2 files changed, 80 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 96a1cc93a5..8182342f92 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -97,6 +97,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2023-3301.patch \
           file://CVE-2023-3255.patch \
           file://CVE-2023-2861.patch \
+           file://CVE-2020-14394.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-14394.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-14394.patch
new file mode 100644
index 0000000000..aff91a7355
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-14394.patch
@@ -0,0 +1,79 @@
+From effaf5a240e03020f4ae953e10b764622c3e87cc Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Tue, 8 Aug 2023 10:44:51 +0000
+Subject: [PATCH] hw/usb/hcd-xhci: Fix unbounded loop in
+ xhci_ring_chain_length() (CVE-2020-14394)
+The loop condition in xhci_ring_chain_length() is under control of
+the guest, and additionally the code does not check for failed DMA
+transfers (e.g. if reaching the end of the RAM), so the loop there
+could run for a very long time or even forever. Fix it by checking
+the return value of dma_memory_read() and by introducing a maximum
+loop length.
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/646
+Message-Id: <20220804131300.96368-1-thuth@redhat.com>
+Reviewed-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+CVE: CVE-2020-14394
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/effaf5a240e03020f4ae953e10b764622c3e87cc]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ hw/usb/hcd-xhci.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index 14bdb8967..c63a36dcc 100644
+--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
+@@ -21,6 +21,7 @@
+ #include "qemu/osdep.h"
+ #include "qemu/timer.h"
+#include "qemu/log.h"
+ #include "qemu/module.h"
+ #include "qemu/queue.h"
+ #include "migration/vmstate.h"
+@@ -725,10 +726,14 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
+     bool control_td_set = 0;
+     uint32_t link_cnt = 0;
+-    while (1) {
+    do {
+         TRBType type;
+-        dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE,
+-                        MEMTXATTRS_UNSPECIFIED);
+       if (dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE,
+                        MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) {
+            qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA memory access failed!\n",
+                          __func__);
+            return -1;
+       }
+         le64_to_cpus(&trb.parameter);
+         le32_to_cpus(&trb.status);
+         le32_to_cpus(&trb.control);
+@@ -762,7 +767,17 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
+         if (!control_td_set && !(trb.control & TRB_TR_CH)) {
+             return length;
+         }
+-    }
+
+       /*
+        * According to the xHCI spec, Transfer Ring segments should have
+        * a maximum size of 64 kB (see chapter "6 Data Structures")
+        */
+    } while (length < TRB_LINK_LIMIT * 65536 / TRB_SIZE);
+
+    qemu_log_mask(LOG_GUEST_ERROR, "%s: exceeded maximum tranfer ring size!\n",
+                          __func__);
+
+    return -1;
+ }
+ static void xhci_er_reset(XHCIState *xhci, int v)
+--
+2.35.5

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 96a1cc93a5..8182342f92 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -97,6 +97,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
97	file://CVE-2023-3301.patch \	97	file://CVE-2023-3301.patch \
98	file://CVE-2023-3255.patch \	98	file://CVE-2023-3255.patch \
99	file://CVE-2023-2861.patch \	99	file://CVE-2023-2861.patch \
		100	file://CVE-2020-14394.patch \
100	"	101	"
101	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	102	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
102		103


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-14394.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-14394.patch new file mode 100644 index 0000000000..aff91a7355 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-14394.patch
@@ -0,0 +1,79 @@
		1	From effaf5a240e03020f4ae953e10b764622c3e87cc Mon Sep 17 00:00:00 2001
		2	From: Thomas Huth <thuth@redhat.com>
		3	Date: Tue, 8 Aug 2023 10:44:51 +0000
		4	Subject: [PATCH] hw/usb/hcd-xhci: Fix unbounded loop in
		5	xhci_ring_chain_length() (CVE-2020-14394)
		6
		7	The loop condition in xhci_ring_chain_length() is under control of
		8	the guest, and additionally the code does not check for failed DMA
		9	transfers (e.g. if reaching the end of the RAM), so the loop there
		10	could run for a very long time or even forever. Fix it by checking
		11	the return value of dma_memory_read() and by introducing a maximum
		12	loop length.
		13
		14	Resolves: https://gitlab.com/qemu-project/qemu/-/issues/646
		15	Message-Id: <20220804131300.96368-1-thuth@redhat.com>
		16	Reviewed-by: Mauro Matteo Cascella <mcascell@redhat.com>
		17	Acked-by: Gerd Hoffmann <kraxel@redhat.com>
		18	Signed-off-by: Thomas Huth <thuth@redhat.com>
		19
		20	CVE: CVE-2020-14394
		21
		22	Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/effaf5a240e03020f4ae953e10b764622c3e87cc]
		23
		24	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		25	---
		26	hw/usb/hcd-xhci.c \| 23 +++++++++++++++++++----
		27	1 file changed, 19 insertions(+), 4 deletions(-)
		28
		29	diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
		30	index 14bdb8967..c63a36dcc 100644
		31	--- a/hw/usb/hcd-xhci.c
		32	+++ b/hw/usb/hcd-xhci.c
		33	@@ -21,6 +21,7 @@
		34
		35	#include "qemu/osdep.h"
		36	#include "qemu/timer.h"
		37	+#include "qemu/log.h"
		38	#include "qemu/module.h"
		39	#include "qemu/queue.h"
		40	#include "migration/vmstate.h"
		41	@@ -725,10 +726,14 @@ static int xhci_ring_chain_length(XHCIState xhci, const XHCIRing ring)
		42	bool control_td_set = 0;
		43	uint32_t link_cnt = 0;
		44
		45	- while (1) {
		46	+ do {
		47	TRBType type;
		48	- dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE,
		49	- MEMTXATTRS_UNSPECIFIED);
		50	+ if (dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE,
		51	+ MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) {
		52	+ qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA memory access failed!\n",
		53	+ __func__);
		54	+ return -1;
		55	+ }
		56	le64_to_cpus(&trb.parameter);
		57	le32_to_cpus(&trb.status);
		58	le32_to_cpus(&trb.control);
		59	@@ -762,7 +767,17 @@ static int xhci_ring_chain_length(XHCIState xhci, const XHCIRing ring)
		60	if (!control_td_set && !(trb.control & TRB_TR_CH)) {
		61	return length;
		62	}
		63	- }
		64	+
		65	+ /*
		66	+ * According to the xHCI spec, Transfer Ring segments should have
		67	+ * a maximum size of 64 kB (see chapter "6 Data Structures")
		68	+ */
		69	+ } while (length < TRB_LINK_LIMIT * 65536 / TRB_SIZE);
		70	+
		71	+ qemu_log_mask(LOG_GUEST_ERROR, "%s: exceeded maximum tranfer ring size!\n",
		72	+ __func__);
		73	+
		74	+ return -1;
		75	}
		76
		77	static void xhci_er_reset(XHCIState *xhci, int v)
		78	--
		79	2.35.5