1 files changed, 103 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-2.patch
new file mode 100644
index 0000000000..dc00f76ec9
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-2.patch
@@ -0,0 +1,103 @@
+From 8be45cc947832b3c02144c9d52921f499f2d77fe Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:36 +0800
+Subject: [PATCH] hw/sd: sdhci: Don't write to SDHC_SYSAD register when
+ transfer is in progress
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+Per "SD Host Controller Standard Specification Version 7.00"
+chapter 2.2.1 SDMA System Address Register:
+This register can be accessed only if no transaction is executing
+(i.e., after a transaction has stopped).
+With this fix, the following reproducer:
+outl 0xcf8 0x80001010
+outl 0xcfc 0xfbefff00
+outl 0xcf8 0x80001001
+outl 0xcfc 0x06000000
+write 0xfbefff2c 0x1 0x05
+write 0xfbefff0f 0x1 0x37
+write 0xfbefff0a 0x1 0x01
+write 0xfbefff0f 0x1 0x29
+write 0xfbefff0f 0x1 0x02
+write 0xfbefff0f 0x1 0x03
+write 0xfbefff04 0x1 0x01
+write 0xfbefff05 0x1 0x01
+write 0xfbefff07 0x1 0x02
+write 0xfbefff0c 0x1 0x33
+write 0xfbefff0e 0x1 0x20
+write 0xfbefff0f 0x1 0x00
+write 0xfbefff2a 0x1 0x01
+write 0xfbefff0c 0x1 0x00
+write 0xfbefff03 0x1 0x00
+write 0xfbefff05 0x1 0x00
+write 0xfbefff2a 0x1 0x02
+write 0xfbefff0c 0x1 0x32
+write 0xfbefff01 0x1 0x01
+write 0xfbefff02 0x1 0x01
+write 0xfbefff03 0x1 0x01
+cannot be reproduced with the following QEMU command line:
+$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
+       -nodefaults -device sdhci-pci,sd-spec-version=3 \
+       -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+       -device sd-card,drive=mydrive -qtest stdio
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-UniversitÃ¤t Bochum)
+Reported-by: Sergej Schumilo (Ruhr-UniversitÃ¤t Bochum)
+Reported-by: Simon WÃ¶rner (Ruhr-UniversitÃ¤t Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-3-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-DaudÃ© <f4bug@amsat.org>
+CVE: CVE-2021-3409 CVE-2020-17380
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-2.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/8be45cc947832b3c02144c9d52921f499f2d77fe ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/sd/sdhci.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
+@@ -1117,15 +1117,17 @@ sdhci_write(void *opaque, hwaddr offset,
+ 
+     switch (offset & ~0x3) {
+     case SDHC_SYSAD:
+-        s->sdmasysad = (s->sdmasysad & mask) | value;
+-        MASKED_WRITE(s->sdmasysad, mask, value);
+-        /* Writing to last byte of sdmasysad might trigger transfer */
+-        if (!(mask & 0xFF000000) && TRANSFERRING_DATA(s->prnsts) && s->blkcnt &&
+-                s->blksize && SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) {
+-            if (s->trnmod & SDHC_TRNS_MULTI) {
+-                sdhci_sdma_transfer_multi_blocks(s);
+-            } else {
+-                sdhci_sdma_transfer_single_block(s);
+        if (!TRANSFERRING_DATA(s->prnsts)) {
+            s->sdmasysad = (s->sdmasysad & mask) | value;
+            MASKED_WRITE(s->sdmasysad, mask, value);
+            /* Writing to last byte of sdmasysad might trigger transfer */
+            if (!(mask & 0xFF000000) && s->blkcnt && s->blksize &&
+                SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) {
+                if (s->trnmod & SDHC_TRNS_MULTI) {
+                    sdhci_sdma_transfer_multi_blocks(s);
+                } else {
+                    sdhci_sdma_transfer_single_block(s);
+                }
+             }
+         }
+         break;

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-2.patch new file mode 100644 index 0000000000..dc00f76ec9 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-2.patch
@@ -0,0 +1,103 @@
	1	From 8be45cc947832b3c02144c9d52921f499f2d77fe Mon Sep 17 00:00:00 2001
	2	From: Bin Meng <bmeng.cn@gmail.com>
	3	Date: Wed, 3 Mar 2021 20:26:36 +0800
	4	Subject: [PATCH] hw/sd: sdhci: Don't write to SDHC_SYSAD register when
	5	transfer is in progress
	6	MIME-Version: 1.0
	7	Content-Type: text/plain; charset=utf8
	8	Content-Transfer-Encoding: 8bit
	9
	10	Per "SD Host Controller Standard Specification Version 7.00"
	11	chapter 2.2.1 SDMA System Address Register:
	12
	13	This register can be accessed only if no transaction is executing
	14	(i.e., after a transaction has stopped).
	15
	16	With this fix, the following reproducer:
	17
	18	outl 0xcf8 0x80001010
	19	outl 0xcfc 0xfbefff00
	20	outl 0xcf8 0x80001001
	21	outl 0xcfc 0x06000000
	22	write 0xfbefff2c 0x1 0x05
	23	write 0xfbefff0f 0x1 0x37
	24	write 0xfbefff0a 0x1 0x01
	25	write 0xfbefff0f 0x1 0x29
	26	write 0xfbefff0f 0x1 0x02
	27	write 0xfbefff0f 0x1 0x03
	28	write 0xfbefff04 0x1 0x01
	29	write 0xfbefff05 0x1 0x01
	30	write 0xfbefff07 0x1 0x02
	31	write 0xfbefff0c 0x1 0x33
	32	write 0xfbefff0e 0x1 0x20
	33	write 0xfbefff0f 0x1 0x00
	34	write 0xfbefff2a 0x1 0x01
	35	write 0xfbefff0c 0x1 0x00
	36	write 0xfbefff03 0x1 0x00
	37	write 0xfbefff05 0x1 0x00
	38	write 0xfbefff2a 0x1 0x02
	39	write 0xfbefff0c 0x1 0x32
	40	write 0xfbefff01 0x1 0x01
	41	write 0xfbefff02 0x1 0x01
	42	write 0xfbefff03 0x1 0x01
	43
	44	cannot be reproduced with the following QEMU command line:
	45
	46	$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
	47	-nodefaults -device sdhci-pci,sd-spec-version=3 \
	48	-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
	49	-device sd-card,drive=mydrive -qtest stdio
	50
	51	Cc: qemu-stable@nongnu.org
	52	Fixes: CVE-2020-17380
	53	Fixes: CVE-2020-25085
	54	Fixes: CVE-2021-3409
	55	Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
	56	Reported-by: Alexander Bulekov <alxndr@bu.edu>
	57	Reported-by: Cornelius Aschermann (Ruhr-UniversitÃ¤t Bochum)
	58	Reported-by: Sergej Schumilo (Ruhr-UniversitÃ¤t Bochum)
	59	Reported-by: Simon WÃ¶rner (Ruhr-UniversitÃ¤t Bochum)
	60	Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
	61	Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
	62	Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
	63	Tested-by: Alexander Bulekov <alxndr@bu.edu>
	64	Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
	65	Message-Id: <20210303122639.20004-3-bmeng.cn@gmail.com>
	66	Signed-off-by: Philippe Mathieu-DaudÃ© <f4bug@amsat.org>
	67
	68	CVE: CVE-2021-3409 CVE-2020-17380
	69	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-2.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/8be45cc947832b3c02144c9d52921f499f2d77fe ]
	70	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	71	---
	72	hw/sd/sdhci.c \| 20 +++++++++++---------
	73	1 file changed, 11 insertions(+), 9 deletions(-)
	74
	75	--- a/hw/sd/sdhci.c
	76	+++ b/hw/sd/sdhci.c
	77	@@ -1117,15 +1117,17 @@ sdhci_write(void *opaque, hwaddr offset,
	78
	79	switch (offset & ~0x3) {
	80	case SDHC_SYSAD:
	81	- s->sdmasysad = (s->sdmasysad & mask) \| value;
	82	- MASKED_WRITE(s->sdmasysad, mask, value);
	83	- /* Writing to last byte of sdmasysad might trigger transfer */
	84	- if (!(mask & 0xFF000000) && TRANSFERRING_DATA(s->prnsts) && s->blkcnt &&
	85	- s->blksize && SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) {
	86	- if (s->trnmod & SDHC_TRNS_MULTI) {
	87	- sdhci_sdma_transfer_multi_blocks(s);
	88	- } else {
	89	- sdhci_sdma_transfer_single_block(s);
	90	+ if (!TRANSFERRING_DATA(s->prnsts)) {
	91	+ s->sdmasysad = (s->sdmasysad & mask) \| value;
	92	+ MASKED_WRITE(s->sdmasysad, mask, value);
	93	+ /* Writing to last byte of sdmasysad might trigger transfer */
	94	+ if (!(mask & 0xFF000000) && s->blkcnt && s->blksize &&
	95	+ SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) {
	96	+ if (s->trnmod & SDHC_TRNS_MULTI) {
	97	+ sdhci_sdma_transfer_multi_blocks(s);
	98	+ } else {
	99	+ sdhci_sdma_transfer_single_block(s);
	100	+ }
	101	}
	102	}
	103	break;