diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2021-3409-2.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-3409-2.patch | 103 |
1 files changed, 103 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-2.patch new file mode 100644 index 0000000000..dc00f76ec9 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-2.patch | |||
@@ -0,0 +1,103 @@ | |||
1 | From 8be45cc947832b3c02144c9d52921f499f2d77fe Mon Sep 17 00:00:00 2001 | ||
2 | From: Bin Meng <bmeng.cn@gmail.com> | ||
3 | Date: Wed, 3 Mar 2021 20:26:36 +0800 | ||
4 | Subject: [PATCH] hw/sd: sdhci: Don't write to SDHC_SYSAD register when | ||
5 | transfer is in progress | ||
6 | MIME-Version: 1.0 | ||
7 | Content-Type: text/plain; charset=utf8 | ||
8 | Content-Transfer-Encoding: 8bit | ||
9 | |||
10 | Per "SD Host Controller Standard Specification Version 7.00" | ||
11 | chapter 2.2.1 SDMA System Address Register: | ||
12 | |||
13 | This register can be accessed only if no transaction is executing | ||
14 | (i.e., after a transaction has stopped). | ||
15 | |||
16 | With this fix, the following reproducer: | ||
17 | |||
18 | outl 0xcf8 0x80001010 | ||
19 | outl 0xcfc 0xfbefff00 | ||
20 | outl 0xcf8 0x80001001 | ||
21 | outl 0xcfc 0x06000000 | ||
22 | write 0xfbefff2c 0x1 0x05 | ||
23 | write 0xfbefff0f 0x1 0x37 | ||
24 | write 0xfbefff0a 0x1 0x01 | ||
25 | write 0xfbefff0f 0x1 0x29 | ||
26 | write 0xfbefff0f 0x1 0x02 | ||
27 | write 0xfbefff0f 0x1 0x03 | ||
28 | write 0xfbefff04 0x1 0x01 | ||
29 | write 0xfbefff05 0x1 0x01 | ||
30 | write 0xfbefff07 0x1 0x02 | ||
31 | write 0xfbefff0c 0x1 0x33 | ||
32 | write 0xfbefff0e 0x1 0x20 | ||
33 | write 0xfbefff0f 0x1 0x00 | ||
34 | write 0xfbefff2a 0x1 0x01 | ||
35 | write 0xfbefff0c 0x1 0x00 | ||
36 | write 0xfbefff03 0x1 0x00 | ||
37 | write 0xfbefff05 0x1 0x00 | ||
38 | write 0xfbefff2a 0x1 0x02 | ||
39 | write 0xfbefff0c 0x1 0x32 | ||
40 | write 0xfbefff01 0x1 0x01 | ||
41 | write 0xfbefff02 0x1 0x01 | ||
42 | write 0xfbefff03 0x1 0x01 | ||
43 | |||
44 | cannot be reproduced with the following QEMU command line: | ||
45 | |||
46 | $ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \ | ||
47 | -nodefaults -device sdhci-pci,sd-spec-version=3 \ | ||
48 | -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \ | ||
49 | -device sd-card,drive=mydrive -qtest stdio | ||
50 | |||
51 | Cc: qemu-stable@nongnu.org | ||
52 | Fixes: CVE-2020-17380 | ||
53 | Fixes: CVE-2020-25085 | ||
54 | Fixes: CVE-2021-3409 | ||
55 | Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller") | ||
56 | Reported-by: Alexander Bulekov <alxndr@bu.edu> | ||
57 | Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum) | ||
58 | Reported-by: Sergej Schumilo (Ruhr-Universität Bochum) | ||
59 | Reported-by: Simon Wörner (Ruhr-Universität Bochum) | ||
60 | Buglink: https://bugs.launchpad.net/qemu/+bug/1892960 | ||
61 | Buglink: https://bugs.launchpad.net/qemu/+bug/1909418 | ||
62 | Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146 | ||
63 | Tested-by: Alexander Bulekov <alxndr@bu.edu> | ||
64 | Signed-off-by: Bin Meng <bmeng.cn@gmail.com> | ||
65 | Message-Id: <20210303122639.20004-3-bmeng.cn@gmail.com> | ||
66 | Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
67 | |||
68 | CVE: CVE-2021-3409 CVE-2020-17380 | ||
69 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-2.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/8be45cc947832b3c02144c9d52921f499f2d77fe ] | ||
70 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
71 | --- | ||
72 | hw/sd/sdhci.c | 20 +++++++++++--------- | ||
73 | 1 file changed, 11 insertions(+), 9 deletions(-) | ||
74 | |||
75 | --- a/hw/sd/sdhci.c | ||
76 | +++ b/hw/sd/sdhci.c | ||
77 | @@ -1117,15 +1117,17 @@ sdhci_write(void *opaque, hwaddr offset, | ||
78 | |||
79 | switch (offset & ~0x3) { | ||
80 | case SDHC_SYSAD: | ||
81 | - s->sdmasysad = (s->sdmasysad & mask) | value; | ||
82 | - MASKED_WRITE(s->sdmasysad, mask, value); | ||
83 | - /* Writing to last byte of sdmasysad might trigger transfer */ | ||
84 | - if (!(mask & 0xFF000000) && TRANSFERRING_DATA(s->prnsts) && s->blkcnt && | ||
85 | - s->blksize && SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) { | ||
86 | - if (s->trnmod & SDHC_TRNS_MULTI) { | ||
87 | - sdhci_sdma_transfer_multi_blocks(s); | ||
88 | - } else { | ||
89 | - sdhci_sdma_transfer_single_block(s); | ||
90 | + if (!TRANSFERRING_DATA(s->prnsts)) { | ||
91 | + s->sdmasysad = (s->sdmasysad & mask) | value; | ||
92 | + MASKED_WRITE(s->sdmasysad, mask, value); | ||
93 | + /* Writing to last byte of sdmasysad might trigger transfer */ | ||
94 | + if (!(mask & 0xFF000000) && s->blkcnt && s->blksize && | ||
95 | + SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) { | ||
96 | + if (s->trnmod & SDHC_TRNS_MULTI) { | ||
97 | + sdhci_sdma_transfer_multi_blocks(s); | ||
98 | + } else { | ||
99 | + sdhci_sdma_transfer_single_block(s); | ||
100 | + } | ||
101 | } | ||
102 | } | ||
103 | break; | ||