qemu : fix CVE-2022-35414 (#3597)

* qemu : fix CVE-2022-35414

* address PR comment

Co-authored-by: Nicolas Guibourge <[email protected]>

SPECS/qemu/CVE-2022-35414.patch

@@ -0,0 +1,64 @@
+From 418ade7849ce7641c0f7333718caf5091a02fd4c Mon Sep 17 00:00:00 2001
+From: Richard Henderson <[email protected]>
+Date: Tue, 21 Jun 2022 08:38:29 -0700
+Subject: [PATCH] softmmu: Always initialize xlat in
+ address_space_translate_for_iotlb
+
+The bug is an uninitialized memory read, along the translate_fail
+path, which results in garbage being read from iotlb_to_section,
+which can lead to a crash in io_readx/io_writex.
+
+The bug may be fixed by writing any value with zero
+in ~TARGET_PAGE_MASK, so that the call to iotlb_to_section using
+the xlat'ed address returns io_mem_unassigned, as desired by the
+translate_fail path.
+
+It is most useful to record the original physical page address,
+which will eventually be logged by memory_region_access_valid
+when the access is rejected by unassigned_mem_accepts.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1065
+Signed-off-by: Richard Henderson <[email protected]>
+Reviewed-by: Peter Maydell <[email protected]>
+Message-Id: <[email protected]>
+---
+ softmmu/physmem.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/softmmu/physmem.c b/softmmu/physmem.c
+index fb16be57a6c6..dc3c3e5f2e70 100644
+--- a/softmmu/physmem.c
++++ b/softmmu/physmem.c
+@@ -669,7 +669,7 @@ void tcg_iommu_init_notifier_list(CPUState *cpu)
+
+ /* Called from RCU critical section */
+ MemoryRegionSection *
+-address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
++address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr,
+                                   hwaddr *xlat, hwaddr *plen,
+                                   MemTxAttrs attrs, int *prot)
+ {
+@@ -678,6 +678,7 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
+     IOMMUMemoryRegionClass *imrc;
+     IOMMUTLBEntry iotlb;
+     int iommu_idx;
++    hwaddr addr = orig_addr;
+     AddressSpaceDispatch *d =
+         qatomic_rcu_read(&cpu->cpu_ases[asidx].memory_dispatch);
+
+@@ -722,6 +723,16 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
+     return section;
+
+ translate_fail:
++    /*
++     * We should be given a page-aligned address -- certainly
++     * tlb_set_page_with_attrs() does so.  The page offset of xlat
++     * is used to index sections[], and PHYS_SECTION_UNASSIGNED = 0.
++     * The page portion of xlat will be logged by memory_region_access_valid()
++     * when this memory access is rejected, so use the original untranslated
++     * physical address.
++     */
++    assert((orig_addr & ~TARGET_PAGE_MASK) == 0);
++    *xlat = orig_addr;
+     return &d->map.sections[PHYS_SECTION_UNASSIGNED];
+ }

SPECS/qemu/qemu.spec

@@ -217,7 +217,7 @@ Obsoletes: %{name}-system-unicore32-core <= %{version}-%{release}
 Summary:        QEMU is a FAST! processor emulator
 Name:           qemu
 Version:        6.2.0
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        BSD AND CC-BY AND GPLv2+ AND LGPLv2+ AND MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -256,6 +256,7 @@ Patch1002:      CVE-2022-1050.patch
 Patch1003:      CVE-2022-26354.patch
 Patch1004:      CVE-2022-26353.patch
 Patch1005:      CVE-2021-4206.patch
+Patch1006:      CVE-2022-35414.patch
 
 # alsa audio output
 BuildRequires:  alsa-lib-devel
@@ -2282,6 +2283,9 @@ useradd -r -u 107 -g qemu -G kvm -d / -s %{_sbindir}/nologin \
 
 
 %changelog
+* Tue Aug 23 2022 Nicolas Guibourge <[email protected]> - 6.2.0-6
+- address CVE-2022-35414
+
 * Fri Jul 01 2022 Muhammad Falak <[email protected]> - 6.2.0-5
 - Ship efi*rom & pxe*rom rom files