xref: /OK3568_Linux_fs/yocto/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-1.patch (revision 4882a59341e53eb6f0b4789bf948001014eff981)
1From b9d383ab797f54ae5fa8746117770709921dc529 Mon Sep 17 00:00:00 2001
2From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
3Date: Wed, 15 Dec 2021 19:24:19 +0100
4Subject: [PATCH] hw/intc/arm_gicv3: Check for !MEMTX_OK instead of MEMTX_ERROR
5MIME-Version: 1.0
6Content-Type: text/plain; charset=utf8
7Content-Transfer-Encoding: 8bit
8
9Quoting Peter Maydell:
10
11 "These MEMTX_* aren't from the memory transaction
12  API functions; they're just being used by gicd_readl() and
13  friends as a way to indicate a success/failure so that the
14  actual MemoryRegionOps read/write fns like gicv3_dist_read()
15  can log a guest error."
16
17We are going to introduce more MemTxResult bits, so it is
18safer to check for !MEMTX_OK rather than MEMTX_ERROR.
19
20Reviewed-by: Peter Xu <peterx@redhat.com>
21Reviewed-by: David Hildenbrand <david@redhat.com>
22Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
23Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
24Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
25Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
26Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
27
28CVE: CVE-2021-3750
29
30Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=b9d383ab797f54ae5fa8746117770709921dc529]
31---
32 hw/intc/arm_gicv3_redist.c | 4 ++--
33 1 file changed, 2 insertions(+), 2 deletions(-)
34
35diff --git a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c
36index c8ff3ec..99b11ca 100644
37--- a/hw/intc/arm_gicv3_redist.c
38+++ b/hw/intc/arm_gicv3_redist.c
39@@ -462,7 +462,7 @@ MemTxResult gicv3_redist_read(void *opaque, hwaddr offset, uint64_t *data,
40         break;
41     }
42
43-    if (r == MEMTX_ERROR) {
44+    if (r != MEMTX_OK) {
45         qemu_log_mask(LOG_GUEST_ERROR,
46                       "%s: invalid guest read at offset " TARGET_FMT_plx
47                       " size %u\n", __func__, offset, size);
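Review bot: the `r != MEMTX_OK` branch in gicv3_redist_read() still logs every non-OK result as "invalid guest read at offset", which will be misleading once the additional MemTxResult bits mentioned in the commit message exist. Consider adding the value of `r` to the qemu_log_mask() message so that a result other than MEMTX_ERROR is not reported as a bad offset. A short comment above the check saying that `r` here is only a local success/failure flag, as the quoted explanation says, would also help anyone auditing this backport.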
48@@ -521,7 +521,7 @@ MemTxResult gicv3_redist_write(void *opaque, hwaddr offset, uint64_t data,
49         break;
50     }
51
52-    if (r == MEMTX_ERROR) {
53+    if (r != MEMTX_OK) {
54         qemu_log_mask(LOG_GUEST_ERROR,
55                       "%s: invalid guest write at offset " TARGET_FMT_plx
56                       " size %u\n", __func__, offset, size);
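Review bot: the changed condition in gicv3_redist_write() covers only the redistributor, and the diffstat lists hw/intc/arm_gicv3_redist.c as the only file touched, while the commit message names gicd_readl() and gicv3_dist_read() from the distributor. Please confirm that the distributor read/write handlers in the tree this backport targets have no remaining `r == MEMTX_ERROR` comparison; if they already use a different check, a sentence in the commit message saying so would close the question. The file name carries a "-1" suffix, so the description should also state which later patch of the CVE-2021-3750 series depends on this preparatory change.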
57--
581.8.3.1
59
60