diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2021-3409-5.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-3409-5.patch | 93 |
1 files changed, 93 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-5.patch new file mode 100644 index 0000000000..7b436809e9 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-5.patch | |||
@@ -0,0 +1,93 @@ | |||
1 | From cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9 Mon Sep 17 00:00:00 2001 | ||
2 | From: Bin Meng <bmeng.cn@gmail.com> | ||
3 | Date: Wed, 3 Mar 2021 20:26:39 +0800 | ||
4 | Subject: [PATCH] hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[] when | ||
5 | a different block size is programmed | ||
6 | MIME-Version: 1.0 | ||
7 | Content-Type: text/plain; charset=utf8 | ||
8 | Content-Transfer-Encoding: 8bit | ||
9 | |||
10 | If the block size is programmed to a different value from the | ||
11 | previous one, reset the data pointer of s->fifo_buffer[] so that | ||
12 | s->fifo_buffer[] can be filled in using the new block size in | ||
13 | the next transfer. | ||
14 | |||
15 | With this fix, the following reproducer: | ||
16 | |||
17 | outl 0xcf8 0x80001010 | ||
18 | outl 0xcfc 0xe0000000 | ||
19 | outl 0xcf8 0x80001001 | ||
20 | outl 0xcfc 0x06000000 | ||
21 | write 0xe000002c 0x1 0x05 | ||
22 | write 0xe0000005 0x1 0x02 | ||
23 | write 0xe0000007 0x1 0x01 | ||
24 | write 0xe0000028 0x1 0x10 | ||
25 | write 0x0 0x1 0x23 | ||
26 | write 0x2 0x1 0x08 | ||
27 | write 0xe000000c 0x1 0x01 | ||
28 | write 0xe000000e 0x1 0x20 | ||
29 | write 0xe000000f 0x1 0x00 | ||
30 | write 0xe000000c 0x1 0x32 | ||
31 | write 0xe0000004 0x2 0x0200 | ||
32 | write 0xe0000028 0x1 0x00 | ||
33 | write 0xe0000003 0x1 0x40 | ||
34 | |||
35 | cannot be reproduced with the following QEMU command line: | ||
36 | |||
37 | $ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \ | ||
38 | -nodefaults -device sdhci-pci,sd-spec-version=3 \ | ||
39 | -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \ | ||
40 | -device sd-card,drive=mydrive -qtest stdio | ||
41 | |||
42 | Cc: qemu-stable@nongnu.org | ||
43 | Fixes: CVE-2020-17380 | ||
44 | Fixes: CVE-2020-25085 | ||
45 | Fixes: CVE-2021-3409 | ||
46 | Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller") | ||
47 | Reported-by: Alexander Bulekov <alxndr@bu.edu> | ||
48 | Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum) | ||
49 | Reported-by: Sergej Schumilo (Ruhr-Universität Bochum) | ||
50 | Reported-by: Simon Wörner (Ruhr-Universität Bochum) | ||
51 | Buglink: https://bugs.launchpad.net/qemu/+bug/1892960 | ||
52 | Buglink: https://bugs.launchpad.net/qemu/+bug/1909418 | ||
53 | Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146 | ||
54 | Tested-by: Alexander Bulekov <alxndr@bu.edu> | ||
55 | Signed-off-by: Bin Meng <bmeng.cn@gmail.com> | ||
56 | Message-Id: <20210303122639.20004-6-bmeng.cn@gmail.com> | ||
57 | Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
58 | |||
59 | CVE: CVE-2021-3409 CVE-2020-17380 | ||
60 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-5.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9 ] | ||
61 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
62 | --- | ||
63 | hw/sd/sdhci.c | 12 ++++++++++++ | ||
64 | 1 file changed, 12 insertions(+) | ||
65 | |||
66 | --- a/hw/sd/sdhci.c | ||
67 | +++ b/hw/sd/sdhci.c | ||
68 | @@ -1135,6 +1135,8 @@ sdhci_write(void *opaque, hwaddr offset, | ||
69 | break; | ||
70 | case SDHC_BLKSIZE: | ||
71 | if (!TRANSFERRING_DATA(s->prnsts)) { | ||
72 | + uint16_t blksize = s->blksize; | ||
73 | + | ||
74 | MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12)); | ||
75 | MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16); | ||
76 | |||
77 | @@ -1146,6 +1148,16 @@ sdhci_write(void *opaque, hwaddr offset, | ||
78 | |||
79 | s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); | ||
80 | } | ||
81 | + | ||
82 | + /* | ||
83 | + * If the block size is programmed to a different value from | ||
84 | + * the previous one, reset the data pointer of s->fifo_buffer[] | ||
85 | + * so that s->fifo_buffer[] can be filled in using the new block | ||
86 | + * size in the next transfer. | ||
87 | + */ | ||
88 | + if (blksize != s->blksize) { | ||
89 | + s->data_count = 0; | ||
90 | + } | ||
91 | } | ||
92 | |||
93 | break; | ||