2 files changed, 56 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 177e453fff..5797bbecf2 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -53,6 +53,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2021-3416_8.patch \
           file://CVE-2021-3416_9.patch \
           file://CVE-2021-3416_10.patch \
+           file://CVE-2021-20257.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch
new file mode 100644
index 0000000000..7175b24e99
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch
@@ -0,0 +1,55 @@
+From affdf476543405045c281a7c67d1eaedbcea8135 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 13:45:28 +0800
+Subject: [PATCH] e1000: fail early for evil descriptor
+During procss_tx_desc(), driver can try to chain data descriptor with
+legacy descriptor, when will lead underflow for the following
+calculation in process_tx_desc() for bytes:
+            if (tp->size + bytes > msh)
+                bytes = msh - tp->size;
+This will lead a infinite loop. So check and fail early if tp->size if
+greater or equal to msh.
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
+Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de>
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Upstream-Status: Backport [3de46e6fc489c52c9431a8a832ad8170a7569bd8]
+CVE: CVE-2021-20257
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/e1000.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c
+index cf22c4f07..c3564c7ce 100644
+--- a/hw/net/e1000.c
+++ b/hw/net/e1000.c
+@@ -670,6 +670,9 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+         msh = tp->tso_props.hdr_len + tp->tso_props.mss;
+         do {
+             bytes = split_size;
+            if (tp->size >= msh) {
+                goto eop;
+            }
+             if (tp->size + bytes > msh)
+                 bytes = msh - tp->size;
+ 
+@@ -695,6 +698,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+         tp->size += split_size;
+     }
+ 
+eop:
+     if (!(txd_lower & E1000_TXD_CMD_EOP))
+         return;
+     if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) {
+-- 
+2.29.2

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 177e453fff..5797bbecf2 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -53,6 +53,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
53	file://CVE-2021-3416_8.patch \	53	file://CVE-2021-3416_8.patch \
54	file://CVE-2021-3416_9.patch \	54	file://CVE-2021-3416_9.patch \
55	file://CVE-2021-3416_10.patch \	55	file://CVE-2021-3416_10.patch \
		56	file://CVE-2021-20257.patch \
56	"	57	"
57	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	58	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
58		59


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch new file mode 100644 index 0000000000..7175b24e99 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch
@@ -0,0 +1,55 @@
		1	From affdf476543405045c281a7c67d1eaedbcea8135 Mon Sep 17 00:00:00 2001
		2	From: Jason Wang <jasowang@redhat.com>
		3	Date: Wed, 24 Feb 2021 13:45:28 +0800
		4	Subject: [PATCH] e1000: fail early for evil descriptor
		5
		6	During procss_tx_desc(), driver can try to chain data descriptor with
		7	legacy descriptor, when will lead underflow for the following
		8	calculation in process_tx_desc() for bytes:
		9
		10	if (tp->size + bytes > msh)
		11	bytes = msh - tp->size;
		12
		13	This will lead a infinite loop. So check and fail early if tp->size if
		14	greater or equal to msh.
		15
		16	Reported-by: Alexander Bulekov <alxndr@bu.edu>
		17	Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
		18	Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de>
		19	Cc: Prasad J Pandit <ppandit@redhat.com>
		20	Cc: qemu-stable@nongnu.org
		21	Signed-off-by: Jason Wang <jasowang@redhat.com>
		22
		23	Upstream-Status: Backport [3de46e6fc489c52c9431a8a832ad8170a7569bd8]
		24	CVE: CVE-2021-20257
		25
		26	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
		27	---
		28	hw/net/e1000.c \| 4 ++++
		29	1 file changed, 4 insertions(+)
		30
		31	diff --git a/hw/net/e1000.c b/hw/net/e1000.c
		32	index cf22c4f07..c3564c7ce 100644
		33	--- a/hw/net/e1000.c
		34	+++ b/hw/net/e1000.c
		35	@@ -670,6 +670,9 @@ process_tx_desc(E1000State s, struct e1000_tx_desc dp)
		36	msh = tp->tso_props.hdr_len + tp->tso_props.mss;
		37	do {
		38	bytes = split_size;
		39	+ if (tp->size >= msh) {
		40	+ goto eop;
		41	+ }
		42	if (tp->size + bytes > msh)
		43	bytes = msh - tp->size;
		44
		45	@@ -695,6 +698,7 @@ process_tx_desc(E1000State s, struct e1000_tx_desc dp)
		46	tp->size += split_size;
		47	}
		48
		49	+eop:
		50	if (!(txd_lower & E1000_TXD_CMD_EOP))
		51	return;
		52	if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) {
		53	--
		54	2.29.2
		55