diff options
author | Lee Chee Yang <chee.yang.lee@intel.com> | 2020-06-16 16:21:42 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-07-08 10:47:50 +0100 |
commit | 4e90fb17b129b7a5df584799ec9629474362d50c (patch) | |
tree | e5d6d71e2c9e9e7d6ae3ebd87dfe039ad67413c1 | |
parent | 09d29eb36a335cadb1249f6849e090d22bbf5a2e (diff) | |
download | poky-4e90fb17b129b7a5df584799ec9629474362d50c.tar.gz |
qemu: fix CVE-2020-10702 & CVE-2020-13765
(From OE-Core rev: 684307688eb0c1a98be8885164ecc8f578a36cf8)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 2 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-10702.patch | 52 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-13765.patch | 48 |
3 files changed, 102 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 4e5ea174a9..5cdba1f02c 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc | |||
@@ -37,6 +37,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ | |||
37 | file://CVE-2020-7039-3.patch \ | 37 | file://CVE-2020-7039-3.patch \ |
38 | file://CVE-2020-7211.patch \ | 38 | file://CVE-2020-7211.patch \ |
39 | file://CVE-2020-11869.patch \ | 39 | file://CVE-2020-11869.patch \ |
40 | file://CVE-2020-13765.patch \ | ||
41 | file://CVE-2020-10702.patch \ | ||
40 | " | 42 | " |
41 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" | 43 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" |
42 | 44 | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-10702.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-10702.patch new file mode 100644 index 0000000000..21a3ceb30d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-10702.patch | |||
@@ -0,0 +1,52 @@ | |||
1 | From de0b1bae6461f67243282555475f88b2384a1eb9 Mon Sep 17 00:00:00 2001 | ||
2 | From: Vincent Dehors <vincent.dehors@smile.fr> | ||
3 | Date: Thu, 23 Jan 2020 15:22:38 +0000 | ||
4 | Subject: [PATCH] target/arm: Fix PAuth sbox functions | ||
5 | |||
6 | In the PAC computation, sbox was applied over wrong bits. | ||
7 | As this is a 4-bit sbox, bit index should be incremented by 4 instead of 16. | ||
8 | |||
9 | Test vector from QARMA paper (https://eprint.iacr.org/2016/444.pdf) was | ||
10 | used to verify one computation of the pauth_computepac() function which | ||
11 | uses sbox2. | ||
12 | |||
13 | Launchpad: https://bugs.launchpad.net/bugs/1859713 | ||
14 | Reviewed-by: Richard Henderson <richard.henderson@linaro.org> | ||
15 | Signed-off-by: Vincent DEHORS <vincent.dehors@smile.fr> | ||
16 | Signed-off-by: Adrien GRASSEIN <adrien.grassein@smile.fr> | ||
17 | Message-id: 20200116230809.19078-2-richard.henderson@linaro.org | ||
18 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
19 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
20 | |||
21 | Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=de0b1bae6461f67243282555475f88b2384a1eb9] | ||
22 | CVE: CVE-2020-10702 | ||
23 | Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> | ||
24 | --- | ||
25 | target/arm/pauth_helper.c | 4 ++-- | ||
26 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
27 | |||
28 | diff --git a/target/arm/pauth_helper.c b/target/arm/pauth_helper.c | ||
29 | index d3194f2..0a5f41e 100644 | ||
30 | --- a/target/arm/pauth_helper.c | ||
31 | +++ b/target/arm/pauth_helper.c | ||
32 | @@ -89,7 +89,7 @@ static uint64_t pac_sub(uint64_t i) | ||
33 | uint64_t o = 0; | ||
34 | int b; | ||
35 | |||
36 | - for (b = 0; b < 64; b += 16) { | ||
37 | + for (b = 0; b < 64; b += 4) { | ||
38 | o |= (uint64_t)sub[(i >> b) & 0xf] << b; | ||
39 | } | ||
40 | return o; | ||
41 | @@ -104,7 +104,7 @@ static uint64_t pac_inv_sub(uint64_t i) | ||
42 | uint64_t o = 0; | ||
43 | int b; | ||
44 | |||
45 | - for (b = 0; b < 64; b += 16) { | ||
46 | + for (b = 0; b < 64; b += 4) { | ||
47 | o |= (uint64_t)inv_sub[(i >> b) & 0xf] << b; | ||
48 | } | ||
49 | return o; | ||
50 | -- | ||
51 | 1.8.3.1 | ||
52 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13765.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13765.patch new file mode 100644 index 0000000000..9014ba0f13 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13765.patch | |||
@@ -0,0 +1,48 @@ | |||
1 | From e423455c4f23a1a828901c78fe6d03b7dde79319 Mon Sep 17 00:00:00 2001 | ||
2 | From: Thomas Huth <thuth@redhat.com> | ||
3 | Date: Wed, 25 Sep 2019 14:16:43 +0200 | ||
4 | Subject: [PATCH] hw/core/loader: Fix possible crash in rom_copy() | ||
5 | |||
6 | Both, "rom->addr" and "addr" are derived from the binary image | ||
7 | that can be loaded with the "-kernel" paramer. The code in | ||
8 | rom_copy() then calculates: | ||
9 | |||
10 | d = dest + (rom->addr - addr); | ||
11 | |||
12 | and uses "d" as destination in a memcpy() some lines later. Now with | ||
13 | bad kernel images, it is possible that rom->addr is smaller than addr, | ||
14 | thus "rom->addr - addr" gets negative and the memcpy() then tries to | ||
15 | copy contents from the image to a bad memory location. This could | ||
16 | maybe be used to inject code from a kernel image into the QEMU binary, | ||
17 | so we better fix it with an additional sanity check here. | ||
18 | |||
19 | Cc: qemu-stable@nongnu.org | ||
20 | Reported-by: Guangming Liu | ||
21 | Buglink: https://bugs.launchpad.net/qemu/+bug/1844635 | ||
22 | Message-Id: <20190925130331.27825-1-thuth@redhat.com> | ||
23 | Reviewed-by: Michael S. Tsirkin <mst@redhat.com> | ||
24 | Signed-off-by: Thomas Huth <thuth@redhat.com> | ||
25 | |||
26 | Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=e423455c4f23a1a828901c78fe6d03b7dde79319] | ||
27 | CVE: CVE-2020-13765 | ||
28 | Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> | ||
29 | --- | ||
30 | hw/core/loader.c | 2 +- | ||
31 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
32 | |||
33 | diff --git a/hw/core/loader.c b/hw/core/loader.c | ||
34 | index 0d60219..5099f27 100644 | ||
35 | --- a/hw/core/loader.c | ||
36 | +++ b/hw/core/loader.c | ||
37 | @@ -1281,7 +1281,7 @@ int rom_copy(uint8_t *dest, hwaddr addr, size_t size) | ||
38 | if (rom->addr + rom->romsize < addr) { | ||
39 | continue; | ||
40 | } | ||
41 | - if (rom->addr > end) { | ||
42 | + if (rom->addr > end || rom->addr < addr) { | ||
43 | break; | ||
44 | } | ||
45 | |||
46 | -- | ||
47 | 1.8.3.1 | ||
48 | |||