From bc1be870b029b7d290ecefb422d5cb19c4914dc3 Mon Sep 17 00:00:00 2001
From: Max Rees <maxcrees@me.com>
Date: Mon, 6 Apr 2020 12:19:31 -0500
Subject: user/qemu: patch CVE-2020-11102

---
 user/qemu/APKBUILD             |   6 +-
 user/qemu/CVE-2020-11102.patch | 144 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 149 insertions(+), 1 deletion(-)
 create mode 100644 user/qemu/CVE-2020-11102.patch

(limited to 'user/qemu')

diff --git a/user/qemu/APKBUILD b/user/qemu/APKBUILD
index 579eed14f..bc3744541 100644
--- a/user/qemu/APKBUILD
+++ b/user/qemu/APKBUILD
@@ -6,7 +6,7 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=qemu
 pkgver=4.2.0
-pkgrel=0
+pkgrel=1
 pkgdesc="Machine emulator and virtualisation software"
 url="https://www.qemu.org/"
 arch="all"
@@ -160,6 +160,7 @@ source="https://download.qemu.org/$pkgname-$pkgver.tar.xz
 	time64.patch
 	MAP_SYNC-fix.patch
 	CVE-2020-1711.patch
+	CVE-2020-11102.patch
 
 	$pkgname-guest-agent.confd
 	$pkgname-guest-agent.initd
@@ -230,6 +231,8 @@ builddir="$srcdir/$pkgname-$pkgver"
 #     - CVE-2020-1711
 #     - CVE-2020-7039
 #     - CVE-2020-8608
+#   4.2.0-r1:
+#     - CVE-2020-11102
 
 prepare() {
 	default_prepare  # apply patches
@@ -454,6 +457,7 @@ c6436b1cc986788baccd5fe0f9d23c7db9026f6b723260611cf894bd94ee830140a17ee5859efe0d
 87f659800b78b31731ea1828a27a3762662ef124d10e942f6029b332d5e8cf4487f62a3d742ad59709c2eb9e3ae8af36fa849d6cbac89978a282d29786b9b41a  time64.patch
 d7de79ea74e36702cac4a59e472564a55f0a663be7e63c3755e32b4b5dfbc04b390ee79f09f43f6ae706ee2aec9e005eade3c0fd4a202db60d11f436874a17d7  MAP_SYNC-fix.patch
 0ea3745c45507c00c3c036241992d594b5f7e9aa1f0fa9b425dd222390066e1ea2d0aa4923bde0e7f27b7cc2f759a122ae4b600c2fa682a5aad509e7d03ccad9  CVE-2020-1711.patch
+5d9e7e065c6716024eab4984331071f42dcd5363c5456023f81a3ef0329ae578348d0f875868f85c9e1fee5e435d86e2eb7e342a957c36cd099cb5d5d9f3a78d  CVE-2020-11102.patch
 d90c034cae3f9097466854ed1a9f32ab4b02089fcdf7320e8f4da13b2b1ff65067233f48809911485e4431d7ec1a22448b934121bc9522a2dc489009e87e2b1f  qemu-guest-agent.confd
 1cd24c2444c5935a763c501af2b0da31635aad9cf62e55416d6477fcec153cddbe7de205d99616def11b085e0dd366ba22463d2270f831d884edbc307c7864a6  qemu-guest-agent.initd
 9b7a89b20fcf737832cb7b4d5dc7d8301dd88169cbe5339eda69fbb51c2e537d8cb9ec7cf37600899e734209e63410d50d0821bce97e401421db39c294d97be2  80-kvm.rules
diff --git a/user/qemu/CVE-2020-11102.patch b/user/qemu/CVE-2020-11102.patch
new file mode 100644
index 000000000..c437a7d47
--- /dev/null
+++ b/user/qemu/CVE-2020-11102.patch
@@ -0,0 +1,144 @@
+From 8ffb7265af64ec81748335ec8f20e7ab542c3850 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 24 Mar 2020 22:57:22 +0530
+Subject: [PATCH 1/1] net: tulip: check frame size and r/w data length
+
+Tulip network driver while copying tx/rx buffers does not check
+frame size against r/w data length. This may lead to OOB buffer
+access. Add check to avoid it.
+
+Limit iterations over descriptors to avoid potential infinite
+loop issue in tulip_xmit_list_update.
+
+Reported-by: Li Qiang <pangpei.lq@antfin.com>
+Reported-by: Ziming Zhang <ezrakiez@gmail.com>
+Reported-by: Jason Wang <jasowang@redhat.com>
+Tested-by: Li Qiang <liq3ea@gmail.com>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ hw/net/tulip.c | 36 +++++++++++++++++++++++++++---------
+ 1 file changed, 27 insertions(+), 9 deletions(-)
+
+diff --git a/hw/net/tulip.c b/hw/net/tulip.c
+index cfac271..1295f51 100644
+--- a/hw/net/tulip.c
++++ b/hw/net/tulip.c
+@@ -170,6 +170,10 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc)
+         } else {
+             len = s->rx_frame_len;
+         }
++
++        if (s->rx_frame_len + len > sizeof(s->rx_frame)) {
++            return;
++        }
+         pci_dma_write(&s->dev, desc->buf_addr1, s->rx_frame +
+             (s->rx_frame_size - s->rx_frame_len), len);
+         s->rx_frame_len -= len;
+@@ -181,6 +185,10 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc)
+         } else {
+             len = s->rx_frame_len;
+         }
++
++        if (s->rx_frame_len + len > sizeof(s->rx_frame)) {
++            return;
++        }
+         pci_dma_write(&s->dev, desc->buf_addr2, s->rx_frame +
+             (s->rx_frame_size - s->rx_frame_len), len);
+         s->rx_frame_len -= len;
+@@ -227,7 +235,8 @@ static ssize_t tulip_receive(TULIPState *s, const uint8_t *buf, size_t size)
+ 
+     trace_tulip_receive(buf, size);
+ 
+-    if (size < 14 || size > 2048 || s->rx_frame_len || tulip_rx_stopped(s)) {
++    if (size < 14 || size > sizeof(s->rx_frame) - 4
++        || s->rx_frame_len || tulip_rx_stopped(s)) {
+         return 0;
+     }
+ 
+@@ -275,7 +284,6 @@ static ssize_t tulip_receive_nc(NetClientState *nc,
+     return tulip_receive(qemu_get_nic_opaque(nc), buf, size);
+ }
+ 
+-
+ static NetClientInfo net_tulip_info = {
+     .type = NET_CLIENT_DRIVER_NIC,
+     .size = sizeof(NICState),
+@@ -558,7 +566,7 @@ static void tulip_tx(TULIPState *s, struct tulip_descriptor *desc)
+         if ((s->csr[6] >> CSR6_OM_SHIFT) & CSR6_OM_MASK) {
+             /* Internal or external Loopback */
+             tulip_receive(s, s->tx_frame, s->tx_frame_len);
+-        } else {
++        } else if (s->tx_frame_len <= sizeof(s->tx_frame)) {
+             qemu_send_packet(qemu_get_queue(s->nic),
+                 s->tx_frame, s->tx_frame_len);
+         }
+@@ -570,23 +578,31 @@ static void tulip_tx(TULIPState *s, struct tulip_descriptor *desc)
+     }
+ }
+ 
+-static void tulip_copy_tx_buffers(TULIPState *s, struct tulip_descriptor *desc)
++static int tulip_copy_tx_buffers(TULIPState *s, struct tulip_descriptor *desc)
+ {
+     int len1 = (desc->control >> TDES1_BUF1_SIZE_SHIFT) & TDES1_BUF1_SIZE_MASK;
+     int len2 = (desc->control >> TDES1_BUF2_SIZE_SHIFT) & TDES1_BUF2_SIZE_MASK;
+ 
++    if (s->tx_frame_len + len1 > sizeof(s->tx_frame)) {
++        return -1;
++    }
+     if (len1) {
+         pci_dma_read(&s->dev, desc->buf_addr1,
+             s->tx_frame + s->tx_frame_len, len1);
+         s->tx_frame_len += len1;
+     }
+ 
++    if (s->tx_frame_len + len2 > sizeof(s->tx_frame)) {
++        return -1;
++    }
+     if (len2) {
+         pci_dma_read(&s->dev, desc->buf_addr2,
+             s->tx_frame + s->tx_frame_len, len2);
+         s->tx_frame_len += len2;
+     }
+     desc->status = (len1 + len2) ? 0 : 0x7fffffff;
++
++    return 0;
+ }
+ 
+ static void tulip_setup_filter_addr(TULIPState *s, uint8_t *buf, int n)
+@@ -651,13 +667,15 @@ static uint32_t tulip_ts(TULIPState *s)
+ 
+ static void tulip_xmit_list_update(TULIPState *s)
+ {
++#define TULIP_DESC_MAX 128
++    uint8_t i = 0;
+     struct tulip_descriptor desc;
+ 
+     if (tulip_ts(s) != CSR5_TS_SUSPENDED) {
+         return;
+     }
+ 
+-    for (;;) {
++    for (i = 0; i < TULIP_DESC_MAX; i++) {
+         tulip_desc_read(s, s->current_tx_desc, &desc);
+         tulip_dump_tx_descriptor(s, &desc);
+ 
+@@ -675,10 +693,10 @@ static void tulip_xmit_list_update(TULIPState *s)
+                 s->tx_frame_len = 0;
+             }
+ 
+-            tulip_copy_tx_buffers(s, &desc);
+-
+-            if (desc.control & TDES1_LS) {
+-                tulip_tx(s, &desc);
++            if (!tulip_copy_tx_buffers(s, &desc)) {
++                if (desc.control & TDES1_LS) {
++                    tulip_tx(s, &desc);
++                }
+             }
+         }
+         tulip_desc_write(s, s->current_tx_desc, &desc);
+-- 
+1.8.3.1
+
-- 
cgit v1.2.3-60-g2f50