mirror of
https://git.yoctoproject.org/poky
synced 2026-06-02 13:29:49 +00:00
qemu: Security fix CVE-2020-25085
Source: qemu.org MR: 105773 Type: Security Fix Disposition: Backport from https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg00733.html ChangeID: 77c8a9e75b94da3c03c64c95d9e6ab9d45037572 Description: (From OE-Core rev: 6b4c58a31ec11e557d40c31f2532985dd53e61eb) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Armin Kuster
committed by
Richard Purdie
Richard Purdie
parent
02108b6dbc
commit
e142f4ebfb
@@ -35,27 +35,28 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
|
|||||||
file://CVE-2020-7039-2.patch \
|
file://CVE-2020-7039-2.patch \
|
||||||
file://CVE-2020-7039-3.patch \
|
file://CVE-2020-7039-3.patch \
|
||||||
file://0001-Add-enable-disable-udev.patch \
|
file://0001-Add-enable-disable-udev.patch \
|
||||||
file://CVE-2020-7211.patch \
|
file://CVE-2020-7211.patch \
|
||||||
file://0001-qemu-Do-not-include-file-if-not-exists.patch \
|
file://0001-qemu-Do-not-include-file-if-not-exists.patch \
|
||||||
file://CVE-2020-11102.patch \
|
file://CVE-2020-11102.patch \
|
||||||
file://CVE-2020-11869.patch \
|
file://CVE-2020-11869.patch \
|
||||||
file://CVE-2020-13361.patch \
|
file://CVE-2020-13361.patch \
|
||||||
file://CVE-2020-10761.patch \
|
file://CVE-2020-10761.patch \
|
||||||
file://CVE-2020-10702.patch \
|
file://CVE-2020-10702.patch \
|
||||||
file://CVE-2020-13659.patch \
|
file://CVE-2020-13659.patch \
|
||||||
file://CVE-2020-13800.patch \
|
file://CVE-2020-13800.patch \
|
||||||
file://CVE-2020-13362.patch \
|
file://CVE-2020-13362.patch \
|
||||||
file://CVE-2020-15863.patch \
|
file://CVE-2020-15863.patch \
|
||||||
file://CVE-2020-14364.patch \
|
file://CVE-2020-14364.patch \
|
||||||
file://CVE-2020-14415.patch \
|
file://CVE-2020-14415.patch \
|
||||||
file://CVE-2020-16092.patch \
|
file://CVE-2020-16092.patch \
|
||||||
file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \
|
file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \
|
||||||
file://CVE-2019-20175.patch \
|
file://CVE-2019-20175.patch \
|
||||||
file://CVE-2020-24352.patch \
|
file://CVE-2020-24352.patch \
|
||||||
file://CVE-2020-25723.patch \
|
file://CVE-2020-25723.patch \
|
||||||
file://CVE-2021-20203.patch \
|
file://CVE-2021-20203.patch \
|
||||||
file://CVE-2021-3392.patch \
|
file://CVE-2021-3392.patch \
|
||||||
"
|
file://CVE-2020-25085.patch \
|
||||||
|
"
|
||||||
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
|
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
|
||||||
|
|
||||||
SRC_URI[md5sum] = "278eeb294e4b497e79af7a57e660cb9a"
|
SRC_URI[md5sum] = "278eeb294e4b497e79af7a57e660cb9a"
|
||||||
|
|||||||
@@ -0,0 +1,46 @@
|
|||||||
|
From dfba99f17feb6d4a129da19d38df1bcd8579d1c3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
|
||||||
|
Date: Tue, 1 Sep 2020 15:22:06 +0200
|
||||||
|
Subject: [PATCH] hw/sd/sdhci: Fix DMA Transfer Block Size field
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
The 'Transfer Block Size' field is 12-bit wide.
|
||||||
|
|
||||||
|
See section '2.2.2. Block Size Register (Offset 004h)' in datasheet.
|
||||||
|
|
||||||
|
Two different bug reproducer available:
|
||||||
|
- https://bugs.launchpad.net/qemu/+bug/1892960
|
||||||
|
- https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fsdhci_oob_write1
|
||||||
|
|
||||||
|
Cc: qemu-stable@nongnu.org
|
||||||
|
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
|
||||||
|
Fixes: d7dfca0807a ("hw/sdhci: introduce standard SD host controller")
|
||||||
|
Reported-by: Alexander Bulekov <alxndr@bu.edu>
|
||||||
|
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
|
||||||
|
Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||||
|
Tested-by: Alexander Bulekov <alxndr@bu.edu>
|
||||||
|
Message-Id: <20200901140411.112150-3-f4bug@amsat.org>
|
||||||
|
|
||||||
|
Upstream-Status: Backport
|
||||||
|
CVE: CVE-2020-25085
|
||||||
|
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
||||||
|
|
||||||
|
---
|
||||||
|
hw/sd/sdhci.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
Index: qemu-4.2.0/hw/sd/sdhci.c
|
||||||
|
===================================================================
|
||||||
|
--- qemu-4.2.0.orig/hw/sd/sdhci.c
|
||||||
|
+++ qemu-4.2.0/hw/sd/sdhci.c
|
||||||
|
@@ -1129,7 +1129,7 @@ sdhci_write(void *opaque, hwaddr offset,
|
||||||
|
break;
|
||||||
|
case SDHC_BLKSIZE:
|
||||||
|
if (!TRANSFERRING_DATA(s->prnsts)) {
|
||||||
|
- MASKED_WRITE(s->blksize, mask, value);
|
||||||
|
+ MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
|
||||||
|
MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
|
||||||
|
}
|
||||||
|
|
||||||
Reference in New Issue
Block a user