Diffstat (limited to 'poky/meta/recipes-devtools/qemu')
5 files changed, 234 insertions, 1 deletions
diff --git a/poky/meta/recipes-devtools/qemu/qemu.inc b/poky/meta/recipes-devtools/qemu/qemu.inc
index d41cc8f200..b1c822b1a8 100644
--- a/poky/meta/recipes-devtools/qemu/qemu.inc
+++ b/poky/meta/recipes-devtools/qemu/qemu.inc
@@ -32,6 +32,10 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://CVE-2020-13361.patch \
 file://find_datadir.patch \
 file://CVE-2020-10761.patch \
+ file://CVE-2020-13362.patch \
+ file://CVE-2020-13659.patch \
+ file://CVE-2020-13800.patch \
+ file://CVE-2020-13791.patch \
 "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
@@ -140,7 +144,7 @@ PACKAGECONFIG_remove_darwin = "kvm virglrenderer glx gtk+"
 PACKAGECONFIG_remove_mingw32 = "kvm virglrenderer glx gtk+"
 PACKAGECONFIG[sdl] = "--enable-sdl,--disable-sdl,libsdl2"
-PACKAGECONFIG[virtfs] = "--enable-virtfs --enable-attr,--disable-virtfs,libcap-ng attr,"
+PACKAGECONFIG[virtfs] = "--enable-virtfs --enable-attr --enable-cap-ng,--disable-virtfs,libcap-ng attr,"
 PACKAGECONFIG[aio] = "--enable-linux-aio,--disable-linux-aio,libaio,"
 PACKAGECONFIG[xfs] = "--enable-xfsctl,--disable-xfsctl,xfsprogs,"
 PACKAGECONFIG[xen] = "--enable-xen,--disable-xen,xen-tools,xen-tools-libxenstore xen-tools-libxenctrl xen-tools-libxenguest"
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch
new file mode 100644
index 0000000000..af8d4ba8f4
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch
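Review bot: The enable branch of `PACKAGECONFIG[virtfs]` now passes `--enable-cap-ng`, but the disable branch is still only `--disable-virtfs`, so with virtfs off configure is left to autodetect libcap-ng (and attr) from whatever happens to be in the sysroot, which is the floating-dependency pattern PACKAGECONFIG exists to avoid. If nothing else in this build relies on autodetected cap-ng, mirror the flags on the disable side: `PACKAGECONFIG[virtfs] = "--enable-virtfs --enable-attr --enable-cap-ng,--disable-virtfs --disable-attr --disable-cap-ng,libcap-ng attr,"`. The attr half of that asymmetry predates this change, so this is an opportunity rather than a regression introduced here.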
@@ -0,0 +1,55 @@
+From f50ab86a2620bd7e8507af865b164655ee921661 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 14 May 2020 00:55:38 +0530
+Subject: [PATCH] megasas: use unsigned type for reply_queue_head and check
+ index
+
+A guest user may set 'reply_queue_head' field of MegasasState to
+a negative value. Later in 'megasas_lookup_frame' it is used to
+index into s->frames[] array. Use unsigned type to avoid OOB
+access issue.
+
+Also check that 'index' value stays within s->frames[] bounds
+through the while() loop in 'megasas_lookup_frame' to avoid OOB
+access.
+
+Reported-by: Ren Ding <rding@gatech.edu>
+Reported-by: Hanqing Zhao <hanqing@gatech.edu>
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Acked-by: Alexander Bulekov <alxndr@bu.edu>
+Message-Id: <20200513192540.1583887-2-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+Upstream-Status: Backport [f50ab86a2620bd7e8507af865b164655ee921661]
+CVE: CVE-2020-13362
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/scsi/megasas.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index af18c88b65..6ce598cd69 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -112,7 +112,7 @@ typedef struct MegasasState {
+ uint64_t reply_queue_pa;
+ void *reply_queue;
+ int reply_queue_len;
+- int reply_queue_head;
++ uint16_t reply_queue_head;
+ int reply_queue_tail;
+ uint64_t consumer_pa;
+ uint64_t producer_pa;
+@@ -445,7 +445,7 @@ static MegasasCmd *megasas_lookup_frame(MegasasState *s,
+
+ index = s->reply_queue_head;
+
+- while (num < s->fw_cmds) {
++ while (num < s->fw_cmds && index < MEGASAS_MAX_FRAMES) {
+ if (s->frames[index].pa && s->frames[index].pa == frame) {
+ cmd = &s->frames[index];
+ break;
+--
+2.20.1
+
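Review bot: The backport narrows `reply_queue_head` to `uint16_t` but only the loop in megasas_lookup_frame gains a bound, so the `index < MEGASAS_MAX_FRAMES` comparison is the effective guard and a wider guest-written value would presumably be truncated on assignment rather than rejected; other readers of the field lie outside this hunk and are worth checking for the same assumption. A comment at the field would make that contract visible to the next maintainer: `uint16_t reply_queue_head; /* guest-writable; bounded by MEGASAS_MAX_FRAMES in megasas_lookup_frame() */`. Since this file is a verbatim upstream backport, such an addition belongs in a follow-up patch rather than in the vendored text.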
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch
new file mode 100644
index 0000000000..4d12ae8f16
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch
@@ -0,0 +1,58 @@
+From 77f55eac6c433e23e82a1b88b2d74f385c4c7d82 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 26 May 2020 16:47:43 +0530
+Subject: [PATCH] exec: set map length to zero when returning NULL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When mapping physical memory into host's virtual address space,
+'address_space_map' may return NULL if BounceBuffer is in_use.
+Set and return '*plen = 0' to avoid later NULL pointer dereference.
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Fixes: https://bugs.launchpad.net/qemu/+bug/1878259
+Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
+Suggested-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20200526111743.428367-1-ppandit@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+Upstream-Status: Backport [77f55eac6c433e23e82a1b88b2d74f385c4c7d82]
+CVE: CVE-2020-13659
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ exec.c | 1 +
+ include/exec/memory.h | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/exec.c b/exec.c
+index 9cbde85d8c..778263f1c6 100644
+--- a/exec.c
++++ b/exec.c
+@@ -3540,6 +3540,7 @@ void *address_space_map(AddressSpace *as,
+
+ if (!memory_access_is_direct(mr, is_write)) {
+ if (atomic_xchg(&bounce.in_use, true)) {
++ *plen = 0;
+ return NULL;
+ }
+ /* Avoid unbounded allocations */
+diff --git a/include/exec/memory.h b/include/exec/memory.h
+index bd7fdd6081..af8ca7824e 100644
+--- a/include/exec/memory.h
++++ b/include/exec/memory.h
+@@ -2314,7 +2314,8 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, hwaddr len,
+ /* address_space_map: map a physical memory region into a host virtual address
+ *
+ * May map a subset of the requested range, given by and returned in @plen.
+- * May return %NULL if resources needed to perform the mapping are exhausted.
++ * May return %NULL and set *@plen to zero(0), if resources needed to perform
++ * the mapping are exhausted.
+ * Use only for reads OR writes - not for read-modify-write operations.
+ * Use cpu_register_map_client() to know when retrying the map operation is
+ * likely to succeed.
+--
+2.20.1
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch
new file mode 100644
index 0000000000..049dab914d
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch
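Review bot: The new `*plen = 0` store sits only on the bounce-buffer-busy path, yet the updated header comment promises that every NULL return comes with `*plen` set to zero; address_space_map begins outside the hunk, so any other `return NULL` in it should be confirmed to leave `*plen` at zero, otherwise the documented contract is stronger than the code. Callers that only test the returned pointer are unaffected, while callers that consume `*plen` before the NULL check are exactly the case this fix closes, which is worth keeping in mind when reviewing the rest of the function. Minor wording in the comment: `zero(0)` can simply read `zero`.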
@@ -0,0 +1,53 @@
+From f7d6a635fa3b7797f9d072e280f065bf3cfcd24d Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 4 Jun 2020 17:05:25 +0530
+Subject: [PATCH] pci: assert configuration access is within bounds
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+While accessing PCI configuration bytes, assert that
+'address + len' is within PCI configuration space.
+
+Generally it is within bounds. This is more of a defensive
+assert, in case a buggy device was to send 'address' which
+may go out of bounds.
+
+Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20200604113525.58898-1-ppandit@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+Upstream-Status: Backport [f7d6a635fa3b7797f9d072e280f065bf3cfcd24d]
+CVE: CVE-2020-13791
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/pci/pci.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/pci/pci.c b/hw/pci/pci.c
+index 70c66965f5..7bf2ae6d92 100644
+--- a/hw/pci/pci.c
++++ b/hw/pci/pci.c
+@@ -1381,6 +1381,8 @@ uint32_t pci_default_read_config(PCIDevice *d,
+ {
+ uint32_t val = 0;
+
++ assert(address + len <= pci_config_size(d));
++
+ if (pci_is_express_downstream_port(d) &&
+ ranges_overlap(address, len, d->exp.exp_cap + PCI_EXP_LNKSTA, 2)) {
+ pcie_sync_bridge_lnk(d);
+@@ -1394,6 +1396,8 @@ void pci_default_write_config(PCIDevice *d, uint32_t addr, uint32_t val_in, int
+ int i, was_irq_disabled = pci_irq_disabled(d);
+ uint32_t val = val_in;
+
++ assert(addr + l <= pci_config_size(d));
++
+ for (i = 0; i < l; val >>= 8, ++i) {
+ uint8_t wmask = d->wmask[addr + i];
+ uint8_t w1cmask = d->w1cmask[addr + i];
+--
+2.20.1
+
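Review bot: `assert(addr + l <= pci_config_size(d))` is evaluated in the width of `addr`, which the hunk header shows is `uint32_t`, so a value near the top of that range with a small positive `l` wraps, passes the check, and still reaches the out-of-bounds `d->wmask[addr + i]` indexing below; the same applies to `address + len` in the read path. Callers presumably bound the address before it reaches these default handlers, which is why upstream describes this as a defensive assert, but a wrap-free form keeps the guard self-sufficient: `assert(addr <= pci_config_size(d) && l <= pci_config_size(d) - addr);` with the matching change for `address`/`len`. Note that the assert turns an out-of-range access from a buggy device model into an abort of the whole VM, i.e. fail-closed rather than a silent out-of-bounds read, which is the intended behaviour here. Both function bodies continue outside the hunk.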
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch
new file mode 100644
index 0000000000..52bfafbbae
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch
@@ -0,0 +1,63 @@
+From a98610c429d52db0937c1e48659428929835c455 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 4 Jun 2020 14:38:30 +0530
+Subject: [PATCH] ati-vga: check mm_index before recursive call
+ (CVE-2020-13800)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+While accessing VGA registers via ati_mm_read/write routines,
+a guest may set 's->regs.mm_index' such that it leads to infinite
+recursion. Check mm_index value to avoid such recursion. Log an
+error message for wrong values.
+
+Reported-by: Ren Ding <rding@gatech.edu>
+Reported-by: Hanqing Zhao <hanqing@gatech.edu>
+Reported-by: Yi Ren <c4tren@gmail.com>
+Message-id: 20200604090830.33885-1-ppandit@redhat.com
+Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>
+Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport [a98610c429d52db0937c1e48659428929835c455]
+CVE: CVE-2020-13800
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/display/ati.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/hw/display/ati.c b/hw/display/ati.c
+index 065f197678..67604e68de 100644
+--- a/hw/display/ati.c
++++ b/hw/display/ati.c
+@@ -285,8 +285,11 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
+ if (idx <= s->vga.vram_size - size) {
+ val = ldn_le_p(s->vga.vram_ptr + idx, size);
+ }
+- } else {
++ } else if (s->regs.mm_index > MM_DATA + 3) {
+ val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
++ } else {
++ qemu_log_mask(LOG_GUEST_ERROR,
++ "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index);
+ }
+ break;
+ case BIOS_0_SCRATCH ... 
BUS_CNTL - 1:
+@@ -520,8 +523,11 @@ static void ati_mm_write(void *opaque, hwaddr addr,
+ if (idx <= s->vga.vram_size - size) {
+ stn_le_p(s->vga.vram_ptr + idx, size, data);
+ }
+- } else {
++ } else if (s->regs.mm_index > MM_DATA + 3) {
+ ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
++ } else {
++ qemu_log_mask(LOG_GUEST_ERROR,
++ "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index);
+ }
+ break;
+ case BIOS_0_SCRATCH ... BUS_CNTL - 1:
+--
+2.20.1
+ |
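Review bot: The `s->regs.mm_index > MM_DATA + 3` guard and its LOG_GUEST_ERROR branch are duplicated verbatim between ati_mm_read and ati_mm_write, and neither says why `MM_DATA + 3` is the threshold; presumably the enclosing case arm covers the MM_DATA window, so any mm_index past it yields a recursive address outside that window and the recursion terminates after one level. A comment on the `else if` in both places would capture that reasoning for the next reader: `/* mm_index must point past the MM_DATA window or the recursive access would land back here */`. As this file is a vendored upstream backport, the comment belongs in a follow-up rather than in the patch text itself. Both function bodies extend outside the hunk.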