diff --git a/hw-net-rocker_of_dpa-fix-double-free-bug-of-rocker-d.patch b/hw-net-rocker_of_dpa-fix-double-free-bug-of-rocker-d.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b249726089ccc52ac4c7780a9609f711e294075f
--- /dev/null
+++ b/hw-net-rocker_of_dpa-fix-double-free-bug-of-rocker-d.patch
@@ -0,0 +1,39 @@
+From 70573b16a207910019fb71ac0d9342944e6b0c7a Mon Sep 17 00:00:00 2001
+From: Qiang Ning
+Date: Mon, 12 Jul 2021 17:30:45 +0800
+Subject: [PATCH] hw/net/rocker_of_dpa: fix double free bug of rocker device
+
+The of_dpa_cmd_add_l2_flood function of the rocker device
+releases the memory of group->l2_flood.group_ids before
+applying for new memory. If the l2_group configured by
+the guest does not match the input group->l2_flood.group_ids,
+the err_out branch is redirected to release the memory of the
+group->l2_flood.group_ids branch. The pointer is not set to
+NULL after the memory is freed. When the guest accesses the
+of_dpa_cmd_add_l2_flood function again, the memory of
+group->l2_flood.group_ids is released again. As a result,
+the memory is double free.
+
+Fix that by setting group->l2_flood.group_ids to NULL after free.
+
+Signed-off-by: Jiajie Li
+Signed-off-by: Qiang Ning
+---
+ hw/net/rocker/rocker_of_dpa.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/net/rocker/rocker_of_dpa.c b/hw/net/rocker/rocker_of_dpa.c
+index 8e347d1ee4..0c9de5f014 100644
+--- a/hw/net/rocker/rocker_of_dpa.c
++++ b/hw/net/rocker/rocker_of_dpa.c
+@@ -2070,6 +2070,7 @@ static int of_dpa_cmd_add_l2_flood(OfDpa *of_dpa, OfDpaGroup *group,
+ err_out:
+ group->l2_flood.group_count = 0;
+ g_free(group->l2_flood.group_ids);
++ group->l2_flood.group_ids = NULL;
+ g_free(tlvs);
+
+ return err;
+--
+2.27.0
+
diff --git a/qemu.spec b/qemu.spec
index 78a5b7c1ce43feef0d29ee33b69a6df8d365b548..9574f6ccd44f63fb7068134587ec4eb83df09da4 100644
--- a/qemu.spec
+++ b/qemu.spec
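Review bot: The added `group->l2_flood.group_ids = NULL;` at err_out closes the double free, but GLib already offers the free-and-reset idiom as one statement, so the two lines could read `g_clear_pointer(&group->l2_flood.group_ids, g_free);`, which leaves no window in which the field holds a freed address. The description also refers to an earlier free of group->l2_flood.group_ids before a new allocation; that site and the rest of of_dpa_cmd_add_l2_flood lie outside this hunk, so whether every other free of this field also resets it cannot be confirmed here and is worth checking in the full function. Because this file is a backport carried as a spec patch, keeping the hunk byte-identical to the upstream commit is a reasonable reason to leave the two-line form as is.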
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 50
+Release: 51
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@@ -289,6 +289,7 @@ Patch0276: hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch
 Patch0277: usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch
 Patch0278: fix-cve-2020-35504.patch
 Patch0279: fix-cve-2020-35505-esp-ensure-cmdfifo-is-not-empty-a.patch
+Patch0280: hw-net-rocker_of_dpa-fix-double-free-bug-of-rocker-d.patch
 
 BuildRequires: flex
 BuildRequires: bison
@@ -677,6 +678,9 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Tue Jul 13 2021 Chen Qun
+- hw/net/rocker_of_dpa: fix double free bug of rocker device
+
 * Mon Jun 21 2021 Chen Qun
 - fix cve-2020-35504 esp: always check current_req is not NULL before use in DMA callbacks
 - fix cve-2020-35505 esp: ensure cmdfifo is not empty and current_dev is non-NULL