diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch | 63 |
1 files changed, 0 insertions, 63 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch deleted file mode 100644 index 52bfafbbae..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch +++ /dev/null @@ -1,63 +0,0 @@ -From a98610c429d52db0937c1e48659428929835c455 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit <pjp@fedoraproject.org> -Date: Thu, 4 Jun 2020 14:38:30 +0530 -Subject: [PATCH] ati-vga: check mm_index before recursive call - (CVE-2020-13800) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -While accessing VGA registers via ati_mm_read/write routines, -a guest may set 's->regs.mm_index' such that it leads to infinite -recursion. Check mm_index value to avoid such recursion. Log an -error message for wrong values. - -Reported-by: Ren Ding <rding@gatech.edu> -Reported-by: Hanqing Zhao <hanqing@gatech.edu> -Reported-by: Yi Ren <c4tren@gmail.com> -Message-id: 20200604090830.33885-1-ppandit@redhat.com -Suggested-by: BALATON Zoltan <balaton@eik.bme.hu> -Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com> -Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> - -Upstream-Status: Backport [a98610c429d52db0937c1e48659428929835c455] -CVE: CVE-2020-13800 -Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> ---- - hw/display/ati.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/hw/display/ati.c b/hw/display/ati.c -index 065f197678..67604e68de 100644 ---- a/hw/display/ati.c -+++ b/hw/display/ati.c -@@ -285,8 +285,11 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size) - if (idx <= s->vga.vram_size - size) { - val = ldn_le_p(s->vga.vram_ptr + idx, size); - } -- } else { -+ } else if (s->regs.mm_index > MM_DATA + 3) { - val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size); -+ } else { -+ qemu_log_mask(LOG_GUEST_ERROR, -+ "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index); - } - break; - case BIOS_0_SCRATCH ... BUS_CNTL - 1: -@@ -520,8 +523,11 @@ static void ati_mm_write(void *opaque, hwaddr addr, - if (idx <= s->vga.vram_size - size) { - stn_le_p(s->vga.vram_ptr + idx, size, data); - } -- } else { -+ } else if (s->regs.mm_index > MM_DATA + 3) { - ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size); -+ } else { -+ qemu_log_mask(LOG_GUEST_ERROR, -+ "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index); - } - break; - case BIOS_0_SCRATCH ... BUS_CNTL - 1: --- -2.20.1 - |