On Tue, Oct 11, 2022 at 6:27 AM vkumbhar <vkumb...@mvista.com> wrote:
>
> Source: https://lists.nongnu.org/archive/html/qemu-devel/2021-09/msg01682.html
> MR: 116345
> Type: Security Fix
> Disposition: Backport from https://lists.nongnu.org/archive/html/qemu-devel/2021-09/msg01682.html
> ChangeID: 16be2d24b89b9ff8f492b034f77eb24800771910
> Description:
>     When building QEMU with DEBUG_ATI defined then running with
>     '-device ati-vga,romfile="" -d unimp,guest_errors -trace ati\*'
>     we get:
>
>       ati_mm_write 4 0x16c0 DP_CNTL <- 0x1
>       ati_mm_write 4 0x146c DP_GUI_MASTER_CNTL <- 0x2
>       ati_mm_write 4 0x16c8 DP_MIX <- 0xff0000
>       ati_mm_write 4 0x16c4 DP_DATATYPE <- 0x2
>       ati_mm_write 4 0x224 CRTC_OFFSET <- 0x0
>       ati_mm_write 4 0x142c DST_PITCH_OFFSET <- 0xfe00000
>       ati_mm_write 4 0x1420 DST_Y <- 0x3fff
>       ati_mm_write 4 0x1410 DST_HEIGHT <- 0x3fff
>       ati_mm_write 4 0x1588 DST_WIDTH_X <- 0x3fff3fff
>       ati_2d_blt: vram:0x7fff5fa00000 addr:0 ds:0x7fff61273800 stride:2560 bpp:32 rop:0xff
>       ati_2d_blt: 0 0 0, 0 127 0, (0,0) -> (16383,16383) 16383x16383 > ^
>       ati_2d_blt: pixman_fill(dst:0x7fff5fa00000, stride:254, bpp:8, x:16383, y:16383, w:16383, h:16383, xor:0xff000000)
>       Thread 3 "qemu-system-i38" received signal SIGSEGV, Segmentation fault.
>       (gdb) bt
>       #0  0x00007ffff7f62ce0 in sse2_fill.lto_priv () at /lib64/libpixman-1.so.0
>       #1  0x00007ffff7f09278 in pixman_fill () at /lib64/libpixman-1.so.0
>       #2  0x0000555557b5a9af in ati_2d_blt (s=0x631000028800) at hw/display/ati_2d.c:196
>       #3  0x0000555557b4b5a2 in ati_mm_write (opaque=0x631000028800, addr=5512, data=1073692671, size=4) at hw/display/ati.c:843
>       #4  0x0000555558b90ec4 in memory_region_write_accessor (mr=0x631000039cc0, addr=5512, ..., size=4, ...) at softmmu/memory.c:492
>
>     Commit 584acf34cb0 ("ati-vga: Fix reverse bit blts") introduced
>     the local dst_x and dst_y which adjust the (x, y) coordinates
>     depending on the direction in the SRCCOPY ROP3 operation, but
>     forgot to address the same issue for the PATCOPY, BLACKNESS and
>     WHITENESS operations, which also call pixman_fill().
>
>     Fix that now by using the adjusted coordinates in the pixman_fill
>     call, and update the related debug printf().
>
> Signed-off-by: Vivek Kumbhar <vkumb...@mvista.com>
> ---
>  meta/recipes-devtools/qemu/qemu.inc           |  1 +
>  .../qemu/qemu/0001-CVE-2021-3638.patch        | 42 +++++++++++++++++++

Same issue with the filename as in previous patches.

>  2 files changed, 43 insertions(+)
>  create mode 100644 meta/recipes-devtools/qemu/qemu/0001-CVE-2021-3638.patch
>
> diff --git a/meta/recipes-devtools/qemu/qemu.inc 
> b/meta/recipes-devtools/qemu/qemu.inc
> index 7a963ad57c..b9ac4c663c 100644
> --- a/meta/recipes-devtools/qemu/qemu.inc
> +++ b/meta/recipes-devtools/qemu/qemu.inc
> @@ -52,6 +52,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
>            file://CVE-2019-20175.patch \
>            file://CVE-2020-24352.patch \
>            file://CVE-2020-25723.patch \
> +          file://0001-CVE-2021-3638.patch \

And once again the patch doesn't apply since you aren't using current
dunfell head.

Please rebase and send a V2

Thanks,

Steve

>            "
>  UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
>
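Review bot: the new `file://0001-CVE-2021-3638.patch` entry does not follow the naming of its neighbours in this SRC_URI list (`CVE-2019-20175.patch`, `CVE-2020-24352.patch`, `CVE-2020-25723.patch`), which carry no `0001-` git-format-patch prefix; renaming the file to `CVE-2021-3638.patch` and updating this line keeps the list consistent. The hunk context also shows `CVE-2020-25723.patch` as the last entry before the closing quote, and the maintainer reports the hunk no longer applies on current dunfell head, so the rebase should regenerate this hunk against the current qemu.inc rather than re-sending this context.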
> diff --git a/meta/recipes-devtools/qemu/qemu/0001-CVE-2021-3638.patch 
> b/meta/recipes-devtools/qemu/qemu/0001-CVE-2021-3638.patch
> new file mode 100644
> index 0000000000..965ac3f181
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/0001-CVE-2021-3638.patch
> @@ -0,0 +1,42 @@
> +From 1faf9c708c95b92678b7babb56f7ed861e3eda11 Mon Sep 17 00:00:00 2001
> +From: Vivek Kumbhar <vkumb...@mvista.com>
> +Date: Thu, 1 Sep 2022 10:22:44 +0530
> +Subject: [PATCH] CVE-2021-3638
> +
> +Upstream-Status: 
> https://lists.nongnu.org/archive/html/qemu-devel/2021-09/msg01682.html
> +CVE: CVE-2021-3638
> +Signed-off-by: Vivek Kumbhar <vkumb...@mvista.com>
> +---
> + hw/display/ati_2d.c | 6 +++---
> + 1 file changed, 3 insertions(+), 3 deletions(-)
> +
> +diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
> +index 23a8ae0c..395b523b 100644
> +--- a/hw/display/ati_2d.c
> ++++ b/hw/display/ati_2d.c
> +@@ -83,7 +83,7 @@ void ati_2d_blt(ATIVGAState *s)
> +     DPRINTF("%d %d %d, %d %d %d, (%d,%d) -> (%d,%d) %dx%d %c %c\n",
> +             s->regs.src_offset, s->regs.dst_offset, s->regs.default_offset,
> +             s->regs.src_pitch, s->regs.dst_pitch, s->regs.default_pitch,
> +-            s->regs.src_x, s->regs.src_y, s->regs.dst_x, s->regs.dst_y,
> ++            s->regs.src_x, s->regs.src_y, dst_x, dst_y,
> +             s->regs.dst_width, s->regs.dst_height,
> +             (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? '>' : '<'),
> +             (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? 'v' : '^'));
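Review bot: the patch header above lacks the status keyword that the OpenEmbedded patch guidelines require on the `Upstream-Status:` line; it carries only the mailing-list URL, whereas the cover letter itself describes the change as a backport, so `Upstream-Status: Backport [https://lists.nongnu.org/archive/html/qemu-devel/2021-09/msg01682.html]` is the expected form. The `Subject: [PATCH] CVE-2021-3638` line and the empty body also drop the explanation that is in the cover letter (the unadjusted `s->regs.dst_x`/`dst_y` reaching `pixman_fill()` for PATCOPY, BLACKNESS and WHITENESS); that description belongs in the patch file so it survives on its own. For this hunk, the DPRINTF now prints the local `dst_x`/`dst_y`, which the cover letter says were introduced by commit 584acf34cb0 ("ati-vga: Fix reverse bit blts"); the rebase should confirm the dunfell qemu version already contains that commit, otherwise these identifiers are undefined and `hw/display/ati_2d.c` will not build.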
> +@@ -178,11 +178,11 @@ void ati_2d_blt(ATIVGAState *s)
> +         dst_stride /= sizeof(uint32_t);
> +         DPRINTF("pixman_fill(%p, %d, %d, %d, %d, %d, %d, %x)\n",
> +                 dst_bits, dst_stride, bpp,
> +-                s->regs.dst_x, s->regs.dst_y,
> ++                dst_x, dst_y,
> +                 s->regs.dst_width, s->regs.dst_height,
> +                 filler);
> +         pixman_fill((uint32_t *)dst_bits, dst_stride, bpp,
> +-                    s->regs.dst_x, s->regs.dst_y,
> ++                    dst_x, dst_y,
> +                     s->regs.dst_width, s->regs.dst_height,
> +                     filler);
> +         if (dst_bits >= s->vga.vram_ptr + s->vga.vbe_start_addr &&
> +--
> +2.25.1
> +
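Review bot: the substantive change is the `pixman_fill()` call near the end of this hunk, which now receives the direction-adjusted `dst_x, dst_y` instead of `s->regs.dst_x, s->regs.dst_y` (the DPRINTF change above it only keeps the debug output in sync); that matches the cover letter's description of the SRCCOPY path already using the adjusted coordinates. Since the hunk changes only the origin and still passes `s->regs.dst_width` and `s->regs.dst_height` through unchanged, the patch description should state where the fill rectangle is checked against the VRAM size before line 178, or point at the upstream commit being backported, so a reviewer can confirm the crash in the cover letter's trace (a 16383x16383 fill) is fully addressed by this coordinate fix alone.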
> --
> 2.25.1
View/Reply Online (#171641): 
https://lists.openembedded.org/g/openembedded-core/message/171641