fix CVE-2020-25085 & CVE-2020-25084

Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
2020-09-18 11:25:12 +08:00 · 2020-09-18 11:25:12 +08:00 · 372c6f4847
commit 372c6f4847
parent cd7a9e26d3
3 changed files with 63 additions and 1 deletions
--- a/hw-sd-sdhci-Fix-DMA-Transfer-Block-Size-field.patch
+++ b/hw-sd-sdhci-Fix-DMA-Transfer-Block-Size-field.patch
@ -0,0 +1,25 @@
 From 8b8d3992db22a583b69b6e2ae1d9cd87e2179e21 Mon Sep 17 00:00:00 2001
 From: Prasad J Pandit <pjp@fedoraproject.org>
 Date: Fri, 18 Sep 2020 10:55:22 +0800
 Subject: [PATCH] hw/sd/sdhci: Fix DMA Transfer Block Size field The 'Transfer
 Block Size' field is 12-bit wide. See section '2.2.2 Block Size Register
 (Offset 004h)' in datasheet.
 Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
 diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
 index 7b80b1d9..acf482b8 100644
 --- a/hw/sd/sdhci.c
 +++ b/hw/sd/sdhci.c
@@ -1127,7 +1127,7 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
         break;
     case SDHC_BLKSIZE:
         if (!TRANSFERRING_DATA(s->prnsts)) {
 -            MASKED_WRITE(s->blksize, mask, value);
 +            MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
             MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
         }
 -- 
 2.23.0
--- a/hw-xhci-check-return-value-of-usb_packet_map.patch
+++ b/hw-xhci-check-return-value-of-usb_packet_map.patch
@ -0,0 +1,31 @@
 From e43f0019b0aff881c562c8d2428bce6b3d55845c Mon Sep 17 00:00:00 2001
 From: Li Qiang <liq3ea@163.com>
 Date: Fri, 18 Sep 2020 11:08:28 +0800
 Subject: [PATCH] hw: xhci: check return value of 'usb_packet_map'
 Currently we don't check the return value of 'usb_packet_map',
 this will cause an NAF issue. This is LP#1891341.
 Following is the reproducer provided in:
 -->https://bugs.launchpad.net/qemu/+bug/1891341
 This patch fixes this.
 diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
 index a21485fe..3b25abca 100644
 --- a/hw/usb/hcd-xhci.c
 +++ b/hw/usb/hcd-xhci.c
@@ -1614,7 +1614,10 @@ static int xhci_setup_packet(XHCITransfer *xfer)
     xhci_xfer_create_sgl(xfer, dir == USB_TOKEN_IN); /* Also sets int_req */
     usb_packet_setup(&xfer->packet, dir, ep, xfer->streamid,
                      xfer->trbs[0].addr, false, xfer->int_req);
 -    usb_packet_map(&xfer->packet, &xfer->sgl);
 +    if (usb_packet_map(&xfer->packet, &xfer->sgl)) {
 +		qemu_sglist_destroy(&xfer->sgl);
 +		return -1;
 +	}
     DPRINTF("xhci: setup packet pid 0x%x addr %d ep %d\n",
             xfer->packet.pid, ep->dev->addr, ep->nr);
     return 0;
 -- 
 2.23.0
--- a/qemu.spec
+++ b/qemu.spec
@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 24
+Release: 25
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY
@ -229,6 +229,8 @@ Patch0216: target-arm-Add-more-CPU-features.patch
 Patch0217: hw-usb-core-fix-buffer-overflow.patch
 Patch0218: target-arm-ignore-evtstrm-and-cpuid-CPU-features.patch
 Patch0219: Drop-bogus-IPv6-messages.patch
 Patch0220: hw-sd-sdhci-Fix-DMA-Transfer-Block-Size-field.patch
 Patch0221: hw-xhci-check-return-value-of-usb_packet_map.patch
 BuildRequires: flex
 BuildRequires: bison
@ -575,6 +577,10 @@ getent passwd qemu >/dev/null || \
 %endif
 %changelog
 * Fri Sep 18 2020 Huawei Technologies Co., Ltd <lijiajie11@huawei.com>
 - hw-sd-sdhci-Fix-DMA-Transfer-Block-Size-field.patch
 - hw-xhci-check-return-value-of-usb_packet_map.patch
 * Fri Sep 11 2020 Huawei Technologies Co., Ltd <lijiajie11@huawei.com>
 - slirp/src/ip6_input.c: fix out-of-bounds read information vulnerability