1 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch
new file mode 100644
index 0000000000..2a8781050f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch
@@ -0,0 +1,65 @@
+From 8e67fda2dd6202ccec093fda561107ba14830a17 Mon Sep 17 00:00:00 2001
+From: Laurent Vivier <lvivier@redhat.com>
+Date: Tue, 21 Jul 2020 10:33:22 +0200
+Subject: [PATCH] xhci: fix valid.max_access_size to access address registers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+QEMU XHCI advertises AC64 (64-bit addressing) but doesn't allow
+64-bit mode access in "runtime" and "operational" MemoryRegionOps.
+Set the max_access_size based on sizeof(dma_addr_t) as AC64 is set.
+XHCI specs:
+"If the xHC supports 64-bit addressing (AC64 = â1â), then software
+should write 64-bit registers using only Qword accesses.  If a
+system is incapable of issuing Qword accesses, then writes to the
+64-bit address fields shall be performed using 2 Dword accesses;
+low Dword-first, high-Dword second.  If the xHC supports 32-bit
+addressing (AC64 = â0â), then the high Dword of registers containing
+64-bit address fields are unused and software should write addresses
+using only Dword accesses"
+The problem has been detected with SLOF, as linux kernel always accesses
+registers using 32-bit access even if AC64 is set and revealed by
+5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"")
+Suggested-by: Alexey Kardashevskiy <aik@au1.ibm.com>
+Signed-off-by: Laurent Vivier <lvivier@redhat.com>
+Message-id: 20200721083322.90651-1-lvivier@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+https://git.qemu.org/?p=qemu.git;a=patch;h=8e67fda2dd6202ccec093fda561107ba14830a17
+CVE: CVE-2020-13754
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/usb/hcd-xhci.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index b330e36..67a18fe 100644
+--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
+@@ -3184,7 +3184,7 @@ static const MemoryRegionOps xhci_oper_ops = {
+     .read = xhci_oper_read,
+     .write = xhci_oper_write,
+     .valid.min_access_size = 4,
+-    .valid.max_access_size = 4,
+    .valid.max_access_size = sizeof(dma_addr_t),
+     .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+ 
+@@ -3200,7 +3200,7 @@ static const MemoryRegionOps xhci_runtime_ops = {
+     .read = xhci_runtime_read,
+     .write = xhci_runtime_write,
+     .valid.min_access_size = 4,
+-    .valid.max_access_size = 4,
+    .valid.max_access_size = sizeof(dma_addr_t),
+     .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+ 
+-- 
+1.8.3.1

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch new file mode 100644 index 0000000000..2a8781050f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch
@@ -0,0 +1,65 @@
	1	From 8e67fda2dd6202ccec093fda561107ba14830a17 Mon Sep 17 00:00:00 2001
	2	From: Laurent Vivier <lvivier@redhat.com>
	3	Date: Tue, 21 Jul 2020 10:33:22 +0200
	4	Subject: [PATCH] xhci: fix valid.max_access_size to access address registers
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=utf8
	7	Content-Transfer-Encoding: 8bit
	8
	9	QEMU XHCI advertises AC64 (64-bit addressing) but doesn't allow
	10	64-bit mode access in "runtime" and "operational" MemoryRegionOps.
	11
	12	Set the max_access_size based on sizeof(dma_addr_t) as AC64 is set.
	13
	14	XHCI specs:
	15	"If the xHC supports 64-bit addressing (AC64 = â1â), then software
	16	should write 64-bit registers using only Qword accesses. If a
	17	system is incapable of issuing Qword accesses, then writes to the
	18	64-bit address fields shall be performed using 2 Dword accesses;
	19	low Dword-first, high-Dword second. If the xHC supports 32-bit
	20	addressing (AC64 = â0â), then the high Dword of registers containing
	21	64-bit address fields are unused and software should write addresses
	22	using only Dword accesses"
	23
	24	The problem has been detected with SLOF, as linux kernel always accesses
	25	registers using 32-bit access even if AC64 is set and revealed by
	26	5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"")
	27
	28	Suggested-by: Alexey Kardashevskiy <aik@au1.ibm.com>
	29	Signed-off-by: Laurent Vivier <lvivier@redhat.com>
	30	Message-id: 20200721083322.90651-1-lvivier@redhat.com
	31	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
	32
	33	https://git.qemu.org/?p=qemu.git;a=patch;h=8e67fda2dd6202ccec093fda561107ba14830a17
	34	CVE: CVE-2020-13754
	35	Upstream-Status: Backport
	36	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	37	---
	38	hw/usb/hcd-xhci.c \| 4 ++--
	39	1 file changed, 2 insertions(+), 2 deletions(-)
	40
	41	diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
	42	index b330e36..67a18fe 100644
	43	--- a/hw/usb/hcd-xhci.c
	44	+++ b/hw/usb/hcd-xhci.c
	45	@@ -3184,7 +3184,7 @@ static const MemoryRegionOps xhci_oper_ops = {
	46	.read = xhci_oper_read,
	47	.write = xhci_oper_write,
	48	.valid.min_access_size = 4,
	49	- .valid.max_access_size = 4,
	50	+ .valid.max_access_size = sizeof(dma_addr_t),
	51	.endianness = DEVICE_LITTLE_ENDIAN,
	52	};
	53
	54	@@ -3200,7 +3200,7 @@ static const MemoryRegionOps xhci_runtime_ops = {
	55	.read = xhci_runtime_read,
	56	.write = xhci_runtime_write,
	57	.valid.min_access_size = 4,
	58	- .valid.max_access_size = 4,
	59	+ .valid.max_access_size = sizeof(dma_addr_t),
	60	.endianness = DEVICE_LITTLE_ENDIAN,
	61	};
	62
	63	--
	64	1.8.3.1
	65