1 files changed, 48 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13765.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13765.patch
new file mode 100644
index 0000000000..9014ba0f13
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13765.patch
@@ -0,0 +1,48 @@
+From e423455c4f23a1a828901c78fe6d03b7dde79319 Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Wed, 25 Sep 2019 14:16:43 +0200
+Subject: [PATCH] hw/core/loader: Fix possible crash in rom_copy()
+Both, "rom->addr" and "addr" are derived from the binary image
+that can be loaded with the "-kernel" paramer. The code in
+rom_copy() then calculates:
+    d = dest + (rom->addr - addr);
+and uses "d" as destination in a memcpy() some lines later. Now with
+bad kernel images, it is possible that rom->addr is smaller than addr,
+thus "rom->addr - addr" gets negative and the memcpy() then tries to
+copy contents from the image to a bad memory location. This could
+maybe be used to inject code from a kernel image into the QEMU binary,
+so we better fix it with an additional sanity check here.
+Cc: qemu-stable@nongnu.org
+Reported-by: Guangming Liu
+Buglink: https://bugs.launchpad.net/qemu/+bug/1844635
+Message-Id: <20190925130331.27825-1-thuth@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=e423455c4f23a1a828901c78fe6d03b7dde79319] 
+CVE: CVE-2020-13765
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ hw/core/loader.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/hw/core/loader.c b/hw/core/loader.c
+index 0d60219..5099f27 100644
+--- a/hw/core/loader.c
+++ b/hw/core/loader.c
+@@ -1281,7 +1281,7 @@ int rom_copy(uint8_t *dest, hwaddr addr, size_t size)
+         if (rom->addr + rom->romsize < addr) {
+             continue;
+         }
+-        if (rom->addr > end) {
+        if (rom->addr > end || rom->addr < addr) {
+             break;
+         }
+ 
+-- 
+1.8.3.1

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13765.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13765.patch new file mode 100644 index 0000000000..9014ba0f13 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13765.patch
@@ -0,0 +1,48 @@
	1	From e423455c4f23a1a828901c78fe6d03b7dde79319 Mon Sep 17 00:00:00 2001
	2	From: Thomas Huth <thuth@redhat.com>
	3	Date: Wed, 25 Sep 2019 14:16:43 +0200
	4	Subject: [PATCH] hw/core/loader: Fix possible crash in rom_copy()
	5
	6	Both, "rom->addr" and "addr" are derived from the binary image
	7	that can be loaded with the "-kernel" paramer. The code in
	8	rom_copy() then calculates:
	9
	10	d = dest + (rom->addr - addr);
	11
	12	and uses "d" as destination in a memcpy() some lines later. Now with
	13	bad kernel images, it is possible that rom->addr is smaller than addr,
	14	thus "rom->addr - addr" gets negative and the memcpy() then tries to
	15	copy contents from the image to a bad memory location. This could
	16	maybe be used to inject code from a kernel image into the QEMU binary,
	17	so we better fix it with an additional sanity check here.
	18
	19	Cc: qemu-stable@nongnu.org
	20	Reported-by: Guangming Liu
	21	Buglink: https://bugs.launchpad.net/qemu/+bug/1844635
	22	Message-Id: <20190925130331.27825-1-thuth@redhat.com>
	23	Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
	24	Signed-off-by: Thomas Huth <thuth@redhat.com>
	25
	26	Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=e423455c4f23a1a828901c78fe6d03b7dde79319]
	27	CVE: CVE-2020-13765
	28	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
	29	---
	30	hw/core/loader.c \| 2 +-
	31	1 file changed, 1 insertion(+), 1 deletion(-)
	32
	33	diff --git a/hw/core/loader.c b/hw/core/loader.c
	34	index 0d60219..5099f27 100644
	35	--- a/hw/core/loader.c
	36	+++ b/hw/core/loader.c
	37	@@ -1281,7 +1281,7 @@ int rom_copy(uint8_t *dest, hwaddr addr, size_t size)
	38	if (rom->addr + rom->romsize < addr) {
	39	continue;
	40	}
	41	- if (rom->addr > end) {
	42	+ if (rom->addr > end \|\| rom->addr < addr) {
	43	break;
	44	}
	45
	46	--
	47	1.8.3.1
	48