diff mbox series

[scarthgap] qemu 8.2.7: Fix CVE-2024-8354

Message ID 20250214135554.1137043-1-madmarri@cisco.com
State Changes Requested
Delegated to: Steve Sakoman
Headers show
Series [scarthgap] qemu 8.2.7: Fix CVE-2024-8354 | expand

Commit Message

Madhu Marri -X (madmarri - E INFOCHIPS PRIVATE LIMITED at Cisco) Feb. 14, 2025, 1:55 p.m. UTC 
Upstream Repository: https://gitlab.com/qemu-project/qemu.git

Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2024-8354
Type: Security Fix
CVE: CVE-2024-8354
Score: 5.5

Signed-off-by: Madhu Marri <madmarri@cisco.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |  1 +
 .../qemu/qemu/CVE-2024-8354.patch             | 42 +++++++++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-8354.patch

Comments

Madhu Marri -X (madmarri - E INFOCHIPS PRIVATE LIMITED at Cisco) July 18, 2025, 4:32 a.m. UTC | #1 
Hi Team,

Could you please help in review this patch.

Best Regards
Madhu
Gyorgy Sarvari July 18, 2025, 6:26 a.m. UTC | #2 
On 7/18/25 06:32, Madhu Marri via lists.openembedded.org wrote:
> Hi Team,
>
> Could you please help in review this patch. 

I suspect back then this was rejected accidentally, but looking at it,
this CVE-fix seems to be missing from the master branch also (where it
should go first before Scarthgap).
Do you know why it wasn't accepted by upstream qemu?

>
> Best Regards
> Madhu 
> ------------------------------------------------------------------------
> *From:* Madhu Marri <madmarri@cisco.com>
> *Sent:* Friday, February 14, 2025 7:25 PM
> *To:* openembedded-core@lists.openembedded.org
> <openembedded-core@lists.openembedded.org>
> *Cc:* xe-linux-external(mailer list) <xe-linux-external@cisco.com>;
> Madhu Marri -X (madmarri - E INFOCHIPS PRIVATE LIMITED at Cisco)
> <madmarri@cisco.com>
> *Subject:* [OE-core] [scarthgap] [PATCH] qemu 8.2.7: Fix CVE-2024-8354
>  
> Upstream Repository: https://gitlab.com/qemu-project/qemu.git
>
> Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2024-8354
> Type: Security Fix
> CVE: CVE-2024-8354
> Score: 5.5
>
> Signed-off-by: Madhu Marri <madmarri@cisco.com>
> ---
>  meta/recipes-devtools/qemu/qemu.inc           |  1 +
>  .../qemu/qemu/CVE-2024-8354.patch             | 42 +++++++++++++++++++
>  2 files changed, 43 insertions(+)
>  create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-8354.patch
>
> diff --git a/meta/recipes-devtools/qemu/qemu.inc
> b/meta/recipes-devtools/qemu/qemu.inc
> index 4dc6c104c7..b967b45b6b 100644
> --- a/meta/recipes-devtools/qemu/qemu.inc
> +++ b/meta/recipes-devtools/qemu/qemu.inc
> @@ -40,6 +40,7 @@ SRC_URI =
> "https://download.qemu.org/${BPN}-${PV}.tar.xz \
>            
> file://0005-tests-tcg-Check-that-shmat-does-not-break-proc-self-.patch
> <file://0005-tests-tcg-Check-that-shmat-does-not-break-proc-self-.patch> \
>             file://qemu-guest-agent.init <file://qemu-guest-agent.init> \
>             file://qemu-guest-agent.udev <file://qemu-guest-agent.udev> \
> +          file://CVE-2024-8354.patch <file://CVE-2024-8354.patch> \
>             "
>  UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
>  
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2024-8354.patch
> b/meta/recipes-devtools/qemu/qemu/CVE-2024-8354.patch
> new file mode 100644
> index 0000000000..6595803341
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2024-8354.patch
> @@ -0,0 +1,42 @@
> +From f84399128601942228f3decfa4304d86c3fc1a10 Mon Sep 17 00:00:00 2001
> +From: Madhu Marri <madmarri@cisco.com>
> +Date: Thu, 13 Feb 2025 12:19:44 +0000
> +Subject: [PATCH] usb: Check USB_TOKEN_SETUP in usb_ep_get(CVE-2024-8354)
> +
> +USB_TOKEN_SETUP packet not being handled in usb_ep_get function.
> +This causes the program to hit the assertion that checks for only
> +USB_TOKEN_IN or USB_TOKEN_OUT, leading to the failure and core
> +dump when the USB_TOKEN_SETUP packet is processed.
> +
> +Added a check for USB_TOKEN_SETUP to avoid triggering an assertion
> +failure and crash.
> +
> +CVE: CVE-2024-8354
> +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2548
> +
> +Upstream-Status: Submitted [qemu-devel@nongnu.org]
> +Signed-off-by: Madhu Marri <madmarri@cisco.com>
> +---
> + hw/usb/core.c | 6 ++++++
> + 1 file changed, 6 insertions(+)
> +
> +diff --git a/hw/usb/core.c b/hw/usb/core.c
> +index 975f76250a..df2aec5aca 100644
> +--- a/hw/usb/core.c
> ++++ b/hw/usb/core.c
> +@@ -741,6 +741,12 @@ struct USBEndpoint *usb_ep_get(USBDevice *dev,
> int pid, int ep)
> +     if (ep == 0) {
> +         return &dev->ep_ctl;
> +     }
> ++
> ++    if (pid == USB_TOKEN_SETUP) {
> ++        /* Do not handle setup packets here */
> ++        return &dev->ep_ctl;
> ++    }
> ++
> +     assert(pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT);
> +     assert(ep > 0 && ep <= USB_MAX_ENDPOINTS);
> +     eps = (pid == USB_TOKEN_IN) ? dev->ep_in : dev->ep_out;
> +--
> +2.44.1
> +
> -- 
> 2.44.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#220570): https://lists.openembedded.org/g/openembedded-core/message/220570
> Mute This Topic: https://lists.openembedded.org/mt/111180230/6084445
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [skandigraun@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
diff mbox series

Patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 4dc6c104c7..b967b45b6b 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -40,6 +40,7 @@  SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://0005-tests-tcg-Check-that-shmat-does-not-break-proc-self-.patch \
            file://qemu-guest-agent.init \
            file://qemu-guest-agent.udev \
+	   file://CVE-2024-8354.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2024-8354.patch b/meta/recipes-devtools/qemu/qemu/CVE-2024-8354.patch
new file mode 100644
index 0000000000..6595803341
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2024-8354.patch
@@ -0,0 +1,42 @@ 
+From f84399128601942228f3decfa4304d86c3fc1a10 Mon Sep 17 00:00:00 2001
+From: Madhu Marri <madmarri@cisco.com>
+Date: Thu, 13 Feb 2025 12:19:44 +0000
+Subject: [PATCH] usb: Check USB_TOKEN_SETUP in usb_ep_get(CVE-2024-8354)
+
+USB_TOKEN_SETUP packet not being handled in usb_ep_get function.
+This causes the program to hit the assertion that checks for only
+USB_TOKEN_IN or USB_TOKEN_OUT, leading to the failure and core
+dump when the USB_TOKEN_SETUP packet is processed.
+
+Added a check for USB_TOKEN_SETUP to avoid triggering an assertion
+failure and crash.
+
+CVE: CVE-2024-8354
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2548
+
+Upstream-Status: Submitted [qemu-devel@nongnu.org]
+Signed-off-by: Madhu Marri <madmarri@cisco.com>
+---
+ hw/usb/core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/usb/core.c b/hw/usb/core.c
+index 975f76250a..df2aec5aca 100644
+--- a/hw/usb/core.c
++++ b/hw/usb/core.c
+@@ -741,6 +741,12 @@ struct USBEndpoint *usb_ep_get(USBDevice *dev, int pid, int ep)
+     if (ep == 0) {
+         return &dev->ep_ctl;
+     }
++
++    if (pid == USB_TOKEN_SETUP) {
++        /* Do not handle setup packets here */
++        return &dev->ep_ctl;
++    }
++
+     assert(pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT);
+     assert(ep > 0 && ep <= USB_MAX_ENDPOINTS);
+     eps = (pid == USB_TOKEN_IN) ? dev->ep_in : dev->ep_out;
+-- 
+2.44.1
+