-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch | 63 |
2 files changed, 64 insertions, 0 deletions
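--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -34,6 +34,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://CVE-2020-10761.patch \
 file://CVE-2020-13362.patch \
 file://CVE-2020-13659.patch \
+file://CVE-2020-13800.patch \
 "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 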
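--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch
@@ -0,0 +1,63 @@
+From a98610c429d52db0937c1e48659428929835c455 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 4 Jun 2020 14:38:30 +0530
+Subject: [PATCH] ati-vga: check mm_index before recursive call
+(CVE-2020-13800)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+While accessing VGA registers via ati_mm_read/write routines,
+a guest may set 's->regs.mm_index' such that it leads to infinite
+recursion. Check mm_index value to avoid such recursion. Log an
+error message for wrong values.
+
+Reported-by: Ren Ding <rding@gatech.edu>
+Reported-by: Hanqing Zhao <hanqing@gatech.edu>
+Reported-by: Yi Ren <c4tren@gmail.com>
+Message-id: 20200604090830.33885-1-ppandit@redhat.com
+Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>
+Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport [a98610c429d52db0937c1e48659428929835c455]
+CVE: CVE-2020-13800
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+hw/display/ati.c | 10 ++++++++--
+1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/hw/display/ati.c b/hw/display/ati.c
+index 065f197678..67604e68de 100644
+--- a/hw/display/ati.c
++++ b/hw/display/ati.c
+@@ -285,8 +285,11 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
+if (idx <= s->vga.vram_size - size) {
+val = ldn_le_p(s->vga.vram_ptr + idx, size);
+}
+- } else {
++ } else if (s->regs.mm_index > MM_DATA + 3) {
+val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
++ } else {
++ qemu_log_mask(LOG_GUEST_ERROR,
++ "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index);
+}
+break;
+case BIOS_0_SCRATCH ... BUS_CNTL - 1:
+@@ -520,8 +523,11 @@ static void ati_mm_write(void *opaque, hwaddr addr,
+if (idx <= s->vga.vram_size - size) {
+stn_le_p(s->vga.vram_ptr + idx, size, data);
+}
+- } else {
++ } else if (s->regs.mm_index > MM_DATA + 3) {
+ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
++ } else {
++ qemu_log_mask(LOG_GUEST_ERROR,
++ "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index);
+}
+break;
+case BIOS_0_SCRATCH ... BUS_CNTL - 1:
+--
+2.20.1
+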
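Review bot: The bound `MM_DATA + 3` in the new `else if` of both ati_mm_read and ati_mm_write is not explained. The enclosing case label lies outside the embedded hunks, so a reader cannot confirm from here that it is meant to be the last byte of the MM_DATA window. A one-line comment above each check would record the invariant, for example `/* indirect target must lie above MM_INDEX/MM_DATA, otherwise the call re-enters this case */`. In ati_mm_read the rejected path only logs and assigns nothing to `val`, so the value handed back to the guest depends on `val` being initialised before the switch; that declaration is not visible here and is worth confirming when the backport is applied to this recipe's QEMU version. Both functions start and end outside the embedded hunks.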