From 0532f87f2e4eb6463a3f9cc73434eb7e90c2c4fe Mon Sep 17 00:00:00 2001
From: Chen Qun
Date: Mon, 12 Jul 2021 17:30:45 +0800
Subject: [PATCH 1/3] hw/net/rocker_of_dpa: fix double free bug of rocker device

The of_dpa_cmd_add_l2_flood function of the rocker device releases the memory of group->l2_flood.group_ids before applying for new memory. If the l2_group configured by the guest does not match the input group->l2_flood.group_ids, the err_out branch is redirected to release the memory of the group->l2_flood.group_ids branch. The pointer is not set to NULL after the memory is freed. When the guest accesses the of_dpa_cmd_add_l2_flood function again, the memory of group->l2_flood.group_ids is released again. As a result, the memory is double freed.

Fix that by setting group->l2_flood.group_ids to NULL after free.

Signed-off-by: Jiajie Li
Signed-off-by: Qiang Ning
---
 ..._dpa-fix-double-free-bug-of-rocker-d.patch | 39 +++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 hw-net-rocker_of_dpa-fix-double-free-bug-of-rocker-d.patch

diff --git a/hw-net-rocker_of_dpa-fix-double-free-bug-of-rocker-d.patch b/hw-net-rocker_of_dpa-fix-double-free-bug-of-rocker-d.patch
new file mode 100644
index 0000000..efa47f9
--- /dev/null
+++ b/hw-net-rocker_of_dpa-fix-double-free-bug-of-rocker-d.patch
@@ -0,0 +1,39 @@ +From c5ea78cfd76706b21746bf3881c068c896b3199b Mon Sep 17 00:00:00 2001 +From: Qiang Ning +Date: Mon, 12 Jul 2021 17:30:45 +0800 +Subject: [PATCH] hw/net/rocker_of_dpa: fix double free bug of rocker device + +The of_dpa_cmd_add_l2_flood function of the rocker device +releases the memory of group->l2_flood.group_ids before +applying for new memory. If the l2_group configured by +the guest does not match the input group->l2_flood.group_ids, +the err_out branch is redirected to release the memory of the +group->l2_flood.group_ids branch. The pointer is not set to +NULL after the memory is freed. When the guest accesses the +of_dpa_cmd_add_l2_flood function again, the memory of +group->l2_flood.group_ids is released again. As a result, +the memory is double free. + +Fix that by setting group->l2_flood.group_ids to NULL after free. + +Signed-off-by: Jiajie Li +Signed-off-by: Qiang Ning +--- + hw/net/rocker/rocker_of_dpa.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/net/rocker/rocker_of_dpa.c b/hw/net/rocker/rocker_of_dpa.c +index 8e347d1ee4..0c9de5f014 100644 +--- a/hw/net/rocker/rocker_of_dpa.c ++++ b/hw/net/rocker/rocker_of_dpa.c +@@ -2070,6 +2070,7 @@ static int of_dpa_cmd_add_l2_flood(OfDpa *of_dpa, OfDpaGroup *group, + err_out: + group->l2_flood.group_count = 0; + g_free(group->l2_flood.group_ids); ++ group->l2_flood.group_ids = NULL; + g_free(tlvs); + + return err; +-- +2.27.0 + -- Gitee From 8748c2f4d279faeedc1b8bf832260b3d7f6fbbc6 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Tue, 13 Jul 2021 11:46:27 +0800 Subject: [PATCH 2/3] spec: Update patch and changelog with !153 hw/net/rocker_of_dpa: fix double free bug of rocker device !153 hw/net/rocker_of_dpa: fix double free bug of rocker device Signed-off-by: Chen Qun --- qemu.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/qemu.spec b/qemu.spec index 32e5f80..ce4c4c6 100644 --- a/qemu.spec +++ b/qemu.spec 
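Review bot: the added `group->l2_flood.group_ids = NULL;` after `g_free(group->l2_flood.group_ids);` in the err_out block is sufficient for the path shown, because g_free(NULL) is a no-op and the next command's initial free of group_ids then does nothing; but the hunk covers only the error path, while the commit message says the function also frees group_ids before allocating the replacement, and that early free is outside the visible context, so confirm that nothing between it and the new assignment can fail and return with the old pointer still stored, or the same dangling pointer survives on that path. The backported patch file also carries no reference to the upstream QEMU commit it was taken from (no "cherry picked from" or equivalent line), which makes the backport hard to audit; add the upstream reference to the patch header.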
@@ -247,6 +247,7 @@ Patch0234: vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch Patch0235: ide-ahci-add-check-to-avoid-null-dereference-CVE-201.patch Patch0236: hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch Patch0237: usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch +Patch0238: hw-net-rocker_of_dpa-fix-double-free-bug-of-rocker-d.patch BuildRequires: flex BuildRequires: bison @@ -592,6 +593,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Tue Jul 13 2021 Chen Qun +- hw/net/rocker_of_dpa: fix double free bug of rocker device + * Mon Jun 21 2021 Chen Qun - ide: ahci: add check to avoid null dereference (CVE-2019-12067) - hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register -- Gitee From 19c3f225e8473921a87465b6366ac4e230f558bd Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Tue, 13 Jul 2021 11:46:31 +0800 Subject: [PATCH 3/3] spec: Update release version with !153 increase release verison by one Signed-off-by: Chen Qun --- qemu.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qemu.spec b/qemu.spec index ce4c4c6..0765889 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 43 +Release: 44 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY -- Gitee
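Review bot: the new %changelog entry under "* Tue Jul 13 2021 Chen Qun" only repeats the patch subject; the commit message describes a double free that a guest triggers by issuing the add-l2-flood command again after a rejected one, which is a guest-to-host crash of the emulator, so state that impact in the entry, and since the neighbouring entries carry CVE numbers where one exists, add the identifier for this bug if one has been assigned.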
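Review bot: the Release bump from 43 to 44 matches the changelog entry, but it arrives in its own commit (3/3) while the Patch0238 and %changelog additions sit in commit 2/3, so the tree at 2/3 has a changelog entry with no matching release; fold the one-line bump into the spec commit so the changelog and release move together, and fix the subject's misspelling "verison" before merging.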
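The free-without-NULL pattern the first commit message describes, as an added example that is not QEMU's rocker code and not part of the patch series: the field and label names follow the hunk (l2_flood.group_ids, group_count, err_out), while the command layout, the table of installed L2 groups, the error value -1 and every function name are assumptions. A tracking allocator stands in for g_malloc/g_free so that the second free is counted instead of executed, and one flag switches the err_out block between the vulnerable shape and the one-line fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not QEMU code. Tracking allocator: a free of a block that is
 * not live is counted rather than passed to free(), since a real double free
 * would abort the emulator (which is exactly what a guest could trigger). */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_free_count;

static void *tracked_alloc(size_t n)
{
    void *p = malloc(n ? n : 1);
    for (int i = 0; p && i < MAX_LIVE; i++) {
        if (!live[i]) {
            live[i] = p;
            return p;
        }
    }
    free(p);
    return NULL;
}

static void tracked_free(void *p)
{
    if (!p) {
        return;                              /* g_free(NULL) is a no-op */
    }
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) {
            live[i] = NULL;
            free(p);
            return;
        }
    }
    double_free_count++;                     /* block not live: double free */
}

typedef struct { uint32_t *group_ids; uint16_t group_count; } L2Flood;
typedef struct { L2Flood l2_flood; } OfDpaGroup;

/* Constructed: L2 interface groups the guest is assumed to have installed. */
static const uint32_t installed_l2_groups[] = { 0x00100001, 0x00100002, 0x00100003 };

static bool l2_group_exists(uint32_t id)
{
    for (size_t i = 0; i < sizeof installed_l2_groups / sizeof *installed_l2_groups; i++) {
        if (installed_l2_groups[i] == id) {
            return true;
        }
    }
    return false;
}

/* Model of the add-l2-flood command. reset_on_error=false is the vulnerable
 * shape (pointer left dangling after the err_out free); true applies the fix. */
static int add_l2_flood(OfDpaGroup *group, const uint32_t *ids, uint16_t n,
                        bool reset_on_error)
{
    int err = 0;

    tracked_free(group->l2_flood.group_ids); /* old list freed before the new one is allocated */
    group->l2_flood.group_ids = tracked_alloc(n * sizeof(uint32_t));
    if (!group->l2_flood.group_ids) {
        group->l2_flood.group_count = 0;
        return -1;
    }
    group->l2_flood.group_count = n;

    for (uint16_t i = 0; i < n; i++) {
        if (!l2_group_exists(ids[i])) {
            err = -1;                        /* guest-supplied id matches no L2 group */
            goto err_out;
        }
        group->l2_flood.group_ids[i] = ids[i];
    }
    return 0;

err_out:
    group->l2_flood.group_count = 0;
    tracked_free(group->l2_flood.group_ids);
    if (reset_on_error) {
        group->l2_flood.group_ids = NULL;    /* the one-line fix from the hunk */
    }
    return err;
}

/* Replay the guest sequence from the commit message: a valid flood group, then
 * one naming an uninstalled group (takes err_out), then any further add, whose
 * initial free hits the pointer err_out left behind. Returns the number of
 * double frees the tracking allocator observed. */
static int replay_guest(bool reset_on_error)
{
    OfDpaGroup group = { { NULL, 0 } };
    const uint32_t good[] = { 0x00100001, 0x00100002 };
    const uint32_t bad[] = { 0x00100001, 0x00100009 };   /* constructed: 2nd id unknown */
    int seen;

    double_free_count = 0;
    add_l2_flood(&group, good, 2, reset_on_error);
    add_l2_flood(&group, bad, 2, reset_on_error);
    add_l2_flood(&group, good, 2, reset_on_error);
    seen = double_free_count;

    tracked_free(group.l2_flood.group_ids);  /* release the last valid list */
    return seen;
}

/* After a rejected command the fixed path must leave no pointer and no count. */
static bool err_path_clears_state(void)
{
    OfDpaGroup group = { { NULL, 0 } };
    const uint32_t bad[] = { 0x00100009 };
    int err = add_l2_flood(&group, bad, 1, true);
    return err == -1 && group.l2_flood.group_ids == NULL && group.l2_flood.group_count == 0;
}

int main(void)
{
    printf("vulnerable: %d double free(s)\n", replay_guest(false));
    printf("fixed:      %d double free(s)\n", replay_guest(true));
    return 0;
}
```

The replay is the guest-controlled sequence the commit message describes: the rejected command frees the freshly allocated list and, without the NULL reset, the next command's unconditional initial free hits the same block a second time.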