1 files changed, 39 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15859.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15859.patch
new file mode 100644
index 0000000000..0f43adeea8
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15859.patch
@@ -0,0 +1,39 @@
+From 22dc8663d9fc7baa22100544c600b6285a63c7a3 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 22 Jul 2020 16:57:46 +0800
+Subject: [PATCH] net: forbid the reentrant RX
+The memory API allows DMA into NIC's MMIO area. This means the NIC's
+RX routine must be reentrant. Instead of auditing all the NIC, we can
+simply detect the reentrancy and return early. The queue->delivering
+is set and cleared by qemu_net_queue_deliver() for other queue helpers
+to know whether the delivering in on going (NIC's receive is being
+called). We can check it and return early in qemu_net_queue_flush() to
+forbid reentrant RX.
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+CVE: CVE-2020-15859
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/ubuntu/CVE-2020-15859.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/22dc8663d9fc7baa22100544c600b6285a63c7a3 ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ net/queue.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/net/queue.c b/net/queue.c
+index 0164727..19e32c8 100644
+--- a/net/queue.c
+++ b/net/queue.c
+@@ -250,6 +250,9 @@ void qemu_net_queue_purge(NetQueue *queue, NetClientState *from)
+ 
+ bool qemu_net_queue_flush(NetQueue *queue)
+ {
+    if (queue->delivering)
+        return false;
+
+     while (!QTAILQ_EMPTY(&queue->packets)) {
+         NetPacket *packet;
+         int ret;
+-- 
+1.8.3.1

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15859.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15859.patch new file mode 100644 index 0000000000..0f43adeea8 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15859.patch
@@ -0,0 +1,39 @@
	1	From 22dc8663d9fc7baa22100544c600b6285a63c7a3 Mon Sep 17 00:00:00 2001
	2	From: Jason Wang <jasowang@redhat.com>
	3	Date: Wed, 22 Jul 2020 16:57:46 +0800
	4	Subject: [PATCH] net: forbid the reentrant RX
	5
	6	The memory API allows DMA into NIC's MMIO area. This means the NIC's
	7	RX routine must be reentrant. Instead of auditing all the NIC, we can
	8	simply detect the reentrancy and return early. The queue->delivering
	9	is set and cleared by qemu_net_queue_deliver() for other queue helpers
	10	to know whether the delivering in on going (NIC's receive is being
	11	called). We can check it and return early in qemu_net_queue_flush() to
	12	forbid reentrant RX.
	13
	14	Signed-off-by: Jason Wang <jasowang@redhat.com>
	15
	16	CVE: CVE-2020-15859
	17	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/ubuntu/CVE-2020-15859.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/22dc8663d9fc7baa22100544c600b6285a63c7a3 ]
	18	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	19	---
	20	net/queue.c \| 3 +++
	21	1 file changed, 3 insertions(+)
	22
	23	diff --git a/net/queue.c b/net/queue.c
	24	index 0164727..19e32c8 100644
	25	--- a/net/queue.c
	26	+++ b/net/queue.c
	27	@@ -250,6 +250,9 @@ void qemu_net_queue_purge(NetQueue queue, NetClientState from)
	28
	29	bool qemu_net_queue_flush(NetQueue *queue)
	30	{
	31	+ if (queue->delivering)
	32	+ return false;
	33	+
	34	while (!QTAILQ_EMPTY(&queue->packets)) {
	35	NetPacket *packet;
	36	int ret;
	37	--
	38	1.8.3.1
	39