1 files changed, 100 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_4.patch
new file mode 100644
index 0000000000..485af05e1e
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_4.patch
@@ -0,0 +1,100 @@
+From 3d0b096298b5579a7fa0753ad90968b27bc65372 Mon Sep 17 00:00:00 2001
+From: BALATON Zoltan <balaton@eik.bme.hu>
+Date: Thu, 21 May 2020 21:39:44 +0200
+Subject: [PATCH 4/5] sm501: Clean up local variables in sm501_2d_operation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Make variables local to the block they are used in to make it clearer
+which operation they are needed for.
+Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: ae59f8138afe7f6a5a4a82539d0f61496a906b06.1590089984.git.balaton@eik.bme.hu
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Upstream-Status: Backport
+CVE: CVE-2020-12829 dep#4
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ hw/display/sm501.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+diff --git a/hw/display/sm501.c b/hw/display/sm501.c
+index 97660090bb..5ed57703d8 100644
+--- a/hw/display/sm501.c
+++ b/hw/display/sm501.c
+@@ -699,28 +699,19 @@ static inline void hwc_invalidate(SM501State *s, int crt)
+ 
+ static void sm501_2d_operation(SM501State *s)
+ {
+-    /* obtain operation parameters */
+     int cmd = (s->twoD_control >> 16) & 0x1F;
+     int rtl = s->twoD_control & BIT(27);
+-    int src_x = (s->twoD_source >> 16) & 0x01FFF;
+-    int src_y = s->twoD_source & 0xFFFF;
+-    int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
+-    int dst_y = s->twoD_destination & 0xFFFF;
+-    int width = (s->twoD_dimension >> 16) & 0x1FFF;
+-    int height = s->twoD_dimension & 0xFFFF;
+-    uint32_t color = s->twoD_foreground;
+     int format = (s->twoD_stretch >> 20) & 0x3;
+     int rop_mode = (s->twoD_control >> 15) & 0x1; /* 1 for rop2, else rop3 */
+     /* 1 if rop2 source is the pattern, otherwise the source is the bitmap */
+     int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1;
+     int rop = s->twoD_control & 0xFF;
+-    uint32_t src_base = s->twoD_source_base & 0x03FFFFFF;
+    int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
+    int dst_y = s->twoD_destination & 0xFFFF;
+    int width = (s->twoD_dimension >> 16) & 0x1FFF;
+    int height = s->twoD_dimension & 0xFFFF;
+     uint32_t dst_base = s->twoD_destination_base & 0x03FFFFFF;
+-
+-    /* get frame buffer info */
+-    uint8_t *src = s->local_mem + src_base;
+     uint8_t *dst = s->local_mem + dst_base;
+-    int src_pitch = s->twoD_pitch & 0x1FFF;
+     int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF;
+     int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0;
+     int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt);
+@@ -758,6 +749,13 @@ static void sm501_2d_operation(SM501State *s)
+ 
+     switch (cmd) {
+     case 0x00: /* copy area */
+    {
+        int src_x = (s->twoD_source >> 16) & 0x01FFF;
+        int src_y = s->twoD_source & 0xFFFF;
+        uint32_t src_base = s->twoD_source_base & 0x03FFFFFF;
+        uint8_t *src = s->local_mem + src_base;
+        int src_pitch = s->twoD_pitch & 0x1FFF;
+
+ #define COPY_AREA(_bpp, _pixel_type, rtl) {                                   \
+         int y, x, index_d, index_s;                                           \
+         for (y = 0; y < height; y++) {                              \
+@@ -793,8 +791,11 @@ static void sm501_2d_operation(SM501State *s)
+             break;
+         }
+         break;
+-
+    }
+     case 0x01: /* fill rectangle */
+    {
+        uint32_t color = s->twoD_foreground;
+
+ #define FILL_RECT(_bpp, _pixel_type) {                                      \
+         int y, x;                                                           \
+         for (y = 0; y < height; y++) {                            \
+@@ -819,7 +820,7 @@ static void sm501_2d_operation(SM501State *s)
+             break;
+         }
+         break;
+-
+    }
+     default:
+         qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n",
+                       cmd);
+-- 
+2.25.1

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_4.patch new file mode 100644 index 0000000000..485af05e1e --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_4.patch
@@ -0,0 +1,100 @@
	1	From 3d0b096298b5579a7fa0753ad90968b27bc65372 Mon Sep 17 00:00:00 2001
	2	From: BALATON Zoltan <balaton@eik.bme.hu>
	3	Date: Thu, 21 May 2020 21:39:44 +0200
	4	Subject: [PATCH 4/5] sm501: Clean up local variables in sm501_2d_operation
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	Make variables local to the block they are used in to make it clearer
	10	which operation they are needed for.
	11
	12	Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
	13	Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
	14	Message-id: ae59f8138afe7f6a5a4a82539d0f61496a906b06.1590089984.git.balaton@eik.bme.hu
	15	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
	16
	17	Upstream-Status: Backport
	18	CVE: CVE-2020-12829 dep#4
	19	Signed-off-by: Armin Kuster <akuster@mvista.com>
	20
	21	---
	22	hw/display/sm501.c \| 31 ++++++++++++++++---------------
	23	1 file changed, 16 insertions(+), 15 deletions(-)
	24
	25	diff --git a/hw/display/sm501.c b/hw/display/sm501.c
	26	index 97660090bb..5ed57703d8 100644
	27	--- a/hw/display/sm501.c
	28	+++ b/hw/display/sm501.c
	29	@@ -699,28 +699,19 @@ static inline void hwc_invalidate(SM501State *s, int crt)
	30
	31	static void sm501_2d_operation(SM501State *s)
	32	{
	33	- /* obtain operation parameters */
	34	int cmd = (s->twoD_control >> 16) & 0x1F;
	35	int rtl = s->twoD_control & BIT(27);
	36	- int src_x = (s->twoD_source >> 16) & 0x01FFF;
	37	- int src_y = s->twoD_source & 0xFFFF;
	38	- int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
	39	- int dst_y = s->twoD_destination & 0xFFFF;
	40	- int width = (s->twoD_dimension >> 16) & 0x1FFF;
	41	- int height = s->twoD_dimension & 0xFFFF;
	42	- uint32_t color = s->twoD_foreground;
	43	int format = (s->twoD_stretch >> 20) & 0x3;
	44	int rop_mode = (s->twoD_control >> 15) & 0x1; /* 1 for rop2, else rop3 */
	45	/* 1 if rop2 source is the pattern, otherwise the source is the bitmap */
	46	int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1;
	47	int rop = s->twoD_control & 0xFF;
	48	- uint32_t src_base = s->twoD_source_base & 0x03FFFFFF;
	49	+ int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
	50	+ int dst_y = s->twoD_destination & 0xFFFF;
	51	+ int width = (s->twoD_dimension >> 16) & 0x1FFF;
	52	+ int height = s->twoD_dimension & 0xFFFF;
	53	uint32_t dst_base = s->twoD_destination_base & 0x03FFFFFF;
	54	-
	55	- /* get frame buffer info */
	56	- uint8_t *src = s->local_mem + src_base;
	57	uint8_t *dst = s->local_mem + dst_base;
	58	- int src_pitch = s->twoD_pitch & 0x1FFF;
	59	int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF;
	60	int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0;
	61	int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt);
	62	@@ -758,6 +749,13 @@ static void sm501_2d_operation(SM501State *s)
	63
	64	switch (cmd) {
	65	case 0x00: /* copy area */
	66	+ {
	67	+ int src_x = (s->twoD_source >> 16) & 0x01FFF;
	68	+ int src_y = s->twoD_source & 0xFFFF;
	69	+ uint32_t src_base = s->twoD_source_base & 0x03FFFFFF;
	70	+ uint8_t *src = s->local_mem + src_base;
	71	+ int src_pitch = s->twoD_pitch & 0x1FFF;
	72	+
	73	#define COPY_AREA(_bpp, _pixel_type, rtl) { \
	74	int y, x, index_d, index_s; \
	75	for (y = 0; y < height; y++) { \
	76	@@ -793,8 +791,11 @@ static void sm501_2d_operation(SM501State *s)
	77	break;
	78	}
	79	break;
	80	-
	81	+ }
	82	case 0x01: /* fill rectangle */
	83	+ {
	84	+ uint32_t color = s->twoD_foreground;
	85	+
	86	#define FILL_RECT(_bpp, _pixel_type) { \
	87	int y, x; \
	88	for (y = 0; y < height; y++) { \
	89	@@ -819,7 +820,7 @@ static void sm501_2d_operation(SM501State *s)
	90	break;
	91	}
	92	break;
	93	-
	94	+ }
	95	default:
	96	qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n",
	97	cmd);
	98	--
	99	2.25.1
	100