* [poky][dunfell][PATCH] qemu: Add fix for CVE-2020-13791
@ 2021-04-05  5:40 Rahul Taya
  2021-04-05 22:24 ` [OE-core] " Steve Sakoman
  0 siblings, 1 reply; 2+ messages in thread
From: Rahul Taya @ 2021-04-05  5:40 UTC (permalink / raw)
  To: Openembedded-core, raj.khem; +Cc: nisha.parrakat, Harpritkaur.Bhandari

Added below patch to fix CVE-2020-13791

CVE-2020-13791.patch

Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |  1 +
 .../qemu/qemu/CVE-2020-13791.patch            | 52 +++++++++++++++++++
 2 files changed, 53 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 5e8d3e09ff..7f8053cdd5 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -54,6 +54,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2020-24352.patch \
           file://CVE-2020-25723.patch \
           file://CVE-2021-20203.patch \
+          file://CVE-2020-13791.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"

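Review bot: The context lines around the added `file://CVE-2020-13791.patch \` entry are indented with spaces, and the reply in this thread reports that this hunk fails at qemu.inc:54 because tabs were expanded into spaces somewhere in the submission path. Regenerate the patch from the commit and send it with git send-email so the whitespace matches the blobs named in the `index 5e8d3e09ff..7f8053cdd5` line, rather than editing the hunk by hand.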
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch
new file mode 100644
index 0000000000..6582abce59
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch
@@ -0,0 +1,52 @@
+From f7d6a635fa3b7797f9d072e280f065bf3cfcd24d Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 4 Jun 2020 17:05:25 +0530
+Subject: [PATCH] pci: assert configuration access is within bounds
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+While accessing PCI configuration bytes, assert that
+'address + len' is within PCI configuration space.
+
+Generally it is within bounds. This is more of a defensive
+assert, in case a buggy device was to send 'address' which
+may go out of bounds.
+
+Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20200604113525.58898-1-ppandit@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+CVE: CVE-2020-13791
+Upstream-Status: Backport[https://github.com/qemu/qemu/commit/f7d6a635fa3b7797f9d072e280f065bf3cfcd24d.patch]
+Comment: No hunks refreshed and no warnings were seen while applying patch.
+Affected version: >=4.2.0 but patch already present in Master and Gatesgarth branches.
+Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com>
+---
+ hw/pci/pci.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/pci/pci.c b/hw/pci/pci.c
+index 70c66965f56..7bf2ae6d92a 100644
+--- a/hw/pci/pci.c
++++ b/hw/pci/pci.c
+@@ -1381,6 +1381,8 @@ uint32_t pci_default_read_config(PCIDevice *d,
+ {
+     uint32_t val = 0;
+
++    assert(address + len <= pci_config_size(d));
++
+     if (pci_is_express_downstream_port(d) &&
+         ranges_overlap(address, len, d->exp.exp_cap + PCI_EXP_LNKSTA, 2)) {
+         pcie_sync_bridge_lnk(d);
+@@ -1394,6 +1396,8 @@ void pci_default_write_config(PCIDevice *d, uint32_t addr, uint32_t val_in, int
+     int i, was_irq_disabled = pci_irq_disabled(d);
+     uint32_t val = val_in;
+
++    assert(addr + l <= pci_config_size(d));
++
+     for (i = 0; i < l; val >>= 8, ++i) {
+         uint8_t wmask = d->wmask[addr + i];
+         uint8_t w1cmask = d->w1cmask[addr + i];
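Review bot: In the pci_default_write_config() hunk, `assert(addr + l <= pci_config_size(d));` adds a `uint32_t` to an `int`, so the sum is computed in unsigned 32-bit arithmetic and an `addr` close to the top of the range wraps to a small value that passes the check before `d->wmask[addr + i]` is indexed. A form that avoids the addition, such as bounding `l` first and then checking `addr <= pci_config_size(d) - l`, would close that gap; the same applies to `address + len` in the read path. Since the embedded patch is marked as a backport, its body should stay identical to upstream, so that point is one to raise there. For this submission, the `Upstream-Status: Backport[https://...]` line is missing the space between `Backport` and the bracketed URL.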
--
2.17.1


* Re: [OE-core] [poky][dunfell][PATCH] qemu: Add fix for CVE-2020-13791
  2021-04-05  5:40 [poky][dunfell][PATCH] qemu: Add fix for CVE-2020-13791 Rahul Taya
@ 2021-04-05 22:24 ` Steve Sakoman
  0 siblings, 0 replies; 2+ messages in thread
From: Steve Sakoman @ 2021-04-05 22:24 UTC (permalink / raw)
  To: Rahul Taya
  Cc: Patches and discussions about the oe-core layer, Khem Raj,
	Nisha Parrakat, Harpritkaur.Bhandari

Sorry, this patch does not apply:

Applying: qemu: Add fix for CVE-2020-13791
Using index info to reconstruct a base tree...
error: patch failed: meta/recipes-devtools/qemu/qemu.inc:54
error: meta/recipes-devtools/qemu/qemu.inc: patch does not apply
error: Did you hand edit your patch?
It does not apply to blobs recorded in its index.
Patch failed at 0001 qemu: Add fix for CVE-2020-13791

It appears that something in your patch submission process is
expanding tabs into spaces.

Perhaps you could try using git-send-email for patch submission.

Steve

On Sun, Apr 4, 2021 at 7:41 PM Rahul Taya <Rahul.Taya@kpit.com> wrote:
>
> Added below patch to fix CVE-2020-13791
>
> CVE-2020-13791.patch
>
> Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com>
> ---
>  meta/recipes-devtools/qemu/qemu.inc           |  1 +
>  .../qemu/qemu/CVE-2020-13791.patch            | 52 +++++++++++++++++++
>  2 files changed, 53 insertions(+)
>  create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch
>
> diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
> index 5e8d3e09ff..7f8053cdd5 100644
> --- a/meta/recipes-devtools/qemu/qemu.inc
> +++ b/meta/recipes-devtools/qemu/qemu.inc
> @@ -54,6 +54,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
>            file://CVE-2020-24352.patch \
>            file://CVE-2020-25723.patch \
>            file://CVE-2021-20203.patch \
> +          file://CVE-2020-13791.patch \
>            "
>  UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
>
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch
> new file mode 100644
> index 0000000000..6582abce59
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch
> @@ -0,0 +1,52 @@
> +From f7d6a635fa3b7797f9d072e280f065bf3cfcd24d Mon Sep 17 00:00:00 2001
> +From: Prasad J Pandit <pjp@fedoraproject.org>
> +Date: Thu, 4 Jun 2020 17:05:25 +0530
> +Subject: [PATCH] pci: assert configuration access is within bounds
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +While accessing PCI configuration bytes, assert that
> +'address + len' is within PCI configuration space.
> +
> +Generally it is within bounds. This is more of a defensive
> +assert, in case a buggy device was to send 'address' which
> +may go out of bounds.
> +
> +Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> +Message-Id: <20200604113525.58898-1-ppandit@redhat.com>
> +Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
> +Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> +
> +CVE: CVE-2020-13791
> +Upstream-Status: Backport[https://github.com/qemu/qemu/commit/f7d6a635fa3b7797f9d072e280f065bf3cfcd24d.patch]
> +Comment: No hunks refreshed and no warnings were seen while applying patch.
> +Affected version: >=4.2.0 but patch already present in Master and Gatesgarth branches.
> +Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com>
> +---
> + hw/pci/pci.c | 4 ++++
> + 1 file changed, 4 insertions(+)
> +
> +diff --git a/hw/pci/pci.c b/hw/pci/pci.c
> +index 70c66965f56..7bf2ae6d92a 100644
> +--- a/hw/pci/pci.c
> ++++ b/hw/pci/pci.c
> +@@ -1381,6 +1381,8 @@ uint32_t pci_default_read_config(PCIDevice *d,
> + {
> +     uint32_t val = 0;
> +
> ++    assert(address + len <= pci_config_size(d));
> ++
> +     if (pci_is_express_downstream_port(d) &&
> +         ranges_overlap(address, len, d->exp.exp_cap + PCI_EXP_LNKSTA, 2)) {
> +         pcie_sync_bridge_lnk(d);
> +@@ -1394,6 +1396,8 @@ void pci_default_write_config(PCIDevice *d, uint32_t addr, uint32_t val_in, int
> +     int i, was_irq_disabled = pci_irq_disabled(d);
> +     uint32_t val = val_in;
> +
> ++    assert(addr + l <= pci_config_size(d));
> ++
> +     for (i = 0; i < l; val >>= 8, ++i) {
> +         uint8_t wmask = d->wmask[addr + i];
> +         uint8_t w1cmask = d->w1cmask[addr + i];
> --
> 2.17.1
