From c00a882bd66158f1dbce59bc45340ef81d3af2ed Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Fri, 20 Aug 2021 16:55:15 -0700 Subject: Qemu: Security fix for CVE-2020-25625/2021-3409/2020-17380 Source: Qemu.org MR: 105781, 109964, 108621 Type: Security Fix Disposition: Backport from https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg05905.html ChangeID: 0acf082885e7ab3ac2fb41d6e503449869dd46a8 Description: This address: CVE-2020-25625 and its two fixes address an incomplete fix for CVE-2020-25625 CVE-2021-3409 CVE-2020-17380 (From OE-Core rev: 721a14f13005dc0b5bddaac131c444b97be700a8) Signed-off-by: Armin Kuster Signed-off-by: Steve Sakoman Signed-off-by: Richard Purdie --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2020-25625.patch | 42 ++++++++++++++++++++++ 2 files changed, 43 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-25625.patch (limited to 'meta') diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 6978be951e..76bfb4fcf9 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -58,6 +58,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2020-25085.patch \ file://CVE-2020-25624_1.patch \ file://CVE-2020-25624_2.patch \ + file://CVE-2020-25625.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25625.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25625.patch new file mode 100644 index 0000000000..374d7c4562 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25625.patch @@ -0,0 +1,42 @@ +From 1be90ebecc95b09a2ee5af3f60c412b45a766c4f Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Tue, 15 Sep 2020 23:52:59 +0530 +Subject: [PATCH] hw: usb: hcd-ohci: check for processed TD before retire + +While servicing OHCI transfer descriptors(TD), ohci_service_iso_td +retires a TD if it has passed its time frame. It does not check if +the TD was already processed once and holds an error code in TD_CC. +It may happen if the TD list has a loop. Add check to avoid an +infinite loop condition. + +Signed-off-by: Prasad J Pandit +Reviewed-by: Li Qiang +Message-id: 20200915182259.68522-3-ppandit@redhat.com +Signed-off-by: Gerd Hoffmann + +Upstream-Status: Backport +CVE: CVE-2020-25625 +Signed-off-by: Armin Kuster + +--- + hw/usb/hcd-ohci.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c +index 9dc59101f9..8b912e95d3 100644 +--- a/hw/usb/hcd-ohci.c ++++ b/hw/usb/hcd-ohci.c +@@ -691,6 +691,10 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed, + the next ISO TD of the same ED */ + trace_usb_ohci_iso_td_relative_frame_number_big(relative_frame_number, + frame_count); ++ if (OHCI_CC_DATAOVERRUN == OHCI_BM(iso_td.flags, TD_CC)) { ++ /* avoid infinite loop */ ++ return 1; ++ } + OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_DATAOVERRUN); + ed->head &= ~OHCI_DPTR_MASK; + ed->head |= (iso_td.next & OHCI_DPTR_MASK); +-- +2.25.1 + -- cgit v1.2.3-54-g00ecf