From: Rahul Taya <[email protected]> Added below patch to fix CVE-2020-13791.
CVE-2020-13791.patch Signed-off-by: Rahul Taya <[email protected]> --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2020-13791.patch | 52 +++++++++++++++++++ 2 files changed, 53 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 5e8d3e09ff..01c78f6577 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -54,6 +54,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2020-24352.patch \ file://CVE-2020-25723.patch \ file://CVE-2021-20203.patch \ + file://CVE-2020-13791.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch new file mode 100644 index 0000000000..6582abce59 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch @@ -0,0 +1,52 @@ +From f7d6a635fa3b7797f9d072e280f065bf3cfcd24d Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <[email protected]> +Date: Thu, 4 Jun 2020 17:05:25 +0530 +Subject: [PATCH] pci: assert configuration access is within bounds +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +While accessing PCI configuration bytes, assert that +'address + len' is within PCI configuration space. + +Generally it is within bounds. This is more of a defensive +assert, in case a buggy device was to send 'address' which +may go out of bounds. + +Suggested-by: Philippe Mathieu-Daudé <[email protected]> +Signed-off-by: Prasad J Pandit <[email protected]> +Message-Id: <[email protected]> +Reviewed-by: Michael S. Tsirkin <[email protected]> +Signed-off-by: Michael S. Tsirkin <[email protected]> + +CVE: CVE-2020-13791 +Upstream-Status: Backport[https://github.com/qemu/qemu/commit/f7d6a635fa3b7797f9d072e280f065bf3cfcd24d.patch] +Comment: No hunks refreshed and no warnings were seen while applying patch. +Affected version: >=4.2.0 but patch already present in Master and Gatesgarth branches. +Signed-off-by: Rahul Taya <[email protected]> +--- + hw/pci/pci.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/hw/pci/pci.c b/hw/pci/pci.c +index 70c66965f56..7bf2ae6d92a 100644 +--- a/hw/pci/pci.c ++++ b/hw/pci/pci.c +@@ -1381,6 +1381,8 @@ uint32_t pci_default_read_config(PCIDevice *d, + { + uint32_t val = 0; + ++ assert(address + len <= pci_config_size(d)); ++ + if (pci_is_express_downstream_port(d) && + ranges_overlap(address, len, d->exp.exp_cap + PCI_EXP_LNKSTA, 2)) { + pcie_sync_bridge_lnk(d); +@@ -1394,6 +1396,8 @@ void pci_default_write_config(PCIDevice *d, uint32_t addr, uint32_t val_in, int + int i, was_irq_disabled = pci_irq_disabled(d); + uint32_t val = val_in; + ++ assert(addr + l <= pci_config_size(d)); ++ + for (i = 0; i < l; val >>= 8, ++i) { + uint8_t wmask = d->wmask[addr + i]; + uint8_t w1cmask = d->w1cmask[addr + i]; -- 2.17.1 This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#90474): https://lists.openembedded.org/g/openembedded-devel/message/90474 Mute This Topic: https://lists.openembedded.org/mt/81745765/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
