From 52b5f8ba30600b6d5286b992ffd042709ac9b085 Mon Sep 17 00:00:00 2001
From: Chen Qun
Date: Tue, 1 Jun 2021 20:38:59 +0800
Subject: [PATCH 1/3] bugfix: fix Uninitialized Free Vulnerability
Signed-off-by: nocjj <1250062498@qq.com>
Signed-off-by: imxcc
---
 ...fix-Uninitialized-Free-Vulnerability.patch | 72 +++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 bugfix-fix-Uninitialized-Free-Vulnerability.patch
diff --git a/bugfix-fix-Uninitialized-Free-Vulnerability.patch b/bugfix-fix-Uninitialized-Free-Vulnerability.patch
new file mode 100644
index 00000000..d51c9718
--- /dev/null
+++ b/bugfix-fix-Uninitialized-Free-Vulnerability.patch
@@ -0,0 +1,72 @@
+From 58fe713b575a7b24b4e4694154a16808ff4a9009 Mon Sep 17 00:00:00 2001
+From: imxcc
+Date: Tue, 1 Jun 2021 20:38:59 +0800
+Subject: [PATCH] bugfix: fix Uninitialized Free Vulnerability
+
+Signed-off-by: nocjj <1250062498@qq.com>
+Signed-off-by: imxcc
+---
+ hw/block/nvme.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/hw/block/nvme.c b/hw/block/nvme.c
+index 36d6a8bb3a..387e8b5c8f 100644
+--- a/hw/block/nvme.c
++++ b/hw/block/nvme.c
+@@ -216,15 +216,26 @@ static uint16_t nvme_map_prp(QEMUSGList *qsg, QEMUIOVector *iov, uint64_t prp1,
+ return NVME_SUCCESS;
+
+ unmap:
+- qemu_sglist_destroy(qsg);
++ if (iov && iov->iov) {
++ qemu_iovec_destroy(iov);
++ }
++
++ if (qsg && qsg->sg) {
++ qemu_sglist_destroy(qsg);
++ }
++
+ return NVME_INVALID_FIELD | NVME_DNR;
+ }
+
+ static uint16_t nvme_dma_write_prp(NvmeCtrl *n, uint8_t *ptr, uint32_t len,
+ uint64_t prp1, uint64_t prp2)
+ {
+- QEMUSGList qsg;
+- QEMUIOVector iov;
++ QEMUSGList qsg = {
++ .sg = NULL,
++ };
++ QEMUIOVector iov = {
++ .iov = NULL,
++ };
+ uint16_t status = NVME_SUCCESS;
+
+ if (nvme_map_prp(&qsg, &iov, prp1, prp2, len, n)) {
+@@ -247,8 +258,12 @@ static uint16_t nvme_dma_write_prp(NvmeCtrl *n, uint8_t *ptr, uint32_t len,
+ static uint16_t nvme_dma_read_prp(NvmeCtrl *n, uint8_t *ptr, uint32_t len,
+ uint64_t prp1, uint64_t prp2)
+ {
+- QEMUSGList qsg;
+- QEMUIOVector iov;
++ QEMUSGList qsg = {
++ .sg = NULL,
++ };
++ QEMUIOVector iov = {
++ .iov = NULL,
++ };
+ uint16_t status = NVME_SUCCESS;
+
+ trace_nvme_dma_read(prp1, prp2);
+@@ -500,7 +515,7 @@ static void nvme_init_sq(NvmeSQueue *sq, NvmeCtrl *n, uint64_t dma_addr,
+ sq->size = size;
+ sq->cqid = cqid;
+ sq->head = sq->tail = 0;
+- sq->io_req = g_new(NvmeRequest, sq->size);
++ sq->io_req = g_new0(NvmeRequest, sq->size);
+
+ QTAILQ_INIT(&sq->req_list);
+ QTAILQ_INIT(&sq->out_req_list);
+--
+2.27.0
+
-- 
Gitee
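Review bot: The new `unmap:` path decides what to free by reading `iov->iov` and `qsg->sg`, which is only well-defined because the two callers changed in this hunk zero those fields and `nvme_init_sq` moves to `g_new0`; any caller of `nvme_map_prp` that still passes an uninitialized stack `QEMUSGList`/`QEMUIOVector` would reach `qemu_sglist_destroy` on indeterminate memory exactly as before. The body of `nvme_map_prp` starts before this hunk and the bodies of `nvme_dma_write_prp`/`nvme_dma_read_prp` run past it, so I cannot confirm from the hunk that every caller is covered, nor that the `NvmeRequest` fields zeroed once by `g_new0` are reset after each completed request (presumably the destroy helpers do that — worth confirming). A self-contained fix would have `nvme_map_prp` track which structure it initialized itself and branch on that in `unmap:`, so the error path does not depend on caller discipline; the `iov &&` / `qsg &&` checks on the pointer parameters then become unnecessary. Sketch below; the two flag assignments belong immediately after the `qemu_iovec_init` / `pci_dma_sglist_init` calls, which this hunk does not show.
```c
static uint16_t nvme_map_prp(QEMUSGList *qsg, QEMUIOVector *iov, uint64_t prp1,
                             uint64_t prp2, uint32_t len, NvmeCtrl *n)
{
    bool iov_inited = false;   /* set right after qemu_iovec_init(iov, ...) */
    bool qsg_inited = false;   /* set right after pci_dma_sglist_init(qsg, ...) */
    /* … unchanged: PRP1/PRP2 mapping, with the two flags set at the init calls … */
    return NVME_SUCCESS;

unmap:
    /* Free only what this function itself set up; never trust caller state. */
    if (iov_inited) {
        qemu_iovec_destroy(iov);
    }
    if (qsg_inited) {
        qemu_sglist_destroy(qsg);
    }
    return NVME_INVALID_FIELD | NVME_DNR;
}
```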
From 8b44fa686d0d6879144caed5dde5b176555f6ced Mon Sep 17 00:00:00 2001
From: Chen Qun
Date: Wed, 2 Jun 2021 11:29:35 +0800
Subject: [PATCH 2/3] spec: Update patch and changelog with !132 fix Uninitialized Free Vulnerability !132 bugfix: fix Uninitialized Free Vulnerability
Signed-off-by: Chen Qun
---
 qemu.spec | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/qemu.spec b/qemu.spec
index 8283952e..bff56453 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -309,6 +309,7 @@ Patch0296: nvram-add-nrf51_soc-flash-read-method.patch
 Patch0297: spapr_pci-add-spapr-msi-read-method.patch
 Patch0298: tz-ppc-add-dummy-read-write-methods.patch
 Patch0299: imx7-ccm-add-digprog-mmio-write-method.patch
+Patch0300: bugfix-fix-Uninitialized-Free-Vulnerability.patch
 BuildRequires: flex
 BuildRequires: bison
@@ -697,6 +698,9 @@ getent passwd qemu >/dev/null || \
 %endif
 %changelog
+* Wed Jun 02 2021 Chen Qun
+- bugfix: fix Uninitialized Free Vulnerability
+
 * Tue Jun 01 2021 Chen Qun
 - hw/pci-host: add pci-intack write method
 - pci-host: add pcie-msi read method
-- 
Gitee
From 1333200f6c367c3e4b815f18d446686baf2bfdab Mon Sep 17 00:00:00 2001
From: Chen Qun
Date: Wed, 2 Jun 2021 11:29:47 +0800
Subject: [PATCH 3/3] spec: Update release version with !132 increase release verison by one
Signed-off-by: Chen Qun
---
 qemu.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/qemu.spec b/qemu.spec
index bff56453..dc3ef55a 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 47
+Release: 48
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
-- 
Gitee