poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch - openbmc/openbmc - Gitiles

 From a98610c429d52db0937c1e48659428929835c455 Mon Sep 17 00:00:00 2001
 From: Prasad J Pandit <pjp@fedoraproject.org>
 Date: Thu, 4 Jun 2020 14:38:30 +0530
 Subject: [PATCH] ati-vga: check mm_index before recursive call
  (CVE-2020-13800)
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

 While accessing VGA registers via ati_mm_read/write routines,
 a guest may set 's->regs.mm_index' such that it leads to infinite
 recursion. Check mm_index value to avoid such recursion. Log an
 error message for wrong values.

 Reported-by: Ren Ding <rding@gatech.edu>
 Reported-by: Hanqing Zhao <hanqing@gatech.edu>
 Reported-by: Yi Ren <c4tren@gmail.com>
 Message-id: 20200604090830.33885-1-ppandit@redhat.com
 Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>
 Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

 Upstream-Status: Backport [a98610c429d52db0937c1e48659428929835c455]
 CVE: CVE-2020-13800
 Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
 ---
  hw/display/ati.c | 10 ++++++++--
  1 file changed, 8 insertions(+), 2 deletions(-)

 diff --git a/hw/display/ati.c b/hw/display/ati.c
 index 065f197678..67604e68de 100644
 --- a/hw/display/ati.c
 +++ b/hw/display/ati.c
 @@ -285,8 +285,11 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
              if (idx <= s->vga.vram_size - size) {
                  val = ldn_le_p(s->vga.vram_ptr + idx, size);
              }
 -        } else {
 +        } else if (s->regs.mm_index > MM_DATA + 3) {
              val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
 +        } else {
 +            qemu_log_mask(LOG_GUEST_ERROR,
 +                "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index);
          }
          break;
      case BIOS_0_SCRATCH ... BUS_CNTL - 1:
 @@ -520,8 +523,11 @@ static void ati_mm_write(void *opaque, hwaddr addr,
              if (idx <= s->vga.vram_size - size) {
                  stn_le_p(s->vga.vram_ptr + idx, size, data);
              }
 -        } else {
 +        } else if (s->regs.mm_index > MM_DATA + 3) {
              ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
 +        } else {
 +            qemu_log_mask(LOG_GUEST_ERROR,
 +                "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index);
          }
          break;
      case BIOS_0_SCRATCH ... BUS_CNTL - 1:
 --
 2.20.1
	From a98610c429d52db0937c1e48659428929835c455 Mon Sep 17 00:00:00 2001
	From: Prasad J Pandit <pjp@fedoraproject.org>
	Date: Thu, 4 Jun 2020 14:38:30 +0530
	Subject: [PATCH] ati-vga: check mm_index before recursive call
	(CVE-2020-13800)
	MIME-Version: 1.0
	Content-Type: text/plain; charset=UTF-8
	Content-Transfer-Encoding: 8bit

	While accessing VGA registers via ati_mm_read/write routines,
	a guest may set 's->regs.mm_index' such that it leads to infinite
	recursion. Check mm_index value to avoid such recursion. Log an
	error message for wrong values.

	Reported-by: Ren Ding <rding@gatech.edu>
	Reported-by: Hanqing Zhao <hanqing@gatech.edu>
	Reported-by: Yi Ren <c4tren@gmail.com>
	Message-id: 20200604090830.33885-1-ppandit@redhat.com
	Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>
	Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

	Upstream-Status: Backport [a98610c429d52db0937c1e48659428929835c455]
	CVE: CVE-2020-13800
	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
	---
	hw/display/ati.c \| 10 ++++++++--
	1 file changed, 8 insertions(+), 2 deletions(-)

	diff --git a/hw/display/ati.c b/hw/display/ati.c
	index 065f197678..67604e68de 100644
	--- a/hw/display/ati.c
	+++ b/hw/display/ati.c
	@@ -285,8 +285,11 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
	if (idx <= s->vga.vram_size - size) {
	val = ldn_le_p(s->vga.vram_ptr + idx, size);
	}
	- } else {
	+ } else if (s->regs.mm_index > MM_DATA + 3) {
	val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
	+ } else {
	+ qemu_log_mask(LOG_GUEST_ERROR,
	+ "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index);
	}
	break;
	case BIOS_0_SCRATCH ... BUS_CNTL - 1:
	@@ -520,8 +523,11 @@ static void ati_mm_write(void *opaque, hwaddr addr,
	if (idx <= s->vga.vram_size - size) {
	stn_le_p(s->vga.vram_ptr + idx, size, data);
	}
	- } else {
	+ } else if (s->regs.mm_index > MM_DATA + 3) {
	ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
	+ } else {
	+ qemu_log_mask(LOG_GUEST_ERROR,
	+ "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index);
	}
	break;
	case BIOS_0_SCRATCH ... BUS_CNTL - 1:
	--
	2.20.1