!395 Automatically generate code patches with openeuler !207

From: @kuhnchen18
Reviewed-by: @imxcc
Signed-off-by: @imxcc

fix-cve-2020-35504.patch

@@ -0,0 +1,30 @@
+From ad1af4b1ba099a9ab128129edf44f57dccc2e825 Mon Sep 17 00:00:00 2001
+From: imxcc <xingchaochao@huawei.com>
+Date: Mon, 21 Jun 2021 17:15:39 +0800
+Subject: [PATCH] fix cve-2020-35504
+
+esp: always check current_req is not NULL before use in DMA callbacks
+
+Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Signed-off-by: imxcc <xingchaochao@huawei.com>
+---
+ hw/scsi/esp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
+index 7508d035ca..d1f13b350e 100644
+--- a/hw/scsi/esp.c
++++ b/hw/scsi/esp.c
+@@ -253,6 +253,9 @@ static void esp_do_dma(ESPState *s)
+         s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
+         return;
+     }
++    if (!s->current_req) {
++        return;
++    }
+     if (s->async_len == 0) {
+         /* Defer until data is available.  */
+         return;
+-- 
+2.27.0
+

fix-cve-2020-35505.patch

@@ -0,0 +1,46 @@
+From 3aedcaaaef0653a413174c35f183b1703ce10a4d Mon Sep 17 00:00:00 2001
+From: imxcc <xingchaochao@huawei.com>
+Date: Mon, 21 Jun 2021 17:20:55 +0800
+Subject: [PATCH] fix cve-2020-35505
+
+esp: ensure cmdfifo is not empty and current_dev is non-NULL
+
+Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Signed-off-by: imxcc <xingchaochao@huawei.com>
+---
+ hw/scsi/esp.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
+index d1f13b350e..db6bed4f00 100644
+--- a/hw/scsi/esp.c
++++ b/hw/scsi/esp.c
+@@ -79,6 +79,7 @@ void esp_request_cancelled(SCSIRequest *req)
+         scsi_req_unref(s->current_req);
+         s->current_req = NULL;
+         s->current_dev = NULL;
++        s->async_len = 0;
+     }
+ }
+ 
+@@ -113,7 +114,6 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
+     if (s->current_req) {
+         /* Started a new command before the old one finished.  Cancel it.  */
+         scsi_req_cancel(s->current_req);
+-        s->async_len = 0;
+     }
+ 
+     s->current_dev = scsi_device_find(&s->bus, 0, target, 0);
+@@ -136,6 +136,9 @@ static void do_busid_cmd(ESPState *s, uint8_t *buf, uint8_t busid)
+ 
+     trace_esp_do_busid_cmd(busid);
+     lun = busid & 7;
++    if (!s->current_dev) {
++        return;
++    }
+     current_lun = scsi_device_find(&s->bus, 0, s->current_dev->id, lun);
+     s->current_req = scsi_req_new(current_lun, 0, lun, buf, s);
+     datalen = scsi_req_enqueue(s->current_req);
+-- 
+2.27.0
+

qemu.spec

@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 60
+Release: 61
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@@ -340,6 +340,8 @@ Patch0327: bootp-check-bootp_input-buffer-size.patch
 Patch0328: upd6-check-udp6_input-buffer-size.patch
 Patch0329: tftp-check-tftp_input-buffer-size.patch
 Patch0330: tftp-introduce-a-header-structure.patch
+Patch0331: fix-cve-2020-35504.patch
+Patch0332: fix-cve-2020-35505.patch
 
 BuildRequires: flex
 BuildRequires: bison
@@ -736,6 +738,10 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Wed Oct 27 2021 Chen Qun <kuhn.chenqun@huawei.com>
+- fix cve-2020-35504
+- fix cve-2020-35505
+
 * Tue Oct 19 2021 imxcc <xingchaochao@huawei.com>
 - fix cve-2021-3592 cve-2021-3593 cve-2021-3595