authorSakib Sajal <sakib.sajal@windriver.com>2021-04-23 00:45:04 -0400
committerRichard Purdie <richard.purdie@linuxfoundation.org>2021-04-24 17:53:05 +0100
commit4284f80d1f6d8146aa85dc8a4b4c13f432134433 (patch)
treeffe7be7765153c96d5260d85a1e0852d9ba2772f
parentea7850cd837571a58a10aa0d674a8ddbac1c337b (diff)
qemu: fix CVE-2021-3416
(From OE-Core rev: e2b5bc11d1b26b73b62e1a63cb75572793282dcb) Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc10
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch177
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch44
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch42
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch43
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_4.patch43
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch45
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch43
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch45
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch44
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch46
11 files changed, 582 insertions, 0 deletions
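--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -43,6 +43,16 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
  file://CVE-2021-3409_4.patch \
  file://CVE-2021-3409_5.patch \
  file://CVE-2021-3409_6.patch \
+ file://CVE-2021-3416_1.patch \
+ file://CVE-2021-3416_2.patch \
+ file://CVE-2021-3416_3.patch \
+ file://CVE-2021-3416_4.patch \
+ file://CVE-2021-3416_5.patch \
+ file://CVE-2021-3416_6.patch \
+ file://CVE-2021-3416_7.patch \
+ file://CVE-2021-3416_8.patch \
+ file://CVE-2021-3416_9.patch \
+ file://CVE-2021-3416_10.patch \
  "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 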
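--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch
@@ -0,0 +1,177 @@
+From 4b1988a29d67277d6c8ce1df52975f5616592913 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 11:44:36 +0800
+Subject: [PATCH 01/10] net: introduce qemu_receive_packet()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some NIC supports loopback mode and this is done by calling
+nc->info->receive() directly which in fact suppresses the effort of
+reentrancy check that is done in qemu_net_queue_send().
+
+Unfortunately we can't use qemu_net_queue_send() here since for
+loopback there's no sender as peer, so this patch introduce a
+qemu_receive_packet() which is used for implementing loopback mode
+for a NIC with this check.
+
+NIC that supports loopback mode will be converted to this helper.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [705df5466c98f3efdd2b68d3b31dad86858acad7]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ include/net/net.h | 5 +++++
+ include/net/queue.h | 8 ++++++++
+ net/net.c | 38 +++++++++++++++++++++++++++++++-------
+ net/queue.c | 22 ++++++++++++++++++++++
+ 4 files changed, 66 insertions(+), 7 deletions(-)
+
+diff --git a/include/net/net.h b/include/net/net.h
+index 778fc787c..03f058ecb 100644
+--- a/include/net/net.h
++++ b/include/net/net.h
+@@ -143,12 +143,17 @@ void *qemu_get_nic_opaque(NetClientState *nc);
+ void qemu_del_net_client(NetClientState *nc);
+ typedef void (*qemu_nic_foreach)(NICState *nic, void *opaque);
+ void qemu_foreach_nic(qemu_nic_foreach func, void *opaque);
++int qemu_can_receive_packet(NetClientState *nc);
+ int qemu_can_send_packet(NetClientState *nc);
+ ssize_t qemu_sendv_packet(NetClientState *nc, const struct iovec *iov,
+ int iovcnt);
+ ssize_t qemu_sendv_packet_async(NetClientState *nc, const struct iovec *iov,
+ int iovcnt, NetPacketSent *sent_cb);
+ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size);
++ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size);
++ssize_t qemu_receive_packet_iov(NetClientState *nc,
++ const struct iovec *iov,
++ int iovcnt);
+ ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size);
+ ssize_t qemu_send_packet_async(NetClientState *nc, const uint8_t *buf,
+ int size, NetPacketSent *sent_cb);
+diff --git a/include/net/queue.h b/include/net/queue.h
+index c0269bb1d..9f2f289d7 100644
+--- a/include/net/queue.h
++++ b/include/net/queue.h
+@@ -55,6 +55,14 @@ void qemu_net_queue_append_iov(NetQueue *queue,
+
+ void qemu_del_net_queue(NetQueue *queue);
+
++ssize_t qemu_net_queue_receive(NetQueue *queue,
++ const uint8_t *data,
++ size_t size);
++
++ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
++ const struct iovec *iov,
++ int iovcnt);
++
+ ssize_t qemu_net_queue_send(NetQueue *queue,
+ NetClientState *sender,
+ unsigned flags,
+diff --git a/net/net.c b/net/net.c
+index 6a2c3d956..5e15e5d27 100644
+--- a/net/net.c
++++ b/net/net.c
+@@ -528,6 +528,17 @@ int qemu_set_vnet_be(NetClientState *nc, bool is_be)
+ #endif
+ }
+
++int qemu_can_receive_packet(NetClientState *nc)
++{
++ if (nc->receive_disabled) {
++ return 0;
++ } else if (nc->info->can_receive &&
++ !nc->info->can_receive(nc)) {
++ return 0;
++ }
++ return 1;
++}
++
+ int qemu_can_send_packet(NetClientState *sender)
+ {
+ int vm_running = runstate_is_running();
+@@ -540,13 +551,7 @@ int qemu_can_send_packet(NetClientState *sender)
+ return 1;
+ }
+
+- if (sender->peer->receive_disabled) {
+- return 0;
+- } else if (sender->peer->info->can_receive &&
+- !sender->peer->info->can_receive(sender->peer)) {
+- return 0;
+- }
+- return 1;
++ return qemu_can_receive_packet(sender->peer);
+ }
+
+ static ssize_t filter_receive_iov(NetClientState *nc,
+@@ -679,6 +684,25 @@ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size)
+ return qemu_send_packet_async(nc, buf, size, NULL);
+ }
+
++ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size)
++{
++ if (!qemu_can_receive_packet(nc)) {
++ return 0;
++ }
++
++ return qemu_net_queue_receive(nc->incoming_queue, buf, size);
++}
++
++ssize_t qemu_receive_packet_iov(NetClientState *nc, const struct iovec *iov,
++ int iovcnt)
++{
++ if (!qemu_can_receive_packet(nc)) {
++ return 0;
++ }
++
++ return qemu_net_queue_receive_iov(nc->incoming_queue, iov, iovcnt);
++}
++
+ ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size)
+ {
+ return qemu_send_packet_async_with_flags(nc, QEMU_NET_PACKET_FLAG_RAW,
+diff --git a/net/queue.c b/net/queue.c
+index 19e32c80f..c872d51df 100644
+--- a/net/queue.c
++++ b/net/queue.c
+@@ -182,6 +182,28 @@ static ssize_t qemu_net_queue_deliver_iov(NetQueue *queue,
+ return ret;
+ }
+
++ssize_t qemu_net_queue_receive(NetQueue *queue,
++ const uint8_t *data,
++ size_t size)
++{
++ if (queue->delivering) {
++ return 0;
++ }
++
++ return qemu_net_queue_deliver(queue, NULL, 0, data, size);
++}
++
++ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
++ const struct iovec *iov,
++ int iovcnt)
++{
++ if (queue->delivering) {
++ return 0;
++ }
++
++ return qemu_net_queue_deliver_iov(queue, NULL, 0, iov, iovcnt);
++}
++
+ ssize_t qemu_net_queue_send(NetQueue *queue,
+ NetClientState *sender,
+ unsigned flags,
+--
+2.29.2
+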
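Review bot: The new `qemu_receive_packet()` and `qemu_receive_packet_iov()` declarations in include/net/net.h carry no comment, yet they return 0 both when `qemu_can_receive_packet()` refuses the packet and when `queue->delivering` is already set, and in the second case the packet is dropped rather than queued. A caller reading the header cannot tell that 0 means "not delivered", so I would add above the declarations `/* Loopback delivery to nc itself; returns 0 and drops the packet if nc cannot receive or its incoming queue is already delivering (reentrant call). */`. Separately, `qemu_receive_packet()` takes `int size` and passes it to `qemu_net_queue_receive()`, whose parameter is `size_t size`, so a negative length would convert to a very large one; whether any device model can pass one is not visible here and is worth confirming.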
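--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch
@@ -0,0 +1,44 @@
+From 65b851efd3d0280425c202f4e5880c48f8334dae Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Mon, 1 Mar 2021 14:35:30 -0500
+Subject: [PATCH 10/10] lan9118: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [37cee01784ff0df13e5209517e1b3594a5e792d1]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/lan9118.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c
+index ab57c02c8..75f18ae2d 100644
+--- a/hw/net/lan9118.c
++++ b/hw/net/lan9118.c
+@@ -669,7 +669,7 @@ static void do_tx_packet(lan9118_state *s)
+ /* FIXME: Honor TX disable, and allow queueing of packets. */
+ if (s->phy_control & 0x4000) {
+ /* This assumes the receive routine doesn't touch the VLANClient. */
+- lan9118_receive(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
++ qemu_receive_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
+ } else {
+ qemu_send_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
+ }
+--
+2.29.2
+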
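Review bot: The context comment `/* This assumes the receive routine doesn't touch the VLANClient. */` directly above the changed call in do_tx_packet() described the old direct `lan9118_receive()` call and is left in place. With the call now going through `qemu_receive_packet()`, which the patch description says detects reentrancy and returns early, the comment should state that instead, e.g. `/* Loopback goes through qemu_receive_packet() so a reentrant delivery is dropped. */`. do_tx_packet() starts and ends outside the hunk.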
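--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch
@@ -0,0 +1,42 @@
+From e2a48a3c7cc33dbbe89f896e0f07462cb04ff6b5 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 12:13:22 +0800
+Subject: [PATCH 02/10] e1000: switch to use qemu_receive_packet() for loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [1caff0340f49c93d535c6558a5138d20d475315c]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/e1000.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c
+index d7d05ae30..cf22c4f07 100644
+--- a/hw/net/e1000.c
++++ b/hw/net/e1000.c
+@@ -546,7 +546,7 @@ e1000_send_packet(E1000State *s, const uint8_t *buf, int size)
+
+ NetClientState *nc = qemu_get_queue(s->nic);
+ if (s->phy_reg[PHY_CTRL] & MII_CR_LOOPBACK) {
+- nc->info->receive(nc, buf, size);
++ qemu_receive_packet(nc, buf, size);
+ } else {
+ qemu_send_packet(nc, buf, size);
+ }
+--
+2.29.2
+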
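--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch
@@ -0,0 +1,43 @@
+From c041a4da1ff119715e0ccf2d4a7af62568f17b93 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 12:57:40 +0800
+Subject: [PATCH 03/10] dp8393x: switch to use qemu_receive_packet() for
+ loopback packet
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [331d2ac9ea307c990dc86e6493e8f0c48d14bb33]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/dp8393x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
+index 205c0decc..533a8304d 100644
+--- a/hw/net/dp8393x.c
++++ b/hw/net/dp8393x.c
+@@ -506,7 +506,7 @@ static void dp8393x_do_transmit_packets(dp8393xState *s)
+ s->regs[SONIC_TCR] |= SONIC_TCR_CRSL;
+ if (nc->info->can_receive(nc)) {
+ s->loopback_packet = 1;
+- nc->info->receive(nc, s->tx_buffer, tx_len);
++ qemu_receive_packet(nc, s->tx_buffer, tx_len);
+ }
+ } else {
+ /* Transmit packet */
+--
+2.29.2
+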
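Review bot: `s->loopback_packet = 1` is set before `qemu_receive_packet(nc, s->tx_buffer, tx_len)` and the return value is ignored, so when the helper returns 0 without delivering, the flag may stay set for the next real packet. The receive routine that presumably clears it is not in the hunk, so this needs confirming; a minimal guard would be `if (qemu_receive_packet(nc, s->tx_buffer, tx_len) <= 0) { s->loopback_packet = 0; }`. The enclosing `if (nc->info->can_receive(nc))` also still calls the callback directly without a NULL check, whereas `qemu_can_receive_packet()` in patch 01 tests `nc->info->can_receive` first and then repeats the same check. dp8393x_do_transmit_packets() continues outside the hunk.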
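--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_4.patch
@@ -0,0 +1,43 @@
+From 9ac5345344b75995bc96d171eaa5dc8d26bf0e21 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 13:00:01 +0800
+Subject: [PATCH 04/10] msf2-mac: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [26194a58f4eb83c5bdf4061a1628508084450ba1]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/msf2-emac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/msf2-emac.c b/hw/net/msf2-emac.c
+index 32ba9e841..3e6206044 100644
+--- a/hw/net/msf2-emac.c
++++ b/hw/net/msf2-emac.c
+@@ -158,7 +158,7 @@ static void msf2_dma_tx(MSF2EmacState *s)
+ * R_CFG1 bit 0 is set.
+ */
+ if (s->regs[R_CFG1] & R_CFG1_LB_EN_MASK) {
+- nc->info->receive(nc, buf, size);
++ qemu_receive_packet(nc, buf, size);
+ } else {
+ qemu_send_packet(nc, buf, size);
+ }
+--
+2.29.2
+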
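--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch
@@ -0,0 +1,45 @@
+From d465dc79c9ee729d91ef086b993e956b1935be69 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 13:14:35 +0800
+Subject: [PATCH 05/10] sungem: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [8c92060d3c0248bd4d515719a35922cd2391b9b4]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/sungem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/sungem.c b/hw/net/sungem.c
+index 33c3722df..3684a4d73 100644
+--- a/hw/net/sungem.c
++++ b/hw/net/sungem.c
+@@ -306,7 +306,7 @@ static void sungem_send_packet(SunGEMState *s, const uint8_t *buf,
+ NetClientState *nc = qemu_get_queue(s->nic);
+
+ if (s->macregs[MAC_XIFCFG >> 2] & MAC_XIFCFG_LBCK) {
+- nc->info->receive(nc, buf, size);
++ qemu_receive_packet(nc, buf, size);
+ } else {
+ qemu_send_packet(nc, buf, size);
+ }
+--
+2.29.2
+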
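--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch
@@ -0,0 +1,43 @@
+From c0010f9b2bafe866fe32e3c2688454bc24147136 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 13:27:52 +0800
+Subject: [PATCH 06/10] tx_pkt: switch to use qemu_receive_packet_iov() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_receive_iov() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [8c552542b81e56ff532dd27ec6e5328954bdda73]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/net_tx_pkt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
+index da262edc3..1f9aa59ec 100644
+--- a/hw/net/net_tx_pkt.c
++++ b/hw/net/net_tx_pkt.c
+@@ -553,7 +553,7 @@ static inline void net_tx_pkt_sendv(struct NetTxPkt *pkt,
+ NetClientState *nc, const struct iovec *iov, int iov_cnt)
+ {
+ if (pkt->is_loopback) {
+- nc->info->receive_iov(nc, iov, iov_cnt);
++ qemu_receive_packet_iov(nc, iov, iov_cnt);
+ } else {
+ qemu_sendv_packet(nc, iov, iov_cnt);
+ }
+--
+2.29.2
+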
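--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch
@@ -0,0 +1,45 @@
+From 64b38675c728354e4015e4bec3d975cd4cb8a981 Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Fri, 26 Feb 2021 13:47:53 -0500
+Subject: [PATCH 07/10] rtl8139: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Buglink: https://bugs.launchpad.net/qemu/+bug/1910826
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [5311fb805a4403bba024e83886fa0e7572265de4]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/rtl8139.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
+index ba5ace1ab..d2dd03e6a 100644
+--- a/hw/net/rtl8139.c
++++ b/hw/net/rtl8139.c
+@@ -1795,7 +1795,7 @@ static void rtl8139_transfer_frame(RTL8139State *s, uint8_t *buf, int size,
+ }
+
+ DPRINTF("+++ transmit loopback mode\n");
+- rtl8139_do_receive(qemu_get_queue(s->nic), buf, size, do_interrupt);
++ qemu_receive_packet(qemu_get_queue(s->nic), buf, size);
+
+ if (iov) {
+ g_free(buf2);
+--
+2.29.2
+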
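Review bot: The old loopback call passed `do_interrupt` to `rtl8139_do_receive()`, and the replacement `qemu_receive_packet(qemu_get_queue(s->nic), buf, size)` has no way to carry it, so on the loopback path that value (presumably a parameter of rtl8139_transfer_frame(), whose signature is cut off in the hunk header) is no longer honoured. Which value the registered receive callback uses instead is not visible here; if any caller relies on passing 0 to suppress the interrupt, that behaviour changes with this backport. At minimum a comment at the call site should record it, e.g. `/* do_interrupt is not forwarded: loopback now goes through the net queue's receive callback */`. rtl8139_transfer_frame() starts and ends outside the hunk.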
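--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch
@@ -0,0 +1,44 @@
+From 023ce62f0a788ad3a8233c7a828554bceeafd031 Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Mon, 1 Mar 2021 10:33:34 -0500
+Subject: [PATCH 08/10] pcnet: switch to use qemu_receive_packet() for loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Buglink: https://bugs.launchpad.net/qemu/+bug/1917085
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [99ccfaa1edafd79f7a3a0ff7b58ae4da7c514928]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/pcnet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index f3f18d859..dcd3fc494 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1250,7 +1250,7 @@ txagain:
+ if (BCR_SWSTYLE(s) == 1)
+ add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);
+ s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;
+- pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
++ qemu_receive_packet(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
+ s->looptest = 0;
+ } else {
+ if (s->nic) {
+--
+2.29.2
+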
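--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch
@@ -0,0 +1,46 @@
+From ecf7e62bb2cb02c9bd40082504ae376f3e19ffd2 Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Mon, 1 Mar 2021 14:33:43 -0500
+Subject: [PATCH 09/10] cadence_gem: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [e73adfbeec9d4e008630c814759052ed945c3fed]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/cadence_gem.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
+index 7a534691f..43b760e3f 100644
+--- a/hw/net/cadence_gem.c
++++ b/hw/net/cadence_gem.c
+@@ -1275,8 +1275,8 @@ static void gem_transmit(CadenceGEMState *s)
+ /* Send the packet somewhere */
+ if (s->phy_loop || (s->regs[GEM_NWCTRL] &
+ GEM_NWCTRL_LOCALLOOP)) {
+- gem_receive(qemu_get_queue(s->nic), s->tx_packet,
+- total_bytes);
++ qemu_receive_packet(qemu_get_queue(s->nic), s->tx_packet,
++ total_bytes);
+ } else {
+ qemu_send_packet(qemu_get_queue(s->nic), s->tx_packet,
+ total_bytes);
+--
+2.29.2
+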