diff options
| author |   Sakib Sajal <sakib.sajal@windriver.com> | 2020-07-14 15:51:17 -0400 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-07-18 11:06:27 +0100 |
| commit | 1bf0e91512b2c157259ed529d1fc7ea7cdac1889 (patch) | |
| tree | e9846219272d2d3f98f00ee317b3e6f085933aab | |
| parent | 3a95b5a67ce981b8949d9e5067762b7127d15353 (diff) | |
| download | openembedded-core-contrib-1bf0e91512b2c157259ed529d1fc7ea7cdac1889.tar.gz | |
qemu: fix CVE-2020-13659
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch | 58 |
2 files changed, 59 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 98bdff7ac6..a9ef3b78bf 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -33,6 +33,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://find_datadir.patch \ file://CVE-2020-10761.patch \ file://CVE-2020-13362.patch \ + file://CVE-2020-13659.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch new file mode 100644 index 0000000000..4d12ae8f16 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch @@ -0,0 +1,58 @@ +From 77f55eac6c433e23e82a1b88b2d74f385c4c7d82 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Tue, 26 May 2020 16:47:43 +0530 +Subject: [PATCH] exec: set map length to zero when returning NULL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When mapping physical memory into host's virtual address space, +'address_space_map' may return NULL if BounceBuffer is in_use. +Set and return '*plen = 0' to avoid later NULL pointer dereference. + +Reported-by: Alexander Bulekov <alxndr@bu.edu> +Fixes: https://bugs.launchpad.net/qemu/+bug/1878259 +Suggested-by: Paolo Bonzini <pbonzini@redhat.com> +Suggested-by: Peter Maydell <peter.maydell@linaro.org> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Message-Id: <20200526111743.428367-1-ppandit@redhat.com> +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +Upstream-Status: Backport [77f55eac6c433e23e82a1b88b2d74f385c4c7d82] +CVE: CVE-2020-13659 +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + exec.c | 1 + + include/exec/memory.h | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/exec.c b/exec.c +index 9cbde85d8c..778263f1c6 100644 +--- a/exec.c ++++ b/exec.c +@@ -3540,6 +3540,7 @@ void *address_space_map(AddressSpace *as, + + if (!memory_access_is_direct(mr, is_write)) { + if (atomic_xchg(&bounce.in_use, true)) { ++ *plen = 0; + return NULL; + } + /* Avoid unbounded allocations */ +diff --git a/include/exec/memory.h b/include/exec/memory.h +index bd7fdd6081..af8ca7824e 100644 +--- a/include/exec/memory.h ++++ b/include/exec/memory.h +@@ -2314,7 +2314,8 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, hwaddr len, + /* address_space_map: map a physical memory region into a host virtual address + * + * May map a subset of the requested range, given by and returned in @plen. +- * May return %NULL if resources needed to perform the mapping are exhausted. ++ * May return %NULL and set *@plen to zero(0), if resources needed to perform ++ * the mapping are exhausted. + * Use only for reads OR writes - not for read-modify-write operations. + * Use cpu_register_map_client() to know when retrying the map operation is + * likely to succeed. +-- +2.20.1 + |