qemu: fix CVE-2020-11869

(From OE-Core rev: 586061c469a3340ec3a60ff59dae2e9ee33c3398) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Lee Chee Yang <chee.yang.lee@intel.com> 2020-05-18 13:50:45 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-05-19 22:57:27 +0100
commit: 6cb7107d862a086eb209b2ac41249ea73e3d9c56 (patch)
tree: 7b5a6b303a7962c0c2d14f329d7b8d5d4d65fde6
parent: 81e481b0177d3280f46c204e107f20dfd3ebc0f6 (diff)
download: poky-6cb7107d862a086eb209b2ac41249ea73e3d9c56.tar.gz
2 files changed, 98 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 7a1ccf2115..126e7d442c 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -37,6 +37,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2020-7211.patch \
           file://0001-qemu-Do-not-include-file-if-not-exists.patch \
           file://CVE-2020-11102.patch \
+           file://CVE-2020-11869.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-11869.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-11869.patch
new file mode 100644
index 0000000000..ca7ffed934
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-11869.patch
@@ -0,0 +1,97 @@
+From ac2071c3791b67fc7af78b8ceb320c01ca1b5df7 Mon Sep 17 00:00:00 2001
+From: BALATON Zoltan <balaton@eik.bme.hu>
+Date: Mon, 6 Apr 2020 22:34:26 +0200
+Subject: [PATCH] ati-vga: Fix checks in ati_2d_blt() to avoid crash
+In some corner cases (that never happen during normal operation but a
+malicious guest could program wrong values) pixman functions were
+called with parameters that result in a crash. Fix this and add more
+checks to disallow such cases.
+Reported-by: Ziming Zhang <ezrakiez@gmail.com>
+Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
+Message-id: 20200406204029.19559747D5D@zero.eik.bme.hu
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=ac2071c3791b67fc7af78b8ceb320c01ca1b5df7]
+CVE: CVE-2020-11869
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ hw/display/ati_2d.c | 37 ++++++++++++++++++++++++++-----------
+ 1 file changed, 26 insertions(+), 11 deletions(-)
+diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
+index 42e8231..23a8ae0 100644
+--- a/hw/display/ati_2d.c
+++ b/hw/display/ati_2d.c
+@@ -53,12 +53,20 @@ void ati_2d_blt(ATIVGAState *s)
+             s->vga.vbe_start_addr, surface_data(ds), surface_stride(ds),
+             surface_bits_per_pixel(ds),
+             (s->regs.dp_mix & GMC_ROP3_MASK) >> 16);
+-    int dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
+-                 s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width);
+-    int dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
+-                 s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height);
+    unsigned dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
+                      s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width);
+    unsigned dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
+                      s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height);
+     int bpp = ati_bpp_from_datatype(s);
+    if (!bpp) {
+        qemu_log_mask(LOG_GUEST_ERROR, "Invalid bpp\n");
+        return;
+    }
+     int dst_stride = DEFAULT_CNTL ? s->regs.dst_pitch : s->regs.default_pitch;
+    if (!dst_stride) {
+        qemu_log_mask(LOG_GUEST_ERROR, "Zero dest pitch\n");
+        return;
+    }
+     uint8_t *dst_bits = s->vga.vram_ptr + (DEFAULT_CNTL ?
+                         s->regs.dst_offset : s->regs.default_offset);
+ 
+@@ -82,12 +90,16 @@ void ati_2d_blt(ATIVGAState *s)
+     switch (s->regs.dp_mix & GMC_ROP3_MASK) {
+     case ROP3_SRCCOPY:
+     {
+-        int src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
+-                     s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width);
+-        int src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
+-                     s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height);
+        unsigned src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
+                       s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width);
+        unsigned src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
+                       s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height);
+         int src_stride = DEFAULT_CNTL ?
+                          s->regs.src_pitch : s->regs.default_pitch;
+        if (!src_stride) {
+            qemu_log_mask(LOG_GUEST_ERROR, "Zero source pitch\n");
+            return;
+        }
+         uint8_t *src_bits = s->vga.vram_ptr + (DEFAULT_CNTL ?
+                             s->regs.src_offset : s->regs.default_offset);
+ 
+@@ -137,8 +149,10 @@ void ati_2d_blt(ATIVGAState *s)
+                                     dst_y * surface_stride(ds),
+                                     s->regs.dst_height * surface_stride(ds));
+         }
+-        s->regs.dst_x += s->regs.dst_width;
+-        s->regs.dst_y += s->regs.dst_height;
+        s->regs.dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
+                         dst_x + s->regs.dst_width : dst_x);
+        s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
+                         dst_y + s->regs.dst_height : dst_y);
+         break;
+     }
+     case ROP3_PATCOPY:
+@@ -179,7 +193,8 @@ void ati_2d_blt(ATIVGAState *s)
+                                     dst_y * surface_stride(ds),
+                                     s->regs.dst_height * surface_stride(ds));
+         }
+-        s->regs.dst_y += s->regs.dst_height;
+        s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
+                         dst_y + s->regs.dst_height : dst_y);
+         break;
+     }
+     default:
+-- 
+1.8.3.1
author	Lee Chee Yang <chee.yang.lee@intel.com>	2020-05-18 13:50:45 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-05-19 22:57:27 +0100
commit	6cb7107d862a086eb209b2ac41249ea73e3d9c56 (patch)
tree	7b5a6b303a7962c0c2d14f329d7b8d5d4d65fde6
parent	81e481b0177d3280f46c204e107f20dfd3ebc0f6 (diff)
download	poky-6cb7107d862a086eb209b2ac41249ea73e3d9c56.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 7a1ccf2115..126e7d442c 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -37,6 +37,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
37	file://CVE-2020-7211.patch \	37	file://CVE-2020-7211.patch \
38	file://0001-qemu-Do-not-include-file-if-not-exists.patch \	38	file://0001-qemu-Do-not-include-file-if-not-exists.patch \
39	file://CVE-2020-11102.patch \	39	file://CVE-2020-11102.patch \
		40	file://CVE-2020-11869.patch \
40	"	41	"
41	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	42	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
42		43


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-11869.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-11869.patch new file mode 100644 index 0000000000..ca7ffed934 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-11869.patch
@@ -0,0 +1,97 @@
		1	From ac2071c3791b67fc7af78b8ceb320c01ca1b5df7 Mon Sep 17 00:00:00 2001
		2	From: BALATON Zoltan <balaton@eik.bme.hu>
		3	Date: Mon, 6 Apr 2020 22:34:26 +0200
		4	Subject: [PATCH] ati-vga: Fix checks in ati_2d_blt() to avoid crash
		5
		6	In some corner cases (that never happen during normal operation but a
		7	malicious guest could program wrong values) pixman functions were
		8	called with parameters that result in a crash. Fix this and add more
		9	checks to disallow such cases.
		10
		11	Reported-by: Ziming Zhang <ezrakiez@gmail.com>
		12	Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
		13	Message-id: 20200406204029.19559747D5D@zero.eik.bme.hu
		14	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
		15
		16	Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=ac2071c3791b67fc7af78b8ceb320c01ca1b5df7]
		17	CVE: CVE-2020-11869
		18	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		19	---
		20	hw/display/ati_2d.c \| 37 ++++++++++++++++++++++++++-----------
		21	1 file changed, 26 insertions(+), 11 deletions(-)
		22
		23	diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
		24	index 42e8231..23a8ae0 100644
		25	--- a/hw/display/ati_2d.c
		26	+++ b/hw/display/ati_2d.c
		27	@@ -53,12 +53,20 @@ void ati_2d_blt(ATIVGAState *s)
		28	s->vga.vbe_start_addr, surface_data(ds), surface_stride(ds),
		29	surface_bits_per_pixel(ds),
		30	(s->regs.dp_mix & GMC_ROP3_MASK) >> 16);
		31	- int dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
		32	- s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width);
		33	- int dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
		34	- s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height);
		35	+ unsigned dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
		36	+ s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width);
		37	+ unsigned dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
		38	+ s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height);
		39	int bpp = ati_bpp_from_datatype(s);
		40	+ if (!bpp) {
		41	+ qemu_log_mask(LOG_GUEST_ERROR, "Invalid bpp\n");
		42	+ return;
		43	+ }
		44	int dst_stride = DEFAULT_CNTL ? s->regs.dst_pitch : s->regs.default_pitch;
		45	+ if (!dst_stride) {
		46	+ qemu_log_mask(LOG_GUEST_ERROR, "Zero dest pitch\n");
		47	+ return;
		48	+ }
		49	uint8_t *dst_bits = s->vga.vram_ptr + (DEFAULT_CNTL ?
		50	s->regs.dst_offset : s->regs.default_offset);
		51
		52	@@ -82,12 +90,16 @@ void ati_2d_blt(ATIVGAState *s)
		53	switch (s->regs.dp_mix & GMC_ROP3_MASK) {
		54	case ROP3_SRCCOPY:
		55	{
		56	- int src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
		57	- s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width);
		58	- int src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
		59	- s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height);
		60	+ unsigned src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
		61	+ s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width);
		62	+ unsigned src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
		63	+ s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height);
		64	int src_stride = DEFAULT_CNTL ?
		65	s->regs.src_pitch : s->regs.default_pitch;
		66	+ if (!src_stride) {
		67	+ qemu_log_mask(LOG_GUEST_ERROR, "Zero source pitch\n");
		68	+ return;
		69	+ }
		70	uint8_t *src_bits = s->vga.vram_ptr + (DEFAULT_CNTL ?
		71	s->regs.src_offset : s->regs.default_offset);
		72
		73	@@ -137,8 +149,10 @@ void ati_2d_blt(ATIVGAState *s)
		74	dst_y * surface_stride(ds),
		75	s->regs.dst_height * surface_stride(ds));
		76	}
		77	- s->regs.dst_x += s->regs.dst_width;
		78	- s->regs.dst_y += s->regs.dst_height;
		79	+ s->regs.dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
		80	+ dst_x + s->regs.dst_width : dst_x);
		81	+ s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
		82	+ dst_y + s->regs.dst_height : dst_y);
		83	break;
		84	}
		85	case ROP3_PATCOPY:
		86	@@ -179,7 +193,8 @@ void ati_2d_blt(ATIVGAState *s)
		87	dst_y * surface_stride(ds),
		88	s->regs.dst_height * surface_stride(ds));
		89	}
		90	- s->regs.dst_y += s->regs.dst_height;
		91	+ s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
		92	+ dst_y + s->regs.dst_height : dst_y);
		93	break;
		94	}
		95	default:
		96	--
		97	1.8.3.1