From 9bf4924b7c79404e81e0091834d915d643268712 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Tue, 15 Jun 2021 09:53:22 +0800 Subject: [PATCH 1/9] vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix CVE-2021-3544 Call 'vugbm_buffer_destroy' in error path to avoid resource leak. Fixes: CVE-2021-3544 Reported-by: default avatarLi Qiang Reviewed-by: default avatarPrasad J Pandit Signed-off-by: default avatarLi Qiang Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau Message-Id: <20210516030403.107723-3-liq3ea@163.com> Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann Signed-off-by: Jiajie Li --- ...ix-resource-leak-in-vg_resource_crea.patch | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch diff --git a/vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch b/vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch new file mode 100644 index 0000000..4c4ce4f --- /dev/null +++ b/vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch @@ -0,0 +1,41 @@ +From 734b265de887fecba99d98c79adb0af6c96c7922 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Tue, 15 Jun 2021 09:53:22 +0800 +Subject: [PATCH] vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' + (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix CVE-2021-3544 + +Call 'vugbm_buffer_destroy' in error path to avoid resource leak. + +Fixes: CVE-2021-3544 +Reported-by: default avatarLi Qiang +Reviewed-by: default avatarPrasad J Pandit +Signed-off-by: default avatarLi Qiang +Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau +Message-Id: <20210516030403.107723-3-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann + +Signed-off-by: Jiajie Li +--- + contrib/vhost-user-gpu/main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/contrib/vhost-user-gpu/main.c b/contrib/vhost-user-gpu/main.c +index b45d2019b4..f69af7d17f 100644 +--- a/contrib/vhost-user-gpu/main.c ++++ b/contrib/vhost-user-gpu/main.c +@@ -328,6 +328,7 @@ vg_resource_create_2d(VuGpu *g, + g_critical("%s: resource creation failed %d %d %d", + __func__, c2d.resource_id, c2d.width, c2d.height); + g_free(res); ++ vugbm_buffer_destroy(&res->buffer); + cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY; + return; + } +-- +2.27.0 + -- Gitee From 1491e58d6185d3e3d7d8dfbf35f75d33c1715c1e Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Tue, 15 Jun 2021 09:56:42 +0800 Subject: [PATCH 2/9] vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix CVE-2021-3544 Check whether the 'res' has already been attach_backing to avoid memory leak. Fixes: CVE-2021-3544 Reported-by: default avatarLi Qiang virtio-gpu fix: 204f01b3 ("virtio-gpu: fix memory leak in resource attach backing") Signed-off-by: default avatarLi Qiang Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau Message-Id: <20210516030403.107723-4-liq3ea@163.com> Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann Signed-off-by: Jiajie Li --- ...ix-memory-leak-in-vg_resource_attach.patch | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch diff --git a/vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch b/vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch new file mode 100644 index 0000000..cc11423 --- /dev/null +++ b/vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch @@ -0,0 +1,49 @@ +From b3bfd8695429ee8ca1a23fc3c641afd7e85ed96f Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Tue, 15 Jun 2021 09:56:42 +0800 +Subject: [PATCH] vhost-user-gpu: fix memory leak in vg_resource_attach_backing + (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix CVE-2021-3544 + +Check whether the 'res' has already been attach_backing to avoid +memory leak. + +Fixes: CVE-2021-3544 +Reported-by: default avatarLi Qiang +virtio-gpu fix: 204f01b3 + + ("virtio-gpu: fix memory leak +in resource attach backing") +Signed-off-by: default avatarLi Qiang +Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau +Message-Id: <20210516030403.107723-4-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann + +Signed-off-by: Jiajie Li +--- + contrib/vhost-user-gpu/main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/contrib/vhost-user-gpu/main.c b/contrib/vhost-user-gpu/main.c +index f69af7d17f..4f087d6000 100644 +--- a/contrib/vhost-user-gpu/main.c ++++ b/contrib/vhost-user-gpu/main.c +@@ -468,6 +468,11 @@ vg_resource_attach_backing(VuGpu *g, + return; + } + ++ if (res->iov) { ++ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; ++ return; ++ } ++ + ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov); + if (ret != 0) { + cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; +-- +2.27.0 + -- Gitee From 5a9e8f1a79ca69ef6d9405b6ab9a59c4b709a279 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Tue, 15 Jun 2021 10:02:08 +0800 Subject: [PATCH 3/9] vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix CVE-2021-3544 If the guest trigger following sequences, the attach_backing will be leaked: vg_resource_create_2d vg_resource_attach_backing vg_resource_unref This patch fix this by freeing 'res->iov' in vg_resource_destroy. Fixes: CVE-2021-3544 Reported-by: default avatarLi Qiang virtio-gpu fix: 5e8e3c4c ("virtio-gpu: fix resource leak in virgl_cmd_resource_unref") Reviewed-by: default avatarPrasad J Pandit Signed-off-by: default avatarLi Qiang Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau Message-Id: <20210516030403.107723-5-liq3ea@163.com> Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann Signed-off-by: Jiajie Li --- ...ix-memory-leak-while-calling-vg_reso.patch | 51 +++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch diff --git a/vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch b/vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch new file mode 100644 index 0000000..d62399d --- /dev/null +++ b/vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch @@ -0,0 +1,51 @@ +From b96489ee56fa5bae7653878ef3a93c1f93fd47fb Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Tue, 15 Jun 2021 10:02:08 +0800 +Subject: [PATCH] vhost-user-gpu: fix memory leak while calling + 'vg_resource_unref' (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix CVE-2021-3544 + +If the guest trigger following sequences, the attach_backing will be leaked: + + vg_resource_create_2d + vg_resource_attach_backing + vg_resource_unref + +This patch fix this by freeing 'res->iov' in vg_resource_destroy. + +Fixes: CVE-2021-3544 +Reported-by: default avatarLi Qiang +virtio-gpu fix: 5e8e3c4c + + ("virtio-gpu: fix resource leak +in virgl_cmd_resource_unref") +Reviewed-by: default avatarPrasad J Pandit +Signed-off-by: default avatarLi Qiang +Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau +Message-Id: <20210516030403.107723-5-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann + +Signed-off-by: Jiajie Li +--- + contrib/vhost-user-gpu/main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/contrib/vhost-user-gpu/main.c b/contrib/vhost-user-gpu/main.c +index 4f087d6000..43d9851800 100644 +--- a/contrib/vhost-user-gpu/main.c ++++ b/contrib/vhost-user-gpu/main.c +@@ -379,6 +379,7 @@ vg_resource_destroy(VuGpu *g, + } + + vugbm_buffer_destroy(&res->buffer); ++ g_free(res->iov); + pixman_image_unref(res->image); + QTAILQ_REMOVE(&g->reslist, res, next); + g_free(res); +-- +2.27.0 + -- Gitee From 856b8465ada10f089bcecb1d389b30ecfe990672 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Tue, 15 Jun 2021 10:05:40 +0800 Subject: [PATCH 4/9] vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' (CVE-2021-3544) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix CVE-2021-3544 The 'res->iov' will be leaked if the guest trigger following sequences: virgl_cmd_create_resource_2d virgl_resource_attach_backing virgl_cmd_resource_unref This patch fixes this. Fixes: CVE-2021-3544 Reported-by: default avatarLi Qiang virtio-gpu fix: 5e8e3c4c ("virtio-gpu: fix resource leak in virgl_cmd_resource_unref" Signed-off-by: default avatarLi Qiang Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau Message-Id: <20210516030403.107723-6-liq3ea@163.com> Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann Signed-off-by: Jiajie Li --- ...ix-memory-leak-in-virgl_cmd_resource.patch | 57 +++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch diff --git a/vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch b/vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch new file mode 100644 index 0000000..dee9472 --- /dev/null +++ b/vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch @@ -0,0 +1,57 @@ +From 0fd03a85c2c06929827c954955d6f300cb76b923 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Tue, 15 Jun 2021 10:05:40 +0800 +Subject: [PATCH] vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' + (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix CVE-2021-3544 + +The 'res->iov' will be leaked if the guest trigger following sequences: + + virgl_cmd_create_resource_2d + virgl_resource_attach_backing + virgl_cmd_resource_unref + +This patch fixes this. + +Fixes: CVE-2021-3544 +Reported-by: default avatarLi Qiang +virtio-gpu fix: 5e8e3c4c + + ("virtio-gpu: fix resource leak +in virgl_cmd_resource_unref" +Signed-off-by: default avatarLi Qiang +Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau +Message-Id: <20210516030403.107723-6-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann + +Signed-off-by: Jiajie Li +--- + contrib/vhost-user-gpu/virgl.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c +index 43413e29df..4b8b536edf 100644 +--- a/contrib/vhost-user-gpu/virgl.c ++++ b/contrib/vhost-user-gpu/virgl.c +@@ -105,8 +105,14 @@ virgl_cmd_resource_unref(VuGpu *g, + struct virtio_gpu_ctrl_command *cmd) + { + struct virtio_gpu_resource_unref unref; ++ struct iovec *res_iovs = NULL; ++ int num_iovs = 0; + + VUGPU_FILL_CMD(unref); ++ virgl_renderer_resource_detach_iov(unref.resource_id, ++ &res_iovs, ++ &num_iovs); ++ g_free(res_iovs); + + virgl_renderer_resource_unref(unref.resource_id); + } +-- +2.27.0 + -- Gitee From df600f8499a6a41d3b7f2ac2deb0bddb35213486 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Tue, 15 Jun 2021 10:09:13 +0800 Subject: [PATCH 5/9] vhost-user-gpu: fix memory leak in 'virgl_resource_attach_backing' (CVE-2021-3544) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix CVE-2021-3544 If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will be leaked. Fixes: CVE-2021-3544 Reported-by: default avatarLi Qiang virtio-gpu fix: 33243031 ("virtio-gpu-3d: fix memory leak in resource attach backing") Signed-off-by: default avatarLi Qiang Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau Message-Id: <20210516030403.107723-7-liq3ea@163.com> Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann Signed-off-by: Jiajie Li --- ...ix-memory-leak-in-virgl_resource_att.patch | 50 +++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch diff --git a/vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch b/vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch new file mode 100644 index 0000000..1723f4c --- /dev/null +++ b/vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch @@ -0,0 +1,50 @@ +From dc0f0eb6ab37398a03c91099a06e9fbd9e56da3c Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Tue, 15 Jun 2021 10:09:13 +0800 +Subject: [PATCH] vhost-user-gpu: fix memory leak in + 'virgl_resource_attach_backing' (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix CVE-2021-3544 + +If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will +be leaked. + +Fixes: CVE-2021-3544 +Reported-by: default avatarLi Qiang +virtio-gpu fix: 33243031 + + ("virtio-gpu-3d: fix memory leak +in resource attach backing") +Signed-off-by: default avatarLi Qiang +Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau +Message-Id: <20210516030403.107723-7-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann + +Signed-off-by: Jiajie Li +--- + contrib/vhost-user-gpu/virgl.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c +index 4b8b536edf..79556df094 100644 +--- a/contrib/vhost-user-gpu/virgl.c ++++ b/contrib/vhost-user-gpu/virgl.c +@@ -282,8 +282,11 @@ virgl_resource_attach_backing(VuGpu *g, + return; + } + +- virgl_renderer_resource_attach_iov(att_rb.resource_id, ++ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id, + res_iovs, att_rb.nr_entries); ++ if (ret != 0) { ++ g_free(res_iovs); ++ } + } + + static void +-- +2.27.0 + -- Gitee From fb7ba6d75d2462459aa1970626bc87f21f1d97df Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Tue, 15 Jun 2021 10:11:17 +0800 Subject: [PATCH 6/9] vhost-user-gpu: fix memory disclosure in virgl_cmd_get_capset_info (CVE-2021-3545) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix CVE-2021-3544 Otherwise some of the 'resp' will be leaked to guest. Fixes: CVE-2021-3545 Reported-by: default avatarLi Qiang virtio-gpu fix: 42a8dadc ("virtio-gpu: fix information leak in getting capset info dispatch") Signed-off-by: default avatarLi Qiang Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau Message-Id: <20210516030403.107723-2-liq3ea@163.com> Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann Signed-off-by: Jiajie Li --- ...ix-memory-disclosure-in-virgl_cmd_ge.patch | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch diff --git a/vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch b/vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch new file mode 100644 index 0000000..f7eba5a --- /dev/null +++ b/vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch @@ -0,0 +1,44 @@ +From b7cc35c1da3d590389768067c0324d80f7de80c7 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Tue, 15 Jun 2021 10:11:17 +0800 +Subject: [PATCH] vhost-user-gpu: fix memory disclosure in + virgl_cmd_get_capset_info (CVE-2021-3545) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix CVE-2021-3544 + +Otherwise some of the 'resp' will be leaked to guest. + +Fixes: CVE-2021-3545 +Reported-by: default avatarLi Qiang +virtio-gpu fix: 42a8dadc + + ("virtio-gpu: fix information leak +in getting capset info dispatch") +Signed-off-by: default avatarLi Qiang +Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau +Message-Id: <20210516030403.107723-2-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann + +Signed-off-by: Jiajie Li +--- + contrib/vhost-user-gpu/virgl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c +index 79556df094..44e79ab82a 100644 +--- a/contrib/vhost-user-gpu/virgl.c ++++ b/contrib/vhost-user-gpu/virgl.c +@@ -131,6 +131,7 @@ virgl_cmd_get_capset_info(VuGpu *g, + + VUGPU_FILL_CMD(info); + ++ memset(&resp, 0, sizeof(resp)); + if (info.capset_index == 0) { + resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL; + virgl_renderer_get_cap_set(resp.capset_id, +-- +2.27.0 + -- Gitee From c6b63ff2c6e986ec21fd5f7f9568d7f94dfa3461 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Tue, 15 Jun 2021 10:14:06 +0800 Subject: [PATCH 7/9] vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset' (CVE-2021-3546) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix CVE-2021-3544 If 'virgl_cmd_get_capset' set 'max_size' to 0, the 'virgl_renderer_fill_caps' will write the data after the 'resp'. This patch avoid this by checking the returned 'max_size'. virtio-gpu fix: abd7f08b ("display: virtio-gpu-3d: check virgl capabilities max_size") Fixes: CVE-2021-3546 Reported-by: default avatarLi Qiang Reviewed-by: default avatarPrasad J Pandit Signed-off-by: default avatarLi Qiang Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau Message-Id: <20210516030403.107723-8-liq3ea@163.com> Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann Signed-off-by: Jiajie Li --- ...ix-OOB-write-in-virgl_cmd_get_capset.patch | 51 +++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch diff --git a/vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch b/vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch new file mode 100644 index 0000000..67ecf68 --- /dev/null +++ b/vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch @@ -0,0 +1,51 @@ +From f60098afc3a85dcd8ee89446e0c8d34321b74229 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Tue, 15 Jun 2021 10:14:06 +0800 +Subject: [PATCH] vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset' + (CVE-2021-3546) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix CVE-2021-3544 + +If 'virgl_cmd_get_capset' set 'max_size' to 0, +the 'virgl_renderer_fill_caps' will write the data after the 'resp'. +This patch avoid this by checking the returned 'max_size'. + +virtio-gpu fix: abd7f08b + + ("display: virtio-gpu-3d: check +virgl capabilities max_size") + +Fixes: CVE-2021-3546 +Reported-by: default avatarLi Qiang +Reviewed-by: default avatarPrasad J Pandit +Signed-off-by: default avatarLi Qiang +Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau +Message-Id: <20210516030403.107723-8-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann + +Signed-off-by: Jiajie Li +--- + contrib/vhost-user-gpu/virgl.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c +index 44e79ab82a..ad2834902b 100644 +--- a/contrib/vhost-user-gpu/virgl.c ++++ b/contrib/vhost-user-gpu/virgl.c +@@ -173,6 +173,10 @@ virgl_cmd_get_capset(VuGpu *g, + + virgl_renderer_get_cap_set(gc.capset_id, &max_ver, + &max_size); ++ if (!max_size) { ++ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; ++ return; ++ } + resp = g_malloc0(sizeof(*resp) + max_size); + + resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET; +-- +2.27.0 + -- Gitee From cef20bebaab4e76cbbb4204972559a9563116520 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Tue, 15 Jun 2021 16:27:16 +0800 Subject: [PATCH 8/9] spec: Update patch and changelog with !142 fix CVE-2021-3544 #I3VG5I && fix CVE-2021-3545 #I3V9I8 && fix CVE-2021-3546 #I3V9I7 !142 vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544) vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544) vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544) vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' (CVE-2021-3544) vhost-user-gpu: fix memory leak in 'virgl_resource_attach_backing' (CVE-2021-3544) vhost-user-gpu: fix memory disclosure in virgl_cmd_get_capset_info (CVE-2021-3545) vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset' (CVE-2021-3546) Signed-off-by: Chen Qun --- qemu.spec | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/qemu.spec b/qemu.spec index daedbef..248b2ab 100644 --- a/qemu.spec +++ b/qemu.spec @@ -237,6 +237,13 @@ Patch0224: tz-ppc-add-dummy-read-write-methods.patch Patch0225: imx7-ccm-add-digprog-mmio-write-method.patch Patch0226: bugfix-fix-Uninitialized-Free-Vulnerability.patch Patch0227: 9pfs-Fully-restart-unreclaim-loop-CVE-2021-20181.patch +Patch0228: vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch +Patch0229: vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch +Patch0230: vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch +Patch0231: vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch +Patch0232: vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch +Patch0233: vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch +Patch0234: vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch BuildRequires: flex BuildRequires: bison @@ -582,6 +589,15 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Tue Jun 15 2021 Chen Qun +- vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544) +- vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544) +- vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544) +- vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' (CVE-2021-3544) +- vhost-user-gpu: fix memory leak in 'virgl_resource_attach_backing' (CVE-2021-3544) +- vhost-user-gpu: fix memory disclosure in virgl_cmd_get_capset_info (CVE-2021-3545) +- vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset' (CVE-2021-3546) + * Tue Jun 08 2021 Chen Qun - 9pfs: Fully restart unreclaim loop (CVE-2021-20181) -- Gitee From 6f8384add1b72f3cac9b4be7bf949945d396eb82 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Tue, 15 Jun 2021 16:27:49 +0800 Subject: [PATCH 9/9] spec: Update release version with !142 increase release verison by one Signed-off-by: Chen Qun --- qemu.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qemu.spec b/qemu.spec index 248b2ab..c357c61 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 41 +Release: 42 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY -- Gitee