_TYPE src,
+static void test_tls_der_encode(asn1_node src,
const char *src_name,
gnutls_datum_t *res)
{
@@ -296,7 +296,7 @@ test_tls_generate_cert(QCryptoTLSTestCertReq *req,
* the 'critical' field which we want control over
*/
if (req->basicConstraintsEnable) {
- ASN1_TYPE ext = ASN1_TYPE_EMPTY;
+ asn1_node ext = NULL;
asn1_create_element(pkix_asn1, "PKIX1.BasicConstraints", &ext);
asn1_write_value(ext, "cA",
@@ -323,7 +323,7 @@ test_tls_generate_cert(QCryptoTLSTestCertReq *req,
* to be 'critical'
*/
if (req->keyUsageEnable) {
- ASN1_TYPE ext = ASN1_TYPE_EMPTY;
+ asn1_node ext = NULL;
char str[2];
str[0] = req->keyUsageValue & 0xff;
@@ -353,7 +353,7 @@ test_tls_generate_cert(QCryptoTLSTestCertReq *req,
* set this the hard way building up ASN1 data ourselves
*/
if (req->keyPurposeEnable) {
- ASN1_TYPE ext = ASN1_TYPE_EMPTY;
+ asn1_node ext = NULL;
asn1_create_element(pkix_asn1, "PKIX1.ExtKeyUsageSyntax", &ext);
if (req->keyPurposeOID1) {
diff --git a/tests/crypto-tls-x509-helpers.h b/tests/crypto-tls-x509-helpers.h
index 08efba4e19..8fcd7785ab 100644
--- a/tests/crypto-tls-x509-helpers.h
+++ b/tests/crypto-tls-x509-helpers.h
@@ -125,7 +125,7 @@ void test_tls_cleanup(const char *keyfile);
}; \
test_tls_generate_cert(&varname, NULL)
-extern const ASN1_ARRAY_TYPE pkix_asn1_tab[];
+extern const asn1_static_node pkix_asn1_tab[];
#endif /* QCRYPTO_HAVE_TLS_TEST_SUPPORT */
diff --git a/tests/pkix_asn1_tab.c b/tests/pkix_asn1_tab.c
index f15fc515cb..4aaf736d3f 100644
--- a/tests/pkix_asn1_tab.c
+++ b/tests/pkix_asn1_tab.c
@@ -8,7 +8,7 @@
#ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT
-const ASN1_ARRAY_TYPE pkix_asn1_tab[] = {
+const asn1_static_node pkix_asn1_tab[] = {
{"PKIX1", 536875024, 0},
{0, 1073741836, 0},
{"id-ce", 1879048204, 0},
--
2.17.1