From 6d1257155bd4dc2dd1c398ce70050a9471edea47 Mon Sep 17 00:00:00 2001
From: Chen Qun
Date: Mon, 21 Jun 2021 17:15:39 +0800
Subject: [PATCH 1/4] fix cve-2020-35504 esp: always check current_req is not NULL before use in DMA callbacks
Signed-off-by: Mark Cave-Ayland
Signed-off-by: imxcc
---
fix-cve-2020-35504.patch | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 fix-cve-2020-35504.patch
diff --git a/fix-cve-2020-35504.patch b/fix-cve-2020-35504.patch
new file mode 100644
index 00000000..b7850b14
--- /dev/null
+++ b/fix-cve-2020-35504.patch
@@ -0,0 +1,29 @@
+From 1059ebc6f8699f052f14303972c55234d405afa0 Mon Sep 17 00:00:00 2001
+From: imxcc
+Date: Mon, 21 Jun 2021 17:15:39 +0800
+Subject: [PATCH] fix cve-2020-35504 esp: always check current_req is not NULL
+ before use in DMA callbacks
+
+Signed-off-by: Mark Cave-Ayland
+Signed-off-by: imxcc
+---
+ hw/scsi/esp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
+index 7508d035ca..d1f13b350e 100644
+--- a/hw/scsi/esp.c
++++ b/hw/scsi/esp.c
+@@ -253,6 +253,9 @@ static void esp_do_dma(ESPState *s)
+ s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
+ return;
+ }
++ if (!s->current_req) {
++ return;
++ }
+ if (s->async_len == 0) {
+ /* Defer until data is available. */
+ return;
+--
+2.27.0
+
--
Gitee
From ed66ffbc97583b963c2e5827a3f9292e733b295a Mon Sep 17 00:00:00 2001
From: Chen Qun
Date: Mon, 21 Jun 2021 17:20:55 +0800
Subject: [PATCH 2/4] fix cve-2020-35505 esp: ensure cmdfifo is not empty and current_dev is non-NULL
Signed-off-by: Mark Cave-Ayland
Signed-off-by: imxcc
---
...05-esp-ensure-cmdfifo-is-not-empty-a.patch | 45 +++++++++++++++++++
1 file changed, 45 insertions(+)
create mode 100644 fix-cve-2020-35505-esp-ensure-cmdfifo-is-not-empty-a.patch
diff --git a/fix-cve-2020-35505-esp-ensure-cmdfifo-is-not-empty-a.patch b/fix-cve-2020-35505-esp-ensure-cmdfifo-is-not-empty-a.patch
new file mode 100644
index 00000000..4015f687
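Review bot: The new `if (!s->current_req)` guard in esp_do_dma sits after the cmdbuf read-in branch and before the `async_len` check, and it returns silently, so a DMA transfer started while no SCSI request is live is dropped with no status or interrupt raised; that is presumably the intended fix, but a one-line comment would spare the next reader from wondering whether the bare return is a bug: `/* No live SCSI request (CVE-2020-35504): nothing to transfer. */`. The patch title speaks of DMA callbacks in the plural while this hunk guards only esp_do_dma; any other path in hw/scsi/esp.c that dereferences s->current_req is not in view, so the commit message should state whether those were checked and found safe in this tree. esp_do_dma starts and ends outside the hunk.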
--- /dev/null
+++ b/fix-cve-2020-35505-esp-ensure-cmdfifo-is-not-empty-a.patch
@@ -0,0 +1,45 @@
+From 9b1b0ddbc1b50de21db3ae13cb1274f319ce0d2c Mon Sep 17 00:00:00 2001
+From: imxcc
+Date: Mon, 21 Jun 2021 17:20:55 +0800
+Subject: [PATCH] fix cve-2020-35505 esp: ensure cmdfifo is not empty and
+ current_dev is non-NULL
+
+Signed-off-by: Mark Cave-Ayland
+Signed-off-by: imxcc
+---
+ hw/scsi/esp.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
+index d1f13b350e..db6bed4f00 100644
+--- a/hw/scsi/esp.c
++++ b/hw/scsi/esp.c
+@@ -79,6 +79,7 @@ void esp_request_cancelled(SCSIRequest *req)
+ scsi_req_unref(s->current_req);
+ s->current_req = NULL;
+ s->current_dev = NULL;
++ s->async_len = 0;
+ }
+ }
+
+@@ -113,7 +114,6 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
+ if (s->current_req) {
+ /* Started a new command before the old one finished. Cancel it. */
+ scsi_req_cancel(s->current_req);
+- s->async_len = 0;
+ }
+
+ s->current_dev = scsi_device_find(&s->bus, 0, target, 0);
+@@ -136,6 +136,9 @@ static void do_busid_cmd(ESPState *s, uint8_t *buf, uint8_t busid)
+
+ trace_esp_do_busid_cmd(busid);
+ lun = busid & 7;
++ if (!s->current_dev) {
++ return;
++ }
+ current_lun = scsi_device_find(&s->bus, 0, s->current_dev->id, lun);
+ s->current_req = scsi_req_new(current_lun, 0, lun, buf, s);
+ datalen = scsi_req_enqueue(s->current_req);
+--
+2.27.0
+
--
Gitee
From 330e81d4610dc053deee61526175ac1539dba2f9 Mon Sep 17 00:00:00 2001
From: Chen Qun
Date: Mon, 21 Jun 2021 21:27:32 +0800
Subject: [PATCH 3/4] spec: Update patch and changelog with !151 fix CVE-2020-35504 and CVE-2020-35505 !151 fix cve-2020-35504 esp: always check current_req is not NULL before use in DMA callbacks fix cve-2020-35505 esp: ensure cmdfifo is not empty and current_dev is non-NULL
Signed-off-by: Chen Qun
---
qemu.spec | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/qemu.spec b/qemu.spec
index a272c4ba..337b7517 100644
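Review bot: The title says cmdfifo is ensured non-empty, but the three hunks only add the `s->current_dev` guard in do_busid_cmd and move `s->async_len = 0;` from get_cmd into esp_request_cancelled; no emptiness check on any command buffer is added. This tree still works with `s->cmdbuf`/`s->cmdlen` rather than a cmdfifo (see the esp_do_dma hunk in the first patch of this series), so either that part of the upstream change was deliberately dropped as not applicable and the commit message should say so, or it is missing from the backport. In do_busid_cmd the new early return fires after `lun` is computed and before scsi_req_new, so selecting a target that has no device now produces neither a request nor any completion; if the 4.1.0 get_cmd already has a path that reports a missing drive to the guest (not visible here), reusing it would be preferable to a bare `return`, and in any case the guard deserves a comment such as `/* No selected device (lookup in get_cmd failed or the request was cancelled): nothing to send the command to. */`. Resetting async_len in esp_request_cancelled also makes it apply to every cancellation rather than only the one issued from get_cmd, which looks intended but merits a sentence in the commit message. esp_request_cancelled, get_cmd and do_busid_cmd all start or end outside their hunks.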
--- a/qemu.spec +++ b/qemu.spec @@ -287,6 +287,8 @@ Patch0274: vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch Patch0275: ide-ahci-add-check-to-avoid-null-dereference-CVE-201.patch Patch0276: hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch Patch0277: usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch +Patch0278: fix-cve-2020-35504.patch +Patch0279: fix-cve-2020-35505-esp-ensure-cmdfifo-is-not-empty-a.patch BuildRequires: flex BuildRequires: bison @@ -675,6 +677,10 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Mon Jun 21 2021 Chen Qun +- fix cve-2020-35504 esp: always check current_req is not NULL before use in DMA callbacks +- fix cve-2020-35505 esp: ensure cmdfifo is not empty and current_dev is non-NULL + * Mon Jun 21 2021 Chen Qun - ide: ahci: add check to avoid null dereference (CVE-2019-12067) - hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register -- Gitee From 81bb1d387ecf04873e88a21322b6805e84bd1e00 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 21 Jun 2021 21:27:40 +0800 Subject: [PATCH 4/4] spec: Update release version with !151 increase release verison by one Signed-off-by: Chen Qun --- qemu.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qemu.spec b/qemu.spec index 337b7517..78a5b7c1 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 49 +Release: 50 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 -- Gitee