On Wed, Mar 31, 2021 at 4:12 AM Khem Raj <[email protected]> wrote:
>
> this is wrong ml for oe-core patches, they should go to oe-core mailing
> list.
Also, it doesn't apply to the current head of the oe-core dunfell branch! Please rebase on current dunfell branch and send a V2 to [email protected] Thanks for helping with CVE's! Steve Steve > On 3/31/21 2:29 AM, Rahul.Taya wrote: > > From: Rahul Taya <[email protected]> > > > > Added below patch to fix CVE-2020-13791. > > > > CVE-2020-13791.patch > > > > Signed-off-by: Rahul Taya <[email protected]> > > --- > > meta/recipes-devtools/qemu/qemu.inc | 1 + > > .../qemu/qemu/CVE-2020-13791.patch | 52 +++++++++++++++++++ > > 2 files changed, 53 insertions(+) > > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch > > > > diff --git a/meta/recipes-devtools/qemu/qemu.inc > > b/meta/recipes-devtools/qemu/qemu.inc > > index 5e8d3e09ff..01c78f6577 100644 > > --- a/meta/recipes-devtools/qemu/qemu.inc > > +++ b/meta/recipes-devtools/qemu/qemu.inc > > @@ -54,6 +54,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ > > file://CVE-2020-24352.patch \ > > file://CVE-2020-25723.patch \ > > file://CVE-2021-20203.patch \ > > + file://CVE-2020-13791.patch \ > > " > > UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" > > > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch > > b/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch > > new file mode 100644 > > index 0000000000..6582abce59 > > --- /dev/null > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch 
> > @@ -0,0 +1,52 @@ > > +From f7d6a635fa3b7797f9d072e280f065bf3cfcd24d Mon Sep 17 00:00:00 2001 > > +From: Prasad J Pandit <[email protected]> > > +Date: Thu, 4 Jun 2020 17:05:25 +0530 > > +Subject: [PATCH] pci: assert configuration access is within bounds > > +MIME-Version: 1.0 > > +Content-Type: text/plain; charset=UTF-8 > > +Content-Transfer-Encoding: 8bit > > + > > +While accessing PCI configuration bytes, assert that > > +'address + len' is within PCI configuration space. > > + > > +Generally it is within bounds. This is more of a defensive > > +assert, in case a buggy device was to send 'address' which > > +may go out of bounds. > > + > > +Suggested-by: Philippe Mathieu-Daudé <[email protected]> > > +Signed-off-by: Prasad J Pandit <[email protected]> > > +Message-Id: <[email protected]> > > +Reviewed-by: Michael S. Tsirkin <[email protected]> > > +Signed-off-by: Michael S. Tsirkin <[email protected]> > > + > > +CVE: CVE-2020-13791 > > +Upstream-Status: > > Backport[https://github.com/qemu/qemu/commit/f7d6a635fa3b7797f9d072e280f065bf3cfcd24d.patch] > > +Comment: No hunks refreshed and no warnings were seen while applying patch. > > +Affected version: >=4.2.0 but patch already present in Master and > > Gatesgarth branches. 
> > +Signed-off-by: Rahul Taya <[email protected]> > > +--- > > + hw/pci/pci.c | 4 ++++ > > + 1 file changed, 4 insertions(+) > > + > > +diff --git a/hw/pci/pci.c b/hw/pci/pci.c > > +index 70c66965f56..7bf2ae6d92a 100644 > > +--- a/hw/pci/pci.c > > ++++ b/hw/pci/pci.c > > +@@ -1381,6 +1381,8 @@ uint32_t pci_default_read_config(PCIDevice *d, > > + { > > + uint32_t val = 0; > > + > > ++ assert(address + len <= pci_config_size(d)); > > ++ > > + if (pci_is_express_downstream_port(d) && > > + ranges_overlap(address, len, d->exp.exp_cap + PCI_EXP_LNKSTA, 2)) > > { > > + pcie_sync_bridge_lnk(d); > > +@@ -1394,6 +1396,8 @@ void pci_default_write_config(PCIDevice *d, uint32_t > > addr, uint32_t val_in, int > > + int i, was_irq_disabled = pci_irq_disabled(d); > > + uint32_t val = val_in; > > + > > ++ assert(addr + l <= pci_config_size(d)); > > ++ > > + for (i = 0; i < l; val >>= 8, ++i) { > > + uint8_t wmask = d->wmask[addr + i]; > > + uint8_t w1cmask = d->w1cmask[addr + i]; > > -- > > 2.17.1 > > > > This message contains information that may be privileged or confidential > > and is the property of the KPIT Technologies Ltd. It is intended only for > > the person to whom it is addressed. If you are not the intended recipient, > > you are not authorized to read, print, retain copy, disseminate, > > distribute, or use this message or any part thereof. If you receive this > > message in error, please notify the sender immediately and delete all > > copies of this message. KPIT Technologies Ltd. does not accept any > > liability for virus infected mails. > > > > >
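Review bot: In the header of the new CVE-2020-13791.patch, the Upstream-Status tag is written as 'Backport[https://...]' with no space before the bracket, and it is followed by free-form 'Comment:' and 'Affected version:' lines in the tag block. Please write it as 'Upstream-Status: Backport [<url>]' on one line and move the remarks about hunks applying cleanly and about the affected versions into the oe-core commit message, which currently says only "Added below patch to fix CVE-2020-13791".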
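Review bot: The bounds check added at the top of pci_default_read_config is an assert(), so it only takes effect in builds where assertions are compiled in, and when it fires it aborts the QEMU process instead of rejecting the access. Please confirm that the dunfell qemu recipe does not build with NDEBUG defined, and state in the commit message that an out-of-range configuration access now ends in an abort.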
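Review bot: In the pci_default_write_config hunk, 'addr' is a uint32_t per the hunk header, so 'addr + l' in the new assert is evaluated in 32-bit unsigned arithmetic and a value of addr close to the top of the range would wrap and pass the check. Since this is a backport, keep the hunk identical to the upstream commit, but it is worth checking that the callers cannot pass such an address, or raising a wrap-safe form upstream (compare l against the config size first, then addr against size minus l).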
