Add patch for qemu CVE-2020-17380 (#618)

* Add upstream patch for qemu CVE-2020-17390

SPECS/qemu-kvm/CVE-2020-17380.patch

@@ -0,0 +1,64 @@
+
+From:	P J P
+Subject:	[PATCH v1] sd: sdhci: assert data_count is within fifo_buffer
+Date:	Thu, 3 Sep 2020 12:38:42 +0530
+From: Prasad J Pandit <pjp@fedoraproject.org>
+
+While doing multi block SDMA, transfer block size may exceed
+the 's->fifo_buffer[s->buf_maxsz]' size. It may leave the
+current element pointer 's->data_count' pointing out of bounds.
+Leading the subsequent DMA r/w operation to OOB access issue.
+Assert that 's->data_count' is within fifo_buffer.
+
+ -> https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fsdhci_oob_write1
+ ==1459837==ERROR: AddressSanitizer: heap-buffer-overflow
+ WRITE of size 54722048 at 0x61500001e280 thread T3
+ #0  __interceptor_memcpy (/lib64/libasan.so.6+0x3a71d)
+ #1  flatview_read_continue ../exec.c:3245
+ #2  flatview_read ../exec.c:3278
+ #3  address_space_read_full ../exec.c:3291
+ #4  address_space_rw ../exec.c:3319
+ #5  dma_memory_rw_relaxed ../include/sysemu/dma.h:87
+ #6  dma_memory_rw ../include/sysemu/dma.h:110
+ #7  dma_memory_read ../include/sysemu/dma.h:116
+ #8  sdhci_sdma_transfer_multi_blocks ../hw/sd/sdhci.c:629
+ #9  sdhci_write ../hw/sd/sdhci.c:1097
+ #10 memory_region_write_accessor ../softmmu/memory.c:483
+ ...
+
+Reported-by: Ruhr-University <bugs-syssec@rub.de>
+Suggested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+---
+ hw/sd/sdhci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+Update v1: use assert(3) calls
+  -> https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg00966.html
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 1785d7e1f7..023acbed41 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -604,6 +604,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
+                     s->blkcnt--;
+                 }
+             }
++            assert(s->data_count <= s->buf_maxsz && s->data_count > begin);
+             dma_memory_write(s->dma_as, s->sdmasysad,
+                              &s->fifo_buffer[begin], s->data_count - begin);
+             s->sdmasysad += s->data_count - begin;
+@@ -626,6 +627,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
+                 s->data_count = block_size;
+                 boundary_count -= block_size - begin;
+             }
++            assert(s->data_count <= s->buf_maxsz && s->data_count > begin);
+             dma_memory_read(s->dma_as, s->sdmasysad,
+                             &s->fifo_buffer[begin], s->data_count - begin);
+             s->sdmasysad += s->data_count - begin;
+-- 
+2.26.2
+
+
+
+

SPECS/qemu-kvm/qemu-kvm.spec

@@ -1,7 +1,7 @@
 Summary:        QEMU is a machine emulator and virtualizer
 Name:           qemu-kvm
 Version:        4.2.0
-Release:        24%{?dist}
+Release:        25%{?dist}
 License:        GPLv2 AND GPLv2+ AND CC-BY AND BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -44,6 +44,7 @@ Patch25:        CVE-2020-12829.nopatch
 Patch26:        CVE-2018-12617.patch
 Patch27:        CVE-2020-25723.patch
 Patch28:        CVE-2020-27821.patch
+Patch29:        CVE-2020-17380.patch
 BuildRequires:  alsa-lib-devel
 BuildRequires:  glib-devel
 BuildRequires:  pixman-devel
@@ -97,6 +98,7 @@ This package provides a command line tool for manipulating disk images.
 %patch26 -p1
 %patch27 -p1
 %patch28 -p1
+%patch29 -p1
 
 %build
 
@@ -157,6 +159,9 @@ chmod 755 %{buildroot}%{_bindir}/qemu
 %{_bindir}/qemu-nbd
 
 %changelog
+* Mon Feb 08 2021 Rachel Menge <rachelmenge@microsoft.com> - 4.2.0-25
+- Update CVE-2020-17380
+
 * Wed Jan 13 2021 Henry Li <niontive@microsoft.com> - 4.2.0-24
 - Update CVE-2020-15469