1 files changed, 69 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch
new file mode 100644
index 0000000000..7354edc54d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch
@@ -0,0 +1,69 @@
+From dba04c3488c4699f5afe96f66e448b1d447cf3fb Mon Sep 17 00:00:00 2001
+From: Michael Tokarev <mjt@tls.msk.ru>
+Date: Mon, 20 Jul 2020 19:06:27 +0300
+Subject: [PATCH] acpi: accept byte and word access to core ACPI registers
+All ISA registers should be accessible as bytes, words or dwords
+(if wide enough).  Fix the access constraints for acpi-pm-evt,
+acpi-pm-tmr & acpi-cnt registers.
+Fixes: 5d971f9e67 (memory: Revert "memory: accept mismatching sizes in memory_region_access_valid")
+Fixes: afafe4bbe0 (apci: switch cnt to memory api)
+Fixes: 77d58b1e47 (apci: switch timer to memory api)
+Fixes: b5a7c024d2 (apci: switch evt to memory api)
+Buglink: https://lore.kernel.org/xen-devel/20200630170913.123646-1-anthony.perard@citrix.com/T/
+Buglink: https://bugs.debian.org/964793
+BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247
+BugLink: https://bugs.launchpad.net/bugs/1886318
+Reported-By: Simon John <git@the-jedi.co.uk>
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+Message-Id: <20200720160627.15491-1-mjt@msgid.tls.msk.ru>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+https://git.qemu.org/?p=qemu.git;a=patch;h=dba04c3488c4699f5afe96f66e448b1d447cf3fb
+CVE: CVE-2020-13754
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/acpi/core.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+diff --git a/hw/acpi/core.c b/hw/acpi/core.c
+index f6d9ec4..ac06db3 100644
+--- a/hw/acpi/core.c
+++ b/hw/acpi/core.c
+@@ -458,7 +458,8 @@ static void acpi_pm_evt_write(void *opaque, hwaddr addr, uint64_t val,
+ static const MemoryRegionOps acpi_pm_evt_ops = {
+     .read = acpi_pm_evt_read,
+     .write = acpi_pm_evt_write,
+-    .valid.min_access_size = 2,
+    .impl.min_access_size = 2,
+    .valid.min_access_size = 1,
+     .valid.max_access_size = 2,
+     .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+@@ -527,7 +528,8 @@ static void acpi_pm_tmr_write(void *opaque, hwaddr addr, uint64_t val,
+ static const MemoryRegionOps acpi_pm_tmr_ops = {
+     .read = acpi_pm_tmr_read,
+     .write = acpi_pm_tmr_write,
+-    .valid.min_access_size = 4,
+    .impl.min_access_size = 4,
+    .valid.min_access_size = 1,
+     .valid.max_access_size = 4,
+     .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+@@ -599,7 +601,8 @@ static void acpi_pm_cnt_write(void *opaque, hwaddr addr, uint64_t val,
+ static const MemoryRegionOps acpi_pm_cnt_ops = {
+     .read = acpi_pm_cnt_read,
+     .write = acpi_pm_cnt_write,
+-    .valid.min_access_size = 2,
+    .impl.min_access_size = 2,
+    .valid.min_access_size = 1,
+     .valid.max_access_size = 2,
+     .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+-- 
+1.8.3.1

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch new file mode 100644 index 0000000000..7354edc54d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch
@@ -0,0 +1,69 @@
	1	From dba04c3488c4699f5afe96f66e448b1d447cf3fb Mon Sep 17 00:00:00 2001
	2	From: Michael Tokarev <mjt@tls.msk.ru>
	3	Date: Mon, 20 Jul 2020 19:06:27 +0300
	4	Subject: [PATCH] acpi: accept byte and word access to core ACPI registers
	5
	6	All ISA registers should be accessible as bytes, words or dwords
	7	(if wide enough). Fix the access constraints for acpi-pm-evt,
	8	acpi-pm-tmr & acpi-cnt registers.
	9
	10	Fixes: 5d971f9e67 (memory: Revert "memory: accept mismatching sizes in memory_region_access_valid")
	11	Fixes: afafe4bbe0 (apci: switch cnt to memory api)
	12	Fixes: 77d58b1e47 (apci: switch timer to memory api)
	13	Fixes: b5a7c024d2 (apci: switch evt to memory api)
	14	Buglink: https://lore.kernel.org/xen-devel/20200630170913.123646-1-anthony.perard@citrix.com/T/
	15	Buglink: https://bugs.debian.org/964793
	16	BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247
	17	BugLink: https://bugs.launchpad.net/bugs/1886318
	18	Reported-By: Simon John <git@the-jedi.co.uk>
	19	Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
	20	Message-Id: <20200720160627.15491-1-mjt@msgid.tls.msk.ru>
	21	Cc: qemu-stable@nongnu.org
	22	Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
	23	Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
	24
	25	https://git.qemu.org/?p=qemu.git;a=patch;h=dba04c3488c4699f5afe96f66e448b1d447cf3fb
	26	CVE: CVE-2020-13754
	27	Upstream-Status: Backport
	28	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	29	---
	30	hw/acpi/core.c \| 9 ++++++---
	31	1 file changed, 6 insertions(+), 3 deletions(-)
	32
	33	diff --git a/hw/acpi/core.c b/hw/acpi/core.c
	34	index f6d9ec4..ac06db3 100644
	35	--- a/hw/acpi/core.c
	36	+++ b/hw/acpi/core.c
	37	@@ -458,7 +458,8 @@ static void acpi_pm_evt_write(void *opaque, hwaddr addr, uint64_t val,
	38	static const MemoryRegionOps acpi_pm_evt_ops = {
	39	.read = acpi_pm_evt_read,
	40	.write = acpi_pm_evt_write,
	41	- .valid.min_access_size = 2,
	42	+ .impl.min_access_size = 2,
	43	+ .valid.min_access_size = 1,
	44	.valid.max_access_size = 2,
	45	.endianness = DEVICE_LITTLE_ENDIAN,
	46	};
	47	@@ -527,7 +528,8 @@ static void acpi_pm_tmr_write(void *opaque, hwaddr addr, uint64_t val,
	48	static const MemoryRegionOps acpi_pm_tmr_ops = {
	49	.read = acpi_pm_tmr_read,
	50	.write = acpi_pm_tmr_write,
	51	- .valid.min_access_size = 4,
	52	+ .impl.min_access_size = 4,
	53	+ .valid.min_access_size = 1,
	54	.valid.max_access_size = 4,
	55	.endianness = DEVICE_LITTLE_ENDIAN,
	56	};
	57	@@ -599,7 +601,8 @@ static void acpi_pm_cnt_write(void *opaque, hwaddr addr, uint64_t val,
	58	static const MemoryRegionOps acpi_pm_cnt_ops = {
	59	.read = acpi_pm_cnt_read,
	60	.write = acpi_pm_cnt_write,
	61	- .valid.min_access_size = 2,
	62	+ .impl.min_access_size = 2,
	63	+ .valid.min_access_size = 1,
	64	.valid.max_access_size = 2,
	65	.endianness = DEVICE_LITTLE_ENDIAN,
	66	};
	67	--
	68	1.8.3.1
	69