1 files changed, 67 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
new file mode 100644
index 0000000000..cdd9c38db9
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
@@ -0,0 +1,67 @@
+From a114d6baedf2cccb454a46d36e399fec1bc3e1c0 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 18 Aug 2021 14:05:05 +0200
+Subject: [PATCH] uas: add stream number sanity checks.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+The device uses the guest-supplied stream number unchecked, which can
+lead to guest-triggered out-of-band access to the UASDevice->data3 and
+UASDevice->status3 fields.  Add the missing checks.
+Fixes: CVE-2021-3713
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reported-by: Chen Zhe <chenzhe@huawei.com>
+Reported-by: Tan Jingguo <tanjingguo@huawei.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210818120505.1258262-2-kraxel@redhat.com>
+https://gitlab.com/qemu-project/qemu/-/commit/13b250b12ad3c59114a6a17d59caf073ce45b33a
+CVE: CVE-2021-3713
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/usb/dev-uas.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c
+index 6d6d1073..0b8cd4dd 100644
+--- a/hw/usb/dev-uas.c
+++ b/hw/usb/dev-uas.c
+@@ -830,6 +830,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+         }
+         break;
+     case UAS_PIPE_ID_STATUS:
+        if (p->stream > UAS_MAX_STREAMS) {
+            goto err_stream;
+        }
+         if (p->stream) {
+             QTAILQ_FOREACH(st, &uas->results, next) {
+                 if (st->stream == p->stream) {
+@@ -857,6 +860,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+         break;
+     case UAS_PIPE_ID_DATA_IN:
+     case UAS_PIPE_ID_DATA_OUT:
+        if (p->stream > UAS_MAX_STREAMS) {
+            goto err_stream;
+        }
+         if (p->stream) {
+             req = usb_uas_find_request(uas, p->stream);
+         } else {
+@@ -892,6 +898,11 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+         p->status = USB_RET_STALL;
+         break;
+     }
+
+err_stream:
+    error_report("%s: invalid stream %d", __func__, p->stream);
+    p->status = USB_RET_STALL;
+    return;
+ }
+ 
+ static void usb_uas_unrealize(USBDevice *dev, Error **errp)

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch new file mode 100644 index 0000000000..cdd9c38db9 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
@@ -0,0 +1,67 @@
	1	From a114d6baedf2cccb454a46d36e399fec1bc3e1c0 Mon Sep 17 00:00:00 2001
	2	From: Gerd Hoffmann <kraxel@redhat.com>
	3	Date: Wed, 18 Aug 2021 14:05:05 +0200
	4	Subject: [PATCH] uas: add stream number sanity checks.
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	MIME-Version: 1.0
	10	Content-Type: text/plain; charset=UTF-8
	11	Content-Transfer-Encoding: 8bit
	12
	13	The device uses the guest-supplied stream number unchecked, which can
	14	lead to guest-triggered out-of-band access to the UASDevice->data3 and
	15	UASDevice->status3 fields. Add the missing checks.
	16
	17	Fixes: CVE-2021-3713
	18	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
	19	Reported-by: Chen Zhe <chenzhe@huawei.com>
	20	Reported-by: Tan Jingguo <tanjingguo@huawei.com>
	21	Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
	22	Message-Id: <20210818120505.1258262-2-kraxel@redhat.com>
	23
	24	https://gitlab.com/qemu-project/qemu/-/commit/13b250b12ad3c59114a6a17d59caf073ce45b33a
	25	CVE: CVE-2021-3713
	26	Upstream-Status: Backport
	27	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	28	---
	29	hw/usb/dev-uas.c \| 11 +++++++++++
	30	1 file changed, 11 insertions(+)
	31
	32	diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c
	33	index 6d6d1073..0b8cd4dd 100644
	34	--- a/hw/usb/dev-uas.c
	35	+++ b/hw/usb/dev-uas.c
	36	@@ -830,6 +830,9 @@ static void usb_uas_handle_data(USBDevice dev, USBPacket p)
	37	}
	38	break;
	39	case UAS_PIPE_ID_STATUS:
	40	+ if (p->stream > UAS_MAX_STREAMS) {
	41	+ goto err_stream;
	42	+ }
	43	if (p->stream) {
	44	QTAILQ_FOREACH(st, &uas->results, next) {
	45	if (st->stream == p->stream) {
	46	@@ -857,6 +860,9 @@ static void usb_uas_handle_data(USBDevice dev, USBPacket p)
	47	break;
	48	case UAS_PIPE_ID_DATA_IN:
	49	case UAS_PIPE_ID_DATA_OUT:
	50	+ if (p->stream > UAS_MAX_STREAMS) {
	51	+ goto err_stream;
	52	+ }
	53	if (p->stream) {
	54	req = usb_uas_find_request(uas, p->stream);
	55	} else {
	56	@@ -892,6 +898,11 @@ static void usb_uas_handle_data(USBDevice dev, USBPacket p)
	57	p->status = USB_RET_STALL;
	58	break;
	59	}
	60	+
	61	+err_stream:
	62	+ error_report("%s: invalid stream %d", __func__, p->stream);
	63	+ p->status = USB_RET_STALL;
	64	+ return;
	65	}
	66
	67	static void usb_uas_unrealize(USBDevice dev, Error *errp)