poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch - openbmc/openbmc - Gitiles

 From 3e8601ec707dcbc3c768f7733d016dc70c947e4a Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
 Date: Thu, 18 Nov 2021 12:57:33 +0100
 Subject: [PATCH 2/2] tests/qtest/fdc-test: Add a regression test for
  CVE-2021-3507
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

 Add the reproducer from https://gitlab.com/qemu-project/qemu/-/issues/339

 Without the previous commit, when running 'make check-qtest-i386'
 with QEMU configured with '--enable-sanitizers' we get:

   ==4028352==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000062a00 at pc 0x5626d03c491a bp 0x7ffdb4199410 sp 0x7ffdb4198bc0
   READ of size 786432 at 0x619000062a00 thread T0
       #0 0x5626d03c4919 in __asan_memcpy (qemu-system-i386+0x1e65919)
       #1 0x5626d1c023cc in flatview_write_continue softmmu/physmem.c:2787:13
       #2 0x5626d1bf0c0f in flatview_write softmmu/physmem.c:2822:14
       #3 0x5626d1bf0798 in address_space_write softmmu/physmem.c:2914:18
       #4 0x5626d1bf0f37 in address_space_rw softmmu/physmem.c:2924:16
       #5 0x5626d1bf14c8 in cpu_physical_memory_rw softmmu/physmem.c:2933:5
       #6 0x5626d0bd5649 in cpu_physical_memory_write include/exec/cpu-common.h:82:5
       #7 0x5626d0bd0a07 in i8257_dma_write_memory hw/dma/i8257.c:452:9
       #8 0x5626d09f825d in fdctrl_transfer_handler hw/block/fdc.c:1616:13
       #9 0x5626d0a048b4 in fdctrl_start_transfer hw/block/fdc.c:1539:13
       #10 0x5626d09f4c3e in fdctrl_write_data hw/block/fdc.c:2266:13
       #11 0x5626d09f22f7 in fdctrl_write hw/block/fdc.c:829:9
       #12 0x5626d1c20bc5 in portio_write softmmu/ioport.c:207:17

   0x619000062a00 is located 0 bytes to the right of 512-byte region [0x619000062800,0x619000062a00)
   allocated by thread T0 here:
       #0 0x5626d03c66ec in posix_memalign (qemu-system-i386+0x1e676ec)
       #1 0x5626d2b988d4 in qemu_try_memalign util/oslib-posix.c:210:11
       #2 0x5626d2b98b0c in qemu_memalign util/oslib-posix.c:226:27
       #3 0x5626d09fbaf0 in fdctrl_realize_common hw/block/fdc.c:2341:20
       #4 0x5626d0a150ed in isabus_fdc_realize hw/block/fdc-isa.c:113:5
       #5 0x5626d2367935 in device_set_realized hw/core/qdev.c:531:13

   SUMMARY: AddressSanitizer: heap-buffer-overflow (qemu-system-i386+0x1e65919) in __asan_memcpy
   Shadow bytes around the buggy address:
     0x0c32800044f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
     0x0c3280004500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     0x0c3280004510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     0x0c3280004520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     0x0c3280004530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   =>0x0c3280004540:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
     0x0c3280004550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
     0x0c3280004560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
     0x0c3280004570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
     0x0c3280004580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
     0x0c3280004590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
   Shadow byte legend (one shadow byte represents 8 application bytes):
     Addressable:           00
     Heap left redzone:       fa
     Freed heap region:       fd
   ==4028352==ABORTING

 [ kwolf: Added snapshot=on to prevent write file lock failure ]

 Reported-by: Alexander Bulekov <alxndr@bu.edu>
 Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
 Signed-off-by: Kevin Wolf <kwolf@redhat.com>

 Upstream-Status: Backport [46609b90d9e3a6304def11038a76b58ff43f77bc]
 CVE: CVE-2021-3507

 Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
 ---
  tests/qtest/fdc-test.c | 21 +++++++++++++++++++++
  1 file changed, 21 insertions(+)

 diff --git a/tests/qtest/fdc-test.c b/tests/qtest/fdc-test.c
 index b0d40012e..1d4f85212 100644
 --- a/tests/qtest/fdc-test.c
 +++ b/tests/qtest/fdc-test.c
 @@ -583,6 +583,26 @@ static void test_cve_2021_20196(void)
      qtest_quit(s);
  }

 +static void test_cve_2021_3507(void)
 +{
 +    QTestState *s;
 +
 +    s = qtest_initf("-nographic -m 32M -nodefaults "
 +                    "-drive file=%s,format=raw,if=floppy,snapshot=on",
 +                    test_image);
 +    qtest_outl(s, 0x9, 0x0a0206);
 +    qtest_outw(s, 0x3f4, 0x1600);
 +    qtest_outw(s, 0x3f4, 0x0000);
 +    qtest_outw(s, 0x3f4, 0x0000);
 +    qtest_outw(s, 0x3f4, 0x0000);
 +    qtest_outw(s, 0x3f4, 0x0200);
 +    qtest_outw(s, 0x3f4, 0x0200);
 +    qtest_outw(s, 0x3f4, 0x0000);
 +    qtest_outw(s, 0x3f4, 0x0000);
 +    qtest_outw(s, 0x3f4, 0x0000);
 +    qtest_quit(s);
 +}
 +
  int main(int argc, char **argv)
  {
      int fd;
 @@ -614,6 +634,7 @@ int main(int argc, char **argv)
      qtest_add_func("/fdc/read_no_dma_19", test_read_no_dma_19);
      qtest_add_func("/fdc/fuzz-registers", fuzz_registers);
      qtest_add_func("/fdc/fuzz/cve_2021_20196", test_cve_2021_20196);
 +    qtest_add_func("/fdc/fuzz/cve_2021_3507", test_cve_2021_3507);

      ret = g_test_run();

 --
 2.33.0
	From 3e8601ec707dcbc3c768f7733d016dc70c947e4a Mon Sep 17 00:00:00 2001
	From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
	Date: Thu, 18 Nov 2021 12:57:33 +0100
	Subject: [PATCH 2/2] tests/qtest/fdc-test: Add a regression test for
	CVE-2021-3507
	MIME-Version: 1.0
	Content-Type: text/plain; charset=UTF-8
	Content-Transfer-Encoding: 8bit

	Add the reproducer from https://gitlab.com/qemu-project/qemu/-/issues/339

	Without the previous commit, when running 'make check-qtest-i386'
	with QEMU configured with '--enable-sanitizers' we get:

	==4028352==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000062a00 at pc 0x5626d03c491a bp 0x7ffdb4199410 sp 0x7ffdb4198bc0
	READ of size 786432 at 0x619000062a00 thread T0
	#0 0x5626d03c4919 in __asan_memcpy (qemu-system-i386+0x1e65919)
	#1 0x5626d1c023cc in flatview_write_continue softmmu/physmem.c:2787:13
	#2 0x5626d1bf0c0f in flatview_write softmmu/physmem.c:2822:14
	#3 0x5626d1bf0798 in address_space_write softmmu/physmem.c:2914:18
	#4 0x5626d1bf0f37 in address_space_rw softmmu/physmem.c:2924:16
	#5 0x5626d1bf14c8 in cpu_physical_memory_rw softmmu/physmem.c:2933:5
	#6 0x5626d0bd5649 in cpu_physical_memory_write include/exec/cpu-common.h:82:5
	#7 0x5626d0bd0a07 in i8257_dma_write_memory hw/dma/i8257.c:452:9
	#8 0x5626d09f825d in fdctrl_transfer_handler hw/block/fdc.c:1616:13
	#9 0x5626d0a048b4 in fdctrl_start_transfer hw/block/fdc.c:1539:13
	#10 0x5626d09f4c3e in fdctrl_write_data hw/block/fdc.c:2266:13
	#11 0x5626d09f22f7 in fdctrl_write hw/block/fdc.c:829:9
	#12 0x5626d1c20bc5 in portio_write softmmu/ioport.c:207:17

	0x619000062a00 is located 0 bytes to the right of 512-byte region [0x619000062800,0x619000062a00)
	allocated by thread T0 here:
	#0 0x5626d03c66ec in posix_memalign (qemu-system-i386+0x1e676ec)
	#1 0x5626d2b988d4 in qemu_try_memalign util/oslib-posix.c:210:11
	#2 0x5626d2b98b0c in qemu_memalign util/oslib-posix.c:226:27
	#3 0x5626d09fbaf0 in fdctrl_realize_common hw/block/fdc.c:2341:20
	#4 0x5626d0a150ed in isabus_fdc_realize hw/block/fdc-isa.c:113:5
	#5 0x5626d2367935 in device_set_realized hw/core/qdev.c:531:13

	SUMMARY: AddressSanitizer: heap-buffer-overflow (qemu-system-i386+0x1e65919) in __asan_memcpy
	Shadow bytes around the buggy address:
	0x0c32800044f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
	0x0c3280004500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	0x0c3280004510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	0x0c3280004520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	0x0c3280004530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	=>0x0c3280004540:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
	0x0c3280004550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
	0x0c3280004560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
	0x0c3280004570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
	0x0c3280004580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
	0x0c3280004590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
	Shadow byte legend (one shadow byte represents 8 application bytes):
	Addressable: 00
	Heap left redzone: fa
	Freed heap region: fd
	==4028352==ABORTING

	[ kwolf: Added snapshot=on to prevent write file lock failure ]

	Reported-by: Alexander Bulekov <alxndr@bu.edu>
	Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
	Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
	Signed-off-by: Kevin Wolf <kwolf@redhat.com>

	Upstream-Status: Backport [46609b90d9e3a6304def11038a76b58ff43f77bc]
	CVE: CVE-2021-3507

	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
	---
	tests/qtest/fdc-test.c \| 21 +++++++++++++++++++++
	1 file changed, 21 insertions(+)

	diff --git a/tests/qtest/fdc-test.c b/tests/qtest/fdc-test.c
	index b0d40012e..1d4f85212 100644
	--- a/tests/qtest/fdc-test.c
	+++ b/tests/qtest/fdc-test.c
	@@ -583,6 +583,26 @@ static void test_cve_2021_20196(void)
	qtest_quit(s);
	}

	+static void test_cve_2021_3507(void)
	+{
	+ QTestState *s;
	+
	+ s = qtest_initf("-nographic -m 32M -nodefaults "
	+ "-drive file=%s,format=raw,if=floppy,snapshot=on",
	+ test_image);
	+ qtest_outl(s, 0x9, 0x0a0206);
	+ qtest_outw(s, 0x3f4, 0x1600);
	+ qtest_outw(s, 0x3f4, 0x0000);
	+ qtest_outw(s, 0x3f4, 0x0000);
	+ qtest_outw(s, 0x3f4, 0x0000);
	+ qtest_outw(s, 0x3f4, 0x0200);
	+ qtest_outw(s, 0x3f4, 0x0200);
	+ qtest_outw(s, 0x3f4, 0x0000);
	+ qtest_outw(s, 0x3f4, 0x0000);
	+ qtest_outw(s, 0x3f4, 0x0000);
	+ qtest_quit(s);
	+}
	+
	int main(int argc, char **argv)
	{
	int fd;
	@@ -614,6 +634,7 @@ int main(int argc, char **argv)
	qtest_add_func("/fdc/read_no_dma_19", test_read_no_dma_19);
	qtest_add_func("/fdc/fuzz-registers", fuzz_registers);
	qtest_add_func("/fdc/fuzz/cve_2021_20196", test_cve_2021_20196);
	+ qtest_add_func("/fdc/fuzz/cve_2021_3507", test_cve_2021_3507);

	ret = g_test_run();

	--
	2.33.0