1 files changed, 51 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35504.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35504.patch
new file mode 100644
index 0000000000..97d32589d8
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-35504.patch
@@ -0,0 +1,51 @@
+Backport of:
+From 0db895361b8a82e1114372ff9f4857abea605701 Mon Sep 17 00:00:00 2001
+From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Date: Wed, 7 Apr 2021 20:57:50 +0100
+Subject: [PATCH] esp: always check current_req is not NULL before use in DMA
+ callbacks
+After issuing a SCSI command the SCSI layer can call the SCSIBusInfo .cancel
+callback which resets both current_req and current_dev to NULL. If any data
+is left in the transfer buffer (async_len != 0) then the next TI (Transfer
+Information) command will attempt to reference the NULL pointer causing a
+segfault.
+Buglink: https://bugs.launchpad.net/qemu/+bug/1910723
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
+Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Message-Id: <20210407195801.685-2-mark.cave-ayland@ilande.co.uk>
+CVE: CVE-2020-35504
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-35504.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/0db895361b8a82e1114372ff9f4857abea605701 ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/scsi/esp.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
+@@ -362,6 +362,11 @@ static void do_dma_pdma_cb(ESPState *s)
+         do_cmd(s, s->cmdbuf);
+         return;
+     }
+
+    if (!s->current_req) {
+        return;
+    }
+
+     s->dma_left -= len;
+     s->async_buf += len;
+     s->async_len -= len;
+@@ -415,6 +420,9 @@ static void esp_do_dma(ESPState *s)
+         do_cmd(s, s->cmdbuf);
+         return;
+     }
+    if (!s->current_req) {
+        return;
+    }
+     if (s->async_len == 0) {
+         /* Defer until data is available.  */
+         return;

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35504.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35504.patch new file mode 100644 index 0000000000..97d32589d8 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-35504.patch
@@ -0,0 +1,51 @@
	1	Backport of:
	2
	3	From 0db895361b8a82e1114372ff9f4857abea605701 Mon Sep 17 00:00:00 2001
	4	From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
	5	Date: Wed, 7 Apr 2021 20:57:50 +0100
	6	Subject: [PATCH] esp: always check current_req is not NULL before use in DMA
	7	callbacks
	8
	9	After issuing a SCSI command the SCSI layer can call the SCSIBusInfo .cancel
	10	callback which resets both current_req and current_dev to NULL. If any data
	11	is left in the transfer buffer (async_len != 0) then the next TI (Transfer
	12	Information) command will attempt to reference the NULL pointer causing a
	13	segfault.
	14
	15	Buglink: https://bugs.launchpad.net/qemu/+bug/1910723
	16	Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
	17	Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
	18	Tested-by: Alexander Bulekov <alxndr@bu.edu>
	19	Message-Id: <20210407195801.685-2-mark.cave-ayland@ilande.co.uk>
	20
	21	CVE: CVE-2020-35504
	22	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-35504.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/0db895361b8a82e1114372ff9f4857abea605701 ]
	23	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	24	---
	25	hw/scsi/esp.c \| 19 ++++++++++++++-----
	26	1 file changed, 14 insertions(+), 5 deletions(-)
	27
	28	--- a/hw/scsi/esp.c
	29	+++ b/hw/scsi/esp.c
	30	@@ -362,6 +362,11 @@ static void do_dma_pdma_cb(ESPState *s)
	31	do_cmd(s, s->cmdbuf);
	32	return;
	33	}
	34	+
	35	+ if (!s->current_req) {
	36	+ return;
	37	+ }
	38	+
	39	s->dma_left -= len;
	40	s->async_buf += len;
	41	s->async_len -= len;
	42	@@ -415,6 +420,9 @@ static void esp_do_dma(ESPState *s)
	43	do_cmd(s, s->cmdbuf);
	44	return;
	45	}
	46	+ if (!s->current_req) {
	47	+ return;
	48	+ }
	49	if (s->async_len == 0) {
	50	/* Defer until data is available. */
	51	return;