!560 fix CVE-2021-20196/CVE-2021-4207/CVE-2021-4206 (openeuler !286)

From: @bobychen 
Reviewed-by: @yezengruan 
Signed-off-by: @yezengruan

display-qxl-render-fix-race-condition-in-qxl_cursor-.patch

@@ -0,0 +1,38 @@
+From 5b4d6c4605900ecc22135af5a904270931220a4f Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 7 Apr 2022 10:11:06 +0200
+Subject: [PATCH 4/5] display/qxl-render: fix race condition in qxl_cursor
+ (CVE-2021-4207)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Avoid fetching 'width' and 'height' a second time to prevent possible
+race condition. Refer to security advisory
+https://starlabs.sg/advisories/22-4207/ for more information.
+
+Fixes: CVE-2021-4207
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20220407081106.343235-1-mcascell@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/qxl-render.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+index 14ad2b352d..4a63c382f6 100644
+--- a/hw/display/qxl-render.c
++++ b/hw/display/qxl-render.c
+@@ -259,7 +259,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
+         }
+         break;
+     case SPICE_CURSOR_TYPE_ALPHA:
+-        size = sizeof(uint32_t) * cursor->header.width * cursor->header.height;
++        size = sizeof(uint32_t) * c->width * c->height;
+         qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id);
+         if (qxl->debug > 2) {
+             cursor_print_ascii_art(c, "qxl/alpha");
+-- 
+2.27.0
+

hw-block-fdc-Extract-blk_create_empty_drive.patch

@@ -0,0 +1,49 @@
+From b05a7125bab12a5610db47c9fd4f85d93a552a4e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 24 Nov 2021 17:15:34 +0100
+Subject: [PATCH 1/5] hw/block/fdc: Extract blk_create_empty_drive()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We are going to re-use this code in the next commit,
+so extract it as a new blk_create_empty_drive() function.
+
+Inspired-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20211124161536.631563-2-philmd@redhat.com
+Signed-off-by: John Snow <jsnow@redhat.com>
+---
+ hw/block/fdc.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index 9b24cb9b85..deea339d70 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -56,6 +56,12 @@
+     } while (0)
+ 
+ 
++/* Anonymous BlockBackend for empty drive */
++static BlockBackend *blk_create_empty_drive(void)
++{
++    return blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL);
++}
++
+ /********************************************************/
+ /* qdev floppy bus                                      */
+ 
+@@ -539,8 +545,7 @@ static void floppy_drive_realize(DeviceState *qdev, Error **errp)
+     }
+ 
+     if (!dev->conf.blk) {
+-        /* Anonymous BlockBackend for an empty drive */
+-        dev->conf.blk = blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL);
++        dev->conf.blk = blk_create_empty_drive();
+         ret = blk_attach_dev(dev->conf.blk, qdev);
+         assert(ret == 0);
+ 
+-- 
+2.27.0
+

hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch

@@ -0,0 +1,62 @@
+From c303ae575659493d747225f61430460dec809362 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 24 Nov 2021 17:15:35 +0100
+Subject: [PATCH 2/5] hw/block/fdc: Kludge missing floppy drive to fix
+ CVE-2021-20196
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guest might select another drive on the bus by setting the
+DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR).
+The current controller model doesn't expect a BlockBackend
+to be NULL. A simple way to fix CVE-2021-20196 is to create
+an empty BlockBackend when it is missing. All further
+accesses will be safely handled, and the controller state
+machines keep behaving correctly.
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2021-20196
+Reported-by: Gaoning Pan (Ant Security Light-Year Lab) <pgn@zju.edu.cn>
+Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20211124161536.631563-3-philmd@redhat.com
+BugLink: https://bugs.launchpad.net/qemu/+bug/1912780
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/338
+Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: John Snow <jsnow@redhat.com>
+---
+ hw/block/fdc.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index deea339d70..47b6939d44 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -1358,7 +1358,19 @@ static FDrive *get_drv(FDCtrl *fdctrl, int unit)
+ 
+ static FDrive *get_cur_drv(FDCtrl *fdctrl)
+ {
+-    return get_drv(fdctrl, fdctrl->cur_drv);
++    FDrive *cur_drv = get_drv(fdctrl, fdctrl->cur_drv);
++
++    if (!cur_drv->blk) {
++        /*
++         * Kludge: empty drive line selected. Create an anonymous
++         * BlockBackend to avoid NULL deref with various BlockBackend
++         * API calls within this model (CVE-2021-20196).
++         * Due to the controller QOM model limitations, we don't
++         * attach the created to the controller device.
++         */
++        cur_drv->blk = blk_create_empty_drive();
++    }
++    return cur_drv;
+ }
+ 
+ /* Status A register : 0x00 (read-only) */
+-- 
+2.27.0
+

qemu.spec

@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 66
+Release: 67
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@@ -350,6 +350,11 @@ Patch0337: pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch
 Patch0338: pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch
 Patch0339: vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch
 Patch0340: virtio-net-fix-map-leaking-on-error-during-receive.patch
+Patch0341: hw-block-fdc-Extract-blk_create_empty_drive.patch
+Patch0342: hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch
+Patch0343: tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch
+Patch0344: display-qxl-render-fix-race-condition-in-qxl_cursor-.patch
+Patch0345: ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch
 
 BuildRequires: flex
 BuildRequires: bison
@@ -746,6 +751,13 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Tue May 10 2022 yezengruan <yezengruan@huawei.com>
+- hw/block/fdc: Extract blk_create_empty_drive()
+- hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196
+- tests/fdc-test: Add a regression test for CVE-2021-20196
+- display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207)
+- ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)
+
 * Fri Apr 15 2022 yezengruan <yezengruan@huawei.com>
 - vhost-vsock: detach the virqueue element in case of error (CVE-2022-26354)
 - virtio-net: fix map leaking on error during receive (CVE-2022-26353)

tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch

@@ -0,0 +1,100 @@
+From 2d3c9124817d4f01a1d241359a784f29006f9cc1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 24 Nov 2021 17:15:36 +0100
+Subject: [PATCH 3/5] tests/fdc-test: Add a regression test for CVE-2021-20196
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Without the previous commit, when running 'make check-qtest-i386'
+with QEMU configured with '--enable-sanitizers' we get:
+
+  AddressSanitizer:DEADLYSIGNAL
+  =================================================================
+  ==287878==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000344
+  ==287878==The signal is caused by a WRITE memory access.
+  ==287878==Hint: address points to the zero page.
+      #0 0x564b2e5bac27 in blk_inc_in_flight block/block-backend.c:1346:5
+      #1 0x564b2e5bb228 in blk_pwritev_part block/block-backend.c:1317:5
+      #2 0x564b2e5bcd57 in blk_pwrite block/block-backend.c:1498:11
+      #3 0x564b2ca1cdd3 in fdctrl_write_data hw/block/fdc.c:2221:17
+      #4 0x564b2ca1b2f7 in fdctrl_write hw/block/fdc.c:829:9
+      #5 0x564b2dc49503 in portio_write softmmu/ioport.c:201:9
+
+Add the reproducer for CVE-2021-20196.
+
+Suggested-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20211124161536.631563-4-philmd@redhat.com
+Signed-off-by: John Snow <jsnow@redhat.com>
+---
+ tests/fdc-test.c | 38 ++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 38 insertions(+)
+
+diff --git a/tests/fdc-test.c b/tests/fdc-test.c
+index 31cd3295c1..644cafc060 100644
+--- a/tests/fdc-test.c
++++ b/tests/fdc-test.c
+@@ -32,6 +32,9 @@
+ /* TODO actually test the results and get rid of this */
+ #define qmp_discard_response(...) qobject_unref(qmp(__VA_ARGS__))
+ 
++#define DRIVE_FLOPPY_BLANK \
++    "-drive if=floppy,file=null-co://,file.read-zeroes=on,format=raw,size=1440k"
++
+ #define TEST_IMAGE_SIZE 1440 * 1024
+ 
+ #define FLOPPY_BASE 0x3f0
+@@ -546,6 +549,40 @@ static void fuzz_registers(void)
+     }
+ }
+ 
++static bool qtest_check_clang_sanitizer(void)
++{
++#if defined(__SANITIZE_ADDRESS__) || __has_feature(address_sanitizer)
++    return true;
++#else
++    g_test_skip("QEMU not configured using --enable-sanitizers");
++    return false;
++#endif
++}
++static void test_cve_2021_20196(void)
++{
++    QTestState *s;
++
++    if (!qtest_check_clang_sanitizer()) {
++        return;
++    }
++
++    s = qtest_initf("-nographic -m 32M -nodefaults " DRIVE_FLOPPY_BLANK);
++
++    qtest_outw(s, 0x3f4, 0x0500);
++    qtest_outb(s, 0x3f5, 0x00);
++    qtest_outb(s, 0x3f5, 0x00);
++    qtest_outw(s, 0x3f4, 0x0000);
++    qtest_outb(s, 0x3f5, 0x00);
++    qtest_outw(s, 0x3f1, 0x0400);
++    qtest_outw(s, 0x3f4, 0x0000);
++    qtest_outw(s, 0x3f4, 0x0000);
++    qtest_outb(s, 0x3f5, 0x00);
++    qtest_outb(s, 0x3f5, 0x01);
++    qtest_outw(s, 0x3f1, 0x0500);
++    qtest_outb(s, 0x3f5, 0x00);
++    qtest_quit(s);
++}
++
+ int main(int argc, char **argv)
+ {
+     int fd;
+@@ -576,6 +613,7 @@ int main(int argc, char **argv)
+     qtest_add_func("/fdc/read_no_dma_18", test_read_no_dma_18);
+     qtest_add_func("/fdc/read_no_dma_19", test_read_no_dma_19);
+     qtest_add_func("/fdc/fuzz-registers", fuzz_registers);
++    qtest_add_func("/fdc/fuzz/cve_2021_20196", test_cve_2021_20196);
+ 
+     ret = g_test_run();
+ 
+-- 
+2.27.0
+

ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch

@@ -0,0 +1,84 @@
+From 88e41fe7ae7e3344f075ae9b226c29c976adf0f4 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 7 Apr 2022 10:17:12 +0200
+Subject: [PATCH 5/5] ui/cursor: fix integer overflow in cursor_alloc
+ (CVE-2021-4206)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Prevent potential integer overflow by limiting 'width' and 'height' to
+512x512. Also change 'datasize' type to size_t. Refer to security
+advisory https://starlabs.sg/advisories/22-4206/ for more information.
+
+Fixes: CVE-2021-4206
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20220407081712.345609-1-mcascell@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/qxl-render.c | 7 +++++++
+ hw/display/vmware_vga.c | 2 ++
+ ui/cursor.c             | 8 +++++++-
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+index 4a63c382f6..bcef2a5fb0 100644
+--- a/hw/display/qxl-render.c
++++ b/hw/display/qxl-render.c
+@@ -240,6 +240,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
+     size_t size;
+ 
+     c = cursor_alloc(cursor->header.width, cursor->header.height);
++
++    if (!c) {
++        qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__,
++                cursor->header.width, cursor->header.height);
++        goto fail;
++    }
++
+     c->hot_x = cursor->header.hot_spot_x;
+     c->hot_y = cursor->header.hot_spot_y;
+     switch (cursor->header.type) {
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index 249a179bf6..1c977cedf7 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -507,6 +507,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
+     int i, pixels;
+ 
+     qc = cursor_alloc(c->width, c->height);
++    assert(qc != NULL);
++
+     qc->hot_x = c->hot_x;
+     qc->hot_y = c->hot_y;
+     switch (c->bpp) {
+diff --git a/ui/cursor.c b/ui/cursor.c
+index 1d62ddd4d0..835f0802f9 100644
+--- a/ui/cursor.c
++++ b/ui/cursor.c
+@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[])
+ 
+     /* parse pixel data */
+     c = cursor_alloc(width, height);
++    assert(c != NULL);
++
+     for (pixel = 0, y = 0; y < height; y++, line++) {
+         for (x = 0; x < height; x++, pixel++) {
+             idx = xpm[line][x];
+@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void)
+ QEMUCursor *cursor_alloc(int width, int height)
+ {
+     QEMUCursor *c;
+-    int datasize = width * height * sizeof(uint32_t);
++    size_t datasize = width * height * sizeof(uint32_t);
++
++    if (width > 512 || height > 512) {
++        return NULL;
++    }
+ 
+     c = g_malloc0(sizeof(QEMUCursor) + datasize);
+     c->width  = width;
+-- 
+2.27.0
+