diff options
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-11869.patch | 97 |
2 files changed, 98 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 7a1ccf2115..126e7d442c 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc | |||
| @@ -37,6 +37,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ | |||
| 37 | file://CVE-2020-7211.patch \ | 37 | file://CVE-2020-7211.patch \ |
| 38 | file://0001-qemu-Do-not-include-file-if-not-exists.patch \ | 38 | file://0001-qemu-Do-not-include-file-if-not-exists.patch \ |
| 39 | file://CVE-2020-11102.patch \ | 39 | file://CVE-2020-11102.patch \ |
| 40 | file://CVE-2020-11869.patch \ | ||
| 40 | " | 41 | " |
| 41 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" | 42 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" |
| 42 | 43 | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-11869.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-11869.patch new file mode 100644 index 0000000000..ca7ffed934 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-11869.patch | |||
| @@ -0,0 +1,97 @@ | |||
| 1 | From ac2071c3791b67fc7af78b8ceb320c01ca1b5df7 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: BALATON Zoltan <balaton@eik.bme.hu> | ||
| 3 | Date: Mon, 6 Apr 2020 22:34:26 +0200 | ||
| 4 | Subject: [PATCH] ati-vga: Fix checks in ati_2d_blt() to avoid crash | ||
| 5 | |||
| 6 | In some corner cases (that never happen during normal operation but a | ||
| 7 | malicious guest could program wrong values) pixman functions were | ||
| 8 | called with parameters that result in a crash. Fix this and add more | ||
| 9 | checks to disallow such cases. | ||
| 10 | |||
| 11 | Reported-by: Ziming Zhang <ezrakiez@gmail.com> | ||
| 12 | Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu> | ||
| 13 | Message-id: 20200406204029.19559747D5D@zero.eik.bme.hu | ||
| 14 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
| 15 | |||
| 16 | Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=ac2071c3791b67fc7af78b8ceb320c01ca1b5df7] | ||
| 17 | CVE: CVE-2020-11869 | ||
| 18 | Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> | ||
| 19 | --- | ||
| 20 | hw/display/ati_2d.c | 37 ++++++++++++++++++++++++++----------- | ||
| 21 | 1 file changed, 26 insertions(+), 11 deletions(-) | ||
| 22 | |||
| 23 | diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c | ||
| 24 | index 42e8231..23a8ae0 100644 | ||
| 25 | --- a/hw/display/ati_2d.c | ||
| 26 | +++ b/hw/display/ati_2d.c | ||
| 27 | @@ -53,12 +53,20 @@ void ati_2d_blt(ATIVGAState *s) | ||
| 28 | s->vga.vbe_start_addr, surface_data(ds), surface_stride(ds), | ||
| 29 | surface_bits_per_pixel(ds), | ||
| 30 | (s->regs.dp_mix & GMC_ROP3_MASK) >> 16); | ||
| 31 | - int dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? | ||
| 32 | - s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width); | ||
| 33 | - int dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? | ||
| 34 | - s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height); | ||
| 35 | + unsigned dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? | ||
| 36 | + s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width); | ||
| 37 | + unsigned dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? | ||
| 38 | + s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height); | ||
| 39 | int bpp = ati_bpp_from_datatype(s); | ||
| 40 | + if (!bpp) { | ||
| 41 | + qemu_log_mask(LOG_GUEST_ERROR, "Invalid bpp\n"); | ||
| 42 | + return; | ||
| 43 | + } | ||
| 44 | int dst_stride = DEFAULT_CNTL ? s->regs.dst_pitch : s->regs.default_pitch; | ||
| 45 | + if (!dst_stride) { | ||
| 46 | + qemu_log_mask(LOG_GUEST_ERROR, "Zero dest pitch\n"); | ||
| 47 | + return; | ||
| 48 | + } | ||
| 49 | uint8_t *dst_bits = s->vga.vram_ptr + (DEFAULT_CNTL ? | ||
| 50 | s->regs.dst_offset : s->regs.default_offset); | ||
| 51 | |||
| 52 | @@ -82,12 +90,16 @@ void ati_2d_blt(ATIVGAState *s) | ||
| 53 | switch (s->regs.dp_mix & GMC_ROP3_MASK) { | ||
| 54 | case ROP3_SRCCOPY: | ||
| 55 | { | ||
| 56 | - int src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? | ||
| 57 | - s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width); | ||
| 58 | - int src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? | ||
| 59 | - s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height); | ||
| 60 | + unsigned src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? | ||
| 61 | + s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width); | ||
| 62 | + unsigned src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? | ||
| 63 | + s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height); | ||
| 64 | int src_stride = DEFAULT_CNTL ? | ||
| 65 | s->regs.src_pitch : s->regs.default_pitch; | ||
| 66 | + if (!src_stride) { | ||
| 67 | + qemu_log_mask(LOG_GUEST_ERROR, "Zero source pitch\n"); | ||
| 68 | + return; | ||
| 69 | + } | ||
| 70 | uint8_t *src_bits = s->vga.vram_ptr + (DEFAULT_CNTL ? | ||
| 71 | s->regs.src_offset : s->regs.default_offset); | ||
| 72 | |||
| 73 | @@ -137,8 +149,10 @@ void ati_2d_blt(ATIVGAState *s) | ||
| 74 | dst_y * surface_stride(ds), | ||
| 75 | s->regs.dst_height * surface_stride(ds)); | ||
| 76 | } | ||
| 77 | - s->regs.dst_x += s->regs.dst_width; | ||
| 78 | - s->regs.dst_y += s->regs.dst_height; | ||
| 79 | + s->regs.dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? | ||
| 80 | + dst_x + s->regs.dst_width : dst_x); | ||
| 81 | + s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? | ||
| 82 | + dst_y + s->regs.dst_height : dst_y); | ||
| 83 | break; | ||
| 84 | } | ||
| 85 | case ROP3_PATCOPY: | ||
| 86 | @@ -179,7 +193,8 @@ void ati_2d_blt(ATIVGAState *s) | ||
| 87 | dst_y * surface_stride(ds), | ||
| 88 | s->regs.dst_height * surface_stride(ds)); | ||
| 89 | } | ||
| 90 | - s->regs.dst_y += s->regs.dst_height; | ||
| 91 | + s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? | ||
| 92 | + dst_y + s->regs.dst_height : dst_y); | ||
| 93 | break; | ||
| 94 | } | ||
| 95 | default: | ||
| 96 | -- | ||
| 97 | 1.8.3.1 | ||