Fix CVE-2021-3611 and heap overflow in sdhci code

[PULL 0/8] Fix CVE-2021-3611 and heap overflow in sdhci code

Thomas Huth posted 8 patches 2 years, 1 month ago

Download series mbox

Test checkpatch passed

Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20220321170320.282496-1-thuth@redhat.com

Maintainers: Gerd Hoffmann <kraxel@redhat.com>, "Philippe Mathieu-Daudé" <f4bug@amsat.org>, Bin Meng <bin.meng@windriver.com>, Paolo Bonzini <pbonzini@redhat.com>, Peter Xu <peterx@redhat.com>, David Hildenbrand <david@redhat.com>, Alexander Bulekov <alxndr@bu.edu>, Bandan Das <bsd@redhat.com>, Stefan Hajnoczi <stefanha@redhat.com>, Thomas Huth <thuth@redhat.com>, Darren Kenny <darren.kenny@oracle.com>, Qiuhao Li <Qiuhao.Li@outlook.com>, Laurent Vivier <lvivier@redhat.com>

include/exec/memattrs.h        |  9 +++++
hw/audio/intel-hda.c           | 11 ++++--
hw/sd/sdhci.c                  | 35 ++++++++++++++-----
softmmu/physmem.c              | 55 ++++++++++++++++++++++++------
tests/qtest/fuzz-sdcard-test.c | 76 ++++++++++++++++++++++++++++++++++++++++++
tests/qtest/intel-hda-test.c   | 34 +++++++++++++++++++
6 files changed, 198 insertions(+), 22 deletions(-)

Expand all Fold all

[PULL 0/8] Fix CVE-2021-3611 and heap overflow in sdhci code

Posted by Thomas Huth 2 years, 1 month ago

The following changes since commit 2058fdbe81e2985c226a026851dd26b146d3395c:

  Merge tag 'fixes-20220318-pull-request' of git://git.kraxel.org/qemu into staging (2022-03-19 11:28:54 +0000)

are available in the Git repository at:

  https://gitlab.com/thuth/qemu.git tags/pull-request-2022-03-21

for you to fetch changes up to 27801168ecbb34b987d2e92a12369367bf9ac2bf:

  tests/qtest/fuzz-sdcard-test: Add reproducer for OSS-Fuzz (Issue 29225) (2022-03-21 14:05:42 +0100)

----------------------------------------------------------------
* Fix stack-overflow due to recursive DMA in intel-hda (CVE-2021-3611)
* Fix heap overflow due to recursive DMA in sdhci code

----------------------------------------------------------------

As far as I can see, these patches were ready to go, just felt
through the cracks so far since Philippe is now doing other stuff...
I think it would be nice to get these fixed for 7.0 (and if there
is ever a thorough global DMA reentrancy fix later in >= 7.1, we
can still revert the device-specific fixes here again later).

Philippe Mathieu-Daudé (8):
    softmmu/physmem: Simplify flatview_write and address_space_access_valid
    softmmu/physmem: Introduce MemTxAttrs::memory field and MEMTX_ACCESS_ERROR
    hw/audio/intel-hda: Do not ignore DMA overrun errors
    hw/audio/intel-hda: Restrict DMA engine to memories (not MMIO devices)
    tests/qtest/intel-hda-test: Add reproducer for issue #542
    hw/sd/sdhci: Honor failed DMA transactions
    hw/sd/sdhci: Prohibit DMA accesses to devices
    tests/qtest/fuzz-sdcard-test: Add reproducer for OSS-Fuzz (Issue 29225)

 include/exec/memattrs.h        |  9 +++++
 hw/audio/intel-hda.c           | 11 ++++--
 hw/sd/sdhci.c                  | 35 ++++++++++++++-----
 softmmu/physmem.c              | 55 ++++++++++++++++++++++++------
 tests/qtest/fuzz-sdcard-test.c | 76 ++++++++++++++++++++++++++++++++++++++++++
 tests/qtest/intel-hda-test.c   | 34 +++++++++++++++++++
 6 files changed, 198 insertions(+), 22 deletions(-)

Re: [PULL 0/8] Fix CVE-2021-3611 and heap overflow in sdhci code

Posted by Peter Maydell 2 years, 1 month ago

On Mon, 21 Mar 2022 at 17:03, Thomas Huth <thuth@redhat.com> wrote:
>
> The following changes since commit 2058fdbe81e2985c226a026851dd26b146d3395c:
>
>   Merge tag 'fixes-20220318-pull-request' of git://git.kraxel.org/qemu into staging (2022-03-19 11:28:54 +0000)
>
> are available in the Git repository at:
>
>   https://gitlab.com/thuth/qemu.git tags/pull-request-2022-03-21
>
> for you to fetch changes up to 27801168ecbb34b987d2e92a12369367bf9ac2bf:
>
>   tests/qtest/fuzz-sdcard-test: Add reproducer for OSS-Fuzz (Issue 29225) (2022-03-21 14:05:42 +0100)
>
> ----------------------------------------------------------------
> * Fix stack-overflow due to recursive DMA in intel-hda (CVE-2021-3611)
> * Fix heap overflow due to recursive DMA in sdhci code
>
> ----------------------------------------------------------------
>


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/7.0
for any user-visible changes.

-- PMM