From 1142c69040d552f3cc221bfa3dc2baacb26fb5e5 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 21 Jun 2021 17:15:39 +0800 Subject: [PATCH 1/6] fix cve-2020-35504 esp: always check current_req is not NULL before use in DMA callbacks Signed-off-by: Mark Cave-Ayland Signed-off-by: imxcc --- fix-cve-2020-35504.patch | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 fix-cve-2020-35504.patch diff --git a/fix-cve-2020-35504.patch b/fix-cve-2020-35504.patch new file mode 100644 index 00000000..bf03fb5f --- /dev/null +++ b/fix-cve-2020-35504.patch @@ -0,0 +1,30 @@ +From dc8416b55d69e70912acd2364494a490b02e3198 Mon Sep 17 00:00:00 2001 +From: imxcc +Date: Mon, 21 Jun 2021 17:15:39 +0800 +Subject: [PATCH] fix cve-2020-35504 + +esp: always check current_req is not NULL before use in DMA callbacks + +Signed-off-by: Mark Cave-Ayland +Signed-off-by: imxcc +--- + hw/scsi/esp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c +index 7508d035ca..d1f13b350e 100644 +--- a/hw/scsi/esp.c ++++ b/hw/scsi/esp.c +@@ -253,6 +253,9 @@ static void esp_do_dma(ESPState *s) + s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len); + return; + } ++ if (!s->current_req) { ++ return; ++ } + if (s->async_len == 0) { + /* Defer until data is available. */ + return; +-- +2.27.0 + -- Gitee From 7c73d22a2d45199fd0dba08214e2e00d01c1ffd1 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 21 Jun 2021 17:20:55 +0800 Subject: [PATCH 2/6] fix cve-2020-35505 esp: ensure cmdfifo is not empty and current_dev is non-NULL Signed-off-by: Mark Cave-Ayland Signed-off-by: imxcc --- fix-cve-2020-35505.patch | 46 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 fix-cve-2020-35505.patch diff --git a/fix-cve-2020-35505.patch b/fix-cve-2020-35505.patch new file mode 100644 index 00000000..eb639d92 --- /dev/null +++ b/fix-cve-2020-35505.patch @@ -0,0 +1,46 @@ +From a1c9b6747da5f3d2815a0c186473dc76d9e4f682 Mon Sep 17 00:00:00 2001 +From: imxcc +Date: Mon, 21 Jun 2021 17:20:55 +0800 +Subject: [PATCH] fix cve-2020-35505 + +esp: ensure cmdfifo is not empty and current_dev is non-NULL + +Signed-off-by: Mark Cave-Ayland +Signed-off-by: imxcc +--- + hw/scsi/esp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c +index d1f13b350e..db6bed4f00 100644 +--- a/hw/scsi/esp.c ++++ b/hw/scsi/esp.c +@@ -79,6 +79,7 @@ void esp_request_cancelled(SCSIRequest *req) + scsi_req_unref(s->current_req); + s->current_req = NULL; + s->current_dev = NULL; ++ s->async_len = 0; + } + } + +@@ -113,7 +114,6 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen) + if (s->current_req) { + /* Started a new command before the old one finished. Cancel it. */ + scsi_req_cancel(s->current_req); +- s->async_len = 0; + } + + s->current_dev = scsi_device_find(&s->bus, 0, target, 0); +@@ -136,6 +136,9 @@ static void do_busid_cmd(ESPState *s, uint8_t *buf, uint8_t busid) + + trace_esp_do_busid_cmd(busid); + lun = busid & 7; ++ if (!s->current_dev) { ++ return; ++ } + current_lun = scsi_device_find(&s->bus, 0, s->current_dev->id, lun); + s->current_req = scsi_req_new(current_lun, 0, lun, buf, s); + datalen = scsi_req_enqueue(s->current_req); +-- +2.27.0 + -- Gitee From f895949d4f66a6c7d0e226107f1a7e0818a0ff67 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Fri, 3 Dec 2021 21:28:15 +0800 Subject: [PATCH 3/6] spec: Update patch and changelog with !208 sync from SP1 !208 fix cve-2020-35504 fix cve-2020-35505 Signed-off-by: Chen Qun --- qemu.spec | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/qemu.spec b/qemu.spec index 0e3d75dc..686100d9 100644 --- a/qemu.spec +++ b/qemu.spec @@ -566,6 +566,8 @@ Patch0553: bootp-check-bootp_input-buffer-size.patch Patch0554: upd6-check-udp6_input-buffer-size.patch Patch0555: tftp-check-tftp_input-buffer-size.patch Patch0556: tftp-introduce-a-header-structure.patch +Patch0557: fix-cve-2020-35504.patch +Patch0558: fix-cve-2020-35505.patch BuildRequires: flex BuildRequires: gcc @@ -970,6 +972,10 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Fri Dec 03 2021 Chen Qun +- fix cve-2020-35504 +- fix cve-2020-35505 + * Tue Oct 26 2021 imxcc - fix cve-2021-3592 cve-2021-3593 cve-2021-3595 -- Gitee From 76f6a248c44d96a8cd093f85aa9c5936f1ea6753 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Tue, 16 Nov 2021 17:21:09 +0800 Subject: [PATCH 4/6] virtio-balloon: apply upstream patch. Signed-off-by: Ming Yang --- virtio-balloon-apply-upstream-patch.patch | 31 +++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 virtio-balloon-apply-upstream-patch.patch diff --git a/virtio-balloon-apply-upstream-patch.patch b/virtio-balloon-apply-upstream-patch.patch new file mode 100644 index 00000000..a400a496 --- /dev/null +++ b/virtio-balloon-apply-upstream-patch.patch @@ -0,0 +1,31 @@ +From 0d86ceed3cef76334c39d879dd8b532ca258eb65 Mon Sep 17 00:00:00 2001 +From: Ming Yang +Date: Tue, 16 Nov 2021 17:21:09 +0800 +Subject: [PATCH] virtio-balloon: apply upstream patch. + +Signed-off-by: Ming Yang +--- + hw/virtio/virtio-balloon.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c +index 25de154307..17fa767483 100644 +--- a/hw/virtio/virtio-balloon.c ++++ b/hw/virtio/virtio-balloon.c +@@ -830,6 +830,13 @@ static void virtio_balloon_device_unrealize(DeviceState *dev, Error **errp) + } + balloon_stats_destroy_timer(s); + qemu_remove_balloon_handler(s); ++ ++ virtio_del_queue(vdev, 0); ++ virtio_del_queue(vdev, 1); ++ virtio_del_queue(vdev, 2); ++ if (s->free_page_vq) { ++ virtio_del_queue(vdev, 3); ++ } + virtio_cleanup(vdev); + } + +-- +2.27.0 + -- Gitee From 585bd9cef753a3816954dad67111a6b6094414bc Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Fri, 3 Dec 2021 21:28:18 +0800 Subject: [PATCH 5/6] spec: Update patch and changelog with !213 virtio-balloon: apply upstream patch. !213 virtio-balloon: apply upstream patch. Signed-off-by: Chen Qun --- qemu.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/qemu.spec b/qemu.spec index 686100d9..ca79285d 100644 --- a/qemu.spec +++ b/qemu.spec @@ -568,6 +568,7 @@ Patch0555: tftp-check-tftp_input-buffer-size.patch Patch0556: tftp-introduce-a-header-structure.patch Patch0557: fix-cve-2020-35504.patch Patch0558: fix-cve-2020-35505.patch +Patch0559: virtio-balloon-apply-upstream-patch.patch BuildRequires: flex BuildRequires: gcc @@ -972,6 +973,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Fri Dec 03 2021 Chen Qun +- virtio-balloon: apply upstream patch. + * Fri Dec 03 2021 Chen Qun - fix cve-2020-35504 - fix cve-2020-35505 -- Gitee From 3a580793b36a5430557a689b01a8c073e4f48be9 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Fri, 3 Dec 2021 21:28:19 +0800 Subject: [PATCH 6/6] spec: Update release version with !208 !213 increase release verison by one Signed-off-by: Chen Qun --- qemu.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qemu.spec b/qemu.spec index ca79285d..5ddcb5d5 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 84 +Release: 85 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 -- Gitee