qemu: fix CVE-2020-24352

(From OE-Core rev: 12bee66a42a7c2a38789ddb37cb098bcbf0b3841) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Lee Chee Yang <chee.yang.lee@intel.com> 2020-11-19 17:43:29 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-11-29 00:07:58 +0000
commit: 9b58e1d1a87c1b33b180f71799cb32b3ce31211e (patch)
tree: d8c4ce7c6bcecaf0b43d3d4e8f688e0c7563cf0b /meta/recipes-devtools/qemu/qemu/CVE-2020-24352.patch
parent: f4ff33fd11d86a37e751d23ab471526c1c71efbf (diff)
download: poky-9b58e1d1a87c1b33b180f71799cb32b3ce31211e.tar.gz
1 files changed, 52 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-24352.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-24352.patch
new file mode 100644
index 0000000000..861ff6c3b0
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-24352.patch
@@ -0,0 +1,52 @@
+From ca1f9cbfdce4d63b10d57de80fef89a89d92a540 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 21 Oct 2020 16:08:18 +0530
+Subject: [PATCH 1/1] ati: check x y display parameter values
+The source and destination x,y display parameters in ati_2d_blt()
+may run off the vga limits if either of s->regs.[src|dst]_[xy] is
+zero. Check the parameter values to avoid potential crash.
+Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20201021103818.1704030-1-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Upstream-Status: Backport [ https://git.qemu.org/?p=qemu.git;a=commitdiff;h=ca1f9cbfdce4d63b10d57de80fef89a89d92a540;hp=2ddafce7f797082ad216657c830afd4546f16e37 ]
+CVE: CVE-2020-24352
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/display/ati_2d.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
+index 23a8ae0..4dc10ea 100644
+--- a/hw/display/ati_2d.c
+++ b/hw/display/ati_2d.c
+@@ -75,8 +75,9 @@ void ati_2d_blt(ATIVGAState *s)
+         dst_stride *= bpp;
+     }
+     uint8_t *end = s->vga.vram_ptr + s->vga.vram_size;
+-    if (dst_bits >= end || dst_bits + dst_x + (dst_y + s->regs.dst_height) *
+-        dst_stride >= end) {
+    if (dst_x > 0x3fff || dst_y > 0x3fff || dst_bits >= end
+        || dst_bits + dst_x
+         + (dst_y + s->regs.dst_height) * dst_stride >= end) {
+         qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
+         return;
+     }
+@@ -107,8 +108,9 @@ void ati_2d_blt(ATIVGAState *s)
+             src_bits += s->regs.crtc_offset & 0x07ffffff;
+             src_stride *= bpp;
+         }
+-        if (src_bits >= end || src_bits + src_x +
+-            (src_y + s->regs.dst_height) * src_stride >= end) {
+        if (src_x > 0x3fff || src_y > 0x3fff || src_bits >= end
+            || src_bits + src_x
+             + (src_y + s->regs.dst_height) * src_stride >= end) {
+             qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
+             return;
+         }
+-- 
+1.8.3.1
author	Lee Chee Yang <chee.yang.lee@intel.com>	2020-11-19 17:43:29 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-11-29 00:07:58 +0000
commit	9b58e1d1a87c1b33b180f71799cb32b3ce31211e (patch)
tree	d8c4ce7c6bcecaf0b43d3d4e8f688e0c7563cf0b /meta/recipes-devtools/qemu/qemu/CVE-2020-24352.patch
parent	f4ff33fd11d86a37e751d23ab471526c1c71efbf (diff)
download	poky-9b58e1d1a87c1b33b180f71799cb32b3ce31211e.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-24352.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-24352.patch new file mode 100644 index 0000000000..861ff6c3b0 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-24352.patch
@@ -0,0 +1,52 @@
	1	From ca1f9cbfdce4d63b10d57de80fef89a89d92a540 Mon Sep 17 00:00:00 2001
	2	From: Prasad J Pandit <pjp@fedoraproject.org>
	3	Date: Wed, 21 Oct 2020 16:08:18 +0530
	4	Subject: [PATCH 1/1] ati: check x y display parameter values
	5
	6	The source and destination x,y display parameters in ati_2d_blt()
	7	may run off the vga limits if either of s->regs.[src\|dst]_[xy] is
	8	zero. Check the parameter values to avoid potential crash.
	9
	10	Reported-by: Gaoning Pan <pgn@zju.edu.cn>
	11	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
	12	Message-id: 20201021103818.1704030-1-ppandit@redhat.com
	13	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
	14
	15	Upstream-Status: Backport [ https://git.qemu.org/?p=qemu.git;a=commitdiff;h=ca1f9cbfdce4d63b10d57de80fef89a89d92a540;hp=2ddafce7f797082ad216657c830afd4546f16e37 ]
	16	CVE: CVE-2020-24352
	17	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	18	---
	19	hw/display/ati_2d.c \| 10 ++++++----
	20	1 file changed, 6 insertions(+), 4 deletions(-)
	21
	22	diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
	23	index 23a8ae0..4dc10ea 100644
	24	--- a/hw/display/ati_2d.c
	25	+++ b/hw/display/ati_2d.c
	26	@@ -75,8 +75,9 @@ void ati_2d_blt(ATIVGAState *s)
	27	dst_stride *= bpp;
	28	}
	29	uint8_t *end = s->vga.vram_ptr + s->vga.vram_size;
	30	- if (dst_bits >= end \|\| dst_bits + dst_x + (dst_y + s->regs.dst_height) *
	31	- dst_stride >= end) {
	32	+ if (dst_x > 0x3fff \|\| dst_y > 0x3fff \|\| dst_bits >= end
	33	+ \|\| dst_bits + dst_x
	34	+ + (dst_y + s->regs.dst_height) * dst_stride >= end) {
	35	qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
	36	return;
	37	}
	38	@@ -107,8 +108,9 @@ void ati_2d_blt(ATIVGAState *s)
	39	src_bits += s->regs.crtc_offset & 0x07ffffff;
	40	src_stride *= bpp;
	41	}
	42	- if (src_bits >= end \|\| src_bits + src_x +
	43	- (src_y + s->regs.dst_height) * src_stride >= end) {
	44	+ if (src_x > 0x3fff \|\| src_y > 0x3fff \|\| src_bits >= end
	45	+ \|\| src_bits + src_x
	46	+ + (src_y + s->regs.dst_height) * src_stride >= end) {
	47	qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
	48	return;
	49	}
	50	--
	51	1.8.3.1
	52