[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-commits] [qemu/qemu] ba4124: MAINTAINERS: Cc qemu-block mailing li
From: |
Peter Maydell |
Subject: |
[Qemu-commits] [qemu/qemu] ba4124: MAINTAINERS: Cc qemu-block mailing list |
Date: |
Wed, 15 Jul 2020 04:30:34 -0700 |
Branch: refs/heads/master
Home: https://github.com/qemu/qemu
Commit: ba412478d16ca6abb4f240d92e6528eac7d3c337
https://github.com/qemu/qemu/commit/ba412478d16ca6abb4f240d92e6528eac7d3c337
Author: Philippe Mathieu-Daudé <philmd@redhat.com>
Date: 2020-07-14 (Tue, 14 Jul 2020)
Changed paths:
M MAINTAINERS
Log Message:
-----------
MAINTAINERS: Cc qemu-block mailing list
We forgot to include the qemu-block mailing list while adding
this section in commit 076a0fc32a7. Fix this.
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20200630133912.9428-2-f4bug@amsat.org>
Commit: 1c2329b5d644bad16e888d095e2021ad682201d9
https://github.com/qemu/qemu/commit/1c2329b5d644bad16e888d095e2021ad682201d9
Author: Niek Linnenbank <nieklinnenbank@gmail.com>
Date: 2020-07-14 (Tue, 14 Jul 2020)
Changed paths:
M docs/system/arm/orangepi.rst
Log Message:
-----------
docs/orangepi: Add instructions for resizing SD image to power of two
SD cards need to have a size of a power of two.
Update the Orange Pi machine documentation to include
instructions for resizing downloaded images using the
qemu-img command.
Signed-off-by: Niek Linnenbank <nieklinnenbank@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20200712183708.15450-1-nieklinnenbank@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Commit: b7dcbf1395da960ec3c313300dc0030674de8cd1
https://github.com/qemu/qemu/commit/b7dcbf1395da960ec3c313300dc0030674de8cd1
Author: Philippe Mathieu-Daudé <f4bug@amsat.org>
Date: 2020-07-14 (Tue, 14 Jul 2020)
Changed paths:
M tests/acceptance/boot_linux_console.py
Log Message:
-----------
tests/acceptance/boot_linux: Tag tests using a SD card with 'device:sd'
Avocado tags are handy to automatically select tests matching
the tags. Since these tests use a SD card, tag them.
We can run all the tests using a SD card at once with:
$ avocado --show=app run -t u-boot tests/acceptance/
$ AVOCADO_ALLOW_LARGE_STORAGE=ok \
avocado --show=app \
run -t device:sd tests/acceptance/
Fetching asset from
tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_sd
Fetching asset from
tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_bionic
Fetching asset from
tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_uboot_netbsd9
(1/3)
tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_sd:
PASS (19.56 s)
(2/3)
tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_bionic:
PASS (49.97 s)
(3/3)
tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_uboot_netbsd9:
PASS (20.06 s)
RESULTS : PASS 3 | ERROR 0 | FAIL 0 | SKIP 0 | WARN 0 | INTERRUPT 0 |
CANCEL 0
JOB TIME : 90.02 s
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Cleber Rosa <crosa@redhat.com>
Tested-by: Cleber Rosa <crosa@redhat.com>
Message-Id: <20200713183209.26308-4-f4bug@amsat.org>
Commit: 6a289a5ba3383e17fb47029720425bef42e424d7
https://github.com/qemu/qemu/commit/6a289a5ba3383e17fb47029720425bef42e424d7
Author: Philippe Mathieu-Daudé <f4bug@amsat.org>
Date: 2020-07-14 (Tue, 14 Jul 2020)
Changed paths:
M tests/acceptance/boot_linux_console.py
Log Message:
-----------
tests/acceptance/boot_linux: Expand SD card image to power of 2
In few commits we won't allow SD card images with invalid size
(not aligned to a power of 2). Prepare the tests: add the
pow2ceil() and image_pow2ceil_expand() methods and resize the
images (expanding) of the tests using SD cards.
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Cleber Rosa <crosa@redhat.com>
Message-Id: <20200713183209.26308-5-f4bug@amsat.org>
Commit: 9157dd597d293ab7f599f4d96c3fe8a6e07c633d
https://github.com/qemu/qemu/commit/9157dd597d293ab7f599f4d96c3fe8a6e07c633d
Author: Philippe Mathieu-Daudé <f4bug@amsat.org>
Date: 2020-07-14 (Tue, 14 Jul 2020)
Changed paths:
M hw/sd/sd.c
Log Message:
-----------
hw/sd/sdcard: Restrict Class 6 commands to SCSD cards
Only SCSD cards support Class 6 (Block Oriented Write Protection)
commands.
"SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
4.3.14 Command Functional Difference in Card Capacity Types
* Write Protected Group
SDHC and SDXC do not support write-protected groups. Issuing
CMD28, CMD29 and CMD30 generates the ILLEGAL_COMMAND error.
Cc: qemu-stable@nongnu.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20200630133912.9428-7-f4bug@amsat.org>
Commit: 6dd3a164f5b31c703c7d8372841ad3bd6a57de6d
https://github.com/qemu/qemu/commit/6dd3a164f5b31c703c7d8372841ad3bd6a57de6d
Author: Philippe Mathieu-Daudé <f4bug@amsat.org>
Date: 2020-07-14 (Tue, 14 Jul 2020)
Changed paths:
M hw/sd/sd.c
Log Message:
-----------
hw/sd/sdcard: Simplify realize() a bit
We don't need to check if sd->blk is set twice.
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20200630133912.9428-18-f4bug@amsat.org>
Commit: a9bcedd15a5834ca9ae6c3a97933e85ac7edbd36
https://github.com/qemu/qemu/commit/a9bcedd15a5834ca9ae6c3a97933e85ac7edbd36
Author: Philippe Mathieu-Daudé <f4bug@amsat.org>
Date: 2020-07-14 (Tue, 14 Jul 2020)
Changed paths:
M hw/sd/sd.c
Log Message:
-----------
hw/sd/sdcard: Do not allow invalid SD card sizes
QEMU allows to create SD card with unrealistic sizes. This could
work, but some guests (at least Linux) consider sizes that are not
a power of 2 as a firmware bug and fix the card size to the next
power of 2.
While the possibility to use small SD card images has been seen as
a feature, it became a bug with CVE-2020-13253, where the guest is
able to do OOB read/write accesses past the image size end.
In a pair of commits we will fix CVE-2020-13253 as:
Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
occurred and no data transfer is performed.
Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
occurred and no data transfer is performed.
WP_VIOLATION errors are not modified: the error bit is set, we
stay in receive-data state, wait for a stop command. All further
data transfer is ignored. See the check on sd->card_status at the
beginning of sd_read_data() and sd_write_data().
While this is the correct behavior, in case QEMU create smaller SD
cards, guests still try to access past the image size end, and QEMU
considers this is an invalid address, thus "all further data transfer
is ignored". This is wrong and make the guest looping until
eventually timeouts.
Fix by not allowing invalid SD card sizes (suggesting the expected
size as a hint):
$ qemu-system-arm -M orangepi-pc -drive file=rootfs.ext2,if=sd,format=raw
qemu-system-arm: Invalid SD card size: 60 MiB
SD card size has to be a power of 2, e.g. 64 MiB.
You can resize disk images with 'qemu-img resize <imagefile> <new-size>'
(note that this will lose data if you make the image smaller than it
currently is).
Cc: qemu-stable@nongnu.org
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20200713183209.26308-8-f4bug@amsat.org>
Commit: 794d68de2f021a6d3874df41d6bbe8590ec05207
https://github.com/qemu/qemu/commit/794d68de2f021a6d3874df41d6bbe8590ec05207
Author: Philippe Mathieu-Daudé <f4bug@amsat.org>
Date: 2020-07-14 (Tue, 14 Jul 2020)
Changed paths:
M hw/sd/sd.c
Log Message:
-----------
hw/sd/sdcard: Update coding style to make checkpatch.pl happy
To make the next commit easier to review, clean this code first.
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20200630133912.9428-3-f4bug@amsat.org>
Commit: 790762e5487114341cccc5bffcec4cb3c022c3cd
https://github.com/qemu/qemu/commit/790762e5487114341cccc5bffcec4cb3c022c3cd
Author: Philippe Mathieu-Daudé <f4bug@amsat.org>
Date: 2020-07-14 (Tue, 14 Jul 2020)
Changed paths:
M hw/sd/sd.c
Log Message:
-----------
hw/sd/sdcard: Do not switch to ReceivingData if address is invalid
Only move the state machine to ReceivingData if there is no
pending error. This avoids later OOB access while processing
commands queued.
"SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
4.3.3 Data Read
Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
occurred and no data transfer is performed.
4.3.4 Data Write
Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
occurred and no data transfer is performed.
WP_VIOLATION errors are not modified: the error bit is set, we
stay in receive-data state, wait for a stop command. All further
data transfer is ignored. See the check on sd->card_status at the
beginning of sd_read_data() and sd_write_data().
Fixes: CVE-2020-13253
Cc: qemu-stable@nongnu.org
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Buglink: https://bugs.launchpad.net/qemu/+bug/1880822
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20200630133912.9428-6-f4bug@amsat.org>
Commit: 3a9163af4e3dd61795a35d47b702e302f98f81d6
https://github.com/qemu/qemu/commit/3a9163af4e3dd61795a35d47b702e302f98f81d6
Author: Peter Maydell <peter.maydell@linaro.org>
Date: 2020-07-15 (Wed, 15 Jul 2020)
Changed paths:
M MAINTAINERS
M docs/system/arm/orangepi.rst
M hw/sd/sd.c
M tests/acceptance/boot_linux_console.py
Log Message:
-----------
Merge remote-tracking branch
'remotes/philmd-gitlab/tags/sdcard-CVE-2020-13253-pull-request' into staging
Fix CVE-2020-13253
By using invalidated address, guest can do out-of-bounds accesses.
These patches fix the issue by only allowing SD card image sizes
power of 2, and not switching to SEND_DATA state when the address
is invalid (out of range).
This issue was found using QEMU fuzzing mode (using --enable-fuzzing,
see docs/devel/fuzzing.txt) and reported by Alexander Bulekov.
Reproducer:
https://bugs.launchpad.net/qemu/+bug/1880822/comments/1
CI jobs results:
. https://cirrus-ci.com/build/5157142548185088
. https://gitlab.com/philmd/qemu/-/pipelines/166381731
. https://travis-ci.org/github/philmd/qemu/builds/707956535
# gpg: Signature made Tue 14 Jul 2020 14:54:44 BST
# gpg: using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>"
[full]
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD 6BB2 E3E3 2C2C DEAD C0DE
* remotes/philmd-gitlab/tags/sdcard-CVE-2020-13253-pull-request:
hw/sd/sdcard: Do not switch to ReceivingData if address is invalid
hw/sd/sdcard: Update coding style to make checkpatch.pl happy
hw/sd/sdcard: Do not allow invalid SD card sizes
hw/sd/sdcard: Simplify realize() a bit
hw/sd/sdcard: Restrict Class 6 commands to SCSD cards
tests/acceptance/boot_linux: Expand SD card image to power of 2
tests/acceptance/boot_linux: Tag tests using a SD card with 'device:sd'
docs/orangepi: Add instructions for resizing SD image to power of two
MAINTAINERS: Cc qemu-block mailing list
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Compare: https://github.com/qemu/qemu/compare/c920fdba3948...3a9163af4e3d
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Qemu-commits] [qemu/qemu] ba4124: MAINTAINERS: Cc qemu-block mailing list,
Peter Maydell <=