Source:
https://gitlab.com/qemu-project/qemu/-/commit/1ab95af033a419e7a64e2d58e67dd96b20af5233
MR: 111637
Type: Security Fix
Disposition: Backport from
https://gitlab.com/qemu-project/qemu/-/commit/1ab95af033a419e7a64e2d58e67dd96b20af5233
ChangeID: c1e435aa25bb60b362bb68ab253ff55504e0328d
Description:
hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196
Guest might select another drive on the bus by setting the
DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR).
The current controller model doesn't expect a BlockBackend
to be NULL. A simple way to fix CVE-2021-20196 is to create
an empty BlockBackend when it is missing. All further
accesses will be safely handled, and the controller state
machines keep behaving correctly.
Signed-off-by: Vivek Kumbhar <[email protected]>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/0001-CVE-2021-20196.patch | 40 +++++++++++++++++++
2 files changed, 41 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/0001-CVE-2021-20196.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc
b/meta/recipes-devtools/qemu/qemu.inc
index 7a963ad57c..2cdb718b1f 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -52,6 +52,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2019-20175.patch \
file://CVE-2020-24352.patch \
file://CVE-2020-25723.patch \
+ file://0001-CVE-2021-20196.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/0001-CVE-2021-20196.patch
b/meta/recipes-devtools/qemu/qemu/0001-CVE-2021-20196.patch
new file mode 100644
index 0000000000..affc8ead58
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0001-CVE-2021-20196.patch
@@ -0,0 +1,40 @@
+From a253e632aea9e0e3f3f2ad3d157f34908e9c2008 Mon Sep 17 00:00:00 2001
+From: Vivek Kumbhar <[email protected]>
+Date: Mon, 10 Oct 2022 10:00:53 +0530
+Subject: [PATCH] CVE-2021-20196
+
+Upstream-Status:
https://gitlab.com/qemu-project/qemu/-/commit/1ab95af033a419e7a64e2d58e67dd96b20af5233
+CVE: CVE-2021-20196
+Signed-off-by: Vivek Kumbhar <[email protected]>
+---
+ hw/block/fdc.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index ac5d31e8..a887369c 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -1356,7 +1356,19 @@ static FDrive *get_drv(FDCtrl *fdctrl, int unit)
+
+ static FDrive *get_cur_drv(FDCtrl *fdctrl)
+ {
+- return get_drv(fdctrl, fdctrl->cur_drv);
++ FDrive *cur_drv = get_drv(fdctrl, fdctrl->cur_drv);
++
++ if (!cur_drv->blk) {
++ /*
++ * Kludge: empty drive line selected. Create an anonymous
++ * BlockBackend to avoid NULL deref with various BlockBackend
++ * API calls within this model (CVE-2021-20196).
++ * Due to the controller QOM model limitations, we don't
++ * attach the created to the controller device.
++ */
++ cur_drv->blk = blk_create_empty_drive();
++ }
++ return cur_drv;
+ }
+
+ /* Status A register : 0x00 (read-only) */
+--
+2.25.1
+
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#99128):
https://lists.openembedded.org/g/openembedded-devel/message/99128
Mute This Topic: https://lists.openembedded.org/mt/94236015/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
