qemu: fix CVE-2020-10702 & CVE-2020-13765

(From OE-Core rev: 684307688eb0c1a98be8885164ecc8f578a36cf8) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Lee Chee Yang <chee.yang.lee@intel.com> 2020-06-16 16:21:42 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-07-08 10:47:50 +0100
commit: 4e90fb17b129b7a5df584799ec9629474362d50c (patch)
tree: e5d6d71e2c9e9e7d6ae3ebd87dfe039ad67413c1
parent: 09d29eb36a335cadb1249f6849e090d22bbf5a2e (diff)
download: poky-4e90fb17b129b7a5df584799ec9629474362d50c.tar.gz
3 files changed, 102 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 4e5ea174a9..5cdba1f02c 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -37,6 +37,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2020-7039-3.patch \
           file://CVE-2020-7211.patch \
           file://CVE-2020-11869.patch \
+           file://CVE-2020-13765.patch \
+           file://CVE-2020-10702.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-10702.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-10702.patch
new file mode 100644
index 0000000000..21a3ceb30d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-10702.patch
@@ -0,0 +1,52 @@
+From de0b1bae6461f67243282555475f88b2384a1eb9 Mon Sep 17 00:00:00 2001
+From: Vincent Dehors <vincent.dehors@smile.fr>
+Date: Thu, 23 Jan 2020 15:22:38 +0000
+Subject: [PATCH] target/arm: Fix PAuth sbox functions
+In the PAC computation, sbox was applied over wrong bits.
+As this is a 4-bit sbox, bit index should be incremented by 4 instead of 16.
+Test vector from QARMA paper (https://eprint.iacr.org/2016/444.pdf) was
+used to verify one computation of the pauth_computepac() function which
+uses sbox2.
+Launchpad: https://bugs.launchpad.net/bugs/1859713
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Vincent DEHORS <vincent.dehors@smile.fr>
+Signed-off-by: Adrien GRASSEIN <adrien.grassein@smile.fr>
+Message-id: 20200116230809.19078-2-richard.henderson@linaro.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=de0b1bae6461f67243282555475f88b2384a1eb9] 
+CVE: CVE-2020-10702
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ target/arm/pauth_helper.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/target/arm/pauth_helper.c b/target/arm/pauth_helper.c
+index d3194f2..0a5f41e 100644
+--- a/target/arm/pauth_helper.c
+++ b/target/arm/pauth_helper.c
+@@ -89,7 +89,7 @@ static uint64_t pac_sub(uint64_t i)
+     uint64_t o = 0;
+     int b;
+ 
+-    for (b = 0; b < 64; b += 16) {
+    for (b = 0; b < 64; b += 4) {
+         o |= (uint64_t)sub[(i >> b) & 0xf] << b;
+     }
+     return o;
+@@ -104,7 +104,7 @@ static uint64_t pac_inv_sub(uint64_t i)
+     uint64_t o = 0;
+     int b;
+ 
+-    for (b = 0; b < 64; b += 16) {
+    for (b = 0; b < 64; b += 4) {
+         o |= (uint64_t)inv_sub[(i >> b) & 0xf] << b;
+     }
+     return o;
+-- 
+1.8.3.1
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13765.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13765.patch
new file mode 100644
index 0000000000..9014ba0f13
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13765.patch
@@ -0,0 +1,48 @@
+From e423455c4f23a1a828901c78fe6d03b7dde79319 Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Wed, 25 Sep 2019 14:16:43 +0200
+Subject: [PATCH] hw/core/loader: Fix possible crash in rom_copy()
+Both, "rom->addr" and "addr" are derived from the binary image
+that can be loaded with the "-kernel" paramer. The code in
+rom_copy() then calculates:
+    d = dest + (rom->addr - addr);
+and uses "d" as destination in a memcpy() some lines later. Now with
+bad kernel images, it is possible that rom->addr is smaller than addr,
+thus "rom->addr - addr" gets negative and the memcpy() then tries to
+copy contents from the image to a bad memory location. This could
+maybe be used to inject code from a kernel image into the QEMU binary,
+so we better fix it with an additional sanity check here.
+Cc: qemu-stable@nongnu.org
+Reported-by: Guangming Liu
+Buglink: https://bugs.launchpad.net/qemu/+bug/1844635
+Message-Id: <20190925130331.27825-1-thuth@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=e423455c4f23a1a828901c78fe6d03b7dde79319] 
+CVE: CVE-2020-13765
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ hw/core/loader.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/hw/core/loader.c b/hw/core/loader.c
+index 0d60219..5099f27 100644
+--- a/hw/core/loader.c
+++ b/hw/core/loader.c
+@@ -1281,7 +1281,7 @@ int rom_copy(uint8_t *dest, hwaddr addr, size_t size)
+         if (rom->addr + rom->romsize < addr) {
+             continue;
+         }
+-        if (rom->addr > end) {
+        if (rom->addr > end || rom->addr < addr) {
+             break;
+         }
+ 
+-- 
+1.8.3.1
author	Lee Chee Yang <chee.yang.lee@intel.com>	2020-06-16 16:21:42 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-07-08 10:47:50 +0100
commit	4e90fb17b129b7a5df584799ec9629474362d50c (patch)
tree	e5d6d71e2c9e9e7d6ae3ebd87dfe039ad67413c1
parent	09d29eb36a335cadb1249f6849e090d22bbf5a2e (diff)
download	poky-4e90fb17b129b7a5df584799ec9629474362d50c.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 4e5ea174a9..5cdba1f02c 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -37,6 +37,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
37	file://CVE-2020-7039-3.patch \	37	file://CVE-2020-7039-3.patch \
38	file://CVE-2020-7211.patch \	38	file://CVE-2020-7211.patch \
39	file://CVE-2020-11869.patch \	39	file://CVE-2020-11869.patch \
		40	file://CVE-2020-13765.patch \
		41	file://CVE-2020-10702.patch \
40	"	42	"
41	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	43	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
42		44


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-10702.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-10702.patch new file mode 100644 index 0000000000..21a3ceb30d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-10702.patch
@@ -0,0 +1,52 @@
		1	From de0b1bae6461f67243282555475f88b2384a1eb9 Mon Sep 17 00:00:00 2001
		2	From: Vincent Dehors <vincent.dehors@smile.fr>
		3	Date: Thu, 23 Jan 2020 15:22:38 +0000
		4	Subject: [PATCH] target/arm: Fix PAuth sbox functions
		5
		6	In the PAC computation, sbox was applied over wrong bits.
		7	As this is a 4-bit sbox, bit index should be incremented by 4 instead of 16.
		8
		9	Test vector from QARMA paper (https://eprint.iacr.org/2016/444.pdf) was
		10	used to verify one computation of the pauth_computepac() function which
		11	uses sbox2.
		12
		13	Launchpad: https://bugs.launchpad.net/bugs/1859713
		14	Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
		15	Signed-off-by: Vincent DEHORS <vincent.dehors@smile.fr>
		16	Signed-off-by: Adrien GRASSEIN <adrien.grassein@smile.fr>
		17	Message-id: 20200116230809.19078-2-richard.henderson@linaro.org
		18	Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
		19	Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
		20
		21	Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=de0b1bae6461f67243282555475f88b2384a1eb9]
		22	CVE: CVE-2020-10702
		23	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		24	---
		25	target/arm/pauth_helper.c \| 4 ++--
		26	1 file changed, 2 insertions(+), 2 deletions(-)
		27
		28	diff --git a/target/arm/pauth_helper.c b/target/arm/pauth_helper.c
		29	index d3194f2..0a5f41e 100644
		30	--- a/target/arm/pauth_helper.c
		31	+++ b/target/arm/pauth_helper.c
		32	@@ -89,7 +89,7 @@ static uint64_t pac_sub(uint64_t i)
		33	uint64_t o = 0;
		34	int b;
		35
		36	- for (b = 0; b < 64; b += 16) {
		37	+ for (b = 0; b < 64; b += 4) {
		38	o \|= (uint64_t)sub[(i >> b) & 0xf] << b;
		39	}
		40	return o;
		41	@@ -104,7 +104,7 @@ static uint64_t pac_inv_sub(uint64_t i)
		42	uint64_t o = 0;
		43	int b;
		44
		45	- for (b = 0; b < 64; b += 16) {
		46	+ for (b = 0; b < 64; b += 4) {
		47	o \|= (uint64_t)inv_sub[(i >> b) & 0xf] << b;
		48	}
		49	return o;
		50	--
		51	1.8.3.1
		52


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13765.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13765.patch new file mode 100644 index 0000000000..9014ba0f13 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13765.patch
@@ -0,0 +1,48 @@
		1	From e423455c4f23a1a828901c78fe6d03b7dde79319 Mon Sep 17 00:00:00 2001
		2	From: Thomas Huth <thuth@redhat.com>
		3	Date: Wed, 25 Sep 2019 14:16:43 +0200
		4	Subject: [PATCH] hw/core/loader: Fix possible crash in rom_copy()
		5
		6	Both, "rom->addr" and "addr" are derived from the binary image
		7	that can be loaded with the "-kernel" paramer. The code in
		8	rom_copy() then calculates:
		9
		10	d = dest + (rom->addr - addr);
		11
		12	and uses "d" as destination in a memcpy() some lines later. Now with
		13	bad kernel images, it is possible that rom->addr is smaller than addr,
		14	thus "rom->addr - addr" gets negative and the memcpy() then tries to
		15	copy contents from the image to a bad memory location. This could
		16	maybe be used to inject code from a kernel image into the QEMU binary,
		17	so we better fix it with an additional sanity check here.
		18
		19	Cc: qemu-stable@nongnu.org
		20	Reported-by: Guangming Liu
		21	Buglink: https://bugs.launchpad.net/qemu/+bug/1844635
		22	Message-Id: <20190925130331.27825-1-thuth@redhat.com>
		23	Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
		24	Signed-off-by: Thomas Huth <thuth@redhat.com>
		25
		26	Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=e423455c4f23a1a828901c78fe6d03b7dde79319]
		27	CVE: CVE-2020-13765
		28	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		29	---
		30	hw/core/loader.c \| 2 +-
		31	1 file changed, 1 insertion(+), 1 deletion(-)
		32
		33	diff --git a/hw/core/loader.c b/hw/core/loader.c
		34	index 0d60219..5099f27 100644
		35	--- a/hw/core/loader.c
		36	+++ b/hw/core/loader.c
		37	@@ -1281,7 +1281,7 @@ int rom_copy(uint8_t *dest, hwaddr addr, size_t size)
		38	if (rom->addr + rom->romsize < addr) {
		39	continue;
		40	}
		41	- if (rom->addr > end) {
		42	+ if (rom->addr > end \|\| rom->addr < addr) {
		43	break;
		44	}
		45
		46	--
		47	1.8.3.1
		48