diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2021-3409-1.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-3409-1.patch | 85 |
1 files changed, 85 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-1.patch new file mode 100644 index 0000000000..d53383247e --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-1.patch | |||
@@ -0,0 +1,85 @@ | |||
1 | From b263d8f928001b5cfa2a993ea43b7a5b3a1811e8 Mon Sep 17 00:00:00 2001 | ||
2 | From: Bin Meng <bmeng.cn@gmail.com> | ||
3 | Date: Wed, 3 Mar 2021 20:26:35 +0800 | ||
4 | Subject: [PATCH] hw/sd: sdhci: Don't transfer any data when command time out | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=utf8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | At the end of sdhci_send_command(), it starts a data transfer if the | ||
10 | command register indicates data is associated. But the data transfer | ||
11 | should only be initiated when the command execution has succeeded. | ||
12 | |||
13 | With this fix, the following reproducer: | ||
14 | |||
15 | outl 0xcf8 0x80001810 | ||
16 | outl 0xcfc 0xe1068000 | ||
17 | outl 0xcf8 0x80001804 | ||
18 | outw 0xcfc 0x7 | ||
19 | write 0xe106802c 0x1 0x0f | ||
20 | write 0xe1068004 0xc 0x2801d10101fffffbff28a384 | ||
21 | write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f | ||
22 | write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576 | ||
23 | write 0xe1068003 0x1 0xfe | ||
24 | |||
25 | cannot be reproduced with the following QEMU command line: | ||
26 | |||
27 | $ qemu-system-x86_64 -nographic -M pc-q35-5.0 \ | ||
28 | -device sdhci-pci,sd-spec-version=3 \ | ||
29 | -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \ | ||
30 | -device sd-card,drive=mydrive \ | ||
31 | -monitor none -serial none -qtest stdio | ||
32 | |||
33 | Cc: qemu-stable@nongnu.org | ||
34 | Fixes: CVE-2020-17380 | ||
35 | Fixes: CVE-2020-25085 | ||
36 | Fixes: CVE-2021-3409 | ||
37 | Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller") | ||
38 | Reported-by: Alexander Bulekov <alxndr@bu.edu> | ||
39 | Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum) | ||
40 | Reported-by: Sergej Schumilo (Ruhr-Universität Bochum) | ||
41 | Reported-by: Simon Wörner (Ruhr-Universität Bochum) | ||
42 | Buglink: https://bugs.launchpad.net/qemu/+bug/1892960 | ||
43 | Buglink: https://bugs.launchpad.net/qemu/+bug/1909418 | ||
44 | Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146 | ||
45 | Acked-by: Alistair Francis <alistair.francis@wdc.com> | ||
46 | Tested-by: Alexander Bulekov <alxndr@bu.edu> | ||
47 | Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
48 | Signed-off-by: Bin Meng <bmeng.cn@gmail.com> | ||
49 | Message-Id: <20210303122639.20004-2-bmeng.cn@gmail.com> | ||
50 | Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
51 | |||
52 | CVE: CVE-2021-3409 CVE-2020-17380 | ||
53 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-1.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/b263d8f928001b5cfa2a993ea43b7a5b3a1811e8 ] | ||
54 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
55 | --- | ||
56 | hw/sd/sdhci.c | 4 +++- | ||
57 | 1 file changed, 3 insertions(+), 1 deletion(-) | ||
58 | |||
59 | --- a/hw/sd/sdhci.c | ||
60 | +++ b/hw/sd/sdhci.c | ||
61 | @@ -316,6 +316,7 @@ static void sdhci_send_command(SDHCIStat | ||
62 | SDRequest request; | ||
63 | uint8_t response[16]; | ||
64 | int rlen; | ||
65 | + bool timeout = false; | ||
66 | |||
67 | s->errintsts = 0; | ||
68 | s->acmd12errsts = 0; | ||
69 | @@ -339,6 +340,7 @@ static void sdhci_send_command(SDHCIStat | ||
70 | trace_sdhci_response16(s->rspreg[3], s->rspreg[2], | ||
71 | s->rspreg[1], s->rspreg[0]); | ||
72 | } else { | ||
73 | + timeout = true; | ||
74 | trace_sdhci_error("timeout waiting for command response"); | ||
75 | if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT) { | ||
76 | s->errintsts |= SDHC_EIS_CMDTIMEOUT; | ||
77 | @@ -359,7 +361,7 @@ static void sdhci_send_command(SDHCIStat | ||
78 | |||
79 | sdhci_update_irq(s); | ||
80 | |||
81 | - if (s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) { | ||
82 | + if (!timeout && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) { | ||
83 | s->data_count = 0; | ||
84 | sdhci_data_transfer(s); | ||
85 | } | ||