1 files changed, 85 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-1.patch
new file mode 100644
index 0000000000..d53383247e
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-1.patch
@@ -0,0 +1,85 @@
+From b263d8f928001b5cfa2a993ea43b7a5b3a1811e8 Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:35 +0800
+Subject: [PATCH] hw/sd: sdhci: Don't transfer any data when command time out
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+At the end of sdhci_send_command(), it starts a data transfer if the
+command register indicates data is associated. But the data transfer
+should only be initiated when the command execution has succeeded.
+With this fix, the following reproducer:
+outl 0xcf8 0x80001810
+outl 0xcfc 0xe1068000
+outl 0xcf8 0x80001804
+outw 0xcfc 0x7
+write 0xe106802c 0x1 0x0f
+write 0xe1068004 0xc 0x2801d10101fffffbff28a384
+write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f
+write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576
+write 0xe1068003 0x1 0xfe
+cannot be reproduced with the following QEMU command line:
+$ qemu-system-x86_64 -nographic -M pc-q35-5.0 \
+      -device sdhci-pci,sd-spec-version=3 \
+      -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+      -device sd-card,drive=mydrive \
+      -monitor none -serial none -qtest stdio
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-UniversitÃ¤t Bochum)
+Reported-by: Sergej Schumilo (Ruhr-UniversitÃ¤t Bochum)
+Reported-by: Simon WÃ¶rner (Ruhr-UniversitÃ¤t Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Acked-by: Alistair Francis <alistair.francis@wdc.com>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Tested-by: Philippe Mathieu-DaudÃ© <f4bug@amsat.org>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-2-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-DaudÃ© <f4bug@amsat.org>
+CVE: CVE-2021-3409 CVE-2020-17380
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-1.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/b263d8f928001b5cfa2a993ea43b7a5b3a1811e8 ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/sd/sdhci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
+@@ -316,6 +316,7 @@ static void sdhci_send_command(SDHCIStat
+     SDRequest request;
+     uint8_t response[16];
+     int rlen;
+    bool timeout = false;
+ 
+     s->errintsts = 0;
+     s->acmd12errsts = 0;
+@@ -339,6 +340,7 @@ static void sdhci_send_command(SDHCIStat
+             trace_sdhci_response16(s->rspreg[3], s->rspreg[2],
+                                    s->rspreg[1], s->rspreg[0]);
+         } else {
+            timeout = true;
+             trace_sdhci_error("timeout waiting for command response");
+             if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT) {
+                 s->errintsts |= SDHC_EIS_CMDTIMEOUT;
+@@ -359,7 +361,7 @@ static void sdhci_send_command(SDHCIStat
+ 
+     sdhci_update_irq(s);
+ 
+-    if (s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
+    if (!timeout && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
+         s->data_count = 0;
+         sdhci_data_transfer(s);
+     }

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-1.patch new file mode 100644 index 0000000000..d53383247e --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-1.patch
@@ -0,0 +1,85 @@
	1	From b263d8f928001b5cfa2a993ea43b7a5b3a1811e8 Mon Sep 17 00:00:00 2001
	2	From: Bin Meng <bmeng.cn@gmail.com>
	3	Date: Wed, 3 Mar 2021 20:26:35 +0800
	4	Subject: [PATCH] hw/sd: sdhci: Don't transfer any data when command time out
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=utf8
	7	Content-Transfer-Encoding: 8bit
	8
	9	At the end of sdhci_send_command(), it starts a data transfer if the
	10	command register indicates data is associated. But the data transfer
	11	should only be initiated when the command execution has succeeded.
	12
	13	With this fix, the following reproducer:
	14
	15	outl 0xcf8 0x80001810
	16	outl 0xcfc 0xe1068000
	17	outl 0xcf8 0x80001804
	18	outw 0xcfc 0x7
	19	write 0xe106802c 0x1 0x0f
	20	write 0xe1068004 0xc 0x2801d10101fffffbff28a384
	21	write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f
	22	write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576
	23	write 0xe1068003 0x1 0xfe
	24
	25	cannot be reproduced with the following QEMU command line:
	26
	27	$ qemu-system-x86_64 -nographic -M pc-q35-5.0 \
	28	-device sdhci-pci,sd-spec-version=3 \
	29	-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
	30	-device sd-card,drive=mydrive \
	31	-monitor none -serial none -qtest stdio
	32
	33	Cc: qemu-stable@nongnu.org
	34	Fixes: CVE-2020-17380
	35	Fixes: CVE-2020-25085
	36	Fixes: CVE-2021-3409
	37	Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
	38	Reported-by: Alexander Bulekov <alxndr@bu.edu>
	39	Reported-by: Cornelius Aschermann (Ruhr-UniversitÃ¤t Bochum)
	40	Reported-by: Sergej Schumilo (Ruhr-UniversitÃ¤t Bochum)
	41	Reported-by: Simon WÃ¶rner (Ruhr-UniversitÃ¤t Bochum)
	42	Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
	43	Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
	44	Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
	45	Acked-by: Alistair Francis <alistair.francis@wdc.com>
	46	Tested-by: Alexander Bulekov <alxndr@bu.edu>
	47	Tested-by: Philippe Mathieu-DaudÃ© <f4bug@amsat.org>
	48	Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
	49	Message-Id: <20210303122639.20004-2-bmeng.cn@gmail.com>
	50	Signed-off-by: Philippe Mathieu-DaudÃ© <f4bug@amsat.org>
	51
	52	CVE: CVE-2021-3409 CVE-2020-17380
	53	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-1.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/b263d8f928001b5cfa2a993ea43b7a5b3a1811e8 ]
	54	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	55	---
	56	hw/sd/sdhci.c \| 4 +++-
	57	1 file changed, 3 insertions(+), 1 deletion(-)
	58
	59	--- a/hw/sd/sdhci.c
	60	+++ b/hw/sd/sdhci.c
	61	@@ -316,6 +316,7 @@ static void sdhci_send_command(SDHCIStat
	62	SDRequest request;
	63	uint8_t response[16];
	64	int rlen;
	65	+ bool timeout = false;
	66
	67	s->errintsts = 0;
	68	s->acmd12errsts = 0;
	69	@@ -339,6 +340,7 @@ static void sdhci_send_command(SDHCIStat
	70	trace_sdhci_response16(s->rspreg[3], s->rspreg[2],
	71	s->rspreg[1], s->rspreg[0]);
	72	} else {
	73	+ timeout = true;
	74	trace_sdhci_error("timeout waiting for command response");
	75	if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT) {
	76	s->errintsts \|= SDHC_EIS_CMDTIMEOUT;
	77	@@ -359,7 +361,7 @@ static void sdhci_send_command(SDHCIStat
	78
	79	sdhci_update_irq(s);
	80
	81	- if (s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
	82	+ if (!timeout && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
	83	s->data_count = 0;
	84	sdhci_data_transfer(s);
	85	}