Accepting request 961858 from home:lizhang:branches:Virtualization

Fix bsc#1189702 CVE-2021-3713 * Patches added: hw-nvram-at24-return-0xff-if-1-byte-addr.patch OBS-URL: https://build.opensuse.org/request/show/961858 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=694
2022-03-15 11:41:22 +00:00 · 2022-03-15 11:41:22 +00:00 · 29a74282dc
commit 29a74282dc
parent c977c5d4a8
4 changed files with 63 additions and 2 deletions
--- a/bundles.tar.xz
+++ b/bundles.tar.xz
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:15c93c65a944d8c0bfb4e22bbc9b0cdcca5b380f6e93e41d750b4c149bee72aa
-size 78080
+oid sha256:593a0eac10d5084f791cd4723ec9508b04d67c936369f8f83db7ccd4ccdb04d5
+size 78808
--- a/hw-nvram-at24-return-0xff-if-1-byte-addr.patch
+++ b/hw-nvram-at24-return-0xff-if-1-byte-addr.patch
@ -0,0 +1,53 @@
+From: Patrick Venture <venture@google.com>
+Date: Mon, 20 Dec 2021 13:21:37 -0800
+Subject: hw/nvram: at24 return 0xff if 1 byte address
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: 1cbab82e9d1bdb2c7b9ef46a396fdc03ea3fa04c
+References: bsc#1193880 CVE-2021-3929
+
+The at24 eeproms are 2 byte devices that return 0xff when they are read
+from with a partial (1-byte) address written.  This distinction was
+found comparing model behavior to real hardware testing.
+
+Tested: `i2ctransfer -f -y 45 w1@85 0 r1` returns 0xff instead of next
+byte
+
+Signed-off-by: Patrick Venture <venture@google.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20211220212137.1244511-1-venture@google.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Li Zhang <lizhang@suse.de>
+---
+ hw/nvram/eeprom_at24c.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/hw/nvram/eeprom_at24c.c b/hw/nvram/eeprom_at24c.c
+index af6f5dbb998475871b4defb59c47..b956b8e2b2d9d74a1bc61bc16eb9 100644
+--- a/hw/nvram/eeprom_at24c.c
+++ b/hw/nvram/eeprom_at24c.c
+@@ -58,9 +58,10 @@ int at24c_eeprom_event(I2CSlave *s, enum i2c_event event)
+ 
+     switch (event) {
+     case I2C_START_SEND:
+-    case I2C_START_RECV:
+     case I2C_FINISH:
+         ee->haveaddr = 0;
+        /* fallthrough */
+    case I2C_START_RECV:
+         DPRINTK("clear\n");
+         if (ee->blk && ee->changed) {
+             int len = blk_pwrite(ee->blk, 0, ee->mem, ee->rsize, 0);
+@@ -84,6 +85,10 @@ uint8_t at24c_eeprom_recv(I2CSlave *s)
+     EEPROMState *ee = AT24C_EE(s);
+     uint8_t ret;
+ 
+    if (ee->haveaddr == 1) {
+        return 0xff;
+    }
+
+     ret = ee->mem[ee->cur];
+ 
+     ee->cur = (ee->cur + 1u) % ee->rsize;
--- a/qemu.changes
+++ b/qemu.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Mar 15 09:58:18 UTC 2022 - Li Zhang <li.zhang@suse.com>
+Fix bsc#1189702 CVE-2021-3713
+* Patches added:
+  hw-nvram-at24-return-0xff-if-1-byte-addr.patch
+
 -------------------------------------------------------------------
 Mon Mar  7 15:45:42 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>

--- a/qemu.spec
+++ b/qemu.spec
@ -215,6 +215,7 @@ Patch00068:     iotests-declare-lack-of-support-for-comp.patch
 Patch00069:     block-backend-Retain-permissions-after-m.patch
 Patch00070:     virtiofsd-Drop-membership-of-all-supplem.patch
 Patch00071:     hw-scsi-megasas-check-for-NULL-frame-in-.patch
+Patch00072:     hw-nvram-at24-return-0xff-if-1-byte-addr.patch
 # Patches applied in roms/seabios/:
 Patch01000:     seabios-use-python2-explicitly-as-needed.patch
 Patch01001:     seabios-switch-to-python3-as-needed.patch
@ -1206,6 +1207,7 @@ This package records qemu testsuite results and represents successful testing.
 %patch00069 -p1
 %patch00070 -p1
 %patch00071 -p1
+%patch00072 -p1
 %patch01000 -p1
 %patch01001 -p1
 %patch01002 -p1