summaryrefslogtreecommitdiffstats
path: root/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch
diff options
context:
space:
mode:
Diffstat (limited to 'external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch')
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch55
1 files changed, 55 insertions, 0 deletions
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch
new file mode 100644
index 00000000..f1e9345e
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch
@@ -0,0 +1,55 @@
+From 77f55eac6c433e23e82a1b88b2d74f385c4c7d82 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 26 May 2020 16:47:43 +0530
+Subject: [PATCH] exec: set map length to zero when returning NULL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When mapping physical memory into host's virtual address space,
+'address_space_map' may return NULL if BounceBuffer is in_use.
+Set and return '*plen = 0' to avoid later NULL pointer dereference.
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Fixes: https://bugs.launchpad.net/qemu/+bug/1878259
+Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
+Suggested-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20200526111743.428367-1-ppandit@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/77f55eac6c433e23e82a1b88b2d74f385c4c7d82]
+CVE: CVE-2020-13659
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ exec.c | 1 +
+ include/exec/memory.h | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/exec.c b/exec.c
+index 9cbde85d8c1..778263f1c6a 100644
+--- a/exec.c
++++ b/exec.c
+@@ -3540,6 +3540,7 @@ void *address_space_map(AddressSpace *as,
+
+ if (!memory_access_is_direct(mr, is_write)) {
+ if (atomic_xchg(&bounce.in_use, true)) {
++ *plen = 0;
+ return NULL;
+ }
+ /* Avoid unbounded allocations */
+diff --git a/include/exec/memory.h b/include/exec/memory.h
+index bd7fdd60810..af8ca7824e0 100644
+--- a/include/exec/memory.h
++++ b/include/exec/memory.h
+@@ -2314,7 +2314,8 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, hwaddr len,
+ /* address_space_map: map a physical memory region into a host virtual address
+ *
+ * May map a subset of the requested range, given by and returned in @plen.
+- * May return %NULL if resources needed to perform the mapping are exhausted.
++ * May return %NULL and set *@plen to zero(0), if resources needed to perform
++ * the mapping are exhausted.
+ * Use only for reads OR writes - not for read-modify-write operations.
+ * Use cpu_register_map_client() to know when retrying the map operation is
+ * likely to succeed.