From 385d7baf6556522fcf25f37d533b1b5ad18e6dc4 Mon Sep 17 00:00:00 2001
From: Chen Qun
Date: Tue, 1 Jun 2021 20:38:59 +0800
Subject: [PATCH 01/13] bugfix: fix Uninitialized Free Vulnerability
Signed-off-by: nocjj <1250062498@qq.com>
Signed-off-by: imxcc
---
 ...fix-Uninitialized-Free-Vulnerability.patch | 72 +++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 bugfix-fix-Uninitialized-Free-Vulnerability.patch
diff --git a/bugfix-fix-Uninitialized-Free-Vulnerability.patch b/bugfix-fix-Uninitialized-Free-Vulnerability.patch
new file mode 100644
index 00000000..94d424dc
--- /dev/null
+++ b/bugfix-fix-Uninitialized-Free-Vulnerability.patch
@@ -0,0 +1,72 @@
+From b779bc13f309b94aa5c9143e74fba5fbbe6d988f Mon Sep 17 00:00:00 2001
+From: imxcc
+Date: Tue, 1 Jun 2021 20:38:59 +0800
+Subject: [PATCH] bugfix: fix Uninitialized Free Vulnerability
+
+Signed-off-by: nocjj <1250062498@qq.com>
+Signed-off-by: imxcc
+---
+ hw/block/nvme.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/hw/block/nvme.c b/hw/block/nvme.c
+index 4f3ab5034a..ada0d326a5 100644
+--- a/hw/block/nvme.c
++++ b/hw/block/nvme.c
+@@ -219,15 +219,26 @@ static uint16_t nvme_map_prp(QEMUSGList *qsg, QEMUIOVector *iov, uint64_t prp1,
+ return NVME_SUCCESS;
+
+ unmap:
+- qemu_sglist_destroy(qsg);
++ if (iov && iov->iov) {
++ qemu_iovec_destroy(iov);
++ }
++
++ if (qsg && qsg->sg) {
++ qemu_sglist_destroy(qsg);
++ }
++
+ return NVME_INVALID_FIELD | NVME_DNR;
+ }
+
+ static uint16_t nvme_dma_write_prp(NvmeCtrl *n, uint8_t *ptr, uint32_t len,
+ uint64_t prp1, uint64_t prp2)
+ {
+- QEMUSGList qsg;
+- QEMUIOVector iov;
++ QEMUSGList qsg = {
++ .sg = NULL,
++ };
++ QEMUIOVector iov = {
++ .iov = NULL,
++ };
+ uint16_t status = NVME_SUCCESS;
+
+ if (nvme_map_prp(&qsg, &iov, prp1, prp2, len, n)) {
+@@ -250,8 +261,12 @@ static uint16_t nvme_dma_write_prp(NvmeCtrl *n, uint8_t *ptr, uint32_t len,
+ static uint16_t nvme_dma_read_prp(NvmeCtrl *n, uint8_t *ptr, uint32_t len,
+ uint64_t prp1, uint64_t prp2)
+ {
+- QEMUSGList qsg;
+- QEMUIOVector iov;
++ QEMUSGList qsg = {
++ .sg = NULL,
++ };
++ QEMUIOVector iov = {
++ .iov = NULL,
++ };
+ uint16_t status = NVME_SUCCESS;
+
+ trace_nvme_dma_read(prp1, prp2);
+@@ -503,7 +518,7 @@ static void nvme_init_sq(NvmeSQueue *sq, NvmeCtrl *n, uint64_t dma_addr,
+ sq->size = size;
+ sq->cqid = cqid;
+ sq->head = sq->tail = 0;
+- sq->io_req = g_new(NvmeRequest, sq->size);
++ sq->io_req = g_new0(NvmeRequest, sq->size);
+
+ QTAILQ_INIT(&sq->req_list);
+ QTAILQ_INIT(&sq->out_req_list);
+--
+2.27.0
+
-- Gitee
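Review bot: The new `iov && iov->iov` / `qsg && qsg->sg` guards at `unmap:` are only meaningful if every caller hands nvme_map_prp zero-initialised structures, and nothing in the function itself enforces that; the hunk zeroes the two stack callers and `sq->io_req` via `g_new0`, but any caller that reuses the same `QEMUSGList`/`QEMUIOVector` across requests (not visible here) also needs `.sg`/`.iov` put back to NULL by the destroy helpers, otherwise the guard reads a stale pointer and the destroy runs on it a second time. Worth confirming that this tree's `qemu_sglist_destroy`/`qemu_iovec_destroy` clear those fields, and stating the contract at the label, e.g. `/* qsg/iov arrive zeroed; tear down only what this function initialised */`. nvme_map_prp begins before this hunk, so the code that initialises qsg or iov on the success path is not visible.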
From 71fff30a35a95024c20e4ea193705539066b42a0 Mon Sep 17 00:00:00 2001
From: Chen Qun
Date: Thu, 17 Jun 2021 21:27:38 +0800
Subject: [PATCH 02/13] spec: Update patch and changelog with !133 fix Uninitialized Free Vulnerability !133 bugfix: fix Uninitialized Free Vulnerability
Signed-off-by: Chen Qun
---
 qemu.spec | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/qemu.spec b/qemu.spec
index 8916697a..7da045a4 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -324,6 +324,7 @@ Patch0311: nvram-add-nrf51_soc-flash-read-method.patch
 Patch0312: spapr_pci-add-spapr-msi-read-method.patch
 Patch0313: tz-ppc-add-dummy-read-write-methods.patch
 Patch0314: imx7-ccm-add-digprog-mmio-write-method.patch
+Patch0315: bugfix-fix-Uninitialized-Free-Vulnerability.patch
 BuildRequires: flex
 BuildRequires: bison
@@ -717,6 +718,9 @@ getent passwd qemu >/dev/null || \
 %endif
 %changelog
+* Thu Jun 17 2021 Chen Qun
+- bugfix: fix Uninitialized Free Vulnerability
+
 * Wed May 19 2021 Ming Yang
 - add strip for block-iscsi.so, block-rbd.so and block-ssh.so.
-- Gitee
From ff5111d5f46a5ee8fa9f2c1651f51e54e288f913 Mon Sep 17 00:00:00 2001
From: Chen Qun Date: Tue, 8 Jun 2021 09:07:17 +0800 Subject: [PATCH 03/13] 9pfs: Fully restart unreclaim loop (CVE-2021-20181) Fix CVE-2021-20181 Depending on the client activity, the server can be asked to open a huge number of file descriptors and eventually hit RLIMIT_NOFILE. This is currently mitigated using a reclaim logic : the server closes the file descriptors of idle fids, based on the assumption that it will be able to re-open them later. This assumption doesn't hold of course if the client requests the file to be unlinked. In this case, we loop on the entire fid list and mark all related fids as unreclaimable (the reclaim logic will just ignore them) and, of course, we open or re-open their file descriptors if needed since we're about to unlink the file. This is the purpose of v9fs_mark_fids_unreclaim(). Since the actual opening of a file can cause the coroutine to yield, another client request could possibly add a new fid that we may want to mark as non-reclaimable as well. The loop is thus restarted if the re-open request was actually transmitted to the backend. This is achieved by keeping a reference on the first fid (head) before traversing the list. This is wrong in several ways: - a potential clunk request from the client could tear the first fid down and cause the reference to be stale. This leads to a use-after-free error that can be detected with ASAN, using a custom 9p client - fids are added at the head of the list : restarting from the previous head will always miss fids added by a some other potential request All these problems could be avoided if fids were being added at the end of the list. This can be achieved with a QSIMPLEQ, but this is probably too much change for a bug fix. For now let's keep it simple and just restart the loop from the current head. 
Fixes: CVE-2021-20181
Buglink: https://bugs.launchpad.net/qemu/+bug/1911666
Reported-by: Zero Day Initiative
Reviewed-by: Christian Schoenebeck
Reviewed-by: Stefano Stabellini
Message-Id: <161064025265.1838153.15185571283519390907.stgit@bahia.lan>
Signed-off-by: Greg Kurz
Signed-off-by: Jiajie Li
---
 ...estart-unreclaim-loop-CVE-2021-20181.patch | 80 +++++++++++++++++++
 1 file changed, 80 insertions(+)
 create mode 100644 9pfs-Fully-restart-unreclaim-loop-CVE-2021-20181.patch
diff --git a/9pfs-Fully-restart-unreclaim-loop-CVE-2021-20181.patch b/9pfs-Fully-restart-unreclaim-loop-CVE-2021-20181.patch
new file mode 100644
index 00000000..3b7cefab
--- /dev/null
+++ b/9pfs-Fully-restart-unreclaim-loop-CVE-2021-20181.patch
@@ -0,0 +1,80 @@
+From 3b4f09d7b5a2b8df37781acf057ed287f30aa0b6 Mon Sep 17 00:00:00 2001
+From: Greg Kurz
+Date: Tue, 8 Jun 2021 09:07:17 +0800
+Subject: [PATCH] 9pfs: Fully restart unreclaim loop (CVE-2021-20181)
+
+Fix CVE-2021-20181
+
+Depending on the client activity, the server can be asked to open a huge
+number of file descriptors and eventually hit RLIMIT_NOFILE. This is
+currently mitigated using a reclaim logic : the server closes the file
+descriptors of idle fids, based on the assumption that it will be able
+to re-open them later. This assumption doesn't hold of course if the
+client requests the file to be unlinked. In this case, we loop on the
+entire fid list and mark all related fids as unreclaimable (the reclaim
+logic will just ignore them) and, of course, we open or re-open their
+file descriptors if needed since we're about to unlink the file.
+
+This is the purpose of v9fs_mark_fids_unreclaim(). Since the actual
+opening of a file can cause the coroutine to yield, another client
+request could possibly add a new fid that we may want to mark as
+non-reclaimable as well. The loop is thus restarted if the re-open
+request was actually transmitted to the backend. This is achieved
+by keeping a reference on the first fid (head) before traversing
+the list.
+
+This is wrong in several ways:
+- a potential clunk request from the client could tear the first
+ fid down and cause the reference to be stale. This leads to a
+ use-after-free error that can be detected with ASAN, using a
+ custom 9p client
+- fids are added at the head of the list : restarting from the
+ previous head will always miss fids added by a some other
+ potential request
+
+All these problems could be avoided if fids were being added at the
+end of the list. This can be achieved with a QSIMPLEQ, but this is
+probably too much change for a bug fix. For now let's keep it
+simple and just restart the loop from the current head.
+
+Fixes: CVE-2021-20181
+Buglink: https://bugs.launchpad.net/qemu/+bug/1911666
+Reported-by: Zero Day Initiative
+Reviewed-by: Christian Schoenebeck
+Reviewed-by: Stefano Stabellini
+Message-Id: <161064025265.1838153.15185571283519390907.stgit@bahia.lan>
+Signed-off-by: Greg Kurz
+
+Signed-off-by: Jiajie Li
+---
+ hw/9pfs/9p.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 55821343e5..289d00b01a 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -498,9 +498,9 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
+ {
+ int err;
+ V9fsState *s = pdu->s;
+- V9fsFidState *fidp, head_fid;
++ V9fsFidState *fidp;
+
+- head_fid.next = s->fid_list;
++again:
+ for (fidp = s->fid_list; fidp; fidp = fidp->next) {
+ if (fidp->path.size != path->size) {
+ continue;
+@@ -520,7 +520,7 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
+ * switched to the worker thread
+ */
+ if (err == 0) {
+- fidp = &head_fid;
++ goto again;
+ }
+ }
+ }
+--
+2.27.0
+
-- Gitee
From c90c7f1e496aeb55dc815bf127149c4698356231 Mon Sep 17 00:00:00 2001
From: Chen Qun
Date: Thu, 17 Jun 2021 21:27:40 +0800
Subject: [PATCH 04/13] spec: Update patch and changelog with !140 fix CVE-2021-20181 #I3UFOQ !140 9pfs: Fully restart unreclaim loop (CVE-2021-20181)
Signed-off-by: Chen Qun
---
 qemu.spec | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/qemu.spec b/qemu.spec
index 7da045a4..b57c625e 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -325,6 +325,7 @@ Patch0312: spapr_pci-add-spapr-msi-read-method.patch
 Patch0313: tz-ppc-add-dummy-read-write-methods.patch
 Patch0314: imx7-ccm-add-digprog-mmio-write-method.patch
 Patch0315: bugfix-fix-Uninitialized-Free-Vulnerability.patch
+Patch0316: 9pfs-Fully-restart-unreclaim-loop-CVE-2021-20181.patch
 BuildRequires: flex
 BuildRequires: bison
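Review bot: `goto again` restarts the walk from `s->fid_list` after every successful reopen, so termination depends on each already-reopened fid being skipped on the next pass; that skip is in the part of the loop body between the two hunks and is not visible here, so the label deserves a comment such as `/* restart: the reopen may have yielded, and other requests may have added or clunked fids */`. The reopened `fidp` itself is still used after the yield without any reference being held; if this tree has a fid get/put helper, holding one across the reopen would be the defensive choice — confirm. v9fs_mark_fids_unreclaim starts at the first hunk and appears to end after the second.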
@@ -718,6 +719,9 @@ getent passwd qemu >/dev/null || \
 %endif
 %changelog
+* Thu Jun 17 2021 Chen Qun
+- 9pfs: Fully restart unreclaim loop (CVE-2021-20181)
+
 * Thu Jun 17 2021 Chen Qun
 - bugfix: fix Uninitialized Free Vulnerability
-- Gitee
From 4a0f0f10ba737eaae8e8983142807b00fa9969d5 Mon Sep 17 00:00:00 2001
From: Chen Qun
Date: Tue, 15 Jun 2021 09:53:22 +0800
Subject: [PATCH 05/13] vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fix CVE-2021-3544
Call 'vugbm_buffer_destroy' in error path to avoid resource leak.
Fixes: CVE-2021-3544
Reported-by: default avatarLi Qiang
Reviewed-by: default avatarPrasad J Pandit
Signed-off-by: default avatarLi Qiang
Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau
Message-Id: <20210516030403.107723-3-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann
Signed-off-by: Jiajie Li
---
 ...ix-resource-leak-in-vg_resource_crea.patch | 41 +++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch
diff --git a/vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch b/vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch
new file mode 100644
index 00000000..4bea784b
--- /dev/null
+++ b/vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch
@@ -0,0 +1,41 @@
+From 3a65c4dcf00ef4c8d4f42da07586e1f628df0724 Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Tue, 15 Jun 2021 09:53:22 +0800
+Subject: [PATCH] vhost-user-gpu: fix resource leak in 'vg_resource_create_2d'
+ (CVE-2021-3544)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fix CVE-2021-3544
+
+Call 'vugbm_buffer_destroy' in error path to avoid resource leak.
+
+Fixes: CVE-2021-3544
+Reported-by: default avatarLi Qiang
+Reviewed-by: default avatarPrasad J Pandit
+Signed-off-by: default avatarLi Qiang
+Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau
+Message-Id: <20210516030403.107723-3-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann
+
+Signed-off-by: Jiajie Li
+---
+ contrib/vhost-user-gpu/main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/contrib/vhost-user-gpu/main.c b/contrib/vhost-user-gpu/main.c
+index b45d2019b4..f69af7d17f 100644
+--- a/contrib/vhost-user-gpu/main.c
++++ b/contrib/vhost-user-gpu/main.c
+@@ -328,6 +328,7 @@ vg_resource_create_2d(VuGpu *g,
+ g_critical("%s: resource creation failed %d %d %d",
+ __func__, c2d.resource_id, c2d.width, c2d.height);
+ g_free(res);
++ vugbm_buffer_destroy(&res->buffer);
+ cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY;
+ return;
+ }
+--
+2.27.0
+
-- Gitee
From fd89d326b0c11923e8102375fc9e849e018d9842 Mon Sep 17 00:00:00 2001
From: Chen Qun
Date: Tue, 15 Jun 2021 09:56:42 +0800
Subject: [PATCH 06/13] vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fix CVE-2021-3544
Check whether the 'res' has already been attach_backing to avoid memory leak.
Fixes: CVE-2021-3544
Reported-by: default avatarLi Qiang
virtio-gpu fix: 204f01b3 ("virtio-gpu: fix memory leak in resource attach backing")
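Review bot: The added `vugbm_buffer_destroy(&res->buffer);` sits after the existing `g_free(res);`, so it takes the address of a member of freed memory — a use-after-free on the very error path this patch is meant to harden. Swap the two lines so the buffer is released while `res` is still valid: `vugbm_buffer_destroy(&res->buffer);` then `g_free(res);`. vg_resource_create_2d begins before this hunk.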
Signed-off-by: default avatarLi Qiang
Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau
Message-Id: <20210516030403.107723-4-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann
Signed-off-by: Jiajie Li
---
 ...ix-memory-leak-in-vg_resource_attach.patch | 49 +++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch
diff --git a/vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch b/vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch
new file mode 100644
index 00000000..5f15473f
--- /dev/null
+++ b/vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch
@@ -0,0 +1,49 @@
+From c58963a8c9c8e638ceb38245c28b3c21de6ee013 Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Tue, 15 Jun 2021 09:56:42 +0800
+Subject: [PATCH] vhost-user-gpu: fix memory leak in vg_resource_attach_backing
+ (CVE-2021-3544)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fix CVE-2021-3544
+
+Check whether the 'res' has already been attach_backing to avoid
+memory leak.
+
+Fixes: CVE-2021-3544
+Reported-by: default avatarLi Qiang
+virtio-gpu fix: 204f01b3
+
+ ("virtio-gpu: fix memory leak
+in resource attach backing")
+Signed-off-by: default avatarLi Qiang
+Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau
+Message-Id: <20210516030403.107723-4-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann
+
+Signed-off-by: Jiajie Li
+---
+ contrib/vhost-user-gpu/main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/contrib/vhost-user-gpu/main.c b/contrib/vhost-user-gpu/main.c
+index f69af7d17f..4f087d6000 100644
+--- a/contrib/vhost-user-gpu/main.c
++++ b/contrib/vhost-user-gpu/main.c
+@@ -468,6 +468,11 @@ vg_resource_attach_backing(VuGpu *g,
+ return;
+ }
+
++ if (res->iov) {
++ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
++ return;
++ }
++
+ ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov);
+ if (ret != 0) {
+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
+--
+2.27.0
+
-- Gitee
From cf5df216c60cec659442fb4214993c16fbd213b5 Mon Sep 17 00:00:00 2001
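Review bot: The new `if (res->iov)` rejection relies on `res->iov` being NULL for a freshly created resource and being put back to NULL whenever a backing is detached; neither the allocation nor the detach path is visible in this hunk, so the invariant should be stated next to the check, e.g. `/* a backing store can be attached only once; res->iov stays NULL until then */`. Answering with VIRTIO_GPU_RESP_ERR_UNSPEC is consistent with the failure branch just below it. vg_resource_attach_backing begins before this hunk.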
From: Chen Qun
Date: Tue, 15 Jun 2021 10:02:08 +0800
Subject: [PATCH 07/13] vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fix CVE-2021-3544
If the guest trigger following sequences, the attach_backing will be leaked: vg_resource_create_2d vg_resource_attach_backing vg_resource_unref This patch fix this by freeing 'res->iov' in vg_resource_destroy.
Fixes: CVE-2021-3544
Reported-by: default avatarLi Qiang
virtio-gpu fix: 5e8e3c4c ("virtio-gpu: fix resource leak in virgl_cmd_resource_unref")
Reviewed-by: default avatarPrasad J Pandit
Signed-off-by: default avatarLi Qiang
Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau
Message-Id: <20210516030403.107723-5-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann
Signed-off-by: Jiajie Li
---
 ...ix-memory-leak-while-calling-vg_reso.patch | 51 +++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch
diff --git a/vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch b/vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch
new file mode 100644
index 00000000..cb54e96a
--- /dev/null
+++ b/vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch
@@ -0,0 +1,51 @@
+From 57c2497680e638c12988c386e671f6ed04f5baab Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Tue, 15 Jun 2021 10:02:08 +0800
+Subject: [PATCH] vhost-user-gpu: fix memory leak while calling
+ 'vg_resource_unref' (CVE-2021-3544)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fix CVE-2021-3544
+
+If the guest trigger following sequences, the attach_backing will be leaked:
+
+ vg_resource_create_2d
+ vg_resource_attach_backing
+ vg_resource_unref
+
+This patch fix this by freeing 'res->iov' in vg_resource_destroy.
+
+Fixes: CVE-2021-3544
+Reported-by: default avatarLi Qiang
+virtio-gpu fix: 5e8e3c4c
+
+ ("virtio-gpu: fix resource leak
+in virgl_cmd_resource_unref")
+Reviewed-by: default avatarPrasad J Pandit
+Signed-off-by: default avatarLi Qiang
+Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau
+Message-Id: <20210516030403.107723-5-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann
+
+Signed-off-by: Jiajie Li
+---
+ contrib/vhost-user-gpu/main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/contrib/vhost-user-gpu/main.c b/contrib/vhost-user-gpu/main.c
+index 4f087d6000..43d9851800 100644
+--- a/contrib/vhost-user-gpu/main.c
++++ b/contrib/vhost-user-gpu/main.c
+@@ -379,6 +379,7 @@ vg_resource_destroy(VuGpu *g,
+ }
+
+ vugbm_buffer_destroy(&res->buffer);
++ g_free(res->iov);
+ pixman_image_unref(res->image);
+ QTAILQ_REMOVE(&g->reslist, res, next);
+ g_free(res);
+--
+2.27.0
+
-- Gitee
From 3da1661aefcb34fb5d3d6c2111aa72df8642096f Mon Sep 17 00:00:00 2001
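Review bot: `g_free(res->iov)` in vg_resource_destroy is only safe if the detach path (not visible here) sets `res->iov` back to NULL after freeing it; otherwise a detach followed by an unref frees the same block twice. That path is worth checking, with `res->iov = NULL;` added there if it is missing, and the added line here deserves a short why-comment such as `/* a backing iov may still be attached when the resource is unreferenced */`. vg_resource_destroy begins before this hunk.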
From: Chen Qun
Date: Tue, 15 Jun 2021 10:05:40 +0800
Subject: [PATCH 08/13] vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' (CVE-2021-3544)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fix CVE-2021-3544
The 'res->iov' will be leaked if the guest trigger following sequences: virgl_cmd_create_resource_2d virgl_resource_attach_backing virgl_cmd_resource_unref This patch fixes this.
Fixes: CVE-2021-3544
Reported-by: default avatarLi Qiang
virtio-gpu fix: 5e8e3c4c ("virtio-gpu: fix resource leak in virgl_cmd_resource_unref"
Signed-off-by: default avatarLi Qiang
Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau
Message-Id: <20210516030403.107723-6-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann
Signed-off-by: Jiajie Li
---
 ...ix-memory-leak-in-virgl_cmd_resource.patch | 57 +++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch
diff --git a/vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch b/vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch
new file mode 100644
index 00000000..51515660
--- /dev/null
+++ b/vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch
@@ -0,0 +1,57 @@
+From 090a3fe7f18afcdf77d24db61ec27eb62eb424c4 Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Tue, 15 Jun 2021 10:05:40 +0800
+Subject: [PATCH] vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref'
+ (CVE-2021-3544)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fix CVE-2021-3544
+
+The 'res->iov' will be leaked if the guest trigger following sequences:
+
+ virgl_cmd_create_resource_2d
+ virgl_resource_attach_backing
+ virgl_cmd_resource_unref
+
+This patch fixes this.
+
+Fixes: CVE-2021-3544
+Reported-by: default avatarLi Qiang
+virtio-gpu fix: 5e8e3c4c
+
+ ("virtio-gpu: fix resource leak
+in virgl_cmd_resource_unref"
+Signed-off-by: default avatarLi Qiang
+Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau
+Message-Id: <20210516030403.107723-6-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann
+
+Signed-off-by: Jiajie Li
+---
+ contrib/vhost-user-gpu/virgl.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
+index 43413e29df..4b8b536edf 100644
+--- a/contrib/vhost-user-gpu/virgl.c
++++ b/contrib/vhost-user-gpu/virgl.c
+@@ -105,8 +105,14 @@ virgl_cmd_resource_unref(VuGpu *g,
+ struct virtio_gpu_ctrl_command *cmd)
+ {
+ struct virtio_gpu_resource_unref unref;
++ struct iovec *res_iovs = NULL;
++ int num_iovs = 0;
+
+ VUGPU_FILL_CMD(unref);
++ virgl_renderer_resource_detach_iov(unref.resource_id,
++ &res_iovs,
++ &num_iovs);
++ g_free(res_iovs);
+
+ virgl_renderer_resource_unref(unref.resource_id);
+ }
+--
+2.27.0
+
-- Gitee
From 1cc6464325b626dc075f4a98739f68e0a62482ba Mon Sep 17 00:00:00 2001
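Review bot: The added detach-before-unref sequence deserves a one-line comment, because nothing in the function says why an iov array has to be freed here: `/* take back the iov array handed to the renderer at attach time before the resource goes away */` (that the array is ours to free is implied by the attach_backing fix later in this series, so confirm it against that code). `num_iovs` is an out-parameter the API requires but is otherwise unused, which is fine since `res_iovs` starts NULL and `g_free(NULL)` is a no-op; if the compiler warns, `(void)num_iovs;` after the call keeps it quiet.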
From: Chen Qun
Date: Tue, 15 Jun 2021 10:09:13 +0800
Subject: [PATCH 09/13] vhost-user-gpu: fix memory leak in 'virgl_resource_attach_backing' (CVE-2021-3544)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fix CVE-2021-3544
If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will be leaked.
Fixes: CVE-2021-3544
Reported-by: default avatarLi Qiang
virtio-gpu fix: 33243031 ("virtio-gpu-3d: fix memory leak in resource attach backing")
Signed-off-by: default avatarLi Qiang
Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau
Message-Id: <20210516030403.107723-7-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann
Signed-off-by: Jiajie Li
---
 ...ix-memory-leak-in-virgl_resource_att.patch | 50 +++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch
diff --git a/vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch b/vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch
new file mode 100644
index 00000000..46554dbe
--- /dev/null
+++ b/vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch
@@ -0,0 +1,50 @@
+From 12faa627618299c169ae5dc56ad1bf406d0570a0 Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Tue, 15 Jun 2021 10:09:13 +0800
+Subject: [PATCH] vhost-user-gpu: fix memory leak in
+ 'virgl_resource_attach_backing' (CVE-2021-3544)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fix CVE-2021-3544
+
+If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will
+be leaked.
+
+Fixes: CVE-2021-3544
+Reported-by: default avatarLi Qiang
+virtio-gpu fix: 33243031
+
+ ("virtio-gpu-3d: fix memory leak
+in resource attach backing")
+Signed-off-by: default avatarLi Qiang
+Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau
+Message-Id: <20210516030403.107723-7-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann
+
+Signed-off-by: Jiajie Li
+---
+ contrib/vhost-user-gpu/virgl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
+index 4b8b536edf..79556df094 100644
+--- a/contrib/vhost-user-gpu/virgl.c
++++ b/contrib/vhost-user-gpu/virgl.c
+@@ -282,8 +282,11 @@ virgl_resource_attach_backing(VuGpu *g,
+ return;
+ }
+
+- virgl_renderer_resource_attach_iov(att_rb.resource_id,
++ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
+ res_iovs, att_rb.nr_entries);
++ if (ret != 0) {
++ g_free(res_iovs);
++ }
+ }
+
+ static void
+--
+2.27.0
+
-- Gitee
From 92fd2d683e69b97ad0f38e22d6db33729c6910d0 Mon Sep 17 00:00:00 2001
From: Chen Qun
Date: Tue, 15 Jun 2021 10:11:17 +0800
Subject: [PATCH 10/13] vhost-user-gpu: fix memory disclosure in virgl_cmd_get_capset_info (CVE-2021-3545)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fix CVE-2021-3544
Otherwise some of the 'resp' will be leaked to guest.
Fixes: CVE-2021-3545
Reported-by: default avatarLi Qiang
virtio-gpu fix: 42a8dadc ("virtio-gpu: fix information leak in getting capset info dispatch")
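Review bot: When `virgl_renderer_resource_attach_iov` fails the mapping is now freed but the command still completes without an error code, so the guest is told the attach succeeded while no backing is attached; set `cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;` inside the new `if (ret != 0)` block next to `g_free(res_iovs);`, assuming `cmd` is the handler's second parameter as in the other handlers in this file. That mirrors how the vg_create_mapping_iov failure is reported in the main.c handlers elsewhere in this series. virgl_resource_attach_backing begins before this hunk, so the earlier `ret` declaration is not visible.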
Signed-off-by: default avatarLi Qiang
Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau
Message-Id: <20210516030403.107723-2-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann
Signed-off-by: Jiajie Li
---
 ...ix-memory-disclosure-in-virgl_cmd_ge.patch | 44 +++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch
diff --git a/vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch b/vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch
new file mode 100644
index 00000000..b7cb2859
--- /dev/null
+++ b/vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch
@@ -0,0 +1,44 @@
+From 2eeb26404797e2b88fd9cc5d624bc9faa76326e0 Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Tue, 15 Jun 2021 10:11:17 +0800
+Subject: [PATCH] vhost-user-gpu: fix memory disclosure in
+ virgl_cmd_get_capset_info (CVE-2021-3545)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fix CVE-2021-3544
+
+Otherwise some of the 'resp' will be leaked to guest.
+
+Fixes: CVE-2021-3545
+Reported-by: default avatarLi Qiang
+virtio-gpu fix: 42a8dadc
+
+ ("virtio-gpu: fix information leak
+in getting capset info dispatch")
+Signed-off-by: default avatarLi Qiang
+Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau
+Message-Id: <20210516030403.107723-2-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann
+
+Signed-off-by: Jiajie Li
+---
+ contrib/vhost-user-gpu/virgl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
+index 79556df094..44e79ab82a 100644
+--- a/contrib/vhost-user-gpu/virgl.c
++++ b/contrib/vhost-user-gpu/virgl.c
+@@ -131,6 +131,7 @@ virgl_cmd_get_capset_info(VuGpu *g,
+
+ VUGPU_FILL_CMD(info);
+
++ memset(&resp, 0, sizeof(resp));
+ if (info.capset_index == 0) {
+ resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL;
+ virgl_renderer_get_cap_set(resp.capset_id,
+--
+2.27.0
+
-- Gitee
From 6eef077071148d6c2c86784c94b2b16ffa3a36f1 Mon Sep 17 00:00:00 2001
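Review bot: The embedded commit message says `Fix CVE-2021-3544` while its Subject and `Fixes:` trailer say CVE-2021-3545, and the next patch in the series (virgl_cmd_get_capset, CVE-2021-3546) has the same mismatch; these vendored files are what distro CVE tracking greps, so the body line should read `Fix CVE-2021-3545` here and `Fix CVE-2021-3546` there. The `memset(&resp, 0, sizeof(resp))` itself is the right fix for padding and unfilled fields reaching the guest; a `= {0}` at the declaration would achieve the same with less distance between declaration and use, but that is a style preference. virgl_cmd_get_capset_info begins before this hunk.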
From: Chen Qun
Date: Tue, 15 Jun 2021 10:14:06 +0800
Subject: [PATCH 11/13] vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset' (CVE-2021-3546)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fix CVE-2021-3544
If 'virgl_cmd_get_capset' set 'max_size' to 0, the 'virgl_renderer_fill_caps' will write the data after the 'resp'. This patch avoid this by checking the returned 'max_size'.
virtio-gpu fix: abd7f08b ("display: virtio-gpu-3d: check virgl capabilities max_size")
Fixes: CVE-2021-3546
Reported-by: default avatarLi Qiang
Reviewed-by: default avatarPrasad J Pandit
Signed-off-by: default avatarLi Qiang
Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau
Message-Id: <20210516030403.107723-8-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann
Signed-off-by: Jiajie Li
---
 ...ix-OOB-write-in-virgl_cmd_get_capset.patch | 51 +++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch
diff --git a/vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch b/vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch
new file mode 100644
index 00000000..79febe7f
--- /dev/null
+++ b/vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch
@@ -0,0 +1,51 @@
+From 4ed508b61a118bf8862a9808efaec83f27c6c9c6 Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Tue, 15 Jun 2021 10:14:06 +0800
+Subject: [PATCH] vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset'
+ (CVE-2021-3546)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fix CVE-2021-3544
+
+If 'virgl_cmd_get_capset' set 'max_size' to 0,
+the 'virgl_renderer_fill_caps' will write the data after the 'resp'.
+This patch avoid this by checking the returned 'max_size'.
+
+virtio-gpu fix: abd7f08b
+
+ ("display: virtio-gpu-3d: check
+virgl capabilities max_size")
+
+Fixes: CVE-2021-3546
+Reported-by: default avatarLi Qiang
+Reviewed-by: default avatarPrasad J Pandit
+Signed-off-by: default avatarLi Qiang
+Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau
+Message-Id: <20210516030403.107723-8-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann
+
+Signed-off-by: Jiajie Li
+---
+ contrib/vhost-user-gpu/virgl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
+index 44e79ab82a..ad2834902b 100644
+--- a/contrib/vhost-user-gpu/virgl.c
++++ b/contrib/vhost-user-gpu/virgl.c
+@@ -173,6 +173,10 @@ virgl_cmd_get_capset(VuGpu *g,
+
+ virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
+ &max_size);
++ if (!max_size) {
++ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
++ return;
++ }
+ resp = g_malloc0(sizeof(*resp) + max_size);
+
+ resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
+--
+2.27.0
+
-- Gitee
From 0302f197b99ed5219e7f199649b42382960db272 Mon Sep 17 00:00:00 2001
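Review bot: The new `if (!max_size)` guard is correct but silent about why zero is reachable; a comment such as `/* max_size == 0 means the renderer has nothing for this capset_id; fill_caps would otherwise write past resp */` tells the next reader what is being defended against (the first half of that is an inference from the commit message, so word it to match what the renderer actually guarantees). `max_ver`/`max_size` are declared before the hunk, so whether they are initialised before `virgl_renderer_get_cap_set` is not visible; if they are not, a renderer call that returns without touching them would leave this check reading an indeterminate value — confirm. virgl_cmd_get_capset begins before this hunk.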
From: Chen Qun
Date: Thu, 17 Jun 2021 21:27:41 +0800
Subject: [PATCH 12/13] spec: Update patch and changelog with !145 fix CVE-2021-3544 #I3VG5I && fix CVE-2021-3545 #I3V9I8 && fix CVE-2021-3546 #I3V9I7 !145 vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544) vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544) vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544) vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' (CVE-2021-3544) vhost-user-gpu: fix memory leak in 'virgl_resource_attach_backing' (CVE-2021-3544) vhost-user-gpu: fix memory disclosure in virgl_cmd_get_capset_info (CVE-2021-3545) vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset' (CVE-2021-3546)
Signed-off-by: Chen Qun
---
 qemu.spec | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/qemu.spec b/qemu.spec
index b57c625e..5daa80c4 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -326,6 +326,13 @@ Patch0313: tz-ppc-add-dummy-read-write-methods.patch
 Patch0314: imx7-ccm-add-digprog-mmio-write-method.patch
 Patch0315: bugfix-fix-Uninitialized-Free-Vulnerability.patch
 Patch0316: 9pfs-Fully-restart-unreclaim-loop-CVE-2021-20181.patch
+Patch0317: vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch
+Patch0318: vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch
+Patch0319: vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch
+Patch0320: vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch
+Patch0321: vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch
+Patch0322: vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch
+Patch0323: vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch
 BuildRequires: flex
 BuildRequires: bison
@@ -719,6 +726,15 @@ getent passwd qemu >/dev/null || \
 %endif
 %changelog
+* Thu Jun 17 2021 Chen Qun
+- vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544)
+- vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544)
+- vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544)
+- vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' (CVE-2021-3544)
+- vhost-user-gpu: fix memory leak in 'virgl_resource_attach_backing' (CVE-2021-3544)
+- vhost-user-gpu: fix memory disclosure in virgl_cmd_get_capset_info (CVE-2021-3545)
+- vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset' (CVE-2021-3546)
+
 * Thu Jun 17 2021 Chen Qun
 - 9pfs: Fully restart unreclaim loop (CVE-2021-20181)
-- Gitee
From e68a16c47bce32f0489f0593acf1aabeb83d14ba Mon Sep 17 00:00:00 2001
From: Chen Qun
Date: Thu, 17 Jun 2021 21:27:41 +0800
Subject: [PATCH 13/13] spec: Update release version with !133 !140 !145 increase release verison by one
Signed-off-by: Chen Qun
---
 qemu.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/qemu.spec b/qemu.spec
index 5daa80c4..6733e2c8 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 55
+Release: 56
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
-- Gitee