From 6f6073e7c3ed4d0cb024e3ec2753fa8128dc8fea Mon Sep 17 00:00:00 2001
From: zhanghailiang
Date: Sat, 25 Jul 2020 13:25:59 +0800
Subject: [PATCH] qemu: pick serveral patches from upstream that fix CVE

Fix CVE-2020-13361, CVE-2020-13659, CVE-2020-13800, CVE-2020-13362

Signed-off-by: zhanghailiang
---
 ..._index-before-recursive-call-CVE-202.patch | 59 ++++++++
 ...al-frame-count-against-current-frame.patch | 60 ++++++++
 ...p-length-to-zero-when-returning-NULL.patch | 54 +++++++
 ...Fix-possible-out-of-bounds-array-acc.patch | 132 ++++++++++++++++++
 megasas-avoid-NULL-pointer-dereference.patch | 36 +++++
 ...gned-type-for-positive-numeric-field.patch | 97 +++++++++++++
 ...gned-type-for-reply_queue_head-and-c.patch | 51 +++++++
 qemu.spec | 18 ++-
 8 files changed, 506 insertions(+), 1 deletion(-)
 create mode 100644 ati-vga-check-mm_index-before-recursive-call-CVE-202.patch
 create mode 100644 es1370-check-total-frame-count-against-current-frame.patch
 create mode 100644 exec-set-map-length-to-zero-when-returning-NULL.patch
 create mode 100644 hw-scsi-megasas-Fix-possible-out-of-bounds-array-acc.patch
 create mode 100644 megasas-avoid-NULL-pointer-dereference.patch
 create mode 100644 megasas-use-unsigned-type-for-positive-numeric-field.patch
 create mode 100644 megasas-use-unsigned-type-for-reply_queue_head-and-c.patch

diff --git a/ati-vga-check-mm_index-before-recursive-call-CVE-202.patch b/ati-vga-check-mm_index-before-recursive-call-CVE-202.patch
new file mode 100644
index 00000000..b80c9dc9
--- /dev/null
+++ b/ati-vga-check-mm_index-before-recursive-call-CVE-202.patch
@@ -0,0 +1,59 @@
+From 89554d2f71d4c79c5d8e804d90d74f3985d7ded5 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Thu, 4 Jun 2020 14:38:30 +0530
+Subject: [PATCH 3/9] ati-vga: check mm_index before recursive call
+ (CVE-2020-13800)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+While accessing VGA registers via ati_mm_read/write routines,
+a guest may set 's->regs.mm_index' such that it leads to infinite
+recursion. Check mm_index value to avoid such recursion. Log an
+error message for wrong values.
+
+Reported-by: Ren Ding
+Reported-by: Hanqing Zhao
+Reported-by: Yi Ren
+Message-id: 20200604090830.33885-1-ppandit@redhat.com
+Suggested-by: BALATON Zoltan
+Suggested-by: Philippe Mathieu-Daudé
+Signed-off-by: Prasad J Pandit
+Signed-off-by: Gerd Hoffmann
+---
+ hw/display/ati.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/hw/display/ati.c b/hw/display/ati.c
+index a747c4cc98..5943040416 100644
+--- a/hw/display/ati.c
++++ b/hw/display/ati.c
+@@ -261,8 +261,11 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
+ if (idx <= s->vga.vram_size - size) {
+ val = ldn_le_p(s->vga.vram_ptr + idx, size);
+ }
+- } else {
++ } else if (s->regs.mm_index > MM_DATA + 3) {
+ val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
++ } else {
++ qemu_log_mask(LOG_GUEST_ERROR,
++ "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index);
+ }
+ break;
+ case BIOS_0_SCRATCH ... BUS_CNTL - 1:
+@@ -472,8 +475,11 @@ static void ati_mm_write(void *opaque, hwaddr addr,
+ if (idx <= s->vga.vram_size - size) {
+ stn_le_p(s->vga.vram_ptr + idx, size, data);
+ }
+- } else {
++ } else if (s->regs.mm_index > MM_DATA + 3) {
+ ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
++ } else {
++ qemu_log_mask(LOG_GUEST_ERROR,
++ "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index);
+ }
+ break;
+ case BIOS_0_SCRATCH ... BUS_CNTL - 1:
+--
+2.25.1
+
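Review bot: The new `else if (s->regs.mm_index > MM_DATA + 3)` branches in ati_mm_read and ati_mm_write (both functions start outside the hunk) carry no comment saying why the whole range at or below MM_DATA + 3 is refused rather than only the MM_DATA window: the recursive call uses `s->regs.mm_index + addr - MM_DATA`, so any index that resolves back into this case re-enters it, while the guard as written also drops indices below MM_DATA that would not recurse. A one-liner above the branch would keep a later cleanup from widening it again, e.g. `/* an mm_index that resolves back into the MM_DATA window would recurse forever; refuse anything at or below it */`. The `%u` in the two new qemu_log_mask calls assumes mm_index is an unsigned 32-bit field; its declaration is not in the hunk, so confirm the type matches the conversion.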
diff --git a/es1370-check-total-frame-count-against-current-frame.patch b/es1370-check-total-frame-count-against-current-frame.patch
new file mode 100644
index 00000000..fb1e7a7c
--- /dev/null
+++ b/es1370-check-total-frame-count-against-current-frame.patch
@@ -0,0 +1,60 @@
+From 22bbf1a90ac11fe30e1665c09f9ad904683b6ddc Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Fri, 15 May 2020 01:36:08 +0530
+Subject: [PATCH 1/9] es1370: check total frame count against current frame
+
+A guest user may set channel frame count via es1370_write()
+such that, in es1370_transfer_audio(), total frame count
+'size' is lesser than the number of frames that are processed
+'cnt'.
+
+ int cnt = d->frame_cnt >> 16;
+ int size = d->frame_cnt & 0xffff;
+
+if (size < cnt), it results in incorrect calculations leading
+to OOB access issue(s). Add check to avoid it.
+
+Reported-by: Ren Ding
+Reported-by: Hanqing Zhao
+Signed-off-by: Prasad J Pandit
+Message-id: 20200514200608.1744203-1-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann
+---
+ hw/audio/es1370.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c
+index 260c142b70..eff7d03ae1 100644
+--- a/hw/audio/es1370.c
++++ b/hw/audio/es1370.c
+@@ -643,6 +643,9 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel,
+ int csc_bytes = (csc + 1) << d->shift;
+ int cnt = d->frame_cnt >> 16;
+ int size = d->frame_cnt & 0xffff;
++ if (size < cnt) {
++ return;
++ }
+ int left = ((size - cnt + 1) << 2) + d->leftover;
+ int transferred = 0;
+ int temp = audio_MIN (max, audio_MIN (left, csc_bytes));
+@@ -651,7 +654,7 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel,
+ addr += (cnt << 2) + d->leftover;
+
+ if (index == ADC_CHANNEL) {
+- while (temp) {
++ while (temp > 0) {
+ int acquired, to_copy;
+
+ to_copy = audio_MIN ((size_t) temp, sizeof (tmpbuf));
+@@ -669,7 +672,7 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel,
+ else {
+ SWVoiceOut *voice = s->dac_voice[index];
+
+- while (temp) {
++ while (temp > 0) {
+ int copied, to_copy;
+
+ to_copy = audio_MIN ((size_t) temp, sizeof (tmpbuf));
+--
+2.25.1
+
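Review bot: The added `if (size < cnt) { return; }` in es1370_transfer_audio (the function starts before and ends after this hunk) abandons the transfer silently, whereas the ati-vga fix in this same commit reports the guest-supplied bad value through qemu_log_mask(LOG_GUEST_ERROR, ...); the same treatment here would make a misbehaving guest visible to the operator, e.g. `qemu_log_mask(LOG_GUEST_ERROR, "es1370: current frame %d exceeds frame count %d\n", cnt, size);` ahead of the return (qemu/log.h if not already included), with `%d` matching the `int` declarations of cnt and size visible just above. The `while (temp)` to `while (temp > 0)` changes in the two later hunks look like a guard against temp going negative, but the code that decrements temp lies outside the hunk, so I cannot confirm from here that they are needed or sufficient.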
diff --git a/exec-set-map-length-to-zero-when-returning-NULL.patch b/exec-set-map-length-to-zero-when-returning-NULL.patch
new file mode 100644
index 00000000..64c918e8
--- /dev/null
+++ b/exec-set-map-length-to-zero-when-returning-NULL.patch
@@ -0,0 +1,54 @@
+From a1a9d6f908b21878daa7868313243c30b7a90fcf Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Tue, 26 May 2020 16:47:43 +0530
+Subject: [PATCH 2/9] exec: set map length to zero when returning NULL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When mapping physical memory into host's virtual address space,
+'address_space_map' may return NULL if BounceBuffer is in_use.
+Set and return '*plen = 0' to avoid later NULL pointer dereference.
+
+Reported-by: Alexander Bulekov
+Fixes: https://bugs.launchpad.net/qemu/+bug/1878259
+Suggested-by: Paolo Bonzini
+Suggested-by: Peter Maydell
+Signed-off-by: Prasad J Pandit
+Message-Id: <20200526111743.428367-1-ppandit@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé
+Signed-off-by: Paolo Bonzini
+---
+ exec.c | 1 +
+ include/exec/memory.h | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/exec.c b/exec.c
+index 3e78de3b8f..85c6d80353 100644
+--- a/exec.c
++++ b/exec.c
+@@ -3739,6 +3739,7 @@ void *address_space_map(AddressSpace *as,
+ if (!memory_access_is_direct(mr, is_write)) {
+ if (atomic_xchg(&bounce.in_use, true)) {
+ rcu_read_unlock();
++ *plen = 0;
+ return NULL;
+ }
+ /* Avoid unbounded allocations */
+diff --git a/include/exec/memory.h b/include/exec/memory.h
+index 611a89122d..dca8184277 100644
+--- a/include/exec/memory.h
++++ b/include/exec/memory.h
+@@ -2064,7 +2064,8 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, hwaddr len,
+ /* address_space_map: map a physical memory region into a host virtual address
+ *
+ * May map a subset of the requested range, given by and returned in @plen.
+- * May return %NULL if resources needed to perform the mapping are exhausted.
++ * May return %NULL and set *@plen to zero(0), if resources needed to perform
++ * the mapping are exhausted.
+ * Use only for reads OR writes - not for read-modify-write operations.
+ * Use cpu_register_map_client() to know when retrying the map operation is
+ * likely to succeed.
+--
+2.25.1
+
diff --git a/hw-scsi-megasas-Fix-possible-out-of-bounds-array-acc.patch b/hw-scsi-megasas-Fix-possible-out-of-bounds-array-acc.patch
new file mode 100644
index 00000000..12c90745
--- /dev/null
+++ b/hw-scsi-megasas-Fix-possible-out-of-bounds-array-acc.patch
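Review bot: The new `*plen = 0;` is applied only on the bounce-buffer-busy path, yet the header comment now states the contract generally ("May return %NULL and set *@plen to zero"); address_space_map starts before this hunk, and any other NULL-returning path outside it must set *plen as well, otherwise a caller that tests `*plen` rather than the pointer is back to the dereference this fixes, so please confirm there is none. The comment wording is also awkward; I would write `* May return %NULL, in which case *@plen is set to 0, if resources needed to perform` for the first of the two new comment lines.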
@@ -0,0 +1,132 @@
+From 5ec15fabe78e385a81e44c7944cd05309de7f36e Mon Sep 17 00:00:00 2001
+From: Thomas Huth
+Date: Mon, 15 Jun 2020 09:26:29 +0200
+Subject: [PATCH 7/9] hw/scsi/megasas: Fix possible out-of-bounds array access
+ in tracepoints
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some tracepoints in megasas.c use a guest-controlled value as an index
+into the mfi_frame_desc[] array. Thus a malicious guest could cause an
+out-of-bounds error here. Fortunately, the impact is very low since this
+can only happen when the corresponding tracepoints have been enabled
+before, but the problem should be fixed anyway with a proper check.
+
+Buglink: https://bugs.launchpad.net/qemu/+bug/1882065
+Signed-off-by: Thomas Huth
+Message-Id: <20200615072629.32321-1-thuth@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé
+Signed-off-by: Paolo Bonzini
+---
+ hw/scsi/megasas.c | 36 +++++++++++++++++++++++------------
+ 1 file changed, 23 insertions(+), 13 deletions(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 94469e8169..9421f4d14e 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -53,10 +53,6 @@
+ #define MEGASAS_FLAG_USE_QUEUE64 1
+ #define MEGASAS_MASK_USE_QUEUE64 (1 << MEGASAS_FLAG_USE_QUEUE64)
+
+-static const char *mfi_frame_desc[] = {
+- "MFI init", "LD Read", "LD Write", "LD SCSI", "PD SCSI",
+- "MFI Doorbell", "MFI Abort", "MFI SMP", "MFI Stop"};
+-
+ typedef struct MegasasCmd {
+ uint32_t index;
+ uint16_t flags;
+@@ -182,6 +178,20 @@ static void megasas_frame_set_scsi_status(MegasasState *s,
+ stb_pci_dma(pci, frame + offsetof(struct mfi_frame_header, scsi_status), v);
+ }
+
++static inline const char *mfi_frame_desc(unsigned int cmd)
++{
++ static const char *mfi_frame_descs[] = {
++ "MFI init", "LD Read", "LD Write", "LD SCSI", "PD SCSI",
++ "MFI Doorbell", "MFI Abort", "MFI SMP", "MFI Stop"
++ };
++
++ if (cmd < ARRAY_SIZE(mfi_frame_descs)) {
++ return mfi_frame_descs[cmd];
++ }
++
++ return "Unknown";
++}
++
+ /*
+ * Context is considered opaque, but the HBA firmware is running
+ * in little endian mode. So convert it to little endian, too.
+@@ -1669,25 +1679,25 @@ static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd,
+ if (is_logical) {
+ if (target_id >= MFI_MAX_LD || lun_id != 0) {
+ trace_megasas_scsi_target_not_present(
+- mfi_frame_desc[frame_cmd], is_logical, target_id, lun_id);
++ mfi_frame_desc(frame_cmd), is_logical, target_id, lun_id);
+ return MFI_STAT_DEVICE_NOT_FOUND;
+ }
+ }
+ sdev = scsi_device_find(&s->bus, 0, target_id, lun_id);
+
+ cmd->iov_size = le32_to_cpu(cmd->frame->header.data_len);
+- trace_megasas_handle_scsi(mfi_frame_desc[frame_cmd], is_logical,
++ trace_megasas_handle_scsi(mfi_frame_desc(frame_cmd), is_logical,
+ target_id, lun_id, sdev, cmd->iov_size);
+
+ if (!sdev || (megasas_is_jbod(s) && is_logical)) {
+ trace_megasas_scsi_target_not_present(
+- mfi_frame_desc[frame_cmd], is_logical, target_id, lun_id);
++ mfi_frame_desc(frame_cmd), is_logical, target_id, lun_id);
+ return MFI_STAT_DEVICE_NOT_FOUND;
+ }
+
+ if (cdb_len > 16) {
+ trace_megasas_scsi_invalid_cdb_len(
+- mfi_frame_desc[frame_cmd], is_logical,
++ mfi_frame_desc(frame_cmd), is_logical,
+ target_id, lun_id, cdb_len);
+ megasas_write_sense(cmd, SENSE_CODE(INVALID_OPCODE));
+ cmd->frame->header.scsi_status = CHECK_CONDITION;
+@@ -1705,7 +1715,7 @@ static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd,
+ cmd->req = scsi_req_new(sdev, cmd->index, lun_id, cdb, cmd);
+ if (!cmd->req) {
+ trace_megasas_scsi_req_alloc_failed(
+- mfi_frame_desc[frame_cmd], target_id, lun_id);
++ mfi_frame_desc(frame_cmd), target_id, lun_id);
+ megasas_write_sense(cmd, SENSE_CODE(NO_SENSE));
+ cmd->frame->header.scsi_status = BUSY;
+ s->event_count++;
+@@ -1750,17 +1760,17 @@ static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd, int frame_cmd)
+ }
+
+ trace_megasas_handle_io(cmd->index,
+- mfi_frame_desc[frame_cmd], target_id, lun_id,
++ mfi_frame_desc(frame_cmd), target_id, lun_id,
+ (unsigned long)lba_start, (unsigned long)lba_count);
+ if (!sdev) {
+ trace_megasas_io_target_not_present(cmd->index,
+- mfi_frame_desc[frame_cmd], target_id, lun_id);
++ mfi_frame_desc(frame_cmd), target_id, lun_id);
+ return MFI_STAT_DEVICE_NOT_FOUND;
+ }
+
+ if (cdb_len > 16) {
+ trace_megasas_scsi_invalid_cdb_len(
+- mfi_frame_desc[frame_cmd], 1, target_id, lun_id, cdb_len);
++ mfi_frame_desc(frame_cmd), 1, target_id, lun_id, cdb_len);
+ megasas_write_sense(cmd, SENSE_CODE(INVALID_OPCODE));
+ cmd->frame->header.scsi_status = CHECK_CONDITION;
+ s->event_count++;
+@@ -1780,7 +1790,7 @@ static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd, int frame_cmd)
+ lun_id, cdb, cmd);
+ if (!cmd->req) {
+ trace_megasas_scsi_req_alloc_failed(
+- mfi_frame_desc[frame_cmd], target_id, lun_id);
++ mfi_frame_desc(frame_cmd), target_id, lun_id);
+ megasas_write_sense(cmd, SENSE_CODE(NO_SENSE));
+ cmd->frame->header.scsi_status = BUSY;
+ s->event_count++;
+--
+2.25.1
+
diff --git a/megasas-avoid-NULL-pointer-dereference.patch b/megasas-avoid-NULL-pointer-dereference.patch
new file mode 100644
index 00000000..c7bc9590
--- /dev/null
+++ b/megasas-avoid-NULL-pointer-dereference.patch
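Review bot: The new `mfi_frame_desc(unsigned int cmd)` helper is undocumented, and its one non-obvious property matters: the callers pass `int frame_cmd` (see the megasas_handle_io signature in the hunk headers), so a negative value converts to a large unsigned, fails `cmd < ARRAY_SIZE(mfi_frame_descs)` and yields "Unknown" instead of reading before the table. I would say so above the function: `/* Name of an MFI frame command for tracing. cmd is guest-supplied: any value outside the table, including a negative int converted to unsigned, yields "Unknown". */`. Moving the table into the function as a local static so the bound is ARRAY_SIZE of the array itself is the right shape, since an entry added later cannot desynchronise the check.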
@@ -0,0 +1,36 @@
+From cf7f42b21aaa7694c6232a9a5027de9df341f299 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Thu, 14 May 2020 00:55:39 +0530
+Subject: [PATCH 5/9] megasas: avoid NULL pointer dereference
+
+While in megasas_handle_frame(), megasas_enqueue_frame() may
+set a NULL frame into MegasasCmd object for a given 'frame_addr'
+address. Add check to avoid a NULL pointer dereference issue.
+
+Reported-by: Alexander Bulekov
+Fixes: https://bugs.launchpad.net/qemu/+bug/1878259
+Signed-off-by: Prasad J Pandit
+Acked-by: Alexander Bulekov
+Reviewed-by: Darren Kenny
+Message-Id: <20200513192540.1583887-3-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini
+---
+ hw/scsi/megasas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 7ee331d9da..5923ffbd22 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -503,7 +503,7 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *s,
+ cmd->pa = frame;
+ /* Map all possible frames */
+ cmd->frame = pci_dma_map(pcid, frame, &frame_size_p, 0);
+- if (frame_size_p != frame_size) {
++ if (!cmd->frame || frame_size_p != frame_size) {
+ trace_megasas_qf_map_failed(cmd->index, (unsigned long)frame);
+ if (cmd->frame) {
+ megasas_unmap_frame(s, cmd);
+--
+2.25.1
+
diff --git a/megasas-use-unsigned-type-for-positive-numeric-field.patch b/megasas-use-unsigned-type-for-positive-numeric-field.patch
new file mode 100644
index 00000000..7e194395
--- /dev/null
+++ b/megasas-use-unsigned-type-for-positive-numeric-field.patch
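Review bot: On the new NULL path of `if (!cmd->frame || frame_size_p != frame_size)` the `if (cmd->frame)` guard skips megasas_unmap_frame, so nothing in the hunk undoes the `cmd->pa = frame;` stored two lines earlier; unless the code after the hunk clears it (megasas_enqueue_frame continues outside the hunk), the slot is left looking occupied with a NULL frame and the pool of frames shrinks on every such failure. If that is the case, reset the slot on this path too, e.g. `cmd->pa = 0;` before returning, or teach megasas_unmap_frame to accept a NULL frame so the existing guard can go. With the exec fix in this same series a NULL return from pci_dma_map presumably also reports frame_size_p == 0, so the two halves of the condition overlap; keeping the explicit NULL test is still right because it does not depend on that.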
@@ -0,0 +1,97 @@
+From 7bad515189482d289d3efe4133c8af9f184662e4 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Thu, 14 May 2020 00:55:40 +0530
+Subject: [PATCH 6/9] megasas: use unsigned type for positive numeric fields
+
+Use unsigned type for the MegasasState fields which hold positive
+numeric values.
+
+Signed-off-by: Prasad J Pandit
+Reviewed-by: Darren Kenny
+Message-Id: <20200513192540.1583887-4-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini
+---
+ hw/scsi/megasas.c | 38 +++++++++++++++++++------------------
+ 1 file changed, 19 insertions(+), 19 deletions(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 5923ffbd22..94469e8169 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -85,34 +85,34 @@ typedef struct MegasasState {
+ MemoryRegion queue_io;
+ uint32_t frame_hi;
+
+- int fw_state;
++ uint32_t fw_state;
+ uint32_t fw_sge;
+ uint32_t fw_cmds;
+ uint32_t flags;
+- int fw_luns;
+- int intr_mask;
+- int doorbell;
+- int busy;
+- int diag;
+- int adp_reset;
++ uint32_t fw_luns;
++ uint32_t intr_mask;
++ uint32_t doorbell;
++ uint32_t busy;
++ uint32_t diag;
++ uint32_t adp_reset;
+ OnOffAuto msi;
+ OnOffAuto msix;
+
+ MegasasCmd *event_cmd;
+- int event_locale;
++ uint16_t event_locale;
+ int event_class;
+- int event_count;
+- int shutdown_event;
+- int boot_event;
++ uint32_t event_count;
++ uint32_t shutdown_event;
++ uint32_t boot_event;
+
+ uint64_t sas_addr;
+ char *hba_serial;
+
+ uint64_t reply_queue_pa;
+ void *reply_queue;
+- int reply_queue_len;
++ uint16_t reply_queue_len;
+ uint16_t reply_queue_head;
+- int reply_queue_tail;
++ uint16_t reply_queue_tail;
+ uint64_t consumer_pa;
+ uint64_t producer_pa;
+
+@@ -2258,9 +2258,9 @@ static const VMStateDescription vmstate_megasas_gen1 = {
+ VMSTATE_PCI_DEVICE(parent_obj, MegasasState),
+ VMSTATE_MSIX(parent_obj, MegasasState),
+
+- VMSTATE_INT32(fw_state, MegasasState),
+- VMSTATE_INT32(intr_mask, MegasasState),
+- VMSTATE_INT32(doorbell, MegasasState),
++ VMSTATE_UINT32(fw_state, MegasasState),
++ VMSTATE_UINT32(intr_mask, MegasasState),
++ VMSTATE_UINT32(doorbell, MegasasState),
+ VMSTATE_UINT64(reply_queue_pa, MegasasState),
+ VMSTATE_UINT64(consumer_pa, MegasasState),
+ VMSTATE_UINT64(producer_pa, MegasasState),
+@@ -2277,9 +2277,9 @@ static const VMStateDescription vmstate_megasas_gen2 = {
+ VMSTATE_PCI_DEVICE(parent_obj, MegasasState),
+ VMSTATE_MSIX(parent_obj, MegasasState),
+
+- VMSTATE_INT32(fw_state, MegasasState),
+- VMSTATE_INT32(intr_mask, MegasasState),
+- VMSTATE_INT32(doorbell, MegasasState),
++ VMSTATE_UINT32(fw_state, MegasasState),
++ VMSTATE_UINT32(intr_mask, MegasasState),
++ VMSTATE_UINT32(doorbell, MegasasState),
+ VMSTATE_UINT64(reply_queue_pa, MegasasState),
+ VMSTATE_UINT64(consumer_pa, MegasasState),
+ VMSTATE_UINT64(producer_pa, MegasasState),
+--
+2.25.1
+
diff --git a/megasas-use-unsigned-type-for-reply_queue_head-and-c.patch b/megasas-use-unsigned-type-for-reply_queue_head-and-c.patch
new file mode 100644
index 00000000..507aeafb
--- /dev/null
+++ b/megasas-use-unsigned-type-for-reply_queue_head-and-c.patch
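Review bot: `reply_queue_len`, `reply_queue_tail` and `event_locale` are narrowed from int to uint16_t in the struct hunk, but the two vmstate hunks only switch fw_state, intr_mask and doorbell from VMSTATE_INT32 to VMSTATE_UINT32 (both 4-byte encodings, so the migration stream should be unchanged for those three); if any VMSTATE_* entry or signed comparison elsewhere in megasas.c, outside these hunks, still refers to the three narrowed fields, it needs a matching update, so please confirm. `event_class` is the one sibling left as `int` although the commit message says the positive-valued fields were all made unsigned; a short comment would record whether that is deliberate, e.g. `int event_class; /* left signed on purpose; TODO confirm negative classes are valid */`.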
@@ -0,0 +1,51 @@
+From e081fb1058e357d4d7adc30201013a46123fe2ae Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Thu, 14 May 2020 00:55:38 +0530
+Subject: [PATCH 4/9] megasas: use unsigned type for reply_queue_head and check
+ index
+
+A guest user may set 'reply_queue_head' field of MegasasState to
+a negative value. Later in 'megasas_lookup_frame' it is used to
+index into s->frames[] array. Use unsigned type to avoid OOB
+access issue.
+
+Also check that 'index' value stays within s->frames[] bounds
+through the while() loop in 'megasas_lookup_frame' to avoid OOB
+access.
+
+Reported-by: Ren Ding
+Reported-by: Hanqing Zhao
+Reported-by: Alexander Bulekov
+Signed-off-by: Prasad J Pandit
+Acked-by: Alexander Bulekov
+Message-Id: <20200513192540.1583887-2-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini
+---
+ hw/scsi/megasas.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 0c4399930a..7ee331d9da 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -111,7 +111,7 @@ typedef struct MegasasState {
+ uint64_t reply_queue_pa;
+ void *reply_queue;
+ int reply_queue_len;
+- int reply_queue_head;
++ uint16_t reply_queue_head;
+ int reply_queue_tail;
+ uint64_t consumer_pa;
+ uint64_t producer_pa;
+@@ -444,7 +444,7 @@ static MegasasCmd *megasas_lookup_frame(MegasasState *s,
+
+ index = s->reply_queue_head;
+
+- while (num < s->fw_cmds) {
++ while (num < s->fw_cmds && index < MEGASAS_MAX_FRAMES) {
+ if (s->frames[index].pa && s->frames[index].pa == frame) {
+ cmd = &s->frames[index];
+ break;
+--
+2.25.1
+
diff --git a/qemu.spec b/qemu.spec
index 97165d8c..0926b9ad 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 14
+Release: 15
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY
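Review bot: The new `index < MEGASAS_MAX_FRAMES` term in megasas_lookup_frame bounds the initial `index = s->reply_queue_head`, but the statement that advances index inside the loop is outside the hunk, so whether every value reaching `s->frames[index]` stays below MEGASAS_MAX_FRAMES, and whether the bound should rather be s->fw_cmds (which is what num is compared against), cannot be confirmed from here and should be checked. When the guard trips the loop exits with, presumably, cmd still NULL and no diagnostic; a `qemu_log_mask(LOG_GUEST_ERROR, "megasas: reply_queue_head %u out of range\n", s->reply_queue_head);` at that exit would make a misbehaving guest observable to the operator. The uint16_t change in the struct hunk is what makes the comparison meaningful, since the field can no longer hold a negative value that a signed compare would have let through.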
@@ -175,6 +175,13 @@ Patch0162: migration-Compat-virtual-timer-adjust-for-v4.0.1-and.patch
 Patch0163: vtimer-Drop-vtimer-virtual-timer-adjust.patch
 Patch0164: target-arm-Add-the-kvm_adjvtime-vcpu-property-for-Co.patch
 Patch0165: target-arm-Fix-PAuth-sbox-functions.patch
+Patch0166: es1370-check-total-frame-count-against-current-frame.patch
+Patch0167: exec-set-map-length-to-zero-when-returning-NULL.patch
+Patch0168: ati-vga-check-mm_index-before-recursive-call-CVE-202.patch
+Patch0169: megasas-use-unsigned-type-for-reply_queue_head-and-c.patch
+Patch0170: megasas-avoid-NULL-pointer-dereference.patch
+Patch0171: megasas-use-unsigned-type-for-positive-numeric-field.patch
+Patch0172: hw-scsi-megasas-Fix-possible-out-of-bounds-array-acc.patch
 
 BuildRequires: flex
 BuildRequires: bison
@@ -520,6 +527,15 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Fri Jul 24 2020 Huawei Technologies Co., Ltd
+- es1370: check total frame count against current frame
+- exec: set map length to zero when returning NULL
+- ati-vga: check mm_index before recursive call (CVE-2020-13800)
+- megasas: use unsigned type for reply_queue_head and check index
+- megasas: avoid NULL pointer dereference
+- megasas: use unsigned type for positive numeric fields
+- hw/scsi/megasas: Fix possible out-of-bounds array access in tracepoints
+
 * Sat Jun 20 2020 Huawei Technologies Co., Ltd
 - target/arm: Fix PAuth sbox functions
 - fix two patches' format which can cause git am failed
-- 
Gitee
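Review bot: Only the ati-vga entry in the new %changelog block names its CVE (CVE-2020-13800), while the commit message says the release also fixes CVE-2020-13361, CVE-2020-13659 and CVE-2020-13362; downstream vulnerability tracking keys off the changelog, so the other three entries should carry their ids too, e.g. `- es1370: check total frame count against current frame (CVE-2020-13361)`. If memory serves, upstream attributes the es1370 fix to CVE-2020-13361, the exec/address_space_map fix to CVE-2020-13659 and the megasas reply_queue_head fix to CVE-2020-13362, but verify that against the advisories before tagging. The Patch0169 through Patch0172 order applies the four megasas patches in the sequence their inner `index` lines chain (0c4399930a, 7ee331d9da, 5923ffbd22, 94469e8169, 9421f4d14e), which is correct.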