Merge tag 'pull-request-2023-05-26' of https://gitlab.com/thuth/qemu
…into staging

* Use MachineClass->default_nic in more machines to allow running them
  without "--nodefaults" in builds that used "--without-default-devices"
* Improve qtests for such builds
* Add up-/downsampling qtest
* Avoid crash if default RAM backend name has been stolen
* Fix reentrant DMA problem in the lsi53c895a device (CVE-2023-0330)

# -----BEGIN PGP SIGNATURE-----
#
# iQJFBAABCAAvFiEEJ7iIR+7gJQEY8+q5LtnXdP5wLbUFAmRwdqsRHHRodXRoQHJl
# ZGhhdC5jb20ACgkQLtnXdP5wLbXk6g//eQzVGv1Ep4ZusQXPDpFJLgBNq7JMOF6a
# bWa6fTluzCn2ivnbgPEf0lV1TsCrUuQwqWlEozylltE6l4zbmIWBMO8F/6Wy0JZH
# DuBrO9fio+nKhcEqeFLE+wTWUCiBqM66n8LL+rznO3RjXv2QU8zhk9owmsEKZUV0
# vXrMO5XdUO/dTrxyBdVjbok9L1UpkF+Sp9LEHNxIJZnAqhVmx13jnKq6WTrDR/fX
# ZwGbwWxsnTZl5PuPsHePdTWhXigzZJYcI5TSfcdTVHbzIxVKzFIvTX7stKxySL3b
# 3rXqmkmdozi28UPq7kXvLRoN8VscORgC3J+0izVxd1P0q+sh6p+hF/8T1r0UCqWa
# cgPoqGP5fcqfQiQxdaPbm3Ar9qscZPqzpZWxzjFQsptxf69RIEg+8XZq/EP+6g+c
# GxCh1cqugLdWvZPpBjoGIDlftxJZ99rMKnOZJEudaAIDzRWbNBuqzVo5osj8n5ht
# m68Nanlil451+ySuTS7iiWyyKXF6hIfe5I6A72QdxMPeHsavcCk5D5AN76dFSTmN
# XWWqlk9CNYbvaYSIqyxJpANiwA5Y0j7r6GVXdWFZ9YRt//+z2rMwOrZIqYyvoscE
# 5p+ul/qgUq10XkNwI9t1pd9DX8g+5yuIY0chfC9G1B0AuiPHzvmszORBYY+8+7GT
# 2Rwq/HqraC4=
# =eab7
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 26 May 2023 02:06:51 AM PDT
# gpg:                using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5
# gpg:                issuer "thuth@redhat.com"
# gpg: Good signature from "Thomas Huth <th.huth@gmx.de>" [undefined]
# gpg:                 aka "Thomas Huth <thuth@redhat.com>" [undefined]
# gpg:                 aka "Thomas Huth <th.huth@posteo.de>" [unknown]
# gpg:                 aka "Thomas Huth <huth@tuxfamily.org>" [undefined]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 27B8 8847 EEE0 2501 18F3  EAB9 2ED9 D774 FE70 2DB5

* tag 'pull-request-2023-05-26' of https://gitlab.com/thuth/qemu:
  hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller (CVE-2023-0330)
  lsi53c895a: disable reentrancy detection for MMIO region, too
  machine: do not crash if default RAM backend name has been stolen
  tests/qtest/ac97-test: add up-/downsampling tests
  tests/qtest/usb-hcd-ehci-test: Check for EHCI and UHCI HCDs before using them
  tests/qtest/rtl8139-test: Check whether the rtl8139 device is available
  tests/qtest: Check for virtio-blk before using -cdrom with the arm virt machine
  tests/qtest/usb-hcd-uhci-test: Check whether "usb-storage" is available
  hw/mips: Use MachineClass->default_nic in the virt machine
  hw/arm: Use MachineClass->default_nic in the sbsa-ref machine
  hw/xtensa: Use MachineClass->default_nic in the virt machine
  hw/loongarch64: Use MachineClass->default_nic in the virt machine
  hw/arm: Use MachineClass->default_nic in the virt machine
  hw/alpha: Use MachineClass->default_nic in the alpha machine
  hw/hppa: Use MachineClass->default_nic in the hppa machine

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
rth7680 committed May 26, 2023
2 parents a3cb6d5 + b987718 commit 9cb47a1
Showing 16 changed files with 140 additions and 19 deletions.
4 changes: 3 additions & 1 deletion hw/alpha/dp264.c
Expand Up @@ -49,6 +49,7 @@ static void clipper_init(MachineState *machine)
const char *kernel_filename = machine->kernel_filename;
const char *kernel_cmdline = machine->kernel_cmdline;
const char *initrd_filename = machine->initrd_filename;
MachineClass *mc = MACHINE_GET_CLASS(machine);
AlphaCPU *cpus[4];
PCIBus *pci_bus;
PCIDevice *pci_dev;
Expand Down Expand Up @@ -124,7 +125,7 @@ static void clipper_init(MachineState *machine)

/* Network setup. e1000 is good enough, failing Tulip support. */
for (i = 0; i < nb_nics; i++) {
pci_nic_init_nofail(&nd_table[i], pci_bus, "e1000", NULL);
pci_nic_init_nofail(&nd_table[i], pci_bus, mc->default_nic, NULL);
}

/* Super I/O */
Expand Down Expand Up @@ -213,6 +214,7 @@ static void clipper_machine_init(MachineClass *mc)
mc->is_default = true;
mc->default_cpu_type = ALPHA_CPU_TYPE_NAME("ev67");
mc->default_ram_id = "ram";
mc->default_nic = "e1000";
}

DEFINE_MACHINE("clipper", clipper_machine_init)
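Review bot: The init-time read of `mc->default_nic` at `pci_nic_init_nofail(&nd_table[i], pci_bus, mc->default_nic, NULL);` now depends on `clipper_machine_init` having set the field, but nothing at the use site documents that coupling, and how `pci_nic_init_nofail` treats a NULL default model is not visible in this hunk. A one-line comment such as `/* default_nic is set in clipper_machine_init(); NULL would mean no default model */`, or a `g_assert(mc->default_nic);` before the loop, would make the contract explicit. The same pattern appears in hw/arm/sbsa-ref.c, hw/arm/virt.c, hw/hppa/machine.c, hw/loongarch/virt.c, hw/mips/loongson3_virt.c and hw/xtensa/virt.c, where `g_strdup(mc->default_nic)` would silently leave `nd->model` NULL if the class field were ever unset. clipper_init continues outside the hunk.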
4 changes: 3 additions & 1 deletion hw/arm/sbsa-ref.c
Expand Up @@ -596,6 +596,7 @@ static void create_pcie(SBSAMachineState *sms)
hwaddr size_mmio_high = sbsa_ref_memmap[SBSA_PCIE_MMIO_HIGH].size;
hwaddr base_pio = sbsa_ref_memmap[SBSA_PCIE_PIO].base;
int irq = sbsa_ref_irqmap[SBSA_PCIE];
MachineClass *mc = MACHINE_GET_CLASS(sms);
MemoryRegion *mmio_alias, *mmio_alias_high, *mmio_reg;
MemoryRegion *ecam_alias, *ecam_reg;
DeviceState *dev;
Expand Down Expand Up @@ -641,7 +642,7 @@ static void create_pcie(SBSAMachineState *sms)
NICInfo *nd = &nd_table[i];

if (!nd->model) {
nd->model = g_strdup("e1000e");
nd->model = g_strdup(mc->default_nic);
}

pci_nic_init_nofail(nd, pci->bus, nd->model, NULL);
Expand Down Expand Up @@ -858,6 +859,7 @@ static void sbsa_ref_class_init(ObjectClass *oc, void *data)
mc->minimum_page_bits = 12;
mc->block_default_type = IF_IDE;
mc->no_cdrom = 1;
mc->default_nic = "e1000e";
mc->default_ram_size = 1 * GiB;
mc->default_ram_id = "sbsa-ref.ram";
mc->default_cpus = 4;
4 changes: 3 additions & 1 deletion hw/arm/virt.c
Expand Up @@ -1426,6 +1426,7 @@ static void create_pcie(VirtMachineState *vms)
int i, ecam_id;
PCIHostState *pci;
MachineState *ms = MACHINE(vms);
MachineClass *mc = MACHINE_GET_CLASS(ms);

dev = qdev_new(TYPE_GPEX_HOST);
sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);
Expand Down Expand Up @@ -1479,7 +1480,7 @@ static void create_pcie(VirtMachineState *vms)
NICInfo *nd = &nd_table[i];

if (!nd->model) {
nd->model = g_strdup("virtio");
nd->model = g_strdup(mc->default_nic);
}

pci_nic_init_nofail(nd, pci->bus, nd->model, NULL);
Expand Down Expand Up @@ -3033,6 +3034,7 @@ static void virt_machine_class_init(ObjectClass *oc, void *data)
mc->auto_enable_numa_with_memhp = true;
mc->auto_enable_numa_with_memdev = true;
mc->default_ram_id = "mach-virt.ram";
mc->default_nic = "virtio-net-pci";

object_class_property_add(oc, "acpi", "OnOffAuto",
virt_get_acpi, virt_set_acpi,
8 changes: 8 additions & 0 deletions hw/core/machine.c
Expand Up @@ -1338,6 +1338,14 @@ void machine_run_board_init(MachineState *machine, const char *mem_path, Error *
}
} else if (machine_class->default_ram_id && machine->ram_size &&
numa_uses_legacy_mem()) {
if (object_property_find(object_get_objects_root(),
machine_class->default_ram_id)) {
error_setg(errp, "object name '%s' is reserved for the default"
" RAM backend, it can't be used for any other purposes."
" Change the object's 'id' to something else",
machine_class->default_ram_id);
return;
}
if (!create_default_memdev(current_machine, mem_path, errp)) {
return;
}
4 changes: 3 additions & 1 deletion hw/hppa/machine.c
Expand Up @@ -177,6 +177,7 @@ static void machine_hppa_init(MachineState *machine)
const char *kernel_filename = machine->kernel_filename;
const char *kernel_cmdline = machine->kernel_cmdline;
const char *initrd_filename = machine->initrd_filename;
MachineClass *mc = MACHINE_GET_CLASS(machine);
DeviceState *dev, *dino_dev, *lasi_dev;
PCIBus *pci_bus;
ISABus *isa_bus;
Expand Down Expand Up @@ -272,7 +273,7 @@ static void machine_hppa_init(MachineState *machine)

for (i = 0; i < nb_nics; i++) {
if (!enable_lasi_lan()) {
pci_nic_init_nofail(&nd_table[i], pci_bus, "tulip", NULL);
pci_nic_init_nofail(&nd_table[i], pci_bus, mc->default_nic, NULL);
}
}

Expand Down Expand Up @@ -462,6 +463,7 @@ static void hppa_machine_init_class_init(ObjectClass *oc, void *data)
mc->default_ram_size = 512 * MiB;
mc->default_boot_order = "cd";
mc->default_ram_id = "ram";
mc->default_nic = "tulip";

nc->nmi_monitor_handler = hppa_nmi;
}
4 changes: 3 additions & 1 deletion hw/loongarch/virt.c
Expand Up @@ -474,6 +474,7 @@ static DeviceState *create_platform_bus(DeviceState *pch_pic)

static void loongarch_devices_init(DeviceState *pch_pic, LoongArchMachineState *lams)
{
MachineClass *mc = MACHINE_GET_CLASS(lams);
DeviceState *gpex_dev;
SysBusDevice *d;
PCIBus *pci_bus;
Expand Down Expand Up @@ -528,7 +529,7 @@ static void loongarch_devices_init(DeviceState *pch_pic, LoongArchMachineState *
NICInfo *nd = &nd_table[i];

if (!nd->model) {
nd->model = g_strdup("virtio");
nd->model = g_strdup(mc->default_nic);
}

pci_nic_init_nofail(nd, pci_bus, nd->model, NULL);
Expand Down Expand Up @@ -1038,6 +1039,7 @@ static void loongarch_class_init(ObjectClass *oc, void *data)
mc->default_boot_order = "c";
mc->no_cdrom = 1;
mc->get_hotplug_handler = virt_machine_get_hotplug_handler;
mc->default_nic = "virtio-net-pci";
hc->plug = loongarch_machine_device_plug_cb;
hc->pre_plug = virt_machine_device_pre_plug;
hc->unplug_request = virt_machine_device_unplug_request;
4 changes: 3 additions & 1 deletion hw/mips/loongson3_virt.c
Expand Up @@ -406,6 +406,7 @@ static inline void loongson3_virt_devices_init(MachineState *machine,
PCIBus *pci_bus;
DeviceState *dev;
MemoryRegion *mmio_reg, *ecam_reg;
MachineClass *mc = MACHINE_GET_CLASS(machine);
LoongsonMachineState *s = LOONGSON_MACHINE(machine);

dev = qdev_new(TYPE_GPEX_HOST);
Expand Down Expand Up @@ -456,7 +457,7 @@ static inline void loongson3_virt_devices_init(MachineState *machine,
NICInfo *nd = &nd_table[i];

if (!nd->model) {
nd->model = g_strdup("virtio");
nd->model = g_strdup(mc->default_nic);
}

pci_nic_init_nofail(nd, pci_bus, nd->model, NULL);
Expand Down Expand Up @@ -619,6 +620,7 @@ static void loongson3v_machine_class_init(ObjectClass *oc, void *data)
mc->default_ram_size = 1600 * MiB;
mc->kvm_type = mips_kvm_type;
mc->minimum_page_bits = 14;
mc->default_nic = "virtio-net-pci";
}

static const TypeInfo loongson3_machine_types[] = {
24 changes: 18 additions & 6 deletions hw/scsi/lsi53c895a.c
Expand Up @@ -1134,15 +1134,24 @@ static void lsi_execute_script(LSIState *s)
uint32_t addr, addr_high;
int opcode;
int insn_processed = 0;
static int reentrancy_level;

reentrancy_level++;

s->istat1 |= LSI_ISTAT1_SRUN;
again:
if (++insn_processed > LSI_MAX_INSN) {
/* Some windows drivers make the device spin waiting for a memory
location to change. If we have been executed a lot of code then
assume this is the case and force an unexpected device disconnect.
This is apparently sufficient to beat the drivers into submission.
*/
/*
* Some windows drivers make the device spin waiting for a memory location
* to change. If we have executed more than LSI_MAX_INSN instructions then
* assume this is the case and force an unexpected device disconnect. This
* is apparently sufficient to beat the drivers into submission.
*
* Another issue (CVE-2023-0330) can occur if the script is programmed to
* trigger itself again and again. Avoid this problem by stopping after
* being called multiple times in a reentrant way (8 is an arbitrary value
* which should be enough for all valid use cases).
*/
if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) {
if (!(s->sien0 & LSI_SIST0_UDC)) {
qemu_log_mask(LOG_GUEST_ERROR,
"lsi_scsi: inf. loop with UDC masked");
Expand Down Expand Up @@ -1596,6 +1605,8 @@ static void lsi_execute_script(LSIState *s)
}
}
trace_lsi_execute_script_stop();

reentrancy_level--;
}

static uint8_t lsi_reg_readb(LSIState *s, int offset)
Expand Down Expand Up @@ -2307,6 +2318,7 @@ static void lsi_scsi_realize(PCIDevice *dev, Error **errp)
* re-entrancy guard.
*/
s->ram_io.disable_reentrancy_guard = true;
s->mmio_io.disable_reentrancy_guard = true;

address_space_init(&s->pci_io_as, pci_address_space_io(dev), "lsi-pci-io");
qdev_init_gpio_out(d, &s->ext_irq, 1);
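Review bot: `static int reentrancy_level;` is a single process-wide counter rather than per-device state, so the nesting budget is shared by every lsi53c895a instance in the machine, and if any path between `reentrancy_level++` and the `reentrancy_level--` at the end of lsi_execute_script leaves the function early the counter never recovers and later script runs would hit the limit spuriously; most of the function body is outside the hunk, so I cannot confirm there is no such path. Moving the counter into `LSIState` (e.g. `s->reentrancy_level`) would scope it per device and let the device's reset path clear it. The literal 8 should also be a named constant next to `LSI_MAX_INSN`, e.g. `#define LSI_MAX_REENTRANCY 8` with the condition reading `reentrancy_level > LSI_MAX_REENTRANCY`. Since the third hunk disables the generic guard for the MMIO region (`s->mmio_io.disable_reentrancy_guard = true;`), this counter is now the only reentrancy limit for that region; the comment above that line, which starts outside the hunk, should say so.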
9 changes: 6 additions & 3 deletions hw/xtensa/virt.c
Expand Up @@ -38,7 +38,8 @@
#include "xtensa_memory.h"
#include "xtensa_sim.h"

static void create_pcie(CPUXtensaState *env, int irq_base, hwaddr addr_base)
static void create_pcie(MachineState *ms, CPUXtensaState *env, int irq_base,
hwaddr addr_base)
{
hwaddr base_ecam = addr_base + 0x00100000;
hwaddr size_ecam = 0x03f00000;
Expand All @@ -54,6 +55,7 @@ static void create_pcie(CPUXtensaState *env, int irq_base, hwaddr addr_base)
MemoryRegion *mmio_alias;
MemoryRegion *mmio_reg;

MachineClass *mc = MACHINE_GET_CLASS(ms);
DeviceState *dev;
PCIHostState *pci;
qemu_irq *extints;
Expand Down Expand Up @@ -104,7 +106,7 @@ static void create_pcie(CPUXtensaState *env, int irq_base, hwaddr addr_base)
NICInfo *nd = &nd_table[i];

if (!nd->model) {
nd->model = g_strdup("virtio");
nd->model = g_strdup(mc->default_nic);
}

pci_nic_init_nofail(nd, pci->bus, nd->model, NULL);
Expand All @@ -117,7 +119,7 @@ static void xtensa_virt_init(MachineState *machine)
XtensaCPU *cpu = xtensa_sim_common_init(machine);
CPUXtensaState *env = &cpu->env;

create_pcie(env, 0, 0xf0000000);
create_pcie(machine, env, 0, 0xf0000000);
xtensa_sim_load_kernel(cpu, machine);
}

Expand All @@ -127,6 +129,7 @@ static void xtensa_virt_machine_init(MachineClass *mc)
mc->init = xtensa_virt_init;
mc->max_cpus = 32;
mc->default_cpu_type = XTENSA_DEFAULT_CPU_TYPE;
mc->default_nic = "virtio-net-pci";
}

DEFINE_MACHINE("virt", xtensa_virt_machine_init)
40 changes: 39 additions & 1 deletion tests/qtest/ac97-test.c
Expand Up @@ -42,16 +42,54 @@ static void *ac97_create(void *pci_bus, QGuestAllocator *alloc, void *addr)
return &ac97->obj;
}

/*
* This is rather a test of the audio subsystem and not an AC97 test. Test if
* the audio subsystem can handle a 44100/1 upsample ratio. For some time this
* used to trigger QEMU aborts.
*/
static void ac97_playback_upsample(void *obj, void *data, QGuestAllocator *alloc)
{
QAC97 *ac97 = obj;
QPCIDevice *dev = &ac97->dev;
QPCIBar bar0;

qpci_device_enable(dev);
bar0 = qpci_iomap(dev, 0, NULL);
/* IOBAR0 offset 0x2c: PCM Front DAC Rate */
qpci_io_writew(dev, bar0, 0x2c, 0x1);
}

/*
* This test is similar to the playback upsample test. QEMU shouldn't abort if
* asked for a 1/44100 downsample ratio.
*/
static void ac97_record_downsample(void *obj, void *data, QGuestAllocator *alloc)
{
QAC97 *ac97 = obj;
QPCIDevice *dev = &ac97->dev;
QPCIBar bar0;

qpci_device_enable(dev);
bar0 = qpci_iomap(dev, 0, NULL);
/* IOBAR0 offset 0x32: PCM L/R ADC Rate */
qpci_io_writew(dev, bar0, 0x32, 0x1);
}

static void ac97_register_nodes(void)
{
QOSGraphEdgeOptions opts = {
.extra_device_opts = "addr=04.0",
.extra_device_opts = "addr=04.0,audiodev=snd0",
.after_cmd_line = "-audiodev none,id=snd0"
",out.frequency=44100,in.frequency=44100",
};
add_qpci_address(&opts, &(QPCIAddress) { .devfn = QPCI_DEVFN(4, 0) });

qos_node_create_driver("AC97", ac97_create);
qos_node_produces("AC97", "pci-device");
qos_node_consumes("AC97", "pci-bus", &opts);

qos_add_test("playback_upsample", "AC97", ac97_playback_upsample, NULL);
qos_add_test("record_downsample", "AC97", ac97_record_downsample, NULL);
}

libqos_init(ac97_register_nodes);
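Review bot: Neither `ac97_playback_upsample` nor `ac97_record_downsample` checks anything after the rate write, so the tests only establish that QEMU survives it; if the codec reflects the programmed rate back in the same register, a read-back such as `g_assert_cmphex(qpci_io_readw(dev, bar0, 0x2c), ==, 0x1);` (and the 0x32 equivalent for the record case) would also catch the write being silently ignored, which would turn the test into a no-op. Whether those registers read back as written is not visible here, so confirm against the device model before adding it. The unused `data` and `alloc` parameters are presumably required by the `qos_add_test` callback signature; a short comment saying so would save the next reader a lookup.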
2 changes: 1 addition & 1 deletion tests/qtest/bios-tables-test.c
Expand Up @@ -2164,7 +2164,7 @@ int main(int argc, char *argv[])
}
}
} else if (strcmp(arch, "aarch64") == 0) {
if (has_tcg) {
if (has_tcg && qtest_has_device("virtio-blk-pci")) {
qtest_add_func("acpi/virt", test_acpi_virt_tcg);
qtest_add_func("acpi/virt/acpihmatvirt",
test_acpi_virt_tcg_acpi_hmat);
6 changes: 5 additions & 1 deletion tests/qtest/cdrom-test.c
Expand Up @@ -264,9 +264,13 @@ int main(int argc, char **argv)
const char *armmachines[] = {
"realview-eb", "realview-eb-mpcore", "realview-pb-a8",
"realview-pbx-a9", "versatileab", "versatilepb", "vexpress-a15",
"vexpress-a9", "virt", NULL
"vexpress-a9", NULL
};
add_cdrom_param_tests(armmachines);
if (qtest_has_device("virtio-blk-pci")) {
const char *virtmachine[] = { "virt", NULL };
add_cdrom_param_tests(virtmachine);
}
} else {
const char *nonemachine[] = { "none", NULL };
add_cdrom_param_tests(nonemachine);
33 changes: 33 additions & 0 deletions tests/qtest/fuzz-lsi53c895a-test.c
Expand Up @@ -8,6 +8,36 @@
#include "qemu/osdep.h"
#include "libqtest.h"

/*
* This used to trigger a DMA reentrancy issue
* leading to memory corruption bugs like stack
* overflow or use-after-free
* https://gitlab.com/qemu-project/qemu/-/issues/1563
*/
static void test_lsi_dma_reentrancy(void)
{
QTestState *s;

s = qtest_init("-M q35 -m 512M -nodefaults "
"-blockdev driver=null-co,node-name=null0 "
"-device lsi53c810 -device scsi-cd,drive=null0");

qtest_outl(s, 0xcf8, 0x80000804); /* PCI Command Register */
qtest_outw(s, 0xcfc, 0x7); /* Enables accesses */
qtest_outl(s, 0xcf8, 0x80000814); /* Memory Bar 1 */
qtest_outl(s, 0xcfc, 0xff100000); /* Set MMIO Address*/
qtest_outl(s, 0xcf8, 0x80000818); /* Memory Bar 2 */
qtest_outl(s, 0xcfc, 0xff000000); /* Set RAM Address*/
qtest_writel(s, 0xff000000, 0xc0000024);
qtest_writel(s, 0xff000114, 0x00000080);
qtest_writel(s, 0xff00012c, 0xff000000);
qtest_writel(s, 0xff000004, 0xff000114);
qtest_writel(s, 0xff000008, 0xff100014);
qtest_writel(s, 0xff10002f, 0x000000ff);

qtest_quit(s);
}

/*
* This used to trigger a UAF in lsi_do_msgout()
* https://gitlab.com/qemu-project/qemu/-/issues/972
Expand Down Expand Up @@ -124,5 +154,8 @@ int main(int argc, char **argv)
qtest_add_func("fuzz/lsi53c895a/lsi_do_msgout_cancel_req",
test_lsi_do_msgout_cancel_req);

qtest_add_func("fuzz/lsi53c895a/lsi_dma_reentrancy",
test_lsi_dma_reentrancy);

return g_test_run();
}
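Review bot: The six `qtest_writel` calls at the end of `test_lsi_dma_reentrancy` carry no comments, unlike the config-space writes above them, so a reader cannot tell which device registers or script words each one programs, nor why the final store targets the odd offset `0xff10002f`. A short comment per write naming the register or script slot being set (the values come from the linked issue's reproducer) would keep this regression test maintainable. The BAR bases `0xff100000` and `0xff000000` also recur as bare literals in the later writes; naming them would tie those writes to the BAR setup. The function is complete within the hunk.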
4 changes: 4 additions & 0 deletions tests/qtest/rtl8139-test.c
Expand Up @@ -209,6 +209,10 @@ int main(int argc, char **argv)

g_test_init(&argc, &argv, NULL);

if (!qtest_has_device("rtl8139")) {
return 0;
}

qtest_start("-device rtl8139");

qtest_add_func("/rtl8139/nop", nop);
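Review bot: When `qtest_has_device("rtl8139")` is false, main returns 0 right after `g_test_init` without registering any tests, so the binary reports success while having run nothing and the log gives no hint why. A `g_test_message("rtl8139 device not available, skipping");` before the `return 0;` would make the skip visible to whoever reads the test output. main continues past the hunk.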
