Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2020-13253_2.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-13253_2.patch | 112 |
1 files changed, 112 insertions, 0 deletions
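--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_2.patch
@@ -0,0 +1,112 @@
+From a9bcedd15a5834ca9ae6c3a97933e85ac7edbd36 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Tue, 7 Jul 2020 13:02:34 +0200
+Subject: [PATCH] hw/sd/sdcard: Do not allow invalid SD card sizes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+QEMU allows to create SD card with unrealistic sizes. This could
+work, but some guests (at least Linux) consider sizes that are not
+a power of 2 as a firmware bug and fix the card size to the next
+power of 2.
+
+While the possibility to use small SD card images has been seen as
+a feature, it became a bug with CVE-2020-13253, where the guest is
+able to do OOB read/write accesses past the image size end.
+
+In a pair of commits we will fix CVE-2020-13253 as:
+
+Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
+occurred and no data transfer is performed.
+
+Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
+occurred and no data transfer is performed.
+
+WP_VIOLATION errors are not modified: the error bit is set, we
+stay in receive-data state, wait for a stop command. All further
+data transfer is ignored. See the check on sd->card_status at the
+beginning of sd_read_data() and sd_write_data().
+
+While this is the correct behavior, in case QEMU create smaller SD
+cards, guests still try to access past the image size end, and QEMU
+considers this is an invalid address, thus "all further data transfer
+is ignored". This is wrong and make the guest looping until
+eventually timeouts.
+
+Fix by not allowing invalid SD card sizes (suggesting the expected
+size as a hint):
+
+$ qemu-system-arm -M orangepi-pc -drive file=rootfs.ext2,if=sd,format=raw
+qemu-system-arm: Invalid SD card size: 60 MiB
+SD card size has to be a power of 2, e.g. 64 MiB.
+You can resize disk images with 'qemu-img resize <imagefile> <new-size>'
+(note that this will lose data if you make the image smaller than it currently is).
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-Id: <20200713183209.26308-8-f4bug@amsat.org>
+
+Upstram-Status: Backport:
+https://git.qemu.org/?p=qemu.git;a=commit;h=a9bcedd15a5834ca9ae6c3a97933e85ac7edbd36
+
+CVE: CVE-2020-13253
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+hw/sd/sd.c | 25 +++++++++++++++++++++++++
+1 file changed, 25 insertions(+)
+
+diff --git a/hw/sd/sd.c b/hw/sd/sd.c
+index edd60a09c0..76d68359a4 100644
+--- a/hw/sd/sd.c
++++ b/hw/sd/sd.c
+@@ -32,6 +32,7 @@
+
+#include "qemu/osdep.h"
+#include "qemu/units.h"
++#include "qemu/cutils.h"
+#include "hw/irq.h"
+#include "hw/registerfields.h"
+#include "sysemu/block-backend.h"
+@@ -2106,11 +2107,35 @@ static void sd_realize(DeviceState *dev, Error **errp)
+}
+
+if (sd->blk) {
++ int64_t blk_size;
++
+if (blk_is_read_only(sd->blk)) {
+error_setg(errp, "Cannot use read-only drive as SD card");
+return;
+}
+
++ blk_size = blk_getlength(sd->blk);
++ if (blk_size > 0 && !is_power_of_2(blk_size)) {
++ int64_t blk_size_aligned = pow2ceil(blk_size);
++ char *blk_size_str;
++
++ blk_size_str = size_to_str(blk_size);
++ error_setg(errp, "Invalid SD card size: %s", blk_size_str);
++ g_free(blk_size_str);
++
++ blk_size_str = size_to_str(blk_size_aligned);
++ error_append_hint(errp,
++ "SD card size has to be a power of 2, e.g. %s.\n"
++ "You can resize disk images with"
++ " 'qemu-img resize <imagefile> <new-size>'\n"
++ "(note that this will lose data if you make the"
++ " image smaller than it currently is).\n",
++ blk_size_str);
++ g_free(blk_size_str);
++
++ return;
++ }
++
+ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
+BLK_PERM_ALL, errp);
+if (ret < 0) {
+--
+2.32.0
+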
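Review bot: In the sd_realize() hunk, `blk_getlength()` returns a negative errno value on failure, and the new guard `blk_size > 0 && !is_power_of_2(blk_size)` lets that case (and a zero length) continue to `blk_set_perm()` with no size validation, so the power-of-2 rule is enforced only when the length query succeeds. Failing realize explicitly would close that gap, e.g. `if (blk_size < 0) { error_setg_errno(errp, -blk_size, "Cannot get SD card size"); return; }`, although for a backport this would need to land upstream first; sd_realize()'s body starts and ends outside the hunk, so later handling cannot be ruled out from here. The embedded commit message says CVE-2020-13253 is fixed "in a pair of commits", so this size check alone does not bound the guest's read/write addresses, and the companion patch has to be listed in the recipe's SRC_URI too (not visible in this single-file view). Separately, the trailer is spelled `Upstram-Status: Backport:` with the URL on the next line; OE patch-status tooling matches `Upstream-Status:`, so it should read `Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=a9bcedd15a5834ca9ae6c3a97933e85ac7edbd36]` for the backport to be tracked.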