1. scsi-disk: allow MODE SELECT block descriptor to set the block size
Link: 356c4c441e
The MODE SELECT command can contain an optional block descriptor that can be used
to set the device block size. If the block descriptor is present then update the
block size on the SCSI device accordingly.
This allows CDROMs to be used with A/UX which requires a CDROM drive which is
capable of switching from a 2048 byte sector size to a 512 byte sector size.
2. scsi-disk: ensure block size is non-zero and changes limited to bits 8-15
Link: 55794c904d
The existing code assumes that the block size can be generated from p[1] << 8
in multiple places which ignores the top and bottom 8 bits. If the block size
is allowed to be set to an arbitrary value then this causes a mismatch
between the value written by the guest in the block descriptor and the value
subsequently read back using READ CAPACITY causing the guest to generate
requests that can crash QEMU.
For now restrict block size changes to bits 8-15 and also ignore requests to
set the block size to 0 which causes the SCSI emulation to crash in at least
one place with a divide by zero error.
3. Disallow block sizes smaller than 512 [CVE-2023-42467]
Link: 7cfcc79b0a
We are doing things like
nb_sectors /= (s->qdev.blocksize / BDRV_SECTOR_SIZE);
in the code here (e.g. in scsi_disk_emulate_mode_sense()), so if
the blocksize is smaller than BDRV_SECTOR_SIZE (=512), this crashes
with a division by 0 exception. Thus disallow block sizes of 256
bytes to avoid this situation.
(From OE-Core rev: e9af3d328db8a32c22bb0798fa8dbb749e3f607b)
Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A bug in QEMU could cause a guest I/O operation otherwise
addressed to an arbitrary disk offset to be targeted to
offset 0 instead (potentially overwriting the VM's boot code).
This change is to fix CVE-2023-5088.
Link: 7d7512019f
(From OE-Core rev: aa84c668bfe2436d36f49a422c775119e2412c8b)
Signed-off-by: Sourav Pramanik <sourav.pramanik@kpit.com>
Signed-off-by: Sourav Kumar Pramanik <pramanik.souravkumar@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(From OE-Core rev: a1256b8fa415002eee78427cc292b866570ee267)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The commit [9bd4ddeb4b] backports fix for CVE-2023-2861 for version 6.2.0.
The 'qemu_fstat' in `do_create_others' is not defined which leads to the undefined symbol error on certain architectures.
Also, the commit message says "(Mjt: drop adding qemu_fstat wrapper for 7.2 where wrappers aren't used)". So either the wrapper has to be dropped or it has to be defined.
Hence, backported the main patch rather than the cherry picked one.
(From OE-Core rev: 983d19dfdad361f8b3275b404f1ac0b9befc9f6c)
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A flaw was found in the QEMU virtual crypto device while handling data
encryption/decryption requests in virtio_crypto_handle_sym_req.
There is no check for the value of `src_len` and `dst_len` in
virtio_crypto_sym_op_helper, potentially leading to a heap buffer
overflow when the two values differ.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-3180
Upstream patches:
49f1e02bac
(From OE-Core rev: de421cab92c49ba0f068eae9d6b458a0368fcd03)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backport 2 patches and rebase
0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch to fix
compile error:
../qemu-6.2.0/hw/display/qxl.c: In function 'qxl_phys2virt':
../qemu-6.2.0/hw/display/qxl.c:1477:67: error: 'size' undeclared (first use in this function); did you mean 'gsize'?
1477 | if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size)) {
| ^~~~
| gsize
../qemu-6.2.0/hw/display/qxl.c:1477:67: note: each undeclared identifier is reported only once for each function it appears in
(From OE-Core rev: b3f42317c1932253e7e6b2fd7a263bdbd6c2f69a)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The previous version of this wasn't correctly passing the program name
as argv[0], and was also over-complicated anyway because argv[] is
guaranteed to be terminated with a NULL pointer, so it can be passed
directly to the execv'd process without needing to be copied.
(From OE-Core rev: c8b7a0570903fc7916530c2fcffaee3b61f27301)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 6edf38add3c20c44efe0588e2815bb280d22e0c4)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The bridge helper program is invoked directly from QEMU when it needs to
attach to a network bridge. As such, it is subject to the environment of
QEMU itself. Specifically, if bridging is enabled with direct rendering
acceleration, QEMU is run with an LD_PRELOAD that attempts to preload
several uninative libraries; however /bin/sh doesn't use the uninative
loader which means it can fail to start with an error like:
/bin/sh: symbol lookup error: sysroots-uninative/x86_64-linux/lib/librt.so.1: undefined symbol: __libc_unwind_link_get, version GLIBC_PRIVATE
Converting the helper program to a C program resolves this problem
because it will now use the uninative loader so the preload doesn't
cause errors.
(From OE-Core rev: 428a0be91eafb961f0fe92d2abccde5352c54c54)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit f698e98f2f09952b34488b8cf9e73e82bd7aea07)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
io_uring is enabled or disabled depending on whether liburing is available,
so add a PACKAGECONFIG to make this explicit, disabled by default.
(From OE-Core rev: 3243b069db7629d15e4b8c25b4133f824d18520c)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit daee79639c39ac6278855b35e0ddf71e52dd13f8)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
With libjack-devel or jack-audio-connection-kit-devel, qemu-native
detects the library/header and tries to build with it. Since its
missing from the sysroot, it fails to build.
-O2 -fPIE -D_REENTRANT -Wno-undef -MD -MQ libcommon.fa.p/audio_jackaudio.c.o
-MF libcommon.fa.p/audio_jackaudio.c.o.d -o libcommon.fa.p/audio_jackaudio.c.o
-c ../qemu-6.2.0/audio/jackaudio.c
| ../qemu-6.2.0/audio/jackaudio.c:34:10: fatal error: jack/jack.h: No such file
or directory
| 34 | #include <jack/jack.h>
| | ^~~~~~~~~~~~~
| compilation terminated.
(From OE-Core rev: 05eb77bd1e9e1ba59032cbb49953cab8015e37a3)
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 27260be388f7f9f324ff405e7d8e254925b4ae90)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Source: https://github.com/qemu/qemu
MR: 119830
Type: Security Fix
Disposition: Backport from 418ade7849
ChangeID: 41d6646e06319e629da574b9b2e8a3a197a73441
Description:
CVE-2022-35414 qemu: can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash.
(From OE-Core rev: 5f236e744b5b528bdf8d95c9580c273f63c04452)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add a PACKAGECONFIG option for slirp, defaulting to internal. This avoids
the presence of libslirp on the host causing qemu to link against that
instead breaking reproducibility and usability of the binary on hosts
where the library isn't present.
We need to add it to PACKAGECONFIG by default since users do expect slirp
to be enabled in the wider community.
(From OE-Core rev: 9637a46258a596ccb0a7ddc350b33a5fc6c7872e)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5a9a64132bf5ecac9d611d29751226a466c4a2c1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Avoid accidentally linking to the vde library from the host by
adding a PACKAGECONFIG for the option.
(From OE-Core rev: 83ab9f51f45b73ff595fbb8d519eee4f4d48e308)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Avoid accidentally linking to the rdma library from the host by
adding a PACKAGECONFIG for the option. This was found on new
Fedora 36 autobuilder workers.
(From OE-Core rev: 84390c353d8fee55ae0eeb6a698e45d350f8141b)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2a0f3cb225e4d5471155abbcd05d09bd6bf1620f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Autobuilder workers were non-deterministically enabling capstone
depending on whether the worker had libcapstone installed.
Add PACKAGECONFIG for capstone with default off, since qemu does not
require capstone support.
Qemu version in dunfell has capstone in the source tree as a submodule
and has configure options to enable it using that source code or using
the system libcapstone.
Qemu versions in master and kirkstone have removed the capstone
submodule and configure options, but added libcapstone autodetection to
meson.
In all cases using PACKAGECONFIG will allow a deterministic build.
(From OE-Core rev: 171fa2d7092db896ba0816074a435a883447fdb8)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 052ef1f14d1e6a5ee34f742f65e51b20b416f79f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
its in auto mode, which is troublesome particularly on native recipe
where it pokes at build host to find this library if its not in native
sysroot and when build host has libbpf installed it enables it silently
otherwise disables the support. so lets make it deterministic, and if
one needs to enable this feature then enable the packageconfig
intentionally, It was found when trying to solve this QA warning
Skipping RPATH /usr/lib64 as is a standard search path for /mnt/b/yoe/master/build/tmp/work/x86_64-linux/qemu-system-native/6.2.0-
r0/sysroot-destdir/mnt/b/yoe/master/build/tmp/work/x86_64-linux/qemu-system-native/6.2.0-r0/recipe-sysroot-native/usr/bin/qemu-system-x86_64
This is becasue qemu's build system adds the needed flags to -rpath for
the libraries it needs and in this case it has found libbpf.so in
/usr/lib64 on build host.
(From OE-Core rev: 2f97e2d92982b9cffaccdf251c1b6d47de0258c2)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3d493928b7c98ab11b5d8c50924b1a2c464bf7f5)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add a fix queued upstream for the issue in this CVE:
"""
Guest driver might execute HW commands when shared buffers are not yet
allocated.
This might happen on purpose (malicious guest) or because some other
guest/host address mapping.
We need to protect againts such case.
"""
(From OE-Core rev: 1b8513c1abdcd6430f9311efd04d785488f79d7d)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
- This abstracts on GL/GLES implementations
- Rename packageconfig to epoxy to match what code it doing underneath
(From OE-Core rev: 0ded646a83768868a1cc4dceb962ee707348af1b)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
some architectures like ppc/mips do not wire this in kernel since
linux/mman.h for these architectures do not use asm-generic/mman.h
(From OE-Core rev: 442fa3d9eeae100bfa97002c97671d4b540048ed)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There is use of MESA_EGL_NO_X11_HEADERS which is now renamed in newer headers to
EGL_NO_X11 from mesa/khronos headers, however this define is
relatively new and 3D stacks do not have this adopted but apps
like qemu and bunch of others depend on it, I guess they assume mesa.
One can argue that its better to fix the 3D stacks to behave
like mesa but this means every BSP using these stacks will need to
carry such a fix.
https://gitlab.freedesktop.org/mesa/mesa/-/blob/main/include/EGL/eglplatform.h
(From OE-Core rev: 8c9d0bc4eb2784a3defa047e509d96e0eb521c03)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This will create _STR and _UID section for TPM in qemu acpi table,
with these section, the missing "description" and "uid" files will
be created for TPM in /sys by kernel.
(From OE-Core rev: 88bf29935358e727c65693085b50a57f879b774b)
Signed-off-by: Liwei Song <liwei.song@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
