diff --git a/fix-cve-2020-35504.patch b/fix-cve-2020-35504.patch new file mode 100644 index 0000000000000000000000000000000000000000..59ffebca1d2d8377b58d6056e1f985a9abab94f6 --- /dev/null +++ b/fix-cve-2020-35504.patch @@ -0,0 +1,30 @@ +From ad1af4b1ba099a9ab128129edf44f57dccc2e825 Mon Sep 17 00:00:00 2001 +From: imxcc +Date: Mon, 21 Jun 2021 17:15:39 +0800 +Subject: [PATCH] fix cve-2020-35504 + +esp: always check current_req is not NULL before use in DMA callbacks + +Signed-off-by: Mark Cave-Ayland +Signed-off-by: imxcc +--- + hw/scsi/esp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c +index 7508d035ca..d1f13b350e 100644 +--- a/hw/scsi/esp.c ++++ b/hw/scsi/esp.c +@@ -253,6 +253,9 @@ static void esp_do_dma(ESPState *s) + s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len); + return; + } ++ if (!s->current_req) { ++ return; ++ } + if (s->async_len == 0) { + /* Defer until data is available. */ + return; +-- +2.27.0 + diff --git a/fix-cve-2020-35505.patch b/fix-cve-2020-35505.patch new file mode 100644 index 0000000000000000000000000000000000000000..adf31a1e81a8e71e82be78d984009ee3fc562e13 --- /dev/null +++ b/fix-cve-2020-35505.patch @@ -0,0 +1,46 @@ +From 3aedcaaaef0653a413174c35f183b1703ce10a4d Mon Sep 17 00:00:00 2001 +From: imxcc +Date: Mon, 21 Jun 2021 17:20:55 +0800 +Subject: [PATCH] fix cve-2020-35505 + +esp: ensure cmdfifo is not empty and current_dev is non-NULL + +Signed-off-by: Mark Cave-Ayland +Signed-off-by: imxcc +--- + hw/scsi/esp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c +index d1f13b350e..db6bed4f00 100644 +--- a/hw/scsi/esp.c ++++ b/hw/scsi/esp.c +@@ -79,6 +79,7 @@ void esp_request_cancelled(SCSIRequest *req) + scsi_req_unref(s->current_req); + s->current_req = NULL; + s->current_dev = NULL; ++ s->async_len = 0; + } + } + +@@ -113,7 +114,6 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen) + if (s->current_req) { + /* Started a new command before the old one finished. Cancel it. */ + scsi_req_cancel(s->current_req); +- s->async_len = 0; + } + + s->current_dev = scsi_device_find(&s->bus, 0, target, 0); +@@ -136,6 +136,9 @@ static void do_busid_cmd(ESPState *s, uint8_t *buf, uint8_t busid) + + trace_esp_do_busid_cmd(busid); + lun = busid & 7; ++ if (!s->current_dev) { ++ return; ++ } + current_lun = scsi_device_find(&s->bus, 0, s->current_dev->id, lun); + s->current_req = scsi_req_new(current_lun, 0, lun, buf, s); + datalen = scsi_req_enqueue(s->current_req); +-- +2.27.0 + diff --git a/qemu.spec b/qemu.spec index 5ae26d0b0c02c9775995cacc9e312c487117b0d7..fed8970a48273cf5663075db60ac675c9afbdd3f 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 60 +Release: 61 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 @@ -340,6 +340,8 @@ Patch0327: bootp-check-bootp_input-buffer-size.patch Patch0328: upd6-check-udp6_input-buffer-size.patch Patch0329: tftp-check-tftp_input-buffer-size.patch Patch0330: tftp-introduce-a-header-structure.patch +Patch0331: fix-cve-2020-35504.patch +Patch0332: fix-cve-2020-35505.patch BuildRequires: flex BuildRequires: bison @@ -736,6 +738,10 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Wed Oct 27 2021 Chen Qun +- fix cve-2020-35504 +- fix cve-2020-35505 + * Tue Oct 19 2021 imxcc - fix cve-2021-3592 cve-2021-3593 cve-2021-3595