packages/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!395 Automatically generate code patches with openeuler !207

Browse Source 
From: @kuhnchen18
Reviewed-by: @imxcc
Signed-off-by: @imxcc
This commit is contained in:
openeuler-ci-bot 2021-10-28 01:06:49 +00:00 committed by Gitee
commit 8a5b41c0d0
3 changed files with 83 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
fix-cve-2020-35504.patch Normal file
View File

@ -0,0 +1,30 @@
From ad1af4b1ba099a9ab128129edf44f57dccc2e825 Mon Sep 17 00:00:00 2001
From: imxcc <xingchaochao@huawei.com>
Date: Mon, 21 Jun 2021 17:15:39 +0800
Subject: [PATCH] fix cve-2020-35504
esp: always check current_req is not NULL before use in DMA callbacks
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: imxcc <xingchaochao@huawei.com>
---
hw/scsi/esp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 7508d035ca..d1f13b350e 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -253,6 +253,9 @@ static void esp_do_dma(ESPState *s)
s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
return;
}
+ if (!s->current_req) {
+ return;
+ }
if (s->async_len == 0) {
/* Defer until data is available. */
return;
--
2.27.0

46
fix-cve-2020-35505.patch Normal file
View File

@ -0,0 +1,46 @@
From 3aedcaaaef0653a413174c35f183b1703ce10a4d Mon Sep 17 00:00:00 2001
From: imxcc <xingchaochao@huawei.com>
Date: Mon, 21 Jun 2021 17:20:55 +0800
Subject: [PATCH] fix cve-2020-35505
esp: ensure cmdfifo is not empty and current_dev is non-NULL
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: imxcc <xingchaochao@huawei.com>
---
hw/scsi/esp.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index d1f13b350e..db6bed4f00 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -79,6 +79,7 @@ void esp_request_cancelled(SCSIRequest *req)
scsi_req_unref(s->current_req);
s->current_req = NULL;
s->current_dev = NULL;
+ s->async_len = 0;
}
}
@@ -113,7 +114,6 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
if (s->current_req) {
/* Started a new command before the old one finished. Cancel it. */
scsi_req_cancel(s->current_req);
- s->async_len = 0;
}
s->current_dev = scsi_device_find(&s->bus, 0, target, 0);
@@ -136,6 +136,9 @@ static void do_busid_cmd(ESPState *s, uint8_t *buf, uint8_t busid)
trace_esp_do_busid_cmd(busid);
lun = busid & 7;
+ if (!s->current_dev) {
+ return;
+ }
current_lun = scsi_device_find(&s->bus, 0, s->current_dev->id, lun);
s->current_req = scsi_req_new(current_lun, 0, lun, buf, s);
datalen = scsi_req_enqueue(s->current_req);
--
2.27.0

8
qemu.spec
View File

@ -1,6 +1,6 @@
Name: qemu Name: qemu
Version: 4.1.0 Version: 4.1.0
Release: 60 Release: 61
Epoch: 2 Epoch: 2
Summary: QEMU is a generic and open source machine emulator and virtualizer Summary: QEMU is a generic and open source machine emulator and virtualizer
License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@ -340,6 +340,8 @@ Patch0327: bootp-check-bootp_input-buffer-size.patch
Patch0328: upd6-check-udp6_input-buffer-size.patch Patch0328: upd6-check-udp6_input-buffer-size.patch
Patch0329: tftp-check-tftp_input-buffer-size.patch Patch0329: tftp-check-tftp_input-buffer-size.patch
Patch0330: tftp-introduce-a-header-structure.patch Patch0330: tftp-introduce-a-header-structure.patch
Patch0331: fix-cve-2020-35504.patch
Patch0332: fix-cve-2020-35505.patch
BuildRequires: flex BuildRequires: flex
BuildRequires: bison BuildRequires: bison
@ -736,6 +738,10 @@ getent passwd qemu >/dev/null || \
%endif %endif
%changelog %changelog
* Wed Oct 27 2021 Chen Qun <kuhn.chenqun@huawei.com>
- fix cve-2020-35504
- fix cve-2020-35505
* Tue Oct 19 2021 imxcc <xingchaochao@huawei.com> * Tue Oct 19 2021 imxcc <xingchaochao@huawei.com>
- fix cve-2021-3592 cve-2021-3593 cve-2021-3595 - fix cve-2021-3592 cve-2021-3593 cve-2021-3595