diff options
author | Armin Kuster <akuster@mvista.com> | 2021-08-20 16:55:15 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-09-01 16:27:08 +0100 |
commit | c00a882bd66158f1dbce59bc45340ef81d3af2ed (patch) | |
tree | 92d3eb9a594de6d402b7833e65c292ba529a364b /meta | |
parent | ea562eaec5c7bc0c8ec7cada2fc544d05686fe6e (diff) | |
download | poky-c00a882bd66158f1dbce59bc45340ef81d3af2ed.tar.gz |
Qemu: Security fix for CVE-2020-25625/2021-3409/2020-17380
Source: Qemu.org
MR: 105781, 109964, 108621
Type: Security Fix
Disposition: Backport from https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg05905.html
ChangeID: 0acf082885e7ab3ac2fb41d6e503449869dd46a8
Description:
This address:
CVE-2020-25625
and its two fixes address an incomplete fix for CVE-2020-25625
CVE-2021-3409
CVE-2020-17380
(From OE-Core rev: 721a14f13005dc0b5bddaac131c444b97be700a8)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-25625.patch | 42 |
2 files changed, 43 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 6978be951e..76bfb4fcf9 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc | |||
@@ -58,6 +58,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ | |||
58 | file://CVE-2020-25085.patch \ | 58 | file://CVE-2020-25085.patch \ |
59 | file://CVE-2020-25624_1.patch \ | 59 | file://CVE-2020-25624_1.patch \ |
60 | file://CVE-2020-25624_2.patch \ | 60 | file://CVE-2020-25624_2.patch \ |
61 | file://CVE-2020-25625.patch \ | ||
61 | " | 62 | " |
62 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" | 63 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" |
63 | 64 | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25625.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25625.patch new file mode 100644 index 0000000000..374d7c4562 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25625.patch | |||
@@ -0,0 +1,42 @@ | |||
1 | From 1be90ebecc95b09a2ee5af3f60c412b45a766c4f Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Tue, 15 Sep 2020 23:52:59 +0530 | ||
4 | Subject: [PATCH] hw: usb: hcd-ohci: check for processed TD before retire | ||
5 | |||
6 | While servicing OHCI transfer descriptors(TD), ohci_service_iso_td | ||
7 | retires a TD if it has passed its time frame. It does not check if | ||
8 | the TD was already processed once and holds an error code in TD_CC. | ||
9 | It may happen if the TD list has a loop. Add check to avoid an | ||
10 | infinite loop condition. | ||
11 | |||
12 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
13 | Reviewed-by: Li Qiang <liq3ea@gmail.com> | ||
14 | Message-id: 20200915182259.68522-3-ppandit@redhat.com | ||
15 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
16 | |||
17 | Upstream-Status: Backport | ||
18 | CVE: CVE-2020-25625 | ||
19 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
20 | |||
21 | --- | ||
22 | hw/usb/hcd-ohci.c | 4 ++++ | ||
23 | 1 file changed, 4 insertions(+) | ||
24 | |||
25 | diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c | ||
26 | index 9dc59101f9..8b912e95d3 100644 | ||
27 | --- a/hw/usb/hcd-ohci.c | ||
28 | +++ b/hw/usb/hcd-ohci.c | ||
29 | @@ -691,6 +691,10 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed, | ||
30 | the next ISO TD of the same ED */ | ||
31 | trace_usb_ohci_iso_td_relative_frame_number_big(relative_frame_number, | ||
32 | frame_count); | ||
33 | + if (OHCI_CC_DATAOVERRUN == OHCI_BM(iso_td.flags, TD_CC)) { | ||
34 | + /* avoid infinite loop */ | ||
35 | + return 1; | ||
36 | + } | ||
37 | OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_DATAOVERRUN); | ||
38 | ed->head &= ~OHCI_DPTR_MASK; | ||
39 | ed->head |= (iso_td.next & OHCI_DPTR_MASK); | ||
40 | -- | ||
41 | 2.25.1 | ||
42 | |||