1 files changed, 112 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_2.patch
new file mode 100644
index 0000000000..53145d059f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_2.patch
@@ -0,0 +1,112 @@
+From a9bcedd15a5834ca9ae6c3a97933e85ac7edbd36 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Tue, 7 Jul 2020 13:02:34 +0200
+Subject: [PATCH] hw/sd/sdcard: Do not allow invalid SD card sizes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+QEMU allows to create SD card with unrealistic sizes. This could
+work, but some guests (at least Linux) consider sizes that are not
+a power of 2 as a firmware bug and fix the card size to the next
+power of 2.
+While the possibility to use small SD card images has been seen as
+a feature, it became a bug with CVE-2020-13253, where the guest is
+able to do OOB read/write accesses past the image size end.
+In a pair of commits we will fix CVE-2020-13253 as:
+    Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
+    occurred and no data transfer is performed.
+    Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
+    occurred and no data transfer is performed.
+    WP_VIOLATION errors are not modified: the error bit is set, we
+    stay in receive-data state, wait for a stop command. All further
+    data transfer is ignored. See the check on sd->card_status at the
+    beginning of sd_read_data() and sd_write_data().
+While this is the correct behavior, in case QEMU create smaller SD
+cards, guests still try to access past the image size end, and QEMU
+considers this is an invalid address, thus "all further data transfer
+is ignored". This is wrong and make the guest looping until
+eventually timeouts.
+Fix by not allowing invalid SD card sizes (suggesting the expected
+size as a hint):
+  $ qemu-system-arm -M orangepi-pc -drive file=rootfs.ext2,if=sd,format=raw
+  qemu-system-arm: Invalid SD card size: 60 MiB
+  SD card size has to be a power of 2, e.g. 64 MiB.
+  You can resize disk images with 'qemu-img resize <imagefile> <new-size>'
+  (note that this will lose data if you make the image smaller than it currently is).
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-Id: <20200713183209.26308-8-f4bug@amsat.org>
+Upstram-Status: Backport:
+https://git.qemu.org/?p=qemu.git;a=commit;h=a9bcedd15a5834ca9ae6c3a97933e85ac7edbd36
+CVE: CVE-2020-13253
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+ hw/sd/sd.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+diff --git a/hw/sd/sd.c b/hw/sd/sd.c
+index edd60a09c0..76d68359a4 100644
+--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
+@@ -32,6 +32,7 @@
+ 
+ #include "qemu/osdep.h"
+ #include "qemu/units.h"
+#include "qemu/cutils.h"
+ #include "hw/irq.h"
+ #include "hw/registerfields.h"
+ #include "sysemu/block-backend.h"
+@@ -2106,11 +2107,35 @@ static void sd_realize(DeviceState *dev, Error **errp)
+     }
+ 
+     if (sd->blk) {
+        int64_t blk_size;
+
+         if (blk_is_read_only(sd->blk)) {
+             error_setg(errp, "Cannot use read-only drive as SD card");
+             return;
+         }
+ 
+        blk_size = blk_getlength(sd->blk);
+        if (blk_size > 0 && !is_power_of_2(blk_size)) {
+            int64_t blk_size_aligned = pow2ceil(blk_size);
+            char *blk_size_str;
+
+            blk_size_str = size_to_str(blk_size);
+            error_setg(errp, "Invalid SD card size: %s", blk_size_str);
+            g_free(blk_size_str);
+
+            blk_size_str = size_to_str(blk_size_aligned);
+            error_append_hint(errp,
+                              "SD card size has to be a power of 2, e.g. %s.\n"
+                              "You can resize disk images with"
+                              " 'qemu-img resize <imagefile> <new-size>'\n"
+                              "(note that this will lose data if you make the"
+                              " image smaller than it currently is).\n",
+                              blk_size_str);
+            g_free(blk_size_str);
+
+            return;
+        }
+
+         ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
+                            BLK_PERM_ALL, errp);
+         if (ret < 0) {
+-- 
+2.32.0

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_2.patch new file mode 100644 index 0000000000..53145d059f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_2.patch
@@ -0,0 +1,112 @@
	1	From a9bcedd15a5834ca9ae6c3a97933e85ac7edbd36 Mon Sep 17 00:00:00 2001
	2	From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
	3	Date: Tue, 7 Jul 2020 13:02:34 +0200
	4	Subject: [PATCH] hw/sd/sdcard: Do not allow invalid SD card sizes
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	QEMU allows to create SD card with unrealistic sizes. This could
	10	work, but some guests (at least Linux) consider sizes that are not
	11	a power of 2 as a firmware bug and fix the card size to the next
	12	power of 2.
	13
	14	While the possibility to use small SD card images has been seen as
	15	a feature, it became a bug with CVE-2020-13253, where the guest is
	16	able to do OOB read/write accesses past the image size end.
	17
	18	In a pair of commits we will fix CVE-2020-13253 as:
	19
	20	Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
	21	occurred and no data transfer is performed.
	22
	23	Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
	24	occurred and no data transfer is performed.
	25
	26	WP_VIOLATION errors are not modified: the error bit is set, we
	27	stay in receive-data state, wait for a stop command. All further
	28	data transfer is ignored. See the check on sd->card_status at the
	29	beginning of sd_read_data() and sd_write_data().
	30
	31	While this is the correct behavior, in case QEMU create smaller SD
	32	cards, guests still try to access past the image size end, and QEMU
	33	considers this is an invalid address, thus "all further data transfer
	34	is ignored". This is wrong and make the guest looping until
	35	eventually timeouts.
	36
	37	Fix by not allowing invalid SD card sizes (suggesting the expected
	38	size as a hint):
	39
	40	$ qemu-system-arm -M orangepi-pc -drive file=rootfs.ext2,if=sd,format=raw
	41	qemu-system-arm: Invalid SD card size: 60 MiB
	42	SD card size has to be a power of 2, e.g. 64 MiB.
	43	You can resize disk images with 'qemu-img resize <imagefile> <new-size>'
	44	(note that this will lose data if you make the image smaller than it currently is).
	45
	46	Cc: qemu-stable@nongnu.org
	47	Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
	48	Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
	49	Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
	50	Message-Id: <20200713183209.26308-8-f4bug@amsat.org>
	51
	52	Upstram-Status: Backport:
	53	https://git.qemu.org/?p=qemu.git;a=commit;h=a9bcedd15a5834ca9ae6c3a97933e85ac7edbd36
	54
	55	CVE: CVE-2020-13253
	56
	57	Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
	58	---
	59	hw/sd/sd.c \| 25 +++++++++++++++++++++++++
	60	1 file changed, 25 insertions(+)
	61
	62	diff --git a/hw/sd/sd.c b/hw/sd/sd.c
	63	index edd60a09c0..76d68359a4 100644
	64	--- a/hw/sd/sd.c
	65	+++ b/hw/sd/sd.c
	66	@@ -32,6 +32,7 @@
	67
	68	#include "qemu/osdep.h"
	69	#include "qemu/units.h"
	70	+#include "qemu/cutils.h"
	71	#include "hw/irq.h"
	72	#include "hw/registerfields.h"
	73	#include "sysemu/block-backend.h"
	74	@@ -2106,11 +2107,35 @@ static void sd_realize(DeviceState dev, Error *errp)
	75	}
	76
	77	if (sd->blk) {
	78	+ int64_t blk_size;
	79	+
	80	if (blk_is_read_only(sd->blk)) {
	81	error_setg(errp, "Cannot use read-only drive as SD card");
	82	return;
	83	}
	84
	85	+ blk_size = blk_getlength(sd->blk);
	86	+ if (blk_size > 0 && !is_power_of_2(blk_size)) {
	87	+ int64_t blk_size_aligned = pow2ceil(blk_size);
	88	+ char *blk_size_str;
	89	+
	90	+ blk_size_str = size_to_str(blk_size);
	91	+ error_setg(errp, "Invalid SD card size: %s", blk_size_str);
	92	+ g_free(blk_size_str);
	93	+
	94	+ blk_size_str = size_to_str(blk_size_aligned);
	95	+ error_append_hint(errp,
	96	+ "SD card size has to be a power of 2, e.g. %s.\n"
	97	+ "You can resize disk images with"
	98	+ " 'qemu-img resize <imagefile> <new-size>'\n"
	99	+ "(note that this will lose data if you make the"
	100	+ " image smaller than it currently is).\n",
	101	+ blk_size_str);
	102	+ g_free(blk_size_str);
	103	+
	104	+ return;
	105	+ }
	106	+
	107	ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ \| BLK_PERM_WRITE,
	108	BLK_PERM_ALL, errp);
	109	if (ret < 0) {
	110	--
	111	2.32.0
	112