* [OE-core][zeus][PATCH] qemu: CVE-2020-25084 CVE-2020-25625
@ 2020-10-26  8:29 Li Wang
  0 siblings, 0 replies; only message in thread
From: Li Wang @ 2020-10-26  8:29 UTC (permalink / raw)
  To: openembedded-core

Backport the following upstream QEMU commits:
https://git.qemu.org/?p=qemu.git;a=commit;h=21bc31524e8ca487e976f713b878d7338ee00df2
https://git.qemu.org/?p=qemu.git;a=commit;h=2fdb42d840400d58f2e706ecca82c142b97bcbd6
https://git.qemu.org/?p=qemu.git;a=commit;h=1be90ebecc95b09a2ee5af3f60c412b45a766c4f

Signed-off-by: Li Wang <li.wang@windriver.com>
---
  meta/recipes-devtools/qemu/qemu.inc           |  3 +
  .../qemu/qemu/CVE-2020-25084-1.patch          | 79 +++++++++++++++++++
  .../qemu/qemu/CVE-2020-25084-2.patch          | 51 ++++++++++++
  .../qemu/qemu/CVE-2020-25625.patch            | 42 ++++++++++
  4 files changed, 175 insertions(+)
  create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-25084-1.patch
  create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-25084-2.patch
  create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-25625.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index cbade92ac9..8f2d9e824b 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -44,6 +44,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
             file://CVE-2020-15863.patch \
             file://CVE-2020-14364.patch \
             file://CVE-2020-12829.patch \
+           file://CVE-2020-25084-1.patch \
+           file://CVE-2020-25084-2.patch \
+           file://CVE-2020-25625.patch \
  	   "
  UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25084-1.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2020-25084-1.patch
new file mode 100644
index 0000000000..180f061d69
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25084-1.patch
@@ -0,0 +1,79 @@
+From 21bc31524e8ca487e976f713b878d7338ee00df2 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Wed, 12 Aug 2020 08:31:39 -0700
+Subject: [PATCH] hw: xhci: check return value of 'usb_packet_map'
+
+Currently we don't check the return value of 'usb_packet_map',
+this will cause an UAF issue. This is LP#1891341.
+Following is the reproducer provided in:
+-->https://bugs.launchpad.net/qemu/+bug/1891341
+
+cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
+-trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
+-drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
+-nodefaults -nographic -qtest stdio
+outl 0xcf8 0x80001016
+outl 0xcfc 0x3c009f0d
+outl 0xcf8 0x80001004
+outl 0xcfc 0xc77695e
+writel 0x9f0d000000000040 0xffff3655
+writeq 0x9f0d000000002000 0xff2f9e0000000000
+write 0x1d 0x1 0x27
+write 0x2d 0x1 0x2e
+write 0x17232 0x1 0x03
+write 0x17254 0x1 0x06
+write 0x17278 0x1 0x34
+write 0x3d 0x1 0x27
+write 0x40 0x1 0x2e
+write 0x41 0x1 0x72
+write 0x42 0x1 0x01
+write 0x4d 0x1 0x2e
+write 0x4f 0x1 0x01
+writeq 0x9f0d000000002000 0x5c051a0100000000
+write 0x34001d 0x1 0x13
+write 0x340026 0x1 0x30
+write 0x340028 0x1 0x08
+write 0x34002c 0x1 0xfe
+write 0x34002d 0x1 0x08
+write 0x340037 0x1 0x5e
+write 0x34003a 0x1 0x05
+write 0x34003d 0x1 0x05
+write 0x34004d 0x1 0x13
+writeq 0x9f0d000000002000 0xff00010100400009
+EOF
+
+This patch fixes this.
+
+Buglink: https://bugs.launchpad.net/qemu/+bug/1891341
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Message-id: 20200812153139.15146-1-liq3ea@163.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-25084
+[https://git.qemu.org/?p=qemu.git;a=commit;h=21bc31524e8ca487e976f713b878d7338ee00df2]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ hw/usb/hcd-xhci.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index 5894a18..6314141 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -1614,7 +1614,10 @@ static int xhci_setup_packet(XHCITransfer *xfer)
+     xhci_xfer_create_sgl(xfer, dir == USB_TOKEN_IN); /* Also sets 
int_req */
+     usb_packet_setup(&xfer->packet, dir, ep, xfer->streamid,
+                      xfer->trbs[0].addr, false, xfer->int_req);
+-    usb_packet_map(&xfer->packet, &xfer->sgl);
++    if (usb_packet_map(&xfer->packet, &xfer->sgl)) {
++        qemu_sglist_destroy(&xfer->sgl);
++        return -1;
++    }
+     DPRINTF("xhci: setup packet pid 0x%x addr %d ep %d\n",
+             xfer->packet.pid, ep->dev->addr, ep->nr);
+     return 0;
+--
+2.17.1
+
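Review bot: The new error path in xhci_setup_packet returns -1 silently, while the success path immediately below it DPRINTFs the packet; since a failed usb_packet_map is guest-triggerable (the reproducer in the commit message hits it), it deserves a diagnostic such as `DPRINTF("xhci: usb_packet_map failed for ep %d\n", ep->nr);` before `qemu_sglist_destroy(&xfer->sgl);`. Note also that usb_packet_setup has already run when the map fails, so xfer->packet is left in set-up state while xfer->sgl is destroyed; every caller must therefore treat -1 as "no packet" and never reach usb_packet_unmap on that xfer — presumably they do, but the callers are outside the hunk. xhci_setup_packet itself begins before the hunk.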
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25084-2.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2020-25084-2.patch
new file mode 100644
index 0000000000..64dc343237
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25084-2.patch
@@ -0,0 +1,51 @@
+From 2fdb42d840400d58f2e706ecca82c142b97bcbd6 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Wed, 12 Aug 2020 09:17:27 -0700
+Subject: [PATCH] hw: ehci: check return value of 'usb_packet_map'
+
+If 'usb_packet_map' fails, we should stop to process the usb
+request.
+
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Message-Id: <20200812161727.29412-1-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-25084
+[https://git.qemu.org/?p=qemu.git;a=commit;h=2fdb42d840400d58f2e706ecca82c142b97bcbd6]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ hw/usb/hcd-ehci.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index 62dab05..418d102 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -1370,7 +1370,10 @@ static int ehci_execute(EHCIPacket *p, const 
char *action)
+         spd = (p->pid == USB_TOKEN_IN && NLPTR_TBIT(p->qtd.altnext) == 0);
+         usb_packet_setup(&p->packet, p->pid, ep, 0, p->qtdaddr, spd,
+                          (p->qtd.token & QTD_TOKEN_IOC) != 0);
+-        usb_packet_map(&p->packet, &p->sgl);
++        if (usb_packet_map(&p->packet, &p->sgl)) {
++            qemu_sglist_destroy(&p->sgl);
++            return -1;
++        }
+         p->async = EHCI_ASYNC_INITIALIZED;
+     }
+
+@@ -1449,7 +1452,10 @@ static int ehci_process_itd(EHCIState *ehci,
+             if (ep && ep->type == USB_ENDPOINT_XFER_ISOC) {
+                 usb_packet_setup(&ehci->ipacket, pid, ep, 0, addr, false,
+                                  (itd->transact[i] & ITD_XACT_IOC) != 0);
+-                usb_packet_map(&ehci->ipacket, &ehci->isgl);
++                if (usb_packet_map(&ehci->ipacket, &ehci->isgl)) {
++                    qemu_sglist_destroy(&ehci->isgl);
++                    return -1;
++                }
+                 usb_handle_packet(dev, &ehci->ipacket);
+                 usb_packet_unmap(&ehci->ipacket, &ehci->isgl);
+             } else {
+--
+2.17.1
+
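Review bot: In ehci_execute the added failure path returns a bare -1, and if this function's return is consumed as a USB transfer status by its caller (not visible here), -1 coincides with USB_RET_NODEV in QEMU's usb.h; if that is the intended outcome, `return USB_RET_NODEV;` would make it deliberate rather than accidental, and if it is not, the caller needs to distinguish a map failure from a missing device. The ehci_process_itd hunk has the same shape and additionally returns from inside the per-transaction loop (whose head is outside the hunk), abandoning any transactions already serviced in earlier iterations — acceptable for a malformed ITD, but worth a one-line comment such as `/* map failed: abandon this ITD, remaining transactions are not serviced */`. Both enclosing functions begin and end outside the hunk.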
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25625.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2020-25625.patch
new file mode 100644
index 0000000000..884633867e
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25625.patch
@@ -0,0 +1,42 @@
+From 1be90ebecc95b09a2ee5af3f60c412b45a766c4f Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 15 Sep 2020 23:52:59 +0530
+Subject: [PATCH] hw: usb: hcd-ohci: check for processed TD before retire
+
+While servicing OHCI transfer descriptors(TD), ohci_service_iso_td
+retires a TD if it has passed its time frame. It does not check if
+the TD was already processed once and holds an error code in TD_CC.
+It may happen if the TD list has a loop. Add check to avoid an
+infinite loop condition.
+
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Message-id: 20200915182259.68522-3-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-25625
+[https://git.qemu.org/?p=qemu.git;a=commit;h=1be90ebecc95b09a2ee5af3f60c412b45a766c4f]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ hw/usb/hcd-ohci.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 4f6fdbc..ffe52a0 100644
+--- a/hw/usb/hcd-ohci.c
++++ b/hw/usb/hcd-ohci.c
+@@ -689,6 +689,10 @@ static int ohci_service_iso_td(OHCIState *ohci, 
struct ohci_ed *ed,
+            the next ISO TD of the same ED */
+ 
trace_usb_ohci_iso_td_relative_frame_number_big(relative_frame_number,
+                                                         frame_count);
++        if (OHCI_CC_DATAOVERRUN == OHCI_BM(iso_td.flags, TD_CC)) {
++            /* avoid infinite loop */
++            return 1;
++        }
+         OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
+         ed->head &= ~OHCI_DPTR_MASK;
+         ed->head |= (iso_td.next & OHCI_DPTR_MASK);
+--
+2.17.1
+
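Review bot: The new guard only recognises a TD that was retired by this same path (TD_CC already equal to OHCI_CC_DATAOVERRUN, which the following line sets), which matches the commit text, but the comment `/* avoid infinite loop */` does not say why that equality means a loop; replace it with `/* TD_CC was already set to DATAOVERRUN by an earlier pass over this TD: the TD list loops back on itself, stop here */`. The Message-id ends in -3-, so this is the third patch of a series; the earlier patches in that series harden the same OHCI ISO-TD path (the len/frame_number bounds checks tracked as CVE-2020-25624) and are not part of this backport, so confirm they are already in zeus or queued alongside. ohci_service_iso_td begins and ends outside the hunk.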
-- 
2.17.1

