Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch | 91 |
1 files changed, 91 insertions, 0 deletions
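--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch
@@ -0,0 +1,91 @@
+From 5d971f9e672507210e77d020d89e0e89165c8fc9 Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Wed, 10 Jun 2020 09:47:49 -0400
+Subject: [PATCH] memory: Revert "memory: accept mismatching sizes in
+memory_region_access_valid"
+
+Memory API documentation documents valid .min_access_size and .max_access_size
+fields and explains that any access outside these boundaries is blocked.
+
+This is what devices seem to assume.
+
+However this is not what the implementation does: it simply
+ignores the boundaries unless there's an "accepts" callback.
+
+Naturally, this breaks a bunch of devices.
+
+Revert to the documented behaviour.
+
+Devices that want to allow any access can just drop the valid field,
+or add the impl field to have accesses converted to appropriate
+length.
+
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Richard Henderson <rth@twiddle.net>
+Fixes: CVE-2020-13754
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363
+Fixes: a014ed07bd5a ("memory: accept mismatching sizes in memory_region_access_valid")
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Message-Id: <20200610134731.1514409-1-mst@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+https://git.qemu.org/?p=qemu.git;a=patch;h=5d971f9e672507210e77d020d89e0e89165c8fc9
+CVE: CVE-2020-13754
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+memory.c | 29 +++++++++-------------------
+1 file changed, 9 insertions(+), 20 deletions(-)
+
+diff --git a/memory.c b/memory.c
+index 2f15a4b..9200b20 100644
+--- a/memory.c
++++ b/memory.c
+@@ -1352,35 +1352,24 @@ bool memory_region_access_valid(MemoryRegion *mr,
+bool is_write,
+MemTxAttrs attrs)
+{
+- int access_size_min, access_size_max;
+- int access_size, i;
+-
+- if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
++ if (mr->ops->valid.accepts
++ && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) {
+return false;
+}
+
+- if (!mr->ops->valid.accepts) {
+- return true;
+- }
+-
+- access_size_min = mr->ops->valid.min_access_size;
+- if (!mr->ops->valid.min_access_size) {
+- access_size_min = 1;
++ if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
++ return false;
+}
+
+- access_size_max = mr->ops->valid.max_access_size;
++ /* Treat zero as compatibility all valid */
+if (!mr->ops->valid.max_access_size) {
+- access_size_max = 4;
++ return true;
+}
+
+- access_size = MAX(MIN(size, access_size_max), access_size_min);
+- for (i = 0; i < size; i += access_size) {
+- if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size,
+- is_write, attrs)) {
+- return false;
+- }
++ if (size > mr->ops->valid.max_access_size
++ || size < mr->ops->valid.min_access_size) {
++ return false;
+}
+-
+return true;
+}
+
+--
+1.8.3.1
+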