Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch | 87 |
1 files changed, 87 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch new file mode 100644 index 0000000000..4ff3413f8e --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch | |||
@@ -0,0 +1,87 @@ | |||
1 | From defac5e2fbddf8423a354ff0454283a2115e1367 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> | ||
3 | Date: Thu, 18 Nov 2021 12:57:32 +0100 | ||
4 | Subject: [PATCH] hw/block/fdc: Prevent end-of-track overrun (CVE-2021-3507) | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | Per the 82078 datasheet, if the end-of-track (EOT byte in | ||
10 | the FIFO) is more than the number of sectors per side, the | ||
11 | command is terminated unsuccessfully: | ||
12 | |||
13 | * 5.2.5 DATA TRANSFER TERMINATION | ||
14 | |||
15 | The 82078 supports terminal count explicitly through | ||
16 | the TC pin and implicitly through the underrun/over- | ||
17 | run and end-of-track (EOT) functions. For full sector | ||
18 | transfers, the EOT parameter can define the last | ||
19 | sector to be transferred in a single or multisector | ||
20 | transfer. If the last sector to be transferred is a par- | ||
21 | tial sector, the host can stop transferring the data in | ||
22 | mid-sector, and the 82078 will continue to complete | ||
23 | the sector as if a hardware TC was received. The | ||
24 | only difference between these implicit functions and | ||
25 | TC is that they return "abnormal termination" result | ||
26 | status. Such status indications can be ignored if they | ||
27 | were expected. | ||
28 | |||
29 | * 6.1.3 READ TRACK | ||
30 | |||
31 | This command terminates when the EOT specified | ||
32 | number of sectors have been read. If the 82078 | ||
33 | does not find an I D Address Mark on the diskette | ||
34 | after the second· occurrence of a pulse on the | ||
35 | INDX# pin, then it sets the IC code in Status Regis- | ||
36 | ter 0 to "01" (Abnormal termination), sets the MA bit | ||
37 | in Status Register 1 to "1", and terminates the com- | ||
38 | mand. | ||
39 | |||
40 | * 6.1.6 VERIFY | ||
41 | |||
42 | Refer to Table 6-6 and Table 6-7 for information | ||
43 | concerning the values of MT and EC versus SC and | ||
44 | EOT value. | ||
45 | |||
46 | * Table 6·6. Result Phase Table | ||
47 | |||
48 | * Table 6-7. Verify Command Result Phase Table | ||
49 | |||
50 | Fix by aborting the transfer when EOT > # Sectors Per Side. | ||
51 | |||
52 | Cc: qemu-stable@nongnu.org | ||
53 | Cc: Hervé Poussineau <hpoussin@reactos.org> | ||
54 | Fixes: baca51faff0 ("floppy driver: disk geometry auto detect") | ||
55 | Reported-by: Alexander Bulekov <alxndr@bu.edu> | ||
56 | Resolves: https://gitlab.com/qemu-project/qemu/-/issues/339 | ||
57 | Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
58 | Message-Id: <20211118115733.4038610-2-philmd@redhat.com> | ||
59 | Reviewed-by: Hanna Reitz <hreitz@redhat.com> | ||
60 | Signed-off-by: Kevin Wolf <kwolf@redhat.com> | ||
61 | |||
62 | Upstream-Status: Backport [https://github.com/qemu/qemu/commit/defac5e2fbddf8423a354ff0454283a2115e1367] | ||
63 | CVE: CVE-2021-3507 | ||
64 | Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> | ||
65 | --- | ||
66 | hw/block/fdc.c | 8 ++++++++ | ||
67 | 1 file changed, 8 insertions(+) | ||
68 | |||
69 | diff --git a/hw/block/fdc.c b/hw/block/fdc.c | ||
70 | index 347875a0cdae..57bb355794a9 100644 | ||
71 | --- a/hw/block/fdc.c | ||
72 | +++ b/hw/block/fdc.c | ||
73 | @@ -1530,6 +1530,14 @@ static void fdctrl_start_transfer(FDCtrl *fdctrl, int direction) | ||
74 | int tmp; | ||
75 | fdctrl->data_len = 128 << (fdctrl->fifo[5] > 7 ? 7 : fdctrl->fifo[5]); | ||
76 | tmp = (fdctrl->fifo[6] - ks + 1); | ||
77 | + if (tmp < 0) { | ||
78 | + FLOPPY_DPRINTF("invalid EOT: %d\n", tmp); | ||
79 | + fdctrl_stop_transfer(fdctrl, FD_SR0_ABNTERM, FD_SR1_MA, 0x00); | ||
80 | + fdctrl->fifo[3] = kt; | ||
81 | + fdctrl->fifo[4] = kh; | ||
82 | + fdctrl->fifo[5] = ks; | ||
83 | + return; | ||
84 | + } | ||
85 | if (fdctrl->fifo[0] & 0x80) | ||
86 | tmp += fdctrl->fifo[6]; | ||
87 | fdctrl->data_len *= tmp; | ||
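Review bot: The guard added at patch lines 77-84 rejects `tmp < 0`, that is an EOT byte (`fdctrl->fifo[6]`) lying before the start sector `ks`, while the commit message at line 50 says the transfer is aborted when EOT exceeds the number of sectors per side; no comparison against the drive's sector count appears in the hunk, so a reader matching the code to the message will not find the stated condition. A comment on the check would record what is actually enforced, e.g. `/* EOT before the start sector would make the sector count, and hence data_len, negative */`. Whether a large EOT is still bounded depends on the consumers of `data_len` and on where `ks` comes from, both outside this hunk; if the recipe's QEMU differs from upstream there, a sentence in the backport notes would help. The debug message `"invalid EOT: %d"` prints the derived count `tmp` rather than the EOT byte; logging `fdctrl->fifo[6]` together with `ks` would make a rejected command easier to diagnose. fdctrl_start_transfer starts and ends outside the hunk.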