Commit 0d253da7 authored by Armin Kuster's avatar Armin Kuster Committed by Richard Purdie
Browse files

qemu: Security fix CVE-2021-3544

Source: qemu.org
MR: 111833
Type: Security Fix
Disposition: Backport from qemu-project/qemu@86dd8fac..63736af5
ChangeID: 7f301e939cf9d1fdb826ac47d1fc96430086a68e
Description:

qemu-project/qemu@86dd8fac
qemu-project/qemu@b9f79858
qemu-project/qemu@b7afebcf
Tweeked the above patches as vhost-user-gpu.c does not exist.

qemu-project/qemu@f6091d86
qemu-project/qemu@63736af5



(From OE-Core rev: eca0abf120709fab20da1a2c190d04191733f5ed)
Signed-off-by: default avatarArmin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman's avatarSteve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie's avatarRichard Purdie <richard.purdie@linuxfoundation.org>
parent 4ed99725
......@@ -72,6 +72,11 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3416_9.patch \
file://CVE-2021-3416_10.patch \
file://CVE-2021-20257.patch \
file://CVE-2021-3544.patch \
file://CVE-2021-3544_2.patch \
file://CVE-2021-3544_3.patch \
file://CVE-2021-3544_4.patch \
file://CVE-2021-3544_5.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
......
vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544)
Call 'vugbm_buffer_destroy' in error path to avoid resource leak.
Fixes: CVE-2021-3544
Reported-by: default avatarLi Qiang <liq3ea@163.com>
Reviewed-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: default avatarLi Qiang <liq3ea@163.com>
Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20210516030403.107723-3-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
Upstream-Status: Backport
[vhost-user-gpu does not exist in 4.2.0]
CVE: CVE-2021-3544
Signed-off-by: Armin Kuster <akuster@mvista.com>
Index: qemu-4.2.0/contrib/vhost-user-gpu/main.c
===================================================================
--- qemu-4.2.0.orig/contrib/vhost-user-gpu/main.c
+++ qemu-4.2.0/contrib/vhost-user-gpu/main.c
@@ -328,6 +328,7 @@ vg_resource_create_2d(VuGpu *g,
g_critical("%s: resource creation failed %d %d %d",
__func__, c2d.resource_id, c2d.width, c2d.height);
g_free(res);
+ vugbm_buffer_destroy(&res->buffer);
cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY;
return;
}
vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544)
Check whether the 'res' has already been attach_backing to avoid
memory leak.
Fixes: CVE-2021-3544
Reported-by: default avatarLi Qiang <liq3ea@163.com>
virtio-gpu fix: 204f01b3
("virtio-gpu: fix memory leak
in resource attach backing")
Signed-off-by: default avatarLi Qiang <liq3ea@163.com>
Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20210516030403.107723-4-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
Upstream-Status: Backport
[vhost-user-gpu does not exist in 4.2.0 context]
CVE: CVE-2021-3544
Signed-off-by: Armin Kuster <akuster@mvista.com>
Index: qemu-4.2.0/contrib/vhost-user-gpu/main.c
===================================================================
--- qemu-4.2.0.orig/contrib/vhost-user-gpu/main.c
+++ qemu-4.2.0/contrib/vhost-user-gpu/main.c
@@ -468,6 +468,11 @@ vg_resource_attach_backing(VuGpu *g,
return;
}
+ if (res->iov) {
+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
+ return;
+ }
+
ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov);
if (ret != 0) {
cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544)
If the guest trigger following sequences, the attach_backing will be leaked:
vg_resource_create_2d
vg_resource_attach_backing
vg_resource_unref
This patch fix this by freeing 'res->iov' in vg_resource_destroy.
Fixes: CVE-2021-3544
Reported-by: default avatarLi Qiang <liq3ea@163.com>
virtio-gpu fix: 5e8e3c4c
("virtio-gpu: fix resource leak
in virgl_cmd_resource_unref")
Reviewed-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: default avatarLi Qiang <liq3ea@163.com>
Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20210516030403.107723-5-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
Upstream-Status: Backport
CVE: CVE-2021-3544
[vhost-user-gpu does not exist in the 4.2.0]
Signed-off-by: Armin Kuster <akuster@mvista.com>
Index: qemu-4.2.0/contrib/vhost-user-gpu/main.c
===================================================================
--- qemu-4.2.0.orig/contrib/vhost-user-gpu/main.c
+++ qemu-4.2.0/contrib/vhost-user-gpu/main.c
@@ -379,6 +379,7 @@ vg_resource_destroy(VuGpu *g,
}
vugbm_buffer_destroy(&res->buffer);
+ g_free(res->iov);
pixman_image_unref(res->image);
QTAILQ_REMOVE(&g->reslist, res, next);
g_free(res);
vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' (CVE-2021-3544)
The 'res->iov' will be leaked if the guest trigger following sequences:
virgl_cmd_create_resource_2d
virgl_resource_attach_backing
virgl_cmd_resource_unref
This patch fixes this.
Fixes: CVE-2021-3544
Reported-by: default avatarLi Qiang <liq3ea@163.com>
virtio-gpu fix: 5e8e3c4c
("virtio-gpu: fix resource leak
in virgl_cmd_resource_unref"
Signed-off-by: default avatarLi Qiang <liq3ea@163.com>
Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20210516030403.107723-6-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
Upstream-Status: Backport
CVE: CVE-2021-3544
Signed-off-by: Armin Kuster <akuster@mvista.com>
Index: qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
===================================================================
--- qemu-4.2.0.orig/contrib/vhost-user-gpu/virgl.c
+++ qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
@@ -105,9 +105,16 @@ virgl_cmd_resource_unref(VuGpu *g,
struct virtio_gpu_ctrl_command *cmd)
{
struct virtio_gpu_resource_unref unref;
+ struct iovec *res_iovs = NULL;
+ int num_iovs = 0;
VUGPU_FILL_CMD(unref);
+ virgl_renderer_resource_detach_iov(unref.resource_id,
+ &res_iovs,
+ &num_iovs);
+ g_free(res_iovs);
+
virgl_renderer_resource_unref(unref.resource_id);
}
From 63736af5a6571d9def93769431e0d7e38c6677bf Mon Sep 17 00:00:00 2001
From: Li Qiang <liq3ea@163.com>
Date: Sat, 15 May 2021 20:04:01 -0700
Subject: [PATCH] vhost-user-gpu: fix memory leak in
'virgl_resource_attach_backing' (CVE-2021-3544)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will
be leaked.
Fixes: CVE-2021-3544
Reported-by: Li Qiang <liq3ea@163.com>
virtio-gpu fix: 33243031da ("virtio-gpu-3d: fix memory leak
in resource attach backing")
Signed-off-by: Li Qiang <liq3ea@163.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20210516030403.107723-7-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Upstream-Status: Backport
CVE: CVE-2021-3544
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
contrib/vhost-user-gpu/virgl.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
Index: qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
===================================================================
--- qemu-4.2.0.orig/contrib/vhost-user-gpu/virgl.c
+++ qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
@@ -283,8 +283,11 @@ virgl_resource_attach_backing(VuGpu *g,
return;
}
- virgl_renderer_resource_attach_iov(att_rb.resource_id,
+ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
res_iovs, att_rb.nr_entries);
+ if (ret != 0) {
+ g_free(res_iovs);
+ }
}
static void
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment