1 files changed, 64 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch
new file mode 100644
index 0000000000..9927584d11
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch
@@ -0,0 +1,64 @@
+From 5519724a13664b43e225ca05351c60b4468e4555 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Fri, 10 Jul 2020 11:19:41 +0200
+Subject: [PATCH] hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()
+A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It
+occurs while sending an Ethernet frame due to missing break statements
+and improper checking of the buffer size.
+Reported-by: Ziming Zhang <ezrakiez@gmail.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+CVE: CVE-2020-15863
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=5519724a13664b43e225ca05351c60b4468e4555]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ hw/net/xgmac.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c
+index f49df95..f496f7e 100644
+--- a/hw/net/xgmac.c
+++ b/hw/net/xgmac.c
+@@ -217,21 +217,31 @@ static void xgmac_enet_send(XgmacState *s)
+         }
+         len = (bd.buffer1_size & 0xfff) + (bd.buffer2_size & 0xfff);
+ 
+        /*
+         * FIXME: these cases of malformed tx descriptors (bad sizes)
+         * should probably be reported back to the guest somehow
+         * rather than simply silently stopping processing, but we
+         * don't know what the hardware does in this situation.
+         * This will only happen for buggy guests anyway.
+         */
+         if ((bd.buffer1_size & 0xfff) > 2048) {
+             DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
+                         "xgmac buffer 1 len on send > 2048 (0x%x)\n",
+                          __func__, bd.buffer1_size & 0xfff);
+            break;
+         }
+         if ((bd.buffer2_size & 0xfff) != 0) {
+             DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
+                         "xgmac buffer 2 len on send != 0 (0x%x)\n",
+                         __func__, bd.buffer2_size & 0xfff);
+            break;
+         }
+-        if (len >= sizeof(frame)) {
+        if (frame_size + len >= sizeof(frame)) {
+             DEBUGF_BRK("qemu:%s: buffer overflow %d read into %zu "
+-                        "buffer\n" , __func__, len, sizeof(frame));
+                        "buffer\n" , __func__, frame_size + len, sizeof(frame));
+             DEBUGF_BRK("qemu:%s: buffer1.size=%d; buffer2.size=%d\n",
+                         __func__, bd.buffer1_size, bd.buffer2_size);
+            break;
+         }
+ 
+         cpu_physical_memory_read(bd.buffer1_addr, ptr, len);
+-- 
+1.9.1

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch new file mode 100644 index 0000000000..9927584d11 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch
@@ -0,0 +1,64 @@
	1	From 5519724a13664b43e225ca05351c60b4468e4555 Mon Sep 17 00:00:00 2001
	2	From: Mauro Matteo Cascella <mcascell@redhat.com>
	3	Date: Fri, 10 Jul 2020 11:19:41 +0200
	4	Subject: [PATCH] hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()
	5
	6	A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It
	7	occurs while sending an Ethernet frame due to missing break statements
	8	and improper checking of the buffer size.
	9
	10	Reported-by: Ziming Zhang <ezrakiez@gmail.com>
	11	Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
	12	Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
	13	Signed-off-by: Jason Wang <jasowang@redhat.com>
	14
	15	CVE: CVE-2020-15863
	16	Upstream-Status: Backport
	17	[https://git.qemu.org/?p=qemu.git;a=commit;h=5519724a13664b43e225ca05351c60b4468e4555]
	18	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	19	Signed-off-by: Li Wang <li.wang@windriver.com>
	20	---
	21	hw/net/xgmac.c \| 14 ++++++++++++--
	22	1 file changed, 12 insertions(+), 2 deletions(-)
	23
	24	diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c
	25	index f49df95..f496f7e 100644
	26	--- a/hw/net/xgmac.c
	27	+++ b/hw/net/xgmac.c
	28	@@ -217,21 +217,31 @@ static void xgmac_enet_send(XgmacState *s)
	29	}
	30	len = (bd.buffer1_size & 0xfff) + (bd.buffer2_size & 0xfff);
	31
	32	+ /*
	33	+ * FIXME: these cases of malformed tx descriptors (bad sizes)
	34	+ * should probably be reported back to the guest somehow
	35	+ * rather than simply silently stopping processing, but we
	36	+ * don't know what the hardware does in this situation.
	37	+ * This will only happen for buggy guests anyway.
	38	+ */
	39	if ((bd.buffer1_size & 0xfff) > 2048) {
	40	DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
	41	"xgmac buffer 1 len on send > 2048 (0x%x)\n",
	42	__func__, bd.buffer1_size & 0xfff);
	43	+ break;
	44	}
	45	if ((bd.buffer2_size & 0xfff) != 0) {
	46	DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
	47	"xgmac buffer 2 len on send != 0 (0x%x)\n",
	48	__func__, bd.buffer2_size & 0xfff);
	49	+ break;
	50	}
	51	- if (len >= sizeof(frame)) {
	52	+ if (frame_size + len >= sizeof(frame)) {
	53	DEBUGF_BRK("qemu:%s: buffer overflow %d read into %zu "
	54	- "buffer\n" , __func__, len, sizeof(frame));
	55	+ "buffer\n" , __func__, frame_size + len, sizeof(frame));
	56	DEBUGF_BRK("qemu:%s: buffer1.size=%d; buffer2.size=%d\n",
	57	__func__, bd.buffer1_size, bd.buffer2_size);
	58	+ break;
	59	}
	60
	61	cpu_physical_memory_read(bd.buffer1_addr, ptr, len);
	62	--
	63	1.9.1
	64