qemu: CVE-2020-25624

References: https://nvd.nist.gov/vuln/detail/CVE-2020-25624 backport patch from: https://git.qemu.org/?p=qemu.git;a=commit;h=1328fe0c32d5474604105b8105310e944976b058 (From OE-Core rev: af9e9945ac81885421a6bb8432184a2bd1a3efff) Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 88d05be28da522fb390ee24f2871a113adf4366e) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Li Wang <li.wang@windriver.com> 2020-12-03 05:46:30 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-12-18 23:01:48 +0000
commit: 9a5ad5f02e4455068437ce770e97f50108d25153 (patch)
tree: 38919543abd46ab2c0d651b17ebabe8363242c16 /meta/recipes-devtools
parent: 1153cc59191961d0fe51815186f18ce1ef5e21cb (diff)
download: poky-9a5ad5f02e4455068437ce770e97f50108d25153.tar.gz
2 files changed, 102 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index bbe2a39755..274c855d35 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -34,6 +34,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \
           file://CVE-2020-24352.patch \
           file://CVE-2020-29129-CVE-2020-29130.patch \
+           file://CVE-2020-25624.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25624.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624.patch
new file mode 100644
index 0000000000..7631bab39f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624.patch
@@ -0,0 +1,101 @@
+From 1328fe0c32d5474604105b8105310e944976b058 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 15 Sep 2020 23:52:58 +0530
+Subject: [PATCH] hw: usb: hcd-ohci: check len and frame_number variables
+While servicing the OHCI transfer descriptors(TD), OHCI host
+controller derives variables 'start_addr', 'end_addr', 'len'
+etc. from values supplied by the host controller driver.
+Host controller driver may supply values such that using
+above variables leads to out-of-bounds access issues.
+Add checks to avoid them.
+AddressSanitizer: stack-buffer-overflow on address 0x7ffd53af76a0
+  READ of size 2 at 0x7ffd53af76a0 thread T0
+  #0 ohci_service_iso_td ../hw/usb/hcd-ohci.c:734
+  #1 ohci_service_ed_list ../hw/usb/hcd-ohci.c:1180
+  #2 ohci_process_lists ../hw/usb/hcd-ohci.c:1214
+  #3 ohci_frame_boundary ../hw/usb/hcd-ohci.c:1257
+  #4 timerlist_run_timers ../util/qemu-timer.c:572
+  #5 qemu_clock_run_timers ../util/qemu-timer.c:586
+  #6 qemu_clock_run_all_timers ../util/qemu-timer.c:672
+  #7 main_loop_wait ../util/main-loop.c:527
+  #8 qemu_main_loop ../softmmu/vl.c:1676
+  #9 main ../softmmu/main.c:50
+Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Reported-by: Yongkang Jia <j_kangel@163.com>
+Reported-by: Yi Ren <yunye.ry@alibaba-inc.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20200915182259.68522-2-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Upstream-Status: Backport
+CVE: CVE-2020-25624
+[https://git.qemu.org/?p=qemu.git;a=commit;h=1328fe0c32d5474604105b8105310e944976b058]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ hw/usb/hcd-ohci.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 1e6e85e..9dc5910 100644
+--- a/hw/usb/hcd-ohci.c
+++ b/hw/usb/hcd-ohci.c
+@@ -731,7 +731,11 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+     }
+ 
+     start_offset = iso_td.offset[relative_frame_number];
+-    next_offset = iso_td.offset[relative_frame_number + 1];
+    if (relative_frame_number < frame_count) {
+        next_offset = iso_td.offset[relative_frame_number + 1];
+    } else {
+        next_offset = iso_td.be;
+    }
+ 
+     if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) || 
+         ((relative_frame_number < frame_count) && 
+@@ -764,7 +768,12 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+         }
+     } else {
+         /* Last packet in the ISO TD */
+-        end_addr = iso_td.be;
+        end_addr = next_offset;
+    }
+
+    if (start_addr > end_addr) {
+        trace_usb_ohci_iso_td_bad_cc_overrun(start_addr, end_addr);
+        return 1;
+     }
+ 
+     if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) {
+@@ -773,6 +782,9 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+     } else {
+         len = end_addr - start_addr + 1;
+     }
+    if (len > sizeof(ohci->usb_buf)) {
+        len = sizeof(ohci->usb_buf);
+    }
+ 
+     if (len && dir != OHCI_TD_DIR_IN) {
+         if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len,
+@@ -975,8 +987,16 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
+         if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) {
+             len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff);
+         } else {
+            if (td.cbp > td.be) {
+                trace_usb_ohci_iso_td_bad_cc_overrun(td.cbp, td.be);
+                ohci_die(ohci);
+                return 1;
+            }
+             len = (td.be - td.cbp) + 1;
+         }
+        if (len > sizeof(ohci->usb_buf)) {
+            len = sizeof(ohci->usb_buf);
+        }
+ 
+         pktlen = len;
+         if (len && dir != OHCI_TD_DIR_IN) {
+-- 
+2.17.1
author	Li Wang <li.wang@windriver.com>	2020-12-03 05:46:30 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-12-18 23:01:48 +0000
commit	9a5ad5f02e4455068437ce770e97f50108d25153 (patch)
tree	38919543abd46ab2c0d651b17ebabe8363242c16 /meta/recipes-devtools
parent	1153cc59191961d0fe51815186f18ce1ef5e21cb (diff)
download	poky-9a5ad5f02e4455068437ce770e97f50108d25153.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index bbe2a39755..274c855d35 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -34,6 +34,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
34	file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \	34	file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \
35	file://CVE-2020-24352.patch \	35	file://CVE-2020-24352.patch \
36	file://CVE-2020-29129-CVE-2020-29130.patch \	36	file://CVE-2020-29129-CVE-2020-29130.patch \
		37	file://CVE-2020-25624.patch \
37	"	38	"
38	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	39	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
39		40


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25624.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624.patch new file mode 100644 index 0000000000..7631bab39f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624.patch
@@ -0,0 +1,101 @@
		1	From 1328fe0c32d5474604105b8105310e944976b058 Mon Sep 17 00:00:00 2001
		2	From: Prasad J Pandit <pjp@fedoraproject.org>
		3	Date: Tue, 15 Sep 2020 23:52:58 +0530
		4	Subject: [PATCH] hw: usb: hcd-ohci: check len and frame_number variables
		5
		6	While servicing the OHCI transfer descriptors(TD), OHCI host
		7	controller derives variables 'start_addr', 'end_addr', 'len'
		8	etc. from values supplied by the host controller driver.
		9	Host controller driver may supply values such that using
		10	above variables leads to out-of-bounds access issues.
		11	Add checks to avoid them.
		12
		13	AddressSanitizer: stack-buffer-overflow on address 0x7ffd53af76a0
		14	READ of size 2 at 0x7ffd53af76a0 thread T0
		15	#0 ohci_service_iso_td ../hw/usb/hcd-ohci.c:734
		16	#1 ohci_service_ed_list ../hw/usb/hcd-ohci.c:1180
		17	#2 ohci_process_lists ../hw/usb/hcd-ohci.c:1214
		18	#3 ohci_frame_boundary ../hw/usb/hcd-ohci.c:1257
		19	#4 timerlist_run_timers ../util/qemu-timer.c:572
		20	#5 qemu_clock_run_timers ../util/qemu-timer.c:586
		21	#6 qemu_clock_run_all_timers ../util/qemu-timer.c:672
		22	#7 main_loop_wait ../util/main-loop.c:527
		23	#8 qemu_main_loop ../softmmu/vl.c:1676
		24	#9 main ../softmmu/main.c:50
		25
		26	Reported-by: Gaoning Pan <pgn@zju.edu.cn>
		27	Reported-by: Yongkang Jia <j_kangel@163.com>
		28	Reported-by: Yi Ren <yunye.ry@alibaba-inc.com>
		29	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
		30	Message-id: 20200915182259.68522-2-ppandit@redhat.com
		31	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
		32
		33	Upstream-Status: Backport
		34	CVE: CVE-2020-25624
		35	[https://git.qemu.org/?p=qemu.git;a=commit;h=1328fe0c32d5474604105b8105310e944976b058]
		36	Signed-off-by: Li Wang <li.wang@windriver.com>
		37	---
		38	hw/usb/hcd-ohci.c \| 24 ++++++++++++++++++++++--
		39	1 file changed, 22 insertions(+), 2 deletions(-)
		40
		41	diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
		42	index 1e6e85e..9dc5910 100644
		43	--- a/hw/usb/hcd-ohci.c
		44	+++ b/hw/usb/hcd-ohci.c
		45	@@ -731,7 +731,11 @@ static int ohci_service_iso_td(OHCIState ohci, struct ohci_ed ed,
		46	}
		47
		48	start_offset = iso_td.offset[relative_frame_number];
		49	- next_offset = iso_td.offset[relative_frame_number + 1];
		50	+ if (relative_frame_number < frame_count) {
		51	+ next_offset = iso_td.offset[relative_frame_number + 1];
		52	+ } else {
		53	+ next_offset = iso_td.be;
		54	+ }
		55
		56	if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) \|\|
		57	((relative_frame_number < frame_count) &&
		58	@@ -764,7 +768,12 @@ static int ohci_service_iso_td(OHCIState ohci, struct ohci_ed ed,
		59	}
		60	} else {
		61	/* Last packet in the ISO TD */
		62	- end_addr = iso_td.be;
		63	+ end_addr = next_offset;
		64	+ }
		65	+
		66	+ if (start_addr > end_addr) {
		67	+ trace_usb_ohci_iso_td_bad_cc_overrun(start_addr, end_addr);
		68	+ return 1;
		69	}
		70
		71	if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) {
		72	@@ -773,6 +782,9 @@ static int ohci_service_iso_td(OHCIState ohci, struct ohci_ed ed,
		73	} else {
		74	len = end_addr - start_addr + 1;
		75	}
		76	+ if (len > sizeof(ohci->usb_buf)) {
		77	+ len = sizeof(ohci->usb_buf);
		78	+ }
		79
		80	if (len && dir != OHCI_TD_DIR_IN) {
		81	if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len,
		82	@@ -975,8 +987,16 @@ static int ohci_service_td(OHCIState ohci, struct ohci_ed ed)
		83	if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) {
		84	len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff);
		85	} else {
		86	+ if (td.cbp > td.be) {
		87	+ trace_usb_ohci_iso_td_bad_cc_overrun(td.cbp, td.be);
		88	+ ohci_die(ohci);
		89	+ return 1;
		90	+ }
		91	len = (td.be - td.cbp) + 1;
		92	}
		93	+ if (len > sizeof(ohci->usb_buf)) {
		94	+ len = sizeof(ohci->usb_buf);
		95	+ }
		96
		97	pktlen = len;
		98	if (len && dir != OHCI_TD_DIR_IN) {
		99	--
		100	2.17.1
		101