1 files changed, 69 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-2.patch
new file mode 100644
index 0000000000..d6715d337c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-2.patch
@@ -0,0 +1,69 @@
+From 4f2a5202a05fc1612954804a2482f07bff105ea2 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 11 Aug 2020 17:11:26 +0530
+Subject: [PATCH] pci-host: designware: add pcie-msi read method
+Add pcie-msi mmio read method to avoid NULL pointer dereference
+issue.
+Reported-by: Lei Sun <slei.casper@gmail.com>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20200811114133.672647-3-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+CVE: CVE-2020-15469
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-2.patch?h=ubuntu/focal-security Upstream Commit https://github.com/qemu/qemu/commit/4f2a5202a05fc1612954804a2482f07bff105ea2]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/pci-host/designware.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+diff --git a/hw/pci-host/designware.c b/hw/pci-host/designware.c
+index f9fb97a..bde3a34 100644
+--- a/hw/pci-host/designware.c
+++ b/hw/pci-host/designware.c
+@@ -21,6 +21,7 @@
+ #include "qemu/osdep.h"
+ #include "qapi/error.h"
+ #include "qemu/module.h"
+#include "qemu/log.h"
+ #include "hw/pci/msi.h"
+ #include "hw/pci/pci_bridge.h"
+ #include "hw/pci/pci_host.h"
+@@ -63,6 +64,23 @@ designware_pcie_root_to_host(DesignwarePCIERoot *root)
+     return DESIGNWARE_PCIE_HOST(bus->parent);
+ }
+ 
+static uint64_t designware_pcie_root_msi_read(void *opaque, hwaddr addr,
+                                              unsigned size)
+{
+    /*
+     * Attempts to read from the MSI address are undefined in
+     * the PCI specifications. For this hardware, the datasheet
+     * specifies that a read from the magic address is simply not
+     * intercepted by the MSI controller, and will go out to the
+     * AHB/AXI bus like any other PCI-device-initiated DMA read.
+     * This is not trivial to implement in QEMU, so since
+     * well-behaved guests won't ever ask a PCI device to DMA from
+     * this address we just log the missing functionality.
+     */
+    qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__);
+    return 0;
+}
+
+ static void designware_pcie_root_msi_write(void *opaque, hwaddr addr,
+                                            uint64_t val, unsigned len)
+ {
+@@ -77,6 +95,7 @@ static void designware_pcie_root_msi_write(void *opaque, hwaddr addr,
+ }
+ 
+ static const MemoryRegionOps designware_pci_host_msi_ops = {
+    .read = designware_pcie_root_msi_read,
+     .write = designware_pcie_root_msi_write,
+     .endianness = DEVICE_LITTLE_ENDIAN,
+     .valid = {
+-- 
+1.8.3.1

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-2.patch new file mode 100644 index 0000000000..d6715d337c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-2.patch
@@ -0,0 +1,69 @@
	1	From 4f2a5202a05fc1612954804a2482f07bff105ea2 Mon Sep 17 00:00:00 2001
	2	From: Prasad J Pandit <pjp@fedoraproject.org>
	3	Date: Tue, 11 Aug 2020 17:11:26 +0530
	4	Subject: [PATCH] pci-host: designware: add pcie-msi read method
	5
	6	Add pcie-msi mmio read method to avoid NULL pointer dereference
	7	issue.
	8
	9	Reported-by: Lei Sun <slei.casper@gmail.com>
	10	Reviewed-by: Li Qiang <liq3ea@gmail.com>
	11	Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
	12	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
	13	Message-Id: <20200811114133.672647-3-ppandit@redhat.com>
	14	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
	15
	16	CVE: CVE-2020-15469
	17	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-2.patch?h=ubuntu/focal-security Upstream Commit https://github.com/qemu/qemu/commit/4f2a5202a05fc1612954804a2482f07bff105ea2]
	18	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	19	---
	20	hw/pci-host/designware.c \| 19 +++++++++++++++++++
	21	1 file changed, 19 insertions(+)
	22
	23	diff --git a/hw/pci-host/designware.c b/hw/pci-host/designware.c
	24	index f9fb97a..bde3a34 100644
	25	--- a/hw/pci-host/designware.c
	26	+++ b/hw/pci-host/designware.c
	27	@@ -21,6 +21,7 @@
	28	#include "qemu/osdep.h"
	29	#include "qapi/error.h"
	30	#include "qemu/module.h"
	31	+#include "qemu/log.h"
	32	#include "hw/pci/msi.h"
	33	#include "hw/pci/pci_bridge.h"
	34	#include "hw/pci/pci_host.h"
	35	@@ -63,6 +64,23 @@ designware_pcie_root_to_host(DesignwarePCIERoot *root)
	36	return DESIGNWARE_PCIE_HOST(bus->parent);
	37	}
	38
	39	+static uint64_t designware_pcie_root_msi_read(void *opaque, hwaddr addr,
	40	+ unsigned size)
	41	+{
	42	+ /*
	43	+ * Attempts to read from the MSI address are undefined in
	44	+ * the PCI specifications. For this hardware, the datasheet
	45	+ * specifies that a read from the magic address is simply not
	46	+ * intercepted by the MSI controller, and will go out to the
	47	+ * AHB/AXI bus like any other PCI-device-initiated DMA read.
	48	+ * This is not trivial to implement in QEMU, so since
	49	+ * well-behaved guests won't ever ask a PCI device to DMA from
	50	+ * this address we just log the missing functionality.
	51	+ */
	52	+ qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__);
	53	+ return 0;
	54	+}
	55	+
	56	static void designware_pcie_root_msi_write(void *opaque, hwaddr addr,
	57	uint64_t val, unsigned len)
	58	{
	59	@@ -77,6 +95,7 @@ static void designware_pcie_root_msi_write(void *opaque, hwaddr addr,
	60	}
	61
	62	static const MemoryRegionOps designware_pci_host_msi_ops = {
	63	+ .read = designware_pcie_root_msi_read,
	64	.write = designware_pcie_root_msi_write,
	65	.endianness = DEVICE_LITTLE_ENDIAN,
	66	.valid = {
	67	--
	68	1.8.3.1
	69