1 files changed, 52 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-4.patch
new file mode 100644
index 0000000000..2e49e3bc18
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-4.patch
@@ -0,0 +1,52 @@
+Backport of:
+From 5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:38 +0800
+Subject: [PATCH] hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE
+ register is writable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+The codes to limit the maximum block size is only necessary when
+SDHC_BLKSIZE register is writable.
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Philippe Mathieu-DaudÃ© <f4bug@amsat.org>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-5-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-DaudÃ© <f4bug@amsat.org>
+CVE: CVE-2021-3409 CVE-2020-17380
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-4.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/sd/sdhci.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
+@@ -1137,15 +1137,15 @@ sdhci_write(void *opaque, hwaddr offset,
+         if (!TRANSFERRING_DATA(s->prnsts)) {
+             MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
+             MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
+-        }
+ 
+-        /* Limit block size to the maximum buffer size */
+-        if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
+-            qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " \
+-                          "the maximum buffer 0x%x", __func__, s->blksize,
+-                          s->buf_maxsz);
+            /* Limit block size to the maximum buffer size */
+            if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
+                qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than "
+                              "the maximum buffer 0x%x\n", __func__, s->blksize,
+                              s->buf_maxsz);
+ 
+-            s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
+                s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
+            }
+         }
+ 
+         break;

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-4.patch new file mode 100644 index 0000000000..2e49e3bc18 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-4.patch
@@ -0,0 +1,52 @@
	1	Backport of:
	2
	3	From 5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd Mon Sep 17 00:00:00 2001
	4	From: Bin Meng <bmeng.cn@gmail.com>
	5	Date: Wed, 3 Mar 2021 20:26:38 +0800
	6	Subject: [PATCH] hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE
	7	register is writable
	8	MIME-Version: 1.0
	9	Content-Type: text/plain; charset=utf8
	10	Content-Transfer-Encoding: 8bit
	11
	12	The codes to limit the maximum block size is only necessary when
	13	SDHC_BLKSIZE register is writable.
	14
	15	Tested-by: Alexander Bulekov <alxndr@bu.edu>
	16	Reviewed-by: Philippe Mathieu-DaudÃ© <f4bug@amsat.org>
	17	Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
	18	Message-Id: <20210303122639.20004-5-bmeng.cn@gmail.com>
	19	Signed-off-by: Philippe Mathieu-DaudÃ© <f4bug@amsat.org>
	20
	21	CVE: CVE-2021-3409 CVE-2020-17380
	22	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-4.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd ]
	23	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	24	---
	25	hw/sd/sdhci.c \| 14 +++++++-------
	26	1 file changed, 7 insertions(+), 7 deletions(-)
	27
	28	--- a/hw/sd/sdhci.c
	29	+++ b/hw/sd/sdhci.c
	30	@@ -1137,15 +1137,15 @@ sdhci_write(void *opaque, hwaddr offset,
	31	if (!TRANSFERRING_DATA(s->prnsts)) {
	32	MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
	33	MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
	34	- }
	35
	36	- /* Limit block size to the maximum buffer size */
	37	- if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
	38	- qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " \
	39	- "the maximum buffer 0x%x", __func__, s->blksize,
	40	- s->buf_maxsz);
	41	+ /* Limit block size to the maximum buffer size */
	42	+ if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
	43	+ qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than "
	44	+ "the maximum buffer 0x%x\n", __func__, s->blksize,
	45	+ s->buf_maxsz);
	46
	47	- s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
	48	+ s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
	49	+ }
	50	}
	51
	52	break;