summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSakib Sajal <sakib.sajal@windriver.com>2020-07-14 15:51:18 -0400
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-07-18 11:06:31 +0100
commit11ea0bfdd1bdf394fe3b046396fba41e51862359 (patch)
tree78a722e6f6ff03e340924aaa4f15a46eee9fafed
parent10e2b84149560cc59cd73dd8b438a00538f1873b (diff)
downloadpoky-11ea0bfdd1bdf394fe3b046396fba41e51862359.tar.gz
qemu: fix CVE-2020-13800
(From OE-Core rev: 2c5f827b285c465fb6eb1d2aff9ec1f4e56cb202) Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc1
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch63
2 files changed, 64 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index a9ef3b78bf..618cc50180 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -34,6 +34,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
34 file://CVE-2020-10761.patch \ 34 file://CVE-2020-10761.patch \
35 file://CVE-2020-13362.patch \ 35 file://CVE-2020-13362.patch \
36 file://CVE-2020-13659.patch \ 36 file://CVE-2020-13659.patch \
37 file://CVE-2020-13800.patch \
37 " 38 "
38UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" 39UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
39 40
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch
new file mode 100644
index 0000000000..52bfafbbae
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch
@@ -0,0 +1,63 @@
1From a98610c429d52db0937c1e48659428929835c455 Mon Sep 17 00:00:00 2001
2From: Prasad J Pandit <pjp@fedoraproject.org>
3Date: Thu, 4 Jun 2020 14:38:30 +0530
4Subject: [PATCH] ati-vga: check mm_index before recursive call
5 (CVE-2020-13800)
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10While accessing VGA registers via ati_mm_read/write routines,
11a guest may set 's->regs.mm_index' such that it leads to infinite
12recursion. Check mm_index value to avoid such recursion. Log an
13error message for wrong values.
14
15Reported-by: Ren Ding <rding@gatech.edu>
16Reported-by: Hanqing Zhao <hanqing@gatech.edu>
17Reported-by: Yi Ren <c4tren@gmail.com>
18Message-id: 20200604090830.33885-1-ppandit@redhat.com
19Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>
20Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
21Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
22Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
23
24Upstream-Status: Backport [a98610c429d52db0937c1e48659428929835c455]
25CVE: CVE-2020-13800
26Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
27---
28 hw/display/ati.c | 10 ++++++++--
29 1 file changed, 8 insertions(+), 2 deletions(-)
30
31diff --git a/hw/display/ati.c b/hw/display/ati.c
32index 065f197678..67604e68de 100644
33--- a/hw/display/ati.c
34+++ b/hw/display/ati.c
35@@ -285,8 +285,11 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
36 if (idx <= s->vga.vram_size - size) {
37 val = ldn_le_p(s->vga.vram_ptr + idx, size);
38 }
39- } else {
40+ } else if (s->regs.mm_index > MM_DATA + 3) {
41 val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
42+ } else {
43+ qemu_log_mask(LOG_GUEST_ERROR,
44+ "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index);
45 }
46 break;
47 case BIOS_0_SCRATCH ... BUS_CNTL - 1:
48@@ -520,8 +523,11 @@ static void ati_mm_write(void *opaque, hwaddr addr,
49 if (idx <= s->vga.vram_size - size) {
50 stn_le_p(s->vga.vram_ptr + idx, size, data);
51 }
52- } else {
53+ } else if (s->regs.mm_index > MM_DATA + 3) {
54 ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
55+ } else {
56+ qemu_log_mask(LOG_GUEST_ERROR,
57+ "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index);
58 }
59 break;
60 case BIOS_0_SCRATCH ... BUS_CNTL - 1:
61--
622.20.1
63