From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Paolo Bonzini, Hanna Reitz, John Snow, Hervé Poussineau, Thomas Huth, Kevin Wolf, Alexander Bulekov, Prasad J Pandit, Laurent Vivier, qemu-block@nongnu.org, Darren Kenny, Philippe Mathieu-Daudé, qemu-stable@nongnu.org
Subject: [PATCH-for-6.2 1/2] hw/block/fdc: Prevent end-of-track overrun (CVE-2021-3507)
Date: Thu, 18 Nov 2021 12:57:32 +0100
Message-Id: <20211118115733.4038610-2-philmd@redhat.com>
In-Reply-To: <20211118115733.4038610-1-philmd@redhat.com>
References: <20211118115733.4038610-1-philmd@redhat.com>

Per the 82078 datasheet, if the end-of-track (EOT byte in the FIFO)
is more than the number of sectors per side, the command is terminated
unsuccessfully:

* 5.2.5 DATA TRANSFER TERMINATION

  The 82078 supports terminal count explicitly through the TC pin and
  implicitly through the underrun/overrun and end-of-track (EOT)
  functions. For full sector transfers, the EOT parameter can define
  the last sector to be transferred in a single or multisector
  transfer. If the last sector to be transferred is a partial sector,
  the host can stop transferring the data in mid-sector, and the 82078
  will continue to complete the sector as if a hardware TC was
  received. The only difference between these implicit functions and
  TC is that they return "abnormal termination" result status. Such
  status indications can be ignored if they were expected.

* 6.1.3 READ TRACK

  This command terminates when the EOT specified number of sectors
  have been read.
  If the 82078 does not find an ID Address Mark on the diskette after
  the second occurrence of a pulse on the INDX# pin, then it sets the
  IC code in Status Register 0 to "01" (Abnormal termination), sets
  the MA bit in Status Register 1 to "1", and terminates the command.

* 6.1.6 VERIFY

  Refer to Table 6-6 and Table 6-7 for information concerning the
  values of MT and EC versus SC and EOT value.

* Table 6-6. Result Phase Table

* Table 6-7. Verify Command Result Phase Table

Fix by aborting the transfer when EOT > # Sectors Per Side.

Cc: qemu-stable@nongnu.org
Cc: Hervé Poussineau
Fixes: baca51faff0 ("floppy driver: disk geometry auto detect")
Reported-by: Alexander Bulekov
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/339
Signed-off-by: Philippe Mathieu-Daudé
Acked-by: Jon Maloy
Reviewed-by: Hanna Reitz
---
 hw/block/fdc.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/hw/block/fdc.c b/hw/block/fdc.c
index fa933cd3263..d21b717b7d6 100644
--- a/hw/block/fdc.c
+++ b/hw/block/fdc.c
@@ -1512,6 +1512,14 @@ static void fdctrl_start_transfer(FDCtrl *fdctrl, in= t direction) int tmp; fdctrl->data_len =3D 128 << (fdctrl->fifo[5] > 7 ? 7 : fdctrl->fif= o[5]); tmp =3D (fdctrl->fifo[6] - ks + 1); + if (tmp < 0) { + FLOPPY_DPRINTF("invalid EOT: %d\n", tmp); + fdctrl_stop_transfer(fdctrl, FD_SR0_ABNTERM, FD_SR1_MA, 0x00); + fdctrl->fifo[3] =3D kt; + fdctrl->fifo[4] =3D kh; + fdctrl->fifo[5] =3D ks; + return; + } if (fdctrl->fifo[0] & 0x80) tmp +=3D fdctrl->fifo[6]; fdctrl->data_len *=3D tmp; --=20 2.31.1
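Review bot: the guard `if (tmp < 0)` in this hunk does not implement what the commit message states ("Fix by aborting the transfer when EOT > # Sectors Per Side"). `tmp = fdctrl->fifo[6] - ks + 1` is only negative when the EOT byte lies before the requested start sector minus one; an EOT larger than the drive's sectors per side still passes, and the `tmp == 0` case, which leaves `data_len *= tmp` at zero, is not diagnosed either. Either reword the message to describe the condition actually rejected (EOT before the start sector) or add a comparison of `fdctrl->fifo[6]` against the current geometry's sectors per track next to this check. Minor: `FLOPPY_DPRINTF("invalid EOT: %d\n", tmp)` prints the derived sector count rather than the EOT value; logging `fdctrl->fifo[6]` and `ks` as well would make the trace usable when this fires.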
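As an added illustration (example code written for this page, not QEMU's hw/block/fdc.c), the length arithmetic from the hunk above modelled on its own so the failure mode is visible: the unchecked form reproduces the `data_len * tmp` product and goes negative when the EOT byte lies before the start sector, the checked form applies the patch's `tmp < 0` guard and reports abnormal termination instead of handing a size to the DMA path. The function names (`fdc_model_*`) and the parameter sets in `main` are this example's own assumptions, not values taken from the page's reproducer.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not QEMU code. Models the transfer-length arithmetic
 * from fdctrl_start_transfer() as shown in patch 1/2. The command phase
 * leaves the parameter bytes in the FIFO; the ones that matter here are:
 *   fifo[0]  command byte, bit 7 = MT (multi-track)
 *   fifo[4]  R, the first sector to transfer (1-based)   -> ks
 *   fifo[5]  N, sector size code: 128 << N bytes (capped at N = 7)
 *   fifo[6]  EOT, the last sector to transfer
 * All four are guest-controlled.
 */

/* Unpatched arithmetic: the byte count that would reach the DMA engine.
 * With eot < r - 1 the sector count is negative and the product is a
 * negative int that later code treats as a transfer size. */
int fdc_model_data_len_unchecked(uint8_t cmd, uint8_t r, uint8_t n, uint8_t eot)
{
    int data_len = 128 << (n > 7 ? 7 : n);
    int tmp = eot - r + 1;      /* sectors from R to EOT, inclusive */
    if (cmd & 0x80) {           /* MT: the transfer continues on side 1 */
        tmp += eot;
    }
    return data_len * tmp;
}

/* Patched arithmetic, mirroring the hunk: a negative sector count is
 * refused before it is multiplied. Returns the byte count, or -1 where
 * the controller would report abnormal termination (ST0 ABNTERM, ST1 MA). */
int fdc_model_data_len_checked(uint8_t cmd, uint8_t r, uint8_t n, uint8_t eot)
{
    int data_len = 128 << (n > 7 ? 7 : n);
    int tmp = eot - r + 1;
    if (tmp < 0) {
        return -1;              /* stop the transfer, no DMA length produced */
    }
    if (cmd & 0x80) {
        tmp += eot;
    }
    return data_len * tmp;
}

int main(void)
{
    /* Constructed parameter sets for illustration (not the page's reproducer). */
    printf("READ  R=1 N=2 EOT=9  unchecked=%d\n",
           fdc_model_data_len_unchecked(0x06, 1, 2, 9));      /* 512 * 9 */
    printf("READ+MT R=1 N=2 EOT=18 unchecked=%d\n",
           fdc_model_data_len_unchecked(0x86, 1, 2, 18));     /* 512 * 36 */
    printf("READ  R=5 N=2 EOT=1  unchecked=%d\n",
           fdc_model_data_len_unchecked(0x06, 5, 2, 1));      /* negative */
    printf("READ  R=5 N=2 EOT=1  checked=%d (-1 = abnormal termination)\n",
           fdc_model_data_len_checked(0x06, 5, 2, 1));
    return 0;
}
```

The checked variant rejects only the negative case, exactly as the hunk does; an EOT beyond the real track length still yields a large positive product, which is why the commit message's wording and the guard should be reconciled.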
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Paolo Bonzini, Hanna Reitz, John Snow, Hervé Poussineau, Thomas Huth, Kevin Wolf, Alexander Bulekov, Prasad J Pandit, Laurent Vivier, qemu-block@nongnu.org, Darren Kenny, Philippe Mathieu-Daudé
Subject: [PATCH-for-6.2 2/2] tests/qtest/fdc-test: Add a regression test for CVE-2021-3507
Date: Thu, 18 Nov 2021 12:57:33 +0100
Message-Id: <20211118115733.4038610-3-philmd@redhat.com>
In-Reply-To: <20211118115733.4038610-1-philmd@redhat.com>
References: <20211118115733.4038610-1-philmd@redhat.com>

Add the reproducer from https://gitlab.com/qemu-project/qemu/-/issues/339

Without the previous commit, when running 'make check-qtest-i386'
with QEMU configured with '--enable-sanitizers' we get:

  ==4028352==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000062a00 at pc 0x5626d03c491a bp 0x7ffdb4199410 sp 0x7ffdb4198bc0
  READ of size 786432 at 0x619000062a00 thread T0
      #0 0x5626d03c4919 in __asan_memcpy (qemu-system-i386+0x1e65919)
      #1 0x5626d1c023cc in flatview_write_continue softmmu/physmem.c:2787:13
      #2 0x5626d1bf0c0f in flatview_write softmmu/physmem.c:2822:14
      #3 0x5626d1bf0798 in address_space_write softmmu/physmem.c:2914:18
      #4 0x5626d1bf0f37 in address_space_rw softmmu/physmem.c:2924:16
      #5 0x5626d1bf14c8 in cpu_physical_memory_rw softmmu/physmem.c:2933:5
      #6 0x5626d0bd5649 in cpu_physical_memory_write include/exec/cpu-common.h:82:5
      #7 0x5626d0bd0a07 in i8257_dma_write_memory hw/dma/i8257.c:452:9
      #8 0x5626d09f825d in fdctrl_transfer_handler hw/block/fdc.c:1616:13
      #9 0x5626d0a048b4 in fdctrl_start_transfer hw/block/fdc.c:1539:13
      #10 0x5626d09f4c3e in fdctrl_write_data hw/block/fdc.c:2266:13
      #11 0x5626d09f22f7 in fdctrl_write hw/block/fdc.c:829:9
      #12 0x5626d1c20bc5 in portio_write softmmu/ioport.c:207:17

  0x619000062a00 is located 0 bytes to the right of 512-byte region [0x619000062800,0x619000062a00)
  allocated by thread T0 here:
      #0 0x5626d03c66ec in posix_memalign (qemu-system-i386+0x1e676ec)
      #1 0x5626d2b988d4 in qemu_try_memalign util/oslib-posix.c:210:11
      #2 0x5626d2b98b0c in qemu_memalign util/oslib-posix.c:226:27
      #3 0x5626d09fbaf0 in fdctrl_realize_common hw/block/fdc.c:2341:20
      #4 0x5626d0a150ed in isabus_fdc_realize hw/block/fdc-isa.c:113:5
      #5 0x5626d2367935 in device_set_realized hw/core/qdev.c:531:13

  SUMMARY: AddressSanitizer: heap-buffer-overflow (qemu-system-i386+0x1e65919) in __asan_memcpy
  Shadow bytes around the buggy address:
    0x0c32800044f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c3280004500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c3280004510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c3280004520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c3280004530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  =>0x0c3280004540:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c3280004550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c3280004560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c3280004570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c3280004580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c3280004590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Heap left redzone:     fa
    Freed heap region:     fd
  ==4028352==ABORTING

Reported-by: Alexander Bulekov
Signed-off-by: Philippe Mathieu-Daudé
Acked-by: Jon Maloy
Reviewed-by: Alexander Bulekov
---
 tests/qtest/fdc-test.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/tests/qtest/fdc-test.c b/tests/qtest/fdc-test.c index 26b69f7c5cd..f164d972d10 100644 --- a/tests/qtest/fdc-test.c +++ b/tests/qtest/fdc-test.c @@ -546,6 +546,25 @@ static void fuzz_registers(void) } } =20 +static void test_cve_2021_3507(void) +{ + QTestState *s; + + s =3D qtest_initf("-nographic -m 32M -nodefaults " + "-drive file=3D%s,format=3Draw,if=3Dfloppy", test_imag= e); + qtest_outl(s, 0x9, 0x0a0206); + qtest_outw(s, 0x3f4, 0x1600); + qtest_outw(s, 0x3f4, 0x0000); + qtest_outw(s, 0x3f4, 0x0000); + qtest_outw(s, 0x3f4, 0x0000); + qtest_outw(s, 0x3f4, 0x0200); + qtest_outw(s, 0x3f4, 0x0200); + qtest_outw(s, 0x3f4, 0x0000); + qtest_outw(s, 0x3f4, 0x0000); + qtest_outw(s, 0x3f4, 0x0000); + qtest_quit(s); +} + int main(int argc, char **argv) { int fd; @@ -576,6 +595,7 @@ int main(int argc, char **argv) qtest_add_func("/fdc/read_no_dma_18", test_read_no_dma_18); qtest_add_func("/fdc/read_no_dma_19", test_read_no_dma_19); qtest_add_func("/fdc/fuzz-registers", fuzz_registers); + qtest_add_func("/fdc/fuzz/cve_2021_3507", test_cve_2021_3507); =20 ret =3D g_test_run(); =20 --=20 2.31.1
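Review bot: `test_cve_2021_3507` in the first hunk carries no assertion and no comment, so without `--enable-sanitizers` it passes as long as the register writes do not crash QEMU, and a later reader cannot tell which controller command the nine `qtest_outw(s, 0x3f4, ...)` writes encode, which of the parameter bytes is the EOT value the fix rejects, or why the `qtest_outl(s, 0x9, 0x0a0206)` DMA programming is needed first. Add a comment decoding the sequence against the 82078 command format cited in patch 1/2, and consider reading back the result phase and asserting the abnormal-termination status that the fix now returns (FD_SR0_ABNTERM / FD_SR1_MA), so the test also fails if the check is later relaxed rather than only when ASan is enabled.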
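Review bot: the registration in the second hunk names the test `/fdc/fuzz/cve_2021_3507` while the neighbouring entry uses `/fdc/fuzz-registers`; pick one separator so the fuzzer-derived regression tests list together, for example `/fdc/fuzz-cve_2021_3507` to match the existing name, or move both under `/fdc/fuzz/`.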