summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorLi Wang <li.wang@windriver.com>2020-12-04 03:44:24 +0000
committerRichard Purdie <richard.purdie@linuxfoundation.org>2021-01-12 14:25:13 +0000
commitc18d4712dcf368d1acfbae213eff361dd611debc (patch)
treeb9550c5f878c48a2b99d5184d848b2f872af1a66 /meta
parent84a841b5b97c20d5a3f77c61b5fcb177e2b933d0 (diff)
downloadpoky-c18d4712dcf368d1acfbae213eff361dd611debc.tar.gz
qemu: CVE-2020-25723
References: https://nvd.nist.gov/vuln/detail/CVE-2020-25723 https://bugzilla.redhat.com/show_bug.cgi?id=1898579 backport patch from: https://git.qemu.org/?p=qemu.git;a=commit;h=2fdb42d840400d58f2e706ecca82c142b97bcbd6 (From OE-Core rev: cb41f6656631c15d0996791bce0ac4b7d25adcc9) Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 3a52f12bd08bd6f0e386c78f9f87acacdb7714cb) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc1
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-25723.patch51
2 files changed, 52 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 274c855d35..ecff54d61d 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -35,6 +35,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
35 file://CVE-2020-24352.patch \ 35 file://CVE-2020-24352.patch \
36 file://CVE-2020-29129-CVE-2020-29130.patch \ 36 file://CVE-2020-29129-CVE-2020-29130.patch \
37 file://CVE-2020-25624.patch \ 37 file://CVE-2020-25624.patch \
38 file://CVE-2020-25723.patch \
38 " 39 "
39UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" 40UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
40 41
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25723.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25723.patch
new file mode 100644
index 0000000000..90b3a2f41c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25723.patch
@@ -0,0 +1,51 @@
1From 2fdb42d840400d58f2e706ecca82c142b97bcbd6 Mon Sep 17 00:00:00 2001
2From: Li Qiang <liq3ea@163.com>
3Date: Wed, 12 Aug 2020 09:17:27 -0700
4Subject: [PATCH] hw: ehci: check return value of 'usb_packet_map'
5
6If 'usb_packet_map' fails, we should stop to process the usb
7request.
8
9Signed-off-by: Li Qiang <liq3ea@163.com>
10Message-Id: <20200812161727.29412-1-liq3ea@163.com>
11Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
12
13Upstream-Status: Backport
14CVE: CVE-2020-25723
15[https://git.qemu.org/?p=qemu.git;a=commit;h=2fdb42d840400d58f2e706ecca82c142b97bcbd6]
16Signed-off-by: Li Wang <li.wang@windriver.com>
17---
18 hw/usb/hcd-ehci.c | 10 ++++++++--
19 1 file changed, 8 insertions(+), 2 deletions(-)
20
21diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
22index 1495e8f..1fbb02a 100644
23--- a/hw/usb/hcd-ehci.c
24+++ b/hw/usb/hcd-ehci.c
25@@ -1373,7 +1373,10 @@ static int ehci_execute(EHCIPacket *p, const char *action)
26 spd = (p->pid == USB_TOKEN_IN && NLPTR_TBIT(p->qtd.altnext) == 0);
27 usb_packet_setup(&p->packet, p->pid, ep, 0, p->qtdaddr, spd,
28 (p->qtd.token & QTD_TOKEN_IOC) != 0);
29- usb_packet_map(&p->packet, &p->sgl);
30+ if (usb_packet_map(&p->packet, &p->sgl)) {
31+ qemu_sglist_destroy(&p->sgl);
32+ return -1;
33+ }
34 p->async = EHCI_ASYNC_INITIALIZED;
35 }
36
37@@ -1452,7 +1455,10 @@ static int ehci_process_itd(EHCIState *ehci,
38 if (ep && ep->type == USB_ENDPOINT_XFER_ISOC) {
39 usb_packet_setup(&ehci->ipacket, pid, ep, 0, addr, false,
40 (itd->transact[i] & ITD_XACT_IOC) != 0);
41- usb_packet_map(&ehci->ipacket, &ehci->isgl);
42+ if (usb_packet_map(&ehci->ipacket, &ehci->isgl)) {
43+ qemu_sglist_destroy(&ehci->isgl);
44+ return -1;
45+ }
46 usb_handle_packet(dev, &ehci->ipacket);
47 usb_packet_unmap(&ehci->ipacket, &ehci->isgl);
48 } else {
49--
502.17.1
51