summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc9
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch177
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch41
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch42
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch43
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch42
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch40
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch42
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch44
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch41
10 files changed, 521 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index a61f69ba49..e64a6b2cb2 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -62,6 +62,15 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
62 file://CVE-2020-29443.patch \ 62 file://CVE-2020-29443.patch \
63 file://CVE-2021-20221.patch \ 63 file://CVE-2021-20221.patch \
64 file://CVE-2021-20181.patch \ 64 file://CVE-2021-20181.patch \
65 file://CVE-2021-3416_1.patch \
66 file://CVE-2021-3416_2.patch \
67 file://CVE-2021-3416_3.patch \
68 file://CVE-2021-3416_5.patch \
69 file://CVE-2021-3416_6.patch \
70 file://CVE-2021-3416_7.patch \
71 file://CVE-2021-3416_8.patch \
72 file://CVE-2021-3416_9.patch \
73 file://CVE-2021-3416_10.patch \
65 " 74 "
66UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" 75UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
67 76
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch
new file mode 100644
index 0000000000..5bacd67481
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch
@@ -0,0 +1,177 @@
1From 4b1988a29d67277d6c8ce1df52975f5616592913 Mon Sep 17 00:00:00 2001
2From: Jason Wang <jasowang@redhat.com>
3Date: Wed, 24 Feb 2021 11:44:36 +0800
4Subject: [PATCH 01/10] net: introduce qemu_receive_packet()
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9Some NIC supports loopback mode and this is done by calling
10nc->info->receive() directly which in fact suppresses the effort of
11reentrancy check that is done in qemu_net_queue_send().
12
13Unfortunately we can't use qemu_net_queue_send() here since for
14loopback there's no sender as peer, so this patch introduce a
15qemu_receive_packet() which is used for implementing loopback mode
16for a NIC with this check.
17
18NIC that supports loopback mode will be converted to this helper.
19
20This is intended to address CVE-2021-3416.
21
22Cc: Prasad J Pandit <ppandit@redhat.com>
23Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
24Cc: qemu-stable@nongnu.org
25Signed-off-by: Jason Wang <jasowang@redhat.com>
26
27Upstream-Status: Backport [705df5466c98f3efdd2b68d3b31dad86858acad7]
28CVE: CVE-2021-3416
29
30Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
31---
32 include/net/net.h | 5 +++++
33 include/net/queue.h | 8 ++++++++
34 net/net.c | 38 +++++++++++++++++++++++++++++++-------
35 net/queue.c | 22 ++++++++++++++++++++++
36 4 files changed, 66 insertions(+), 7 deletions(-)
37
38diff --git a/include/net/net.h b/include/net/net.h
39index 778fc787c..03f058ecb 100644
40--- a/include/net/net.h
41+++ b/include/net/net.h
42@@ -143,12 +143,17 @@ void *qemu_get_nic_opaque(NetClientState *nc);
43 void qemu_del_net_client(NetClientState *nc);
44 typedef void (*qemu_nic_foreach)(NICState *nic, void *opaque);
45 void qemu_foreach_nic(qemu_nic_foreach func, void *opaque);
46+int qemu_can_receive_packet(NetClientState *nc);
47 int qemu_can_send_packet(NetClientState *nc);
48 ssize_t qemu_sendv_packet(NetClientState *nc, const struct iovec *iov,
49 int iovcnt);
50 ssize_t qemu_sendv_packet_async(NetClientState *nc, const struct iovec *iov,
51 int iovcnt, NetPacketSent *sent_cb);
52 ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size);
53+ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size);
54+ssize_t qemu_receive_packet_iov(NetClientState *nc,
55+ const struct iovec *iov,
56+ int iovcnt);
57 ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size);
58 ssize_t qemu_send_packet_async(NetClientState *nc, const uint8_t *buf,
59 int size, NetPacketSent *sent_cb);
60diff --git a/include/net/queue.h b/include/net/queue.h
61index c0269bb1d..9f2f289d7 100644
62--- a/include/net/queue.h
63+++ b/include/net/queue.h
64@@ -55,6 +55,14 @@ void qemu_net_queue_append_iov(NetQueue *queue,
65
66 void qemu_del_net_queue(NetQueue *queue);
67
68+ssize_t qemu_net_queue_receive(NetQueue *queue,
69+ const uint8_t *data,
70+ size_t size);
71+
72+ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
73+ const struct iovec *iov,
74+ int iovcnt);
75+
76 ssize_t qemu_net_queue_send(NetQueue *queue,
77 NetClientState *sender,
78 unsigned flags,
79diff --git a/net/net.c b/net/net.c
80index 6a2c3d956..5e15e5d27 100644
81--- a/net/net.c
82+++ b/net/net.c
83@@ -528,6 +528,17 @@ int qemu_set_vnet_be(NetClientState *nc, bool is_be)
84 #endif
85 }
86
87+int qemu_can_receive_packet(NetClientState *nc)
88+{
89+ if (nc->receive_disabled) {
90+ return 0;
91+ } else if (nc->info->can_receive &&
92+ !nc->info->can_receive(nc)) {
93+ return 0;
94+ }
95+ return 1;
96+}
97+
98 int qemu_can_send_packet(NetClientState *sender)
99 {
100 int vm_running = runstate_is_running();
101@@ -540,13 +551,7 @@ int qemu_can_send_packet(NetClientState *sender)
102 return 1;
103 }
104
105- if (sender->peer->receive_disabled) {
106- return 0;
107- } else if (sender->peer->info->can_receive &&
108- !sender->peer->info->can_receive(sender->peer)) {
109- return 0;
110- }
111- return 1;
112+ return qemu_can_receive_packet(sender->peer);
113 }
114
115 static ssize_t filter_receive_iov(NetClientState *nc,
116@@ -679,6 +684,25 @@ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size)
117 return qemu_send_packet_async(nc, buf, size, NULL);
118 }
119
120+ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size)
121+{
122+ if (!qemu_can_receive_packet(nc)) {
123+ return 0;
124+ }
125+
126+ return qemu_net_queue_receive(nc->incoming_queue, buf, size);
127+}
128+
129+ssize_t qemu_receive_packet_iov(NetClientState *nc, const struct iovec *iov,
130+ int iovcnt)
131+{
132+ if (!qemu_can_receive_packet(nc)) {
133+ return 0;
134+ }
135+
136+ return qemu_net_queue_receive_iov(nc->incoming_queue, iov, iovcnt);
137+}
138+
139 ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size)
140 {
141 return qemu_send_packet_async_with_flags(nc, QEMU_NET_PACKET_FLAG_RAW,
142diff --git a/net/queue.c b/net/queue.c
143index 19e32c80f..c872d51df 100644
144--- a/net/queue.c
145+++ b/net/queue.c
146@@ -182,6 +182,28 @@ static ssize_t qemu_net_queue_deliver_iov(NetQueue *queue,
147 return ret;
148 }
149
150+ssize_t qemu_net_queue_receive(NetQueue *queue,
151+ const uint8_t *data,
152+ size_t size)
153+{
154+ if (queue->delivering) {
155+ return 0;
156+ }
157+
158+ return qemu_net_queue_deliver(queue, NULL, 0, data, size);
159+}
160+
161+ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
162+ const struct iovec *iov,
163+ int iovcnt)
164+{
165+ if (queue->delivering) {
166+ return 0;
167+ }
168+
169+ return qemu_net_queue_deliver_iov(queue, NULL, 0, iov, iovcnt);
170+}
171+
172 ssize_t qemu_net_queue_send(NetQueue *queue,
173 NetClientState *sender,
174 unsigned flags,
175--
1762.29.2
177
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch
new file mode 100644
index 0000000000..fdb4894e44
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch
@@ -0,0 +1,41 @@
1From 65b851efd3d0280425c202f4e5880c48f8334dae Mon Sep 17 00:00:00 2001
2From: Alexander Bulekov <alxndr@bu.edu>
3Date: Mon, 1 Mar 2021 14:35:30 -0500
4Subject: [PATCH 10/10] lan9118: switch to use qemu_receive_packet() for
5 loopback
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10This patch switches to use qemu_receive_packet() which can detect
11reentrancy and return early.
12
13This is intended to address CVE-2021-3416.
14
15Cc: Prasad J Pandit <ppandit@redhat.com>
16Cc: qemu-stable@nongnu.org
17Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
18Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
19Signed-off-by: Jason Wang <jasowang@redhat.com>
20
21Upstream-Status: Backport [37cee01784ff0df13e5209517e1b3594a5e792d1]
22CVE: CVE-2021-3416
23
24Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
25---
26 hw/net/lan9118.c | 2 +-
27 1 file changed, 1 insertion(+), 1 deletion(-)
28
29Index: qemu-4.2.0/hw/net/lan9118.c
30===================================================================
31--- qemu-4.2.0.orig/hw/net/lan9118.c
32+++ qemu-4.2.0/hw/net/lan9118.c
33@@ -667,7 +667,7 @@ static void do_tx_packet(lan9118_state *
34 /* FIXME: Honor TX disable, and allow queueing of packets. */
35 if (s->phy_control & 0x4000) {
36 /* This assumes the receive routine doesn't touch the VLANClient. */
37- lan9118_receive(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
38+ qemu_receive_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
39 } else {
40 qemu_send_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
41 }
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch
new file mode 100644
index 0000000000..5e53e20bac
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch
@@ -0,0 +1,42 @@
1From e2a48a3c7cc33dbbe89f896e0f07462cb04ff6b5 Mon Sep 17 00:00:00 2001
2From: Jason Wang <jasowang@redhat.com>
3Date: Wed, 24 Feb 2021 12:13:22 +0800
4Subject: [PATCH 02/10] e1000: switch to use qemu_receive_packet() for loopback
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9This patch switches to use qemu_receive_packet() which can detect
10reentrancy and return early.
11
12This is intended to address CVE-2021-3416.
13
14Cc: Prasad J Pandit <ppandit@redhat.com>
15Cc: qemu-stable@nongnu.org
16Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
17Signed-off-by: Jason Wang <jasowang@redhat.com>
18
19Upstream-Status: Backport [1caff0340f49c93d535c6558a5138d20d475315c]
20CVE: CVE-2021-3416
21
22Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
23---
24 hw/net/e1000.c | 2 +-
25 1 file changed, 1 insertion(+), 1 deletion(-)
26
27diff --git a/hw/net/e1000.c b/hw/net/e1000.c
28index d7d05ae30..cf22c4f07 100644
29--- a/hw/net/e1000.c
30+++ b/hw/net/e1000.c
31@@ -546,7 +546,7 @@ e1000_send_packet(E1000State *s, const uint8_t *buf, int size)
32
33 NetClientState *nc = qemu_get_queue(s->nic);
34 if (s->phy_reg[PHY_CTRL] & MII_CR_LOOPBACK) {
35- nc->info->receive(nc, buf, size);
36+ qemu_receive_packet(nc, buf, size);
37 } else {
38 qemu_send_packet(nc, buf, size);
39 }
40--
412.29.2
42
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch
new file mode 100644
index 0000000000..3fc469e3e3
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch
@@ -0,0 +1,43 @@
1From c041a4da1ff119715e0ccf2d4a7af62568f17b93 Mon Sep 17 00:00:00 2001
2From: Jason Wang <jasowang@redhat.com>
3Date: Wed, 24 Feb 2021 12:57:40 +0800
4Subject: [PATCH 03/10] dp8393x: switch to use qemu_receive_packet() for
5 loopback packet
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10This patch switches to use qemu_receive_packet() which can detect
11reentrancy and return early.
12
13This is intended to address CVE-2021-3416.
14
15Cc: Prasad J Pandit <ppandit@redhat.com>
16Cc: qemu-stable@nongnu.org
17Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
18Signed-off-by: Jason Wang <jasowang@redhat.com>
19
20Upstream-Status: Backport [331d2ac9ea307c990dc86e6493e8f0c48d14bb33]
21CVE: CVE-2021-3416
22
23Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
24---
25 hw/net/dp8393x.c | 2 +-
26 1 file changed, 1 insertion(+), 1 deletion(-)
27
28diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
29index 205c0decc..533a8304d 100644
30--- a/hw/net/dp8393x.c
31+++ b/hw/net/dp8393x.c
32@@ -506,7 +506,7 @@ static void dp8393x_do_transmit_packets(dp8393xState *s)
33 s->regs[SONIC_TCR] |= SONIC_TCR_CRSL;
34 if (nc->info->can_receive(nc)) {
35 s->loopback_packet = 1;
36- nc->info->receive(nc, s->tx_buffer, tx_len);
37+ qemu_receive_packet(nc, s->tx_buffer, tx_len);
38 }
39 } else {
40 /* Transmit packet */
41--
422.29.2
43
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch
new file mode 100644
index 0000000000..93202ebcef
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch
@@ -0,0 +1,42 @@
1From d465dc79c9ee729d91ef086b993e956b1935be69 Mon Sep 17 00:00:00 2001
2From: Jason Wang <jasowang@redhat.com>
3Date: Wed, 24 Feb 2021 13:14:35 +0800
4Subject: [PATCH 05/10] sungem: switch to use qemu_receive_packet() for
5 loopback
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10This patch switches to use qemu_receive_packet() which can detect
11reentrancy and return early.
12
13This is intended to address CVE-2021-3416.
14
15Cc: Prasad J Pandit <ppandit@redhat.com>
16Cc: qemu-stable@nongnu.org
17Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
18Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
19Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
20Signed-off-by: Jason Wang <jasowang@redhat.com>
21
22Upstream-Status: Backport [8c92060d3c0248bd4d515719a35922cd2391b9b4]
23CVE: CVE-2021-3416
24
25Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
26---
27 hw/net/sungem.c | 2 +-
28 1 file changed, 1 insertion(+), 1 deletion(-)
29
30Index: qemu-4.2.0/hw/net/sungem.c
31===================================================================
32--- qemu-4.2.0.orig/hw/net/sungem.c
33+++ qemu-4.2.0/hw/net/sungem.c
34@@ -305,7 +305,7 @@ static void sungem_send_packet(SunGEMSta
35 NetClientState *nc = qemu_get_queue(s->nic);
36
37 if (s->macregs[MAC_XIFCFG >> 2] & MAC_XIFCFG_LBCK) {
38- nc->info->receive(nc, buf, size);
39+ qemu_receive_packet(nc, buf, size);
40 } else {
41 qemu_send_packet(nc, buf, size);
42 }
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch
new file mode 100644
index 0000000000..40b4bd96e7
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch
@@ -0,0 +1,40 @@
1From c0010f9b2bafe866fe32e3c2688454bc24147136 Mon Sep 17 00:00:00 2001
2From: Jason Wang <jasowang@redhat.com>
3Date: Wed, 24 Feb 2021 13:27:52 +0800
4Subject: [PATCH 06/10] tx_pkt: switch to use qemu_receive_packet_iov() for
5 loopback
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10This patch switches to use qemu_receive_receive_iov() which can detect
11reentrancy and return early.
12
13This is intended to address CVE-2021-3416.
14
15Cc: Prasad J Pandit <ppandit@redhat.com>
16Cc: qemu-stable@nongnu.org
17Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
18Signed-off-by: Jason Wang <jasowang@redhat.com>
19
20Upstream-Status: Backport [8c552542b81e56ff532dd27ec6e5328954bdda73]
21CVE: CVE-2021-3416
22
23Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
24---
25 hw/net/net_tx_pkt.c | 2 +-
26 1 file changed, 1 insertion(+), 1 deletion(-)
27
28Index: qemu-4.2.0/hw/net/net_tx_pkt.c
29===================================================================
30--- qemu-4.2.0.orig/hw/net/net_tx_pkt.c
31+++ qemu-4.2.0/hw/net/net_tx_pkt.c
32@@ -544,7 +544,7 @@ static inline void net_tx_pkt_sendv(stru
33 NetClientState *nc, const struct iovec *iov, int iov_cnt)
34 {
35 if (pkt->is_loopback) {
36- nc->info->receive_iov(nc, iov, iov_cnt);
37+ qemu_receive_packet_iov(nc, iov, iov_cnt);
38 } else {
39 qemu_sendv_packet(nc, iov, iov_cnt);
40 }
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch
new file mode 100644
index 0000000000..b3b702cca4
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch
@@ -0,0 +1,42 @@
1From 64b38675c728354e4015e4bec3d975cd4cb8a981 Mon Sep 17 00:00:00 2001
2From: Alexander Bulekov <alxndr@bu.edu>
3Date: Fri, 26 Feb 2021 13:47:53 -0500
4Subject: [PATCH 07/10] rtl8139: switch to use qemu_receive_packet() for
5 loopback
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10This patch switches to use qemu_receive_packet() which can detect
11reentrancy and return early.
12
13This is intended to address CVE-2021-3416.
14
15Cc: Prasad J Pandit <ppandit@redhat.com>
16Cc: qemu-stable@nongnu.org
17Buglink: https://bugs.launchpad.net/qemu/+bug/1910826
18Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
19Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
20Signed-off-by: Jason Wang <jasowang@redhat.com>
21
22Upstream-Status: Backport [5311fb805a4403bba024e83886fa0e7572265de4]
23CVE: CVE-2021-3416
24
25Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
26---
27 hw/net/rtl8139.c | 2 +-
28 1 file changed, 1 insertion(+), 1 deletion(-)
29
30Index: qemu-4.2.0/hw/net/rtl8139.c
31===================================================================
32--- qemu-4.2.0.orig/hw/net/rtl8139.c
33+++ qemu-4.2.0/hw/net/rtl8139.c
34@@ -1793,7 +1793,7 @@ static void rtl8139_transfer_frame(RTL81
35 }
36
37 DPRINTF("+++ transmit loopback mode\n");
38- rtl8139_do_receive(qemu_get_queue(s->nic), buf, size, do_interrupt);
39+ qemu_receive_packet(qemu_get_queue(s->nic), buf, size);
40
41 if (iov) {
42 g_free(buf2);
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch
new file mode 100644
index 0000000000..ed716468dc
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch
@@ -0,0 +1,44 @@
1From 023ce62f0a788ad3a8233c7a828554bceeafd031 Mon Sep 17 00:00:00 2001
2From: Alexander Bulekov <alxndr@bu.edu>
3Date: Mon, 1 Mar 2021 10:33:34 -0500
4Subject: [PATCH 08/10] pcnet: switch to use qemu_receive_packet() for loopback
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9This patch switches to use qemu_receive_packet() which can detect
10reentrancy and return early.
11
12This is intended to address CVE-2021-3416.
13
14Cc: Prasad J Pandit <ppandit@redhat.com>
15Cc: qemu-stable@nongnu.org
16Buglink: https://bugs.launchpad.net/qemu/+bug/1917085
17Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
18Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
19Signed-off-by: Jason Wang <jasowang@redhat.com>
20
21Upstream-Status: Backport [99ccfaa1edafd79f7a3a0ff7b58ae4da7c514928]
22CVE: CVE-2021-3416
23
24Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
25---
26 hw/net/pcnet.c | 2 +-
27 1 file changed, 1 insertion(+), 1 deletion(-)
28
29diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
30index f3f18d859..dcd3fc494 100644
31--- a/hw/net/pcnet.c
32+++ b/hw/net/pcnet.c
33@@ -1250,7 +1250,7 @@ txagain:
34 if (BCR_SWSTYLE(s) == 1)
35 add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);
36 s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;
37- pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
38+ qemu_receive_packet(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
39 s->looptest = 0;
40 } else {
41 if (s->nic) {
42--
432.29.2
44
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch
new file mode 100644
index 0000000000..f4a985604e
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch
@@ -0,0 +1,41 @@
1From ecf7e62bb2cb02c9bd40082504ae376f3e19ffd2 Mon Sep 17 00:00:00 2001
2From: Alexander Bulekov <alxndr@bu.edu>
3Date: Mon, 1 Mar 2021 14:33:43 -0500
4Subject: [PATCH 09/10] cadence_gem: switch to use qemu_receive_packet() for
5 loopback
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10This patch switches to use qemu_receive_packet() which can detect
11reentrancy and return early.
12
13This is intended to address CVE-2021-3416.
14
15Cc: Prasad J Pandit <ppandit@redhat.com>
16Cc: qemu-stable@nongnu.org
17Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
18Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
19Signed-off-by: Jason Wang <jasowang@redhat.com>
20
21Upstream-Status: Backport [e73adfbeec9d4e008630c814759052ed945c3fed]
22CVE: CVE-2021-3416
23
24Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
25---
26 hw/net/cadence_gem.c | 4 ++--
27 1 file changed, 2 insertions(+), 2 deletions(-)
28
29Index: qemu-4.2.0/hw/net/cadence_gem.c
30===================================================================
31--- qemu-4.2.0.orig/hw/net/cadence_gem.c
32+++ qemu-4.2.0/hw/net/cadence_gem.c
33@@ -1225,7 +1225,7 @@ static void gem_transmit(CadenceGEMState
34 /* Send the packet somewhere */
35 if (s->phy_loop || (s->regs[GEM_NWCTRL] &
36 GEM_NWCTRL_LOCALLOOP)) {
37- gem_receive(qemu_get_queue(s->nic), tx_packet,
38+ qemu_receive_packet(qemu_get_queue(s->nic), tx_packet,
39 total_bytes);
40 } else {
41 qemu_send_packet(qemu_get_queue(s->nic), tx_packet,
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-12-07 13:44:27 +0000