diff options
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 41 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-25085.patch | 46 |
2 files changed, 67 insertions, 20 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index e25c2524aa..a33008670b 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc | |||
@@ -35,27 +35,28 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ | |||
35 | file://CVE-2020-7039-2.patch \ | 35 | file://CVE-2020-7039-2.patch \ |
36 | file://CVE-2020-7039-3.patch \ | 36 | file://CVE-2020-7039-3.patch \ |
37 | file://0001-Add-enable-disable-udev.patch \ | 37 | file://0001-Add-enable-disable-udev.patch \ |
38 | file://CVE-2020-7211.patch \ | 38 | file://CVE-2020-7211.patch \ |
39 | file://0001-qemu-Do-not-include-file-if-not-exists.patch \ | 39 | file://0001-qemu-Do-not-include-file-if-not-exists.patch \ |
40 | file://CVE-2020-11102.patch \ | 40 | file://CVE-2020-11102.patch \ |
41 | file://CVE-2020-11869.patch \ | 41 | file://CVE-2020-11869.patch \ |
42 | file://CVE-2020-13361.patch \ | 42 | file://CVE-2020-13361.patch \ |
43 | file://CVE-2020-10761.patch \ | 43 | file://CVE-2020-10761.patch \ |
44 | file://CVE-2020-10702.patch \ | 44 | file://CVE-2020-10702.patch \ |
45 | file://CVE-2020-13659.patch \ | 45 | file://CVE-2020-13659.patch \ |
46 | file://CVE-2020-13800.patch \ | 46 | file://CVE-2020-13800.patch \ |
47 | file://CVE-2020-13362.patch \ | 47 | file://CVE-2020-13362.patch \ |
48 | file://CVE-2020-15863.patch \ | 48 | file://CVE-2020-15863.patch \ |
49 | file://CVE-2020-14364.patch \ | 49 | file://CVE-2020-14364.patch \ |
50 | file://CVE-2020-14415.patch \ | 50 | file://CVE-2020-14415.patch \ |
51 | file://CVE-2020-16092.patch \ | 51 | file://CVE-2020-16092.patch \ |
52 | file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \ | 52 | file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \ |
53 | file://CVE-2019-20175.patch \ | 53 | file://CVE-2019-20175.patch \ |
54 | file://CVE-2020-24352.patch \ | 54 | file://CVE-2020-24352.patch \ |
55 | file://CVE-2020-25723.patch \ | 55 | file://CVE-2020-25723.patch \ |
56 | file://CVE-2021-20203.patch \ | 56 | file://CVE-2021-20203.patch \ |
57 | file://CVE-2021-3392.patch \ | 57 | file://CVE-2021-3392.patch \ |
58 | " | 58 | file://CVE-2020-25085.patch \ |
59 | " | ||
59 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" | 60 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" |
60 | 61 | ||
61 | SRC_URI[md5sum] = "278eeb294e4b497e79af7a57e660cb9a" | 62 | SRC_URI[md5sum] = "278eeb294e4b497e79af7a57e660cb9a" |
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25085.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25085.patch new file mode 100644 index 0000000000..be19256cef --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25085.patch | |||
@@ -0,0 +1,46 @@ | |||
1 | From dfba99f17feb6d4a129da19d38df1bcd8579d1c3 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org> | ||
3 | Date: Tue, 1 Sep 2020 15:22:06 +0200 | ||
4 | Subject: [PATCH] hw/sd/sdhci: Fix DMA Transfer Block Size field | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | The 'Transfer Block Size' field is 12-bit wide. | ||
10 | |||
11 | See section '2.2.2. Block Size Register (Offset 004h)' in datasheet. | ||
12 | |||
13 | Two different bug reproducer available: | ||
14 | - https://bugs.launchpad.net/qemu/+bug/1892960 | ||
15 | - https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fsdhci_oob_write1 | ||
16 | |||
17 | Cc: qemu-stable@nongnu.org | ||
18 | Buglink: https://bugs.launchpad.net/qemu/+bug/1892960 | ||
19 | Fixes: d7dfca0807a ("hw/sdhci: introduce standard SD host controller") | ||
20 | Reported-by: Alexander Bulekov <alxndr@bu.edu> | ||
21 | Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
22 | Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
23 | Tested-by: Alexander Bulekov <alxndr@bu.edu> | ||
24 | Message-Id: <20200901140411.112150-3-f4bug@amsat.org> | ||
25 | |||
26 | Upstream-Status: Backport | ||
27 | CVE: CVE-2020-25085 | ||
28 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
29 | |||
30 | --- | ||
31 | hw/sd/sdhci.c | 2 +- | ||
32 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
33 | |||
34 | Index: qemu-4.2.0/hw/sd/sdhci.c | ||
35 | =================================================================== | ||
36 | --- qemu-4.2.0.orig/hw/sd/sdhci.c | ||
37 | +++ qemu-4.2.0/hw/sd/sdhci.c | ||
38 | @@ -1129,7 +1129,7 @@ sdhci_write(void *opaque, hwaddr offset, | ||
39 | break; | ||
40 | case SDHC_BLKSIZE: | ||
41 | if (!TRANSFERRING_DATA(s->prnsts)) { | ||
42 | - MASKED_WRITE(s->blksize, mask, value); | ||
43 | + MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12)); | ||
44 | MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16); | ||
45 | } | ||
46 | |||