This is the wrong ML for oe-core patches; they should go to the oe-core mailing
list.
On 3/31/21 2:29 AM, Rahul.Taya wrote:
From: Rahul Taya <[email protected]>
Added below patch to fix CVE-2020-13791.
CVE-2020-13791.patch
Signed-off-by: Rahul Taya <[email protected]>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2020-13791.patch | 52 +++++++++++++++++++
2 files changed, 53 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc
b/meta/recipes-devtools/qemu/qemu.inc
index 5e8d3e09ff..01c78f6577 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -54,6 +54,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2020-24352.patch \
file://CVE-2020-25723.patch \
file://CVE-2021-20203.patch \
+ file://CVE-2020-13791.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
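Review bot: The commit message for this SRC_URI addition ("Added below patch to fix CVE-2020-13791.") does not name the branch it targets, although the header of the added patch says the fix is already present in master and gatesgarth. State the target stable branch in the subject prefix and summarise the flaw in one line (PCI configuration access going out of bounds, per the upstream commit text), so the maintainer can route and triage the change without opening the patch file.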
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch
b/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch
new file mode 100644
index 0000000000..6582abce59
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch
@@ -0,0 +1,52 @@
+From f7d6a635fa3b7797f9d072e280f065bf3cfcd24d Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <[email protected]>
+Date: Thu, 4 Jun 2020 17:05:25 +0530
+Subject: [PATCH] pci: assert configuration access is within bounds
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+While accessing PCI configuration bytes, assert that
+'address + len' is within PCI configuration space.
+
+Generally it is within bounds. This is more of a defensive
+assert, in case a buggy device was to send 'address' which
+may go out of bounds.
+
+Suggested-by: Philippe Mathieu-Daudé <[email protected]>
+Signed-off-by: Prasad J Pandit <[email protected]>
+Message-Id: <[email protected]>
+Reviewed-by: Michael S. Tsirkin <[email protected]>
+Signed-off-by: Michael S. Tsirkin <[email protected]>
+
+CVE: CVE-2020-13791
+Upstream-Status:
Backport[https://github.com/qemu/qemu/commit/f7d6a635fa3b7797f9d072e280f065bf3cfcd24d.patch]
+Comment: No hunks refreshed and no warnings were seen while applying patch.
+Affected version: >=4.2.0 but patch already present in Master and Gatesgarth
branches.
+Signed-off-by: Rahul Taya <[email protected]>
+---
+ hw/pci/pci.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/pci/pci.c b/hw/pci/pci.c
+index 70c66965f56..7bf2ae6d92a 100644
+--- a/hw/pci/pci.c
++++ b/hw/pci/pci.c
+@@ -1381,6 +1381,8 @@ uint32_t pci_default_read_config(PCIDevice *d,
+ {
+ uint32_t val = 0;
+
++ assert(address + len <= pci_config_size(d));
++
+ if (pci_is_express_downstream_port(d) &&
+ ranges_overlap(address, len, d->exp.exp_cap + PCI_EXP_LNKSTA, 2)) {
+ pcie_sync_bridge_lnk(d);
+@@ -1394,6 +1396,8 @@ void pci_default_write_config(PCIDevice *d, uint32_t
addr, uint32_t val_in, int
+ int i, was_irq_disabled = pci_irq_disabled(d);
+ uint32_t val = val_in;
+
++ assert(addr + l <= pci_config_size(d));
++
+ for (i = 0; i < l; val >>= 8, ++i) {
+ uint8_t wmask = d->wmask[addr + i];
+ uint8_t w1cmask = d->w1cmask[addr + i];
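Review bot: The tag block in the header of the added CVE-2020-13791.patch is not in the usual form: "Upstream-Status:" is followed by "Backport[https://...]" with no space before the bracket, and the free-form "Comment:" and "Affected version:" lines sit between the tags. Write it as "Upstream-Status: Backport [URL]" and move the notes about affected versions and clean application into the commit message of this change, leaving only the CVE, Upstream-Status and Signed-off-by tags in the patch header. Separately, in the pci_default_write_config hunk "addr" is declared uint32_t, so "addr + l" in the new assert is evaluated in 32-bit unsigned arithmetic and can wrap for an addr near the top of the range; as a backport this should stay identical to upstream, so that point is one to raise there rather than to change here.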
--
2.17.1
View/Reply Online (#90476):
https://lists.openembedded.org/g/openembedded-devel/message/90476