qemu: fix CVE-2021-3713

(From OE-Core rev: 7879ba4406eb9633079275c57abeee9e738b1c99) Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Sakib Sajal <sakib.sajal@windriver.com> 2022-02-02 10:47:17 -0500
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-02-10 13:25:48 +0000
commit: 1bcca21e332418802fffa6d88fb108c24d2ef2b1 (patch)
tree: ff70d16ccc9d84b9937a1dee43937d82c13920b2
parent: 7695d11dd09b1e9e87d6741135d0b28e82672f0a (diff)
download: poky-1bcca21e332418802fffa6d88fb108c24d2ef2b1.tar.gz
2 files changed, 69 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 463339e42b..3aad41088a 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -70,6 +70,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2021-3607.patch \
           file://CVE-2021-3608.patch \
           file://CVE-2021-3682.patch \
+           file://CVE-2021-3713.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
new file mode 100644
index 0000000000..33fca66d3d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
@@ -0,0 +1,68 @@
+From 9a8f71ec660e67c51cc5905dd9d2a12ff78ce743 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 18 Aug 2021 14:05:05 +0200
+Subject: [PATCH 08/12] uas: add stream number sanity checks.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+The device uses the guest-supplied stream number unchecked, which can
+lead to guest-triggered out-of-band access to the UASDevice->data3 and
+UASDevice->status3 fields.  Add the missing checks.
+Fixes: CVE-2021-3713
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reported-by: Chen Zhe <chenzhe@huawei.com>
+Reported-by: Tan Jingguo <tanjingguo@huawei.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210818120505.1258262-2-kraxel@redhat.com>
+(cherry picked from commit 13b250b12ad3c59114a6a17d59caf073ce45b33a)
+Signed-off-by: Michael Roth <michael.roth@amd.com>
+Upstream-Status: Backport [36403e8788a264dc96174f52584681ebcb4f54b1]
+CVE: CVE-2021-3713
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/usb/dev-uas.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c
+index cec071d96..157734eb0 100644
+--- a/hw/usb/dev-uas.c
+++ b/hw/usb/dev-uas.c
+@@ -831,6 +831,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+         }
+         break;
+     case UAS_PIPE_ID_STATUS:
+        if (p->stream > UAS_MAX_STREAMS) {
+            goto err_stream;
+        }
+         if (p->stream) {
+             QTAILQ_FOREACH(st, &uas->results, next) {
+                 if (st->stream == p->stream) {
+@@ -858,6 +861,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+         break;
+     case UAS_PIPE_ID_DATA_IN:
+     case UAS_PIPE_ID_DATA_OUT:
+        if (p->stream > UAS_MAX_STREAMS) {
+            goto err_stream;
+        }
+         if (p->stream) {
+             req = usb_uas_find_request(uas, p->stream);
+         } else {
+@@ -893,6 +899,11 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+         p->status = USB_RET_STALL;
+         break;
+     }
+
+err_stream:
+    error_report("%s: invalid stream %d", __func__, p->stream);
+    p->status = USB_RET_STALL;
+    return;
+ }
+ 
+ static void usb_uas_unrealize(USBDevice *dev)
+-- 
+2.31.1
author	Sakib Sajal <sakib.sajal@windriver.com>	2022-02-02 10:47:17 -0500
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-02-10 13:25:48 +0000
commit	1bcca21e332418802fffa6d88fb108c24d2ef2b1 (patch)
tree	ff70d16ccc9d84b9937a1dee43937d82c13920b2
parent	7695d11dd09b1e9e87d6741135d0b28e82672f0a (diff)
download	poky-1bcca21e332418802fffa6d88fb108c24d2ef2b1.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 463339e42b..3aad41088a 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -70,6 +70,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
70	file://CVE-2021-3607.patch \	70	file://CVE-2021-3607.patch \
71	file://CVE-2021-3608.patch \	71	file://CVE-2021-3608.patch \
72	file://CVE-2021-3682.patch \	72	file://CVE-2021-3682.patch \
		73	file://CVE-2021-3713.patch \
73	"	74	"
74	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	75	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
75		76


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch new file mode 100644 index 0000000000..33fca66d3d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
@@ -0,0 +1,68 @@
		1	From 9a8f71ec660e67c51cc5905dd9d2a12ff78ce743 Mon Sep 17 00:00:00 2001
		2	From: Gerd Hoffmann <kraxel@redhat.com>
		3	Date: Wed, 18 Aug 2021 14:05:05 +0200
		4	Subject: [PATCH 08/12] uas: add stream number sanity checks.
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	The device uses the guest-supplied stream number unchecked, which can
		10	lead to guest-triggered out-of-band access to the UASDevice->data3 and
		11	UASDevice->status3 fields. Add the missing checks.
		12
		13	Fixes: CVE-2021-3713
		14	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
		15	Reported-by: Chen Zhe <chenzhe@huawei.com>
		16	Reported-by: Tan Jingguo <tanjingguo@huawei.com>
		17	Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
		18	Message-Id: <20210818120505.1258262-2-kraxel@redhat.com>
		19	(cherry picked from commit 13b250b12ad3c59114a6a17d59caf073ce45b33a)
		20	Signed-off-by: Michael Roth <michael.roth@amd.com>
		21
		22	Upstream-Status: Backport [36403e8788a264dc96174f52584681ebcb4f54b1]
		23	CVE: CVE-2021-3713
		24
		25	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
		26	---
		27	hw/usb/dev-uas.c \| 11 +++++++++++
		28	1 file changed, 11 insertions(+)
		29
		30	diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c
		31	index cec071d96..157734eb0 100644
		32	--- a/hw/usb/dev-uas.c
		33	+++ b/hw/usb/dev-uas.c
		34	@@ -831,6 +831,9 @@ static void usb_uas_handle_data(USBDevice dev, USBPacket p)
		35	}
		36	break;
		37	case UAS_PIPE_ID_STATUS:
		38	+ if (p->stream > UAS_MAX_STREAMS) {
		39	+ goto err_stream;
		40	+ }
		41	if (p->stream) {
		42	QTAILQ_FOREACH(st, &uas->results, next) {
		43	if (st->stream == p->stream) {
		44	@@ -858,6 +861,9 @@ static void usb_uas_handle_data(USBDevice dev, USBPacket p)
		45	break;
		46	case UAS_PIPE_ID_DATA_IN:
		47	case UAS_PIPE_ID_DATA_OUT:
		48	+ if (p->stream > UAS_MAX_STREAMS) {
		49	+ goto err_stream;
		50	+ }
		51	if (p->stream) {
		52	req = usb_uas_find_request(uas, p->stream);
		53	} else {
		54	@@ -893,6 +899,11 @@ static void usb_uas_handle_data(USBDevice dev, USBPacket p)
		55	p->status = USB_RET_STALL;
		56	break;
		57	}
		58	+
		59	+err_stream:
		60	+ error_report("%s: invalid stream %d", __func__, p->stream);
		61	+ p->status = USB_RET_STALL;
		62	+ return;
		63	}
		64
		65	static void usb_uas_unrealize(USBDevice *dev)
		66	--
		67	2.31.1
		68