
Bug#988186: unblock: qemu/1:5.2+dfsg-10



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package qemu

The version in unstable contains just 2 (or 4 when counting
repeated ones) CVE fixes both taken from upstream stable.
It took me 20 days to realize the package will NOT migrate
automatically :)

The debdiff is rather large because one of the fixes turned out
to be a patch SET rather than a single fix, because the area of
the problem is quite wide and there are actually numerous probs
in there, not a single problem. These are the 5 sdhci device
emulation fixes. The other fix is for the mptsas device emulation.

Both the risks and the impact are rather low because both
(virtual) devices are not very commonly used. However, it
is better to fix security holes when possible, and the
resulting binaries now pass all the trigger testcases
for the problems which I was able to find (the qemu package
still does not have an automatic testsuite).

The debdiff is below.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock qemu/1:5.2+dfsg-10

---
diff -Nru qemu-5.2+dfsg/debian/changelog qemu-5.2+dfsg/debian/changelog
--- qemu-5.2+dfsg/debian/changelog	2021-03-17 21:02:30.000000000 +0300
+++ qemu-5.2+dfsg/debian/changelog	2021-04-16 12:43:36.000000000 +0300
@@ -1,3 +1,18 @@
+qemu (1:5.2+dfsg-10) unstable; urgency=medium
+
+  * 5 sdhci fixes from upstream:
+    dont-transfer-any-data-when-command-time-out.patch
+    dont-write-to-SDHC_SYSAD-register-when-transfer-is-in-progress.patch
+    correctly-set-the-controller-status-for-ADMA.patch
+    limit-block-size-only-when-SDHC_BLKSIZE-register-is-writable.patch
+    reset-the-data-pointer-of-s-fifo_buffer-when-a-different-block-size...patch
+    (Closes: #986795, #970937, CVE-2021-3409, CVE-2020-17380, CVE-2020-25085)
+  * mptsas-remove-unused-MPTSASState.pending-CVE-2021-3392.patch
+    fix possible use-after-free in mptsas_free_request
+    (Cloese: #984449, CVE-2021-3392)
+
+ -- Michael Tokarev <mjt@tls.msk.ru>  Fri, 16 Apr 2021 12:43:36 +0300
+
 qemu (1:5.2+dfsg-9) unstable; urgency=medium
 
   * do not make qemu-system-data dependent on qemu-system-foo
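Review bot: "Cloese: #984449" in the mptsas entry should read "Closes: #984449"; the bug-closing parser only matches the literal keyword, so as written #984449 would not be closed by this upload. The fifth sdhci entry also truncates the patch name to "reset-the-data-pointer-of-s-fifo_buffer-when-a-different-block-size...patch", while the file added to debian/patches/series is "reset-the-data-pointer-of-s-fifo_buffer-when-a-different-block-size-is-programmed.patch"; quoting the real filename keeps the changelog greppable against the series file.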
diff -Nru qemu-5.2+dfsg/debian/patches/mptsas-remove-unused-MPTSASState.pending-CVE-2021-3392.patch qemu-5.2+dfsg/debian/patches/mptsas-remove-unused-MPTSASState.pending-CVE-2021-3392.patch
--- qemu-5.2+dfsg/debian/patches/mptsas-remove-unused-MPTSASState.pending-CVE-2021-3392.patch	1970-01-01 03:00:00.000000000 +0300
+++ qemu-5.2+dfsg/debian/patches/mptsas-remove-unused-MPTSASState.pending-CVE-2021-3392.patch	2021-04-16 12:43:36.000000000 +0300
@@ -0,0 +1,61 @@
+From: Michael Tokarev <mjt@tls.msk.ru>
+Date: Fri, 16 Apr 2021 13:18:59 +0300
+Subject: mptsas: remove unused MPTSASState.pending (CVE-2021-3392)
+Bug-Debian: http://bugs.debian.org/984449
+
+During previous attempt to fix CVE-2021-3392 it was discovered
+that MPTSASState.pending is actually not used. So instead of
+fixing the prob, just remove the offending code entirely
+
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+Cc: Prasad J Pandit <pjp@fedoraproject.org>
+Cc: qemu-stable@nongnu.org
+---
+ hw/scsi/mptsas.c | 4 ----
+ hw/scsi/mptsas.h | 1 -
+ 2 files changed, 5 deletions(-)
+
+diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
+index 7416e78706..5abbc742aa 100644
+--- a/hw/scsi/mptsas.c
++++ b/hw/scsi/mptsas.c
+@@ -257,7 +257,6 @@ static void mptsas_free_request(MPTSASRequest *req)
+         req->sreq->hba_private = NULL;
+         scsi_req_unref(req->sreq);
+         req->sreq = NULL;
+-        QTAILQ_REMOVE(&s->pending, req, next);
+     }
+     qemu_sglist_destroy(&req->qsg);
+     g_free(req);
+@@ -303,7 +302,6 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
+     }
+ 
+     req = g_new0(MPTSASRequest, 1);
+-    QTAILQ_INSERT_TAIL(&s->pending, req, next);
+     req->scsi_io = *scsi_io;
+     req->dev = s;
+ 
+@@ -1319,8 +1317,6 @@ static void mptsas_scsi_realize(PCIDevice *dev, Error **errp)
+ 
+     s->request_bh = qemu_bh_new(mptsas_fetch_requests, s);
+ 
+-    QTAILQ_INIT(&s->pending);
+-
+     scsi_bus_new(&s->bus, sizeof(s->bus), &dev->qdev, &mptsas_scsi_info, NULL);
+ }
+ 
+diff --git a/hw/scsi/mptsas.h b/hw/scsi/mptsas.h
+index b85ac1a5fc..c046497db7 100644
+--- a/hw/scsi/mptsas.h
++++ b/hw/scsi/mptsas.h
+@@ -79,7 +79,6 @@ struct MPTSASState {
+     uint16_t reply_frame_size;
+ 
+     SCSIBus bus;
+-    QTAILQ_HEAD(, MPTSASRequest) pending;
+ };
+ 
+ void mptsas_fix_scsi_io_endianness(MPIMsgSCSIIORequest *req);
+-- 
+2.30.2
+
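Review bot: The description ("instead of fixing the prob, just remove the offending code entirely") does not say why removal is safe, which is the claim a stable reviewer needs to verify: the diffstat (5 deletions, the QTAILQ_INIT/INSERT_TAIL/REMOVE calls and the QTAILQ_HEAD member) shows that nothing ever iterates s->pending, so the list only served to keep a dangling pointer to a freed MPTSASRequest; stating that explicitly, plus the upstream commit id this mirrors, would make the CVE-2021-3392 fix self-explanatory. Unlike the four sdhci patches, this one carries no "From <sha>" header or Origin: field, so its provenance cannot be checked from the patch alone.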
diff -Nru qemu-5.2+dfsg/debian/patches/sdhci/correctly-set-the-controller-status-for-ADMA.patch qemu-5.2+dfsg/debian/patches/sdhci/correctly-set-the-controller-status-for-ADMA.patch
--- qemu-5.2+dfsg/debian/patches/sdhci/correctly-set-the-controller-status-for-ADMA.patch	1970-01-01 03:00:00.000000000 +0300
+++ qemu-5.2+dfsg/debian/patches/sdhci/correctly-set-the-controller-status-for-ADMA.patch	2021-04-13 20:15:32.000000000 +0300
@@ -0,0 +1,69 @@
+From bc6f28995ff88f5d82c38afcfd65406f0ae375aa Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:37 +0800
+Subject: [PATCH 3/5] hw/sd: sdhci: Correctly set the controller status for ADMA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When an ADMA transfer is started, the codes forget to set the
+controller status to indicate a transfer is in progress.
+
+With this fix, the following 2 reproducers:
+
+https://paste.debian.net/plain/1185136
+https://paste.debian.net/plain/1185141
+
+cannot be reproduced with the following QEMU command line:
+
+$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
+      -nodefaults -device sdhci-pci,sd-spec-version=3 \
+      -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+      -device sd-card,drive=mydrive -qtest stdio
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-4-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+---
+ hw/sd/sdhci.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 3feb6c3a1f..7a2003b28b 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -768,7 +768,9 @@ static void sdhci_do_adma(SDHCIState *s)
+ 
+         switch (dscr.attr & SDHC_ADMA_ATTR_ACT_MASK) {
+         case SDHC_ADMA_ATTR_ACT_TRAN:  /* data transfer */
++            s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE;
+             if (s->trnmod & SDHC_TRNS_READ) {
++                s->prnsts |= SDHC_DOING_READ;
+                 while (length) {
+                     if (s->data_count == 0) {
+                         sdbus_read_data(&s->sdbus, s->fifo_buffer, block_size);
+@@ -796,6 +798,7 @@ static void sdhci_do_adma(SDHCIState *s)
+                     }
+                 }
+             } else {
++                s->prnsts |= SDHC_DOING_WRITE;
+                 while (length) {
+                     begin = s->data_count;
+                     if ((length + begin) < block_size) {
+-- 
+2.30.2
+
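Review bot: The two reproducers are given only as https://paste.debian.net/plain/1185136 and https://paste.debian.net/plain/1185141, which are paste-service links that will expire; the other patches in this series inline their qtest scripts in the description (patch 1/5 lists the outl/write sequence in full), and doing the same here would keep the regression check usable once the pastes are gone. The hunk sets SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE and SDHC_DOING_READ/SDHC_DOING_WRITE in sdhci_do_adma() but the visible context does not show where they are cleared, so a sentence pointing at the matching clear would help the reader confirm the status bits cannot stick after an aborted ADMA transfer.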
diff -Nru qemu-5.2+dfsg/debian/patches/sdhci/dont-transfer-any-data-when-command-time-out.patch qemu-5.2+dfsg/debian/patches/sdhci/dont-transfer-any-data-when-command-time-out.patch
--- qemu-5.2+dfsg/debian/patches/sdhci/dont-transfer-any-data-when-command-time-out.patch	1970-01-01 03:00:00.000000000 +0300
+++ qemu-5.2+dfsg/debian/patches/sdhci/dont-transfer-any-data-when-command-time-out.patch	2021-04-13 20:15:36.000000000 +0300
@@ -0,0 +1,86 @@
+From b263d8f928001b5cfa2a993ea43b7a5b3a1811e8 Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:35 +0800
+Subject: [PATCH 1/5] hw/sd: sdhci: Don't transfer any data when command time out
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+At the end of sdhci_send_command(), it starts a data transfer if the
+command register indicates data is associated. But the data transfer
+should only be initiated when the command execution has succeeded.
+
+With this fix, the following reproducer:
+
+outl 0xcf8 0x80001810
+outl 0xcfc 0xe1068000
+outl 0xcf8 0x80001804
+outw 0xcfc 0x7
+write 0xe106802c 0x1 0x0f
+write 0xe1068004 0xc 0x2801d10101fffffbff28a384
+write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f
+write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576
+write 0xe1068003 0x1 0xfe
+
+cannot be reproduced with the following QEMU command line:
+
+$ qemu-system-x86_64 -nographic -M pc-q35-5.0 \
+      -device sdhci-pci,sd-spec-version=3 \
+      -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+      -device sd-card,drive=mydrive \
+      -monitor none -serial none -qtest stdio
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Acked-by: Alistair Francis <alistair.francis@wdc.com>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-2-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+---
+ hw/sd/sdhci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 9acf4467a3..f72d76c178 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -326,6 +326,7 @@ static void sdhci_send_command(SDHCIState *s)
+     SDRequest request;
+     uint8_t response[16];
+     int rlen;
++    bool timeout = false;
+ 
+     s->errintsts = 0;
+     s->acmd12errsts = 0;
+@@ -349,6 +350,7 @@ static void sdhci_send_command(SDHCIState *s)
+             trace_sdhci_response16(s->rspreg[3], s->rspreg[2],
+                                    s->rspreg[1], s->rspreg[0]);
+         } else {
++            timeout = true;
+             trace_sdhci_error("timeout waiting for command response");
+             if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT) {
+                 s->errintsts |= SDHC_EIS_CMDTIMEOUT;
+@@ -369,7 +371,7 @@ static void sdhci_send_command(SDHCIState *s)
+ 
+     sdhci_update_irq(s);
+ 
+-    if (s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
++    if (!timeout && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
+         s->data_count = 0;
+         sdhci_data_transfer(s);
+     }
+-- 
+2.30.2
+
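Review bot: The description says the data transfer "should only be initiated when the command execution has succeeded", but the new guard "if (!timeout && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT))" only covers the response-timeout branch; the function also clears s->errintsts and s->acmd12errsts at entry, so it is worth stating in the description whether other error conditions recorded in s->errintsts are meant to suppress the transfer as well, or why timeout is the only case that matters here. A small style point: "timeout = true;" sits before the trace_sdhci_error() call, so the trace line no longer reflects the order of events; placing it after the trace keeps the log and the state change in sync.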
diff -Nru qemu-5.2+dfsg/debian/patches/sdhci/dont-write-to-SDHC_SYSAD-register-when-transfer-is-in-progress.patch qemu-5.2+dfsg/debian/patches/sdhci/dont-write-to-SDHC_SYSAD-register-when-transfer-is-in-progress.patch
--- qemu-5.2+dfsg/debian/patches/sdhci/dont-write-to-SDHC_SYSAD-register-when-transfer-is-in-progress.patch	1970-01-01 03:00:00.000000000 +0300
+++ qemu-5.2+dfsg/debian/patches/sdhci/dont-write-to-SDHC_SYSAD-register-when-transfer-is-in-progress.patch	2021-04-13 20:15:39.000000000 +0300
@@ -0,0 +1,103 @@
+From 8be45cc947832b3c02144c9d52921f499f2d77fe Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:36 +0800
+Subject: [PATCH 2/5] hw/sd: sdhci: Don't write to SDHC_SYSAD register when transfer is in progress
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Per "SD Host Controller Standard Specification Version 7.00"
+chapter 2.2.1 SDMA System Address Register:
+
+This register can be accessed only if no transaction is executing
+(i.e., after a transaction has stopped).
+
+With this fix, the following reproducer:
+
+outl 0xcf8 0x80001010
+outl 0xcfc 0xfbefff00
+outl 0xcf8 0x80001001
+outl 0xcfc 0x06000000
+write 0xfbefff2c 0x1 0x05
+write 0xfbefff0f 0x1 0x37
+write 0xfbefff0a 0x1 0x01
+write 0xfbefff0f 0x1 0x29
+write 0xfbefff0f 0x1 0x02
+write 0xfbefff0f 0x1 0x03
+write 0xfbefff04 0x1 0x01
+write 0xfbefff05 0x1 0x01
+write 0xfbefff07 0x1 0x02
+write 0xfbefff0c 0x1 0x33
+write 0xfbefff0e 0x1 0x20
+write 0xfbefff0f 0x1 0x00
+write 0xfbefff2a 0x1 0x01
+write 0xfbefff0c 0x1 0x00
+write 0xfbefff03 0x1 0x00
+write 0xfbefff05 0x1 0x00
+write 0xfbefff2a 0x1 0x02
+write 0xfbefff0c 0x1 0x32
+write 0xfbefff01 0x1 0x01
+write 0xfbefff02 0x1 0x01
+write 0xfbefff03 0x1 0x01
+
+cannot be reproduced with the following QEMU command line:
+
+$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
+       -nodefaults -device sdhci-pci,sd-spec-version=3 \
+       -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+       -device sd-card,drive=mydrive -qtest stdio
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-3-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+---
+ hw/sd/sdhci.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index f72d76c178..3feb6c3a1f 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -1121,15 +1121,17 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
+ 
+     switch (offset & ~0x3) {
+     case SDHC_SYSAD:
+-        s->sdmasysad = (s->sdmasysad & mask) | value;
+-        MASKED_WRITE(s->sdmasysad, mask, value);
+-        /* Writing to last byte of sdmasysad might trigger transfer */
+-        if (!(mask & 0xFF000000) && TRANSFERRING_DATA(s->prnsts) && s->blkcnt &&
+-                s->blksize && SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) {
+-            if (s->trnmod & SDHC_TRNS_MULTI) {
+-                sdhci_sdma_transfer_multi_blocks(s);
+-            } else {
+-                sdhci_sdma_transfer_single_block(s);
++        if (!TRANSFERRING_DATA(s->prnsts)) {
++            s->sdmasysad = (s->sdmasysad & mask) | value;
++            MASKED_WRITE(s->sdmasysad, mask, value);
++            /* Writing to last byte of sdmasysad might trigger transfer */
++            if (!(mask & 0xFF000000) && s->blkcnt && s->blksize &&
++                SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) {
++                if (s->trnmod & SDHC_TRNS_MULTI) {
++                    sdhci_sdma_transfer_multi_blocks(s);
++                } else {
++                    sdhci_sdma_transfer_single_block(s);
++                }
+             }
+         }
+         break;
+-- 
+2.30.2
+
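Review bot: Inside the new "if (!TRANSFERRING_DATA(s->prnsts))" block the hunk keeps both "s->sdmasysad = (s->sdmasysad & mask) | value;" and "MASKED_WRITE(s->sdmasysad, mask, value);", which perform the same masked update twice; since this line is being re-indented anyway, dropping the open-coded assignment would avoid carrying the redundancy into the stable tree. The write during an active transfer is now silently ignored; the SDHC_BLKSIZE path in patch 4/5 uses qemu_log_mask(LOG_GUEST_ERROR, ...) for a guest that programs an out-of-range value, and a similar log line here would make a guest (or fuzzer) that hits this spec violation visible to the host operator rather than invisible.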
diff -Nru qemu-5.2+dfsg/debian/patches/sdhci/limit-block-size-only-when-SDHC_BLKSIZE-register-is-writable.patch qemu-5.2+dfsg/debian/patches/sdhci/limit-block-size-only-when-SDHC_BLKSIZE-register-is-writable.patch
--- qemu-5.2+dfsg/debian/patches/sdhci/limit-block-size-only-when-SDHC_BLKSIZE-register-is-writable.patch	1970-01-01 03:00:00.000000000 +0300
+++ qemu-5.2+dfsg/debian/patches/sdhci/limit-block-size-only-when-SDHC_BLKSIZE-register-is-writable.patch	2021-04-13 20:15:42.000000000 +0300
@@ -0,0 +1,50 @@
+From 5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:38 +0800
+Subject: [PATCH 4/5] hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE register is writable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The codes to limit the maximum block size is only necessary when
+SDHC_BLKSIZE register is writable.
+
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-5-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+---
+ hw/sd/sdhci.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 7a2003b28b..d0c8e293c0 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -1142,15 +1142,15 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
+         if (!TRANSFERRING_DATA(s->prnsts)) {
+             MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
+             MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
+-        }
+ 
+-        /* Limit block size to the maximum buffer size */
+-        if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
+-            qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than "
+-                          "the maximum buffer 0x%x\n", __func__, s->blksize,
+-                          s->buf_maxsz);
++            /* Limit block size to the maximum buffer size */
++            if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
++                qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than "
++                              "the maximum buffer 0x%x\n", __func__, s->blksize,
++                              s->buf_maxsz);
+ 
+-            s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
++                s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
++            }
+         }
+ 
+         break;
+-- 
+2.30.2
+
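Review bot: The hunk only moves the buffer-size clamp inside the "if (!TRANSFERRING_DATA(s->prnsts))" block, so the observable change is that a write dropped during a transfer no longer re-clamps s->blksize; the description should say that this is a no-op because the register was already clamped when it was last written, so that the patch is clearly a restructuring and not a behaviour change. It is also the only patch in the series without Fixes:/Buglink tags while the changelog files it under the three CVEs; a note that patch 5/5 applies on top of this re-indented context (its hunk at @@ -1151,6 +1153,16 @@ expects the clamp at the deeper indentation) would explain why it is being taken into stable.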
diff -Nru qemu-5.2+dfsg/debian/patches/sdhci/reset-the-data-pointer-of-s-fifo_buffer-when-a-different-block-size-is-programmed.patch qemu-5.2+dfsg/debian/patches/sdhci/reset-the-data-pointer-of-s-fifo_buffer-when-a-different-block-size-is-programmed.patch
--- qemu-5.2+dfsg/debian/patches/sdhci/reset-the-data-pointer-of-s-fifo_buffer-when-a-different-block-size-is-programmed.patch	1970-01-01 03:00:00.000000000 +0300
+++ qemu-5.2+dfsg/debian/patches/sdhci/reset-the-data-pointer-of-s-fifo_buffer-when-a-different-block-size-is-programmed.patch	2021-04-13 20:15:47.000000000 +0300
@@ -0,0 +1,93 @@
+From cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9 Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:39 +0800
+Subject: [PATCH 5/5] hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[] when a different block size is programmed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If the block size is programmed to a different value from the
+previous one, reset the data pointer of s->fifo_buffer[] so that
+s->fifo_buffer[] can be filled in using the new block size in
+the next transfer.
+
+With this fix, the following reproducer:
+
+outl 0xcf8 0x80001010
+outl 0xcfc 0xe0000000
+outl 0xcf8 0x80001001
+outl 0xcfc 0x06000000
+write 0xe000002c 0x1 0x05
+write 0xe0000005 0x1 0x02
+write 0xe0000007 0x1 0x01
+write 0xe0000028 0x1 0x10
+write 0x0 0x1 0x23
+write 0x2 0x1 0x08
+write 0xe000000c 0x1 0x01
+write 0xe000000e 0x1 0x20
+write 0xe000000f 0x1 0x00
+write 0xe000000c 0x1 0x32
+write 0xe0000004 0x2 0x0200
+write 0xe0000028 0x1 0x00
+write 0xe0000003 0x1 0x40
+
+cannot be reproduced with the following QEMU command line:
+
+$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
+      -nodefaults -device sdhci-pci,sd-spec-version=3 \
+      -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+      -device sd-card,drive=mydrive -qtest stdio
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-6-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+---
+ hw/sd/sdhci.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index d0c8e293c0..5b8678110b 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -1140,6 +1140,8 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
+         break;
+     case SDHC_BLKSIZE:
+         if (!TRANSFERRING_DATA(s->prnsts)) {
++            uint16_t blksize = s->blksize;
++
+             MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
+             MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
+ 
+@@ -1151,6 +1153,16 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
+ 
+                 s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
+             }
++
++            /*
++             * If the block size is programmed to a different value from
++             * the previous one, reset the data pointer of s->fifo_buffer[]
++             * so that s->fifo_buffer[] can be filled in using the new block
++             * size in the next transfer.
++             */
++            if (blksize != s->blksize) {
++                s->data_count = 0;
++            }
+         }
+ 
+         break;
+-- 
+2.30.2
+
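Review bot: The reset in "if (blksize != s->blksize) { s->data_count = 0; }" only fires when the programmed size actually changes, so a guest that rewrites the same block size after an interrupted transfer keeps a stale s->data_count; if that is intended (the transfer is expected to resume), the comment block should say so, since the comment currently reads as if any write to SDHC_BLKSIZE should start from a fresh buffer. The description ships a complete qtest reproducer (the outl/write sequence against 0xe0000000), and given the unblock request notes that the package has no automatic testsuite, wiring that sequence into a qtest as a regression check would let the stable branch prove the CVE-2021-3409 fix stays fixed.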
diff -Nru qemu-5.2+dfsg/debian/patches/series qemu-5.2+dfsg/debian/patches/series
--- qemu-5.2+dfsg/debian/patches/series	2021-03-17 19:49:55.000000000 +0300
+++ qemu-5.2+dfsg/debian/patches/series	2021-04-16 12:43:36.000000000 +0300
@@ -32,3 +32,10 @@
 net-qemu_receive_packet-for-loopback-sungem.patch
 net-qemu_receive_packet-for-loopback-tx_pkt-iov.patch
 net-e1000-fail-early-for-evil-descriptor-CVE-2021-20257.patch
+# sd/sdhci fixes: CVE-2020-17380 CVE-2020-25085 CVE-2021-3409
+sdhci/dont-transfer-any-data-when-command-time-out.patch
+sdhci/dont-write-to-SDHC_SYSAD-register-when-transfer-is-in-progress.patch
+sdhci/correctly-set-the-controller-status-for-ADMA.patch
+sdhci/limit-block-size-only-when-SDHC_BLKSIZE-register-is-writable.patch
+sdhci/reset-the-data-pointer-of-s-fifo_buffer-when-a-different-block-size-is-programmed.patch
+mptsas-remove-unused-MPTSASState.pending-CVE-2021-3392.patch
