qemu: Security fix CVE-2020-25085

Source: qemu.org MR: 105773 Type: Security Fix Disposition: Backport from https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg00733.html ChangeID: 77c8a9e75b94da3c03c64c95d9e6ab9d45037572 Description: (From OE-Core rev: 6b4c58a31ec11e557d40c31f2532985dd53e61eb) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2021-08-20 16:55:13 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-09-01 16:27:08 +0100
commit: e142f4ebfba18bc798c5361fbc360b598a30f96e (patch)
tree: e6e1cbeac2b3f59b8c294647c0aa46bbd886a489 /meta
parent: 02108b6dbc78f291a64b78112234fd0c11675e0c (diff)
download: poky-e142f4ebfba18bc798c5361fbc360b598a30f96e.tar.gz
2 files changed, 67 insertions, 20 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index e25c2524aa..a33008670b 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -35,27 +35,28 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2020-7039-2.patch \
           file://CVE-2020-7039-3.patch \
           file://0001-Add-enable-disable-udev.patch \
-           file://CVE-2020-7211.patch \
+           file://CVE-2020-7211.patch \
-           file://0001-qemu-Do-not-include-file-if-not-exists.patch \
+           file://0001-qemu-Do-not-include-file-if-not-exists.patch \
           file://CVE-2020-11102.patch \
-           file://CVE-2020-11869.patch \
+           file://CVE-2020-11869.patch \
-           file://CVE-2020-13361.patch \
+           file://CVE-2020-13361.patch \
-           file://CVE-2020-10761.patch \
+           file://CVE-2020-10761.patch \
-           file://CVE-2020-10702.patch \
+           file://CVE-2020-10702.patch \
-           file://CVE-2020-13659.patch \
+           file://CVE-2020-13659.patch \
-           file://CVE-2020-13800.patch \
+           file://CVE-2020-13800.patch \
-           file://CVE-2020-13362.patch \
+           file://CVE-2020-13362.patch \
-           file://CVE-2020-15863.patch \
+           file://CVE-2020-15863.patch \
-           file://CVE-2020-14364.patch \
+           file://CVE-2020-14364.patch \
-           file://CVE-2020-14415.patch \
+           file://CVE-2020-14415.patch \
-           file://CVE-2020-16092.patch \
+           file://CVE-2020-16092.patch \
-           file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \
+           file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \
-           file://CVE-2019-20175.patch \
+           file://CVE-2019-20175.patch \
-           file://CVE-2020-24352.patch \
+           file://CVE-2020-24352.patch \
-           file://CVE-2020-25723.patch \
+           file://CVE-2020-25723.patch \
-           file://CVE-2021-20203.patch \
+           file://CVE-2021-20203.patch \
-           file://CVE-2021-3392.patch \
+           file://CVE-2021-3392.patch \
-           "
+           file://CVE-2020-25085.patch \
+           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 SRC_URI[md5sum] = "278eeb294e4b497e79af7a57e660cb9a"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25085.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25085.patch
new file mode 100644
index 0000000000..be19256cef
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25085.patch
@@ -0,0 +1,46 @@
+From dfba99f17feb6d4a129da19d38df1bcd8579d1c3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Tue, 1 Sep 2020 15:22:06 +0200
+Subject: [PATCH] hw/sd/sdhci: Fix DMA Transfer Block Size field
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+The 'Transfer Block Size' field is 12-bit wide.
+See section '2.2.2. Block Size Register (Offset 004h)' in datasheet.
+Two different bug reproducer available:
+- https://bugs.launchpad.net/qemu/+bug/1892960
+- https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fsdhci_oob_write1
+Cc: qemu-stable@nongnu.org
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Fixes: d7dfca0807a ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Message-Id: <20200901140411.112150-3-f4bug@amsat.org>
+Upstream-Status: Backport
+CVE: CVE-2020-25085
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ hw/sd/sdhci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+Index: qemu-4.2.0/hw/sd/sdhci.c
+===================================================================
+--- qemu-4.2.0.orig/hw/sd/sdhci.c
+++ qemu-4.2.0/hw/sd/sdhci.c
+@@ -1129,7 +1129,7 @@ sdhci_write(void *opaque, hwaddr offset,
+         break;
+     case SDHC_BLKSIZE:
+         if (!TRANSFERRING_DATA(s->prnsts)) {
+-            MASKED_WRITE(s->blksize, mask, value);
+            MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
+             MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
+         }
+
author	Armin Kuster <akuster@mvista.com>	2021-08-20 16:55:13 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-09-01 16:27:08 +0100
commit	e142f4ebfba18bc798c5361fbc360b598a30f96e (patch)
tree	e6e1cbeac2b3f59b8c294647c0aa46bbd886a489 /meta
parent	02108b6dbc78f291a64b78112234fd0c11675e0c (diff)
download	poky-e142f4ebfba18bc798c5361fbc360b598a30f96e.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index e25c2524aa..a33008670b 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -35,27 +35,28 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
35	file://CVE-2020-7039-2.patch \	35	file://CVE-2020-7039-2.patch \
36	file://CVE-2020-7039-3.patch \	36	file://CVE-2020-7039-3.patch \
37	file://0001-Add-enable-disable-udev.patch \	37	file://0001-Add-enable-disable-udev.patch \
38	file://CVE-2020-7211.patch \	38	file://CVE-2020-7211.patch \
39	file://0001-qemu-Do-not-include-file-if-not-exists.patch \	39	file://0001-qemu-Do-not-include-file-if-not-exists.patch \
40	file://CVE-2020-11102.patch \	40	file://CVE-2020-11102.patch \
41	file://CVE-2020-11869.patch \	41	file://CVE-2020-11869.patch \
42	file://CVE-2020-13361.patch \	42	file://CVE-2020-13361.patch \
43	file://CVE-2020-10761.patch \	43	file://CVE-2020-10761.patch \
44	file://CVE-2020-10702.patch \	44	file://CVE-2020-10702.patch \
45	file://CVE-2020-13659.patch \	45	file://CVE-2020-13659.patch \
46	file://CVE-2020-13800.patch \	46	file://CVE-2020-13800.patch \
47	file://CVE-2020-13362.patch \	47	file://CVE-2020-13362.patch \
48	file://CVE-2020-15863.patch \	48	file://CVE-2020-15863.patch \
49	file://CVE-2020-14364.patch \	49	file://CVE-2020-14364.patch \
50	file://CVE-2020-14415.patch \	50	file://CVE-2020-14415.patch \
51	file://CVE-2020-16092.patch \	51	file://CVE-2020-16092.patch \
52	file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \	52	file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \
53	file://CVE-2019-20175.patch \	53	file://CVE-2019-20175.patch \
54	file://CVE-2020-24352.patch \	54	file://CVE-2020-24352.patch \
55	file://CVE-2020-25723.patch \	55	file://CVE-2020-25723.patch \
56	file://CVE-2021-20203.patch \	56	file://CVE-2021-20203.patch \
57	file://CVE-2021-3392.patch \	57	file://CVE-2021-3392.patch \
58	"	58	file://CVE-2020-25085.patch \
		59	"
59	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	60	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
60		61
61	SRC_URI[md5sum] = "278eeb294e4b497e79af7a57e660cb9a"	62	SRC_URI[md5sum] = "278eeb294e4b497e79af7a57e660cb9a"


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25085.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25085.patch new file mode 100644 index 0000000000..be19256cef --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25085.patch
@@ -0,0 +1,46 @@
		1	From dfba99f17feb6d4a129da19d38df1bcd8579d1c3 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
		3	Date: Tue, 1 Sep 2020 15:22:06 +0200
		4	Subject: [PATCH] hw/sd/sdhci: Fix DMA Transfer Block Size field
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	The 'Transfer Block Size' field is 12-bit wide.
		10
		11	See section '2.2.2. Block Size Register (Offset 004h)' in datasheet.
		12
		13	Two different bug reproducer available:
		14	- https://bugs.launchpad.net/qemu/+bug/1892960
		15	- https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fsdhci_oob_write1
		16
		17	Cc: qemu-stable@nongnu.org
		18	Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
		19	Fixes: d7dfca0807a ("hw/sdhci: introduce standard SD host controller")
		20	Reported-by: Alexander Bulekov <alxndr@bu.edu>
		21	Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
		22	Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
		23	Tested-by: Alexander Bulekov <alxndr@bu.edu>
		24	Message-Id: <20200901140411.112150-3-f4bug@amsat.org>
		25
		26	Upstream-Status: Backport
		27	CVE: CVE-2020-25085
		28	Signed-off-by: Armin Kuster <akuster@mvista.com>
		29
		30	---
		31	hw/sd/sdhci.c \| 2 +-
		32	1 file changed, 1 insertion(+), 1 deletion(-)
		33
		34	Index: qemu-4.2.0/hw/sd/sdhci.c
		35	===================================================================
		36	--- qemu-4.2.0.orig/hw/sd/sdhci.c
		37	+++ qemu-4.2.0/hw/sd/sdhci.c
		38	@@ -1129,7 +1129,7 @@ sdhci_write(void *opaque, hwaddr offset,
		39	break;
		40	case SDHC_BLKSIZE:
		41	if (!TRANSFERRING_DATA(s->prnsts)) {
		42	- MASKED_WRITE(s->blksize, mask, value);
		43	+ MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
		44	MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
		45	}
		46