diff options
author | Armin Kuster <akuster@mvista.com> | 2021-08-20 16:55:13 -0700 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2021-08-22 12:03:57 -1000 |
commit | 6b4c58a31ec11e557d40c31f2532985dd53e61eb (patch) | |
tree | 41bff9c6050eb8be4dbe33390fdf340dbf1a64cf | |
parent | 97348726aea3ee088f48715df0e64a172665855d (diff) | |
download | openembedded-core-6b4c58a31ec11e557d40c31f2532985dd53e61eb.tar.gz |
qemu: Security fix CVE-2020-25085
Source: qemu.org
MR: 105773
Type: Security Fix
Disposition: Backport from https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg00733.html
ChangeID: 77c8a9e75b94da3c03c64c95d9e6ab9d45037572
Description:
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 41 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-25085.patch | 46 |
2 files changed, 67 insertions, 20 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index e25c2524aa..a33008670b 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -35,27 +35,28 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2020-7039-2.patch \ file://CVE-2020-7039-3.patch \ file://0001-Add-enable-disable-udev.patch \ - file://CVE-2020-7211.patch \ - file://0001-qemu-Do-not-include-file-if-not-exists.patch \ + file://CVE-2020-7211.patch \ + file://0001-qemu-Do-not-include-file-if-not-exists.patch \ file://CVE-2020-11102.patch \ - file://CVE-2020-11869.patch \ - file://CVE-2020-13361.patch \ - file://CVE-2020-10761.patch \ - file://CVE-2020-10702.patch \ - file://CVE-2020-13659.patch \ - file://CVE-2020-13800.patch \ - file://CVE-2020-13362.patch \ - file://CVE-2020-15863.patch \ - file://CVE-2020-14364.patch \ - file://CVE-2020-14415.patch \ - file://CVE-2020-16092.patch \ - file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \ - file://CVE-2019-20175.patch \ - file://CVE-2020-24352.patch \ - file://CVE-2020-25723.patch \ - file://CVE-2021-20203.patch \ - file://CVE-2021-3392.patch \ - " + file://CVE-2020-11869.patch \ + file://CVE-2020-13361.patch \ + file://CVE-2020-10761.patch \ + file://CVE-2020-10702.patch \ + file://CVE-2020-13659.patch \ + file://CVE-2020-13800.patch \ + file://CVE-2020-13362.patch \ + file://CVE-2020-15863.patch \ + file://CVE-2020-14364.patch \ + file://CVE-2020-14415.patch \ + file://CVE-2020-16092.patch \ + file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \ + file://CVE-2019-20175.patch \ + file://CVE-2020-24352.patch \ + file://CVE-2020-25723.patch \ + file://CVE-2021-20203.patch \ + file://CVE-2021-3392.patch \ + file://CVE-2020-25085.patch \ + " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" SRC_URI[md5sum] = "278eeb294e4b497e79af7a57e660cb9a" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25085.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25085.patch new file mode 100644 index 0000000000..be19256cef --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25085.patch @@ -0,0 +1,46 @@ +From dfba99f17feb6d4a129da19d38df1bcd8579d1c3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org> +Date: Tue, 1 Sep 2020 15:22:06 +0200 +Subject: [PATCH] hw/sd/sdhci: Fix DMA Transfer Block Size field +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The 'Transfer Block Size' field is 12-bit wide. + +See section '2.2.2. Block Size Register (Offset 004h)' in datasheet. + +Two different bug reproducer available: +- https://bugs.launchpad.net/qemu/+bug/1892960 +- https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fsdhci_oob_write1 + +Cc: qemu-stable@nongnu.org +Buglink: https://bugs.launchpad.net/qemu/+bug/1892960 +Fixes: d7dfca0807a ("hw/sdhci: introduce standard SD host controller") +Reported-by: Alexander Bulekov <alxndr@bu.edu> +Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> +Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> +Tested-by: Alexander Bulekov <alxndr@bu.edu> +Message-Id: <20200901140411.112150-3-f4bug@amsat.org> + +Upstream-Status: Backport +CVE: CVE-2020-25085 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + hw/sd/sdhci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: qemu-4.2.0/hw/sd/sdhci.c +=================================================================== +--- qemu-4.2.0.orig/hw/sd/sdhci.c ++++ qemu-4.2.0/hw/sd/sdhci.c +@@ -1129,7 +1129,7 @@ sdhci_write(void *opaque, hwaddr offset, + break; + case SDHC_BLKSIZE: + if (!TRANSFERRING_DATA(s->prnsts)) { +- MASKED_WRITE(s->blksize, mask, value); ++ MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12)); + MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16); + } + |