diff --git a/fix-cve-2020-35504.patch b/fix-cve-2020-35504.patch new file mode 100644 index 0000000000000000000000000000000000000000..9ed150443075dd2949225dd195f51161e237d1fa --- /dev/null +++ b/fix-cve-2020-35504.patch @@ -0,0 +1,30 @@ +From 28ef4af30452c90ba53ee38cfedffbfc0143ef1e Mon Sep 17 00:00:00 2001 +From: imxcc +Date: Mon, 21 Jun 2021 17:15:39 +0800 +Subject: [PATCH] fix cve-2020-35504 + +esp: always check current_req is not NULL before use in DMA callbacks + +Signed-off-by: Mark Cave-Ayland +Signed-off-by: imxcc +--- + hw/scsi/esp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c +index 7508d035ca..d1f13b350e 100644 +--- a/hw/scsi/esp.c ++++ b/hw/scsi/esp.c +@@ -253,6 +253,9 @@ static void esp_do_dma(ESPState *s) + s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len); + return; + } ++ if (!s->current_req) { ++ return; ++ } + if (s->async_len == 0) { + /* Defer until data is available. */ + return; +-- +2.27.0 + diff --git a/fix-cve-2020-35505.patch b/fix-cve-2020-35505.patch new file mode 100644 index 0000000000000000000000000000000000000000..8531ab41a60c5ad668b517ec88f75cd81a358811 --- /dev/null +++ b/fix-cve-2020-35505.patch @@ -0,0 +1,46 @@ +From 55c478501ecd0a380019b8ec475151a76eb48622 Mon Sep 17 00:00:00 2001 +From: imxcc +Date: Mon, 21 Jun 2021 17:20:55 +0800 +Subject: [PATCH] fix cve-2020-35505 + +esp: ensure cmdfifo is not empty and current_dev is non-NULL + +Signed-off-by: Mark Cave-Ayland +Signed-off-by: imxcc +--- + hw/scsi/esp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c +index d1f13b350e..db6bed4f00 100644 +--- a/hw/scsi/esp.c ++++ b/hw/scsi/esp.c +@@ -79,6 +79,7 @@ void esp_request_cancelled(SCSIRequest *req) + scsi_req_unref(s->current_req); + s->current_req = NULL; + s->current_dev = NULL; ++ s->async_len = 0; + } + } + +@@ -113,7 +114,6 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen) + if (s->current_req) { + /* Started a new command before the old one finished. Cancel it. */ + scsi_req_cancel(s->current_req); +- s->async_len = 0; + } + + s->current_dev = scsi_device_find(&s->bus, 0, target, 0); +@@ -136,6 +136,9 @@ static void do_busid_cmd(ESPState *s, uint8_t *buf, uint8_t busid) + + trace_esp_do_busid_cmd(busid); + lun = busid & 7; ++ if (!s->current_dev) { ++ return; ++ } + current_lun = scsi_device_find(&s->bus, 0, s->current_dev->id, lun); + s->current_req = scsi_req_new(current_lun, 0, lun, buf, s); + datalen = scsi_req_enqueue(s->current_req); +-- +2.27.0 + diff --git a/qemu.spec b/qemu.spec index 77595f3655a908f5fd2f4d43ff9d1ba4b8698c6a..e7cbb5184df55af3a846d4f2f0cec56845957cb1 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 49 +Release: 50 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY @@ -258,6 +258,8 @@ Patch0245: bootp-check-bootp_input-buffer-size.patch Patch0246: upd6-check-udp6_input-buffer-size.patch Patch0247: tftp-check-tftp_input-buffer-size.patch Patch0248: tftp-introduce-a-header-structure.patch +Patch0249: fix-cve-2020-35504.patch +Patch0250: fix-cve-2020-35505.patch BuildRequires: flex BuildRequires: bison @@ -603,6 +605,10 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Wed Oct 27 2021 Chen Qun +- fix cve-2020-35504 +- fix cve-2020-35505 + * Tue Oct 19 2021 imxcc - fix cve-2021-3592 cve-2021-3593 cve-2021-3595