2 files changed, 95 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 76f97eef35..b6941403ea 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -49,6 +49,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2020-14415.patch \
           file://CVE-2020-16092.patch \
           file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \
+           file://CVE-2019-20175.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-20175.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-20175.patch
new file mode 100644
index 0000000000..cbbb6d094c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-20175.patch
@@ -0,0 +1,94 @@
+From ed78352a59ea7acf7520d4d47a96b9911bae7fc3 Mon Sep 17 00:00:00 2001
+From: Alexander Popov <alex.popov@linux.com>
+Date: Mon, 23 Dec 2019 20:51:16 +0300
+Subject: [PATCH] ide: Fix incorrect handling of some PRDTs in ide_dma_cb()
+The commit a718978ed58a from July 2015 introduced the assertion which
+implies that the size of successful DMA transfers handled in ide_dma_cb()
+should be multiple of 512 (the size of a sector). But guest systems can
+initiate DMA transfers that don't fit this requirement.
+For fixing that let's check the number of bytes prepared for the transfer
+by the prepare_buf() handler. The code in ide_dma_cb() must behave
+according to the Programming Interface for Bus Master IDE Controller
+(Revision 1.0 5/16/94):
+1. If PRDs specified a smaller size than the IDE transfer
+   size, then the Interrupt and Active bits in the Controller
+   status register are not set (Error Condition).
+2. If the size of the physical memory regions was equal to
+   the IDE device transfer size, the Interrupt bit in the
+   Controller status register is set to 1, Active bit is set to 0.
+3. If PRDs specified a larger size than the IDE transfer size,
+   the Interrupt and Active bits in the Controller status register
+   are both set to 1.
+Signed-off-by: Alexander Popov <alex.popov@linux.com>
+Reviewed-by: Kevin Wolf <kwolf@redhat.com>
+Message-id: 20191223175117.508990-2-alex.popov@linux.com
+Signed-off-by: John Snow <jsnow@redhat.com>
+Upstream-Status: Backport
+CVE: CVE-2019-20175
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ hw/ide/core.c | 30 ++++++++++++++++++++++--------
+ 1 file changed, 22 insertions(+), 8 deletions(-)
+diff --git a/hw/ide/core.c b/hw/ide/core.c
+index 754ff4dc343..80000eb7661 100644
+--- a/hw/ide/core.c
+++ b/hw/ide/core.c
+@@ -849,6 +849,7 @@ static void ide_dma_cb(void *opaque, int ret)
+     int64_t sector_num;
+     uint64_t offset;
+     bool stay_active = false;
+    int32_t prep_size = 0;
+ 
+     if (ret == -EINVAL) {
+         ide_dma_error(s);
+@@ -863,13 +864,15 @@ static void ide_dma_cb(void *opaque, int ret)
+         }
+     }
+ 
+-    n = s->io_buffer_size >> 9;
+-    if (n > s->nsector) {
+-        /* The PRDs were longer than needed for this request. Shorten them so
+-         * we don't get a negative remainder. The Active bit must remain set
+-         * after the request completes. */
+    if (s->io_buffer_size > s->nsector * 512) {
+        /*
+         * The PRDs were longer than needed for this request.
+         * The Active bit must remain set after the request completes.
+         */
+         n = s->nsector;
+         stay_active = true;
+    } else {
+        n = s->io_buffer_size >> 9;
+     }
+ 
+     sector_num = ide_get_sector(s);
+@@ -892,9 +895,20 @@ static void ide_dma_cb(void *opaque, int ret)
+     n = s->nsector;
+     s->io_buffer_index = 0;
+     s->io_buffer_size = n * 512;
+-    if (s->bus->dma->ops->prepare_buf(s->bus->dma, s->io_buffer_size) < 512) {
+-        /* The PRDs were too short. Reset the Active bit, but don't raise an
+-         * interrupt. */
+    prep_size = s->bus->dma->ops->prepare_buf(s->bus->dma, s->io_buffer_size);
+    /* prepare_buf() must succeed and respect the limit */
+    assert(prep_size >= 0 && prep_size <= n * 512);
+
+    /*
+     * Now prep_size stores the number of bytes in the sglist, and
+     * s->io_buffer_size stores the number of bytes described by the PRDs.
+     */
+
+    if (prep_size < n * 512) {
+        /*
+         * The PRDs are too short for this request. Error condition!
+         * Reset the Active bit and don't raise the interrupt.
+         */
+         s->status = READY_STAT | SEEK_STAT;
+         dma_buf_commit(s, 0);
+         goto eot;

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 76f97eef35..b6941403ea 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -49,6 +49,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
49	file://CVE-2020-14415.patch \	49	file://CVE-2020-14415.patch \
50	file://CVE-2020-16092.patch \	50	file://CVE-2020-16092.patch \
51	file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \	51	file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \
		52	file://CVE-2019-20175.patch \
52	"	53	"
53	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	54	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
54		55


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-20175.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-20175.patch new file mode 100644 index 0000000000..cbbb6d094c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-20175.patch
@@ -0,0 +1,94 @@
		1	From ed78352a59ea7acf7520d4d47a96b9911bae7fc3 Mon Sep 17 00:00:00 2001
		2	From: Alexander Popov <alex.popov@linux.com>
		3	Date: Mon, 23 Dec 2019 20:51:16 +0300
		4	Subject: [PATCH] ide: Fix incorrect handling of some PRDTs in ide_dma_cb()
		5
		6	The commit a718978ed58a from July 2015 introduced the assertion which
		7	implies that the size of successful DMA transfers handled in ide_dma_cb()
		8	should be multiple of 512 (the size of a sector). But guest systems can
		9	initiate DMA transfers that don't fit this requirement.
		10
		11	For fixing that let's check the number of bytes prepared for the transfer
		12	by the prepare_buf() handler. The code in ide_dma_cb() must behave
		13	according to the Programming Interface for Bus Master IDE Controller
		14	(Revision 1.0 5/16/94):
		15	1. If PRDs specified a smaller size than the IDE transfer
		16	size, then the Interrupt and Active bits in the Controller
		17	status register are not set (Error Condition).
		18	2. If the size of the physical memory regions was equal to
		19	the IDE device transfer size, the Interrupt bit in the
		20	Controller status register is set to 1, Active bit is set to 0.
		21	3. If PRDs specified a larger size than the IDE transfer size,
		22	the Interrupt and Active bits in the Controller status register
		23	are both set to 1.
		24
		25	Signed-off-by: Alexander Popov <alex.popov@linux.com>
		26	Reviewed-by: Kevin Wolf <kwolf@redhat.com>
		27	Message-id: 20191223175117.508990-2-alex.popov@linux.com
		28	Signed-off-by: John Snow <jsnow@redhat.com>
		29
		30	Upstream-Status: Backport
		31	CVE: CVE-2019-20175
		32	Signed-off-by: Steve Sakoman <steve@sakoman.com>
		33
		34	---
		35	hw/ide/core.c \| 30 ++++++++++++++++++++++--------
		36	1 file changed, 22 insertions(+), 8 deletions(-)
		37
		38	diff --git a/hw/ide/core.c b/hw/ide/core.c
		39	index 754ff4dc343..80000eb7661 100644
		40	--- a/hw/ide/core.c
		41	+++ b/hw/ide/core.c
		42	@@ -849,6 +849,7 @@ static void ide_dma_cb(void *opaque, int ret)
		43	int64_t sector_num;
		44	uint64_t offset;
		45	bool stay_active = false;
		46	+ int32_t prep_size = 0;
		47
		48	if (ret == -EINVAL) {
		49	ide_dma_error(s);
		50	@@ -863,13 +864,15 @@ static void ide_dma_cb(void *opaque, int ret)
		51	}
		52	}
		53
		54	- n = s->io_buffer_size >> 9;
		55	- if (n > s->nsector) {
		56	- /* The PRDs were longer than needed for this request. Shorten them so
		57	- * we don't get a negative remainder. The Active bit must remain set
		58	- * after the request completes. */
		59	+ if (s->io_buffer_size > s->nsector * 512) {
		60	+ /*
		61	+ * The PRDs were longer than needed for this request.
		62	+ * The Active bit must remain set after the request completes.
		63	+ */
		64	n = s->nsector;
		65	stay_active = true;
		66	+ } else {
		67	+ n = s->io_buffer_size >> 9;
		68	}
		69
		70	sector_num = ide_get_sector(s);
		71	@@ -892,9 +895,20 @@ static void ide_dma_cb(void *opaque, int ret)
		72	n = s->nsector;
		73	s->io_buffer_index = 0;
		74	s->io_buffer_size = n * 512;
		75	- if (s->bus->dma->ops->prepare_buf(s->bus->dma, s->io_buffer_size) < 512) {
		76	- /* The PRDs were too short. Reset the Active bit, but don't raise an
		77	- * interrupt. */
		78	+ prep_size = s->bus->dma->ops->prepare_buf(s->bus->dma, s->io_buffer_size);
		79	+ /* prepare_buf() must succeed and respect the limit */
		80	+ assert(prep_size >= 0 && prep_size <= n * 512);
		81	+
		82	+ /*
		83	+ * Now prep_size stores the number of bytes in the sglist, and
		84	+ * s->io_buffer_size stores the number of bytes described by the PRDs.
		85	+ */
		86	+
		87	+ if (prep_size < n * 512) {
		88	+ /*
		89	+ * The PRDs are too short for this request. Error condition!
		90	+ * Reset the Active bit and don't raise the interrupt.
		91	+ */
		92	s->status = READY_STAT \| SEEK_STAT;
		93	dma_buf_commit(s, 0);
		94	goto eot;