diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2021-3409-4.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-3409-4.patch | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-4.patch new file mode 100644 index 0000000000..2e49e3bc18 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-4.patch | |||
@@ -0,0 +1,52 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From 5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd Mon Sep 17 00:00:00 2001 | ||
4 | From: Bin Meng <bmeng.cn@gmail.com> | ||
5 | Date: Wed, 3 Mar 2021 20:26:38 +0800 | ||
6 | Subject: [PATCH] hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE | ||
7 | register is writable | ||
8 | MIME-Version: 1.0 | ||
9 | Content-Type: text/plain; charset=utf8 | ||
10 | Content-Transfer-Encoding: 8bit | ||
11 | |||
12 | The codes to limit the maximum block size is only necessary when | ||
13 | SDHC_BLKSIZE register is writable. | ||
14 | |||
15 | Tested-by: Alexander Bulekov <alxndr@bu.edu> | ||
16 | Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
17 | Signed-off-by: Bin Meng <bmeng.cn@gmail.com> | ||
18 | Message-Id: <20210303122639.20004-5-bmeng.cn@gmail.com> | ||
19 | Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
20 | |||
21 | CVE: CVE-2021-3409 CVE-2020-17380 | ||
22 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-4.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd ] | ||
23 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
24 | --- | ||
25 | hw/sd/sdhci.c | 14 +++++++------- | ||
26 | 1 file changed, 7 insertions(+), 7 deletions(-) | ||
27 | |||
28 | --- a/hw/sd/sdhci.c | ||
29 | +++ b/hw/sd/sdhci.c | ||
30 | @@ -1137,15 +1137,15 @@ sdhci_write(void *opaque, hwaddr offset, | ||
31 | if (!TRANSFERRING_DATA(s->prnsts)) { | ||
32 | MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12)); | ||
33 | MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16); | ||
34 | - } | ||
35 | |||
36 | - /* Limit block size to the maximum buffer size */ | ||
37 | - if (extract32(s->blksize, 0, 12) > s->buf_maxsz) { | ||
38 | - qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " \ | ||
39 | - "the maximum buffer 0x%x", __func__, s->blksize, | ||
40 | - s->buf_maxsz); | ||
41 | + /* Limit block size to the maximum buffer size */ | ||
42 | + if (extract32(s->blksize, 0, 12) > s->buf_maxsz) { | ||
43 | + qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " | ||
44 | + "the maximum buffer 0x%x\n", __func__, s->blksize, | ||
45 | + s->buf_maxsz); | ||
46 | |||
47 | - s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); | ||
48 | + s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); | ||
49 | + } | ||
50 | } | ||
51 | |||
52 | break; | ||