1 files changed, 68 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
new file mode 100644
index 0000000000..33fca66d3d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
@@ -0,0 +1,68 @@
+From 9a8f71ec660e67c51cc5905dd9d2a12ff78ce743 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 18 Aug 2021 14:05:05 +0200
+Subject: [PATCH 08/12] uas: add stream number sanity checks.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+The device uses the guest-supplied stream number unchecked, which can
+lead to guest-triggered out-of-band access to the UASDevice->data3 and
+UASDevice->status3 fields.  Add the missing checks.
+Fixes: CVE-2021-3713
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reported-by: Chen Zhe <chenzhe@huawei.com>
+Reported-by: Tan Jingguo <tanjingguo@huawei.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210818120505.1258262-2-kraxel@redhat.com>
+(cherry picked from commit 13b250b12ad3c59114a6a17d59caf073ce45b33a)
+Signed-off-by: Michael Roth <michael.roth@amd.com>
+Upstream-Status: Backport [36403e8788a264dc96174f52584681ebcb4f54b1]
+CVE: CVE-2021-3713
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/usb/dev-uas.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c
+index cec071d96..157734eb0 100644
+--- a/hw/usb/dev-uas.c
+++ b/hw/usb/dev-uas.c
+@@ -831,6 +831,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+         }
+         break;
+     case UAS_PIPE_ID_STATUS:
+        if (p->stream > UAS_MAX_STREAMS) {
+            goto err_stream;
+        }
+         if (p->stream) {
+             QTAILQ_FOREACH(st, &uas->results, next) {
+                 if (st->stream == p->stream) {
+@@ -858,6 +861,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+         break;
+     case UAS_PIPE_ID_DATA_IN:
+     case UAS_PIPE_ID_DATA_OUT:
+        if (p->stream > UAS_MAX_STREAMS) {
+            goto err_stream;
+        }
+         if (p->stream) {
+             req = usb_uas_find_request(uas, p->stream);
+         } else {
+@@ -893,6 +899,11 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+         p->status = USB_RET_STALL;
+         break;
+     }
+
+err_stream:
+    error_report("%s: invalid stream %d", __func__, p->stream);
+    p->status = USB_RET_STALL;
+    return;
+ }
+ 
+ static void usb_uas_unrealize(USBDevice *dev)
+-- 
+2.31.1

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch new file mode 100644 index 0000000000..33fca66d3d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
@@ -0,0 +1,68 @@
	1	From 9a8f71ec660e67c51cc5905dd9d2a12ff78ce743 Mon Sep 17 00:00:00 2001
	2	From: Gerd Hoffmann <kraxel@redhat.com>
	3	Date: Wed, 18 Aug 2021 14:05:05 +0200
	4	Subject: [PATCH 08/12] uas: add stream number sanity checks.
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	The device uses the guest-supplied stream number unchecked, which can
	10	lead to guest-triggered out-of-band access to the UASDevice->data3 and
	11	UASDevice->status3 fields. Add the missing checks.
	12
	13	Fixes: CVE-2021-3713
	14	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
	15	Reported-by: Chen Zhe <chenzhe@huawei.com>
	16	Reported-by: Tan Jingguo <tanjingguo@huawei.com>
	17	Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
	18	Message-Id: <20210818120505.1258262-2-kraxel@redhat.com>
	19	(cherry picked from commit 13b250b12ad3c59114a6a17d59caf073ce45b33a)
	20	Signed-off-by: Michael Roth <michael.roth@amd.com>
	21
	22	Upstream-Status: Backport [36403e8788a264dc96174f52584681ebcb4f54b1]
	23	CVE: CVE-2021-3713
	24
	25	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
	26	---
	27	hw/usb/dev-uas.c \| 11 +++++++++++
	28	1 file changed, 11 insertions(+)
	29
	30	diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c
	31	index cec071d96..157734eb0 100644
	32	--- a/hw/usb/dev-uas.c
	33	+++ b/hw/usb/dev-uas.c
	34	@@ -831,6 +831,9 @@ static void usb_uas_handle_data(USBDevice dev, USBPacket p)
	35	}
	36	break;
	37	case UAS_PIPE_ID_STATUS:
	38	+ if (p->stream > UAS_MAX_STREAMS) {
	39	+ goto err_stream;
	40	+ }
	41	if (p->stream) {
	42	QTAILQ_FOREACH(st, &uas->results, next) {
	43	if (st->stream == p->stream) {
	44	@@ -858,6 +861,9 @@ static void usb_uas_handle_data(USBDevice dev, USBPacket p)
	45	break;
	46	case UAS_PIPE_ID_DATA_IN:
	47	case UAS_PIPE_ID_DATA_OUT:
	48	+ if (p->stream > UAS_MAX_STREAMS) {
	49	+ goto err_stream;
	50	+ }
	51	if (p->stream) {
	52	req = usb_uas_find_request(uas, p->stream);
	53	} else {
	54	@@ -893,6 +899,11 @@ static void usb_uas_handle_data(USBDevice dev, USBPacket p)
	55	p->status = USB_RET_STALL;
	56	break;
	57	}
	58	+
	59	+err_stream:
	60	+ error_report("%s: invalid stream %d", __func__, p->stream);
	61	+ p->status = USB_RET_STALL;
	62	+ return;
	63	}
	64
	65	static void usb_uas_unrealize(USBDevice *dev)
	66	--
	67	2.31.1
	68