summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorLi Wang <li.wang@windriver.com>2020-12-03 05:46:30 +0000
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-12-06 23:17:28 +0000
commit3ac2ba83f24783f5b0793a9faebd28fdca8dd3a4 (patch)
tree55a1a0a327f1ce4eaed743e569ef205b21bd3849 /meta
parente8d24de4a1f5abcf9aa4d0bcd9342ab27d9a6b0b (diff)
downloadpoky-3ac2ba83f24783f5b0793a9faebd28fdca8dd3a4.tar.gz
qemu: CVE-2020-25624
References: https://nvd.nist.gov/vuln/detail/CVE-2020-25624 backport patch from: https://git.qemu.org/?p=qemu.git;a=commit;h=1328fe0c32d5474604105b8105310e944976b058 (From OE-Core rev: 88d05be28da522fb390ee24f2871a113adf4366e) Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc1
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-25624.patch101
2 files changed, 102 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index bbe2a39755..274c855d35 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -34,6 +34,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
34 file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \ 34 file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \
35 file://CVE-2020-24352.patch \ 35 file://CVE-2020-24352.patch \
36 file://CVE-2020-29129-CVE-2020-29130.patch \ 36 file://CVE-2020-29129-CVE-2020-29130.patch \
37 file://CVE-2020-25624.patch \
37 " 38 "
38UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" 39UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
39 40
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25624.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624.patch
new file mode 100644
index 0000000000..7631bab39f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624.patch
@@ -0,0 +1,101 @@
1From 1328fe0c32d5474604105b8105310e944976b058 Mon Sep 17 00:00:00 2001
2From: Prasad J Pandit <pjp@fedoraproject.org>
3Date: Tue, 15 Sep 2020 23:52:58 +0530
4Subject: [PATCH] hw: usb: hcd-ohci: check len and frame_number variables
5
6While servicing the OHCI transfer descriptors(TD), OHCI host
7controller derives variables 'start_addr', 'end_addr', 'len'
8etc. from values supplied by the host controller driver.
9Host controller driver may supply values such that using
10above variables leads to out-of-bounds access issues.
11Add checks to avoid them.
12
13AddressSanitizer: stack-buffer-overflow on address 0x7ffd53af76a0
14 READ of size 2 at 0x7ffd53af76a0 thread T0
15 #0 ohci_service_iso_td ../hw/usb/hcd-ohci.c:734
16 #1 ohci_service_ed_list ../hw/usb/hcd-ohci.c:1180
17 #2 ohci_process_lists ../hw/usb/hcd-ohci.c:1214
18 #3 ohci_frame_boundary ../hw/usb/hcd-ohci.c:1257
19 #4 timerlist_run_timers ../util/qemu-timer.c:572
20 #5 qemu_clock_run_timers ../util/qemu-timer.c:586
21 #6 qemu_clock_run_all_timers ../util/qemu-timer.c:672
22 #7 main_loop_wait ../util/main-loop.c:527
23 #8 qemu_main_loop ../softmmu/vl.c:1676
24 #9 main ../softmmu/main.c:50
25
26Reported-by: Gaoning Pan <pgn@zju.edu.cn>
27Reported-by: Yongkang Jia <j_kangel@163.com>
28Reported-by: Yi Ren <yunye.ry@alibaba-inc.com>
29Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
30Message-id: 20200915182259.68522-2-ppandit@redhat.com
31Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
32
33Upstream-Status: Backport
34CVE: CVE-2020-25624
35[https://git.qemu.org/?p=qemu.git;a=commit;h=1328fe0c32d5474604105b8105310e944976b058]
36Signed-off-by: Li Wang <li.wang@windriver.com>
37---
38 hw/usb/hcd-ohci.c | 24 ++++++++++++++++++++++--
39 1 file changed, 22 insertions(+), 2 deletions(-)
40
41diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
42index 1e6e85e..9dc5910 100644
43--- a/hw/usb/hcd-ohci.c
44+++ b/hw/usb/hcd-ohci.c
45@@ -731,7 +731,11 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
46 }
47
48 start_offset = iso_td.offset[relative_frame_number];
49- next_offset = iso_td.offset[relative_frame_number + 1];
50+ if (relative_frame_number < frame_count) {
51+ next_offset = iso_td.offset[relative_frame_number + 1];
52+ } else {
53+ next_offset = iso_td.be;
54+ }
55
56 if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) ||
57 ((relative_frame_number < frame_count) &&
58@@ -764,7 +768,12 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
59 }
60 } else {
61 /* Last packet in the ISO TD */
62- end_addr = iso_td.be;
63+ end_addr = next_offset;
64+ }
65+
66+ if (start_addr > end_addr) {
67+ trace_usb_ohci_iso_td_bad_cc_overrun(start_addr, end_addr);
68+ return 1;
69 }
70
71 if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) {
72@@ -773,6 +782,9 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
73 } else {
74 len = end_addr - start_addr + 1;
75 }
76+ if (len > sizeof(ohci->usb_buf)) {
77+ len = sizeof(ohci->usb_buf);
78+ }
79
80 if (len && dir != OHCI_TD_DIR_IN) {
81 if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len,
82@@ -975,8 +987,16 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
83 if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) {
84 len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff);
85 } else {
86+ if (td.cbp > td.be) {
87+ trace_usb_ohci_iso_td_bad_cc_overrun(td.cbp, td.be);
88+ ohci_die(ohci);
89+ return 1;
90+ }
91 len = (td.be - td.cbp) + 1;
92 }
93+ if (len > sizeof(ohci->usb_buf)) {
94+ len = sizeof(ohci->usb_buf);
95+ }
96
97 pktlen = len;
98 if (len && dir != OHCI_TD_DIR_IN) {
99--
1002.17.1
101