qemu: fix CVE-2021-3507 fdc heap buffer overflow in DMA read data transfers

(From OE-Core rev: 39a9f2056d4794dc75390b9a4a903c1745545095) Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Vivek Kumbhar <vkumbhar@mvista.com> 2022-12-26 19:20:40 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-01-06 17:33:15 +0000
commit: d3a522d857120a2ccefe5b49c174fc98b6ec78fb (patch)
tree: 6d90e94b02130487057fab987902ad00a7706b82
parent: f5b71296f70c30d6367557cd461b32d216240fde (diff)
download: poky-d3a522d857120a2ccefe5b49c174fc98b6ec78fb.tar.gz
2 files changed, 88 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index a915b54c1a..fff2c87780 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -114,6 +114,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2021-3750.patch \
           file://CVE-2021-3638.patch \
           file://CVE-2021-20196.patch \
+           file://CVE-2021-3507.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch
new file mode 100644
index 0000000000..4ff3413f8e
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch
@@ -0,0 +1,87 @@
+From defac5e2fbddf8423a354ff0454283a2115e1367 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 18 Nov 2021 12:57:32 +0100
+Subject: [PATCH] hw/block/fdc: Prevent end-of-track overrun (CVE-2021-3507)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Per the 82078 datasheet, if the end-of-track (EOT byte in
+the FIFO) is more than the number of sectors per side, the
+command is terminated unsuccessfully:
+* 5.2.5 DATA TRANSFER TERMINATION
+  The 82078 supports terminal count explicitly through
+  the TC pin and implicitly through the underrun/over-
+  run and end-of-track (EOT) functions. For full sector
+  transfers, the EOT parameter can define the last
+  sector to be transferred in a single or multisector
+  transfer. If the last sector to be transferred is a par-
+  tial sector, the host can stop transferring the data in
+  mid-sector, and the 82078 will continue to complete
+  the sector as if a hardware TC was received. The
+  only difference between these implicit functions and
+  TC is that they return "abnormal termination" result
+  status. Such status indications can be ignored if they
+  were expected.
+* 6.1.3 READ TRACK
+  This command terminates when the EOT specified
+  number of sectors have been read. If the 82078
+  does not find an I D Address Mark on the diskette
+  after the second· occurrence of a pulse on the
+  INDX# pin, then it sets the IC code in Status Regis-
+  ter 0 to "01" (Abnormal termination), sets the MA bit
+  in Status Register 1 to "1", and terminates the com-
+  mand.
+* 6.1.6 VERIFY
+  Refer to Table 6-6 and Table 6-7 for information
+  concerning the values of MT and EC versus SC and
+  EOT value.
+* Table 6·6. Result Phase Table
+* Table 6-7. Verify Command Result Phase Table
+Fix by aborting the transfer when EOT > # Sectors Per Side.
+Cc: qemu-stable@nongnu.org
+Cc: Hervé Poussineau <hpoussin@reactos.org>
+Fixes: baca51faff0 ("floppy driver: disk geometry auto detect")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/339
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20211118115733.4038610-2-philmd@redhat.com>
+Reviewed-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/defac5e2fbddf8423a354ff0454283a2115e1367]
+CVE: CVE-2021-3507
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ hw/block/fdc.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index 347875a0cdae..57bb355794a9 100644
+--- a/hw/block/fdc.c
+++ b/hw/block/fdc.c
+@@ -1530,6 +1530,14 @@ static void fdctrl_start_transfer(FDCtrl *fdctrl, int direction)
+         int tmp;
+         fdctrl->data_len = 128 << (fdctrl->fifo[5] > 7 ? 7 : fdctrl->fifo[5]);
+         tmp = (fdctrl->fifo[6] - ks + 1);
+        if (tmp < 0) {
+            FLOPPY_DPRINTF("invalid EOT: %d\n", tmp);
+            fdctrl_stop_transfer(fdctrl, FD_SR0_ABNTERM, FD_SR1_MA, 0x00);
+            fdctrl->fifo[3] = kt;
+            fdctrl->fifo[4] = kh;
+            fdctrl->fifo[5] = ks;
+            return;
+        }
+         if (fdctrl->fifo[0] & 0x80)
+             tmp += fdctrl->fifo[6];
+         fdctrl->data_len *= tmp;
author	Vivek Kumbhar <vkumbhar@mvista.com>	2022-12-26 19:20:40 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-01-06 17:33:15 +0000
commit	d3a522d857120a2ccefe5b49c174fc98b6ec78fb (patch)
tree	6d90e94b02130487057fab987902ad00a7706b82
parent	f5b71296f70c30d6367557cd461b32d216240fde (diff)
download	poky-d3a522d857120a2ccefe5b49c174fc98b6ec78fb.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index a915b54c1a..fff2c87780 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -114,6 +114,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
114	file://CVE-2021-3750.patch \	114	file://CVE-2021-3750.patch \
115	file://CVE-2021-3638.patch \	115	file://CVE-2021-3638.patch \
116	file://CVE-2021-20196.patch \	116	file://CVE-2021-20196.patch \
		117	file://CVE-2021-3507.patch \
117	"	118	"
118	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	119	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
119		120


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch new file mode 100644 index 0000000000..4ff3413f8e --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch
@@ -0,0 +1,87 @@
		1	From defac5e2fbddf8423a354ff0454283a2115e1367 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
		3	Date: Thu, 18 Nov 2021 12:57:32 +0100
		4	Subject: [PATCH] hw/block/fdc: Prevent end-of-track overrun (CVE-2021-3507)
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	Per the 82078 datasheet, if the end-of-track (EOT byte in
		10	the FIFO) is more than the number of sectors per side, the
		11	command is terminated unsuccessfully:
		12
		13	* 5.2.5 DATA TRANSFER TERMINATION
		14
		15	The 82078 supports terminal count explicitly through
		16	the TC pin and implicitly through the underrun/over-
		17	run and end-of-track (EOT) functions. For full sector
		18	transfers, the EOT parameter can define the last
		19	sector to be transferred in a single or multisector
		20	transfer. If the last sector to be transferred is a par-
		21	tial sector, the host can stop transferring the data in
		22	mid-sector, and the 82078 will continue to complete
		23	the sector as if a hardware TC was received. The
		24	only difference between these implicit functions and
		25	TC is that they return "abnormal termination" result
		26	status. Such status indications can be ignored if they
		27	were expected.
		28
		29	* 6.1.3 READ TRACK
		30
		31	This command terminates when the EOT specified
		32	number of sectors have been read. If the 82078
		33	does not find an I D Address Mark on the diskette
		34	after the second· occurrence of a pulse on the
		35	INDX# pin, then it sets the IC code in Status Regis-
		36	ter 0 to "01" (Abnormal termination), sets the MA bit
		37	in Status Register 1 to "1", and terminates the com-
		38	mand.
		39
		40	* 6.1.6 VERIFY
		41
		42	Refer to Table 6-6 and Table 6-7 for information
		43	concerning the values of MT and EC versus SC and
		44	EOT value.
		45
		46	* Table 6·6. Result Phase Table
		47
		48	* Table 6-7. Verify Command Result Phase Table
		49
		50	Fix by aborting the transfer when EOT > # Sectors Per Side.
		51
		52	Cc: qemu-stable@nongnu.org
		53	Cc: Hervé Poussineau <hpoussin@reactos.org>
		54	Fixes: baca51faff0 ("floppy driver: disk geometry auto detect")
		55	Reported-by: Alexander Bulekov <alxndr@bu.edu>
		56	Resolves: https://gitlab.com/qemu-project/qemu/-/issues/339
		57	Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
		58	Message-Id: <20211118115733.4038610-2-philmd@redhat.com>
		59	Reviewed-by: Hanna Reitz <hreitz@redhat.com>
		60	Signed-off-by: Kevin Wolf <kwolf@redhat.com>
		61
		62	Upstream-Status: Backport [https://github.com/qemu/qemu/commit/defac5e2fbddf8423a354ff0454283a2115e1367]
		63	CVE: CVE-2021-3507
		64	Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
		65	---
		66	hw/block/fdc.c \| 8 ++++++++
		67	1 file changed, 8 insertions(+)
		68
		69	diff --git a/hw/block/fdc.c b/hw/block/fdc.c
		70	index 347875a0cdae..57bb355794a9 100644
		71	--- a/hw/block/fdc.c
		72	+++ b/hw/block/fdc.c
		73	@@ -1530,6 +1530,14 @@ static void fdctrl_start_transfer(FDCtrl *fdctrl, int direction)
		74	int tmp;
		75	fdctrl->data_len = 128 << (fdctrl->fifo[5] > 7 ? 7 : fdctrl->fifo[5]);
		76	tmp = (fdctrl->fifo[6] - ks + 1);
		77	+ if (tmp < 0) {
		78	+ FLOPPY_DPRINTF("invalid EOT: %d\n", tmp);
		79	+ fdctrl_stop_transfer(fdctrl, FD_SR0_ABNTERM, FD_SR1_MA, 0x00);
		80	+ fdctrl->fifo[3] = kt;
		81	+ fdctrl->fifo[4] = kh;
		82	+ fdctrl->fifo[5] = ks;
		83	+ return;
		84	+ }
		85	if (fdctrl->fifo[0] & 0x80)
		86	tmp += fdctrl->fifo[6];
		87	fdctrl->data_len *= tmp;