1 files changed, 139 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch
new file mode 100644
index 0000000000..e7258a43d3
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch
@@ -0,0 +1,139 @@
+From 6f8183b5dc5b309378687830a25e85ea8fb860ea Mon Sep 17 00:00:00 2001
+From: BALATON Zoltan <balaton@eik.bme.hu>
+Date: Thu, 21 May 2020 21:39:44 +0200
+Subject: [PATCH 2/5] sm501: Shorten long variable names in sm501_2d_operation
+This increases readability and cleans up some confusing naming.
+Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
+Message-id: b9b67b94c46e945252a73c77dfd117132c63c4fb.1590089984.git.balaton@eik.bme.hu
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Upstream-Status: Backport
+CVE: CVE-2020-12829 dep#2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ hw/display/sm501.c | 45 ++++++++++++++++++++++-----------------------
+ 1 file changed, 22 insertions(+), 23 deletions(-)
+diff --git a/hw/display/sm501.c b/hw/display/sm501.c
+index bd3ccfe311..f42d05e1e4 100644
+--- a/hw/display/sm501.c
+++ b/hw/display/sm501.c
+@@ -700,17 +700,16 @@ static inline void hwc_invalidate(SM501State *s, int crt)
+ static void sm501_2d_operation(SM501State *s)
+ {
+     /* obtain operation parameters */
+-    int operation = (s->twoD_control >> 16) & 0x1f;
+    int cmd = (s->twoD_control >> 16) & 0x1F;
+     int rtl = s->twoD_control & 0x8000000;
+     int src_x = (s->twoD_source >> 16) & 0x01FFF;
+     int src_y = s->twoD_source & 0xFFFF;
+     int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
+     int dst_y = s->twoD_destination & 0xFFFF;
+-    int operation_width = (s->twoD_dimension >> 16) & 0x1FFF;
+-    int operation_height = s->twoD_dimension & 0xFFFF;
+    int width = (s->twoD_dimension >> 16) & 0x1FFF;
+    int height = s->twoD_dimension & 0xFFFF;
+     uint32_t color = s->twoD_foreground;
+-    int format_flags = (s->twoD_stretch >> 20) & 0x3;
+-    int addressing = (s->twoD_stretch >> 16) & 0xF;
+    int format = (s->twoD_stretch >> 20) & 0x3;
+     int rop_mode = (s->twoD_control >> 15) & 0x1; /* 1 for rop2, else rop3 */
+     /* 1 if rop2 source is the pattern, otherwise the source is the bitmap */
+     int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1;
+@@ -721,12 +720,12 @@ static void sm501_2d_operation(SM501State *s)
+     /* get frame buffer info */
+     uint8_t *src = s->local_mem + src_base;
+     uint8_t *dst = s->local_mem + dst_base;
+-    int src_width = s->twoD_pitch & 0x1FFF;
+-    int dst_width = (s->twoD_pitch >> 16) & 0x1FFF;
+    int src_pitch = s->twoD_pitch & 0x1FFF;
+    int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF;
+     int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0;
+     int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt);
+ 
+-    if (addressing != 0x0) {
+    if ((s->twoD_stretch >> 16) & 0xF) {
+         qemu_log_mask(LOG_UNIMP, "sm501: only XY addressing is supported.\n");
+         return;
+     }
+@@ -758,20 +757,20 @@ static void sm501_2d_operation(SM501State *s)
+         return;
+     }
+ 
+-    switch (operation) {
+    switch (cmd) {
+     case 0x00: /* copy area */
+ #define COPY_AREA(_bpp, _pixel_type, rtl) {                                   \
+         int y, x, index_d, index_s;                                           \
+-        for (y = 0; y < operation_height; y++) {                              \
+-            for (x = 0; x < operation_width; x++) {                           \
+        for (y = 0; y < height; y++) {                              \
+            for (x = 0; x < width; x++) {                           \
+                 _pixel_type val;                                              \
+                                                                               \
+                 if (rtl) {                                                    \
+-                    index_s = ((src_y - y) * src_width + src_x - x) * _bpp;   \
+-                    index_d = ((dst_y - y) * dst_width + dst_x - x) * _bpp;   \
+                    index_s = ((src_y - y) * src_pitch + src_x - x) * _bpp;   \
+                    index_d = ((dst_y - y) * dst_pitch + dst_x - x) * _bpp;   \
+                 } else {                                                      \
+-                    index_s = ((src_y + y) * src_width + src_x + x) * _bpp;   \
+-                    index_d = ((dst_y + y) * dst_width + dst_x + x) * _bpp;   \
+                    index_s = ((src_y + y) * src_pitch + src_x + x) * _bpp;   \
+                    index_d = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp;   \
+                 }                                                             \
+                 if (rop_mode == 1 && rop == 5) {                              \
+                     /* Invert dest */                                         \
+@@ -783,7 +782,7 @@ static void sm501_2d_operation(SM501State *s)
+             }                                                                 \
+         }                                                                     \
+     }
+-        switch (format_flags) {
+        switch (format) {
+         case 0:
+             COPY_AREA(1, uint8_t, rtl);
+             break;
+@@ -799,15 +798,15 @@ static void sm501_2d_operation(SM501State *s)
+     case 0x01: /* fill rectangle */
+ #define FILL_RECT(_bpp, _pixel_type) {                                      \
+         int y, x;                                                           \
+-        for (y = 0; y < operation_height; y++) {                            \
+-            for (x = 0; x < operation_width; x++) {                         \
+-                int index = ((dst_y + y) * dst_width + dst_x + x) * _bpp;   \
+        for (y = 0; y < height; y++) {                            \
+            for (x = 0; x < width; x++) {                         \
+                int index = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp;   \
+                 *(_pixel_type *)&dst[index] = (_pixel_type)color;           \
+             }                                                               \
+         }                                                                   \
+     }
+ 
+-        switch (format_flags) {
+        switch (format) {
+         case 0:
+             FILL_RECT(1, uint8_t);
+             break;
+@@ -824,14 +823,14 @@ static void sm501_2d_operation(SM501State *s)
+ 
+     default:
+         qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n",
+-                      operation);
+                      cmd);
+         return;
+     }
+ 
+     if (dst_base >= get_fb_addr(s, crt) &&
+         dst_base <= get_fb_addr(s, crt) + fb_len) {
+-        int dst_len = MIN(fb_len, ((dst_y + operation_height - 1) * dst_width +
+-                           dst_x + operation_width) * (1 << format_flags));
+        int dst_len = MIN(fb_len, ((dst_y + height - 1) * dst_pitch +
+                          dst_x + width) * (1 << format));
+         if (dst_len) {
+             memory_region_set_dirty(&s->local_mem_region, dst_base, dst_len);
+         }
+-- 
+2.25.1

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch new file mode 100644 index 0000000000..e7258a43d3 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch
@@ -0,0 +1,139 @@
	1	From 6f8183b5dc5b309378687830a25e85ea8fb860ea Mon Sep 17 00:00:00 2001
	2	From: BALATON Zoltan <balaton@eik.bme.hu>
	3	Date: Thu, 21 May 2020 21:39:44 +0200
	4	Subject: [PATCH 2/5] sm501: Shorten long variable names in sm501_2d_operation
	5
	6	This increases readability and cleans up some confusing naming.
	7
	8	Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
	9	Message-id: b9b67b94c46e945252a73c77dfd117132c63c4fb.1590089984.git.balaton@eik.bme.hu
	10	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
	11
	12	Upstream-Status: Backport
	13	CVE: CVE-2020-12829 dep#2
	14	Signed-off-by: Armin Kuster <akuster@mvista.com>
	15
	16	---
	17	hw/display/sm501.c \| 45 ++++++++++++++++++++++-----------------------
	18	1 file changed, 22 insertions(+), 23 deletions(-)
	19
	20	diff --git a/hw/display/sm501.c b/hw/display/sm501.c
	21	index bd3ccfe311..f42d05e1e4 100644
	22	--- a/hw/display/sm501.c
	23	+++ b/hw/display/sm501.c
	24	@@ -700,17 +700,16 @@ static inline void hwc_invalidate(SM501State *s, int crt)
	25	static void sm501_2d_operation(SM501State *s)
	26	{
	27	/* obtain operation parameters */
	28	- int operation = (s->twoD_control >> 16) & 0x1f;
	29	+ int cmd = (s->twoD_control >> 16) & 0x1F;
	30	int rtl = s->twoD_control & 0x8000000;
	31	int src_x = (s->twoD_source >> 16) & 0x01FFF;
	32	int src_y = s->twoD_source & 0xFFFF;
	33	int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
	34	int dst_y = s->twoD_destination & 0xFFFF;
	35	- int operation_width = (s->twoD_dimension >> 16) & 0x1FFF;
	36	- int operation_height = s->twoD_dimension & 0xFFFF;
	37	+ int width = (s->twoD_dimension >> 16) & 0x1FFF;
	38	+ int height = s->twoD_dimension & 0xFFFF;
	39	uint32_t color = s->twoD_foreground;
	40	- int format_flags = (s->twoD_stretch >> 20) & 0x3;
	41	- int addressing = (s->twoD_stretch >> 16) & 0xF;
	42	+ int format = (s->twoD_stretch >> 20) & 0x3;
	43	int rop_mode = (s->twoD_control >> 15) & 0x1; /* 1 for rop2, else rop3 */
	44	/* 1 if rop2 source is the pattern, otherwise the source is the bitmap */
	45	int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1;
	46	@@ -721,12 +720,12 @@ static void sm501_2d_operation(SM501State *s)
	47	/* get frame buffer info */
	48	uint8_t *src = s->local_mem + src_base;
	49	uint8_t *dst = s->local_mem + dst_base;
	50	- int src_width = s->twoD_pitch & 0x1FFF;
	51	- int dst_width = (s->twoD_pitch >> 16) & 0x1FFF;
	52	+ int src_pitch = s->twoD_pitch & 0x1FFF;
	53	+ int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF;
	54	int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0;
	55	int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt);
	56
	57	- if (addressing != 0x0) {
	58	+ if ((s->twoD_stretch >> 16) & 0xF) {
	59	qemu_log_mask(LOG_UNIMP, "sm501: only XY addressing is supported.\n");
	60	return;
	61	}
	62	@@ -758,20 +757,20 @@ static void sm501_2d_operation(SM501State *s)
	63	return;
	64	}
	65
	66	- switch (operation) {
	67	+ switch (cmd) {
	68	case 0x00: /* copy area */
	69	#define COPY_AREA(_bpp, _pixel_type, rtl) { \
	70	int y, x, index_d, index_s; \
	71	- for (y = 0; y < operation_height; y++) { \
	72	- for (x = 0; x < operation_width; x++) { \
	73	+ for (y = 0; y < height; y++) { \
	74	+ for (x = 0; x < width; x++) { \
	75	_pixel_type val; \
	76	\
	77	if (rtl) { \
	78	- index_s = ((src_y - y) * src_width + src_x - x) * _bpp; \
	79	- index_d = ((dst_y - y) * dst_width + dst_x - x) * _bpp; \
	80	+ index_s = ((src_y - y) * src_pitch + src_x - x) * _bpp; \
	81	+ index_d = ((dst_y - y) * dst_pitch + dst_x - x) * _bpp; \
	82	} else { \
	83	- index_s = ((src_y + y) * src_width + src_x + x) * _bpp; \
	84	- index_d = ((dst_y + y) * dst_width + dst_x + x) * _bpp; \
	85	+ index_s = ((src_y + y) * src_pitch + src_x + x) * _bpp; \
	86	+ index_d = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \
	87	} \
	88	if (rop_mode == 1 && rop == 5) { \
	89	/* Invert dest */ \
	90	@@ -783,7 +782,7 @@ static void sm501_2d_operation(SM501State *s)
	91	} \
	92	} \
	93	}
	94	- switch (format_flags) {
	95	+ switch (format) {
	96	case 0:
	97	COPY_AREA(1, uint8_t, rtl);
	98	break;
	99	@@ -799,15 +798,15 @@ static void sm501_2d_operation(SM501State *s)
	100	case 0x01: /* fill rectangle */
	101	#define FILL_RECT(_bpp, _pixel_type) { \
	102	int y, x; \
	103	- for (y = 0; y < operation_height; y++) { \
	104	- for (x = 0; x < operation_width; x++) { \
	105	- int index = ((dst_y + y) * dst_width + dst_x + x) * _bpp; \
	106	+ for (y = 0; y < height; y++) { \
	107	+ for (x = 0; x < width; x++) { \
	108	+ int index = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \
	109	(_pixel_type )&dst[index] = (_pixel_type)color; \
	110	} \
	111	} \
	112	}
	113
	114	- switch (format_flags) {
	115	+ switch (format) {
	116	case 0:
	117	FILL_RECT(1, uint8_t);
	118	break;
	119	@@ -824,14 +823,14 @@ static void sm501_2d_operation(SM501State *s)
	120
	121	default:
	122	qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n",
	123	- operation);
	124	+ cmd);
	125	return;
	126	}
	127
	128	if (dst_base >= get_fb_addr(s, crt) &&
	129	dst_base <= get_fb_addr(s, crt) + fb_len) {
	130	- int dst_len = MIN(fb_len, ((dst_y + operation_height - 1) * dst_width +
	131	- dst_x + operation_width) * (1 << format_flags));
	132	+ int dst_len = MIN(fb_len, ((dst_y + height - 1) * dst_pitch +
	133	+ dst_x + width) * (1 << format));
	134	if (dst_len) {
	135	memory_region_set_dirty(&s->local_mem_region, dst_base, dst_len);
	136	}
	137	--
	138	2.25.1
	139