diff --git a/hw-sd-sdhci-Fix-DMA-Transfer-Block-Size-field.patch b/hw-sd-sdhci-Fix-DMA-Transfer-Block-Size-field.patch
new file mode 100644
index 0000000000000000000000000000000000000000..42df9650a9e378fbb0d96afbd5b8a844c8ed64c7
--- /dev/null
+++ b/hw-sd-sdhci-Fix-DMA-Transfer-Block-Size-field.patch
@@ -0,0 +1,25 @@
+From 8b8d3992db22a583b69b6e2ae1d9cd87e2179e21 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Fri, 18 Sep 2020 10:55:22 +0800
+Subject: [PATCH] hw/sd/sdhci: Fix DMA Transfer Block Size field The 'Transfer
+ Block Size' field is 12-bit wide. See section '2.2.2 Block Size Register
+ (Offset 004h)' in datasheet.
+
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 7b80b1d9..acf482b8 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -1127,7 +1127,7 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
+ break;
+ case SDHC_BLKSIZE:
+ if (!TRANSFERRING_DATA(s->prnsts)) {
+- MASKED_WRITE(s->blksize, mask, value);
++ MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
+ MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
+ }
+
+--
+2.23.0
+
diff --git a/hw-xhci-check-return-value-of-usb_packet_map.patch b/hw-xhci-check-return-value-of-usb_packet_map.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fd81478de3a588852232349f483bbf16dd403034
--- /dev/null
+++ b/hw-xhci-check-return-value-of-usb_packet_map.patch
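Review bot: The narrowed write `MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));` still admits a Transfer Block Size of up to 4095 bytes, and nothing in the hunk ties that bound to the size of the buffer the model later copies a block into, so the fix presumably relies on that buffer being at least 4 KiB; an explicit clamp of the written field against the device's maximum buffer size, with a guest-error log when it is exceeded, would keep the invariant local to the register write. The same expression zeroes bits 12–15 of the value (the Host SDMA Buffer Boundary field in the register layout the message cites), which is only harmless if the model never reads those bits — worth confirming. In the patch header the commit body has been folded into `Subject:` because the message lacks a blank line after the title, which `git am` will turn into a multi-line subject; insert an empty line after `Fix DMA Transfer Block Size field`. Neither this patch nor hw-xhci-check-return-value-of-usb_packet_map.patch records the upstream commit it backports or a `Signed-off-by:` trailer. `sdhci_write` continues outside the hunk.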
@@ -0,0 +1,31 @@
+From e43f0019b0aff881c562c8d2428bce6b3d55845c Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Fri, 18 Sep 2020 11:08:28 +0800
+Subject: [PATCH] hw: xhci: check return value of 'usb_packet_map'
+
+Currently we don't check the return value of 'usb_packet_map',
+this will cause an NAF issue. This is LP#1891341.
+Following is the reproducer provided in:
+-->https://bugs.launchpad.net/qemu/+bug/1891341
+
+This patch fixes this.
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index a21485fe..3b25abca 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -1614,7 +1614,10 @@ static int xhci_setup_packet(XHCITransfer *xfer)
+ xhci_xfer_create_sgl(xfer, dir == USB_TOKEN_IN); /* Also sets int_req */
+ usb_packet_setup(&xfer->packet, dir, ep, xfer->streamid,
+ xfer->trbs[0].addr, false, xfer->int_req);
+- usb_packet_map(&xfer->packet, &xfer->sgl);
++ if (usb_packet_map(&xfer->packet, &xfer->sgl)) {
++ qemu_sglist_destroy(&xfer->sgl);
++ return -1;
++ }
+ DPRINTF("xhci: setup packet pid 0x%x addr %d ep %d\n",
+ xfer->packet.pid, ep->dev->addr, ep->nr);
+ return 0;
+--
+2.23.0
+
diff --git a/qemu.spec b/qemu.spec
index a26648c4cb3c564f11e767643749a56f30108147..014acf483c98eb85de1c8dc3ff58ae3180c1a8af 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 24
+Release: 25
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY
@@ -229,6 +229,8 @@ Patch0216: target-arm-Add-more-CPU-features.patch
 Patch0217: hw-usb-core-fix-buffer-overflow.patch
 Patch0218: target-arm-ignore-evtstrm-and-cpuid-CPU-features.patch
 Patch0219: Drop-bogus-IPv6-messages.patch
+Patch0220: hw-sd-sdhci-Fix-DMA-Transfer-Block-Size-field.patch
+Patch0221: hw-xhci-check-return-value-of-usb_packet_map.patch
 BuildRequires: flex
 BuildRequires: bison
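Review bot: The new failure path `if (usb_packet_map(&xfer->packet, &xfer->sgl)) { qemu_sglist_destroy(&xfer->sgl); return -1; }` releases the scatter-gather list but leaves `xfer->packet` in whatever state `usb_packet_setup` put it in on the line above, so the fix is only complete if every caller of `xhci_setup_packet` (all outside the hunk) checks for -1 and does not later treat the transfer as mapped, and if `usb_packet_map` unmaps anything it had already mapped before returning non-zero; both are worth confirming in the backport. The commit message's "NAF issue" is presumably a typo for "UAF" (use-after-free); fix the wording so the backport is searchable by the bug class it addresses. The message also announces a reproducer but only pastes the bug URL after `-->`; either quote the reproducer or say it is in the linked bug. `xhci_setup_packet` starts outside the hunk.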
@@ -575,6 +577,10 @@ getent passwd qemu >/dev/null || \
 %endif
 %changelog
+* Fri Sep 18 2020 Huawei Technologies Co., Ltd
+- hw-sd-sdhci-Fix-DMA-Transfer-Block-Size-field.patch
+- hw-xhci-check-return-value-of-usb_packet_map.patch
+
 * Fri Sep 11 2020 Huawei Technologies Co., Ltd
 - slirp/src/ip6_input.c: fix out-of-bounds read information vulnerability