1 files changed, 67 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch
new file mode 100644
index 0000000000..dd442ccb8f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch
@@ -0,0 +1,67 @@
+From 1d48445a951fd5504190a38abeda70ea9372cf77 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 24 Nov 2021 17:15:35 +0100
+Subject: [PATCH 12/12] hw/block/fdc: Kludge missing floppy drive to fix
+ CVE-2021-20196
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Guest might select another drive on the bus by setting the
+DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR).
+The current controller model doesn't expect a BlockBackend
+to be NULL. A simple way to fix CVE-2021-20196 is to create
+an empty BlockBackend when it is missing. All further
+accesses will be safely handled, and the controller state
+machines keep behaving correctly.
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2021-20196
+Reported-by: Gaoning Pan (Ant Security Light-Year Lab) <pgn@zju.edu.cn>
+Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20211124161536.631563-3-philmd@redhat.com
+BugLink: https://bugs.launchpad.net/qemu/+bug/1912780
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/338
+Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: John Snow <jsnow@redhat.com>
+Upstream-Status: Backport [1ab95af033a419e7a64e2d58e67dd96b20af5233]
+CVE: CVE-2021-20196
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/block/fdc.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index 854b4f172..a736c4d14 100644
+--- a/hw/block/fdc.c
+++ b/hw/block/fdc.c
+@@ -1365,7 +1365,19 @@ static FDrive *get_drv(FDCtrl *fdctrl, int unit)
+ 
+ static FDrive *get_cur_drv(FDCtrl *fdctrl)
+ {
+-    return get_drv(fdctrl, fdctrl->cur_drv);
+    FDrive *cur_drv = get_drv(fdctrl, fdctrl->cur_drv);
+
+    if (!cur_drv->blk) {
+        /*
+         * Kludge: empty drive line selected. Create an anonymous
+         * BlockBackend to avoid NULL deref with various BlockBackend
+         * API calls within this model (CVE-2021-20196).
+         * Due to the controller QOM model limitations, we don't
+         * attach the created to the controller device.
+         */
+        cur_drv->blk = blk_create_empty_drive();
+    }
+    return cur_drv;
+ }
+ 
+ /* Status A register : 0x00 (read-only) */
+-- 
+2.31.1

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch new file mode 100644 index 0000000000..dd442ccb8f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196_2.patch
@@ -0,0 +1,67 @@
	1	From 1d48445a951fd5504190a38abeda70ea9372cf77 Mon Sep 17 00:00:00 2001
	2	From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
	3	Date: Wed, 24 Nov 2021 17:15:35 +0100
	4	Subject: [PATCH 12/12] hw/block/fdc: Kludge missing floppy drive to fix
	5	CVE-2021-20196
	6	MIME-Version: 1.0
	7	Content-Type: text/plain; charset=UTF-8
	8	Content-Transfer-Encoding: 8bit
	9
	10	Guest might select another drive on the bus by setting the
	11	DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR).
	12	The current controller model doesn't expect a BlockBackend
	13	to be NULL. A simple way to fix CVE-2021-20196 is to create
	14	an empty BlockBackend when it is missing. All further
	15	accesses will be safely handled, and the controller state
	16	machines keep behaving correctly.
	17
	18	Cc: qemu-stable@nongnu.org
	19	Fixes: CVE-2021-20196
	20	Reported-by: Gaoning Pan (Ant Security Light-Year Lab) <pgn@zju.edu.cn>
	21	Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
	22	Reviewed-by: Hanna Reitz <hreitz@redhat.com>
	23	Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
	24	Message-id: 20211124161536.631563-3-philmd@redhat.com
	25	BugLink: https://bugs.launchpad.net/qemu/+bug/1912780
	26	Resolves: https://gitlab.com/qemu-project/qemu/-/issues/338
	27	Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
	28	Reviewed-by: Hanna Reitz <hreitz@redhat.com>
	29	Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
	30	Signed-off-by: John Snow <jsnow@redhat.com>
	31
	32	Upstream-Status: Backport [1ab95af033a419e7a64e2d58e67dd96b20af5233]
	33	CVE: CVE-2021-20196
	34
	35	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
	36	---
	37	hw/block/fdc.c \| 14 +++++++++++++-
	38	1 file changed, 13 insertions(+), 1 deletion(-)
	39
	40	diff --git a/hw/block/fdc.c b/hw/block/fdc.c
	41	index 854b4f172..a736c4d14 100644
	42	--- a/hw/block/fdc.c
	43	+++ b/hw/block/fdc.c
	44	@@ -1365,7 +1365,19 @@ static FDrive get_drv(FDCtrl fdctrl, int unit)
	45
	46	static FDrive get_cur_drv(FDCtrl fdctrl)
	47	{
	48	- return get_drv(fdctrl, fdctrl->cur_drv);
	49	+ FDrive *cur_drv = get_drv(fdctrl, fdctrl->cur_drv);
	50	+
	51	+ if (!cur_drv->blk) {
	52	+ /*
	53	+ * Kludge: empty drive line selected. Create an anonymous
	54	+ * BlockBackend to avoid NULL deref with various BlockBackend
	55	+ * API calls within this model (CVE-2021-20196).
	56	+ * Due to the controller QOM model limitations, we don't
	57	+ * attach the created to the controller device.
	58	+ */
	59	+ cur_drv->blk = blk_create_empty_drive();
	60	+ }
	61	+ return cur_drv;
	62	}
	63
	64	/* Status A register : 0x00 (read-only) */
	65	--
	66	2.31.1
	67