diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch new file mode 100644 index 0000000000..7354edc54d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch | |||
@@ -0,0 +1,69 @@ | |||
1 | From dba04c3488c4699f5afe96f66e448b1d447cf3fb Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael Tokarev <mjt@tls.msk.ru> | ||
3 | Date: Mon, 20 Jul 2020 19:06:27 +0300 | ||
4 | Subject: [PATCH] acpi: accept byte and word access to core ACPI registers | ||
5 | |||
6 | All ISA registers should be accessible as bytes, words or dwords | ||
7 | (if wide enough). Fix the access constraints for acpi-pm-evt, | ||
8 | acpi-pm-tmr & acpi-cnt registers. | ||
9 | |||
10 | Fixes: 5d971f9e67 (memory: Revert "memory: accept mismatching sizes in memory_region_access_valid") | ||
11 | Fixes: afafe4bbe0 (apci: switch cnt to memory api) | ||
12 | Fixes: 77d58b1e47 (apci: switch timer to memory api) | ||
13 | Fixes: b5a7c024d2 (apci: switch evt to memory api) | ||
14 | Buglink: https://lore.kernel.org/xen-devel/20200630170913.123646-1-anthony.perard@citrix.com/T/ | ||
15 | Buglink: https://bugs.debian.org/964793 | ||
16 | BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247 | ||
17 | BugLink: https://bugs.launchpad.net/bugs/1886318 | ||
18 | Reported-By: Simon John <git@the-jedi.co.uk> | ||
19 | Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | ||
20 | Message-Id: <20200720160627.15491-1-mjt@msgid.tls.msk.ru> | ||
21 | Cc: qemu-stable@nongnu.org | ||
22 | Reviewed-by: Michael S. Tsirkin <mst@redhat.com> | ||
23 | Signed-off-by: Michael S. Tsirkin <mst@redhat.com> | ||
24 | |||
25 | https://git.qemu.org/?p=qemu.git;a=patch;h=dba04c3488c4699f5afe96f66e448b1d447cf3fb | ||
26 | CVE: CVE-2020-13754 | ||
27 | Upstream-Status: Backport | ||
28 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
29 | --- | ||
30 | hw/acpi/core.c | 9 ++++++--- | ||
31 | 1 file changed, 6 insertions(+), 3 deletions(-) | ||
32 | |||
33 | diff --git a/hw/acpi/core.c b/hw/acpi/core.c | ||
34 | index f6d9ec4..ac06db3 100644 | ||
35 | --- a/hw/acpi/core.c | ||
36 | +++ b/hw/acpi/core.c | ||
37 | @@ -458,7 +458,8 @@ static void acpi_pm_evt_write(void *opaque, hwaddr addr, uint64_t val, | ||
38 | static const MemoryRegionOps acpi_pm_evt_ops = { | ||
39 | .read = acpi_pm_evt_read, | ||
40 | .write = acpi_pm_evt_write, | ||
41 | - .valid.min_access_size = 2, | ||
42 | + .impl.min_access_size = 2, | ||
43 | + .valid.min_access_size = 1, | ||
44 | .valid.max_access_size = 2, | ||
45 | .endianness = DEVICE_LITTLE_ENDIAN, | ||
46 | }; | ||
47 | @@ -527,7 +528,8 @@ static void acpi_pm_tmr_write(void *opaque, hwaddr addr, uint64_t val, | ||
48 | static const MemoryRegionOps acpi_pm_tmr_ops = { | ||
49 | .read = acpi_pm_tmr_read, | ||
50 | .write = acpi_pm_tmr_write, | ||
51 | - .valid.min_access_size = 4, | ||
52 | + .impl.min_access_size = 4, | ||
53 | + .valid.min_access_size = 1, | ||
54 | .valid.max_access_size = 4, | ||
55 | .endianness = DEVICE_LITTLE_ENDIAN, | ||
56 | }; | ||
57 | @@ -599,7 +601,8 @@ static void acpi_pm_cnt_write(void *opaque, hwaddr addr, uint64_t val, | ||
58 | static const MemoryRegionOps acpi_pm_cnt_ops = { | ||
59 | .read = acpi_pm_cnt_read, | ||
60 | .write = acpi_pm_cnt_write, | ||
61 | - .valid.min_access_size = 2, | ||
62 | + .impl.min_access_size = 2, | ||
63 | + .valid.min_access_size = 1, | ||
64 | .valid.max_access_size = 2, | ||
65 | .endianness = DEVICE_LITTLE_ENDIAN, | ||
66 | }; | ||
67 | -- | ||
68 | 1.8.3.1 | ||
69 | |||