1 files changed, 87 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch
new file mode 100644
index 0000000000..4ff3413f8e
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch
@@ -0,0 +1,87 @@
+From defac5e2fbddf8423a354ff0454283a2115e1367 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 18 Nov 2021 12:57:32 +0100
+Subject: [PATCH] hw/block/fdc: Prevent end-of-track overrun (CVE-2021-3507)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Per the 82078 datasheet, if the end-of-track (EOT byte in
+the FIFO) is more than the number of sectors per side, the
+command is terminated unsuccessfully:
+* 5.2.5 DATA TRANSFER TERMINATION
+  The 82078 supports terminal count explicitly through
+  the TC pin and implicitly through the underrun/over-
+  run and end-of-track (EOT) functions. For full sector
+  transfers, the EOT parameter can define the last
+  sector to be transferred in a single or multisector
+  transfer. If the last sector to be transferred is a par-
+  tial sector, the host can stop transferring the data in
+  mid-sector, and the 82078 will continue to complete
+  the sector as if a hardware TC was received. The
+  only difference between these implicit functions and
+  TC is that they return "abnormal termination" result
+  status. Such status indications can be ignored if they
+  were expected.
+* 6.1.3 READ TRACK
+  This command terminates when the EOT specified
+  number of sectors have been read. If the 82078
+  does not find an I D Address Mark on the diskette
+  after the second· occurrence of a pulse on the
+  INDX# pin, then it sets the IC code in Status Regis-
+  ter 0 to "01" (Abnormal termination), sets the MA bit
+  in Status Register 1 to "1", and terminates the com-
+  mand.
+* 6.1.6 VERIFY
+  Refer to Table 6-6 and Table 6-7 for information
+  concerning the values of MT and EC versus SC and
+  EOT value.
+* Table 6·6. Result Phase Table
+* Table 6-7. Verify Command Result Phase Table
+Fix by aborting the transfer when EOT > # Sectors Per Side.
+Cc: qemu-stable@nongnu.org
+Cc: Hervé Poussineau <hpoussin@reactos.org>
+Fixes: baca51faff0 ("floppy driver: disk geometry auto detect")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/339
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20211118115733.4038610-2-philmd@redhat.com>
+Reviewed-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/defac5e2fbddf8423a354ff0454283a2115e1367]
+CVE: CVE-2021-3507
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ hw/block/fdc.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index 347875a0cdae..57bb355794a9 100644
+--- a/hw/block/fdc.c
+++ b/hw/block/fdc.c
+@@ -1530,6 +1530,14 @@ static void fdctrl_start_transfer(FDCtrl *fdctrl, int direction)
+         int tmp;
+         fdctrl->data_len = 128 << (fdctrl->fifo[5] > 7 ? 7 : fdctrl->fifo[5]);
+         tmp = (fdctrl->fifo[6] - ks + 1);
+        if (tmp < 0) {
+            FLOPPY_DPRINTF("invalid EOT: %d\n", tmp);
+            fdctrl_stop_transfer(fdctrl, FD_SR0_ABNTERM, FD_SR1_MA, 0x00);
+            fdctrl->fifo[3] = kt;
+            fdctrl->fifo[4] = kh;
+            fdctrl->fifo[5] = ks;
+            return;
+        }
+         if (fdctrl->fifo[0] & 0x80)
+             tmp += fdctrl->fifo[6];
+         fdctrl->data_len *= tmp;

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch new file mode 100644 index 0000000000..4ff3413f8e --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch
@@ -0,0 +1,87 @@
	1	From defac5e2fbddf8423a354ff0454283a2115e1367 Mon Sep 17 00:00:00 2001
	2	From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
	3	Date: Thu, 18 Nov 2021 12:57:32 +0100
	4	Subject: [PATCH] hw/block/fdc: Prevent end-of-track overrun (CVE-2021-3507)
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	Per the 82078 datasheet, if the end-of-track (EOT byte in
	10	the FIFO) is more than the number of sectors per side, the
	11	command is terminated unsuccessfully:
	12
	13	* 5.2.5 DATA TRANSFER TERMINATION
	14
	15	The 82078 supports terminal count explicitly through
	16	the TC pin and implicitly through the underrun/over-
	17	run and end-of-track (EOT) functions. For full sector
	18	transfers, the EOT parameter can define the last
	19	sector to be transferred in a single or multisector
	20	transfer. If the last sector to be transferred is a par-
	21	tial sector, the host can stop transferring the data in
	22	mid-sector, and the 82078 will continue to complete
	23	the sector as if a hardware TC was received. The
	24	only difference between these implicit functions and
	25	TC is that they return "abnormal termination" result
	26	status. Such status indications can be ignored if they
	27	were expected.
	28
	29	* 6.1.3 READ TRACK
	30
	31	This command terminates when the EOT specified
	32	number of sectors have been read. If the 82078
	33	does not find an I D Address Mark on the diskette
	34	after the second· occurrence of a pulse on the
	35	INDX# pin, then it sets the IC code in Status Regis-
	36	ter 0 to "01" (Abnormal termination), sets the MA bit
	37	in Status Register 1 to "1", and terminates the com-
	38	mand.
	39
	40	* 6.1.6 VERIFY
	41
	42	Refer to Table 6-6 and Table 6-7 for information
	43	concerning the values of MT and EC versus SC and
	44	EOT value.
	45
	46	* Table 6·6. Result Phase Table
	47
	48	* Table 6-7. Verify Command Result Phase Table
	49
	50	Fix by aborting the transfer when EOT > # Sectors Per Side.
	51
	52	Cc: qemu-stable@nongnu.org
	53	Cc: Hervé Poussineau <hpoussin@reactos.org>
	54	Fixes: baca51faff0 ("floppy driver: disk geometry auto detect")
	55	Reported-by: Alexander Bulekov <alxndr@bu.edu>
	56	Resolves: https://gitlab.com/qemu-project/qemu/-/issues/339
	57	Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
	58	Message-Id: <20211118115733.4038610-2-philmd@redhat.com>
	59	Reviewed-by: Hanna Reitz <hreitz@redhat.com>
	60	Signed-off-by: Kevin Wolf <kwolf@redhat.com>
	61
	62	Upstream-Status: Backport [https://github.com/qemu/qemu/commit/defac5e2fbddf8423a354ff0454283a2115e1367]
	63	CVE: CVE-2021-3507
	64	Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
	65	---
	66	hw/block/fdc.c \| 8 ++++++++
	67	1 file changed, 8 insertions(+)
	68
	69	diff --git a/hw/block/fdc.c b/hw/block/fdc.c
	70	index 347875a0cdae..57bb355794a9 100644
	71	--- a/hw/block/fdc.c
	72	+++ b/hw/block/fdc.c
	73	@@ -1530,6 +1530,14 @@ static void fdctrl_start_transfer(FDCtrl *fdctrl, int direction)
	74	int tmp;
	75	fdctrl->data_len = 128 << (fdctrl->fifo[5] > 7 ? 7 : fdctrl->fifo[5]);
	76	tmp = (fdctrl->fifo[6] - ks + 1);
	77	+ if (tmp < 0) {
	78	+ FLOPPY_DPRINTF("invalid EOT: %d\n", tmp);
	79	+ fdctrl_stop_transfer(fdctrl, FD_SR0_ABNTERM, FD_SR1_MA, 0x00);
	80	+ fdctrl->fifo[3] = kt;
	81	+ fdctrl->fifo[4] = kh;
	82	+ fdctrl->fifo[5] = ks;
	83	+ return;
	84	+ }
	85	if (fdctrl->fifo[0] & 0x80)
	86	tmp += fdctrl->fifo[6];
	87	fdctrl->data_len *= tmp;