qemu: fix CVE-2020-13659

(From OE-Core rev: 1bf0e91512b2c157259ed529d1fc7ea7cdac1889) Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Sakib Sajal <sakib.sajal@windriver.com> 2020-07-14 15:51:17 -0400
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-07-18 11:06:31 +0100
commit: 10e2b84149560cc59cd73dd8b438a00538f1873b (patch)
tree: 9d4b22ce0bb9da542aac193f52394f10ae18d1fd /meta/recipes-devtools/qemu
parent: 55b7c62b76a3f1b3912074725e23b90023980e38 (diff)
download: poky-10e2b84149560cc59cd73dd8b438a00538f1873b.tar.gz
2 files changed, 59 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 98bdff7ac6..a9ef3b78bf 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -33,6 +33,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://find_datadir.patch \
           file://CVE-2020-10761.patch \
           file://CVE-2020-13362.patch \
+           file://CVE-2020-13659.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch
new file mode 100644
index 0000000000..4d12ae8f16
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch
@@ -0,0 +1,58 @@
+From 77f55eac6c433e23e82a1b88b2d74f385c4c7d82 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 26 May 2020 16:47:43 +0530
+Subject: [PATCH] exec: set map length to zero when returning NULL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+When mapping physical memory into host's virtual address space,
+'address_space_map' may return NULL if BounceBuffer is in_use.
+Set and return '*plen = 0' to avoid later NULL pointer dereference.
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Fixes: https://bugs.launchpad.net/qemu/+bug/1878259
+Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
+Suggested-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20200526111743.428367-1-ppandit@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Upstream-Status: Backport [77f55eac6c433e23e82a1b88b2d74f385c4c7d82]
+CVE: CVE-2020-13659
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ exec.c                | 1 +
+ include/exec/memory.h | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+diff --git a/exec.c b/exec.c
+index 9cbde85d8c..778263f1c6 100644
+--- a/exec.c
+++ b/exec.c
+@@ -3540,6 +3540,7 @@ void *address_space_map(AddressSpace *as,
+ 
+     if (!memory_access_is_direct(mr, is_write)) {
+         if (atomic_xchg(&bounce.in_use, true)) {
+            *plen = 0;
+             return NULL;
+         }
+         /* Avoid unbounded allocations */
+diff --git a/include/exec/memory.h b/include/exec/memory.h
+index bd7fdd6081..af8ca7824e 100644
+--- a/include/exec/memory.h
+++ b/include/exec/memory.h
+@@ -2314,7 +2314,8 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, hwaddr len,
+ /* address_space_map: map a physical memory region into a host virtual address
+  *
+  * May map a subset of the requested range, given by and returned in @plen.
+- * May return %NULL if resources needed to perform the mapping are exhausted.
+ * May return %NULL and set *@plen to zero(0), if resources needed to perform
+ * the mapping are exhausted.
+  * Use only for reads OR writes - not for read-modify-write operations.
+  * Use cpu_register_map_client() to know when retrying the map operation is
+  * likely to succeed.
+-- 
+2.20.1
author	Sakib Sajal <sakib.sajal@windriver.com>	2020-07-14 15:51:17 -0400
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-07-18 11:06:31 +0100
commit	10e2b84149560cc59cd73dd8b438a00538f1873b (patch)
tree	9d4b22ce0bb9da542aac193f52394f10ae18d1fd /meta/recipes-devtools/qemu
parent	55b7c62b76a3f1b3912074725e23b90023980e38 (diff)
download	poky-10e2b84149560cc59cd73dd8b438a00538f1873b.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 98bdff7ac6..a9ef3b78bf 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -33,6 +33,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
33	file://find_datadir.patch \	33	file://find_datadir.patch \
34	file://CVE-2020-10761.patch \	34	file://CVE-2020-10761.patch \
35	file://CVE-2020-13362.patch \	35	file://CVE-2020-13362.patch \
		36	file://CVE-2020-13659.patch \
36	"	37	"
37	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	38	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
38		39


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch new file mode 100644 index 0000000000..4d12ae8f16 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch
@@ -0,0 +1,58 @@
		1	From 77f55eac6c433e23e82a1b88b2d74f385c4c7d82 Mon Sep 17 00:00:00 2001
		2	From: Prasad J Pandit <pjp@fedoraproject.org>
		3	Date: Tue, 26 May 2020 16:47:43 +0530
		4	Subject: [PATCH] exec: set map length to zero when returning NULL
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	When mapping physical memory into host's virtual address space,
		10	'address_space_map' may return NULL if BounceBuffer is in_use.
		11	Set and return '*plen = 0' to avoid later NULL pointer dereference.
		12
		13	Reported-by: Alexander Bulekov <alxndr@bu.edu>
		14	Fixes: https://bugs.launchpad.net/qemu/+bug/1878259
		15	Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
		16	Suggested-by: Peter Maydell <peter.maydell@linaro.org>
		17	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
		18	Message-Id: <20200526111743.428367-1-ppandit@redhat.com>
		19	Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
		20	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
		21
		22	Upstream-Status: Backport [77f55eac6c433e23e82a1b88b2d74f385c4c7d82]
		23	CVE: CVE-2020-13659
		24	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
		25	---
		26	exec.c \| 1 +
		27	include/exec/memory.h \| 3 ++-
		28	2 files changed, 3 insertions(+), 1 deletion(-)
		29
		30	diff --git a/exec.c b/exec.c
		31	index 9cbde85d8c..778263f1c6 100644
		32	--- a/exec.c
		33	+++ b/exec.c
		34	@@ -3540,6 +3540,7 @@ void address_space_map(AddressSpace as,
		35
		36	if (!memory_access_is_direct(mr, is_write)) {
		37	if (atomic_xchg(&bounce.in_use, true)) {
		38	+ *plen = 0;
		39	return NULL;
		40	}
		41	/* Avoid unbounded allocations */
		42	diff --git a/include/exec/memory.h b/include/exec/memory.h
		43	index bd7fdd6081..af8ca7824e 100644
		44	--- a/include/exec/memory.h
		45	+++ b/include/exec/memory.h
		46	@@ -2314,7 +2314,8 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, hwaddr len,
		47	/* address_space_map: map a physical memory region into a host virtual address
		48	*
		49	* May map a subset of the requested range, given by and returned in @plen.
		50	- * May return %NULL if resources needed to perform the mapping are exhausted.
		51	+ * May return %NULL and set *@plen to zero(0), if resources needed to perform
		52	+ * the mapping are exhausted.
		53	* Use only for reads OR writes - not for read-modify-write operations.
		54	* Use cpu_register_map_client() to know when retrying the map operation is
		55	* likely to succeed.
		56	--
		57	2.20.1
		58