7 files changed, 493 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index f118772208..0ac33f87fc 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -37,6 +37,12 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2021-20181.patch \
           file://CVE-2020-29443.patch \
           file://CVE-2021-20221.patch \
+           file://CVE-2021-3409_1.patch \
+           file://CVE-2021-3409_2.patch \
+           file://CVE-2021-3409_3.patch \
+           file://CVE-2021-3409_4.patch \
+           file://CVE-2021-3409_5.patch \
+           file://CVE-2021-3409_6.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_1.patch
new file mode 100644
index 0000000000..f9395add43
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_1.patch
@@ -0,0 +1,56 @@
+From c01ae9a35b3c6b4a8e1f1bfa0a0caafe394f8b5c Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Tue, 16 Feb 2021 11:46:52 +0800
+Subject: [PATCH 1/6] hw/sd: sdhci: Simplify updating s->prnsts in
+ sdhci_sdma_transfer_multi_blocks()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+s->prnsts is updated in both branches of the if () else () statement.
+Move the common bits outside so that it is cleaner.
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-Id: <1613447214-81951-5-git-send-email-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Upstream-Status: Backport [8bc1f1aa51d32c3184e7b19d5b94c35ecc06f056]
+CVE: CVE-2021-3409
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/sd/sdhci.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 2f8b74a84..f83c5e295 100644
+--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
+@@ -596,9 +596,9 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
+         page_aligned = true;
+     }
+ 
+    s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE;
+     if (s->trnmod & SDHC_TRNS_READ) {
+-        s->prnsts |= SDHC_DOING_READ | SDHC_DATA_INHIBIT |
+-                SDHC_DAT_LINE_ACTIVE;
+        s->prnsts |= SDHC_DOING_READ;
+         while (s->blkcnt) {
+             if (s->data_count == 0) {
+                 sdbus_read_data(&s->sdbus, s->fifo_buffer, block_size);
+@@ -625,8 +625,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
+             }
+         }
+     } else {
+-        s->prnsts |= SDHC_DOING_WRITE | SDHC_DATA_INHIBIT |
+-                SDHC_DAT_LINE_ACTIVE;
+        s->prnsts |= SDHC_DOING_WRITE;
+         while (s->blkcnt) {
+             begin = s->data_count;
+             if (((boundary_count + begin) < block_size) && page_aligned) {
+-- 
+2.29.2
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch
new file mode 100644
index 0000000000..f3d2bb1375
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch
@@ -0,0 +1,92 @@
+From b9bb4700798bce98888c51d7b6dbc19ec49159d5 Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:35 +0800
+Subject: [PATCH 2/6] hw/sd: sdhci: Don't transfer any data when command time
+ out
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+At the end of sdhci_send_command(), it starts a data transfer if the
+command register indicates data is associated. But the data transfer
+should only be initiated when the command execution has succeeded.
+With this fix, the following reproducer:
+outl 0xcf8 0x80001810
+outl 0xcfc 0xe1068000
+outl 0xcf8 0x80001804
+outw 0xcfc 0x7
+write 0xe106802c 0x1 0x0f
+write 0xe1068004 0xc 0x2801d10101fffffbff28a384
+write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f
+write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576
+write 0xe1068003 0x1 0xfe
+cannot be reproduced with the following QEMU command line:
+$ qemu-system-x86_64 -nographic -M pc-q35-5.0 \
+      -device sdhci-pci,sd-spec-version=3 \
+      -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+      -device sd-card,drive=mydrive \
+      -monitor none -serial none -qtest stdio
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Acked-by: Alistair Francis <alistair.francis@wdc.com>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-2-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Upstream-Status: Backport [b263d8f928001b5cfa2a993ea43b7a5b3a1811e8]
+CVE: CVE-2021-3409
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/sd/sdhci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index f83c5e295..44f8a82ea 100644
+--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
+@@ -326,6 +326,7 @@ static void sdhci_send_command(SDHCIState *s)
+     SDRequest request;
+     uint8_t response[16];
+     int rlen;
+    bool timeout = false;
+ 
+     s->errintsts = 0;
+     s->acmd12errsts = 0;
+@@ -349,6 +350,7 @@ static void sdhci_send_command(SDHCIState *s)
+             trace_sdhci_response16(s->rspreg[3], s->rspreg[2],
+                                    s->rspreg[1], s->rspreg[0]);
+         } else {
+            timeout = true;
+             trace_sdhci_error("timeout waiting for command response");
+             if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT) {
+                 s->errintsts |= SDHC_EIS_CMDTIMEOUT;
+@@ -369,7 +371,7 @@ static void sdhci_send_command(SDHCIState *s)
+ 
+     sdhci_update_irq(s);
+ 
+-    if (s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
+    if (!timeout && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
+         s->data_count = 0;
+         sdhci_data_transfer(s);
+     }
+-- 
+2.29.2
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_3.patch
new file mode 100644
index 0000000000..c3b37ed616
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_3.patch
@@ -0,0 +1,109 @@
+From 405ca416ccc8135544a4fe5732974497244128c9 Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:36 +0800
+Subject: [PATCH 3/6] hw/sd: sdhci: Don't write to SDHC_SYSAD register when
+ transfer is in progress
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Per "SD Host Controller Standard Specification Version 7.00"
+chapter 2.2.1 SDMA System Address Register:
+This register can be accessed only if no transaction is executing
+(i.e., after a transaction has stopped).
+With this fix, the following reproducer:
+outl 0xcf8 0x80001010
+outl 0xcfc 0xfbefff00
+outl 0xcf8 0x80001001
+outl 0xcfc 0x06000000
+write 0xfbefff2c 0x1 0x05
+write 0xfbefff0f 0x1 0x37
+write 0xfbefff0a 0x1 0x01
+write 0xfbefff0f 0x1 0x29
+write 0xfbefff0f 0x1 0x02
+write 0xfbefff0f 0x1 0x03
+write 0xfbefff04 0x1 0x01
+write 0xfbefff05 0x1 0x01
+write 0xfbefff07 0x1 0x02
+write 0xfbefff0c 0x1 0x33
+write 0xfbefff0e 0x1 0x20
+write 0xfbefff0f 0x1 0x00
+write 0xfbefff2a 0x1 0x01
+write 0xfbefff0c 0x1 0x00
+write 0xfbefff03 0x1 0x00
+write 0xfbefff05 0x1 0x00
+write 0xfbefff2a 0x1 0x02
+write 0xfbefff0c 0x1 0x32
+write 0xfbefff01 0x1 0x01
+write 0xfbefff02 0x1 0x01
+write 0xfbefff03 0x1 0x01
+cannot be reproduced with the following QEMU command line:
+$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
+       -nodefaults -device sdhci-pci,sd-spec-version=3 \
+       -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+       -device sd-card,drive=mydrive -qtest stdio
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-3-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Upstream-Status: Backport [8be45cc947832b3c02144c9d52921f499f2d77fe]
+CVE: CVE-2021-3409
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/sd/sdhci.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 44f8a82ea..d8a46f307 100644
+--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
+@@ -1121,15 +1121,17 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
+ 
+     switch (offset & ~0x3) {
+     case SDHC_SYSAD:
+-        s->sdmasysad = (s->sdmasysad & mask) | value;
+-        MASKED_WRITE(s->sdmasysad, mask, value);
+-        /* Writing to last byte of sdmasysad might trigger transfer */
+-        if (!(mask & 0xFF000000) && TRANSFERRING_DATA(s->prnsts) && s->blkcnt &&
+-                s->blksize && SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) {
+-            if (s->trnmod & SDHC_TRNS_MULTI) {
+-                sdhci_sdma_transfer_multi_blocks(s);
+-            } else {
+-                sdhci_sdma_transfer_single_block(s);
+        if (!TRANSFERRING_DATA(s->prnsts)) {
+            s->sdmasysad = (s->sdmasysad & mask) | value;
+            MASKED_WRITE(s->sdmasysad, mask, value);
+            /* Writing to last byte of sdmasysad might trigger transfer */
+            if (!(mask & 0xFF000000) && s->blkcnt && s->blksize &&
+                SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) {
+                if (s->trnmod & SDHC_TRNS_MULTI) {
+                    sdhci_sdma_transfer_multi_blocks(s);
+                } else {
+                    sdhci_sdma_transfer_single_block(s);
+                }
+             }
+         }
+         break;
+-- 
+2.29.2
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_4.patch
new file mode 100644
index 0000000000..d5be99759d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_4.patch
@@ -0,0 +1,75 @@
+From b672bcaf5522294a4d8de3e88e0932d55585ee3b Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:37 +0800
+Subject: [PATCH 4/6] hw/sd: sdhci: Correctly set the controller status for
+ ADMA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+When an ADMA transfer is started, the codes forget to set the
+controller status to indicate a transfer is in progress.
+With this fix, the following 2 reproducers:
+https://paste.debian.net/plain/1185136
+https://paste.debian.net/plain/1185141
+cannot be reproduced with the following QEMU command line:
+$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
+      -nodefaults -device sdhci-pci,sd-spec-version=3 \
+      -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+      -device sd-card,drive=mydrive -qtest stdio
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-4-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Upstream-Status: Backport [bc6f28995ff88f5d82c38afcfd65406f0ae375aa]
+CVE: CVE-2021-3409
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/sd/sdhci.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index d8a46f307..7de03c6dd 100644
+--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
+@@ -768,7 +768,9 @@ static void sdhci_do_adma(SDHCIState *s)
+ 
+         switch (dscr.attr & SDHC_ADMA_ATTR_ACT_MASK) {
+         case SDHC_ADMA_ATTR_ACT_TRAN:  /* data transfer */
+            s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE;
+             if (s->trnmod & SDHC_TRNS_READ) {
+                s->prnsts |= SDHC_DOING_READ;
+                 while (length) {
+                     if (s->data_count == 0) {
+                         sdbus_read_data(&s->sdbus, s->fifo_buffer, block_size);
+@@ -796,6 +798,7 @@ static void sdhci_do_adma(SDHCIState *s)
+                     }
+                 }
+             } else {
+                s->prnsts |= SDHC_DOING_WRITE;
+                 while (length) {
+                     begin = s->data_count;
+                     if ((length + begin) < block_size) {
+-- 
+2.29.2
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_5.patch
new file mode 100644
index 0000000000..7199056838
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_5.patch
@@ -0,0 +1,56 @@
+From c2298884cf6bcf2b047b4bae5f78432b052b5729 Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:38 +0800
+Subject: [PATCH 5/6] hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE
+ register is writable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+The codes to limit the maximum block size is only necessary when
+SDHC_BLKSIZE register is writable.
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-5-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Upstream-Status: Backport [5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd]
+CVE: CVE-2021-3409
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/sd/sdhci.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 7de03c6dd..6c780126e 100644
+--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
+@@ -1142,15 +1142,15 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
+         if (!TRANSFERRING_DATA(s->prnsts)) {
+             MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
+             MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
+-        }
+ 
+-        /* Limit block size to the maximum buffer size */
+-        if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
+-            qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than "
+-                          "the maximum buffer 0x%x\n", __func__, s->blksize,
+-                          s->buf_maxsz);
+            /* Limit block size to the maximum buffer size */
+            if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
+                qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than "
+                              "the maximum buffer 0x%x\n", __func__, s->blksize,
+                              s->buf_maxsz);
+ 
+-            s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
+                s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
+            }
+         }
+ 
+         break;
+-- 
+2.29.2
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch
new file mode 100644
index 0000000000..624c1f6496
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch
@@ -0,0 +1,99 @@
+From db916870a839346767b6d5ca7d0eed3128ba5fea Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:39 +0800
+Subject: [PATCH 6/6] hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[]
+ when a different block size is programmed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+If the block size is programmed to a different value from the
+previous one, reset the data pointer of s->fifo_buffer[] so that
+s->fifo_buffer[] can be filled in using the new block size in
+the next transfer.
+With this fix, the following reproducer:
+outl 0xcf8 0x80001010
+outl 0xcfc 0xe0000000
+outl 0xcf8 0x80001001
+outl 0xcfc 0x06000000
+write 0xe000002c 0x1 0x05
+write 0xe0000005 0x1 0x02
+write 0xe0000007 0x1 0x01
+write 0xe0000028 0x1 0x10
+write 0x0 0x1 0x23
+write 0x2 0x1 0x08
+write 0xe000000c 0x1 0x01
+write 0xe000000e 0x1 0x20
+write 0xe000000f 0x1 0x00
+write 0xe000000c 0x1 0x32
+write 0xe0000004 0x2 0x0200
+write 0xe0000028 0x1 0x00
+write 0xe0000003 0x1 0x40
+cannot be reproduced with the following QEMU command line:
+$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
+      -nodefaults -device sdhci-pci,sd-spec-version=3 \
+      -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+      -device sd-card,drive=mydrive -qtest stdio
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-6-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Upstream-Status: Backport [cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9]
+CVE: CVE-2021-3409
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/sd/sdhci.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 6c780126e..216842420 100644
+--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
+@@ -1140,6 +1140,8 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
+         break;
+     case SDHC_BLKSIZE:
+         if (!TRANSFERRING_DATA(s->prnsts)) {
+            uint16_t blksize = s->blksize;
+
+             MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
+             MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
+ 
+@@ -1151,6 +1153,16 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
+ 
+                 s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
+             }
+
+            /*
+             * If the block size is programmed to a different value from
+             * the previous one, reset the data pointer of s->fifo_buffer[]
+             * so that s->fifo_buffer[] can be filled in using the new block
+             * size in the next transfer.
+             */
+            if (blksize != s->blksize) {
+                s->data_count = 0;
+            }
+         }
+ 
+         break;
+-- 
+2.29.2

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index f118772208..0ac33f87fc 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -37,6 +37,12 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
37	file://CVE-2021-20181.patch \	37	file://CVE-2021-20181.patch \
38	file://CVE-2020-29443.patch \	38	file://CVE-2020-29443.patch \
39	file://CVE-2021-20221.patch \	39	file://CVE-2021-20221.patch \
		40	file://CVE-2021-3409_1.patch \
		41	file://CVE-2021-3409_2.patch \
		42	file://CVE-2021-3409_3.patch \
		43	file://CVE-2021-3409_4.patch \
		44	file://CVE-2021-3409_5.patch \
		45	file://CVE-2021-3409_6.patch \
40	"	46	"
41	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	47	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
42		48


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_1.patch new file mode 100644 index 0000000000..f9395add43 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_1.patch
@@ -0,0 +1,56 @@
		1	From c01ae9a35b3c6b4a8e1f1bfa0a0caafe394f8b5c Mon Sep 17 00:00:00 2001
		2	From: Bin Meng <bmeng.cn@gmail.com>
		3	Date: Tue, 16 Feb 2021 11:46:52 +0800
		4	Subject: [PATCH 1/6] hw/sd: sdhci: Simplify updating s->prnsts in
		5	sdhci_sdma_transfer_multi_blocks()
		6	MIME-Version: 1.0
		7	Content-Type: text/plain; charset=UTF-8
		8	Content-Transfer-Encoding: 8bit
		9
		10	s->prnsts is updated in both branches of the if () else () statement.
		11	Move the common bits outside so that it is cleaner.
		12
		13	Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
		14	Tested-by: Alexander Bulekov <alxndr@bu.edu>
		15	Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
		16	Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
		17	Message-Id: <1613447214-81951-5-git-send-email-bmeng.cn@gmail.com>
		18	Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
		19
		20	Upstream-Status: Backport [8bc1f1aa51d32c3184e7b19d5b94c35ecc06f056]
		21	CVE: CVE-2021-3409
		22
		23	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
		24	---
		25	hw/sd/sdhci.c \| 7 +++----
		26	1 file changed, 3 insertions(+), 4 deletions(-)
		27
		28	diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
		29	index 2f8b74a84..f83c5e295 100644
		30	--- a/hw/sd/sdhci.c
		31	+++ b/hw/sd/sdhci.c
		32	@@ -596,9 +596,9 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
		33	page_aligned = true;
		34	}
		35
		36	+ s->prnsts \|= SDHC_DATA_INHIBIT \| SDHC_DAT_LINE_ACTIVE;
		37	if (s->trnmod & SDHC_TRNS_READ) {
		38	- s->prnsts \|= SDHC_DOING_READ \| SDHC_DATA_INHIBIT \|
		39	- SDHC_DAT_LINE_ACTIVE;
		40	+ s->prnsts \|= SDHC_DOING_READ;
		41	while (s->blkcnt) {
		42	if (s->data_count == 0) {
		43	sdbus_read_data(&s->sdbus, s->fifo_buffer, block_size);
		44	@@ -625,8 +625,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
		45	}
		46	}
		47	} else {
		48	- s->prnsts \|= SDHC_DOING_WRITE \| SDHC_DATA_INHIBIT \|
		49	- SDHC_DAT_LINE_ACTIVE;
		50	+ s->prnsts \|= SDHC_DOING_WRITE;
		51	while (s->blkcnt) {
		52	begin = s->data_count;
		53	if (((boundary_count + begin) < block_size) && page_aligned) {
		54	--
		55	2.29.2
		56


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch new file mode 100644 index 0000000000..f3d2bb1375 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch
@@ -0,0 +1,92 @@
		1	From b9bb4700798bce98888c51d7b6dbc19ec49159d5 Mon Sep 17 00:00:00 2001
		2	From: Bin Meng <bmeng.cn@gmail.com>
		3	Date: Wed, 3 Mar 2021 20:26:35 +0800
		4	Subject: [PATCH 2/6] hw/sd: sdhci: Don't transfer any data when command time
		5	out
		6	MIME-Version: 1.0
		7	Content-Type: text/plain; charset=UTF-8
		8	Content-Transfer-Encoding: 8bit
		9
		10	At the end of sdhci_send_command(), it starts a data transfer if the
		11	command register indicates data is associated. But the data transfer
		12	should only be initiated when the command execution has succeeded.
		13
		14	With this fix, the following reproducer:
		15
		16	outl 0xcf8 0x80001810
		17	outl 0xcfc 0xe1068000
		18	outl 0xcf8 0x80001804
		19	outw 0xcfc 0x7
		20	write 0xe106802c 0x1 0x0f
		21	write 0xe1068004 0xc 0x2801d10101fffffbff28a384
		22	write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f
		23	write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576
		24	write 0xe1068003 0x1 0xfe
		25
		26	cannot be reproduced with the following QEMU command line:
		27
		28	$ qemu-system-x86_64 -nographic -M pc-q35-5.0 \
		29	-device sdhci-pci,sd-spec-version=3 \
		30	-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
		31	-device sd-card,drive=mydrive \
		32	-monitor none -serial none -qtest stdio
		33
		34	Cc: qemu-stable@nongnu.org
		35	Fixes: CVE-2020-17380
		36	Fixes: CVE-2020-25085
		37	Fixes: CVE-2021-3409
		38	Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
		39	Reported-by: Alexander Bulekov <alxndr@bu.edu>
		40	Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
		41	Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
		42	Reported-by: Simon Wörner (Ruhr-Universität Bochum)
		43	Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
		44	Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
		45	Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
		46	Acked-by: Alistair Francis <alistair.francis@wdc.com>
		47	Tested-by: Alexander Bulekov <alxndr@bu.edu>
		48	Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
		49	Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
		50	Message-Id: <20210303122639.20004-2-bmeng.cn@gmail.com>
		51	Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
		52
		53	Upstream-Status: Backport [b263d8f928001b5cfa2a993ea43b7a5b3a1811e8]
		54	CVE: CVE-2021-3409
		55
		56	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
		57	---
		58	hw/sd/sdhci.c \| 4 +++-
		59	1 file changed, 3 insertions(+), 1 deletion(-)
		60
		61	diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
		62	index f83c5e295..44f8a82ea 100644
		63	--- a/hw/sd/sdhci.c
		64	+++ b/hw/sd/sdhci.c
		65	@@ -326,6 +326,7 @@ static void sdhci_send_command(SDHCIState *s)
		66	SDRequest request;
		67	uint8_t response[16];
		68	int rlen;
		69	+ bool timeout = false;
		70
		71	s->errintsts = 0;
		72	s->acmd12errsts = 0;
		73	@@ -349,6 +350,7 @@ static void sdhci_send_command(SDHCIState *s)
		74	trace_sdhci_response16(s->rspreg[3], s->rspreg[2],
		75	s->rspreg[1], s->rspreg[0]);
		76	} else {
		77	+ timeout = true;
		78	trace_sdhci_error("timeout waiting for command response");
		79	if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT) {
		80	s->errintsts \|= SDHC_EIS_CMDTIMEOUT;
		81	@@ -369,7 +371,7 @@ static void sdhci_send_command(SDHCIState *s)
		82
		83	sdhci_update_irq(s);
		84
		85	- if (s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
		86	+ if (!timeout && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
		87	s->data_count = 0;
		88	sdhci_data_transfer(s);
		89	}
		90	--
		91	2.29.2
		92


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_3.patch new file mode 100644 index 0000000000..c3b37ed616 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_3.patch
@@ -0,0 +1,109 @@
		1	From 405ca416ccc8135544a4fe5732974497244128c9 Mon Sep 17 00:00:00 2001
		2	From: Bin Meng <bmeng.cn@gmail.com>
		3	Date: Wed, 3 Mar 2021 20:26:36 +0800
		4	Subject: [PATCH 3/6] hw/sd: sdhci: Don't write to SDHC_SYSAD register when
		5	transfer is in progress
		6	MIME-Version: 1.0
		7	Content-Type: text/plain; charset=UTF-8
		8	Content-Transfer-Encoding: 8bit
		9
		10	Per "SD Host Controller Standard Specification Version 7.00"
		11	chapter 2.2.1 SDMA System Address Register:
		12
		13	This register can be accessed only if no transaction is executing
		14	(i.e., after a transaction has stopped).
		15
		16	With this fix, the following reproducer:
		17
		18	outl 0xcf8 0x80001010
		19	outl 0xcfc 0xfbefff00
		20	outl 0xcf8 0x80001001
		21	outl 0xcfc 0x06000000
		22	write 0xfbefff2c 0x1 0x05
		23	write 0xfbefff0f 0x1 0x37
		24	write 0xfbefff0a 0x1 0x01
		25	write 0xfbefff0f 0x1 0x29
		26	write 0xfbefff0f 0x1 0x02
		27	write 0xfbefff0f 0x1 0x03
		28	write 0xfbefff04 0x1 0x01
		29	write 0xfbefff05 0x1 0x01
		30	write 0xfbefff07 0x1 0x02
		31	write 0xfbefff0c 0x1 0x33
		32	write 0xfbefff0e 0x1 0x20
		33	write 0xfbefff0f 0x1 0x00
		34	write 0xfbefff2a 0x1 0x01
		35	write 0xfbefff0c 0x1 0x00
		36	write 0xfbefff03 0x1 0x00
		37	write 0xfbefff05 0x1 0x00
		38	write 0xfbefff2a 0x1 0x02
		39	write 0xfbefff0c 0x1 0x32
		40	write 0xfbefff01 0x1 0x01
		41	write 0xfbefff02 0x1 0x01
		42	write 0xfbefff03 0x1 0x01
		43
		44	cannot be reproduced with the following QEMU command line:
		45
		46	$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
		47	-nodefaults -device sdhci-pci,sd-spec-version=3 \
		48	-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
		49	-device sd-card,drive=mydrive -qtest stdio
		50
		51	Cc: qemu-stable@nongnu.org
		52	Fixes: CVE-2020-17380
		53	Fixes: CVE-2020-25085
		54	Fixes: CVE-2021-3409
		55	Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
		56	Reported-by: Alexander Bulekov <alxndr@bu.edu>
		57	Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
		58	Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
		59	Reported-by: Simon Wörner (Ruhr-Universität Bochum)
		60	Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
		61	Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
		62	Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
		63	Tested-by: Alexander Bulekov <alxndr@bu.edu>
		64	Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
		65	Message-Id: <20210303122639.20004-3-bmeng.cn@gmail.com>
		66	Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
		67
		68	Upstream-Status: Backport [8be45cc947832b3c02144c9d52921f499f2d77fe]
		69	CVE: CVE-2021-3409
		70
		71	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
		72	---
		73	hw/sd/sdhci.c \| 20 +++++++++++---------
		74	1 file changed, 11 insertions(+), 9 deletions(-)
		75
		76	diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
		77	index 44f8a82ea..d8a46f307 100644
		78	--- a/hw/sd/sdhci.c
		79	+++ b/hw/sd/sdhci.c
		80	@@ -1121,15 +1121,17 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
		81
		82	switch (offset & ~0x3) {
		83	case SDHC_SYSAD:
		84	- s->sdmasysad = (s->sdmasysad & mask) \| value;
		85	- MASKED_WRITE(s->sdmasysad, mask, value);
		86	- /* Writing to last byte of sdmasysad might trigger transfer */
		87	- if (!(mask & 0xFF000000) && TRANSFERRING_DATA(s->prnsts) && s->blkcnt &&
		88	- s->blksize && SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) {
		89	- if (s->trnmod & SDHC_TRNS_MULTI) {
		90	- sdhci_sdma_transfer_multi_blocks(s);
		91	- } else {
		92	- sdhci_sdma_transfer_single_block(s);
		93	+ if (!TRANSFERRING_DATA(s->prnsts)) {
		94	+ s->sdmasysad = (s->sdmasysad & mask) \| value;
		95	+ MASKED_WRITE(s->sdmasysad, mask, value);
		96	+ /* Writing to last byte of sdmasysad might trigger transfer */
		97	+ if (!(mask & 0xFF000000) && s->blkcnt && s->blksize &&
		98	+ SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) {
		99	+ if (s->trnmod & SDHC_TRNS_MULTI) {
		100	+ sdhci_sdma_transfer_multi_blocks(s);
		101	+ } else {
		102	+ sdhci_sdma_transfer_single_block(s);
		103	+ }
		104	}
		105	}
		106	break;
		107	--
		108	2.29.2
		109


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_4.patch new file mode 100644 index 0000000000..d5be99759d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_4.patch
@@ -0,0 +1,75 @@
		1	From b672bcaf5522294a4d8de3e88e0932d55585ee3b Mon Sep 17 00:00:00 2001
		2	From: Bin Meng <bmeng.cn@gmail.com>
		3	Date: Wed, 3 Mar 2021 20:26:37 +0800
		4	Subject: [PATCH 4/6] hw/sd: sdhci: Correctly set the controller status for
		5	ADMA
		6	MIME-Version: 1.0
		7	Content-Type: text/plain; charset=UTF-8
		8	Content-Transfer-Encoding: 8bit
		9
		10	When an ADMA transfer is started, the codes forget to set the
		11	controller status to indicate a transfer is in progress.
		12
		13	With this fix, the following 2 reproducers:
		14
		15	https://paste.debian.net/plain/1185136
		16	https://paste.debian.net/plain/1185141
		17
		18	cannot be reproduced with the following QEMU command line:
		19
		20	$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
		21	-nodefaults -device sdhci-pci,sd-spec-version=3 \
		22	-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
		23	-device sd-card,drive=mydrive -qtest stdio
		24
		25	Cc: qemu-stable@nongnu.org
		26	Fixes: CVE-2020-17380
		27	Fixes: CVE-2020-25085
		28	Fixes: CVE-2021-3409
		29	Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
		30	Reported-by: Alexander Bulekov <alxndr@bu.edu>
		31	Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
		32	Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
		33	Reported-by: Simon Wörner (Ruhr-Universität Bochum)
		34	Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
		35	Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
		36	Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
		37	Tested-by: Alexander Bulekov <alxndr@bu.edu>
		38	Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
		39	Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
		40	Message-Id: <20210303122639.20004-4-bmeng.cn@gmail.com>
		41	Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
		42
		43	Upstream-Status: Backport [bc6f28995ff88f5d82c38afcfd65406f0ae375aa]
		44	CVE: CVE-2021-3409
		45
		46	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
		47	---
		48	hw/sd/sdhci.c \| 3 +++
		49	1 file changed, 3 insertions(+)
		50
		51	diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
		52	index d8a46f307..7de03c6dd 100644
		53	--- a/hw/sd/sdhci.c
		54	+++ b/hw/sd/sdhci.c
		55	@@ -768,7 +768,9 @@ static void sdhci_do_adma(SDHCIState *s)
		56
		57	switch (dscr.attr & SDHC_ADMA_ATTR_ACT_MASK) {
		58	case SDHC_ADMA_ATTR_ACT_TRAN: /* data transfer */
		59	+ s->prnsts \|= SDHC_DATA_INHIBIT \| SDHC_DAT_LINE_ACTIVE;
		60	if (s->trnmod & SDHC_TRNS_READ) {
		61	+ s->prnsts \|= SDHC_DOING_READ;
		62	while (length) {
		63	if (s->data_count == 0) {
		64	sdbus_read_data(&s->sdbus, s->fifo_buffer, block_size);
		65	@@ -796,6 +798,7 @@ static void sdhci_do_adma(SDHCIState *s)
		66	}
		67	}
		68	} else {
		69	+ s->prnsts \|= SDHC_DOING_WRITE;
		70	while (length) {
		71	begin = s->data_count;
		72	if ((length + begin) < block_size) {
		73	--
		74	2.29.2
		75


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_5.patch new file mode 100644 index 0000000000..7199056838 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_5.patch
@@ -0,0 +1,56 @@
		1	From c2298884cf6bcf2b047b4bae5f78432b052b5729 Mon Sep 17 00:00:00 2001
		2	From: Bin Meng <bmeng.cn@gmail.com>
		3	Date: Wed, 3 Mar 2021 20:26:38 +0800
		4	Subject: [PATCH 5/6] hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE
		5	register is writable
		6	MIME-Version: 1.0
		7	Content-Type: text/plain; charset=UTF-8
		8	Content-Transfer-Encoding: 8bit
		9
		10	The codes to limit the maximum block size is only necessary when
		11	SDHC_BLKSIZE register is writable.
		12
		13	Tested-by: Alexander Bulekov <alxndr@bu.edu>
		14	Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
		15	Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
		16	Message-Id: <20210303122639.20004-5-bmeng.cn@gmail.com>
		17	Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
		18
		19	Upstream-Status: Backport [5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd]
		20	CVE: CVE-2021-3409
		21
		22	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
		23	---
		24	hw/sd/sdhci.c \| 14 +++++++-------
		25	1 file changed, 7 insertions(+), 7 deletions(-)
		26
		27	diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
		28	index 7de03c6dd..6c780126e 100644
		29	--- a/hw/sd/sdhci.c
		30	+++ b/hw/sd/sdhci.c
		31	@@ -1142,15 +1142,15 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
		32	if (!TRANSFERRING_DATA(s->prnsts)) {
		33	MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
		34	MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
		35	- }
		36
		37	- /* Limit block size to the maximum buffer size */
		38	- if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
		39	- qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than "
		40	- "the maximum buffer 0x%x\n", __func__, s->blksize,
		41	- s->buf_maxsz);
		42	+ /* Limit block size to the maximum buffer size */
		43	+ if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
		44	+ qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than "
		45	+ "the maximum buffer 0x%x\n", __func__, s->blksize,
		46	+ s->buf_maxsz);
		47
		48	- s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
		49	+ s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
		50	+ }
		51	}
		52
		53	break;
		54	--
		55	2.29.2
		56


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch new file mode 100644 index 0000000000..624c1f6496 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch
@@ -0,0 +1,99 @@
		1	From db916870a839346767b6d5ca7d0eed3128ba5fea Mon Sep 17 00:00:00 2001
		2	From: Bin Meng <bmeng.cn@gmail.com>
		3	Date: Wed, 3 Mar 2021 20:26:39 +0800
		4	Subject: [PATCH 6/6] hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[]
		5	when a different block size is programmed
		6	MIME-Version: 1.0
		7	Content-Type: text/plain; charset=UTF-8
		8	Content-Transfer-Encoding: 8bit
		9
		10	If the block size is programmed to a different value from the
		11	previous one, reset the data pointer of s->fifo_buffer[] so that
		12	s->fifo_buffer[] can be filled in using the new block size in
		13	the next transfer.
		14
		15	With this fix, the following reproducer:
		16
		17	outl 0xcf8 0x80001010
		18	outl 0xcfc 0xe0000000
		19	outl 0xcf8 0x80001001
		20	outl 0xcfc 0x06000000
		21	write 0xe000002c 0x1 0x05
		22	write 0xe0000005 0x1 0x02
		23	write 0xe0000007 0x1 0x01
		24	write 0xe0000028 0x1 0x10
		25	write 0x0 0x1 0x23
		26	write 0x2 0x1 0x08
		27	write 0xe000000c 0x1 0x01
		28	write 0xe000000e 0x1 0x20
		29	write 0xe000000f 0x1 0x00
		30	write 0xe000000c 0x1 0x32
		31	write 0xe0000004 0x2 0x0200
		32	write 0xe0000028 0x1 0x00
		33	write 0xe0000003 0x1 0x40
		34
		35	cannot be reproduced with the following QEMU command line:
		36
		37	$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
		38	-nodefaults -device sdhci-pci,sd-spec-version=3 \
		39	-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
		40	-device sd-card,drive=mydrive -qtest stdio
		41
		42	Cc: qemu-stable@nongnu.org
		43	Fixes: CVE-2020-17380
		44	Fixes: CVE-2020-25085
		45	Fixes: CVE-2021-3409
		46	Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
		47	Reported-by: Alexander Bulekov <alxndr@bu.edu>
		48	Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
		49	Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
		50	Reported-by: Simon Wörner (Ruhr-Universität Bochum)
		51	Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
		52	Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
		53	Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
		54	Tested-by: Alexander Bulekov <alxndr@bu.edu>
		55	Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
		56	Message-Id: <20210303122639.20004-6-bmeng.cn@gmail.com>
		57	Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
		58
		59	Upstream-Status: Backport [cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9]
		60	CVE: CVE-2021-3409
		61
		62	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
		63	---
		64	hw/sd/sdhci.c \| 12 ++++++++++++
		65	1 file changed, 12 insertions(+)
		66
		67	diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
		68	index 6c780126e..216842420 100644
		69	--- a/hw/sd/sdhci.c
		70	+++ b/hw/sd/sdhci.c
		71	@@ -1140,6 +1140,8 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
		72	break;
		73	case SDHC_BLKSIZE:
		74	if (!TRANSFERRING_DATA(s->prnsts)) {
		75	+ uint16_t blksize = s->blksize;
		76	+
		77	MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
		78	MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
		79
		80	@@ -1151,6 +1153,16 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
		81
		82	s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
		83	}
		84	+
		85	+ /*
		86	+ * If the block size is programmed to a different value from
		87	+ * the previous one, reset the data pointer of s->fifo_buffer[]
		88	+ * so that s->fifo_buffer[] can be filled in using the new block
		89	+ * size in the next transfer.
		90	+ */
		91	+ if (blksize != s->blksize) {
		92	+ s->data_count = 0;
		93	+ }
		94	}
		95
		96	break;
		97	--
		98	2.29.2
		99