qemu: fix CVE-2020-29443

(From OE-Core rev: 27cc6761ecd7dbe5b7972706f2a21cb3ee5eef3f) Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 481e012de865ee232fa5a233e9f1d4fc7a2232ab) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Sakib Sajal <sakib.sajal@windriver.com> 2021-04-23 00:45:01 -0400
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-04-30 14:37:26 +0100
commit: 686f9147332bf3b5610123d869cbba6f71a56a7c (patch)
tree: 3eaf59372647654e6052e68362787bd827b3ce5f /meta
parent: 53390d2261d2d35cdd637cf12a0fb4dc63f0f88c (diff)
download: poky-686f9147332bf3b5610123d869cbba6f71a56a7c.tar.gz
2 files changed, 108 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 65e0489a97..fc9c9e15f9 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -35,6 +35,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2020-35517_2.patch \
           file://CVE-2020-35517_3.patch \
           file://CVE-2021-20181.patch \
+           file://CVE-2020-29443.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
new file mode 100644
index 0000000000..c72324fce6
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
@@ -0,0 +1,107 @@
+From c9a71afe182be5b62bd2ccdaf861695e0ec0731a Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 18 Jan 2021 17:21:30 +0530
+Subject: [PATCH] ide: atapi: check logical block address and read size
+ (CVE-2020-29443)
+While processing ATAPI cmd_read/cmd_read_cd commands,
+Logical Block Address (LBA) maybe invalid OR closer to the last block,
+leading to an OOB access issues. Add range check to avoid it.
+Fixes: CVE-2020-29443
+Reported-by: Wenxiang Qian <leonwxqian@gmail.com>
+Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20210118115130.457044-1-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Upstream-Status: Backport [b8d7f1bc59276fec85e4d09f1567613a3e14d31e]
+CVE: CVE-2020-29443
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/ide/atapi.c | 30 ++++++++++++++++++++++++------
+ 1 file changed, 24 insertions(+), 6 deletions(-)
+diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
+index e79157863..b626199e3 100644
+--- a/hw/ide/atapi.c
+++ b/hw/ide/atapi.c
+@@ -322,6 +322,8 @@ static void ide_atapi_cmd_reply(IDEState *s, int size, int max_size)
+ static void ide_atapi_cmd_read_pio(IDEState *s, int lba, int nb_sectors,
+                                    int sector_size)
+ {
+    assert(0 <= lba && lba < (s->nb_sectors >> 2));
+
+     s->lba = lba;
+     s->packet_transfer_size = nb_sectors * sector_size;
+     s->elementary_transfer_size = 0;
+@@ -420,6 +422,8 @@ eot:
+ static void ide_atapi_cmd_read_dma(IDEState *s, int lba, int nb_sectors,
+                                    int sector_size)
+ {
+    assert(0 <= lba && lba < (s->nb_sectors >> 2));
+
+     s->lba = lba;
+     s->packet_transfer_size = nb_sectors * sector_size;
+     s->io_buffer_size = 0;
+@@ -973,35 +977,49 @@ static void cmd_prevent_allow_medium_removal(IDEState *s, uint8_t* buf)
+ 
+ static void cmd_read(IDEState *s, uint8_t* buf)
+ {
+-    int nb_sectors, lba;
+    unsigned int nb_sectors, lba;
+
+    /* Total logical sectors of ATAPI_SECTOR_SIZE(=2048) bytes */
+    uint64_t total_sectors = s->nb_sectors >> 2;
+ 
+     if (buf[0] == GPCMD_READ_10) {
+         nb_sectors = lduw_be_p(buf + 7);
+     } else {
+         nb_sectors = ldl_be_p(buf + 6);
+     }
+-
+-    lba = ldl_be_p(buf + 2);
+     if (nb_sectors == 0) {
+         ide_atapi_cmd_ok(s);
+         return;
+     }
+ 
+    lba = ldl_be_p(buf + 2);
+    if (lba >= total_sectors || lba + nb_sectors - 1 >= total_sectors) {
+        ide_atapi_cmd_error(s, ILLEGAL_REQUEST, ASC_LOGICAL_BLOCK_OOR);
+        return;
+    }
+
+     ide_atapi_cmd_read(s, lba, nb_sectors, 2048);
+ }
+ 
+ static void cmd_read_cd(IDEState *s, uint8_t* buf)
+ {
+-    int nb_sectors, lba, transfer_request;
+    unsigned int nb_sectors, lba, transfer_request;
+ 
+-    nb_sectors = (buf[6] << 16) | (buf[7] << 8) | buf[8];
+-    lba = ldl_be_p(buf + 2);
+    /* Total logical sectors of ATAPI_SECTOR_SIZE(=2048) bytes */
+    uint64_t total_sectors = s->nb_sectors >> 2;
+ 
+    nb_sectors = (buf[6] << 16) | (buf[7] << 8) | buf[8];
+     if (nb_sectors == 0) {
+         ide_atapi_cmd_ok(s);
+         return;
+     }
+ 
+    lba = ldl_be_p(buf + 2);
+    if (lba >= total_sectors || lba + nb_sectors - 1 >= total_sectors) {
+        ide_atapi_cmd_error(s, ILLEGAL_REQUEST, ASC_LOGICAL_BLOCK_OOR);
+        return;
+    }
+
+     transfer_request = buf[9] & 0xf8;
+     if (transfer_request == 0x00) {
+         /* nothing */
+-- 
+2.29.2
author	Sakib Sajal <sakib.sajal@windriver.com>	2021-04-23 00:45:01 -0400
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-04-30 14:37:26 +0100
commit	686f9147332bf3b5610123d869cbba6f71a56a7c (patch)
tree	3eaf59372647654e6052e68362787bd827b3ce5f /meta
parent	53390d2261d2d35cdd637cf12a0fb4dc63f0f88c (diff)
download	poky-686f9147332bf3b5610123d869cbba6f71a56a7c.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 65e0489a97..fc9c9e15f9 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -35,6 +35,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
35	file://CVE-2020-35517_2.patch \	35	file://CVE-2020-35517_2.patch \
36	file://CVE-2020-35517_3.patch \	36	file://CVE-2020-35517_3.patch \
37	file://CVE-2021-20181.patch \	37	file://CVE-2021-20181.patch \
		38	file://CVE-2020-29443.patch \
38	"	39	"
39	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	40	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
40		41


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch new file mode 100644 index 0000000000..c72324fce6 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
@@ -0,0 +1,107 @@
		1	From c9a71afe182be5b62bd2ccdaf861695e0ec0731a Mon Sep 17 00:00:00 2001
		2	From: Prasad J Pandit <pjp@fedoraproject.org>
		3	Date: Mon, 18 Jan 2021 17:21:30 +0530
		4	Subject: [PATCH] ide: atapi: check logical block address and read size
		5	(CVE-2020-29443)
		6
		7	While processing ATAPI cmd_read/cmd_read_cd commands,
		8	Logical Block Address (LBA) maybe invalid OR closer to the last block,
		9	leading to an OOB access issues. Add range check to avoid it.
		10
		11	Fixes: CVE-2020-29443
		12	Reported-by: Wenxiang Qian <leonwxqian@gmail.com>
		13	Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
		14	Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
		15	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
		16	Message-Id: <20210118115130.457044-1-ppandit@redhat.com>
		17	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
		18
		19	Upstream-Status: Backport [b8d7f1bc59276fec85e4d09f1567613a3e14d31e]
		20	CVE: CVE-2020-29443
		21
		22	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
		23	---
		24	hw/ide/atapi.c \| 30 ++++++++++++++++++++++++------
		25	1 file changed, 24 insertions(+), 6 deletions(-)
		26
		27	diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
		28	index e79157863..b626199e3 100644
		29	--- a/hw/ide/atapi.c
		30	+++ b/hw/ide/atapi.c
		31	@@ -322,6 +322,8 @@ static void ide_atapi_cmd_reply(IDEState *s, int size, int max_size)
		32	static void ide_atapi_cmd_read_pio(IDEState *s, int lba, int nb_sectors,
		33	int sector_size)
		34	{
		35	+ assert(0 <= lba && lba < (s->nb_sectors >> 2));
		36	+
		37	s->lba = lba;
		38	s->packet_transfer_size = nb_sectors * sector_size;
		39	s->elementary_transfer_size = 0;
		40	@@ -420,6 +422,8 @@ eot:
		41	static void ide_atapi_cmd_read_dma(IDEState *s, int lba, int nb_sectors,
		42	int sector_size)
		43	{
		44	+ assert(0 <= lba && lba < (s->nb_sectors >> 2));
		45	+
		46	s->lba = lba;
		47	s->packet_transfer_size = nb_sectors * sector_size;
		48	s->io_buffer_size = 0;
		49	@@ -973,35 +977,49 @@ static void cmd_prevent_allow_medium_removal(IDEState s, uint8_t buf)
		50
		51	static void cmd_read(IDEState s, uint8_t buf)
		52	{
		53	- int nb_sectors, lba;
		54	+ unsigned int nb_sectors, lba;
		55	+
		56	+ /* Total logical sectors of ATAPI_SECTOR_SIZE(=2048) bytes */
		57	+ uint64_t total_sectors = s->nb_sectors >> 2;
		58
		59	if (buf[0] == GPCMD_READ_10) {
		60	nb_sectors = lduw_be_p(buf + 7);
		61	} else {
		62	nb_sectors = ldl_be_p(buf + 6);
		63	}
		64	-
		65	- lba = ldl_be_p(buf + 2);
		66	if (nb_sectors == 0) {
		67	ide_atapi_cmd_ok(s);
		68	return;
		69	}
		70
		71	+ lba = ldl_be_p(buf + 2);
		72	+ if (lba >= total_sectors \|\| lba + nb_sectors - 1 >= total_sectors) {
		73	+ ide_atapi_cmd_error(s, ILLEGAL_REQUEST, ASC_LOGICAL_BLOCK_OOR);
		74	+ return;
		75	+ }
		76	+
		77	ide_atapi_cmd_read(s, lba, nb_sectors, 2048);
		78	}
		79
		80	static void cmd_read_cd(IDEState s, uint8_t buf)
		81	{
		82	- int nb_sectors, lba, transfer_request;
		83	+ unsigned int nb_sectors, lba, transfer_request;
		84
		85	- nb_sectors = (buf[6] << 16) \| (buf[7] << 8) \| buf[8];
		86	- lba = ldl_be_p(buf + 2);
		87	+ /* Total logical sectors of ATAPI_SECTOR_SIZE(=2048) bytes */
		88	+ uint64_t total_sectors = s->nb_sectors >> 2;
		89
		90	+ nb_sectors = (buf[6] << 16) \| (buf[7] << 8) \| buf[8];
		91	if (nb_sectors == 0) {
		92	ide_atapi_cmd_ok(s);
		93	return;
		94	}
		95
		96	+ lba = ldl_be_p(buf + 2);
		97	+ if (lba >= total_sectors \|\| lba + nb_sectors - 1 >= total_sectors) {
		98	+ ide_atapi_cmd_error(s, ILLEGAL_REQUEST, ASC_LOGICAL_BLOCK_OOR);
		99	+ return;
		100	+ }
		101	+
		102	transfer_request = buf[9] & 0xf8;
		103	if (transfer_request == 0x00) {
		104	/* nothing */
		105	--
		106	2.29.2
		107