summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/qemu
diff options
context:
space:
mode:
authorSakib Sajal <sakib.sajal@windriver.com>2020-07-14 15:51:17 -0400
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-07-18 11:06:31 +0100
commit10e2b84149560cc59cd73dd8b438a00538f1873b (patch)
tree9d4b22ce0bb9da542aac193f52394f10ae18d1fd /meta/recipes-devtools/qemu
parent55b7c62b76a3f1b3912074725e23b90023980e38 (diff)
downloadpoky-10e2b84149560cc59cd73dd8b438a00538f1873b.tar.gz
qemu: fix CVE-2020-13659
(From OE-Core rev: 1bf0e91512b2c157259ed529d1fc7ea7cdac1889) Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu')
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc1
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch58
2 files changed, 59 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 98bdff7ac6..a9ef3b78bf 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -33,6 +33,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
33 file://find_datadir.patch \ 33 file://find_datadir.patch \
34 file://CVE-2020-10761.patch \ 34 file://CVE-2020-10761.patch \
35 file://CVE-2020-13362.patch \ 35 file://CVE-2020-13362.patch \
36 file://CVE-2020-13659.patch \
36 " 37 "
37UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" 38UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
38 39
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch
new file mode 100644
index 0000000000..4d12ae8f16
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch
@@ -0,0 +1,58 @@
1From 77f55eac6c433e23e82a1b88b2d74f385c4c7d82 Mon Sep 17 00:00:00 2001
2From: Prasad J Pandit <pjp@fedoraproject.org>
3Date: Tue, 26 May 2020 16:47:43 +0530
4Subject: [PATCH] exec: set map length to zero when returning NULL
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9When mapping physical memory into host's virtual address space,
10'address_space_map' may return NULL if BounceBuffer is in_use.
11Set and return '*plen = 0' to avoid later NULL pointer dereference.
12
13Reported-by: Alexander Bulekov <alxndr@bu.edu>
14Fixes: https://bugs.launchpad.net/qemu/+bug/1878259
15Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
16Suggested-by: Peter Maydell <peter.maydell@linaro.org>
17Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
18Message-Id: <20200526111743.428367-1-ppandit@redhat.com>
19Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
20Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
21
22Upstream-Status: Backport [77f55eac6c433e23e82a1b88b2d74f385c4c7d82]
23CVE: CVE-2020-13659
24Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
25---
26 exec.c | 1 +
27 include/exec/memory.h | 3 ++-
28 2 files changed, 3 insertions(+), 1 deletion(-)
29
30diff --git a/exec.c b/exec.c
31index 9cbde85d8c..778263f1c6 100644
32--- a/exec.c
33+++ b/exec.c
34@@ -3540,6 +3540,7 @@ void *address_space_map(AddressSpace *as,
35
36 if (!memory_access_is_direct(mr, is_write)) {
37 if (atomic_xchg(&bounce.in_use, true)) {
38+ *plen = 0;
39 return NULL;
40 }
41 /* Avoid unbounded allocations */
42diff --git a/include/exec/memory.h b/include/exec/memory.h
43index bd7fdd6081..af8ca7824e 100644
44--- a/include/exec/memory.h
45+++ b/include/exec/memory.h
46@@ -2314,7 +2314,8 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, hwaddr len,
47 /* address_space_map: map a physical memory region into a host virtual address
48 *
49 * May map a subset of the requested range, given by and returned in @plen.
50- * May return %NULL if resources needed to perform the mapping are exhausted.
51+ * May return %NULL and set *@plen to zero(0), if resources needed to perform
52+ * the mapping are exhausted.
53 * Use only for reads OR writes - not for read-modify-write operations.
54 * Use cpu_register_map_client() to know when retrying the map operation is
55 * likely to succeed.
56--
572.20.1
58