Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 2 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-25624_1.patch | 87 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-25624_2.patch | 101 |
3 files changed, 190 insertions, 0 deletions
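--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -56,6 +56,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://CVE-2021-20203.patch \
 file://CVE-2021-3392.patch \
 file://CVE-2020-25085.patch \
+file://CVE-2020-25624_1.patch \
+file://CVE-2020-25624_2.patch \
 "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 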
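--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624_1.patch
@@ -0,0 +1,87 @@
+From fbec359e9279ce78908b9f2af2c264e7448336af Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Mon, 17 Feb 2020 12:48:10 -0800
+Subject: [PATCH] hw: usb: hcd-ohci: Move OHCISysBusState and TYPE_SYSBUS_OHCI
+to include file
+
+We need to be able to use OHCISysBusState outside hcd-ohci.c, so move it
+to its include file.
+
+Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Message-id: 20200217204812.9857-2-linux@roeck-us.net
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Upstream-Status: Backport
+CVE: CVE-2020-25624 patch #1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/usb/hcd-ohci.c | 15 ---------------
+hw/usb/hcd-ohci.h | 16 ++++++++++++++++
+2 files changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 8a94bd004a..1e6e85e86a 100644
+--- a/hw/usb/hcd-ohci.c
++++ b/hw/usb/hcd-ohci.c
+@@ -1870,21 +1870,6 @@ void ohci_sysbus_die(struct OHCIState *ohci)
+ohci_bus_stop(ohci);
+}
+
+-#define TYPE_SYSBUS_OHCI "sysbus-ohci"
+-#define SYSBUS_OHCI(obj) OBJECT_CHECK(OHCISysBusState, (obj), TYPE_SYSBUS_OHCI)
+-
+-typedef struct {
+- /*< private >*/
+- SysBusDevice parent_obj;
+- /*< public >*/
+-
+- OHCIState ohci;
+- char *masterbus;
+- uint32_t num_ports;
+- uint32_t firstport;
+- dma_addr_t dma_offset;
+-} OHCISysBusState;
+-
+static void ohci_realize_pxa(DeviceState *dev, Error **errp)
+{
+OHCISysBusState *s = SYSBUS_OHCI(dev);
+diff --git a/hw/usb/hcd-ohci.h b/hw/usb/hcd-ohci.h
+index 16e3f1e13a..5c8819aedf 100644
+--- a/hw/usb/hcd-ohci.h
++++ b/hw/usb/hcd-ohci.h
+@@ -22,6 +22,7 @@
+#define HCD_OHCI_H
+
+#include "sysemu/dma.h"
++#include "hw/usb.h"
+
+/* Number of Downstream Ports on the root hub: */
+#define OHCI_MAX_PORTS 15
+@@ -90,6 +91,21 @@ typedef struct OHCIState {
+void (*ohci_die)(struct OHCIState *ohci);
+} OHCIState;
+
++#define TYPE_SYSBUS_OHCI "sysbus-ohci"
++#define SYSBUS_OHCI(obj) OBJECT_CHECK(OHCISysBusState, (obj), TYPE_SYSBUS_OHCI)
++
++typedef struct {
++ /*< private >*/
++ SysBusDevice parent_obj;
++ /*< public >*/
++
++ OHCIState ohci;
++ char *masterbus;
++ uint32_t num_ports;
++ uint32_t firstport;
++ dma_addr_t dma_offset;
++} OHCISysBusState;
++
+extern const VMStateDescription vmstate_ohci_state;
+
+void usb_ohci_init(OHCIState *ohci, DeviceState *dev, uint32_t num_ports,
+--
+2.25.1
+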
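Review bot: The backport header does not say why this patch is needed for the CVE. It only moves `TYPE_SYSBUS_OHCI`, `SYSBUS_OHCI()` and `OHCISysBusState` from hcd-ohci.c into hcd-ohci.h and adds `#include "hw/usb.h"`, and none of the hunks of CVE-2020-25624_2.patch shown on this page use those names. If it is carried only so the second patch applies cleanly, state that next to the `CVE:` line, for example `Note: prerequisite code move, no functional change; the bounds checks are in CVE-2020-25624_2.patch`. If the second patch applies without it, dropping it would keep the security backport minimal and easier to audit.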
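--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624_2.patch
@@ -0,0 +1,101 @@
+From 1328fe0c32d5474604105b8105310e944976b058 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 15 Sep 2020 23:52:58 +0530
+Subject: [PATCH] hw: usb: hcd-ohci: check len and frame_number variables
+
+While servicing the OHCI transfer descriptors(TD), OHCI host
+controller derives variables 'start_addr', 'end_addr', 'len'
+etc. from values supplied by the host controller driver.
+Host controller driver may supply values such that using
+above variables leads to out-of-bounds access issues.
+Add checks to avoid them.
+
+AddressSanitizer: stack-buffer-overflow on address 0x7ffd53af76a0
+READ of size 2 at 0x7ffd53af76a0 thread T0
+#0 ohci_service_iso_td ../hw/usb/hcd-ohci.c:734
+#1 ohci_service_ed_list ../hw/usb/hcd-ohci.c:1180
+#2 ohci_process_lists ../hw/usb/hcd-ohci.c:1214
+#3 ohci_frame_boundary ../hw/usb/hcd-ohci.c:1257
+#4 timerlist_run_timers ../util/qemu-timer.c:572
+#5 qemu_clock_run_timers ../util/qemu-timer.c:586
+#6 qemu_clock_run_all_timers ../util/qemu-timer.c:672
+#7 main_loop_wait ../util/main-loop.c:527
+#8 qemu_main_loop ../softmmu/vl.c:1676
+#9 main ../softmmu/main.c:50
+
+Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Reported-by: Yongkang Jia <j_kangel@163.com>
+Reported-by: Yi Ren <yunye.ry@alibaba-inc.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20200915182259.68522-2-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-25624 patch #2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/usb/hcd-ohci.c | 24 ++++++++++++++++++++++--
+1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 1e6e85e86a..9dc59101f9 100644
+--- a/hw/usb/hcd-ohci.c
++++ b/hw/usb/hcd-ohci.c
+@@ -731,7 +731,11 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+}
+
+start_offset = iso_td.offset[relative_frame_number];
+- next_offset = iso_td.offset[relative_frame_number + 1];
++ if (relative_frame_number < frame_count) {
++ next_offset = iso_td.offset[relative_frame_number + 1];
++ } else {
++ next_offset = iso_td.be;
++ }
+
+if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) ||
+((relative_frame_number < frame_count) &&
+@@ -764,7 +768,12 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+}
+} else {
+/* Last packet in the ISO TD */
+- end_addr = iso_td.be;
++ end_addr = next_offset;
++ }
++
++ if (start_addr > end_addr) {
++ trace_usb_ohci_iso_td_bad_cc_overrun(start_addr, end_addr);
++ return 1;
+}
+
+if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) {
+@@ -773,6 +782,9 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+} else {
+len = end_addr - start_addr + 1;
+}
++ if (len > sizeof(ohci->usb_buf)) {
++ len = sizeof(ohci->usb_buf);
++ }
+
+if (len && dir != OHCI_TD_DIR_IN) {
+if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len,
+@@ -975,8 +987,16 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
+if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) {
+len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff);
+} else {
++ if (td.cbp > td.be) {
++ trace_usb_ohci_iso_td_bad_cc_overrun(td.cbp, td.be);
++ ohci_die(ohci);
++ return 1;
++ }
+len = (td.be - td.cbp) + 1;
+}
++ if (len > sizeof(ohci->usb_buf)) {
++ len = sizeof(ohci->usb_buf);
++ }
+
+pktlen = len;
+if (len && dir != OHCI_TD_DIR_IN) {
+--
+2.25.1
+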
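Review bot: The two `if (len > sizeof(ohci->usb_buf))` clamps, in ohci_service_iso_td and in ohci_service_td, truncate a length derived from guest-supplied descriptor fields without emitting any trace, while the reversed-address checks added next to them do trace. A malformed TD that only trips the clamp therefore leaves nothing in the trace log. At minimum each clamp deserves a comment such as `/* len comes from guest TD fields; bound it to usb_buf before the copy below */`. In ohci_service_td the `td.cbp > td.be` check reuses `trace_usb_ohci_iso_td_bad_cc_overrun`, so a general-TD fault shows up under an isochronous-TD event name, and it calls `ohci_die()` where the isochronous path only returns 1; a one-line comment on why the two paths differ would help triage. Both function bodies extend outside the hunks shown, and because this is an upstream backport any code change belongs upstream first.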