Qemu: Security fix for CVE-2020-25625/2021-3409/2020-17380

Source: Qemu.org MR: 105781, 109964, 108621 Type: Security Fix Disposition: Backport from https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg05905.html ChangeID: 0acf082885e7ab3ac2fb41d6e503449869dd46a8 Description: This address: CVE-2020-25625 and its two fixes address an incomplete fix for CVE-2020-25625 CVE-2021-3409 CVE-2020-17380 (From OE-Core rev: 721a14f13005dc0b5bddaac131c444b97be700a8) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-02-05 16:28:43 +01:00 · 2021-08-20 16:55:15 -07:00
parent ea562eaec5
commit c00a882bd6
2 changed files with 43 additions and 0 deletions
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -58,6 +58,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2020-25085.patch \
           file://CVE-2020-25624_1.patch \
           file://CVE-2020-25624_2.patch \
+           file://CVE-2020-25625.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"

--- a/meta/recipes-devtools/qemu/qemu/CVE-2020-25625.patch
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25625.patch
@@ -0,0 +1,42 @@
+From 1be90ebecc95b09a2ee5af3f60c412b45a766c4f Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 15 Sep 2020 23:52:59 +0530
+Subject: [PATCH] hw: usb: hcd-ohci: check for processed TD before retire
+
+While servicing OHCI transfer descriptors(TD), ohci_service_iso_td
+retires a TD if it has passed its time frame. It does not check if
+the TD was already processed once and holds an error code in TD_CC.
+It may happen if the TD list has a loop. Add check to avoid an
+infinite loop condition.
+
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Message-id: 20200915182259.68522-3-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-25625
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/usb/hcd-ohci.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 9dc59101f9..8b912e95d3 100644
+--- a/hw/usb/hcd-ohci.c
+++ b/hw/usb/hcd-ohci.c
+@@ -691,6 +691,10 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+            the next ISO TD of the same ED */
+         trace_usb_ohci_iso_td_relative_frame_number_big(relative_frame_number,
+                                                         frame_count);
+        if (OHCI_CC_DATAOVERRUN == OHCI_BM(iso_td.flags, TD_CC)) {
+            /* avoid infinite loop */
+            return 1;
+        }
+         OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
+         ed->head &= ~OHCI_DPTR_MASK;
+         ed->head |= (iso_td.next & OHCI_DPTR_MASK);
+-- 
+2.25.1
+