author | Davide Gardenal <davidegarde2000@gmail.com> | 2022-03-18 09:47:57 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-03-23 23:16:12 +0000 |
commit | 094a9a9a236ed1cb6b53f1326f6ec702ee354f48 (patch) | |
tree | 9248205a35ff1bfcb001f957f3910db9f1d71918 /meta/recipes-devtools/qemu | |
parent | 9d155cbf956024e6ade0f10486ed8fe427652ad0 (diff) | |
download | poky-094a9a9a236ed1cb6b53f1326f6ec702ee354f48.tar.gz |
qemu: backport fix for CVE-2020-13253
Backport commits from the following MR:
https://git.qemu.org/?p=qemu.git;a=commit;h=3a9163af4e3dd61795a35d47b702e302f98f81d6
Two other commits have been backported in order to be able
to correctly apply the patches.
CVE: CVE-2020-13253
(From OE-Core rev: b258b0deccde2d8fd2c4372dd0f376c7b95945f5)
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 5 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-13253_1.patch | 50 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-13253_2.patch | 112 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-13253_3.patch | 86 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch | 139 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-13253_5.patch | 54 |
6 files changed, 446 insertions, 0 deletions
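--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -92,6 +92,11 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://CVE-2020-27617.patch \
 file://CVE-2020-28916.patch \
 file://CVE-2021-3682.patch \
+file://CVE-2020-13253_1.patch \
+file://CVE-2020-13253_2.patch \
+file://CVE-2020-13253_3.patch \
+file://CVE-2020-13253_4.patch \
+file://CVE-2020-13253_5.patch \
 "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 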
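--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_1.patch
@@ -0,0 +1,50 @@
+From 6dd3a164f5b31c703c7d8372841ad3bd6a57de6d Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Tue, 5 Jun 2018 22:28:51 -0300
+Subject: [PATCH 1/1] hw/sd/sdcard: Simplify realize() a bit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+We don't need to check if sd->blk is set twice.
+
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-Id: <20200630133912.9428-18-f4bug@amsat.org>
+
+Upstram-Status: Backport:
+https://git.qemu.org/?p=qemu.git;a=commit;f=hw/sd/sd.c;h=6dd3a164f5b31c703c7d8372841ad3bd6a57de6d
+
+CVE: CVE-2020-13253
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+hw/sd/sd.c | 10 +++++-----
+1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/hw/sd/sd.c b/hw/sd/sd.c
+index 1cc16bf..edd60a0 100644
+--- a/hw/sd/sd.c
++++ b/hw/sd/sd.c
+@@ -2105,12 +2105,12 @@ static void sd_realize(DeviceState *dev, Error **errp)
+return;
+}
+
+- if (sd->blk && blk_is_read_only(sd->blk)) {
+- error_setg(errp, "Cannot use read-only drive as SD card");
+- return;
+- }
+-
+if (sd->blk) {
++ if (blk_is_read_only(sd->blk)) {
++ error_setg(errp, "Cannot use read-only drive as SD card");
++ return;
++ }
++
+ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
+BLK_PERM_ALL, errp);
+if (ret < 0) {
+--
+1.8.3.1
+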
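Review bot: The patch header spells the tag `Upstram-Status:` (patch line 16), so tooling that scans for `Upstream-Status:` is likely to treat this security backport as untagged; the same misspelling is in CVE-2020-13253_2.patch through CVE-2020-13253_5.patch. I would put it on one line in the usual form, `Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;f=hw/sd/sd.c;h=6dd3a164f5b31c703c7d8372841ad3bd6a57de6d]`, using each patch's own commit URL. The index lines also suggest that upstream applied _5 (`5137168..1cc16bf`) directly before this patch (`1cc16bf..edd60a0`), so a header line stating that the _1 to _5 numbering is not upstream order would help anyone auditing the series against upstream.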
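--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_2.patch
@@ -0,0 +1,112 @@
+From a9bcedd15a5834ca9ae6c3a97933e85ac7edbd36 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Tue, 7 Jul 2020 13:02:34 +0200
+Subject: [PATCH] hw/sd/sdcard: Do not allow invalid SD card sizes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+QEMU allows to create SD card with unrealistic sizes. This could
+work, but some guests (at least Linux) consider sizes that are not
+a power of 2 as a firmware bug and fix the card size to the next
+power of 2.
+
+While the possibility to use small SD card images has been seen as
+a feature, it became a bug with CVE-2020-13253, where the guest is
+able to do OOB read/write accesses past the image size end.
+
+In a pair of commits we will fix CVE-2020-13253 as:
+
+Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
+occurred and no data transfer is performed.
+
+Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
+occurred and no data transfer is performed.
+
+WP_VIOLATION errors are not modified: the error bit is set, we
+stay in receive-data state, wait for a stop command. All further
+data transfer is ignored. See the check on sd->card_status at the
+beginning of sd_read_data() and sd_write_data().
+
+While this is the correct behavior, in case QEMU create smaller SD
+cards, guests still try to access past the image size end, and QEMU
+considers this is an invalid address, thus "all further data transfer
+is ignored". This is wrong and make the guest looping until
+eventually timeouts.
+
+Fix by not allowing invalid SD card sizes (suggesting the expected
+size as a hint):
+
+$ qemu-system-arm -M orangepi-pc -drive file=rootfs.ext2,if=sd,format=raw
+qemu-system-arm: Invalid SD card size: 60 MiB
+SD card size has to be a power of 2, e.g. 64 MiB.
+You can resize disk images with 'qemu-img resize <imagefile> <new-size>'
+(note that this will lose data if you make the image smaller than it currently is).
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-Id: <20200713183209.26308-8-f4bug@amsat.org>
+
+Upstram-Status: Backport:
+https://git.qemu.org/?p=qemu.git;a=commit;h=a9bcedd15a5834ca9ae6c3a97933e85ac7edbd36
+
+CVE: CVE-2020-13253
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+hw/sd/sd.c | 25 +++++++++++++++++++++++++
+1 file changed, 25 insertions(+)
+
+diff --git a/hw/sd/sd.c b/hw/sd/sd.c
+index edd60a09c0..76d68359a4 100644
+--- a/hw/sd/sd.c
++++ b/hw/sd/sd.c
+@@ -32,6 +32,7 @@
+
+#include "qemu/osdep.h"
+#include "qemu/units.h"
++#include "qemu/cutils.h"
+#include "hw/irq.h"
+#include "hw/registerfields.h"
+#include "sysemu/block-backend.h"
+@@ -2106,11 +2107,35 @@ static void sd_realize(DeviceState *dev, Error **errp)
+}
+
+if (sd->blk) {
++ int64_t blk_size;
++
+if (blk_is_read_only(sd->blk)) {
+error_setg(errp, "Cannot use read-only drive as SD card");
+return;
+}
+
++ blk_size = blk_getlength(sd->blk);
++ if (blk_size > 0 && !is_power_of_2(blk_size)) {
++ int64_t blk_size_aligned = pow2ceil(blk_size);
++ char *blk_size_str;
++
++ blk_size_str = size_to_str(blk_size);
++ error_setg(errp, "Invalid SD card size: %s", blk_size_str);
++ g_free(blk_size_str);
++
++ blk_size_str = size_to_str(blk_size_aligned);
++ error_append_hint(errp,
++ "SD card size has to be a power of 2, e.g. %s.\n"
++ "You can resize disk images with"
++ " 'qemu-img resize <imagefile> <new-size>'\n"
++ "(note that this will lose data if you make the"
++ " image smaller than it currently is).\n",
++ blk_size_str);
++ g_free(blk_size_str);
++
++ return;
++ }
++
+ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
+BLK_PERM_ALL, errp);
+if (ret < 0) {
+--
+2.32.0
+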
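Review bot: The new size check in sd_realize() only runs when `blk_size > 0`, so a negative return from `blk_getlength()` (presumably an error code) or a zero length skips validation without any diagnostic and continues to `blk_set_perm()`. If that is intended, a comment above the `if`, such as `/* blk_size <= 0: length unknown or empty, power-of-2 check not applicable */`, would make it explicit. Otherwise the error case could be rejected with `if (blk_size < 0) { error_setg_errno(errp, -blk_size, "Cannot get SD card size"); return; }`, although for a backport the comment may be preferable to diverging from upstream. The body of sd_realize() starts and ends outside the hunk.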
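--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_3.patch
@@ -0,0 +1,86 @@
+From 794d68de2f021a6d3874df41d6bbe8590ec05207 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Mon, 13 Jul 2020 09:27:35 +0200
+Subject: [PATCH] hw/sd/sdcard: Update coding style to make checkpatch.pl happy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+To make the next commit easier to review, clean this code first.
+
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
+Message-Id: <20200630133912.9428-3-f4bug@amsat.org>
+
+Upstram-Status: Backport:
+https://git.qemu.org/?p=qemu.git;a=commit;f=hw/sd/sd.c;h=794d68de2f021a6d3874df41d6bbe8590ec05207
+
+CVE: CVE-2020-13253
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+diff --git a/hw/sd/sd.c b/hw/sd/sd.c
+--- a/hw/sd/sd.c (revision b0ca999a43a22b38158a222233d3f5881648bb4f)
++++ b/hw/sd/sd.c (date 1647514442924)
+@@ -1154,8 +1154,9 @@
+sd->data_start = addr;
+sd->data_offset = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size)
++ if (sd->data_start + sd->blk_len > sd->size) {
+sd->card_status |= ADDRESS_ERROR;
++ }
+return sd_r1;
+
+default:
+@@ -1170,8 +1171,9 @@
+sd->data_start = addr;
+sd->data_offset = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size)
++ if (sd->data_start + sd->blk_len > sd->size) {
+sd->card_status |= ADDRESS_ERROR;
++ }
+return sd_r1;
+
+default:
+@@ -1216,12 +1218,15 @@
+sd->data_offset = 0;
+sd->blk_written = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size)
++ if (sd->data_start + sd->blk_len > sd->size) {
+sd->card_status |= ADDRESS_ERROR;
+- if (sd_wp_addr(sd, sd->data_start))
++ }
++ if (sd_wp_addr(sd, sd->data_start)) {
+sd->card_status |= WP_VIOLATION;
+- if (sd->csd[14] & 0x30)
++ }
++ if (sd->csd[14] & 0x30) {
+sd->card_status |= WP_VIOLATION;
++ }
+return sd_r1;
+
+default:
+@@ -1240,12 +1245,15 @@
+sd->data_offset = 0;
+sd->blk_written = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size)
++ if (sd->data_start + sd->blk_len > sd->size) {
+sd->card_status |= ADDRESS_ERROR;
+- if (sd_wp_addr(sd, sd->data_start))
++ }
++ if (sd_wp_addr(sd, sd->data_start)) {
+sd->card_status |= WP_VIOLATION;
+- if (sd->csd[14] & 0x30)
++ }
++ if (sd->csd[14] & 0x30) {
+sd->card_status |= WP_VIOLATION;
++ }
+return sd_r1;
+
+default: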
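Review bot: The embedded diff header reads `--- a/hw/sd/sd.c (revision b0ca999a43a22b38158a222233d3f5881648bb4f)` and `+++ b/hw/sd/sd.c (date 1647514442924)`, and its hunk headers carry no function context, which suggests this patch was re-exported from a local tree rather than taken as-is from upstream like the other four. For a CVE backport that makes it harder to compare the file against upstream commit 794d68de2f021a6d3874df41d6bbe8590ec05207. I would regenerate it with `git format-patch` from that commit, or add a header line saying how it was adapted. The code change itself only adds braces around existing single-statement `if` bodies.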
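--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch
@@ -0,0 +1,139 @@
+From 790762e5487114341cccc5bffcec4cb3c022c3cd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Thu, 4 Jun 2020 19:22:29 +0200
+Subject: [PATCH] hw/sd/sdcard: Do not switch to ReceivingData if address is
+invalid
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Only move the state machine to ReceivingData if there is no
+pending error. This avoids later OOB access while processing
+commands queued.
+
+"SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
+
+4.3.3 Data Read
+
+Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
+occurred and no data transfer is performed.
+
+4.3.4 Data Write
+
+Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
+occurred and no data transfer is performed.
+
+WP_VIOLATION errors are not modified: the error bit is set, we
+stay in receive-data state, wait for a stop command. All further
+data transfer is ignored. See the check on sd->card_status at the
+beginning of sd_read_data() and sd_write_data().
+
+Fixes: CVE-2020-13253
+
+Cc: qemu-stable@nongnu.org
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Buglink: https://bugs.launchpad.net/qemu/+bug/1880822
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-Id: <20200630133912.9428-6-f4bug@amsat.org>
+
+Upstram-Status: Backport:
+https://git.qemu.org/?p=qemu.git;a=commit;h=790762e5487114341cccc5bffcec4cb3c022c3cd
+
+CVE: CVE-2020-13253
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+hw/sd/sd.c | 38 ++++++++++++++++++++++++--------------
+1 file changed, 24 insertions(+), 14 deletions(-)
+
+diff --git a/hw/sd/sd.c b/hw/sd/sd.c
+index f4f76f8fd2..fad9cf1ee7 100644
+--- a/hw/sd/sd.c
++++ b/hw/sd/sd.c
+@@ -1171,13 +1171,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+case 17: /* CMD17: READ_SINGLE_BLOCK */
+switch (sd->state) {
+case sd_transfer_state:
+- sd->state = sd_sendingdata_state;
+- sd->data_start = addr;
+- sd->data_offset = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size) {
++ if (addr + sd->blk_len > sd->size) {
+sd->card_status |= ADDRESS_ERROR;
++ return sd_r1;
+}
++
++ sd->state = sd_sendingdata_state;
++ sd->data_start = addr;
++ sd->data_offset = 0;
+return sd_r1;
+
+default:
+@@ -1188,13 +1190,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+case 18: /* CMD18: READ_MULTIPLE_BLOCK */
+switch (sd->state) {
+case sd_transfer_state:
+- sd->state = sd_sendingdata_state;
+- sd->data_start = addr;
+- sd->data_offset = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size) {
++ if (addr + sd->blk_len > sd->size) {
+sd->card_status |= ADDRESS_ERROR;
++ return sd_r1;
+}
++
++ sd->state = sd_sendingdata_state;
++ sd->data_start = addr;
++ sd->data_offset = 0;
+return sd_r1;
+
+default:
+@@ -1234,14 +1238,17 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+/* Writing in SPI mode not implemented. */
+if (sd->spi)
+break;
++
++ if (addr + sd->blk_len > sd->size) {
++ sd->card_status |= ADDRESS_ERROR;
++ return sd_r1;
++ }
++
+sd->state = sd_receivingdata_state;
+sd->data_start = addr;
+sd->data_offset = 0;
+sd->blk_written = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size) {
+- sd->card_status |= ADDRESS_ERROR;
+- }
+if (sd_wp_addr(sd, sd->data_start)) {
+sd->card_status |= WP_VIOLATION;
+}
+@@ -1261,14 +1268,17 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+/* Writing in SPI mode not implemented. */
+if (sd->spi)
+break;
++
++ if (addr + sd->blk_len > sd->size) {
++ sd->card_status |= ADDRESS_ERROR;
++ return sd_r1;
++ }
++
+sd->state = sd_receivingdata_state;
+sd->data_start = addr;
+sd->data_offset = 0;
+sd->blk_written = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size) {
+- sd->card_status |= ADDRESS_ERROR;
+- }
+if (sd_wp_addr(sd, sd->data_start)) {
+sd->card_status |= WP_VIOLATION;
+}
+--
+2.32.0
+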
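Review bot: The added range checks compare only `addr + sd->blk_len` with `sd->size`, so for READ_MULTIPLE_BLOCK (second hunk) and, presumably, the matching multi-block write hunk they bound the first block only. Later blocks depend on per-block checks in sd_read_data()/sd_write_data(), which this patch does not touch and which should be confirmed in the tree being patched. The sum also relies on `addr` being wide enough not to wrap, and its declaration is outside the hunks. I would add a comment above each check, e.g. `/* Validate the range before leaving transfer state: an ADDRESS_ERROR must not start a data phase (CVE-2020-13253). */`. sd_normal_command() starts and ends outside these hunks.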
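--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_5.patch
@@ -0,0 +1,54 @@
+From 9157dd597d293ab7f599f4d96c3fe8a6e07c633d Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Wed, 3 Jun 2020 19:59:16 +0200
+Subject: [PATCH] hw/sd/sdcard: Restrict Class 6 commands to SCSD cards
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Only SCSD cards support Class 6 (Block Oriented Write Protection)
+commands.
+
+"SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
+
+4.3.14 Command Functional Difference in Card Capacity Types
+
+* Write Protected Group
+
+SDHC and SDXC do not support write-protected groups. Issuing
+CMD28, CMD29 and CMD30 generates the ILLEGAL_COMMAND error.
+
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-Id: <20200630133912.9428-7-f4bug@amsat.org>
+
+Upstram-Status: Backport:
+https://git.qemu.org/?p=qemu.git;a=commit;h=9157dd597d293ab7f599f4d96c3fe8a6e07c633d
+
+CVE: CVE-2020-13253
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+hw/sd/sd.c | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/hw/sd/sd.c b/hw/sd/sd.c
+index 5137168..1cc16bf 100644
+--- a/hw/sd/sd.c
++++ b/hw/sd/sd.c
+@@ -920,6 +920,11 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+sd->multi_blk_cnt = 0;
+}
+
++ if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
++ /* Only Standard Capacity cards support class 6 commands */
++ return sd_illegal;
++ }
++
+switch (req.cmd) {
+/* Basic commands (Class 0 and Class 1) */
+case 0: /* CMD0: GO_IDLE_STATE */
+--
+1.8.3.1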
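Review bot: The added condition indexes `sd_cmd_class[req.cmd]` with the command number taken from the request, and nothing in this hunk bounds `req.cmd` against the table size. The range check may be done by the caller, since sd_normal_command() starts before and continues past the hunk, but it should be confirmed for the QEMU version this recipe patches. The bare literal `6` would read better with the existing comment extended, e.g. `/* Class 6 = block-oriented write protection (CMD28-CMD30); only Standard Capacity cards support it */`.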