1 files changed, 93 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-5.patch
new file mode 100644
index 0000000000..7b436809e9
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-5.patch
@@ -0,0 +1,93 @@
+From cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9 Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:39 +0800
+Subject: [PATCH] hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[] when
+ a different block size is programmed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+If the block size is programmed to a different value from the
+previous one, reset the data pointer of s->fifo_buffer[] so that
+s->fifo_buffer[] can be filled in using the new block size in
+the next transfer.
+With this fix, the following reproducer:
+outl 0xcf8 0x80001010
+outl 0xcfc 0xe0000000
+outl 0xcf8 0x80001001
+outl 0xcfc 0x06000000
+write 0xe000002c 0x1 0x05
+write 0xe0000005 0x1 0x02
+write 0xe0000007 0x1 0x01
+write 0xe0000028 0x1 0x10
+write 0x0 0x1 0x23
+write 0x2 0x1 0x08
+write 0xe000000c 0x1 0x01
+write 0xe000000e 0x1 0x20
+write 0xe000000f 0x1 0x00
+write 0xe000000c 0x1 0x32
+write 0xe0000004 0x2 0x0200
+write 0xe0000028 0x1 0x00
+write 0xe0000003 0x1 0x40
+cannot be reproduced with the following QEMU command line:
+$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
+      -nodefaults -device sdhci-pci,sd-spec-version=3 \
+      -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+      -device sd-card,drive=mydrive -qtest stdio
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-UniversitÃ¤t Bochum)
+Reported-by: Sergej Schumilo (Ruhr-UniversitÃ¤t Bochum)
+Reported-by: Simon WÃ¶rner (Ruhr-UniversitÃ¤t Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-6-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-DaudÃ© <f4bug@amsat.org>
+CVE: CVE-2021-3409 CVE-2020-17380
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-5.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9 ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/sd/sdhci.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
+@@ -1135,6 +1135,8 @@ sdhci_write(void *opaque, hwaddr offset,
+         break;
+     case SDHC_BLKSIZE:
+         if (!TRANSFERRING_DATA(s->prnsts)) {
+            uint16_t blksize = s->blksize;
+
+             MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
+             MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
+ 
+@@ -1146,6 +1148,16 @@ sdhci_write(void *opaque, hwaddr offset,
+ 
+                 s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
+             }
+
+            /*
+             * If the block size is programmed to a different value from
+             * the previous one, reset the data pointer of s->fifo_buffer[]
+             * so that s->fifo_buffer[] can be filled in using the new block
+             * size in the next transfer.
+             */
+            if (blksize != s->blksize) {
+                s->data_count = 0;
+            }
+         }
+ 
+         break;

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-5.patch new file mode 100644 index 0000000000..7b436809e9 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-5.patch
@@ -0,0 +1,93 @@
	1	From cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9 Mon Sep 17 00:00:00 2001
	2	From: Bin Meng <bmeng.cn@gmail.com>
	3	Date: Wed, 3 Mar 2021 20:26:39 +0800
	4	Subject: [PATCH] hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[] when
	5	a different block size is programmed
	6	MIME-Version: 1.0
	7	Content-Type: text/plain; charset=utf8
	8	Content-Transfer-Encoding: 8bit
	9
	10	If the block size is programmed to a different value from the
	11	previous one, reset the data pointer of s->fifo_buffer[] so that
	12	s->fifo_buffer[] can be filled in using the new block size in
	13	the next transfer.
	14
	15	With this fix, the following reproducer:
	16
	17	outl 0xcf8 0x80001010
	18	outl 0xcfc 0xe0000000
	19	outl 0xcf8 0x80001001
	20	outl 0xcfc 0x06000000
	21	write 0xe000002c 0x1 0x05
	22	write 0xe0000005 0x1 0x02
	23	write 0xe0000007 0x1 0x01
	24	write 0xe0000028 0x1 0x10
	25	write 0x0 0x1 0x23
	26	write 0x2 0x1 0x08
	27	write 0xe000000c 0x1 0x01
	28	write 0xe000000e 0x1 0x20
	29	write 0xe000000f 0x1 0x00
	30	write 0xe000000c 0x1 0x32
	31	write 0xe0000004 0x2 0x0200
	32	write 0xe0000028 0x1 0x00
	33	write 0xe0000003 0x1 0x40
	34
	35	cannot be reproduced with the following QEMU command line:
	36
	37	$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
	38	-nodefaults -device sdhci-pci,sd-spec-version=3 \
	39	-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
	40	-device sd-card,drive=mydrive -qtest stdio
	41
	42	Cc: qemu-stable@nongnu.org
	43	Fixes: CVE-2020-17380
	44	Fixes: CVE-2020-25085
	45	Fixes: CVE-2021-3409
	46	Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
	47	Reported-by: Alexander Bulekov <alxndr@bu.edu>
	48	Reported-by: Cornelius Aschermann (Ruhr-UniversitÃ¤t Bochum)
	49	Reported-by: Sergej Schumilo (Ruhr-UniversitÃ¤t Bochum)
	50	Reported-by: Simon WÃ¶rner (Ruhr-UniversitÃ¤t Bochum)
	51	Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
	52	Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
	53	Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
	54	Tested-by: Alexander Bulekov <alxndr@bu.edu>
	55	Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
	56	Message-Id: <20210303122639.20004-6-bmeng.cn@gmail.com>
	57	Signed-off-by: Philippe Mathieu-DaudÃ© <f4bug@amsat.org>
	58
	59	CVE: CVE-2021-3409 CVE-2020-17380
	60	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-5.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9 ]
	61	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	62	---
	63	hw/sd/sdhci.c \| 12 ++++++++++++
	64	1 file changed, 12 insertions(+)
	65
	66	--- a/hw/sd/sdhci.c
	67	+++ b/hw/sd/sdhci.c
	68	@@ -1135,6 +1135,8 @@ sdhci_write(void *opaque, hwaddr offset,
	69	break;
	70	case SDHC_BLKSIZE:
	71	if (!TRANSFERRING_DATA(s->prnsts)) {
	72	+ uint16_t blksize = s->blksize;
	73	+
	74	MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
	75	MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
	76
	77	@@ -1146,6 +1148,16 @@ sdhci_write(void *opaque, hwaddr offset,
	78
	79	s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
	80	}
	81	+
	82	+ /*
	83	+ * If the block size is programmed to a different value from
	84	+ * the previous one, reset the data pointer of s->fifo_buffer[]
	85	+ * so that s->fifo_buffer[] can be filled in using the new block
	86	+ * size in the next transfer.
	87	+ */
	88	+ if (blksize != s->blksize) {
	89	+ s->data_count = 0;
	90	+ }
	91	}
	92
	93	break;