summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLee Chee Yang <chee.yang.lee@intel.com>2020-06-16 08:21:42 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-07-08 09:47:50 (GMT)
commit4e90fb17b129b7a5df584799ec9629474362d50c (patch)
treee5d6d71e2c9e9e7d6ae3ebd87dfe039ad67413c1
parent09d29eb36a335cadb1249f6849e090d22bbf5a2e (diff)
downloadpoky-4e90fb17b129b7a5df584799ec9629474362d50c.tar.gz
qemu: fix CVE-2020-10702 & CVE-2020-13765
(From OE-Core rev: 684307688eb0c1a98be8885164ecc8f578a36cf8) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc2
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-10702.patch52
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13765.patch48
3 files changed, 102 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 4e5ea17..5cdba1f 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -37,6 +37,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
37 file://CVE-2020-7039-3.patch \ 37 file://CVE-2020-7039-3.patch \
38 file://CVE-2020-7211.patch \ 38 file://CVE-2020-7211.patch \
39 file://CVE-2020-11869.patch \ 39 file://CVE-2020-11869.patch \
40 file://CVE-2020-13765.patch \
41 file://CVE-2020-10702.patch \
40 " 42 "
41UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" 43UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
42 44
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-10702.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-10702.patch
new file mode 100644
index 0000000..21a3ceb
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-10702.patch
@@ -0,0 +1,52 @@
1From de0b1bae6461f67243282555475f88b2384a1eb9 Mon Sep 17 00:00:00 2001
2From: Vincent Dehors <vincent.dehors@smile.fr>
3Date: Thu, 23 Jan 2020 15:22:38 +0000
4Subject: [PATCH] target/arm: Fix PAuth sbox functions
5
6In the PAC computation, sbox was applied over wrong bits.
7As this is a 4-bit sbox, bit index should be incremented by 4 instead of 16.
8
9Test vector from QARMA paper (https://eprint.iacr.org/2016/444.pdf) was
10used to verify one computation of the pauth_computepac() function which
11uses sbox2.
12
13Launchpad: https://bugs.launchpad.net/bugs/1859713
14Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
15Signed-off-by: Vincent DEHORS <vincent.dehors@smile.fr>
16Signed-off-by: Adrien GRASSEIN <adrien.grassein@smile.fr>
17Message-id: 20200116230809.19078-2-richard.henderson@linaro.org
18Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
19Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
20
21Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=de0b1bae6461f67243282555475f88b2384a1eb9]
22CVE: CVE-2020-10702
23Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
24---
25 target/arm/pauth_helper.c | 4 ++--
26 1 file changed, 2 insertions(+), 2 deletions(-)
27
28diff --git a/target/arm/pauth_helper.c b/target/arm/pauth_helper.c
29index d3194f2..0a5f41e 100644
30--- a/target/arm/pauth_helper.c
31+++ b/target/arm/pauth_helper.c
32@@ -89,7 +89,7 @@ static uint64_t pac_sub(uint64_t i)
33 uint64_t o = 0;
34 int b;
35
36- for (b = 0; b < 64; b += 16) {
37+ for (b = 0; b < 64; b += 4) {
38 o |= (uint64_t)sub[(i >> b) & 0xf] << b;
39 }
40 return o;
41@@ -104,7 +104,7 @@ static uint64_t pac_inv_sub(uint64_t i)
42 uint64_t o = 0;
43 int b;
44
45- for (b = 0; b < 64; b += 16) {
46+ for (b = 0; b < 64; b += 4) {
47 o |= (uint64_t)inv_sub[(i >> b) & 0xf] << b;
48 }
49 return o;
50--
511.8.3.1
52
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13765.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13765.patch
new file mode 100644
index 0000000..9014ba0
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13765.patch
@@ -0,0 +1,48 @@
1From e423455c4f23a1a828901c78fe6d03b7dde79319 Mon Sep 17 00:00:00 2001
2From: Thomas Huth <thuth@redhat.com>
3Date: Wed, 25 Sep 2019 14:16:43 +0200
4Subject: [PATCH] hw/core/loader: Fix possible crash in rom_copy()
5
6Both, "rom->addr" and "addr" are derived from the binary image
7that can be loaded with the "-kernel" paramer. The code in
8rom_copy() then calculates:
9
10 d = dest + (rom->addr - addr);
11
12and uses "d" as destination in a memcpy() some lines later. Now with
13bad kernel images, it is possible that rom->addr is smaller than addr,
14thus "rom->addr - addr" gets negative and the memcpy() then tries to
15copy contents from the image to a bad memory location. This could
16maybe be used to inject code from a kernel image into the QEMU binary,
17so we better fix it with an additional sanity check here.
18
19Cc: qemu-stable@nongnu.org
20Reported-by: Guangming Liu
21Buglink: https://bugs.launchpad.net/qemu/+bug/1844635
22Message-Id: <20190925130331.27825-1-thuth@redhat.com>
23Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
24Signed-off-by: Thomas Huth <thuth@redhat.com>
25
26Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=e423455c4f23a1a828901c78fe6d03b7dde79319]
27CVE: CVE-2020-13765
28Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
29---
30 hw/core/loader.c | 2 +-
31 1 file changed, 1 insertion(+), 1 deletion(-)
32
33diff --git a/hw/core/loader.c b/hw/core/loader.c
34index 0d60219..5099f27 100644
35--- a/hw/core/loader.c
36+++ b/hw/core/loader.c
37@@ -1281,7 +1281,7 @@ int rom_copy(uint8_t *dest, hwaddr addr, size_t size)
38 if (rom->addr + rom->romsize < addr) {
39 continue;
40 }
41- if (rom->addr > end) {
42+ if (rom->addr > end || rom->addr < addr) {
43 break;
44 }
45
46--
471.8.3.1
48