1 files changed, 61 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-6.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-6.patch
new file mode 100644
index 0000000000..115be68295
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-6.patch
@@ -0,0 +1,61 @@
+Backport of:
+From 921604e175b8ec06c39503310e7b3ec1e3eafe9e Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 11 Aug 2020 17:11:30 +0530
+Subject: [PATCH] spapr_pci: add spapr msi read method
+Add spapr msi mmio read method to avoid NULL pointer dereference
+issue.
+Reported-by: Lei Sun <slei.casper@gmail.com>
+Acked-by: David Gibson <david@gibson.dropbear.id.au>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20200811114133.672647-7-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+CVE: CVE-2020-15469
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-6.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/921604e175b8ec06c39503310e7b3ec1e3eafe9e]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/ppc/spapr_pci.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+--- a/hw/ppc/spapr_pci.c
+++ b/hw/ppc/spapr_pci.c
+@@ -52,6 +52,7 @@
+ #include "sysemu/kvm.h"
+ #include "sysemu/hostmem.h"
+ #include "sysemu/numa.h"
+#include "qemu/log.h"
+ 
+ /* Copied from the kernel arch/powerpc/platforms/pseries/msi.c */
+ #define RTAS_QUERY_FN           0
+@@ -738,6 +739,12 @@ static PCIINTxRoute spapr_route_intx_pin
+     return route;
+ }
+ 
+static uint64_t spapr_msi_read(void *opaque, hwaddr addr, unsigned size)
+{
+    qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid access\n", __func__);
+    return 0;
+}
+
+ /*
+  * MSI/MSIX memory region implementation.
+  * The handler handles both MSI and MSIX.
+@@ -755,8 +762,11 @@ static void spapr_msi_write(void *opaque
+ }
+ 
+ static const MemoryRegionOps spapr_msi_ops = {
+-    /* There is no .read as the read result is undefined by PCI spec */
+-    .read = NULL,
+    /*
+     * .read result is undefined by PCI spec.
+     * define .read method to avoid assert failure in memory_region_init_io
+     */
+    .read = spapr_msi_read,
+     .write = spapr_msi_write,
+     .endianness = DEVICE_LITTLE_ENDIAN
+ };

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-6.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-6.patch new file mode 100644 index 0000000000..115be68295 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-6.patch
@@ -0,0 +1,61 @@
	1	Backport of:
	2
	3	From 921604e175b8ec06c39503310e7b3ec1e3eafe9e Mon Sep 17 00:00:00 2001
	4	From: Prasad J Pandit <pjp@fedoraproject.org>
	5	Date: Tue, 11 Aug 2020 17:11:30 +0530
	6	Subject: [PATCH] spapr_pci: add spapr msi read method
	7
	8	Add spapr msi mmio read method to avoid NULL pointer dereference
	9	issue.
	10
	11	Reported-by: Lei Sun <slei.casper@gmail.com>
	12	Acked-by: David Gibson <david@gibson.dropbear.id.au>
	13	Reviewed-by: Li Qiang <liq3ea@gmail.com>
	14	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
	15	Message-Id: <20200811114133.672647-7-ppandit@redhat.com>
	16	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
	17
	18	CVE: CVE-2020-15469
	19	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-6.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/921604e175b8ec06c39503310e7b3ec1e3eafe9e]
	20	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	21	---
	22	hw/ppc/spapr_pci.c \| 14 ++++++++++++--
	23	1 file changed, 12 insertions(+), 2 deletions(-)
	24
	25	--- a/hw/ppc/spapr_pci.c
	26	+++ b/hw/ppc/spapr_pci.c
	27	@@ -52,6 +52,7 @@
	28	#include "sysemu/kvm.h"
	29	#include "sysemu/hostmem.h"
	30	#include "sysemu/numa.h"
	31	+#include "qemu/log.h"
	32
	33	/* Copied from the kernel arch/powerpc/platforms/pseries/msi.c */
	34	#define RTAS_QUERY_FN 0
	35	@@ -738,6 +739,12 @@ static PCIINTxRoute spapr_route_intx_pin
	36	return route;
	37	}
	38
	39	+static uint64_t spapr_msi_read(void *opaque, hwaddr addr, unsigned size)
	40	+{
	41	+ qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid access\n", __func__);
	42	+ return 0;
	43	+}
	44	+
	45	/*
	46	* MSI/MSIX memory region implementation.
	47	* The handler handles both MSI and MSIX.
	48	@@ -755,8 +762,11 @@ static void spapr_msi_write(void *opaque
	49	}
	50
	51	static const MemoryRegionOps spapr_msi_ops = {
	52	- /* There is no .read as the read result is undefined by PCI spec */
	53	- .read = NULL,
	54	+ /*
	55	+ * .read result is undefined by PCI spec.
	56	+ * define .read method to avoid assert failure in memory_region_init_io
	57	+ */
	58	+ .read = spapr_msi_read,
	59	.write = spapr_msi_write,
	60	.endianness = DEVICE_LITTLE_ENDIAN
	61	};