diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2020-15469-5.patch')
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-15469-5.patch | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-5.patch new file mode 100644 index 0000000000..49c6c5e3e2 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-5.patch @@ -0,0 +1,53 @@ +From b5bf601f364e1a14ca4c3276f88dfec024acf613 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Tue, 11 Aug 2020 17:11:29 +0530 +Subject: [PATCH] nvram: add nrf51_soc flash read method + +Add nrf51_soc mmio read method to avoid NULL pointer dereference +issue. + +Reported-by: Lei Sun <slei.casper@gmail.com> +Reviewed-by: Peter Maydell <peter.maydell@linaro.org> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Reviewed-by: Li Qiang <liq3ea@gmail.com> +Message-Id: <20200811114133.672647-6-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +CVE: CVE-2020-15469 +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-5.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/b5bf601f364e1a14ca4c3276f88dfec024acf613 ] +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + hw/nvram/nrf51_nvm.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/hw/nvram/nrf51_nvm.c b/hw/nvram/nrf51_nvm.c +index f2283c1..7b3460d 100644 +--- a/hw/nvram/nrf51_nvm.c ++++ b/hw/nvram/nrf51_nvm.c +@@ -273,6 +273,15 @@ static const MemoryRegionOps io_ops = { + .endianness = DEVICE_LITTLE_ENDIAN, + }; + ++static uint64_t flash_read(void *opaque, hwaddr offset, unsigned size) ++{ ++ /* ++ * This is a rom_device MemoryRegion which is always in ++ * romd_mode (we never put it in MMIO mode), so reads always ++ * go directly to RAM and never come here. ++ */ ++ g_assert_not_reached(); ++} + + static void flash_write(void *opaque, hwaddr offset, uint64_t value, + unsigned int size) +@@ -300,6 +309,7 @@ static void flash_write(void *opaque, hwaddr offset, uint64_t value, + + + static const MemoryRegionOps flash_ops = { ++ .read = flash_read, + .write = flash_write, + .valid.min_access_size = 4, + .valid.max_access_size = 4, +-- +1.8.3.1 + |