From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Hanna Reitz, Thomas Huth, Laurent Vivier, John Snow, Kevin Wolf, Paolo Bonzini, qemu-block@nongnu.org, Philippe Mathieu-Daudé
Subject: [PATCH v4 1/3] hw/block/fdc: Extract blk_create_empty_drive()
Date: Wed, 24 Nov 2021 17:15:34 +0100
Message-Id: <20211124161536.631563-2-philmd@redhat.com>
In-Reply-To: <20211124161536.631563-1-philmd@redhat.com>
References: <20211124161536.631563-1-philmd@redhat.com>

We are going to re-use this code in the next commit, so extract it as a new blk_create_empty_drive() function.

Inspired-by: Hanna Reitz
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Hanna Reitz
--- hw/block/fdc.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/hw/block/fdc.c b/hw/block/fdc.c index fa933cd3263..1dbf3f6028f 100644 --- a/hw/block/fdc.c +++ b/hw/block/fdc.c @@ -61,6 +61,12 @@ } while (0) =20 =20 +/* Anonymous BlockBackend for empty drive */ +static BlockBackend *blk_create_empty_drive(void) +{ + return blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL); +} + /********************************************************/ /* qdev floppy bus */ =20 
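Review bot: the comment on blk_create_empty_drive() only restates its name; document the two properties its callers depend on, namely that blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL) returns a BlockBackend with no root BlockDriverState (no medium, it requests no permissions and shares all of them) and that the caller owns the returned reference. A line such as `/* Anonymous, medium-less BlockBackend for an empty drive; caller owns the reference and must attach or unref it */` tells a reader of the call sites whether blk_unref() is their job.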
@@ -486,8 +492,7 @@ static void floppy_drive_realize(DeviceState *qdev, Err= or **errp) } =20 if (!dev->conf.blk) { - /* Anonymous BlockBackend for an empty drive */ - dev->conf.blk =3D blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL); + dev->conf.blk =3D blk_create_empty_drive(); ret =3D blk_attach_dev(dev->conf.blk, qdev); assert(ret =3D=3D 0); =20 --=20 2.33.1
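Review bot: dropping the inline comment `/* Anonymous BlockBackend for an empty drive */` loses the one sentence that explained the ownership of this backend at this call site. The retained `ret = blk_attach_dev(dev->conf.blk, qdev); assert(ret == 0);` is what ties the empty backend's lifetime to the floppy device, and the helper itself does not attach anything, so keep a one-line comment here saying that this is the path where the anonymous backend gets an owner; otherwise the assert reads as a sanity check rather than as the ownership transfer it is.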
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Hanna Reitz, Thomas Huth, Laurent Vivier, John Snow, Kevin Wolf, Paolo Bonzini, qemu-block@nongnu.org, Philippe Mathieu-Daudé, qemu-stable@nongnu.org, Gaoning Pan, Darren Kenny
Subject: [PATCH v4 2/3] hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196
Date: Wed, 24 Nov 2021 17:15:35 +0100
Message-Id: <20211124161536.631563-3-philmd@redhat.com>
In-Reply-To: <20211124161536.631563-1-philmd@redhat.com>
References: <20211124161536.631563-1-philmd@redhat.com>

A guest might select another drive on the bus by setting the DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR). The current controller model doesn't expect a BlockBackend to be NULL. A simple way to fix CVE-2021-20196 is to create an empty BlockBackend when it is missing. All further accesses will be safely handled, and the controller state machines keep behaving correctly.

Cc: qemu-stable@nongnu.org
Fixes: CVE-2021-20196
Reported-by: Gaoning Pan (Ant Security Light-Year Lab)
BugLink: https://bugs.launchpad.net/qemu/+bug/1912780
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/338
Reviewed-by: Darren Kenny
Reviewed-by: Hanna Reitz
Signed-off-by: Philippe Mathieu-Daudé
--- hw/block/fdc.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/hw/block/fdc.c b/hw/block/fdc.c index 1dbf3f6028f..21d18ac2e36 100644 --- a/hw/block/fdc.c +++ b/hw/block/fdc.c 
@@ -1166,7 +1166,19 @@ static FDrive *get_drv(FDCtrl *fdctrl, int unit) =20 static FDrive *get_cur_drv(FDCtrl *fdctrl) { - return get_drv(fdctrl, fdctrl->cur_drv); + FDrive *cur_drv =3D get_drv(fdctrl, fdctrl->cur_drv); + + if (!cur_drv->blk) { + /* + * Kludge: empty drive line selected. Create an anonymous + * BlockBackend to avoid NULL deref with various BlockBackend + * API calls within this model (CVE-2021-20196). + * Due to the controller QOM model limitations, we don't + * attach the created to the controller device. + */ + cur_drv->blk =3D blk_create_empty_drive(); + } + return cur_drv; } =20 /* Status A register : 0x00 (read-only) */ --=20 2.33.1
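Review bot: the kludge comment is missing its noun, `we don't attach the created to the controller device` should read `the created BlockBackend`. On the logic: the backend stored in `cur_drv->blk` here is neither attached to a device nor released anywhere in this hunk, so it is leaked; bounded (once per empty drive slot, since the NULL check does not fire again), but either drop the reference in the controller's unrealize or say in the comment that the leak is intentional. Note also that get_cur_drv() now has a side effect, so any register handler that reaches it, including read-only ones, can allocate on a guest access. Finally, the claim that "all further accesses will be safely handled" rests on the BlockBackend API refusing I/O on a medium-less backend (the -ENOMEDIUM path) rather than on anything in this hunk; a regression test that asserts the controller's guest-visible status after such a write, not just survival, would pin that down.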
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Hanna Reitz, Thomas Huth, Laurent Vivier, John Snow, Kevin Wolf, Paolo Bonzini, qemu-block@nongnu.org, Philippe Mathieu-Daudé, Alexander Bulekov, Darren Kenny
Subject: [PATCH v4 3/3] tests/qtest/fdc-test: Add a regression test for CVE-2021-20196
Date: Wed, 24 Nov 2021 17:15:36 +0100
Message-Id: <20211124161536.631563-4-philmd@redhat.com>
In-Reply-To: <20211124161536.631563-1-philmd@redhat.com>
References: <20211124161536.631563-1-philmd@redhat.com>

Without the previous commit, when running 'make check-qtest-i386' with QEMU configured with '--enable-sanitizers' we get:

  AddressSanitizer:DEADLYSIGNAL
  =================================================================
  ==287878==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000344
  ==287878==The signal is caused by a WRITE memory access.
  ==287878==Hint: address points to the zero page.
      #0 0x564b2e5bac27 in blk_inc_in_flight block/block-backend.c:1346:5
      #1 0x564b2e5bb228 in blk_pwritev_part block/block-backend.c:1317:5
      #2 0x564b2e5bcd57 in blk_pwrite block/block-backend.c:1498:11
      #3 0x564b2ca1cdd3 in fdctrl_write_data hw/block/fdc.c:2221:17
      #4 0x564b2ca1b2f7 in fdctrl_write hw/block/fdc.c:829:9
      #5 0x564b2dc49503 in portio_write softmmu/ioport.c:201:9

Add the reproducer for CVE-2021-20196.

Suggested-by: Alexander Bulekov
Reviewed-by: Darren Kenny
Signed-off-by: Philippe Mathieu-Daud=C3=A9 Reviewed-by: Hanna Reitz --- tests/qtest/fdc-test.c | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/tests/qtest/fdc-test.c b/tests/qtest/fdc-test.c index 26b69f7c5cd..8f6eee84a47 100644 --- a/tests/qtest/fdc-test.c +++ b/tests/qtest/fdc-test.c @@ -32,6 +32,9 @@ /* TODO actually test the results and get rid of this */ #define qmp_discard_response(...) qobject_unref(qmp(__VA_ARGS__)) =20 +#define DRIVE_FLOPPY_BLANK \ + "-drive if=3Dfloppy,file=3Dnull-co://,file.read-zeroes=3Don,format=3Dr= aw,size=3D1440k" + #define TEST_IMAGE_SIZE 1440 * 1024 =20 #define FLOPPY_BASE 0x3f0 @@ -546,6 +549,40 @@ static void fuzz_registers(void) } } =20 +static bool qtest_check_clang_sanitizer(void) +{ +#if defined(__SANITIZE_ADDRESS__) || __has_feature(address_sanitizer) + return true; +#else + g_test_skip("QEMU not configured using --enable-sanitizers"); + return false; +#endif +} +static void test_cve_2021_20196(void) +{ + QTestState *s; + + if (!qtest_check_clang_sanitizer()) { + return; + } + + s =3D qtest_initf("-nographic -m 32M -nodefaults " DRIVE_FLOPPY_BLANK); + + qtest_outw(s, 0x3f4, 0x0500); + qtest_outb(s, 0x3f5, 0x00); + qtest_outb(s, 0x3f5, 0x00); + qtest_outw(s, 0x3f4, 0x0000); + qtest_outb(s, 0x3f5, 0x00); + qtest_outw(s, 0x3f1, 0x0400); + qtest_outw(s, 0x3f4, 0x0000); + qtest_outw(s, 0x3f4, 0x0000); + qtest_outb(s, 0x3f5, 0x00); + qtest_outb(s, 0x3f5, 0x01); + qtest_outw(s, 0x3f1, 0x0500); + qtest_outb(s, 0x3f5, 0x00); + qtest_quit(s); +} + int main(int argc, char **argv) { int fd; @@ -576,6 +613,7 @@ int main(int argc, char **argv) qtest_add_func("/fdc/read_no_dma_18", test_read_no_dma_18); qtest_add_func("/fdc/read_no_dma_19", test_read_no_dma_19); qtest_add_func("/fdc/fuzz-registers", fuzz_registers); + qtest_add_func("/fdc/fuzz/cve_2021_20196", test_cve_2021_20196); =20 ret =3D g_test_run(); =20 --=20 2.33.1
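Review bot: DRIVE_FLOPPY_BLANK configures only drive A (`if=floppy` backed by `null-co://`); the reproducer depends on drive B having no BlockBackend at all, which `-nodefaults` in qtest_initf() provides but nothing in the macro or the test states. A comment at the macro ("drive B intentionally absent: it is the drive the reproducer selects") would stop a later change, such as adding a second floppy for another test, from silently neutralising this regression test.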
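Review bot: test_cve_2021_20196() is an undocumented fuzzer replay and skips in every non-sanitizer build; three points. First, the sanitizer guard is stronger than needed: the failure in the trace is a plain write to the zero page, which would also kill the qtest instance in a normal build, so unless some platform does not fault on it the sequence can run unconditionally and qtest_check_clang_sanitizer() becomes unnecessary (the `#if` also relies on a non-clang fallback for `__has_feature` being visible through osdep.h; fine here, but it will break if this helper is copied into a file that does not include it). Second, the interesting writes deserve comments: `qtest_outw(s, 0x3f1, 0x0500)` is a 16-bit write at 0x3f1 whose high byte lands in the DOR at 0x3f2 and selects drive 1, the DRIVE_SEL write that 2/3 describes (the earlier `0x0400` selects drive 0), and the final `qtest_outb(s, 0x3f5, 0x00)` is the FIFO write that reached blk_pwrite(NULL) in the trace. Third, the test asserts nothing; a qtest_inb() of the main status register at 0x3f4 after the sequence, asserted non-zero or compared with the pre-sequence value, would turn "did not crash" into an explicit check that the controller still answers. Style: a blank line is missing between the closing brace of qtest_check_clang_sanitizer() and `static void test_cve_2021_20196(void)`.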
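As an added example, not QEMU's code and not part of this series, the qtest sequence from 3/3 replayed against a toy C model of a two-drive controller, once in the shape the 2/3 commit message describes (a NULL BlockBackend behind the selected drive) and once with the empty-backend kludge applied. It makes visible why the last outb(0x3f5, 0x00) is the fatal write: the preceding outw(0x3f1, 0x0500) lands 0x05 in the DOR at 0x3f2, selecting drive B, which has no backend. Everything about the toy is an assumption made here: it has no command state machine (every FIFO byte is treated as data written to the selected drive), the DOR select mask is one bit for two drives, a 16-bit port write is split into two little-endian byte writes, and its blk_pwrite() stand-in answers -ENOMEDIUM for a medium-less backend, which is the toy's chosen behaviour rather than something the patch asserts.

```c
/*
 * Toy replay of the CVE-2021-20196 reproducer. Added example, not
 * hw/block/fdc.c: no command state machine, every FIFO byte is data for
 * the selected drive, 16-bit writes split into two byte writes (assumed).
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#ifndef ENOMEDIUM
#define ENOMEDIUM 123           /* Linux value, absent from some libcs */
#endif

#define FD_DOR      0x3f2       /* Digital Output Register */
#define FD_FIFO     0x3f5       /* data FIFO */
#define DOR_SELMASK 0x01        /* drive select bit, two-drive bus (assumed) */

typedef struct ToyBlk { bool has_medium; } ToyBlk;

typedef struct ToyFdc {
    ToyBlk *drive_blk[2];       /* [1] stays NULL: no -drive for B */
    ToyBlk medium_a;            /* drive A's backend */
    unsigned cur_drv;           /* DOR DRIVE_SEL, guest controlled */
    bool hardened, null_deref;  /* kludge on? / vulnerable path hit NULL */
    int last_io_ret;
    unsigned empty_backends;    /* backends created by the kludge */
} ToyFdc;

typedef struct { bool null_deref; unsigned final_drive, empty_backends;
                 int last_io_ret; size_t writes_replayed; } ReplayResult;

/* blk_pwrite() stand-in: a medium-less backend refuses I/O */
static int toy_blk_pwrite(ToyBlk *blk)
{
    return blk->has_medium ? 0 : -ENOMEDIUM;
}

static void toy_outb(ToyFdc *f, uint16_t port, uint8_t val)
{
    ToyBlk *blk;

    if (port == FD_DOR) {
        f->cur_drv = val & DOR_SELMASK;
    } else if (port == FD_FIFO) {
        blk = f->drive_blk[f->cur_drv];
        if (!blk) {
            if (!f->hardened) {
                f->null_deref = true;   /* fdc.c: blk_pwrite(NULL) -> SEGV */
                return;
            }
            blk = calloc(1, sizeof(*blk));  /* blk_create_empty_drive() stand-in */
            f->drive_blk[f->cur_drv] = blk;
            f->empty_backends++;
        }
        f->last_io_ret = toy_blk_pwrite(blk);
    }
    /* SRB (0x3f1) is read-only, DSR (0x3f4) is ignored by the toy */
}

/* outw(0x3f1) reaches the DOR at 0x3f2 through this split (assumed) */
static void toy_outw(ToyFdc *f, uint16_t port, uint16_t val)
{
    toy_outb(f, port, val & 0xff);
    toy_outb(f, port + 1, val >> 8);
}

/* The qtest sequence from 3/3 as (port, value, is 16-bit write) */
static const struct { uint16_t port, val; bool word; } reproducer[] = {
    {0x3f4, 0x0500, true}, {0x3f5, 0x00, false}, {0x3f5, 0x00, false},
    {0x3f4, 0x0000, true}, {0x3f5, 0x00, false}, {0x3f1, 0x0400, true},
    {0x3f4, 0x0000, true}, {0x3f4, 0x0000, true}, {0x3f5, 0x00, false},
    {0x3f5, 0x01, false},  {0x3f1, 0x0500, true}, {0x3f5, 0x00, false},
};

static ReplayResult replay_reproducer(bool hardened)
{
    ToyFdc f = { .hardened = hardened, .medium_a = { .has_medium = true } };
    size_t n = 0;

    f.drive_blk[0] = &f.medium_a;
    while (n < sizeof(reproducer) / sizeof(reproducer[0]) && !f.null_deref) {
        if (reproducer[n].word) {
            toy_outw(&f, reproducer[n].port, reproducer[n].val);
        } else {
            toy_outb(&f, reproducer[n].port, (uint8_t)reproducer[n].val);
        }
        n++;                            /* stops right after the fatal write */
    }
    free(f.drive_blk[1]);               /* the toy frees the kludge backend; 2/3 does not */
    return (ReplayResult){ .null_deref = f.null_deref, .final_drive = f.cur_drv,
                           .last_io_ret = f.last_io_ret,
                           .empty_backends = f.empty_backends, .writes_replayed = n };
}

int main(void)
{
    ReplayResult v = replay_reproducer(false), h = replay_reproducer(true);

    printf("vulnerable: NULL backend at write %zu (drive %u); kludged: last write -> %d, "
           "empty backends created %u\n", v.writes_replayed, v.final_drive,
           h.last_io_ret, h.empty_backends);
    return (v.null_deref && !h.null_deref) ? 0 : 1;
}
```

The vulnerable replay stops at the twelfth write with drive 1 selected and no backend behind it; the kludged replay survives all twelve, creates exactly one empty backend, and the final data write fails cleanly with -ENOMEDIUM instead of dereferencing NULL.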