qemu: fix CVE-2020-24352

(From OE-Core rev: 7610ffec71e20556bde32f00a08c4c5a40cd31ce) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Lee Chee Yang <chee.yang.lee@intel.com> 2020-11-19 19:00:35 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-11-24 13:17:59 +0000
commit: 235dff82276a8a2ff4d0ee1cf93243925537551c (patch)
tree: 3f7c46f13e2faebb039ada6b90f98c11581fd8e8 /meta/recipes-devtools
parent: 9c5ec3fd7b65cebe2b570cfc0638a0e0c6f09230 (diff)
download: poky-235dff82276a8a2ff4d0ee1cf93243925537551c.tar.gz
2 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index b6941403ea..067179fdeb 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -50,6 +50,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2020-16092.patch \
           file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \
           file://CVE-2019-20175.patch \
+           file://CVE-2020-24352.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-24352.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-24352.patch
new file mode 100644
index 0000000000..861ff6c3b0
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-24352.patch
@@ -0,0 +1,52 @@
+From ca1f9cbfdce4d63b10d57de80fef89a89d92a540 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 21 Oct 2020 16:08:18 +0530
+Subject: [PATCH 1/1] ati: check x y display parameter values
+The source and destination x,y display parameters in ati_2d_blt()
+may run off the vga limits if either of s->regs.[src|dst]_[xy] is
+zero. Check the parameter values to avoid potential crash.
+Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20201021103818.1704030-1-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Upstream-Status: Backport [ https://git.qemu.org/?p=qemu.git;a=commitdiff;h=ca1f9cbfdce4d63b10d57de80fef89a89d92a540;hp=2ddafce7f797082ad216657c830afd4546f16e37 ]
+CVE: CVE-2020-24352
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/display/ati_2d.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
+index 23a8ae0..4dc10ea 100644
+--- a/hw/display/ati_2d.c
+++ b/hw/display/ati_2d.c
+@@ -75,8 +75,9 @@ void ati_2d_blt(ATIVGAState *s)
+         dst_stride *= bpp;
+     }
+     uint8_t *end = s->vga.vram_ptr + s->vga.vram_size;
+-    if (dst_bits >= end || dst_bits + dst_x + (dst_y + s->regs.dst_height) *
+-        dst_stride >= end) {
+    if (dst_x > 0x3fff || dst_y > 0x3fff || dst_bits >= end
+        || dst_bits + dst_x
+         + (dst_y + s->regs.dst_height) * dst_stride >= end) {
+         qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
+         return;
+     }
+@@ -107,8 +108,9 @@ void ati_2d_blt(ATIVGAState *s)
+             src_bits += s->regs.crtc_offset & 0x07ffffff;
+             src_stride *= bpp;
+         }
+-        if (src_bits >= end || src_bits + src_x +
+-            (src_y + s->regs.dst_height) * src_stride >= end) {
+        if (src_x > 0x3fff || src_y > 0x3fff || src_bits >= end
+            || src_bits + src_x
+             + (src_y + s->regs.dst_height) * src_stride >= end) {
+             qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
+             return;
+         }
+-- 
+1.8.3.1
author	Lee Chee Yang <chee.yang.lee@intel.com>	2020-11-19 19:00:35 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-11-24 13:17:59 +0000
commit	235dff82276a8a2ff4d0ee1cf93243925537551c (patch)
tree	3f7c46f13e2faebb039ada6b90f98c11581fd8e8 /meta/recipes-devtools
parent	9c5ec3fd7b65cebe2b570cfc0638a0e0c6f09230 (diff)
download	poky-235dff82276a8a2ff4d0ee1cf93243925537551c.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index b6941403ea..067179fdeb 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -50,6 +50,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
50	file://CVE-2020-16092.patch \	50	file://CVE-2020-16092.patch \
51	file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \	51	file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \
52	file://CVE-2019-20175.patch \	52	file://CVE-2019-20175.patch \
		53	file://CVE-2020-24352.patch \
53	"	54	"
54	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	55	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
55		56


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-24352.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-24352.patch new file mode 100644 index 0000000000..861ff6c3b0 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-24352.patch
@@ -0,0 +1,52 @@
		1	From ca1f9cbfdce4d63b10d57de80fef89a89d92a540 Mon Sep 17 00:00:00 2001
		2	From: Prasad J Pandit <pjp@fedoraproject.org>
		3	Date: Wed, 21 Oct 2020 16:08:18 +0530
		4	Subject: [PATCH 1/1] ati: check x y display parameter values
		5
		6	The source and destination x,y display parameters in ati_2d_blt()
		7	may run off the vga limits if either of s->regs.[src\|dst]_[xy] is
		8	zero. Check the parameter values to avoid potential crash.
		9
		10	Reported-by: Gaoning Pan <pgn@zju.edu.cn>
		11	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
		12	Message-id: 20201021103818.1704030-1-ppandit@redhat.com
		13	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
		14
		15	Upstream-Status: Backport [ https://git.qemu.org/?p=qemu.git;a=commitdiff;h=ca1f9cbfdce4d63b10d57de80fef89a89d92a540;hp=2ddafce7f797082ad216657c830afd4546f16e37 ]
		16	CVE: CVE-2020-24352
		17	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		18	---
		19	hw/display/ati_2d.c \| 10 ++++++----
		20	1 file changed, 6 insertions(+), 4 deletions(-)
		21
		22	diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
		23	index 23a8ae0..4dc10ea 100644
		24	--- a/hw/display/ati_2d.c
		25	+++ b/hw/display/ati_2d.c
		26	@@ -75,8 +75,9 @@ void ati_2d_blt(ATIVGAState *s)
		27	dst_stride *= bpp;
		28	}
		29	uint8_t *end = s->vga.vram_ptr + s->vga.vram_size;
		30	- if (dst_bits >= end \|\| dst_bits + dst_x + (dst_y + s->regs.dst_height) *
		31	- dst_stride >= end) {
		32	+ if (dst_x > 0x3fff \|\| dst_y > 0x3fff \|\| dst_bits >= end
		33	+ \|\| dst_bits + dst_x
		34	+ + (dst_y + s->regs.dst_height) * dst_stride >= end) {
		35	qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
		36	return;
		37	}
		38	@@ -107,8 +108,9 @@ void ati_2d_blt(ATIVGAState *s)
		39	src_bits += s->regs.crtc_offset & 0x07ffffff;
		40	src_stride *= bpp;
		41	}
		42	- if (src_bits >= end \|\| src_bits + src_x +
		43	- (src_y + s->regs.dst_height) * src_stride >= end) {
		44	+ if (src_x > 0x3fff \|\| src_y > 0x3fff \|\| src_bits >= end
		45	+ \|\| src_bits + src_x
		46	+ + (src_y + s->regs.dst_height) * src_stride >= end) {
		47	qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
		48	return;
		49	}
		50	--
		51	1.8.3.1
		52