diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch | 99 |
1 files changed, 0 insertions, 99 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch deleted file mode 100644 index 624c1f6496..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch +++ /dev/null @@ -1,99 +0,0 @@ -From db916870a839346767b6d5ca7d0eed3128ba5fea Mon Sep 17 00:00:00 2001 -From: Bin Meng <bmeng.cn@gmail.com> -Date: Wed, 3 Mar 2021 20:26:39 +0800 -Subject: [PATCH 6/6] hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[] - when a different block size is programmed -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If the block size is programmed to a different value from the -previous one, reset the data pointer of s->fifo_buffer[] so that -s->fifo_buffer[] can be filled in using the new block size in -the next transfer. - -With this fix, the following reproducer: - -outl 0xcf8 0x80001010 -outl 0xcfc 0xe0000000 -outl 0xcf8 0x80001001 -outl 0xcfc 0x06000000 -write 0xe000002c 0x1 0x05 -write 0xe0000005 0x1 0x02 -write 0xe0000007 0x1 0x01 -write 0xe0000028 0x1 0x10 -write 0x0 0x1 0x23 -write 0x2 0x1 0x08 -write 0xe000000c 0x1 0x01 -write 0xe000000e 0x1 0x20 -write 0xe000000f 0x1 0x00 -write 0xe000000c 0x1 0x32 -write 0xe0000004 0x2 0x0200 -write 0xe0000028 0x1 0x00 -write 0xe0000003 0x1 0x40 - -cannot be reproduced with the following QEMU command line: - -$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \ - -nodefaults -device sdhci-pci,sd-spec-version=3 \ - -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \ - -device sd-card,drive=mydrive -qtest stdio - -Cc: qemu-stable@nongnu.org -Fixes: CVE-2020-17380 -Fixes: CVE-2020-25085 -Fixes: CVE-2021-3409 -Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller") -Reported-by: Alexander Bulekov <alxndr@bu.edu> -Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum) -Reported-by: Sergej Schumilo (Ruhr-Universität Bochum) -Reported-by: Simon Wörner (Ruhr-Universität Bochum) -Buglink: https://bugs.launchpad.net/qemu/+bug/1892960 -Buglink: https://bugs.launchpad.net/qemu/+bug/1909418 -Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146 -Tested-by: Alexander Bulekov <alxndr@bu.edu> -Signed-off-by: Bin Meng <bmeng.cn@gmail.com> -Message-Id: <20210303122639.20004-6-bmeng.cn@gmail.com> -Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> - -Upstream-Status: Backport [cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9] -CVE: CVE-2021-3409 - -Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> ---- - hw/sd/sdhci.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c -index 6c780126e..216842420 100644 ---- a/hw/sd/sdhci.c -+++ b/hw/sd/sdhci.c -@@ -1140,6 +1140,8 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size) - break; - case SDHC_BLKSIZE: - if (!TRANSFERRING_DATA(s->prnsts)) { -+ uint16_t blksize = s->blksize; -+ - MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12)); - MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16); - -@@ -1151,6 +1153,16 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size) - - s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); - } -+ -+ /* -+ * If the block size is programmed to a different value from -+ * the previous one, reset the data pointer of s->fifo_buffer[] -+ * so that s->fifo_buffer[] can be filled in using the new block -+ * size in the next transfer. -+ */ -+ if (blksize != s->blksize) { -+ s->data_count = 0; -+ } - } - - break; --- -2.29.2 - |