summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch')
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch91
1 files changed, 91 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch
new file mode 100644
index 0000000000..fdfff9d81d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch
@@ -0,0 +1,91 @@
+From 5d971f9e672507210e77d020d89e0e89165c8fc9 Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Wed, 10 Jun 2020 09:47:49 -0400
+Subject: [PATCH] memory: Revert "memory: accept mismatching sizes in
+ memory_region_access_valid"
+
+Memory API documentation documents valid .min_access_size and .max_access_size
+fields and explains that any access outside these boundaries is blocked.
+
+This is what devices seem to assume.
+
+However this is not what the implementation does: it simply
+ignores the boundaries unless there's an "accepts" callback.
+
+Naturally, this breaks a bunch of devices.
+
+Revert to the documented behaviour.
+
+Devices that want to allow any access can just drop the valid field,
+or add the impl field to have accesses converted to appropriate
+length.
+
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Richard Henderson <rth@twiddle.net>
+Fixes: CVE-2020-13754
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363
+Fixes: a014ed07bd5a ("memory: accept mismatching sizes in memory_region_access_valid")
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Message-Id: <20200610134731.1514409-1-mst@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+https://git.qemu.org/?p=qemu.git;a=patch;h=5d971f9e672507210e77d020d89e0e89165c8fc9
+CVE: CVE-2020-13754
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ memory.c | 29 +++++++++--------------------
+ 1 file changed, 9 insertions(+), 20 deletions(-)
+
+diff --git a/memory.c b/memory.c
+index 2f15a4b..9200b20 100644
+--- a/memory.c
++++ b/memory.c
+@@ -1352,35 +1352,24 @@ bool memory_region_access_valid(MemoryRegion *mr,
+ bool is_write,
+ MemTxAttrs attrs)
+ {
+- int access_size_min, access_size_max;
+- int access_size, i;
+-
+- if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
++ if (mr->ops->valid.accepts
++ && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) {
+ return false;
+ }
+
+- if (!mr->ops->valid.accepts) {
+- return true;
+- }
+-
+- access_size_min = mr->ops->valid.min_access_size;
+- if (!mr->ops->valid.min_access_size) {
+- access_size_min = 1;
++ if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
++ return false;
+ }
+
+- access_size_max = mr->ops->valid.max_access_size;
++ /* Treat zero as compatibility all valid */
+ if (!mr->ops->valid.max_access_size) {
+- access_size_max = 4;
++ return true;
+ }
+
+- access_size = MAX(MIN(size, access_size_max), access_size_min);
+- for (i = 0; i < size; i += access_size) {
+- if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size,
+- is_write, attrs)) {
+- return false;
+- }
++ if (size > mr->ops->valid.max_access_size
++ || size < mr->ops->valid.min_access_size) {
++ return false;
+ }
+-
+ return true;
+ }
+
+--
+1.8.3.1
+
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-04-19 12:02:10 +0000