'Re: [OE-core][dunfell][PATCH v2] qemu: fix CVE-2021-20196 block fdc null pointer dereference may lea'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openembedded-core
Subject:    Re: [OE-core][dunfell][PATCH v2] qemu: fix CVE-2021-20196 block fdc null pointer dereference may lea
From:       "Denys Dmytriyenko" <denis () denix ! org>
Date:       2022-11-29 15:42:11
Message-ID: 20221129154211.GR22689 () denix ! org
[Download RAW message or body]

On Tue, Nov 29, 2022 at 04:56:08AM -1000, Steve Sakoman wrote:
> On Tue, Nov 29, 2022 at 1:08 AM vkumbhar <vkumbhar@mvista.com> wrote:
> > 
> > From: Vivek Kumbhar <vkumbhar@mvista.com>
> > 
> > Upstream-Status: Backport \
> > [https://gitlab.com/qemu-project/qemu/-/commit/1ab95af033a419e7a64e2d58e67dd96b20af5233]
> > 

Plus Upstream-Status is not needed here ^^^, only down there in the patch file \
itself.


> > Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
> > ---
> > meta/recipes-devtools/qemu/qemu.inc           |  1 +
> > .../qemu/qemu/CVE-2021-20196.patch            | 62 +++++++++++++++++++
> > 2 files changed, 63 insertions(+)
> > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch
> > 
> > diff --git a/meta/recipes-devtools/qemu/qemu.inc \
> > b/meta/recipes-devtools/qemu/qemu.inc index 764f948a28..a915b54c1a 100644
> > --- a/meta/recipes-devtools/qemu/qemu.inc
> > +++ b/meta/recipes-devtools/qemu/qemu.inc
> > @@ -113,6 +113,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
> > file://CVE-2022-0216-2.patch \
> > file://CVE-2021-3750.patch \
> > file://CVE-2021-3638.patch \
> > +          file://CVE-2021-20196.patch \
> > "
> > UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
> > 
> > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch \
> > b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch new file mode 100644
> > index 0000000000..24da80e7db
> > --- /dev/null
> > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch
> > @@ -0,0 +1,62 @@
> > +From 94608c59045791dfd35102bc59b792e96f2cfa30 Mon Sep 17 00:00:00 2001
> > +From: Vivek Kumbhar <vkumbhar@mvista.com>
> > +Date: Tue, 29 Nov 2022 15:57:13 +0530
> > +Subject: [PATCH] CVE-2021-20196
> > +
> > +Upstream-Status: \
> > https://gitlab.com/qemu-project/qemu/-/commit/1ab95af033a419e7a64e2d58e67dd96b20af5233
> > 
> 
> This should be: Upstream-Status: Backport
> [https://gitlab.com/qemu-project/qemu/-/commit/1ab95af033a419e7a64e2d58e67dd96b20af5233]
>  
> I've fixed it, so no need for a v2.
> 
> Steve
> 
> > +CVE: CVE-2021-20196
> > +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
> > +
> > +hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196
> > +
> > +Guest might select another drive on the bus by setting the
> > +DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR).
> > +The current controller model doesn't expect a BlockBackend
> > +to be NULL. A simple way to fix CVE-2021-20196 is to create
> > +an empty BlockBackend when it is missing. All further
> > +accesses will be safely handled, and the controller state
> > +machines keep behaving correctly.
> > +---
> > + hw/block/fdc.c | 19 ++++++++++++++++++-
> > + 1 file changed, 18 insertions(+), 1 deletion(-)
> > +
> > +diff --git a/hw/block/fdc.c b/hw/block/fdc.c
> > +index ac5d31e8..e128e975 100644
> > +--- a/hw/block/fdc.c
> > ++++ b/hw/block/fdc.c
> > +@@ -58,6 +58,11 @@
> > +         }                                                       \
> > +     } while (0)
> > +
> > ++/* Anonymous BlockBackend for empty drive */
> > ++static BlockBackend *blk_create_empty_drive(void)
> > ++{
> > ++    return blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL);
> > ++}
> > +
> > + /********************************************************/
> > + /* qdev floppy bus                                      */
> > +@@ -1356,7 +1361,19 @@ static FDrive *get_drv(FDCtrl *fdctrl, int unit)
> > +
> > + static FDrive *get_cur_drv(FDCtrl *fdctrl)
> > + {
> > +-    return get_drv(fdctrl, fdctrl->cur_drv);
> > ++    FDrive *cur_drv = get_drv(fdctrl, fdctrl->cur_drv);
> > ++
> > ++    if (!cur_drv->blk) {
> > ++        /*
> > ++         * Kludge: empty drive line selected. Create an anonymous
> > ++         * BlockBackend to avoid NULL deref with various BlockBackend
> > ++         * API calls within this model (CVE-2021-20196).
> > ++         * Due to the controller QOM model limitations, we don't
> > ++         * attach the created to the controller device.
> > ++         */
> > ++        cur_drv->blk = blk_create_empty_drive();
> > ++    }
> > ++    return cur_drv;
> > + }
> > +
> > + /* Status A register : 0x00 (read-only) */
> > +--
> > +2.25.1
> > +
> > --
> > 2.25.1
> > 
> > 
> > 
> > 



-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#173978): https://lists.openembedded.org/g/openembedded-core/message/173978
Mute This Topic: https://lists.openembedded.org/mt/95331908/4454766
Group Owner: openembedded-core+owner@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [openembedded-core@marc.info]
-=-=-=-=-=-=-=-=-=-=-=-



[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic