1 files changed, 164 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_1.patch
new file mode 100644
index 0000000000..6fee4f640d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_1.patch
@@ -0,0 +1,164 @@
+From e29da77e5fddf6480e3a0e80b63d703edaec751b Mon Sep 17 00:00:00 2001
+From: BALATON Zoltan <balaton@eik.bme.hu>
+Date: Thu, 21 May 2020 21:39:44 +0200
+Subject: [PATCH] sm501: Convert printf + abort to qemu_log_mask
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Some places already use qemu_log_mask() to log unimplemented features
+or errors but some others have printf() then abort(). Convert these to
+qemu_log_mask() and avoid aborting to prevent guests to easily cause
+denial of service.
+Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 305af87f59d81e92f2aaff09eb8a3603b8baa322.1590089984.git.balaton@eik.bme.hu
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Upstream-Status: Backport
+CVE: CVE-2020-12829 dep#1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ hw/display/sm501.c | 57 ++++++++++++++++++++++------------------------
+ 1 file changed, 27 insertions(+), 30 deletions(-)
+diff --git a/hw/display/sm501.c b/hw/display/sm501.c
+index acc692531a..bd3ccfe311 100644
+--- a/hw/display/sm501.c
+++ b/hw/display/sm501.c
+@@ -727,8 +727,8 @@ static void sm501_2d_operation(SM501State *s)
+     int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt);
+ 
+     if (addressing != 0x0) {
+-        printf("%s: only XY addressing is supported.\n", __func__);
+-        abort();
+        qemu_log_mask(LOG_UNIMP, "sm501: only XY addressing is supported.\n");
+        return;
+     }
+ 
+     if (rop_mode == 0) {
+@@ -754,8 +754,8 @@ static void sm501_2d_operation(SM501State *s)
+ 
+     if ((s->twoD_source_base & 0x08000000) ||
+         (s->twoD_destination_base & 0x08000000)) {
+-        printf("%s: only local memory is supported.\n", __func__);
+-        abort();
+        qemu_log_mask(LOG_UNIMP, "sm501: only local memory is supported.\n");
+        return;
+     }
+ 
+     switch (operation) {
+@@ -823,9 +823,9 @@ static void sm501_2d_operation(SM501State *s)
+         break;
+ 
+     default:
+-        printf("non-implemented SM501 2D operation. %d\n", operation);
+-        abort();
+-        break;
+        qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n",
+                      operation);
+        return;
+     }
+ 
+     if (dst_base >= get_fb_addr(s, crt) &&
+@@ -892,9 +892,8 @@ static uint64_t sm501_system_config_read(void *opaque, hwaddr addr,
+         break;
+ 
+     default:
+-        printf("sm501 system config : not implemented register read."
+-               " addr=%x\n", (int)addr);
+-        abort();
+        qemu_log_mask(LOG_UNIMP, "sm501: not implemented system config"
+                      "register read. addr=%" HWADDR_PRIx "\n", addr);
+     }
+ 
+     return ret;
+@@ -948,15 +947,15 @@ static void sm501_system_config_write(void *opaque, hwaddr addr,
+         break;
+     case SM501_ENDIAN_CONTROL:
+         if (value & 0x00000001) {
+-            printf("sm501 system config : big endian mode not implemented.\n");
+-            abort();
+            qemu_log_mask(LOG_UNIMP, "sm501: system config big endian mode not"
+                          " implemented.\n");
+         }
+         break;
+ 
+     default:
+-        printf("sm501 system config : not implemented register write."
+-               " addr=%x, val=%x\n", (int)addr, (uint32_t)value);
+-        abort();
+        qemu_log_mask(LOG_UNIMP, "sm501: not implemented system config"
+                      "register write. addr=%" HWADDR_PRIx
+                      ", val=%" PRIx64 "\n", addr, value);
+     }
+ }
+ 
+@@ -1207,9 +1206,8 @@ static uint64_t sm501_disp_ctrl_read(void *opaque, hwaddr addr,
+         break;
+ 
+     default:
+-        printf("sm501 disp ctrl : not implemented register read."
+-               " addr=%x\n", (int)addr);
+-        abort();
+        qemu_log_mask(LOG_UNIMP, "sm501: not implemented disp ctrl register "
+                      "read. addr=%" HWADDR_PRIx "\n", addr);
+     }
+ 
+     return ret;
+@@ -1345,9 +1343,9 @@ static void sm501_disp_ctrl_write(void *opaque, hwaddr addr,
+         break;
+ 
+     default:
+-        printf("sm501 disp ctrl : not implemented register write."
+-               " addr=%x, val=%x\n", (int)addr, (unsigned)value);
+-        abort();
+        qemu_log_mask(LOG_UNIMP, "sm501: not implemented disp ctrl register "
+                      "write. addr=%" HWADDR_PRIx
+                      ", val=%" PRIx64 "\n", addr, value);
+     }
+ }
+ 
+@@ -1433,9 +1431,8 @@ static uint64_t sm501_2d_engine_read(void *opaque, hwaddr addr,
+         ret = 0; /* Should return interrupt status */
+         break;
+     default:
+-        printf("sm501 disp ctrl : not implemented register read."
+-               " addr=%x\n", (int)addr);
+-        abort();
+        qemu_log_mask(LOG_UNIMP, "sm501: not implemented disp ctrl register "
+                      "read. addr=%" HWADDR_PRIx "\n", addr);
+     }
+ 
+     return ret;
+@@ -1520,9 +1517,9 @@ static void sm501_2d_engine_write(void *opaque, hwaddr addr,
+         /* ignored, writing 0 should clear interrupt status */
+         break;
+     default:
+-        printf("sm501 2d engine : not implemented register write."
+-               " addr=%x, val=%x\n", (int)addr, (unsigned)value);
+-        abort();
+        qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2d engine register "
+                      "write. addr=%" HWADDR_PRIx
+                      ", val=%" PRIx64 "\n", addr, value);
+     }
+ }
+ 
+@@ -1670,9 +1667,9 @@ static void sm501_update_display(void *opaque)
+         draw_line = draw_line32_funcs[dst_depth_index];
+         break;
+     default:
+-        printf("sm501 update display : invalid control register value.\n");
+-        abort();
+-        break;
+        qemu_log_mask(LOG_GUEST_ERROR, "sm501: update display"
+                      "invalid control register value.\n");
+        return;
+     }
+ 
+     /* set up to draw hardware cursor */
+-- 
+2.25.1

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_1.patch new file mode 100644 index 0000000000..6fee4f640d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_1.patch
@@ -0,0 +1,164 @@
	1	From e29da77e5fddf6480e3a0e80b63d703edaec751b Mon Sep 17 00:00:00 2001
	2	From: BALATON Zoltan <balaton@eik.bme.hu>
	3	Date: Thu, 21 May 2020 21:39:44 +0200
	4	Subject: [PATCH] sm501: Convert printf + abort to qemu_log_mask
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	Some places already use qemu_log_mask() to log unimplemented features
	10	or errors but some others have printf() then abort(). Convert these to
	11	qemu_log_mask() and avoid aborting to prevent guests to easily cause
	12	denial of service.
	13
	14	Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
	15	Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
	16	Message-id: 305af87f59d81e92f2aaff09eb8a3603b8baa322.1590089984.git.balaton@eik.bme.hu
	17	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
	18
	19	Upstream-Status: Backport
	20	CVE: CVE-2020-12829 dep#1
	21	Signed-off-by: Armin Kuster <akuster@mvista.com>
	22
	23	---
	24	hw/display/sm501.c \| 57 ++++++++++++++++++++++------------------------
	25	1 file changed, 27 insertions(+), 30 deletions(-)
	26
	27	diff --git a/hw/display/sm501.c b/hw/display/sm501.c
	28	index acc692531a..bd3ccfe311 100644
	29	--- a/hw/display/sm501.c
	30	+++ b/hw/display/sm501.c
	31	@@ -727,8 +727,8 @@ static void sm501_2d_operation(SM501State *s)
	32	int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt);
	33
	34	if (addressing != 0x0) {
	35	- printf("%s: only XY addressing is supported.\n", __func__);
	36	- abort();
	37	+ qemu_log_mask(LOG_UNIMP, "sm501: only XY addressing is supported.\n");
	38	+ return;
	39	}
	40
	41	if (rop_mode == 0) {
	42	@@ -754,8 +754,8 @@ static void sm501_2d_operation(SM501State *s)
	43
	44	if ((s->twoD_source_base & 0x08000000) \|\|
	45	(s->twoD_destination_base & 0x08000000)) {
	46	- printf("%s: only local memory is supported.\n", __func__);
	47	- abort();
	48	+ qemu_log_mask(LOG_UNIMP, "sm501: only local memory is supported.\n");
	49	+ return;
	50	}
	51
	52	switch (operation) {
	53	@@ -823,9 +823,9 @@ static void sm501_2d_operation(SM501State *s)
	54	break;
	55
	56	default:
	57	- printf("non-implemented SM501 2D operation. %d\n", operation);
	58	- abort();
	59	- break;
	60	+ qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n",
	61	+ operation);
	62	+ return;
	63	}
	64
	65	if (dst_base >= get_fb_addr(s, crt) &&
	66	@@ -892,9 +892,8 @@ static uint64_t sm501_system_config_read(void *opaque, hwaddr addr,
	67	break;
	68
	69	default:
	70	- printf("sm501 system config : not implemented register read."
	71	- " addr=%x\n", (int)addr);
	72	- abort();
	73	+ qemu_log_mask(LOG_UNIMP, "sm501: not implemented system config"
	74	+ "register read. addr=%" HWADDR_PRIx "\n", addr);
	75	}
	76
	77	return ret;
	78	@@ -948,15 +947,15 @@ static void sm501_system_config_write(void *opaque, hwaddr addr,
	79	break;
	80	case SM501_ENDIAN_CONTROL:
	81	if (value & 0x00000001) {
	82	- printf("sm501 system config : big endian mode not implemented.\n");
	83	- abort();
	84	+ qemu_log_mask(LOG_UNIMP, "sm501: system config big endian mode not"
	85	+ " implemented.\n");
	86	}
	87	break;
	88
	89	default:
	90	- printf("sm501 system config : not implemented register write."
	91	- " addr=%x, val=%x\n", (int)addr, (uint32_t)value);
	92	- abort();
	93	+ qemu_log_mask(LOG_UNIMP, "sm501: not implemented system config"
	94	+ "register write. addr=%" HWADDR_PRIx
	95	+ ", val=%" PRIx64 "\n", addr, value);
	96	}
	97	}
	98
	99	@@ -1207,9 +1206,8 @@ static uint64_t sm501_disp_ctrl_read(void *opaque, hwaddr addr,
	100	break;
	101
	102	default:
	103	- printf("sm501 disp ctrl : not implemented register read."
	104	- " addr=%x\n", (int)addr);
	105	- abort();
	106	+ qemu_log_mask(LOG_UNIMP, "sm501: not implemented disp ctrl register "
	107	+ "read. addr=%" HWADDR_PRIx "\n", addr);
	108	}
	109
	110	return ret;
	111	@@ -1345,9 +1343,9 @@ static void sm501_disp_ctrl_write(void *opaque, hwaddr addr,
	112	break;
	113
	114	default:
	115	- printf("sm501 disp ctrl : not implemented register write."
	116	- " addr=%x, val=%x\n", (int)addr, (unsigned)value);
	117	- abort();
	118	+ qemu_log_mask(LOG_UNIMP, "sm501: not implemented disp ctrl register "
	119	+ "write. addr=%" HWADDR_PRIx
	120	+ ", val=%" PRIx64 "\n", addr, value);
	121	}
	122	}
	123
	124	@@ -1433,9 +1431,8 @@ static uint64_t sm501_2d_engine_read(void *opaque, hwaddr addr,
	125	ret = 0; /* Should return interrupt status */
	126	break;
	127	default:
	128	- printf("sm501 disp ctrl : not implemented register read."
	129	- " addr=%x\n", (int)addr);
	130	- abort();
	131	+ qemu_log_mask(LOG_UNIMP, "sm501: not implemented disp ctrl register "
	132	+ "read. addr=%" HWADDR_PRIx "\n", addr);
	133	}
	134
	135	return ret;
	136	@@ -1520,9 +1517,9 @@ static void sm501_2d_engine_write(void *opaque, hwaddr addr,
	137	/* ignored, writing 0 should clear interrupt status */
	138	break;
	139	default:
	140	- printf("sm501 2d engine : not implemented register write."
	141	- " addr=%x, val=%x\n", (int)addr, (unsigned)value);
	142	- abort();
	143	+ qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2d engine register "
	144	+ "write. addr=%" HWADDR_PRIx
	145	+ ", val=%" PRIx64 "\n", addr, value);
	146	}
	147	}
	148
	149	@@ -1670,9 +1667,9 @@ static void sm501_update_display(void *opaque)
	150	draw_line = draw_line32_funcs[dst_depth_index];
	151	break;
	152	default:
	153	- printf("sm501 update display : invalid control register value.\n");
	154	- abort();
	155	- break;
	156	+ qemu_log_mask(LOG_GUEST_ERROR, "sm501: update display"
	157	+ "invalid control register value.\n");
	158	+ return;
	159	}
	160
	161	/* set up to draw hardware cursor */
	162	--
	163	2.25.1
	164