diff --git a/9pfs-Fully-restart-unreclaim-loop-CVE-2021-20181.patch b/9pfs-Fully-restart-unreclaim-loop-CVE-2021-20181.patch new file mode 100644 index 0000000000000000000000000000000000000000..3b7cefab51410efa77851fccb969d21824667385 --- /dev/null +++ b/9pfs-Fully-restart-unreclaim-loop-CVE-2021-20181.patch @@ -0,0 +1,80 @@ +From 3b4f09d7b5a2b8df37781acf057ed287f30aa0b6 Mon Sep 17 00:00:00 2001 +From: Greg Kurz +Date: Tue, 8 Jun 2021 09:07:17 +0800 +Subject: [PATCH] 9pfs: Fully restart unreclaim loop (CVE-2021-20181) + +Fix CVE-2021-20181 + +Depending on the client activity, the server can be asked to open a huge +number of file descriptors and eventually hit RLIMIT_NOFILE. This is +currently mitigated using a reclaim logic : the server closes the file +descriptors of idle fids, based on the assumption that it will be able +to re-open them later. This assumption doesn't hold of course if the +client requests the file to be unlinked. In this case, we loop on the +entire fid list and mark all related fids as unreclaimable (the reclaim +logic will just ignore them) and, of course, we open or re-open their +file descriptors if needed since we're about to unlink the file. + +This is the purpose of v9fs_mark_fids_unreclaim(). Since the actual +opening of a file can cause the coroutine to yield, another client +request could possibly add a new fid that we may want to mark as +non-reclaimable as well. The loop is thus restarted if the re-open +request was actually transmitted to the backend. This is achieved +by keeping a reference on the first fid (head) before traversing +the list. + +This is wrong in several ways: +- a potential clunk request from the client could tear the first + fid down and cause the reference to be stale. This leads to a + use-after-free error that can be detected with ASAN, using a + custom 9p client +- fids are added at the head of the list : restarting from the + previous head will always miss fids added by a some other + potential request + +All these problems could be avoided if fids were being added at the +end of the list. This can be achieved with a QSIMPLEQ, but this is +probably too much change for a bug fix. For now let's keep it +simple and just restart the loop from the current head. + +Fixes: CVE-2021-20181 +Buglink: https://bugs.launchpad.net/qemu/+bug/1911666 +Reported-by: Zero Day Initiative +Reviewed-by: Christian Schoenebeck +Reviewed-by: Stefano Stabellini +Message-Id: <161064025265.1838153.15185571283519390907.stgit@bahia.lan> +Signed-off-by: Greg Kurz + +Signed-off-by: Jiajie Li +--- + hw/9pfs/9p.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c +index 55821343e5..289d00b01a 100644 +--- a/hw/9pfs/9p.c ++++ b/hw/9pfs/9p.c +@@ -498,9 +498,9 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path) + { + int err; + V9fsState *s = pdu->s; +- V9fsFidState *fidp, head_fid; ++ V9fsFidState *fidp; + +- head_fid.next = s->fid_list; ++again: + for (fidp = s->fid_list; fidp; fidp = fidp->next) { + if (fidp->path.size != path->size) { + continue; +@@ -520,7 +520,7 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path) + * switched to the worker thread + */ + if (err == 0) { +- fidp = &head_fid; ++ goto again; + } + } + } +-- +2.27.0 + diff --git a/bugfix-fix-Uninitialized-Free-Vulnerability.patch b/bugfix-fix-Uninitialized-Free-Vulnerability.patch new file mode 100644 index 0000000000000000000000000000000000000000..94d424dcb7909db167a6b83f3b2f29ced5b0e305 --- /dev/null +++ b/bugfix-fix-Uninitialized-Free-Vulnerability.patch @@ -0,0 +1,72 @@ +From b779bc13f309b94aa5c9143e74fba5fbbe6d988f Mon Sep 17 00:00:00 2001 +From: imxcc +Date: Tue, 1 Jun 2021 20:38:59 +0800 +Subject: [PATCH] bugfix: fix Uninitialized Free Vulnerability + +Signed-off-by: nocjj <1250062498@qq.com> +Signed-off-by: imxcc +--- + hw/block/nvme.c | 27 +++++++++++++++++++++------ + 1 file changed, 21 insertions(+), 6 deletions(-) + +diff --git a/hw/block/nvme.c b/hw/block/nvme.c +index 4f3ab5034a..ada0d326a5 100644 +--- a/hw/block/nvme.c ++++ b/hw/block/nvme.c +@@ -219,15 +219,26 @@ static uint16_t nvme_map_prp(QEMUSGList *qsg, QEMUIOVector *iov, uint64_t prp1, + return NVME_SUCCESS; + + unmap: +- qemu_sglist_destroy(qsg); ++ if (iov && iov->iov) { ++ qemu_iovec_destroy(iov); ++ } ++ ++ if (qsg && qsg->sg) { ++ qemu_sglist_destroy(qsg); ++ } ++ + return NVME_INVALID_FIELD | NVME_DNR; + } + + static uint16_t nvme_dma_write_prp(NvmeCtrl *n, uint8_t *ptr, uint32_t len, + uint64_t prp1, uint64_t prp2) + { +- QEMUSGList qsg; +- QEMUIOVector iov; ++ QEMUSGList qsg = { ++ .sg = NULL, ++ }; ++ QEMUIOVector iov = { ++ .iov = NULL, ++ }; + uint16_t status = NVME_SUCCESS; + + if (nvme_map_prp(&qsg, &iov, prp1, prp2, len, n)) { +@@ -250,8 +261,12 @@ static uint16_t nvme_dma_write_prp(NvmeCtrl *n, uint8_t *ptr, uint32_t len, + static uint16_t nvme_dma_read_prp(NvmeCtrl *n, uint8_t *ptr, uint32_t len, + uint64_t prp1, uint64_t prp2) + { +- QEMUSGList qsg; +- QEMUIOVector iov; ++ QEMUSGList qsg = { ++ .sg = NULL, ++ }; ++ QEMUIOVector iov = { ++ .iov = NULL, ++ }; + uint16_t status = NVME_SUCCESS; + + trace_nvme_dma_read(prp1, prp2); +@@ -503,7 +518,7 @@ static void nvme_init_sq(NvmeSQueue *sq, NvmeCtrl *n, uint64_t dma_addr, + sq->size = size; + sq->cqid = cqid; + sq->head = sq->tail = 0; +- sq->io_req = g_new(NvmeRequest, sq->size); ++ sq->io_req = g_new0(NvmeRequest, sq->size); + + QTAILQ_INIT(&sq->req_list); + QTAILQ_INIT(&sq->out_req_list); +-- +2.27.0 + diff --git a/qemu.spec b/qemu.spec index 8916697a412e285a815a3e5ef68373b320435e54..6733e2c82bad27b6cc182fb4066c85b2e727fc88 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 55 +Release: 56 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 @@ -324,6 +324,15 @@ Patch0311: nvram-add-nrf51_soc-flash-read-method.patch Patch0312: spapr_pci-add-spapr-msi-read-method.patch Patch0313: tz-ppc-add-dummy-read-write-methods.patch Patch0314: imx7-ccm-add-digprog-mmio-write-method.patch +Patch0315: bugfix-fix-Uninitialized-Free-Vulnerability.patch +Patch0316: 9pfs-Fully-restart-unreclaim-loop-CVE-2021-20181.patch +Patch0317: vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch +Patch0318: vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch +Patch0319: vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch +Patch0320: vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch +Patch0321: vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch +Patch0322: vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch +Patch0323: vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch BuildRequires: flex BuildRequires: bison @@ -717,6 +726,21 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Thu Jun 17 2021 Chen Qun +- vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544) +- vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544) +- vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544) +- vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' (CVE-2021-3544) +- vhost-user-gpu: fix memory leak in 'virgl_resource_attach_backing' (CVE-2021-3544) +- vhost-user-gpu: fix memory disclosure in virgl_cmd_get_capset_info (CVE-2021-3545) +- vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset' (CVE-2021-3546) + +* Thu Jun 17 2021 Chen Qun +- 9pfs: Fully restart unreclaim loop (CVE-2021-20181) + +* Thu Jun 17 2021 Chen Qun +- bugfix: fix Uninitialized Free Vulnerability + * Wed May 19 2021 Ming Yang - add strip for block-iscsi.so, block-rbd.so and block-ssh.so. diff --git a/vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch b/vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch new file mode 100644 index 0000000000000000000000000000000000000000..79febe7f18d91a576b032e07eda41b35f7dd798f --- /dev/null +++ b/vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch @@ -0,0 +1,51 @@ +From 4ed508b61a118bf8862a9808efaec83f27c6c9c6 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Tue, 15 Jun 2021 10:14:06 +0800 +Subject: [PATCH] vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset' + (CVE-2021-3546) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix CVE-2021-3544 + +If 'virgl_cmd_get_capset' set 'max_size' to 0, +the 'virgl_renderer_fill_caps' will write the data after the 'resp'. +This patch avoid this by checking the returned 'max_size'. + +virtio-gpu fix: abd7f08b + + ("display: virtio-gpu-3d: check +virgl capabilities max_size") + +Fixes: CVE-2021-3546 +Reported-by: default avatarLi Qiang +Reviewed-by: default avatarPrasad J Pandit +Signed-off-by: default avatarLi Qiang +Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau +Message-Id: <20210516030403.107723-8-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann + +Signed-off-by: Jiajie Li +--- + contrib/vhost-user-gpu/virgl.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c +index 44e79ab82a..ad2834902b 100644 +--- a/contrib/vhost-user-gpu/virgl.c ++++ b/contrib/vhost-user-gpu/virgl.c +@@ -173,6 +173,10 @@ virgl_cmd_get_capset(VuGpu *g, + + virgl_renderer_get_cap_set(gc.capset_id, &max_ver, + &max_size); ++ if (!max_size) { ++ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; ++ return; ++ } + resp = g_malloc0(sizeof(*resp) + max_size); + + resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET; +-- +2.27.0 + diff --git a/vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch b/vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch new file mode 100644 index 0000000000000000000000000000000000000000..b7cb28598d0c4d4c0d14d53acbc0f07d6042d7d9 --- /dev/null +++ b/vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch @@ -0,0 +1,44 @@ +From 2eeb26404797e2b88fd9cc5d624bc9faa76326e0 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Tue, 15 Jun 2021 10:11:17 +0800 +Subject: [PATCH] vhost-user-gpu: fix memory disclosure in + virgl_cmd_get_capset_info (CVE-2021-3545) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix CVE-2021-3544 + +Otherwise some of the 'resp' will be leaked to guest. + +Fixes: CVE-2021-3545 +Reported-by: default avatarLi Qiang +virtio-gpu fix: 42a8dadc + + ("virtio-gpu: fix information leak +in getting capset info dispatch") +Signed-off-by: default avatarLi Qiang +Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau +Message-Id: <20210516030403.107723-2-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann + +Signed-off-by: Jiajie Li +--- + contrib/vhost-user-gpu/virgl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c +index 79556df094..44e79ab82a 100644 +--- a/contrib/vhost-user-gpu/virgl.c ++++ b/contrib/vhost-user-gpu/virgl.c +@@ -131,6 +131,7 @@ virgl_cmd_get_capset_info(VuGpu *g, + + VUGPU_FILL_CMD(info); + ++ memset(&resp, 0, sizeof(resp)); + if (info.capset_index == 0) { + resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL; + virgl_renderer_get_cap_set(resp.capset_id, +-- +2.27.0 + diff --git a/vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch b/vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch new file mode 100644 index 0000000000000000000000000000000000000000..5f15473fca86ffad6f815b26e33cf5c0cb15c612 --- /dev/null +++ b/vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch @@ -0,0 +1,49 @@ +From c58963a8c9c8e638ceb38245c28b3c21de6ee013 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Tue, 15 Jun 2021 09:56:42 +0800 +Subject: [PATCH] vhost-user-gpu: fix memory leak in vg_resource_attach_backing + (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix CVE-2021-3544 + +Check whether the 'res' has already been attach_backing to avoid +memory leak. + +Fixes: CVE-2021-3544 +Reported-by: default avatarLi Qiang +virtio-gpu fix: 204f01b3 + + ("virtio-gpu: fix memory leak +in resource attach backing") +Signed-off-by: default avatarLi Qiang +Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau +Message-Id: <20210516030403.107723-4-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann + +Signed-off-by: Jiajie Li +--- + contrib/vhost-user-gpu/main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/contrib/vhost-user-gpu/main.c b/contrib/vhost-user-gpu/main.c +index f69af7d17f..4f087d6000 100644 +--- a/contrib/vhost-user-gpu/main.c ++++ b/contrib/vhost-user-gpu/main.c +@@ -468,6 +468,11 @@ vg_resource_attach_backing(VuGpu *g, + return; + } + ++ if (res->iov) { ++ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; ++ return; ++ } ++ + ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov); + if (ret != 0) { + cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; +-- +2.27.0 + diff --git a/vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch b/vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch new file mode 100644 index 0000000000000000000000000000000000000000..51515660fb193a5323e9c6945eb552f200790551 --- /dev/null +++ b/vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch @@ -0,0 +1,57 @@ +From 090a3fe7f18afcdf77d24db61ec27eb62eb424c4 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Tue, 15 Jun 2021 10:05:40 +0800 +Subject: [PATCH] vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' + (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix CVE-2021-3544 + +The 'res->iov' will be leaked if the guest trigger following sequences: + + virgl_cmd_create_resource_2d + virgl_resource_attach_backing + virgl_cmd_resource_unref + +This patch fixes this. + +Fixes: CVE-2021-3544 +Reported-by: default avatarLi Qiang +virtio-gpu fix: 5e8e3c4c + + ("virtio-gpu: fix resource leak +in virgl_cmd_resource_unref" +Signed-off-by: default avatarLi Qiang +Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau +Message-Id: <20210516030403.107723-6-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann + +Signed-off-by: Jiajie Li +--- + contrib/vhost-user-gpu/virgl.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c +index 43413e29df..4b8b536edf 100644 +--- a/contrib/vhost-user-gpu/virgl.c ++++ b/contrib/vhost-user-gpu/virgl.c +@@ -105,8 +105,14 @@ virgl_cmd_resource_unref(VuGpu *g, + struct virtio_gpu_ctrl_command *cmd) + { + struct virtio_gpu_resource_unref unref; ++ struct iovec *res_iovs = NULL; ++ int num_iovs = 0; + + VUGPU_FILL_CMD(unref); ++ virgl_renderer_resource_detach_iov(unref.resource_id, ++ &res_iovs, ++ &num_iovs); ++ g_free(res_iovs); + + virgl_renderer_resource_unref(unref.resource_id); + } +-- +2.27.0 + diff --git a/vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch b/vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch new file mode 100644 index 0000000000000000000000000000000000000000..46554dbef48d8cde5cb62a097511fd2400b290d7 --- /dev/null +++ b/vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch @@ -0,0 +1,50 @@ +From 12faa627618299c169ae5dc56ad1bf406d0570a0 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Tue, 15 Jun 2021 10:09:13 +0800 +Subject: [PATCH] vhost-user-gpu: fix memory leak in + 'virgl_resource_attach_backing' (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix CVE-2021-3544 + +If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will +be leaked. + +Fixes: CVE-2021-3544 +Reported-by: default avatarLi Qiang +virtio-gpu fix: 33243031 + + ("virtio-gpu-3d: fix memory leak +in resource attach backing") +Signed-off-by: default avatarLi Qiang +Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau +Message-Id: <20210516030403.107723-7-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann + +Signed-off-by: Jiajie Li +--- + contrib/vhost-user-gpu/virgl.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c +index 4b8b536edf..79556df094 100644 +--- a/contrib/vhost-user-gpu/virgl.c ++++ b/contrib/vhost-user-gpu/virgl.c +@@ -282,8 +282,11 @@ virgl_resource_attach_backing(VuGpu *g, + return; + } + +- virgl_renderer_resource_attach_iov(att_rb.resource_id, ++ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id, + res_iovs, att_rb.nr_entries); ++ if (ret != 0) { ++ g_free(res_iovs); ++ } + } + + static void +-- +2.27.0 + diff --git a/vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch b/vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch new file mode 100644 index 0000000000000000000000000000000000000000..cb54e96a040e6f5a1161ff07e7ca3a0a660201fb --- /dev/null +++ b/vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch @@ -0,0 +1,51 @@ +From 57c2497680e638c12988c386e671f6ed04f5baab Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Tue, 15 Jun 2021 10:02:08 +0800 +Subject: [PATCH] vhost-user-gpu: fix memory leak while calling + 'vg_resource_unref' (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix CVE-2021-3544 + +If the guest trigger following sequences, the attach_backing will be leaked: + + vg_resource_create_2d + vg_resource_attach_backing + vg_resource_unref + +This patch fix this by freeing 'res->iov' in vg_resource_destroy. + +Fixes: CVE-2021-3544 +Reported-by: default avatarLi Qiang +virtio-gpu fix: 5e8e3c4c + + ("virtio-gpu: fix resource leak +in virgl_cmd_resource_unref") +Reviewed-by: default avatarPrasad J Pandit +Signed-off-by: default avatarLi Qiang +Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau +Message-Id: <20210516030403.107723-5-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann + +Signed-off-by: Jiajie Li +--- + contrib/vhost-user-gpu/main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/contrib/vhost-user-gpu/main.c b/contrib/vhost-user-gpu/main.c +index 4f087d6000..43d9851800 100644 +--- a/contrib/vhost-user-gpu/main.c ++++ b/contrib/vhost-user-gpu/main.c +@@ -379,6 +379,7 @@ vg_resource_destroy(VuGpu *g, + } + + vugbm_buffer_destroy(&res->buffer); ++ g_free(res->iov); + pixman_image_unref(res->image); + QTAILQ_REMOVE(&g->reslist, res, next); + g_free(res); +-- +2.27.0 + diff --git a/vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch b/vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch new file mode 100644 index 0000000000000000000000000000000000000000..4bea784b394e82620e2151c482dd6941b4a76b32 --- /dev/null +++ b/vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch @@ -0,0 +1,41 @@ +From 3a65c4dcf00ef4c8d4f42da07586e1f628df0724 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Tue, 15 Jun 2021 09:53:22 +0800 +Subject: [PATCH] vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' + (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix CVE-2021-3544 + +Call 'vugbm_buffer_destroy' in error path to avoid resource leak. + +Fixes: CVE-2021-3544 +Reported-by: default avatarLi Qiang +Reviewed-by: default avatarPrasad J Pandit +Signed-off-by: default avatarLi Qiang +Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau +Message-Id: <20210516030403.107723-3-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann + +Signed-off-by: Jiajie Li +--- + contrib/vhost-user-gpu/main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/contrib/vhost-user-gpu/main.c b/contrib/vhost-user-gpu/main.c +index b45d2019b4..f69af7d17f 100644 +--- a/contrib/vhost-user-gpu/main.c ++++ b/contrib/vhost-user-gpu/main.c +@@ -328,6 +328,7 @@ vg_resource_create_2d(VuGpu *g, + g_critical("%s: resource creation failed %d %d %d", + __func__, c2d.resource_id, c2d.width, c2d.height); + g_free(res); ++ vugbm_buffer_destroy(&res->buffer); + cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY; + return; + } +-- +2.27.0 +