Added below patch to fix CVE-2020-13791 CVE-2020-13791.patch
Signed-off-by: Rahul Taya <rahul.t...@kpit.com> --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2020-13791.patch | 52 +++++++++++++++++++ 2 files changed, 53 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 5e8d3e09ff..7f8053cdd5 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -54,6 +54,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2020-24352.patch \ file://CVE-2020-25723.patch \ file://CVE-2021-20203.patch \ + file://CVE-2020-13791.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch new file mode 100644 index 0000000000..6582abce59 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch 
@@ -0,0 +1,52 @@ +From f7d6a635fa3b7797f9d072e280f065bf3cfcd24d Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <p...@fedoraproject.org> +Date: Thu, 4 Jun 2020 17:05:25 +0530 +Subject: [PATCH] pci: assert configuration access is within bounds +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +While accessing PCI configuration bytes, assert that +'address + len' is within PCI configuration space. + +Generally it is within bounds. This is more of a defensive +assert, in case a buggy device was to send 'address' which +may go out of bounds. + +Suggested-by: Philippe Mathieu-Daudé <phi...@redhat.com> +Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> +Message-Id: <20200604113525.58898-1-ppan...@redhat.com> +Reviewed-by: Michael S. Tsirkin <m...@redhat.com> +Signed-off-by: Michael S. Tsirkin <m...@redhat.com> + +CVE: CVE-2020-13791 +Upstream-Status: Backport[https://github.com/qemu/qemu/commit/f7d6a635fa3b7797f9d072e280f065bf3cfcd24d.patch] +Comment: No hunks refreshed and no warnings were seen while applying patch. +Affected version: >=4.2.0 but patch already present in Master and Gatesgarth branches. 
+Signed-off-by: Rahul Taya <rahul.t...@kpit.com> +--- + hw/pci/pci.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/hw/pci/pci.c b/hw/pci/pci.c +index 70c66965f56..7bf2ae6d92a 100644 +--- a/hw/pci/pci.c ++++ b/hw/pci/pci.c +@@ -1381,6 +1381,8 @@ uint32_t pci_default_read_config(PCIDevice *d, + { + uint32_t val = 0; + ++ assert(address + len <= pci_config_size(d)); ++ + if (pci_is_express_downstream_port(d) && + ranges_overlap(address, len, d->exp.exp_cap + PCI_EXP_LNKSTA, 2)) { + pcie_sync_bridge_lnk(d); +@@ -1394,6 +1396,8 @@ void pci_default_write_config(PCIDevice *d, uint32_t addr, uint32_t val_in, int + int i, was_irq_disabled = pci_irq_disabled(d); + uint32_t val = val_in; + ++ assert(addr + l <= pci_config_size(d)); ++ + for (i = 0; i < l; val >>= 8, ++i) { + uint8_t wmask = d->wmask[addr + i]; + uint8_t w1cmask = d->w1cmask[addr + i]; -- 2.17.1
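Review bot: The new `assert(addr + l <= pci_config_size(d));` in the pci_default_write_config hunk forms the sum before comparing, and the hunk header shows `addr` is a `uint32_t`, so the addition is done in unsigned 32-bit arithmetic and can wrap. An `addr` near the top of the 32-bit range plus a small `l` gives a small sum that satisfies the assert, while `d->wmask[addr + i]` and `d->w1cmask[addr + i]` in the loop below are still indexed out of range. Checking the operands separately avoids forming the sum at all, for example `assert(l <= pci_config_size(d) && addr <= pci_config_size(d) - l);`. The same comment applies to `assert(address + len <= pci_config_size(d));` in the pci_default_read_config hunk if `address` has the same unsigned type, which is not visible in the quoted context.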
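Review bot: The `Upstream-Status: Backport[https://github.com/qemu/qemu/commit/f7d6a635fa3b7797f9d072e280f065bf3cfcd24d.patch]` line in the header of the added CVE-2020-13791.patch has no space between `Backport` and the bracketed URL; the usual form of the tag is `Upstream-Status: Backport [<url>]`, and tooling that parses the tag may not accept the fused form. The `Comment:` and `Affected version:` lines in that same header read as notes for the list, not as part of the carried patch, so they would fit better in the outer commit message, which currently only says the patch was added.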