qemu-commits

[Qemu-commits] [qemu/qemu] b15479: hw/block/fdc: Extract blk_create_empt


From: Richard Henderson
Subject: [Qemu-commits] [qemu/qemu] b15479: hw/block/fdc: Extract blk_create_empty_drive()
Date: Thu, 02 Dec 2021 11:15:33 -0800

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: b154791e7b6d4ca5cdcd54443484d97360bd7ad2
      
https://github.com/qemu/qemu/commit/b154791e7b6d4ca5cdcd54443484d97360bd7ad2
  Author: Philippe Mathieu-Daudé <philmd@redhat.com>
  Date:   2021-12-02 (Thu, 02 Dec 2021)

  Changed paths:
    M hw/block/fdc.c

  Log Message:
  -----------
  hw/block/fdc: Extract blk_create_empty_drive()

We are going to re-use this code in the next commit,
so extract it as a new blk_create_empty_drive() function.

Inspired-by: Hanna Reitz <hreitz@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20211124161536.631563-2-philmd@redhat.com
Signed-off-by: John Snow <jsnow@redhat.com>


  Commit: 1ab95af033a419e7a64e2d58e67dd96b20af5233
      
https://github.com/qemu/qemu/commit/1ab95af033a419e7a64e2d58e67dd96b20af5233
  Author: Philippe Mathieu-Daudé <philmd@redhat.com>
  Date:   2021-12-02 (Thu, 02 Dec 2021)

  Changed paths:
    M hw/block/fdc.c

  Log Message:
  -----------
  hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196

Guest might select another drive on the bus by setting the
DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR).
The current controller model doesn't expect a BlockBackend
to be NULL. A simple way to fix CVE-2021-20196 is to create
an empty BlockBackend when it is missing. All further
accesses will be safely handled, and the controller state
machines keep behaving correctly.

Cc: qemu-stable@nongnu.org
Fixes: CVE-2021-20196
Reported-by: Gaoning Pan (Ant Security Light-Year Lab) <pgn@zju.edu.cn>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Hanna Reitz <hreitz@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20211124161536.631563-3-philmd@redhat.com
BugLink: https://bugs.launchpad.net/qemu/+bug/1912780
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/338
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Hanna Reitz <hreitz@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: John Snow <jsnow@redhat.com>


  Commit: cc20926e9b8077bff6813efc8dcdeae90d1a3b10
      
https://github.com/qemu/qemu/commit/cc20926e9b8077bff6813efc8dcdeae90d1a3b10
  Author: Philippe Mathieu-Daudé <philmd@redhat.com>
  Date:   2021-12-02 (Thu, 02 Dec 2021)

  Changed paths:
    M tests/qtest/fdc-test.c

  Log Message:
  -----------
  tests/qtest/fdc-test: Add a regression test for CVE-2021-20196

Without the previous commit, when running 'make check-qtest-i386'
with QEMU configured with '--enable-sanitizers' we get:

  AddressSanitizer:DEADLYSIGNAL
  =================================================================
  ==287878==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000344
  ==287878==The signal is caused by a WRITE memory access.
  ==287878==Hint: address points to the zero page.
      #0 0x564b2e5bac27 in blk_inc_in_flight block/block-backend.c:1346:5
      #1 0x564b2e5bb228 in blk_pwritev_part block/block-backend.c:1317:5
      #2 0x564b2e5bcd57 in blk_pwrite block/block-backend.c:1498:11
      #3 0x564b2ca1cdd3 in fdctrl_write_data hw/block/fdc.c:2221:17
      #4 0x564b2ca1b2f7 in fdctrl_write hw/block/fdc.c:829:9
      #5 0x564b2dc49503 in portio_write softmmu/ioport.c:201:9

Add the reproducer for CVE-2021-20196.

Suggested-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20211124161536.631563-4-philmd@redhat.com
Signed-off-by: John Snow <jsnow@redhat.com>

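The following is an added C illustration, not code from these commits or from the qemu project: a toy floppy-controller model of the failure mode the second commit describes (a guest-selected drive slot whose block backend is NULL, dereferenced at the blk_inc_in_flight site the third commit's sanitizer trace shows) with the empty-backend kludge applied at realize time. Every toy_* identifier, DOR_SEL_MASK, TOY_NULL_BACKEND, the fallback-to-drive-0 behaviour and the assumption that DRIVE_SEL occupies DOR bits 0-1 are mine, not the controller model's.

```c
/* Added illustration, not QEMU source: a toy floppy-controller model of the
 * failure the two fdc commits above describe (guest selects a drive slot whose
 * block backend is NULL) and of the "empty backend" kludge that fixes it. All
 * toy_* names are hypothetical; DRIVE_SEL is assumed to be DOR bits 0-1. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FD           2
#define DOR_SEL_MASK     0x03   /* assumed DRIVE_SEL field of the DOR */
#define TOY_NULL_BACKEND 1      /* scenario result: real model would fault */

/* Stand-in for a block backend. data == NULL models an empty backend
 * (no medium): I/O on it fails with -ENOMEDIUM instead of faulting. */
typedef struct toy_blk {
    uint8_t *data;
    size_t size;
    unsigned in_flight;
} toy_blk;

typedef struct toy_fdctrl {
    toy_blk *drives[MAX_FD];    /* NULL where no drive was attached */
    unsigned cur_drv;
} toy_fdctrl;

/* Mirrors the crash site in the sanitizer trace: the backend pointer is
 * dereferenced unconditionally, so a NULL blk faults on in_flight++. */
static int toy_blk_pwrite(toy_blk *blk, size_t off, const void *buf, size_t len)
{
    int ret;
    blk->in_flight++;
    if (blk->data == NULL || off > blk->size || len > blk->size - off) {
        ret = -ENOMEDIUM;       /* empty backend: refuse cleanly */
    } else {
        memcpy(blk->data + off, buf, len);
        ret = 0;
    }
    blk->in_flight--;
    return ret;
}

/* Guest write to the Digital Output Register picks the current drive.
 * Out-of-range units fall back to drive 0 (an assumption of this model). */
static void toy_dor_write(toy_fdctrl *c, uint8_t val)
{
    unsigned unit = val & DOR_SEL_MASK;
    c->cur_drv = unit < MAX_FD ? unit : 0;
}

/* Data-port write path with no NULL check, as in the pre-fix model: safety
 * has to come from never leaving a drive slot NULL. */
static int toy_write_data(toy_fdctrl *c, const void *buf, size_t len)
{
    return toy_blk_pwrite(c->drives[c->cur_drv], 0, buf, len);
}

/* The fix pattern: give every backend-less slot an empty backend at realize. */
static toy_blk *toy_blk_create_empty(void)
{
    return calloc(1, sizeof(toy_blk));
}

static void toy_fdctrl_realize(toy_fdctrl *c)
{
    for (unsigned i = 0; i < MAX_FD; i++) {
        if (c->drives[i] == NULL) {
            c->drives[i] = toy_blk_create_empty();
        }
    }
}

/* Scenario: a 512-byte image on drive 0 only; the guest selects the drive
 * named by dor_val and writes one byte. Returns TOY_NULL_BACKEND where the
 * real model would have faulted, otherwise the pwrite result. */
static int toy_scenario(int apply_fix, uint8_t dor_val)
{
    uint8_t image[512] = { 0 };
    toy_blk drive0 = { image, sizeof(image), 0 };
    toy_fdctrl c = { { &drive0, NULL }, 0 };
    int ret;
    if (apply_fix) {
        toy_fdctrl_realize(&c);
    }
    toy_dor_write(&c, dor_val);
    if (c.drives[c.cur_drv] == NULL) {
        ret = TOY_NULL_BACKEND; /* stop short of the NULL dereference */
    } else {
        ret = toy_write_data(&c, "\xAA", 1);
    }
    for (unsigned i = 0; i < MAX_FD; i++) {
        if (c.drives[i] != &drive0) {
            free(c.drives[i]);  /* backends created by realize; free(NULL) ok */
        }
    }
    return ret;
}
```

toy_scenario(0, 0x01) reproduces the pre-fix state: DRIVE_SEL picks the unattached slot and the data-port write would dereference NULL. toy_scenario(1, 0x01) shows the kludge: the same guest action reaches a valid empty backend, the write returns -ENOMEDIUM, and the controller state stays consistent. Writes through drive 0 succeed in both configurations, which is the property the regression test in the third commit is there to keep.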

  Commit: a69254a2b320e31d3aa63ca910b7aa02efcd5492
      
https://github.com/qemu/qemu/commit/a69254a2b320e31d3aa63ca910b7aa02efcd5492
  Author: Richard Henderson <richard.henderson@linaro.org>
  Date:   2021-12-02 (Thu, 02 Dec 2021)

  Changed paths:
    M hw/block/fdc.c
    M tests/qtest/fdc-test.c

  Log Message:
  -----------
  Merge tag 'ide-pull-request' of https://gitlab.com/jsnow/qemu into staging

Pull request

# gpg: Signature made Wed 01 Dec 2021 10:17:38 PM PST
# gpg:                using RSA key F9B7ABDBBCACDF95BE76CBD07DEF8106AAFC390E
# gpg: Good signature from "John Snow (John Huston) <jsnow@redhat.com>" [full]

* tag 'ide-pull-request' of https://gitlab.com/jsnow/qemu:
  tests/qtest/fdc-test: Add a regression test for CVE-2021-20196
  hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196
  hw/block/fdc: Extract blk_create_empty_drive()

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>


Compare: https://github.com/qemu/qemu/compare/682aa69b1f4d...a69254a2b320


