1 files changed, 67 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch
new file mode 100644
index 0000000000..46c9ab4184
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch
@@ -0,0 +1,67 @@
+From edfe2eb4360cde4ed5d95bda7777edcb3510f76a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Sun, 31 Jan 2021 11:34:01 +0100
+Subject: [PATCH] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Per the ARM Generic Interrupt Controller Architecture specification
+(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
+not 10:
+  - 4.3 Distributor register descriptions
+  - 4.3.15 Software Generated Interrupt Register, GICD_SG
+    - Table 4-21 GICD_SGIR bit assignments
+    The Interrupt ID of the SGI to forward to the specified CPU
+    interfaces. The value of this field is the Interrupt ID, in
+    the range 0-15, for example a value of 0b0011 specifies
+    Interrupt ID 3.
+Correct the irq mask to fix an undefined behavior (which eventually
+lead to a heap-buffer-overflow, see [Buglink]):
+   $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
+   [I 1612088147.116987] OPENED
+  [R +0.278293] writel 0x8000f00 0xff4affb0
+  ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
+  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
+This fixes a security issue when running with KVM on Arm with
+kernel-irqchip=off. (The default is kernel-irqchip=on, which is
+unaffected, and which is also the correct choice for performance.)
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2021-20221
+Fixes: 9ee6e8bb853 ("ARMv7 support.")
+Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
+Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20210131103401.217160-1-f4bug@amsat.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Upstream-Status: Backport
+CVE: CVE-2021-20221
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ hw/intc/arm_gic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+Index: qemu-4.2.0/hw/intc/arm_gic.c
+===================================================================
+--- qemu-4.2.0.orig/hw/intc/arm_gic.c
+++ qemu-4.2.0/hw/intc/arm_gic.c
+@@ -1455,7 +1455,7 @@ static void gic_dist_writel(void *opaque
+         int target_cpu;
+ 
+         cpu = gic_get_current_cpu(s);
+-        irq = value & 0x3ff;
+        irq = value & 0xf;
+         switch ((value >> 24) & 3) {
+         case 0:
+             mask = (value >> 16) & ALL_CPU_MASK;

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch new file mode 100644 index 0000000000..46c9ab4184 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch
@@ -0,0 +1,67 @@
	1	From edfe2eb4360cde4ed5d95bda7777edcb3510f76a Mon Sep 17 00:00:00 2001
	2	From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
	3	Date: Sun, 31 Jan 2021 11:34:01 +0100
	4	Subject: [PATCH] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	Per the ARM Generic Interrupt Controller Architecture specification
	10	(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
	11	not 10:
	12
	13	- 4.3 Distributor register descriptions
	14	- 4.3.15 Software Generated Interrupt Register, GICD_SG
	15
	16	- Table 4-21 GICD_SGIR bit assignments
	17
	18	The Interrupt ID of the SGI to forward to the specified CPU
	19	interfaces. The value of this field is the Interrupt ID, in
	20	the range 0-15, for example a value of 0b0011 specifies
	21	Interrupt ID 3.
	22
	23	Correct the irq mask to fix an undefined behavior (which eventually
	24	lead to a heap-buffer-overflow, see [Buglink]):
	25
	26	$ echo 'writel 0x8000f00 0xff4affb0' \| qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
	27	[I 1612088147.116987] OPENED
	28	[R +0.278293] writel 0x8000f00 0xff4affb0
	29	../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
	30	SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
	31
	32	This fixes a security issue when running with KVM on Arm with
	33	kernel-irqchip=off. (The default is kernel-irqchip=on, which is
	34	unaffected, and which is also the correct choice for performance.)
	35
	36	Cc: qemu-stable@nongnu.org
	37	Fixes: CVE-2021-20221
	38	Fixes: 9ee6e8bb853 ("ARMv7 support.")
	39	Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
	40	Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
	41	Reported-by: Alexander Bulekov <alxndr@bu.edu>
	42	Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
	43	Message-id: 20210131103401.217160-1-f4bug@amsat.org
	44	Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
	45	Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
	46
	47	Upstream-Status: Backport
	48	CVE: CVE-2021-20221
	49	Signed-off-by: Armin Kuster <akuster@mvista.com>
	50
	51	---
	52	hw/intc/arm_gic.c \| 2 +-
	53	1 file changed, 1 insertion(+), 1 deletion(-)
	54
	55	Index: qemu-4.2.0/hw/intc/arm_gic.c
	56	===================================================================
	57	--- qemu-4.2.0.orig/hw/intc/arm_gic.c
	58	+++ qemu-4.2.0/hw/intc/arm_gic.c
	59	@@ -1455,7 +1455,7 @@ static void gic_dist_writel(void *opaque
	60	int target_cpu;
	61
	62	cpu = gic_get_current_cpu(s);
	63	- irq = value & 0x3ff;
	64	+ irq = value & 0xf;
	65	switch ((value >> 24) & 3) {
	66	case 0:
	67	mask = (value >> 16) & ALL_CPU_MASK;