4 files changed, 246 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-10756.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-10756.patch
new file mode 100644
index 0000000000..306aef061b
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-10756.patch
@@ -0,0 +1,40 @@
+From c7ede54cbd2e2b25385325600958ba0124e31cc0 Mon Sep 17 00:00:00 2001
+From: Ralf Haferkamp <rhafer@suse.com>
+Date: Fri, 3 Jul 2020 14:51:16 +0200
+Subject: [PATCH] Drop bogus IPv6 messages
+Drop IPv6 message shorter than what's mentioned in the payload
+length header (+ the size of the IPv6 header). They're invalid an could
+lead to data leakage in icmp6_send_echoreply().
+CVE: CVE-2020-10756
+Upstream-Status: Backport
+https://gitlab.freedesktop.org/slirp/libslirp/-/commit/c7ede54cbd2e2b25385325600958ba0124e31cc0
+[SG: Based on libslirp commit c7ede54cbd2e2b25385325600958ba0124e31cc0 and adjusted context]
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ slirp/src/ip6_input.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+diff --git a/slirp/src/ip6_input.c b/slirp/src/ip6_input.c
+index d9d2b7e9..0f2b1785 100644
+--- a/slirp/src/ip6_input.c
+++ b/slirp/src/ip6_input.c
+@@ -49,6 +49,13 @@ void ip6_input(struct mbuf *m)
+         goto bad;
+     }
+ 
+    // Check if the message size is big enough to hold what's
+    // set in the payload length header. If not this is an invalid
+    // packet
+    if (m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)) {
+        goto bad;
+    }
+
+     /* check ip_ttl for a correct ICMP reply */
+     if (ip6->ip_hl == 0) {
+         icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS);
+-- 
+2.17.1
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch
new file mode 100644
index 0000000000..a109ac08d6
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch
@@ -0,0 +1,93 @@
+From b946434f2659a182afc17e155be6791ebfb302eb Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 25 Aug 2020 07:36:36 +0200
+Subject: [PATCH] usb: fix setup_len init (CVE-2020-14364)
+Store calculated setup_len in a local variable, verify it, and only
+write it to the struct (USBDevice->setup_len) in case it passed the
+sanity checks.
+This prevents other code (do_token_{in,out} functions specifically)
+from working with invalid USBDevice->setup_len values and overrunning
+the USBDevice->setup_buf[] buffer.
+Fixes: CVE-2020-14364
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Tested-by: Gonglei <arei.gonglei@huawei.com>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Message-id: 20200825053636.29648-1-kraxel@redhat.com
+Upstream-Status: Backport
+CVE: CVE-2020-14364
+[https://git.qemu.org/?p=qemu.git;a=patch;h=b946434f2659a182afc17e155be6791ebfb302eb]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ hw/usb/core.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+diff --git a/hw/usb/core.c b/hw/usb/core.c
+index 5abd128..5234dcc 100644
+--- a/hw/usb/core.c
+++ b/hw/usb/core.c
+@@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream)
+ static void do_token_setup(USBDevice *s, USBPacket *p)
+ {
+     int request, value, index;
+    unsigned int setup_len;
+ 
+     if (p->iov.size != 8) {
+         p->status = USB_RET_STALL;
+@@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
+     usb_packet_copy(p, s->setup_buf, p->iov.size);
+     s->setup_index = 0;
+     p->actual_length = 0;
+-    s->setup_len   = (s->setup_buf[7] << 8) | s->setup_buf[6];
+-    if (s->setup_len > sizeof(s->data_buf)) {
+    setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+    if (setup_len > sizeof(s->data_buf)) {
+         fprintf(stderr,
+                 "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+-                s->setup_len, sizeof(s->data_buf));
+                setup_len, sizeof(s->data_buf));
+         p->status = USB_RET_STALL;
+         return;
+     }
+    s->setup_len = setup_len;
+ 
+     request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+     value   = (s->setup_buf[3] << 8) | s->setup_buf[2];
+@@ -259,26 +261,28 @@ static void do_token_out(USBDevice *s, USBPacket *p)
+ static void do_parameter(USBDevice *s, USBPacket *p)
+ {
+     int i, request, value, index;
+    unsigned int setup_len;
+ 
+     for (i = 0; i < 8; i++) {
+         s->setup_buf[i] = p->parameter >> (i*8);
+     }
+ 
+     s->setup_state = SETUP_STATE_PARAM;
+-    s->setup_len   = (s->setup_buf[7] << 8) | s->setup_buf[6];
+     s->setup_index = 0;
+ 
+     request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+     value   = (s->setup_buf[3] << 8) | s->setup_buf[2];
+     index   = (s->setup_buf[5] << 8) | s->setup_buf[4];
+ 
+-    if (s->setup_len > sizeof(s->data_buf)) {
+    setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+    if (setup_len > sizeof(s->data_buf)) {
+         fprintf(stderr,
+                 "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+-                s->setup_len, sizeof(s->data_buf));
+                setup_len, sizeof(s->data_buf));
+         p->status = USB_RET_STALL;
+         return;
+     }
+    s->setup_len = setup_len;
+ 
+     if (p->pid == USB_TOKEN_OUT) {
+         usb_packet_copy(p, s->data_buf, s->setup_len);
+-- 
+2.17.1
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch
new file mode 100644
index 0000000000..9927584d11
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch
@@ -0,0 +1,64 @@
+From 5519724a13664b43e225ca05351c60b4468e4555 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Fri, 10 Jul 2020 11:19:41 +0200
+Subject: [PATCH] hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()
+A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It
+occurs while sending an Ethernet frame due to missing break statements
+and improper checking of the buffer size.
+Reported-by: Ziming Zhang <ezrakiez@gmail.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+CVE: CVE-2020-15863
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=5519724a13664b43e225ca05351c60b4468e4555]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ hw/net/xgmac.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c
+index f49df95..f496f7e 100644
+--- a/hw/net/xgmac.c
+++ b/hw/net/xgmac.c
+@@ -217,21 +217,31 @@ static void xgmac_enet_send(XgmacState *s)
+         }
+         len = (bd.buffer1_size & 0xfff) + (bd.buffer2_size & 0xfff);
+ 
+        /*
+         * FIXME: these cases of malformed tx descriptors (bad sizes)
+         * should probably be reported back to the guest somehow
+         * rather than simply silently stopping processing, but we
+         * don't know what the hardware does in this situation.
+         * This will only happen for buggy guests anyway.
+         */
+         if ((bd.buffer1_size & 0xfff) > 2048) {
+             DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
+                         "xgmac buffer 1 len on send > 2048 (0x%x)\n",
+                          __func__, bd.buffer1_size & 0xfff);
+            break;
+         }
+         if ((bd.buffer2_size & 0xfff) != 0) {
+             DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
+                         "xgmac buffer 2 len on send != 0 (0x%x)\n",
+                         __func__, bd.buffer2_size & 0xfff);
+            break;
+         }
+-        if (len >= sizeof(frame)) {
+        if (frame_size + len >= sizeof(frame)) {
+             DEBUGF_BRK("qemu:%s: buffer overflow %d read into %zu "
+-                        "buffer\n" , __func__, len, sizeof(frame));
+                        "buffer\n" , __func__, frame_size + len, sizeof(frame));
+             DEBUGF_BRK("qemu:%s: buffer1.size=%d; buffer2.size=%d\n",
+                         __func__, bd.buffer1_size, bd.buffer2_size);
+            break;
+         }
+ 
+         cpu_physical_memory_read(bd.buffer1_addr, ptr, len);
+-- 
+1.9.1
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-16092.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-16092.patch
new file mode 100644
index 0000000000..8ce01e26ad
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-16092.patch
@@ -0,0 +1,49 @@
+From 035e69b063835a5fd23cacabd63690a3d84532a8 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Sat, 1 Aug 2020 18:42:38 +0200
+Subject: [PATCH] hw/net/net_tx_pkt: fix assertion failure in
+ net_tx_pkt_add_raw_fragment()
+An assertion failure issue was found in the code that processes network
+packets
+while adding data fragments into the packet context. It could be abused
+by a
+malicious guest to abort the QEMU process on the host. This patch
+replaces the
+affected assert() with a conditional statement, returning false if the
+current
+data fragment exceeds max_raw_frags.
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Ziming Zhang <ezrakiez@gmail.com>
+Reviewed-by: Dmitry Fleytman <dmitry.fleytman@gmail.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Upstream-Status: Backport
+CVE: CVE-2020-16092
+[https://git.qemu.org/?p=qemu.git;a=commit;h=035e69b063835a5fd23cacabd63690a3d84532a8]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ hw/net/net_tx_pkt.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
+index 162f802..54d4c3b 100644
+--- a/hw/net/net_tx_pkt.c
+++ b/hw/net/net_tx_pkt.c
+@@ -379,7 +379,10 @@ bool net_tx_pkt_add_raw_fragment(struct NetTxPkt *pkt, hwaddr pa,
+     hwaddr mapped_len = 0;
+     struct iovec *ventry;
+     assert(pkt);
+-    assert(pkt->max_raw_frags > pkt->raw_frags);
+
+    if (pkt->raw_frags >= pkt->max_raw_frags) {
+        return false;
+    }
+ 
+     if (!len) {
+         return true;
+-- 
+2.17.1

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-10756.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-10756.patch new file mode 100644 index 0000000000..306aef061b --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-10756.patch
@@ -0,0 +1,40 @@
	1	From c7ede54cbd2e2b25385325600958ba0124e31cc0 Mon Sep 17 00:00:00 2001
	2	From: Ralf Haferkamp <rhafer@suse.com>
	3	Date: Fri, 3 Jul 2020 14:51:16 +0200
	4	Subject: [PATCH] Drop bogus IPv6 messages
	5
	6	Drop IPv6 message shorter than what's mentioned in the payload
	7	length header (+ the size of the IPv6 header). They're invalid an could
	8	lead to data leakage in icmp6_send_echoreply().
	9
	10	CVE: CVE-2020-10756
	11	Upstream-Status: Backport
	12	https://gitlab.freedesktop.org/slirp/libslirp/-/commit/c7ede54cbd2e2b25385325600958ba0124e31cc0
	13
	14	[SG: Based on libslirp commit c7ede54cbd2e2b25385325600958ba0124e31cc0 and adjusted context]
	15	Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
	16	---
	17	slirp/src/ip6_input.c \| 7 +++++++
	18	1 file changed, 7 insertions(+)
	19
	20	diff --git a/slirp/src/ip6_input.c b/slirp/src/ip6_input.c
	21	index d9d2b7e9..0f2b1785 100644
	22	--- a/slirp/src/ip6_input.c
	23	+++ b/slirp/src/ip6_input.c
	24	@@ -49,6 +49,13 @@ void ip6_input(struct mbuf *m)
	25	goto bad;
	26	}
	27
	28	+ // Check if the message size is big enough to hold what's
	29	+ // set in the payload length header. If not this is an invalid
	30	+ // packet
	31	+ if (m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)) {
	32	+ goto bad;
	33	+ }
	34	+
	35	/* check ip_ttl for a correct ICMP reply */
	36	if (ip6->ip_hl == 0) {
	37	icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS);
	38	--
	39	2.17.1
	40


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch new file mode 100644 index 0000000000..a109ac08d6 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch
@@ -0,0 +1,93 @@
	1	From b946434f2659a182afc17e155be6791ebfb302eb Mon Sep 17 00:00:00 2001
	2	From: Gerd Hoffmann <kraxel@redhat.com>
	3	Date: Tue, 25 Aug 2020 07:36:36 +0200
	4	Subject: [PATCH] usb: fix setup_len init (CVE-2020-14364)
	5
	6	Store calculated setup_len in a local variable, verify it, and only
	7	write it to the struct (USBDevice->setup_len) in case it passed the
	8	sanity checks.
	9
	10	This prevents other code (do_token_{in,out} functions specifically)
	11	from working with invalid USBDevice->setup_len values and overrunning
	12	the USBDevice->setup_buf[] buffer.
	13
	14	Fixes: CVE-2020-14364
	15	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
	16	Tested-by: Gonglei <arei.gonglei@huawei.com>
	17	Reviewed-by: Li Qiang <liq3ea@gmail.com>
	18	Message-id: 20200825053636.29648-1-kraxel@redhat.com
	19
	20	Upstream-Status: Backport
	21	CVE: CVE-2020-14364
	22	[https://git.qemu.org/?p=qemu.git;a=patch;h=b946434f2659a182afc17e155be6791ebfb302eb]
	23	Signed-off-by: Li Wang <li.wang@windriver.com>
	24	---
	25	hw/usb/core.c \| 16 ++++++++++------
	26	1 file changed, 10 insertions(+), 6 deletions(-)
	27
	28	diff --git a/hw/usb/core.c b/hw/usb/core.c
	29	index 5abd128..5234dcc 100644
	30	--- a/hw/usb/core.c
	31	+++ b/hw/usb/core.c
	32	@@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream)
	33	static void do_token_setup(USBDevice s, USBPacket p)
	34	{
	35	int request, value, index;
	36	+ unsigned int setup_len;
	37
	38	if (p->iov.size != 8) {
	39	p->status = USB_RET_STALL;
	40	@@ -138,14 +139,15 @@ static void do_token_setup(USBDevice s, USBPacket p)
	41	usb_packet_copy(p, s->setup_buf, p->iov.size);
	42	s->setup_index = 0;
	43	p->actual_length = 0;
	44	- s->setup_len = (s->setup_buf[7] << 8) \| s->setup_buf[6];
	45	- if (s->setup_len > sizeof(s->data_buf)) {
	46	+ setup_len = (s->setup_buf[7] << 8) \| s->setup_buf[6];
	47	+ if (setup_len > sizeof(s->data_buf)) {
	48	fprintf(stderr,
	49	"usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
	50	- s->setup_len, sizeof(s->data_buf));
	51	+ setup_len, sizeof(s->data_buf));
	52	p->status = USB_RET_STALL;
	53	return;
	54	}
	55	+ s->setup_len = setup_len;
	56
	57	request = (s->setup_buf[0] << 8) \| s->setup_buf[1];
	58	value = (s->setup_buf[3] << 8) \| s->setup_buf[2];
	59	@@ -259,26 +261,28 @@ static void do_token_out(USBDevice s, USBPacket p)
	60	static void do_parameter(USBDevice s, USBPacket p)
	61	{
	62	int i, request, value, index;
	63	+ unsigned int setup_len;
	64
	65	for (i = 0; i < 8; i++) {
	66	s->setup_buf[i] = p->parameter >> (i*8);
	67	}
	68
	69	s->setup_state = SETUP_STATE_PARAM;
	70	- s->setup_len = (s->setup_buf[7] << 8) \| s->setup_buf[6];
	71	s->setup_index = 0;
	72
	73	request = (s->setup_buf[0] << 8) \| s->setup_buf[1];
	74	value = (s->setup_buf[3] << 8) \| s->setup_buf[2];
	75	index = (s->setup_buf[5] << 8) \| s->setup_buf[4];
	76
	77	- if (s->setup_len > sizeof(s->data_buf)) {
	78	+ setup_len = (s->setup_buf[7] << 8) \| s->setup_buf[6];
	79	+ if (setup_len > sizeof(s->data_buf)) {
	80	fprintf(stderr,
	81	"usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
	82	- s->setup_len, sizeof(s->data_buf));
	83	+ setup_len, sizeof(s->data_buf));
	84	p->status = USB_RET_STALL;
	85	return;
	86	}
	87	+ s->setup_len = setup_len;
	88
	89	if (p->pid == USB_TOKEN_OUT) {
	90	usb_packet_copy(p, s->data_buf, s->setup_len);
	91	--
	92	2.17.1
	93


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch new file mode 100644 index 0000000000..9927584d11 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch
@@ -0,0 +1,64 @@
	1	From 5519724a13664b43e225ca05351c60b4468e4555 Mon Sep 17 00:00:00 2001
	2	From: Mauro Matteo Cascella <mcascell@redhat.com>
	3	Date: Fri, 10 Jul 2020 11:19:41 +0200
	4	Subject: [PATCH] hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()
	5
	6	A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It
	7	occurs while sending an Ethernet frame due to missing break statements
	8	and improper checking of the buffer size.
	9
	10	Reported-by: Ziming Zhang <ezrakiez@gmail.com>
	11	Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
	12	Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
	13	Signed-off-by: Jason Wang <jasowang@redhat.com>
	14
	15	CVE: CVE-2020-15863
	16	Upstream-Status: Backport
	17	[https://git.qemu.org/?p=qemu.git;a=commit;h=5519724a13664b43e225ca05351c60b4468e4555]
	18	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	19	Signed-off-by: Li Wang <li.wang@windriver.com>
	20	---
	21	hw/net/xgmac.c \| 14 ++++++++++++--
	22	1 file changed, 12 insertions(+), 2 deletions(-)
	23
	24	diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c
	25	index f49df95..f496f7e 100644
	26	--- a/hw/net/xgmac.c
	27	+++ b/hw/net/xgmac.c
	28	@@ -217,21 +217,31 @@ static void xgmac_enet_send(XgmacState *s)
	29	}
	30	len = (bd.buffer1_size & 0xfff) + (bd.buffer2_size & 0xfff);
	31
	32	+ /*
	33	+ * FIXME: these cases of malformed tx descriptors (bad sizes)
	34	+ * should probably be reported back to the guest somehow
	35	+ * rather than simply silently stopping processing, but we
	36	+ * don't know what the hardware does in this situation.
	37	+ * This will only happen for buggy guests anyway.
	38	+ */
	39	if ((bd.buffer1_size & 0xfff) > 2048) {
	40	DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
	41	"xgmac buffer 1 len on send > 2048 (0x%x)\n",
	42	__func__, bd.buffer1_size & 0xfff);
	43	+ break;
	44	}
	45	if ((bd.buffer2_size & 0xfff) != 0) {
	46	DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
	47	"xgmac buffer 2 len on send != 0 (0x%x)\n",
	48	__func__, bd.buffer2_size & 0xfff);
	49	+ break;
	50	}
	51	- if (len >= sizeof(frame)) {
	52	+ if (frame_size + len >= sizeof(frame)) {
	53	DEBUGF_BRK("qemu:%s: buffer overflow %d read into %zu "
	54	- "buffer\n" , __func__, len, sizeof(frame));
	55	+ "buffer\n" , __func__, frame_size + len, sizeof(frame));
	56	DEBUGF_BRK("qemu:%s: buffer1.size=%d; buffer2.size=%d\n",
	57	__func__, bd.buffer1_size, bd.buffer2_size);
	58	+ break;
	59	}
	60
	61	cpu_physical_memory_read(bd.buffer1_addr, ptr, len);
	62	--
	63	1.9.1
	64


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-16092.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-16092.patch new file mode 100644 index 0000000000..8ce01e26ad --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-16092.patch
@@ -0,0 +1,49 @@
	1	From 035e69b063835a5fd23cacabd63690a3d84532a8 Mon Sep 17 00:00:00 2001
	2	From: Mauro Matteo Cascella <mcascell@redhat.com>
	3	Date: Sat, 1 Aug 2020 18:42:38 +0200
	4	Subject: [PATCH] hw/net/net_tx_pkt: fix assertion failure in
	5	net_tx_pkt_add_raw_fragment()
	6
	7	An assertion failure issue was found in the code that processes network
	8	packets
	9	while adding data fragments into the packet context. It could be abused
	10	by a
	11	malicious guest to abort the QEMU process on the host. This patch
	12	replaces the
	13	affected assert() with a conditional statement, returning false if the
	14	current
	15	data fragment exceeds max_raw_frags.
	16
	17	Reported-by: Alexander Bulekov <alxndr@bu.edu>
	18	Reported-by: Ziming Zhang <ezrakiez@gmail.com>
	19	Reviewed-by: Dmitry Fleytman <dmitry.fleytman@gmail.com>
	20	Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
	21	Signed-off-by: Jason Wang <jasowang@redhat.com>
	22
	23	Upstream-Status: Backport
	24	CVE: CVE-2020-16092
	25	[https://git.qemu.org/?p=qemu.git;a=commit;h=035e69b063835a5fd23cacabd63690a3d84532a8]
	26	Signed-off-by: Li Wang <li.wang@windriver.com>
	27	---
	28	hw/net/net_tx_pkt.c \| 5 ++++-
	29	1 file changed, 4 insertions(+), 1 deletion(-)
	30
	31	diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
	32	index 162f802..54d4c3b 100644
	33	--- a/hw/net/net_tx_pkt.c
	34	+++ b/hw/net/net_tx_pkt.c
	35	@@ -379,7 +379,10 @@ bool net_tx_pkt_add_raw_fragment(struct NetTxPkt *pkt, hwaddr pa,
	36	hwaddr mapped_len = 0;
	37	struct iovec *ventry;
	38	assert(pkt);
	39	- assert(pkt->max_raw_frags > pkt->raw_frags);
	40	+
	41	+ if (pkt->raw_frags >= pkt->max_raw_frags) {
	42	+ return false;
	43	+ }
	44
	45	if (!len) {
	46	return true;
	47	--
	48	2.17.1
	49