diff options
author | Li Wang <li.wang@windriver.com> | 2020-12-03 05:46:30 +0000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-12-06 23:17:28 +0000 |
commit | 3ac2ba83f24783f5b0793a9faebd28fdca8dd3a4 (patch) | |
tree | 55a1a0a327f1ce4eaed743e569ef205b21bd3849 /meta/recipes-devtools/qemu | |
parent | e8d24de4a1f5abcf9aa4d0bcd9342ab27d9a6b0b (diff) | |
download | poky-3ac2ba83f24783f5b0793a9faebd28fdca8dd3a4.tar.gz |
qemu: CVE-2020-25624
References:
https://nvd.nist.gov/vuln/detail/CVE-2020-25624
backport patch from:
https://git.qemu.org/?p=qemu.git;a=commit;h=1328fe0c32d5474604105b8105310e944976b058
(From OE-Core rev: 88d05be28da522fb390ee24f2871a113adf4366e)
Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-25624.patch | 101 |
2 files changed, 102 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index bbe2a39755..274c855d35 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc | |||
@@ -34,6 +34,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ | |||
34 | file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \ | 34 | file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \ |
35 | file://CVE-2020-24352.patch \ | 35 | file://CVE-2020-24352.patch \ |
36 | file://CVE-2020-29129-CVE-2020-29130.patch \ | 36 | file://CVE-2020-29129-CVE-2020-29130.patch \ |
37 | file://CVE-2020-25624.patch \ | ||
37 | " | 38 | " |
38 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" | 39 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" |
39 | 40 | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25624.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624.patch new file mode 100644 index 0000000000..7631bab39f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624.patch | |||
@@ -0,0 +1,101 @@ | |||
1 | From 1328fe0c32d5474604105b8105310e944976b058 Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Tue, 15 Sep 2020 23:52:58 +0530 | ||
4 | Subject: [PATCH] hw: usb: hcd-ohci: check len and frame_number variables | ||
5 | |||
6 | While servicing the OHCI transfer descriptors(TD), OHCI host | ||
7 | controller derives variables 'start_addr', 'end_addr', 'len' | ||
8 | etc. from values supplied by the host controller driver. | ||
9 | Host controller driver may supply values such that using | ||
10 | above variables leads to out-of-bounds access issues. | ||
11 | Add checks to avoid them. | ||
12 | |||
13 | AddressSanitizer: stack-buffer-overflow on address 0x7ffd53af76a0 | ||
14 | READ of size 2 at 0x7ffd53af76a0 thread T0 | ||
15 | #0 ohci_service_iso_td ../hw/usb/hcd-ohci.c:734 | ||
16 | #1 ohci_service_ed_list ../hw/usb/hcd-ohci.c:1180 | ||
17 | #2 ohci_process_lists ../hw/usb/hcd-ohci.c:1214 | ||
18 | #3 ohci_frame_boundary ../hw/usb/hcd-ohci.c:1257 | ||
19 | #4 timerlist_run_timers ../util/qemu-timer.c:572 | ||
20 | #5 qemu_clock_run_timers ../util/qemu-timer.c:586 | ||
21 | #6 qemu_clock_run_all_timers ../util/qemu-timer.c:672 | ||
22 | #7 main_loop_wait ../util/main-loop.c:527 | ||
23 | #8 qemu_main_loop ../softmmu/vl.c:1676 | ||
24 | #9 main ../softmmu/main.c:50 | ||
25 | |||
26 | Reported-by: Gaoning Pan <pgn@zju.edu.cn> | ||
27 | Reported-by: Yongkang Jia <j_kangel@163.com> | ||
28 | Reported-by: Yi Ren <yunye.ry@alibaba-inc.com> | ||
29 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
30 | Message-id: 20200915182259.68522-2-ppandit@redhat.com | ||
31 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
32 | |||
33 | Upstream-Status: Backport | ||
34 | CVE: CVE-2020-25624 | ||
35 | [https://git.qemu.org/?p=qemu.git;a=commit;h=1328fe0c32d5474604105b8105310e944976b058] | ||
36 | Signed-off-by: Li Wang <li.wang@windriver.com> | ||
37 | --- | ||
38 | hw/usb/hcd-ohci.c | 24 ++++++++++++++++++++++-- | ||
39 | 1 file changed, 22 insertions(+), 2 deletions(-) | ||
40 | |||
41 | diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c | ||
42 | index 1e6e85e..9dc5910 100644 | ||
43 | --- a/hw/usb/hcd-ohci.c | ||
44 | +++ b/hw/usb/hcd-ohci.c | ||
45 | @@ -731,7 +731,11 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed, | ||
46 | } | ||
47 | |||
48 | start_offset = iso_td.offset[relative_frame_number]; | ||
49 | - next_offset = iso_td.offset[relative_frame_number + 1]; | ||
50 | + if (relative_frame_number < frame_count) { | ||
51 | + next_offset = iso_td.offset[relative_frame_number + 1]; | ||
52 | + } else { | ||
53 | + next_offset = iso_td.be; | ||
54 | + } | ||
55 | |||
56 | if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) || | ||
57 | ((relative_frame_number < frame_count) && | ||
58 | @@ -764,7 +768,12 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed, | ||
59 | } | ||
60 | } else { | ||
61 | /* Last packet in the ISO TD */ | ||
62 | - end_addr = iso_td.be; | ||
63 | + end_addr = next_offset; | ||
64 | + } | ||
65 | + | ||
66 | + if (start_addr > end_addr) { | ||
67 | + trace_usb_ohci_iso_td_bad_cc_overrun(start_addr, end_addr); | ||
68 | + return 1; | ||
69 | } | ||
70 | |||
71 | if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) { | ||
72 | @@ -773,6 +782,9 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed, | ||
73 | } else { | ||
74 | len = end_addr - start_addr + 1; | ||
75 | } | ||
76 | + if (len > sizeof(ohci->usb_buf)) { | ||
77 | + len = sizeof(ohci->usb_buf); | ||
78 | + } | ||
79 | |||
80 | if (len && dir != OHCI_TD_DIR_IN) { | ||
81 | if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len, | ||
82 | @@ -975,8 +987,16 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed) | ||
83 | if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) { | ||
84 | len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff); | ||
85 | } else { | ||
86 | + if (td.cbp > td.be) { | ||
87 | + trace_usb_ohci_iso_td_bad_cc_overrun(td.cbp, td.be); | ||
88 | + ohci_die(ohci); | ||
89 | + return 1; | ||
90 | + } | ||
91 | len = (td.be - td.cbp) + 1; | ||
92 | } | ||
93 | + if (len > sizeof(ohci->usb_buf)) { | ||
94 | + len = sizeof(ohci->usb_buf); | ||
95 | + } | ||
96 | |||
97 | pktlen = len; | ||
98 | if (len && dir != OHCI_TD_DIR_IN) { | ||
99 | -- | ||
100 | 2.17.1 | ||
101 | |||