From 29a74282dc686c4e53ea7afc1e4ded5454d24bf5a6f4a9b0f6f56826ebdee16c Mon Sep 17 00:00:00 2001
From: Li Zhang
Date: Tue, 15 Mar 2022 11:41:22 +0000
Subject: [PATCH] Accepting request 961858 from home:lizhang:branches:Virtualization
Fix bsc#1189702 CVE-2021-3713
* Patches added:
hw-nvram-at24-return-0xff-if-1-byte-addr.patch
OBS-URL: https://build.opensuse.org/request/show/961858
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=694
---
bundles.tar.xz | 4 +-
...vram-at24-return-0xff-if-1-byte-addr.patch | 53 +++++++++++++++++++
qemu.changes | 6 +++
qemu.spec | 2 +
4 files changed, 63 insertions(+), 2 deletions(-)
create mode 100644 hw-nvram-at24-return-0xff-if-1-byte-addr.patch
diff --git a/bundles.tar.xz b/bundles.tar.xz
index 9fd38454..be946154 100644
--- a/bundles.tar.xz
+++ b/bundles.tar.xz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:15c93c65a944d8c0bfb4e22bbc9b0cdcca5b380f6e93e41d750b4c149bee72aa
-size 78080
+oid sha256:593a0eac10d5084f791cd4723ec9508b04d67c936369f8f83db7ccd4ccdb04d5
+size 78808
diff --git a/hw-nvram-at24-return-0xff-if-1-byte-addr.patch b/hw-nvram-at24-return-0xff-if-1-byte-addr.patch
new file mode 100644
index 00000000..278b4ece
--- /dev/null
+++ b/hw-nvram-at24-return-0xff-if-1-byte-addr.patch
@@ -0,0 +1,53 @@
+From: Patrick Venture
+Date: Mon, 20 Dec 2021 13:21:37 -0800
+Subject: hw/nvram: at24 return 0xff if 1 byte address
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: 1cbab82e9d1bdb2c7b9ef46a396fdc03ea3fa04c
+References: bsc#1193880 CVE-2021-3929
+
+The at24 eeproms are 2 byte devices that return 0xff when they are read
+from with a partial (1-byte) address written. This distinction was
+found comparing model behavior to real hardware testing.
+
+Tested: `i2ctransfer -f -y 45 w1@85 0 r1` returns 0xff instead of next
+byte
+
+Signed-off-by: Patrick Venture
+Reviewed-by: Philippe Mathieu-Daudé
+Message-Id: <20211220212137.1244511-1-venture@google.com>
+Signed-off-by: Philippe Mathieu-Daudé
+Signed-off-by: Li Zhang
+---
+ hw/nvram/eeprom_at24c.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/hw/nvram/eeprom_at24c.c b/hw/nvram/eeprom_at24c.c
+index af6f5dbb998475871b4defb59c47..b956b8e2b2d9d74a1bc61bc16eb9 100644
+--- a/hw/nvram/eeprom_at24c.c
++++ b/hw/nvram/eeprom_at24c.c
+@@ -58,9 +58,10 @@ int at24c_eeprom_event(I2CSlave *s, enum i2c_event event)
+ 
+ switch (event) {
+ case I2C_START_SEND:
+- case I2C_START_RECV:
+ case I2C_FINISH:
+ ee->haveaddr = 0;
++ /* fallthrough */
++ case I2C_START_RECV:
+ DPRINTK("clear\n");
+ if (ee->blk && ee->changed) {
+ int len = blk_pwrite(ee->blk, 0, ee->mem, ee->rsize, 0);
+@@ -84,6 +85,10 @@ uint8_t at24c_eeprom_recv(I2CSlave *s)
+ EEPROMState *ee = AT24C_EE(s);
+ uint8_t ret;
+ 
++ if (ee->haveaddr == 1) {
++ return 0xff;
++ }
++
+ ret = ee->mem[ee->cur];
+ 
+ ee->cur = (ee->cur + 1u) % ee->rsize;
diff --git a/qemu.changes b/qemu.changes
index 6a582763..0ac7ee41 100644
--- a/qemu.changes
+++ b/qemu.changes
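Review bot: The tracking references disagree: the commit message and qemu.changes cite bsc#1189702 / CVE-2021-3713, while the patch header added here says `References: bsc#1193880 CVE-2021-3929`, so one side is mis-attributed and the advisory metadata should be reconciled before this ships. On the code itself, the new guard in at24c_eeprom_recv, `if (ee->haveaddr == 1) { return 0xff; }`, carries no comment on the hardware behaviour it models; I'd add `/* A read after a partial (1-byte) address write returns 0xff on the real part. */` above it. The guard also depends on haveaddr never exceeding 2 and on I2C_START_RECV no longer resetting it (the send path that increments haveaddr is outside this hunk), so the early return covers only the exact one-byte case and is worth confirming against at24c_eeprom_send. Both at24c_eeprom_event and at24c_eeprom_recv continue past the inner hunks.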
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Mar 15 09:58:18 UTC 2022 - Li Zhang
+Fix bsc#1189702 CVE-2021-3713
+* Patches added:
+ hw-nvram-at24-return-0xff-if-1-byte-addr.patch
+
 -------------------------------------------------------------------
 Mon Mar 7 15:45:42 UTC 2022 - Dario Faggioli
diff --git a/qemu.spec b/qemu.spec
index d91df197..187da0ee 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -215,6 +215,7 @@ Patch00068: iotests-declare-lack-of-support-for-comp.patch
 Patch00069: block-backend-Retain-permissions-after-m.patch
 Patch00070: virtiofsd-Drop-membership-of-all-supplem.patch
 Patch00071: hw-scsi-megasas-check-for-NULL-frame-in-.patch
+Patch00072: hw-nvram-at24-return-0xff-if-1-byte-addr.patch
 # Patches applied in roms/seabios/:
 Patch01000: seabios-use-python2-explicitly-as-needed.patch
 Patch01001: seabios-switch-to-python3-as-needed.patch
@@ -1206,6 +1207,7 @@ This package records qemu testsuite results and represents successful testing.
 %patch00069 -p1
 %patch00070 -p1
 %patch00071 -p1
+%patch00072 -p1
 %patch01000 -p1
 %patch01001 -p1
 %patch01002 -p1