qemu: CVE-2020-25723

References: https://nvd.nist.gov/vuln/detail/CVE-2020-25723 https://bugzilla.redhat.com/show_bug.cgi?id=1898579 backport patch from: https://git.qemu.org/?p=qemu.git;a=commit;h=2fdb42d840400d58f2e706ecca82c142b97bcbd6 (From OE-Core rev: cb41f6656631c15d0996791bce0ac4b7d25adcc9) Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 3a52f12bd08bd6f0e386c78f9f87acacdb7714cb) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Li Wang <li.wang@windriver.com> 2020-12-04 03:44:24 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-01-12 14:25:13 +0000
commit: c18d4712dcf368d1acfbae213eff361dd611debc (patch)
tree: b9550c5f878c48a2b99d5184d848b2f872af1a66 /meta
parent: 84a841b5b97c20d5a3f77c61b5fcb177e2b933d0 (diff)
download: poky-c18d4712dcf368d1acfbae213eff361dd611debc.tar.gz
2 files changed, 52 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 274c855d35..ecff54d61d 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -35,6 +35,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2020-24352.patch \
           file://CVE-2020-29129-CVE-2020-29130.patch \
           file://CVE-2020-25624.patch \
+           file://CVE-2020-25723.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25723.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25723.patch
new file mode 100644
index 0000000000..90b3a2f41c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25723.patch
@@ -0,0 +1,51 @@
+From 2fdb42d840400d58f2e706ecca82c142b97bcbd6 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Wed, 12 Aug 2020 09:17:27 -0700
+Subject: [PATCH] hw: ehci: check return value of 'usb_packet_map'
+If 'usb_packet_map' fails, we should stop to process the usb
+request.
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Message-Id: <20200812161727.29412-1-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Upstream-Status: Backport
+CVE: CVE-2020-25723
+[https://git.qemu.org/?p=qemu.git;a=commit;h=2fdb42d840400d58f2e706ecca82c142b97bcbd6]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ hw/usb/hcd-ehci.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index 1495e8f..1fbb02a 100644
+--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
+@@ -1373,7 +1373,10 @@ static int ehci_execute(EHCIPacket *p, const char *action)
+         spd = (p->pid == USB_TOKEN_IN && NLPTR_TBIT(p->qtd.altnext) == 0);
+         usb_packet_setup(&p->packet, p->pid, ep, 0, p->qtdaddr, spd,
+                          (p->qtd.token & QTD_TOKEN_IOC) != 0);
+-        usb_packet_map(&p->packet, &p->sgl);
+        if (usb_packet_map(&p->packet, &p->sgl)) {
+            qemu_sglist_destroy(&p->sgl);
+            return -1;
+        }
+         p->async = EHCI_ASYNC_INITIALIZED;
+     }
+ 
+@@ -1452,7 +1455,10 @@ static int ehci_process_itd(EHCIState *ehci,
+             if (ep && ep->type == USB_ENDPOINT_XFER_ISOC) {
+                 usb_packet_setup(&ehci->ipacket, pid, ep, 0, addr, false,
+                                  (itd->transact[i] & ITD_XACT_IOC) != 0);
+-                usb_packet_map(&ehci->ipacket, &ehci->isgl);
+                if (usb_packet_map(&ehci->ipacket, &ehci->isgl)) {
+                    qemu_sglist_destroy(&ehci->isgl);
+                    return -1;
+                }
+                 usb_handle_packet(dev, &ehci->ipacket);
+                 usb_packet_unmap(&ehci->ipacket, &ehci->isgl);
+             } else {
+-- 
+2.17.1
author	Li Wang <li.wang@windriver.com>	2020-12-04 03:44:24 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-01-12 14:25:13 +0000
commit	c18d4712dcf368d1acfbae213eff361dd611debc (patch)
tree	b9550c5f878c48a2b99d5184d848b2f872af1a66 /meta
parent	84a841b5b97c20d5a3f77c61b5fcb177e2b933d0 (diff)
download	poky-c18d4712dcf368d1acfbae213eff361dd611debc.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 274c855d35..ecff54d61d 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -35,6 +35,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
35	file://CVE-2020-24352.patch \	35	file://CVE-2020-24352.patch \
36	file://CVE-2020-29129-CVE-2020-29130.patch \	36	file://CVE-2020-29129-CVE-2020-29130.patch \
37	file://CVE-2020-25624.patch \	37	file://CVE-2020-25624.patch \
		38	file://CVE-2020-25723.patch \
38	"	39	"
39	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	40	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
40		41


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25723.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25723.patch new file mode 100644 index 0000000000..90b3a2f41c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25723.patch
@@ -0,0 +1,51 @@
		1	From 2fdb42d840400d58f2e706ecca82c142b97bcbd6 Mon Sep 17 00:00:00 2001
		2	From: Li Qiang <liq3ea@163.com>
		3	Date: Wed, 12 Aug 2020 09:17:27 -0700
		4	Subject: [PATCH] hw: ehci: check return value of 'usb_packet_map'
		5
		6	If 'usb_packet_map' fails, we should stop to process the usb
		7	request.
		8
		9	Signed-off-by: Li Qiang <liq3ea@163.com>
		10	Message-Id: <20200812161727.29412-1-liq3ea@163.com>
		11	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
		12
		13	Upstream-Status: Backport
		14	CVE: CVE-2020-25723
		15	[https://git.qemu.org/?p=qemu.git;a=commit;h=2fdb42d840400d58f2e706ecca82c142b97bcbd6]
		16	Signed-off-by: Li Wang <li.wang@windriver.com>
		17	---
		18	hw/usb/hcd-ehci.c \| 10 ++++++++--
		19	1 file changed, 8 insertions(+), 2 deletions(-)
		20
		21	diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
		22	index 1495e8f..1fbb02a 100644
		23	--- a/hw/usb/hcd-ehci.c
		24	+++ b/hw/usb/hcd-ehci.c
		25	@@ -1373,7 +1373,10 @@ static int ehci_execute(EHCIPacket p, const char action)
		26	spd = (p->pid == USB_TOKEN_IN && NLPTR_TBIT(p->qtd.altnext) == 0);
		27	usb_packet_setup(&p->packet, p->pid, ep, 0, p->qtdaddr, spd,
		28	(p->qtd.token & QTD_TOKEN_IOC) != 0);
		29	- usb_packet_map(&p->packet, &p->sgl);
		30	+ if (usb_packet_map(&p->packet, &p->sgl)) {
		31	+ qemu_sglist_destroy(&p->sgl);
		32	+ return -1;
		33	+ }
		34	p->async = EHCI_ASYNC_INITIALIZED;
		35	}
		36
		37	@@ -1452,7 +1455,10 @@ static int ehci_process_itd(EHCIState *ehci,
		38	if (ep && ep->type == USB_ENDPOINT_XFER_ISOC) {
		39	usb_packet_setup(&ehci->ipacket, pid, ep, 0, addr, false,
		40	(itd->transact[i] & ITD_XACT_IOC) != 0);
		41	- usb_packet_map(&ehci->ipacket, &ehci->isgl);
		42	+ if (usb_packet_map(&ehci->ipacket, &ehci->isgl)) {
		43	+ qemu_sglist_destroy(&ehci->isgl);
		44	+ return -1;
		45	+ }
		46	usb_handle_packet(dev, &ehci->ipacket);
		47	usb_packet_unmap(&ehci->ipacket, &ehci->isgl);
		48	} else {
		49	--
		50	2.17.1
		51