1 files changed, 139 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch
new file mode 100644
index 0000000000..6b4c1ec050
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch
@@ -0,0 +1,139 @@
+From 790762e5487114341cccc5bffcec4cb3c022c3cd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Thu, 4 Jun 2020 19:22:29 +0200
+Subject: [PATCH] hw/sd/sdcard: Do not switch to ReceivingData if address is
+ invalid
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Only move the state machine to ReceivingData if there is no
+pending error. This avoids later OOB access while processing
+commands queued.
+  "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
+  4.3.3 Data Read
+  Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
+  occurred and no data transfer is performed.
+  4.3.4 Data Write
+  Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
+  occurred and no data transfer is performed.
+WP_VIOLATION errors are not modified: the error bit is set, we
+stay in receive-data state, wait for a stop command. All further
+data transfer is ignored. See the check on sd->card_status at the
+beginning of sd_read_data() and sd_write_data().
+Fixes: CVE-2020-13253
+Cc: qemu-stable@nongnu.org
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Buglink: https://bugs.launchpad.net/qemu/+bug/1880822
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-Id: <20200630133912.9428-6-f4bug@amsat.org>
+Upstram-Status: Backport:
+https://git.qemu.org/?p=qemu.git;a=commit;h=790762e5487114341cccc5bffcec4cb3c022c3cd
+CVE: CVE-2020-13253
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+ hw/sd/sd.c | 38 ++++++++++++++++++++++++--------------
+ 1 file changed, 24 insertions(+), 14 deletions(-)
+diff --git a/hw/sd/sd.c b/hw/sd/sd.c
+index f4f76f8fd2..fad9cf1ee7 100644
+--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
+@@ -1171,13 +1171,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+     case 17:   /* CMD17:  READ_SINGLE_BLOCK */
+         switch (sd->state) {
+         case sd_transfer_state:
+-            sd->state = sd_sendingdata_state;
+-            sd->data_start = addr;
+-            sd->data_offset = 0;
+ 
+-            if (sd->data_start + sd->blk_len > sd->size) {
+            if (addr + sd->blk_len > sd->size) {
+                 sd->card_status |= ADDRESS_ERROR;
+                return sd_r1;
+             }
+
+            sd->state = sd_sendingdata_state;
+            sd->data_start = addr;
+            sd->data_offset = 0;
+             return sd_r1;
+ 
+         default:
+@@ -1188,13 +1190,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+     case 18:   /* CMD18:  READ_MULTIPLE_BLOCK */
+         switch (sd->state) {
+         case sd_transfer_state:
+-            sd->state = sd_sendingdata_state;
+-            sd->data_start = addr;
+-            sd->data_offset = 0;
+ 
+-            if (sd->data_start + sd->blk_len > sd->size) {
+            if (addr + sd->blk_len > sd->size) {
+                 sd->card_status |= ADDRESS_ERROR;
+                return sd_r1;
+             }
+
+            sd->state = sd_sendingdata_state;
+            sd->data_start = addr;
+            sd->data_offset = 0;
+             return sd_r1;
+ 
+         default:
+@@ -1234,14 +1238,17 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+             /* Writing in SPI mode not implemented.  */
+             if (sd->spi)
+                 break;
+
+            if (addr + sd->blk_len > sd->size) {
+                sd->card_status |= ADDRESS_ERROR;
+                return sd_r1;
+            }
+
+             sd->state = sd_receivingdata_state;
+             sd->data_start = addr;
+             sd->data_offset = 0;
+             sd->blk_written = 0;
+ 
+-            if (sd->data_start + sd->blk_len > sd->size) {
+-                sd->card_status |= ADDRESS_ERROR;
+-            }
+             if (sd_wp_addr(sd, sd->data_start)) {
+                 sd->card_status |= WP_VIOLATION;
+             }
+@@ -1261,14 +1268,17 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+             /* Writing in SPI mode not implemented.  */
+             if (sd->spi)
+                 break;
+
+            if (addr + sd->blk_len > sd->size) {
+                sd->card_status |= ADDRESS_ERROR;
+                return sd_r1;
+            }
+
+             sd->state = sd_receivingdata_state;
+             sd->data_start = addr;
+             sd->data_offset = 0;
+             sd->blk_written = 0;
+ 
+-            if (sd->data_start + sd->blk_len > sd->size) {
+-                sd->card_status |= ADDRESS_ERROR;
+-            }
+             if (sd_wp_addr(sd, sd->data_start)) {
+                 sd->card_status |= WP_VIOLATION;
+             }
+-- 
+2.32.0

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch new file mode 100644 index 0000000000..6b4c1ec050 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch
@@ -0,0 +1,139 @@
	1	From 790762e5487114341cccc5bffcec4cb3c022c3cd Mon Sep 17 00:00:00 2001
	2	From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
	3	Date: Thu, 4 Jun 2020 19:22:29 +0200
	4	Subject: [PATCH] hw/sd/sdcard: Do not switch to ReceivingData if address is
	5	invalid
	6	MIME-Version: 1.0
	7	Content-Type: text/plain; charset=UTF-8
	8	Content-Transfer-Encoding: 8bit
	9
	10	Only move the state machine to ReceivingData if there is no
	11	pending error. This avoids later OOB access while processing
	12	commands queued.
	13
	14	"SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
	15
	16	4.3.3 Data Read
	17
	18	Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
	19	occurred and no data transfer is performed.
	20
	21	4.3.4 Data Write
	22
	23	Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
	24	occurred and no data transfer is performed.
	25
	26	WP_VIOLATION errors are not modified: the error bit is set, we
	27	stay in receive-data state, wait for a stop command. All further
	28	data transfer is ignored. See the check on sd->card_status at the
	29	beginning of sd_read_data() and sd_write_data().
	30
	31	Fixes: CVE-2020-13253
	32
	33	Cc: qemu-stable@nongnu.org
	34	Reported-by: Alexander Bulekov <alxndr@bu.edu>
	35	Buglink: https://bugs.launchpad.net/qemu/+bug/1880822
	36	Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
	37	Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
	38	Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
	39	Message-Id: <20200630133912.9428-6-f4bug@amsat.org>
	40
	41	Upstram-Status: Backport:
	42	https://git.qemu.org/?p=qemu.git;a=commit;h=790762e5487114341cccc5bffcec4cb3c022c3cd
	43
	44	CVE: CVE-2020-13253
	45
	46	Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
	47	---
	48	hw/sd/sd.c \| 38 ++++++++++++++++++++++++--------------
	49	1 file changed, 24 insertions(+), 14 deletions(-)
	50
	51	diff --git a/hw/sd/sd.c b/hw/sd/sd.c
	52	index f4f76f8fd2..fad9cf1ee7 100644
	53	--- a/hw/sd/sd.c
	54	+++ b/hw/sd/sd.c
	55	@@ -1171,13 +1171,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
	56	case 17: /* CMD17: READ_SINGLE_BLOCK */
	57	switch (sd->state) {
	58	case sd_transfer_state:
	59	- sd->state = sd_sendingdata_state;
	60	- sd->data_start = addr;
	61	- sd->data_offset = 0;
	62
	63	- if (sd->data_start + sd->blk_len > sd->size) {
	64	+ if (addr + sd->blk_len > sd->size) {
	65	sd->card_status \|= ADDRESS_ERROR;
	66	+ return sd_r1;
	67	}
	68	+
	69	+ sd->state = sd_sendingdata_state;
	70	+ sd->data_start = addr;
	71	+ sd->data_offset = 0;
	72	return sd_r1;
	73
	74	default:
	75	@@ -1188,13 +1190,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
	76	case 18: /* CMD18: READ_MULTIPLE_BLOCK */
	77	switch (sd->state) {
	78	case sd_transfer_state:
	79	- sd->state = sd_sendingdata_state;
	80	- sd->data_start = addr;
	81	- sd->data_offset = 0;
	82
	83	- if (sd->data_start + sd->blk_len > sd->size) {
	84	+ if (addr + sd->blk_len > sd->size) {
	85	sd->card_status \|= ADDRESS_ERROR;
	86	+ return sd_r1;
	87	}
	88	+
	89	+ sd->state = sd_sendingdata_state;
	90	+ sd->data_start = addr;
	91	+ sd->data_offset = 0;
	92	return sd_r1;
	93
	94	default:
	95	@@ -1234,14 +1238,17 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
	96	/* Writing in SPI mode not implemented. */
	97	if (sd->spi)
	98	break;
	99	+
	100	+ if (addr + sd->blk_len > sd->size) {
	101	+ sd->card_status \|= ADDRESS_ERROR;
	102	+ return sd_r1;
	103	+ }
	104	+
	105	sd->state = sd_receivingdata_state;
	106	sd->data_start = addr;
	107	sd->data_offset = 0;
	108	sd->blk_written = 0;
	109
	110	- if (sd->data_start + sd->blk_len > sd->size) {
	111	- sd->card_status \|= ADDRESS_ERROR;
	112	- }
	113	if (sd_wp_addr(sd, sd->data_start)) {
	114	sd->card_status \|= WP_VIOLATION;
	115	}
	116	@@ -1261,14 +1268,17 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
	117	/* Writing in SPI mode not implemented. */
	118	if (sd->spi)
	119	break;
	120	+
	121	+ if (addr + sd->blk_len > sd->size) {
	122	+ sd->card_status \|= ADDRESS_ERROR;
	123	+ return sd_r1;
	124	+ }
	125	+
	126	sd->state = sd_receivingdata_state;
	127	sd->data_start = addr;
	128	sd->data_offset = 0;
	129	sd->blk_written = 0;
	130
	131	- if (sd->data_start + sd->blk_len > sd->size) {
	132	- sd->card_status \|= ADDRESS_ERROR;
	133	- }
	134	if (sd_wp_addr(sd, sd->data_start)) {
	135	sd->card_status \|= WP_VIOLATION;
	136	}
	137	--
	138	2.32.0
	139