diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch new file mode 100644 index 0000000000..2a8781050f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch | |||
@@ -0,0 +1,65 @@ | |||
1 | From 8e67fda2dd6202ccec093fda561107ba14830a17 Mon Sep 17 00:00:00 2001 | ||
2 | From: Laurent Vivier <lvivier@redhat.com> | ||
3 | Date: Tue, 21 Jul 2020 10:33:22 +0200 | ||
4 | Subject: [PATCH] xhci: fix valid.max_access_size to access address registers | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=utf8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | QEMU XHCI advertises AC64 (64-bit addressing) but doesn't allow | ||
10 | 64-bit mode access in "runtime" and "operational" MemoryRegionOps. | ||
11 | |||
12 | Set the max_access_size based on sizeof(dma_addr_t) as AC64 is set. | ||
13 | |||
14 | XHCI specs: | ||
15 | "If the xHC supports 64-bit addressing (AC64 = â1â), then software | ||
16 | should write 64-bit registers using only Qword accesses. If a | ||
17 | system is incapable of issuing Qword accesses, then writes to the | ||
18 | 64-bit address fields shall be performed using 2 Dword accesses; | ||
19 | low Dword-first, high-Dword second. If the xHC supports 32-bit | ||
20 | addressing (AC64 = â0â), then the high Dword of registers containing | ||
21 | 64-bit address fields are unused and software should write addresses | ||
22 | using only Dword accesses" | ||
23 | |||
24 | The problem has been detected with SLOF, as linux kernel always accesses | ||
25 | registers using 32-bit access even if AC64 is set and revealed by | ||
26 | 5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"") | ||
27 | |||
28 | Suggested-by: Alexey Kardashevskiy <aik@au1.ibm.com> | ||
29 | Signed-off-by: Laurent Vivier <lvivier@redhat.com> | ||
30 | Message-id: 20200721083322.90651-1-lvivier@redhat.com | ||
31 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
32 | |||
33 | https://git.qemu.org/?p=qemu.git;a=patch;h=8e67fda2dd6202ccec093fda561107ba14830a17 | ||
34 | CVE: CVE-2020-13754 | ||
35 | Upstream-Status: Backport | ||
36 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
37 | --- | ||
38 | hw/usb/hcd-xhci.c | 4 ++-- | ||
39 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
40 | |||
41 | diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c | ||
42 | index b330e36..67a18fe 100644 | ||
43 | --- a/hw/usb/hcd-xhci.c | ||
44 | +++ b/hw/usb/hcd-xhci.c | ||
45 | @@ -3184,7 +3184,7 @@ static const MemoryRegionOps xhci_oper_ops = { | ||
46 | .read = xhci_oper_read, | ||
47 | .write = xhci_oper_write, | ||
48 | .valid.min_access_size = 4, | ||
49 | - .valid.max_access_size = 4, | ||
50 | + .valid.max_access_size = sizeof(dma_addr_t), | ||
51 | .endianness = DEVICE_LITTLE_ENDIAN, | ||
52 | }; | ||
53 | |||
54 | @@ -3200,7 +3200,7 @@ static const MemoryRegionOps xhci_runtime_ops = { | ||
55 | .read = xhci_runtime_read, | ||
56 | .write = xhci_runtime_write, | ||
57 | .valid.min_access_size = 4, | ||
58 | - .valid.max_access_size = 4, | ||
59 | + .valid.max_access_size = sizeof(dma_addr_t), | ||
60 | .endianness = DEVICE_LITTLE_ENDIAN, | ||
61 | }; | ||
62 | |||
63 | -- | ||
64 | 1.8.3.1 | ||
65 | |||