1 files changed, 45 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch
new file mode 100644
index 0000000000..40c0b1e74f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch
@@ -0,0 +1,45 @@
+Backport of:
+From 99545751734035b76bd372c4e7215bb337428d89 Mon Sep 17 00:00:00 2001
+From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Date: Wed, 7 Apr 2021 20:57:55 +0100
+Subject: [PATCH] esp: ensure cmdfifo is not empty and current_dev is non-NULL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+When about to execute a SCSI command, ensure that cmdfifo is not empty and
+current_dev is non-NULL. This can happen if the guest tries to execute a TI
+(Transfer Information) command without issuing one of the select commands
+first.
+Buglink: https://bugs.launchpad.net/qemu/+bug/1910723
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
+Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Reviewed-by: Philippe Mathieu-DaudÃ© <f4bug@amsat.org>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Message-Id: <20210407195801.685-7-mark.cave-ayland@ilande.co.uk>
+CVE: CVE-2020-35505
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-35505.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/99545751734035b76bd372c4e7215bb337428d89  ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+Signed-off-by: Emily Vekariya <emily.vekariya@einfochips.com>
+---
+ hw/scsi/esp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
+index c7d701bf..c2a67bc8 100644
+--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
+@@ -193,6 +193,10 @@ static void do_busid_cmd(ESPState *s, uint8_t *buf, uint8_t busid)
+ 
+     trace_esp_do_busid_cmd(busid);
+     lun = busid & 7;
+
+    if (!s->current_dev) {
+        return;
+    }
+     current_lun = scsi_device_find(&s->bus, 0, s->current_dev->id, lun);
+     s->current_req = scsi_req_new(current_lun, 0, lun, buf, s);
+     datalen = scsi_req_enqueue(s->current_req);

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch new file mode 100644 index 0000000000..40c0b1e74f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch
@@ -0,0 +1,45 @@
	1	Backport of:
	2
	3	From 99545751734035b76bd372c4e7215bb337428d89 Mon Sep 17 00:00:00 2001
	4	From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
	5	Date: Wed, 7 Apr 2021 20:57:55 +0100
	6	Subject: [PATCH] esp: ensure cmdfifo is not empty and current_dev is non-NULL
	7	MIME-Version: 1.0
	8	Content-Type: text/plain; charset=utf8
	9	Content-Transfer-Encoding: 8bit
	10
	11	When about to execute a SCSI command, ensure that cmdfifo is not empty and
	12	current_dev is non-NULL. This can happen if the guest tries to execute a TI
	13	(Transfer Information) command without issuing one of the select commands
	14	first.
	15
	16	Buglink: https://bugs.launchpad.net/qemu/+bug/1910723
	17	Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
	18	Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
	19	Reviewed-by: Philippe Mathieu-DaudÃ© <f4bug@amsat.org>
	20	Tested-by: Alexander Bulekov <alxndr@bu.edu>
	21	Message-Id: <20210407195801.685-7-mark.cave-ayland@ilande.co.uk>
	22
	23	CVE: CVE-2020-35505
	24	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-35505.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/99545751734035b76bd372c4e7215bb337428d89 ]
	25	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	26	Signed-off-by: Emily Vekariya <emily.vekariya@einfochips.com>
	27	---
	28	hw/scsi/esp.c \| 4 ++++
	29	1 file changed, 4 insertions(+)
	30
	31	diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
	32	index c7d701bf..c2a67bc8 100644
	33	--- a/hw/scsi/esp.c
	34	+++ b/hw/scsi/esp.c
	35	@@ -193,6 +193,10 @@ static void do_busid_cmd(ESPState s, uint8_t buf, uint8_t busid)
	36
	37	trace_esp_do_busid_cmd(busid);
	38	lun = busid & 7;
	39	+
	40	+ if (!s->current_dev) {
	41	+ return;
	42	+ }
	43	current_lun = scsi_device_find(&s->bus, 0, s->current_dev->id, lun);
	44	s->current_req = scsi_req_new(current_lun, 0, lun, buf, s);
	45	datalen = scsi_req_enqueue(s->current_req);