qemu-commits

[Qemu-commits] [qemu/qemu] 8a13fe: memory: Fix wrong end address dump


From: Paolo Bonzini
Subject: [Qemu-commits] [qemu/qemu] 8a13fe: memory: Fix wrong end address dump
Date: Tue, 08 Nov 2022 10:42:19 -0800

  Branch: refs/heads/staging
  Home:   https://github.com/qemu/qemu
  Commit: 8a13fecdfee813d2ee9e8b89a2b2b3313a384ed2
      
https://github.com/qemu/qemu/commit/8a13fecdfee813d2ee9e8b89a2b2b3313a384ed2
  Author: Zhenzhong Duan <zhenzhong.duan@intel.com>
  Date:   2022-11-08 (Tue, 08 Nov 2022)

  Changed paths:
    M softmmu/physmem.c

  Log Message:
  -----------
  memory: Fix wrong end address dump

The end address of a memory region section isn't correctly calculated,
which leads to an overflowed mtree dump:

  Dispatch
    Physical sections
      ......
      #70 @0000000000002000..0000000000011fff io [ROOT]
      #71 @0000000000005000..0000000000005fff (noname)
      #72 @0000000000005000..0000000000014fff io [ROOT]
      #73 @0000000000005658..0000000000005658 vmport
      #74 @0000000000005659..0000000000015658 io [ROOT]
      #75 @0000000000006000..0000000000015fff io [ROOT]

After fix:
      #70 @0000000000002000..0000000000004fff io [ROOT]
      #71 @0000000000005000..0000000000005fff (noname)
      #72 @0000000000005000..0000000000005657 io [ROOT]
      #73 @0000000000005658..0000000000005658 vmport
      #74 @0000000000005659..0000000000005fff io [ROOT]
      #75 @0000000000006000..000000000000ffff io [ROOT]

Fixes: 5e8fd947e2670 ("memory: Rework "info mtree" to print flat views and dispatch trees")
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-Id: <20220622095912.3430583-1-zhenzhong.duan@intel.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>


  Commit: 06f1ee6b1e27527a2d4ac9b651493d8b16b2a77d
      
https://github.com/qemu/qemu/commit/06f1ee6b1e27527a2d4ac9b651493d8b16b2a77d
  Author: Philippe Mathieu-Daudé <philmd@linaro.org>
  Date:   2022-11-08 (Tue, 08 Nov 2022)

  Changed paths:
    M hw/sd/sdhci.c

  Log Message:
  -----------
  hw/sd/sdhci: Do not set Buf Wr Ena before writing block (CVE-2022-3872)

When sdhci_write_block_to_card() is called to transfer data from
the FIFO to the SD bus, the data is already present in the buffer
and we have to consume it directly.

See the description of the 'Buffer Write Enable' bit from the
'Present State' register (prnsts::SDHC_SPACE_AVAILABLE) in Table
2.14 from the SDHCI spec v2:

  Buffer Write Enable

  This status is used for non-DMA write transfers.

  The Host Controller can implement multiple buffers to transfer
  data efficiently. This read only flag indicates if space is
  available for write data. If this bit is 1, data can be written
  to the buffer. A change of this bit from 1 to 0 occurs when all
  the block data is written to the buffer. A change of this bit
  from 0 to 1 occurs when top of block data can be written to the
  buffer and generates the Buffer Write Ready interrupt.

In our case, we do not want to overwrite the buffer, so we want
this bit to be 0, then set it to 1 once the data is written onto
the bus.

This is probably a copy/paste error from commit d7dfca0807
("hw/sdhci: introduce standard SD host controller").

OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45986#c4

Reproducers:

  $ cat << EOF | \
     qemu-system-x86_64 -nodefaults -display none -machine accel=qtest \
       -m 512M  -device sdhci-pci -device sd-card,drive=mydrive \
       -drive if=none,index=0,file=null-co://,format=raw,id=mydrive \
       -nographic -qtest stdio
  outl 0xcf8 0x80001010
  outl 0xcfc 0xe0000000
  outl 0xcf8 0x80001001
  outl 0xcfc 0x06000000
  write 0xe0000058 0x1 0x6e
  write 0xe0000059 0x1 0x5a
  write 0xe0000028 0x1 0x10
  write 0xe000002c 0x1 0x05
  write 0x5a6e 0x1 0x21
  write 0x5a75 0x1 0x20
  write 0xe0000005 0x1 0x02
  write 0xe000000c 0x1 0x01
  write 0xe000000e 0x1 0x20
  write 0xe000000f 0x1 0x00
  write 0xe000000c 0x1 0x00
  write 0xe0000020 0x1 0x00
  EOF

or https://lore.kernel.org/qemu-devel/CAA8xKjXrmS0fkr28AKvNNpyAtM0y0B+5FichpsrhD+mUgnuyKg@mail.gmail.com/

Fixes: CVE-2022-3872
Reported-by: RivenDell <XRivenDell@outlook.com>
Reported-by: Siqi Chen <coc.cyqh@gmail.com>
Reported-by: ningqiang <ningqiang1@huawei.com>
Reported-by: ClusterFuzz
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Mauro Matteo Cascella <mcascell@redhat.com>
Message-Id: <20221107221236.47841-2-philmd@linaro.org>


  Commit: cf9b3efd816518f9f210f50a0fa3e46a00b33c27
      
https://github.com/qemu/qemu/commit/cf9b3efd816518f9f210f50a0fa3e46a00b33c27
  Author: Daniel Henrique Barboza <danielhb413@gmail.com>
  Date:   2022-11-08 (Tue, 08 Nov 2022)

  Changed paths:
    M hw/block/pflash_cfi01.c
    M hw/block/pflash_cfi02.c

  Log Message:
  -----------
  Revert "hw/block/pflash_cfi: Error out if dev length isn't power of 2"

Commit 334c388f25 ("pflash_cfi: Error out if device length
isn't a power of two") aimed to finish the effort started by
commit 06f1521795 ("pflash: Require backend size to match device,
improve errors"), but unfortunately we are not quite there since
various machines are still ready to accept incomplete / oversized
pflash backend images, and now fail, i.e. on Debian bullseye:

 $ qemu-system-x86_64 \
   -drive \
   if=pflash,format=raw,unit=0,readonly=on,file=/usr/share/OVMF/OVMF_CODE.fd
 qemu-system-x86_64: Device size must be a power of two.

where OVMF_CODE.fd comes from the ovmf package, which doesn't
pad the firmware images to the flash size:

 $ ls -lh /usr/share/OVMF/
 -rw-r--r-- 1 root root 3.5M Aug 19  2021 OVMF_CODE_4M.fd
 -rw-r--r-- 1 root root 1.9M Aug 19  2021 OVMF_CODE.fd
 -rw-r--r-- 1 root root 128K Aug 19  2021 OVMF_VARS.fd

Since we entered the freeze period to prepare the v7.2.0 release,
the safest is to revert commit 334c388f25707a234c4a0dea05b9df08d.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1294
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-Id: <20221108175755.95141-1-philmd@linaro.org>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Message-Id: <20221108172633.860700-1-danielhb413@gmail.com>


  Commit: bc5add1dadcc140fef9af4fe215167e796cd1a58
      
https://github.com/qemu/qemu/commit/bc5add1dadcc140fef9af4fe215167e796cd1a58
  Author: Si-Wei Liu <si-wei.liu@oracle.com>
  Date:   2022-11-08 (Tue, 08 Nov 2022)

  Changed paths:
    M net/vhost-vdpa.c

  Log Message:
  -----------
  vhost-vdpa: fix assert !virtio_net_get_subqueue(nc)->async_tx.elem in virtio_net_reset

The cited commit has incorrect code in vhost_vdpa_receive() that returns
zero instead of the full packet size to the caller. This renders pending packets
unable to be freed, so they then get clogged in the tx queue forever. When the device
is being reset later on, the assertion failure below ensues:

0  0x00007f86d53bb387 in raise () from /lib64/libc.so.6
1  0x00007f86d53bca78 in abort () from /lib64/libc.so.6
2  0x00007f86d53b41a6 in __assert_fail_base () from /lib64/libc.so.6
3  0x00007f86d53b4252 in __assert_fail () from /lib64/libc.so.6
4  0x000055b8f6ff6fcc in virtio_net_reset (vdev=<optimized out>) at /usr/src/debug/qemu/hw/net/virtio-net.c:563
5  0x000055b8f7012fcf in virtio_reset (opaque=0x55b8faf881f0) at /usr/src/debug/qemu/hw/virtio/virtio.c:1993
6  0x000055b8f71f0086 in virtio_bus_reset (bus=bus@entry=0x55b8faf88178) at /usr/src/debug/qemu/hw/virtio/virtio-bus.c:102
7  0x000055b8f71f1620 in virtio_pci_reset (qdev=<optimized out>) at /usr/src/debug/qemu/hw/virtio/virtio-pci.c:1845
8  0x000055b8f6fafc6c in memory_region_write_accessor (mr=<optimized out>, addr=<optimized out>, value=<optimized out>, size=<optimized out>, shift=<optimized out>, mask=<optimized out>, attrs=...) at /usr/src/debug/qemu/memory.c:483
9  0x000055b8f6fadce9 in access_with_adjusted_size (addr=addr@entry=20, value=value@entry=0x7f867e7fb7e8, size=size@entry=1, access_size_min=<optimized out>, access_size_max=<optimized out>, access_fn=0x55b8f6fafc20 <memory_region_write_accessor>, mr=0x55b8faf80a50, attrs=...) at /usr/src/debug/qemu/memory.c:544
10 0x000055b8f6fb1d0b in memory_region_dispatch_write (mr=mr@entry=0x55b8faf80a50, addr=addr@entry=20, data=0, op=<optimized out>, attrs=attrs@entry=...) at /usr/src/debug/qemu/memory.c:1470
11 0x000055b8f6f62ada in flatview_write_continue (fv=fv@entry=0x7f86ac04cd20, addr=addr@entry=549755813908, attrs=..., attrs@entry=..., buf=buf@entry=0x7f86d0223028 <Address 0x7f86d0223028 out of bounds>, len=len@entry=1, addr1=20, l=1, mr=0x55b8faf80a50) at /usr/src/debug/qemu/exec.c:3266
12 0x000055b8f6f62c8f in flatview_write (fv=0x7f86ac04cd20, addr=549755813908, attrs=..., buf=0x7f86d0223028 <Address 0x7f86d0223028 out of bounds>, len=1) at /usr/src/debug/qemu/exec.c:3306
13 0x000055b8f6f674cb in address_space_write (as=<optimized out>, addr=<optimized out>, attrs=..., buf=<optimized out>, len=<optimized out>) at /usr/src/debug/qemu/exec.c:3396
14 0x000055b8f6f67575 in address_space_rw (as=<optimized out>, addr=<optimized out>, attrs=..., attrs@entry=..., buf=buf@entry=0x7f86d0223028 <Address 0x7f86d0223028 out of bounds>, len=<optimized out>, is_write=<optimized out>) at /usr/src/debug/qemu/exec.c:3406
15 0x000055b8f6fc1cc8 in kvm_cpu_exec (cpu=cpu@entry=0x55b8f9aa0e10) at /usr/src/debug/qemu/accel/kvm/kvm-all.c:2410
16 0x000055b8f6fa5f5e in qemu_kvm_cpu_thread_fn (arg=0x55b8f9aa0e10) at /usr/src/debug/qemu/cpus.c:1318
17 0x000055b8f7336e16 in qemu_thread_start (args=0x55b8f9ac8480) at /usr/src/debug/qemu/util/qemu-thread-posix.c:519
18 0x00007f86d575aea5 in start_thread () from /lib64/libpthread.so.0
19 0x00007f86d5483b2d in clone () from /lib64/libc.so.6

Make vhost_vdpa_receive() return the size passed in as is, so that the
caller qemu_deliver_packet_iov() would eventually propagate it back to
virtio_net_flush_tx() to release pending packets from the async_tx queue.
Which corresponds to the drop path where qemu_sendv_packet_async() returns
non-zero in virtio_net_flush_tx().

Fixes: 846a1e85da64 ("vdpa: Add dummy receive callback")
Cc: Eugenio Perez Martin <eperezma@redhat.com>
Signed-off-by: Si-Wei Liu <si-wei.liu@oracle.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221108041929.18417-2-jasowang@redhat.com>


  Commit: 5391ae9c4ec396c1930d6ea1ebc7c6951ce897ae
      
https://github.com/qemu/qemu/commit/5391ae9c4ec396c1930d6ea1ebc7c6951ce897ae
  Author: Stefan Hajnoczi <stefanha@redhat.com>
  Date:   2022-11-08 (Tue, 08 Nov 2022)

  Changed paths:
    M hw/block/pflash_cfi01.c
    M hw/block/pflash_cfi02.c
    M hw/sd/sdhci.c
    M softmmu/physmem.c

  Log Message:
  -----------
  Merge tag 'memflash-20221108' of https://github.com/philmd/qemu into staging

Memory/SDHCI/ParallelFlash patches queue

- Fix wrong end address dump in 'info mtree' (Zhenzhong Duan)
- Fix in SDHCI for CVE-2022-3872 (myself)
- Revert latest pflash check of underlying block size (Daniel
  Henrique Barboza & myself)

# gpg: Signature made Tue 08 Nov 2022 13:32:56 EST
# gpg:                using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full]
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD  6BB2 E3E3 2C2C DEAD C0DE

* tag 'memflash-20221108' of https://github.com/philmd/qemu:
  Revert "hw/block/pflash_cfi: Error out if dev length isn't power of 2"
  hw/sd/sdhci: Do not set Buf Wr Ena before writing block (CVE-2022-3872)
  memory: Fix wrong end address dump

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>


  Commit: b96b19d7b4d79d395bde5c8a9ba2a785e70f8d06
      
https://github.com/qemu/qemu/commit/b96b19d7b4d79d395bde5c8a9ba2a785e70f8d06
  Author: Stefan Hajnoczi <stefanha@redhat.com>
  Date:   2022-11-08 (Tue, 08 Nov 2022)

  Changed paths:
    M VERSION

  Log Message:
  -----------
  Update VERSION for v7.2.0-rc0

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>


Compare: https://github.com/qemu/qemu/compare/ade760a2f638...b96b19d7b4d7