summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSakib Sajal <sakib.sajal@windriver.com>2021-04-23 00:45:01 -0400
committerRichard Purdie <richard.purdie@linuxfoundation.org>2021-04-24 17:53:05 +0100
commit5c59b634a23d691d88446669e502f54d5d578fda (patch)
tree407cbd25fabf07a53358bc71890fb2e8c7dcdf5c
parent640c6d1191d5b545902ee77cb57ea4467bfcc78b (diff)
downloadpoky-5c59b634a23d691d88446669e502f54d5d578fda.tar.gz
qemu: fix CVE-2020-29443
(From OE-Core rev: 481e012de865ee232fa5a233e9f1d4fc7a2232ab) Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc1
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch107
2 files changed, 108 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 65e0489a97..fc9c9e15f9 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -35,6 +35,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
35 file://CVE-2020-35517_2.patch \ 35 file://CVE-2020-35517_2.patch \
36 file://CVE-2020-35517_3.patch \ 36 file://CVE-2020-35517_3.patch \
37 file://CVE-2021-20181.patch \ 37 file://CVE-2021-20181.patch \
38 file://CVE-2020-29443.patch \
38 " 39 "
39UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" 40UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
40 41
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
new file mode 100644
index 0000000000..c72324fce6
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
@@ -0,0 +1,107 @@
1From c9a71afe182be5b62bd2ccdaf861695e0ec0731a Mon Sep 17 00:00:00 2001
2From: Prasad J Pandit <pjp@fedoraproject.org>
3Date: Mon, 18 Jan 2021 17:21:30 +0530
4Subject: [PATCH] ide: atapi: check logical block address and read size
5 (CVE-2020-29443)
6
7While processing ATAPI cmd_read/cmd_read_cd commands,
8Logical Block Address (LBA) maybe invalid OR closer to the last block,
9leading to an OOB access issues. Add range check to avoid it.
10
11Fixes: CVE-2020-29443
12Reported-by: Wenxiang Qian <leonwxqian@gmail.com>
13Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
14Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
15Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
16Message-Id: <20210118115130.457044-1-ppandit@redhat.com>
17Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
18
19Upstream-Status: Backport [b8d7f1bc59276fec85e4d09f1567613a3e14d31e]
20CVE: CVE-2020-29443
21
22Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
23---
24 hw/ide/atapi.c | 30 ++++++++++++++++++++++++------
25 1 file changed, 24 insertions(+), 6 deletions(-)
26
27diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
28index e79157863..b626199e3 100644
29--- a/hw/ide/atapi.c
30+++ b/hw/ide/atapi.c
31@@ -322,6 +322,8 @@ static void ide_atapi_cmd_reply(IDEState *s, int size, int max_size)
32 static void ide_atapi_cmd_read_pio(IDEState *s, int lba, int nb_sectors,
33 int sector_size)
34 {
35+ assert(0 <= lba && lba < (s->nb_sectors >> 2));
36+
37 s->lba = lba;
38 s->packet_transfer_size = nb_sectors * sector_size;
39 s->elementary_transfer_size = 0;
40@@ -420,6 +422,8 @@ eot:
41 static void ide_atapi_cmd_read_dma(IDEState *s, int lba, int nb_sectors,
42 int sector_size)
43 {
44+ assert(0 <= lba && lba < (s->nb_sectors >> 2));
45+
46 s->lba = lba;
47 s->packet_transfer_size = nb_sectors * sector_size;
48 s->io_buffer_size = 0;
49@@ -973,35 +977,49 @@ static void cmd_prevent_allow_medium_removal(IDEState *s, uint8_t* buf)
50
51 static void cmd_read(IDEState *s, uint8_t* buf)
52 {
53- int nb_sectors, lba;
54+ unsigned int nb_sectors, lba;
55+
56+ /* Total logical sectors of ATAPI_SECTOR_SIZE(=2048) bytes */
57+ uint64_t total_sectors = s->nb_sectors >> 2;
58
59 if (buf[0] == GPCMD_READ_10) {
60 nb_sectors = lduw_be_p(buf + 7);
61 } else {
62 nb_sectors = ldl_be_p(buf + 6);
63 }
64-
65- lba = ldl_be_p(buf + 2);
66 if (nb_sectors == 0) {
67 ide_atapi_cmd_ok(s);
68 return;
69 }
70
71+ lba = ldl_be_p(buf + 2);
72+ if (lba >= total_sectors || lba + nb_sectors - 1 >= total_sectors) {
73+ ide_atapi_cmd_error(s, ILLEGAL_REQUEST, ASC_LOGICAL_BLOCK_OOR);
74+ return;
75+ }
76+
77 ide_atapi_cmd_read(s, lba, nb_sectors, 2048);
78 }
79
80 static void cmd_read_cd(IDEState *s, uint8_t* buf)
81 {
82- int nb_sectors, lba, transfer_request;
83+ unsigned int nb_sectors, lba, transfer_request;
84
85- nb_sectors = (buf[6] << 16) | (buf[7] << 8) | buf[8];
86- lba = ldl_be_p(buf + 2);
87+ /* Total logical sectors of ATAPI_SECTOR_SIZE(=2048) bytes */
88+ uint64_t total_sectors = s->nb_sectors >> 2;
89
90+ nb_sectors = (buf[6] << 16) | (buf[7] << 8) | buf[8];
91 if (nb_sectors == 0) {
92 ide_atapi_cmd_ok(s);
93 return;
94 }
95
96+ lba = ldl_be_p(buf + 2);
97+ if (lba >= total_sectors || lba + nb_sectors - 1 >= total_sectors) {
98+ ide_atapi_cmd_error(s, ILLEGAL_REQUEST, ASC_LOGICAL_BLOCK_OOR);
99+ return;
100+ }
101+
102 transfer_request = buf[9] & 0xf8;
103 if (transfer_request == 0x00) {
104 /* nothing */
105--
1062.29.2
107