diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch new file mode 100644 index 0000000000..40c0b1e74f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch | |||
@@ -0,0 +1,45 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From 99545751734035b76bd372c4e7215bb337428d89 Mon Sep 17 00:00:00 2001 | ||
4 | From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> | ||
5 | Date: Wed, 7 Apr 2021 20:57:55 +0100 | ||
6 | Subject: [PATCH] esp: ensure cmdfifo is not empty and current_dev is non-NULL | ||
7 | MIME-Version: 1.0 | ||
8 | Content-Type: text/plain; charset=utf8 | ||
9 | Content-Transfer-Encoding: 8bit | ||
10 | |||
11 | When about to execute a SCSI command, ensure that cmdfifo is not empty and | ||
12 | current_dev is non-NULL. This can happen if the guest tries to execute a TI | ||
13 | (Transfer Information) command without issuing one of the select commands | ||
14 | first. | ||
15 | |||
16 | Buglink: https://bugs.launchpad.net/qemu/+bug/1910723 | ||
17 | Buglink: https://bugs.launchpad.net/qemu/+bug/1909247 | ||
18 | Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> | ||
19 | Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
20 | Tested-by: Alexander Bulekov <alxndr@bu.edu> | ||
21 | Message-Id: <20210407195801.685-7-mark.cave-ayland@ilande.co.uk> | ||
22 | |||
23 | CVE: CVE-2020-35505 | ||
24 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-35505.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/99545751734035b76bd372c4e7215bb337428d89 ] | ||
25 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
26 | Signed-off-by: Emily Vekariya <emily.vekariya@einfochips.com> | ||
27 | --- | ||
28 | hw/scsi/esp.c | 4 ++++ | ||
29 | 1 file changed, 4 insertions(+) | ||
30 | |||
31 | diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c | ||
32 | index c7d701bf..c2a67bc8 100644 | ||
33 | --- a/hw/scsi/esp.c | ||
34 | +++ b/hw/scsi/esp.c | ||
35 | @@ -193,6 +193,10 @@ static void do_busid_cmd(ESPState *s, uint8_t *buf, uint8_t busid) | ||
36 | |||
37 | trace_esp_do_busid_cmd(busid); | ||
38 | lun = busid & 7; | ||
39 | + | ||
40 | + if (!s->current_dev) { | ||
41 | + return; | ||
42 | + } | ||
43 | current_lun = scsi_device_find(&s->bus, 0, s->current_dev->id, lun); | ||
44 | s->current_req = scsi_req_new(current_lun, 0, lun, buf, s); | ||
45 | datalen = scsi_req_enqueue(s->current_req); | ||