* [hardknott][PATCH 1/5] qemu: fix CVE-2021-3527 @ 2021-08-11 3:08 Sakib Sajal 2021-08-11 3:08 ` [hardknott][PATCH 2/5] qemu: fix CVE-2021-3544, CVE-2021-3545, CVE-2021-3546 Sakib Sajal ` (3 more replies) 0 siblings, 4 replies; 6+ messages in thread From: Sakib Sajal @ 2021-08-11 3:08 UTC (permalink / raw) To: openembedded-core Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> --- meta/recipes-devtools/qemu/qemu.inc | 2 + .../qemu/qemu/CVE-2021-3527_1.patch | 57 +++++++++++++++++++ .../qemu/qemu/CVE-2021-3527_2.patch | 40 +++++++++++++ 3 files changed, 99 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3527_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3527_2.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 3921546df7..8b77da7ebf 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -57,6 +57,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2020-27821.patch \ file://CVE-2021-20263.patch \ file://CVE-2021-3392.patch \ + file://CVE-2021-3527_1.patch \ + file://CVE-2021-3527_2.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527_1.patch new file mode 100644 index 0000000000..0e116b5e70 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527_1.patch 
@@ -0,0 +1,57 @@ +From 7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Mon, 3 May 2021 15:29:12 +0200 +Subject: [PATCH] usb/redir: avoid dynamic stack allocation (CVE-2021-3527) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Use autofree heap allocation instead. + +Fixes: 4f4321c11ff ("usb: use iovecs in USBPacket") +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20210503132915.2335822-3-kraxel@redhat.com> + +CVE: CVE-2021-3527 +Upstream-Status: Backport [7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/usb/redirect.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c +index 17f06f3417..6a75b0dc4a 100644 +--- a/hw/usb/redirect.c ++++ b/hw/usb/redirect.c +@@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p, + .endpoint = ep, + .length = p->iov.size + }; +- uint8_t buf[p->iov.size]; ++ g_autofree uint8_t *buf = g_malloc(p->iov.size); + /* No id, we look at the ep when receiving a status back */ + usb_packet_copy(p, buf, p->iov.size); + usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet, +@@ -818,7 +818,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p, + usbredirparser_send_bulk_packet(dev->parser, p->id, + &bulk_packet, NULL, 0); + } else { +- uint8_t buf[size]; ++ g_autofree uint8_t *buf = g_malloc(size); + usb_packet_copy(p, buf, size); + usbredir_log_data(dev, "bulk data out:", buf, size); + usbredirparser_send_bulk_packet(dev->parser, p->id, +@@ -923,7 +923,7 @@ static void usbredir_handle_interrupt_out_data(USBRedirDevice *dev, + USBPacket *p, uint8_t ep) + { + struct usb_redir_interrupt_packet_header interrupt_packet; +- uint8_t 
buf[p->iov.size]; ++ g_autofree uint8_t *buf = g_malloc(p->iov.size); + + DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep, + p->iov.size, p->id); +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527_2.patch new file mode 100644 index 0000000000..d9ced3a8c7 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527_2.patch 
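Review bot: The two backported commits carry Message-Ids …2335822-3 and …2335822-6, so the upstream series has members that are not picked here; that series appears to have removed the same kind of guest-sized VLA in other USB device models (usb/hid and usb/mtp), and the recipe should record whether those are deliberately skipped on hardknott or also needed. It is also worth a line in the patch header that `g_autofree uint8_t *buf = g_malloc(p->iov.size);` only removes the stack overflow: g_malloc aborts the process on allocation failure, so a guest-controlled size remains bounded only by what the USB packet layer imposes plus the 1 MiB cap that the second patch adds for combined bulk packets, which is why the two patches must land together. The enclosing usbredir_handle_iso_data, usbredir_handle_bulk_data and usbredir_handle_interrupt_out_data all start and end outside the hunk.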
@@ -0,0 +1,40 @@ +From 05a40b172e4d691371534828078be47e7fff524c Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Mon, 3 May 2021 15:29:15 +0200 +Subject: [PATCH] usb: limit combined packets to 1 MiB (CVE-2021-3527) + +usb-host and usb-redirect try to batch bulk transfers by combining many +small usb packets into a single, large transfer request, to reduce the +overhead and improve performance. + +This patch adds a size limit of 1 MiB for those combined packets to +restrict the host resources the guest can bind that way. + +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Message-Id: <20210503132915.2335822-6-kraxel@redhat.com> + +CVE: CVE-2021-3527 +Upstream-Status: Backport [05a40b172e4d691371534828078be47e7fff524c] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/usb/combined-packet.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c +index 5d57e883dc..e56802f89a 100644 +--- a/hw/usb/combined-packet.c ++++ b/hw/usb/combined-packet.c +@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep) + if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok || + next == NULL || + /* Work around for Linux usbfs bulk splitting + migration */ +- (totalsize == (16 * KiB - 36) && p->int_req)) { ++ (totalsize == (16 * KiB - 36) && p->int_req) || ++ /* Next package may grow combined package over 1MiB */ ++ totalsize > 1 * MiB - ep->max_packet_size) { + usb_device_handle_data(ep->dev, first); + assert(first->status == USB_RET_ASYNC); + if (first->combined) { +-- +2.25.1 + -- 2.32.0 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* [hardknott][PATCH 2/5] qemu: fix CVE-2021-3544, CVE-2021-3545, CVE-2021-3546 2021-08-11 3:08 [hardknott][PATCH 1/5] qemu: fix CVE-2021-3527 Sakib Sajal @ 2021-08-11 3:08 ` Sakib Sajal 2021-08-15 15:56 ` [OE-core] " Anuj Mittal 2021-08-11 3:08 ` [hardknott][PATCH 3/5] qemu: fix CVE-2021-3582 Sakib Sajal ` (2 subsequent siblings) 3 siblings, 1 reply; 6+ messages in thread From: Sakib Sajal @ 2021-08-11 3:08 UTC (permalink / raw) To: openembedded-core Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> --- meta/recipes-devtools/qemu/qemu.inc | 7 +++ .../qemu/qemu/CVE-2021-3544_1.patch | 43 ++++++++++++++ .../qemu/qemu/CVE-2021-3544_2.patch | 41 +++++++++++++ .../qemu/qemu/CVE-2021-3544_3.patch | 48 +++++++++++++++ .../qemu/qemu/CVE-2021-3544_4.patch | 50 ++++++++++++++++ .../qemu/qemu/CVE-2021-3544_5.patch | 58 +++++++++++++++++++ .../qemu/qemu/CVE-2021-3544_6.patch | 49 ++++++++++++++++ .../qemu/qemu/CVE-2021-3544_7.patch | 49 ++++++++++++++++ 8 files changed, 345 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3544_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3544_6.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3544_7.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 8b77da7ebf..0a0893d6ae 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc 
@@ -59,6 +59,13 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3392.patch \ file://CVE-2021-3527_1.patch \ file://CVE-2021-3527_2.patch \ + file://CVE-2021-3544_1.patch \ + file://CVE-2021-3544_2.patch \ + file://CVE-2021-3544_3.patch \ + file://CVE-2021-3544_4.patch \ + file://CVE-2021-3544_5.patch \ + file://CVE-2021-3544_6.patch \ + file://CVE-2021-3544_7.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_1.patch new file mode 100644 index 0000000000..e0702a4aa9 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_1.patch 
@@ -0,0 +1,43 @@ +From 121841b25d72d13f8cad554363138c360f1250ea Mon Sep 17 00:00:00 2001 +From: Li Qiang <liq3ea@163.com> +Date: Sat, 15 May 2021 20:03:56 -0700 +Subject: [PATCH 1/7] vhost-user-gpu: fix memory disclosure in + virgl_cmd_get_capset_info (CVE-2021-3545) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Otherwise some of the 'resp' will be leaked to guest. + +Fixes: CVE-2021-3545 +Reported-by: Li Qiang <liq3ea@163.com> +virtio-gpu fix: 42a8dadc74 ("virtio-gpu: fix information leak +in getting capset info dispatch") + +Signed-off-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20210516030403.107723-2-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +CVE: CVE-2021-3545 +Upstream-Status: Backport [121841b25d72d13f8cad554363138c360f1250ea] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + contrib/vhost-user-gpu/virgl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c +index 9e6660c7ab..6a332d601f 100644 +--- a/contrib/vhost-user-gpu/virgl.c ++++ b/contrib/vhost-user-gpu/virgl.c +@@ -128,6 +128,7 @@ virgl_cmd_get_capset_info(VuGpu *g, + + VUGPU_FILL_CMD(info); + ++ memset(&resp, 0, sizeof(resp)); + if (info.capset_index == 0) { + resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL; + virgl_renderer_get_cap_set(resp.capset_id, +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch new file mode 100644 index 0000000000..a4894441e1 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch 
@@ -0,0 +1,41 @@ +From 86dd8fac2acc366930a5dc08d3fb1b1e816f4e1e Mon Sep 17 00:00:00 2001 +From: Li Qiang <liq3ea@163.com> +Date: Sat, 15 May 2021 20:03:57 -0700 +Subject: [PATCH 2/7] vhost-user-gpu: fix resource leak in + 'vg_resource_create_2d' (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Call 'vugbm_buffer_destroy' in error path to avoid resource leak. + +Fixes: CVE-2021-3544 +Reported-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20210516030403.107723-3-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +CVE: CVE-2021-3544 +Upstream-Status: Backport [86dd8fac2acc366930a5dc08d3fb1b1e816f4e1e] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + contrib/vhost-user-gpu/vhost-user-gpu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c +index f73f292c9f..b5e153d0d6 100644 +--- a/contrib/vhost-user-gpu/vhost-user-gpu.c ++++ b/contrib/vhost-user-gpu/vhost-user-gpu.c +@@ -349,6 +349,7 @@ vg_resource_create_2d(VuGpu *g, + g_critical("%s: resource creation failed %d %d %d", + __func__, c2d.resource_id, c2d.width, c2d.height); + g_free(res); ++ vugbm_buffer_destroy(&res->buffer); + cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY; + return; + } +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch new file mode 100644 index 0000000000..6300a90e5d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch 
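Review bot: The added `vugbm_buffer_destroy(&res->buffer);` runs after the `g_free(res);` on the line above it, so it forms a pointer from, and reads through, an already-freed `res` — a use-after-free on the very error path this patch is meant to clean up. The destroy has to precede the free: `vugbm_buffer_destroy(&res->buffer);` then `g_free(res);`. If upstream has since reordered these two calls, carry that follow-up in the backport as well. The enclosing vg_resource_create_2d starts and ends outside the hunk.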
@@ -0,0 +1,48 @@ +From b9f79858a614d95f5de875d0ca31096eaab72c3b Mon Sep 17 00:00:00 2001 +From: Li Qiang <liq3ea@163.com> +Date: Sat, 15 May 2021 20:03:58 -0700 +Subject: [PATCH 3/7] vhost-user-gpu: fix memory leak in + vg_resource_attach_backing (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Check whether the 'res' has already been attach_backing to avoid +memory leak. + +Fixes: CVE-2021-3544 +Reported-by: Li Qiang <liq3ea@163.com> +virtio-gpu fix: 204f01b309 ("virtio-gpu: fix memory leak +in resource attach backing") + +Signed-off-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20210516030403.107723-4-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +CVE: CVE-2021-3544 +Upstream-Status: Backport [b9f79858a614d95f5de875d0ca31096eaab72c3b] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + contrib/vhost-user-gpu/vhost-user-gpu.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c +index b5e153d0d6..0437e52b64 100644 +--- a/contrib/vhost-user-gpu/vhost-user-gpu.c ++++ b/contrib/vhost-user-gpu/vhost-user-gpu.c +@@ -489,6 +489,11 @@ vg_resource_attach_backing(VuGpu *g, + return; + } + ++ if (res->iov) { ++ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; ++ return; ++ } ++ + ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov); + if (ret != 0) { + cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch new file mode 100644 index 0000000000..bbc56d73e8 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch 
@@ -0,0 +1,50 @@ +From b7afebcf9e6ecf3cf9b5a9b9b731ed04bca6aa3e Mon Sep 17 00:00:00 2001 +From: Li Qiang <liq3ea@163.com> +Date: Sat, 15 May 2021 20:03:59 -0700 +Subject: [PATCH 4/7] vhost-user-gpu: fix memory leak while calling + 'vg_resource_unref' (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If the guest trigger following sequences, the attach_backing will be leaked: + + vg_resource_create_2d + vg_resource_attach_backing + vg_resource_unref + +This patch fix this by freeing 'res->iov' in vg_resource_destroy. + +Fixes: CVE-2021-3544 +Reported-by: Li Qiang <liq3ea@163.com> +virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak +in virgl_cmd_resource_unref") + +Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20210516030403.107723-5-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +CVE: CVE-2021-3544 +Upstream-Status: Backport [b7afebcf9e6ecf3cf9b5a9b9b731ed04bca6aa3e] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + contrib/vhost-user-gpu/vhost-user-gpu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c +index 0437e52b64..770dfad529 100644 +--- a/contrib/vhost-user-gpu/vhost-user-gpu.c ++++ b/contrib/vhost-user-gpu/vhost-user-gpu.c +@@ -400,6 +400,7 @@ vg_resource_destroy(VuGpu *g, + } + + vugbm_buffer_destroy(&res->buffer); ++ g_free(res->iov); + pixman_image_unref(res->image); + QTAILQ_REMOVE(&g->reslist, res, next); + g_free(res); +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch new file mode 100644 index 0000000000..3adacc7a3d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch 
@@ -0,0 +1,58 @@ +From f6091d86ba9ea05f4e111b9b42ee0005c37a6779 Mon Sep 17 00:00:00 2001 +From: Li Qiang <liq3ea@163.com> +Date: Sat, 15 May 2021 20:04:00 -0700 +Subject: [PATCH 5/7] vhost-user-gpu: fix memory leak in + 'virgl_cmd_resource_unref' (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The 'res->iov' will be leaked if the guest trigger following sequences: + + virgl_cmd_create_resource_2d + virgl_resource_attach_backing + virgl_cmd_resource_unref + +This patch fixes this. + +Fixes: CVE-2021-3544 +Reported-by: Li Qiang <liq3ea@163.com> +virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak +in virgl_cmd_resource_unref" + +Signed-off-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20210516030403.107723-6-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +CVE: CVE-2021-3544 +Upstream-Status: Backport [f6091d86ba9ea05f4e111b9b42ee0005c37a6779] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + contrib/vhost-user-gpu/virgl.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c +index 6a332d601f..c669d73a1d 100644 +--- a/contrib/vhost-user-gpu/virgl.c ++++ b/contrib/vhost-user-gpu/virgl.c +@@ -108,9 +108,16 @@ virgl_cmd_resource_unref(VuGpu *g, + struct virtio_gpu_ctrl_command *cmd) + { + struct virtio_gpu_resource_unref unref; ++ struct iovec *res_iovs = NULL; ++ int num_iovs = 0; + + VUGPU_FILL_CMD(unref); + ++ virgl_renderer_resource_detach_iov(unref.resource_id, ++ &res_iovs, ++ &num_iovs); ++ g_free(res_iovs); ++ + virgl_renderer_resource_unref(unref.resource_id); + } + +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_6.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_6.patch new file mode 100644 index 0000000000..3410d15fb0 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_6.patch 
@@ -0,0 +1,49 @@ +From 63736af5a6571d9def93769431e0d7e38c6677bf Mon Sep 17 00:00:00 2001 +From: Li Qiang <liq3ea@163.com> +Date: Sat, 15 May 2021 20:04:01 -0700 +Subject: [PATCH 6/7] vhost-user-gpu: fix memory leak in + 'virgl_resource_attach_backing' (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will +be leaked. + +Fixes: CVE-2021-3544 +Reported-by: Li Qiang <liq3ea@163.com> +virtio-gpu fix: 33243031da ("virtio-gpu-3d: fix memory leak +in resource attach backing") + +Signed-off-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20210516030403.107723-7-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +CVE: CVE-2021-3544 +Upstream-Status: Backport [63736af5a6571d9def93769431e0d7e38c6677bf] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + contrib/vhost-user-gpu/virgl.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c +index c669d73a1d..a16a311d80 100644 +--- a/contrib/vhost-user-gpu/virgl.c ++++ b/contrib/vhost-user-gpu/virgl.c +@@ -287,8 +287,11 @@ virgl_resource_attach_backing(VuGpu *g, + return; + } + +- virgl_renderer_resource_attach_iov(att_rb.resource_id, ++ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id, + res_iovs, att_rb.nr_entries); ++ if (ret != 0) { ++ g_free(res_iovs); ++ } + } + + static void +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_7.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_7.patch new file mode 100644 index 0000000000..fea0562f7b --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_7.patch 
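Review bot: When `virgl_renderer_resource_attach_iov` fails, the new `if (ret != 0)` branch frees `res_iovs` but leaves `cmd->error` unset, so the guest is told the attach succeeded while nothing is attached. Set the error next to the free, `cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;`, as the non-virgl attach path in CVE-2021-3544_3.patch already does on its failure path. This also assumes `ret` is already declared earlier in virgl_resource_attach_backing, whose body starts outside the hunk; if it is not, the backport will not compile.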
@@ -0,0 +1,49 @@ +From 9f22893adcb02580aee5968f32baa2cd109b3ec2 Mon Sep 17 00:00:00 2001 +From: Li Qiang <liq3ea@163.com> +Date: Sat, 15 May 2021 20:04:02 -0700 +Subject: [PATCH 7/7] vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset' + (CVE-2021-3546) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If 'virgl_cmd_get_capset' set 'max_size' to 0, +the 'virgl_renderer_fill_caps' will write the data after the 'resp'. +This patch avoid this by checking the returned 'max_size'. + +virtio-gpu fix: abd7f08b23 ("display: virtio-gpu-3d: check +virgl capabilities max_size") + +Fixes: CVE-2021-3546 +Reported-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20210516030403.107723-8-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +CVE: CVE-2021-3546 +Upstream-Status: Backport [9f22893adcb02580aee5968f32baa2cd109b3ec2] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + contrib/vhost-user-gpu/virgl.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c +index a16a311d80..7172104b19 100644 +--- a/contrib/vhost-user-gpu/virgl.c ++++ b/contrib/vhost-user-gpu/virgl.c +@@ -177,6 +177,10 @@ virgl_cmd_get_capset(VuGpu *g, + + virgl_renderer_get_cap_set(gc.capset_id, &max_ver, + &max_size); ++ if (!max_size) { ++ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; ++ return; ++ } + resp = g_malloc0(sizeof(*resp) + max_size); + + resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET; +-- +2.25.1 + -- 2.32.0 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [OE-core] [hardknott][PATCH 2/5] qemu: fix CVE-2021-3544, CVE-2021-3545, CVE-2021-3546 2021-08-11 3:08 ` [hardknott][PATCH 2/5] qemu: fix CVE-2021-3544, CVE-2021-3545, CVE-2021-3546 Sakib Sajal @ 2021-08-15 15:56 ` Anuj Mittal 0 siblings, 0 replies; 6+ messages in thread From: Anuj Mittal @ 2021-08-15 15:56 UTC (permalink / raw) To: openembedded-core, sakib.sajal Hello, On Tue, 2021-08-10 at 23:08 -0400, Sakib Sajal wrote: > Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> > --- > meta/recipes-devtools/qemu/qemu.inc | 7 +++ > .../qemu/qemu/CVE-2021-3544_1.patch | 43 ++++++++++++++ > .../qemu/qemu/CVE-2021-3544_2.patch | 41 +++++++++++++ > .../qemu/qemu/CVE-2021-3544_3.patch | 48 +++++++++++++++ > .../qemu/qemu/CVE-2021-3544_4.patch | 50 ++++++++++++++++ > .../qemu/qemu/CVE-2021-3544_5.patch | 58 +++++++++++++++++++ > .../qemu/qemu/CVE-2021-3544_6.patch | 49 ++++++++++++++++ > .../qemu/qemu/CVE-2021-3544_7.patch | 49 ++++++++++++++++ These are already in hardknott and so is the fix for CVE-2021-3527. So, I have just taken the rest three from this series. Thanks, Anuj > 8 files changed, 345 insertions(+) > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021- > 3544_1.patch > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021- > 3544_2.patch > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021- > 3544_3.patch > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021- > 3544_4.patch > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021- > 3544_5.patch > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021- > 3544_6.patch > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021- > 3544_7.patch > > diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes- > devtools/qemu/qemu.inc > index 8b77da7ebf..0a0893d6ae 100644 > --- a/meta/recipes-devtools/qemu/qemu.inc > +++ b/meta/recipes-devtools/qemu/qemu.inc 
> @@ -59,6 +59,13 @@ SRC_URI = > "https://download.qemu.org/${BPN}-${PV}.tar.xz \ > file://CVE-2021-3392.patch \ > file://CVE-2021-3527_1.patch \ > file://CVE-2021-3527_2.patch \ > + file://CVE-2021-3544_1.patch \ > + file://CVE-2021-3544_2.patch \ > + file://CVE-2021-3544_3.patch \ > + file://CVE-2021-3544_4.patch \ > + file://CVE-2021-3544_5.patch \ > + file://CVE-2021-3544_6.patch \ > + file://CVE-2021-3544_7.patch \ > " > UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_1.patch > b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_1.patch > new file mode 100644 > index 0000000000..e0702a4aa9 > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_1.patch 
> @@ -0,0 +1,43 @@ > +From 121841b25d72d13f8cad554363138c360f1250ea Mon Sep 17 00:00:00 2001 > +From: Li Qiang <liq3ea@163.com> > +Date: Sat, 15 May 2021 20:03:56 -0700 > +Subject: [PATCH 1/7] vhost-user-gpu: fix memory disclosure in > + virgl_cmd_get_capset_info (CVE-2021-3545) > +MIME-Version: 1.0 > +Content-Type: text/plain; charset=UTF-8 > +Content-Transfer-Encoding: 8bit > + > +Otherwise some of the 'resp' will be leaked to guest. > + > +Fixes: CVE-2021-3545 > +Reported-by: Li Qiang <liq3ea@163.com> > +virtio-gpu fix: 42a8dadc74 ("virtio-gpu: fix information leak > +in getting capset info dispatch") > + > +Signed-off-by: Li Qiang <liq3ea@163.com> > +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> > +Message-Id: <20210516030403.107723-2-liq3ea@163.com> > +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > + > +CVE: CVE-2021-3545 > +Upstream-Status: Backport [121841b25d72d13f8cad554363138c360f1250ea] > +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> > +--- > + contrib/vhost-user-gpu/virgl.c | 1 + > + 1 file changed, 1 insertion(+) > + > +diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user- > gpu/virgl.c > +index 9e6660c7ab..6a332d601f 100644 > +--- a/contrib/vhost-user-gpu/virgl.c > ++++ b/contrib/vhost-user-gpu/virgl.c > +@@ -128,6 +128,7 @@ virgl_cmd_get_capset_info(VuGpu *g, > + > + VUGPU_FILL_CMD(info); > + > ++ memset(&resp, 0, sizeof(resp)); > + if (info.capset_index == 0) { > + resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL; > + virgl_renderer_get_cap_set(resp.capset_id, > +-- > +2.25.1 > + > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch > b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch > new file mode 100644 > index 0000000000..a4894441e1 > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch 
> @@ -0,0 +1,41 @@ > +From 86dd8fac2acc366930a5dc08d3fb1b1e816f4e1e Mon Sep 17 00:00:00 2001 > +From: Li Qiang <liq3ea@163.com> > +Date: Sat, 15 May 2021 20:03:57 -0700 > +Subject: [PATCH 2/7] vhost-user-gpu: fix resource leak in > + 'vg_resource_create_2d' (CVE-2021-3544) > +MIME-Version: 1.0 > +Content-Type: text/plain; charset=UTF-8 > +Content-Transfer-Encoding: 8bit > + > +Call 'vugbm_buffer_destroy' in error path to avoid resource leak. > + > +Fixes: CVE-2021-3544 > +Reported-by: Li Qiang <liq3ea@163.com> > +Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> > +Signed-off-by: Li Qiang <liq3ea@163.com> > +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> > +Message-Id: <20210516030403.107723-3-liq3ea@163.com> > +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > + > +CVE: CVE-2021-3544 > +Upstream-Status: Backport [86dd8fac2acc366930a5dc08d3fb1b1e816f4e1e] > +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> > +--- > + contrib/vhost-user-gpu/vhost-user-gpu.c | 1 + > + 1 file changed, 1 insertion(+) > + > +diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost- > user-gpu/vhost-user-gpu.c > +index f73f292c9f..b5e153d0d6 100644 > +--- a/contrib/vhost-user-gpu/vhost-user-gpu.c > ++++ b/contrib/vhost-user-gpu/vhost-user-gpu.c > +@@ -349,6 +349,7 @@ vg_resource_create_2d(VuGpu *g, > + g_critical("%s: resource creation failed %d %d %d", > + __func__, c2d.resource_id, c2d.width, c2d.height); > + g_free(res); > ++ vugbm_buffer_destroy(&res->buffer); > + cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY; > + return; > + } > +-- > +2.25.1 > + > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch > b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch > new file mode 100644 > index 0000000000..6300a90e5d > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch 
> @@ -0,0 +1,48 @@ > +From b9f79858a614d95f5de875d0ca31096eaab72c3b Mon Sep 17 00:00:00 2001 > +From: Li Qiang <liq3ea@163.com> > +Date: Sat, 15 May 2021 20:03:58 -0700 > +Subject: [PATCH 3/7] vhost-user-gpu: fix memory leak in > + vg_resource_attach_backing (CVE-2021-3544) > +MIME-Version: 1.0 > +Content-Type: text/plain; charset=UTF-8 > +Content-Transfer-Encoding: 8bit > + > +Check whether the 'res' has already been attach_backing to avoid > +memory leak. > + > +Fixes: CVE-2021-3544 > +Reported-by: Li Qiang <liq3ea@163.com> > +virtio-gpu fix: 204f01b309 ("virtio-gpu: fix memory leak > +in resource attach backing") > + > +Signed-off-by: Li Qiang <liq3ea@163.com> > +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> > +Message-Id: <20210516030403.107723-4-liq3ea@163.com> > +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > + > +CVE: CVE-2021-3544 > +Upstream-Status: Backport [b9f79858a614d95f5de875d0ca31096eaab72c3b] > +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> > +--- > + contrib/vhost-user-gpu/vhost-user-gpu.c | 5 +++++ > + 1 file changed, 5 insertions(+) > + > +diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost- > user-gpu/vhost-user-gpu.c > +index b5e153d0d6..0437e52b64 100644 > +--- a/contrib/vhost-user-gpu/vhost-user-gpu.c > ++++ b/contrib/vhost-user-gpu/vhost-user-gpu.c > +@@ -489,6 +489,11 @@ vg_resource_attach_backing(VuGpu *g, > + return; > + } > + > ++ if (res->iov) { > ++ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; > ++ return; > ++ } > ++ > + ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov); > + if (ret != 0) { > + cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; > +-- > +2.25.1 > + > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch > b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch > new file mode 100644 > index 0000000000..bbc56d73e8 > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch 
> @@ -0,0 +1,50 @@ > +From b7afebcf9e6ecf3cf9b5a9b9b731ed04bca6aa3e Mon Sep 17 00:00:00 2001 > +From: Li Qiang <liq3ea@163.com> > +Date: Sat, 15 May 2021 20:03:59 -0700 > +Subject: [PATCH 4/7] vhost-user-gpu: fix memory leak while calling > + 'vg_resource_unref' (CVE-2021-3544) > +MIME-Version: 1.0 > +Content-Type: text/plain; charset=UTF-8 > +Content-Transfer-Encoding: 8bit > + > +If the guest trigger following sequences, the attach_backing will be > leaked: > + > + vg_resource_create_2d > + vg_resource_attach_backing > + vg_resource_unref > + > +This patch fix this by freeing 'res->iov' in vg_resource_destroy. > + > +Fixes: CVE-2021-3544 > +Reported-by: Li Qiang <liq3ea@163.com> > +virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak > +in virgl_cmd_resource_unref") > + > +Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> > +Signed-off-by: Li Qiang <liq3ea@163.com> > +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> > +Message-Id: <20210516030403.107723-5-liq3ea@163.com> > +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > + > +CVE: CVE-2021-3544 > +Upstream-Status: Backport [b7afebcf9e6ecf3cf9b5a9b9b731ed04bca6aa3e] > +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> > +--- > + contrib/vhost-user-gpu/vhost-user-gpu.c | 1 + > + 1 file changed, 1 insertion(+) > + > +diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost- > user-gpu/vhost-user-gpu.c > +index 0437e52b64..770dfad529 100644 > +--- a/contrib/vhost-user-gpu/vhost-user-gpu.c > ++++ b/contrib/vhost-user-gpu/vhost-user-gpu.c > +@@ -400,6 +400,7 @@ vg_resource_destroy(VuGpu *g, > + } > + > + vugbm_buffer_destroy(&res->buffer); > ++ g_free(res->iov); > + pixman_image_unref(res->image); > + QTAILQ_REMOVE(&g->reslist, res, next); > + g_free(res); > +-- > +2.25.1 > + > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch > b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch > new file mode 100644 > index 0000000000..3adacc7a3d > --- /dev/null 
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch > @@ -0,0 +1,58 @@ > +From f6091d86ba9ea05f4e111b9b42ee0005c37a6779 Mon Sep 17 00:00:00 2001 > +From: Li Qiang <liq3ea@163.com> > +Date: Sat, 15 May 2021 20:04:00 -0700 > +Subject: [PATCH 5/7] vhost-user-gpu: fix memory leak in > + 'virgl_cmd_resource_unref' (CVE-2021-3544) > +MIME-Version: 1.0 > +Content-Type: text/plain; charset=UTF-8 > +Content-Transfer-Encoding: 8bit > + > +The 'res->iov' will be leaked if the guest trigger following > sequences: > + > + virgl_cmd_create_resource_2d > + virgl_resource_attach_backing > + virgl_cmd_resource_unref > + > +This patch fixes this. > + > +Fixes: CVE-2021-3544 > +Reported-by: Li Qiang <liq3ea@163.com> > +virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak > +in virgl_cmd_resource_unref" > + > +Signed-off-by: Li Qiang <liq3ea@163.com> > +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> > +Message-Id: <20210516030403.107723-6-liq3ea@163.com> > +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > + > +CVE: CVE-2021-3544 > +Upstream-Status: Backport [f6091d86ba9ea05f4e111b9b42ee0005c37a6779] > +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> > +--- > + contrib/vhost-user-gpu/virgl.c | 7 +++++++ > + 1 file changed, 7 insertions(+) > + > +diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user- > gpu/virgl.c > +index 6a332d601f..c669d73a1d 100644 > +--- a/contrib/vhost-user-gpu/virgl.c > ++++ b/contrib/vhost-user-gpu/virgl.c > +@@ -108,9 +108,16 @@ virgl_cmd_resource_unref(VuGpu *g, > + struct virtio_gpu_ctrl_command *cmd) > + { > + struct virtio_gpu_resource_unref unref; > ++ struct iovec *res_iovs = NULL; > ++ int num_iovs = 0; > + > + VUGPU_FILL_CMD(unref); > + > ++ virgl_renderer_resource_detach_iov(unref.resource_id, > ++ &res_iovs, > ++ &num_iovs); > ++ g_free(res_iovs); > ++ > + virgl_renderer_resource_unref(unref.resource_id); > + } > + > +-- > +2.25.1 > + 
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_6.patch > b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_6.patch > new file mode 100644 > index 0000000000..3410d15fb0 > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_6.patch > @@ -0,0 +1,49 @@ > +From 63736af5a6571d9def93769431e0d7e38c6677bf Mon Sep 17 00:00:00 2001 > +From: Li Qiang <liq3ea@163.com> > +Date: Sat, 15 May 2021 20:04:01 -0700 > +Subject: [PATCH 6/7] vhost-user-gpu: fix memory leak in > + 'virgl_resource_attach_backing' (CVE-2021-3544) > +MIME-Version: 1.0 > +Content-Type: text/plain; charset=UTF-8 > +Content-Transfer-Encoding: 8bit > + > +If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will > +be leaked. > + > +Fixes: CVE-2021-3544 > +Reported-by: Li Qiang <liq3ea@163.com> > +virtio-gpu fix: 33243031da ("virtio-gpu-3d: fix memory leak > +in resource attach backing") > + > +Signed-off-by: Li Qiang <liq3ea@163.com> > +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> > +Message-Id: <20210516030403.107723-7-liq3ea@163.com> > +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > + > +CVE: CVE-2021-3544 > +Upstream-Status: Backport [63736af5a6571d9def93769431e0d7e38c6677bf] > +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> > +--- > + contrib/vhost-user-gpu/virgl.c | 5 ++++- > + 1 file changed, 4 insertions(+), 1 deletion(-) > + > +diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user- > gpu/virgl.c > +index c669d73a1d..a16a311d80 100644 > +--- a/contrib/vhost-user-gpu/virgl.c > ++++ b/contrib/vhost-user-gpu/virgl.c > +@@ -287,8 +287,11 @@ virgl_resource_attach_backing(VuGpu *g, > + return; > + } > + > +- virgl_renderer_resource_attach_iov(att_rb.resource_id, > ++ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id, > + res_iovs, att_rb.nr_entries); > ++ if (ret != 0) { > ++ g_free(res_iovs); > ++ } > + } > + > + static void > +-- > +2.25.1 > + 
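Review bot: When `virgl_renderer_resource_attach_iov` fails, the new code frees `res_iovs` but then falls off the end of the function without reporting the failure, so the guest sees the attach as successful. The capset hunk later in this same file reports failures through `cmd->error`; if this function has the same `cmd` parameter (its signature is outside the hunk), adding `cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;` inside the `if (ret != 0)` block would keep the two error paths consistent. `ret` is assigned here but presumably declared earlier in the function, which begins outside the hunk.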
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_7.patch > b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_7.patch > new file mode 100644 > index 0000000000..fea0562f7b > --- /dev/null > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_7.patch 
> @@ -0,0 +1,49 @@ > +From 9f22893adcb02580aee5968f32baa2cd109b3ec2 Mon Sep 17 00:00:00 2001 > +From: Li Qiang <liq3ea@163.com> > +Date: Sat, 15 May 2021 20:04:02 -0700 > +Subject: [PATCH 7/7] vhost-user-gpu: fix OOB write in > 'virgl_cmd_get_capset' > + (CVE-2021-3546) > +MIME-Version: 1.0 > +Content-Type: text/plain; charset=UTF-8 > +Content-Transfer-Encoding: 8bit > + > +If 'virgl_cmd_get_capset' set 'max_size' to 0, > +the 'virgl_renderer_fill_caps' will write the data after the 'resp'. > +This patch avoid this by checking the returned 'max_size'. > + > +virtio-gpu fix: abd7f08b23 ("display: virtio-gpu-3d: check > +virgl capabilities max_size") > + > +Fixes: CVE-2021-3546 > +Reported-by: Li Qiang <liq3ea@163.com> > +Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> > +Signed-off-by: Li Qiang <liq3ea@163.com> > +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> > +Message-Id: <20210516030403.107723-8-liq3ea@163.com> > +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > + > +CVE: CVE-2021-3546 > +Upstream-Status: Backport [9f22893adcb02580aee5968f32baa2cd109b3ec2] > +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> > +--- > + contrib/vhost-user-gpu/virgl.c | 4 ++++ > + 1 file changed, 4 insertions(+) > + > +diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user- > gpu/virgl.c > +index a16a311d80..7172104b19 100644 > +--- a/contrib/vhost-user-gpu/virgl.c > ++++ b/contrib/vhost-user-gpu/virgl.c > +@@ -177,6 +177,10 @@ virgl_cmd_get_capset(VuGpu *g, > + > + virgl_renderer_get_cap_set(gc.capset_id, &max_ver, > + &max_size); > ++ if (!max_size) { > ++ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; > ++ return; > ++ } > + resp = g_malloc0(sizeof(*resp) + max_size); > + > + resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET; > +-- > +2.25.1 > + > > > ^ permalink raw reply [flat|nested] 6+ messages in thread
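Review bot: The new guard rejects `max_size == 0` but depends on `max_size` having actually been written by `virgl_renderer_get_cap_set`; if `max_ver` and `max_size` are declared without initialisers (their declarations are outside the hunk), a renderer path that leaves them untouched would pass the check with an indeterminate size, so giving both `= 0` initialisers makes the guard robust at no cost. A comment on the check such as `/* an unknown capset_id leaves max_size at 0; the allocation below is sized from it */` would tie the check to the `g_malloc0(sizeof(*resp) + max_size)` that follows. virgl_cmd_get_capset begins and ends outside the hunk.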
* [hardknott][PATCH 3/5] qemu: fix CVE-2021-3582 2021-08-11 3:08 [hardknott][PATCH 1/5] qemu: fix CVE-2021-3527 Sakib Sajal 2021-08-11 3:08 ` [hardknott][PATCH 2/5] qemu: fix CVE-2021-3544, CVE-2021-3545, CVE-2021-3546 Sakib Sajal @ 2021-08-11 3:08 ` Sakib Sajal 2021-08-11 3:08 ` [hardknott][PATCH 4/5] qemu: fix CVE-2021-3607 Sakib Sajal 2021-08-11 3:08 ` [hardknott][PATCH 5/5] qemu: fix CVE-2021-3608 Sakib Sajal 3 siblings, 0 replies; 6+ messages in thread From: Sakib Sajal @ 2021-08-11 3:08 UTC (permalink / raw) To: openembedded-core Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-3582.patch | 47 +++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3582.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 0a0893d6ae..c64bbe66f2 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -66,6 +66,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3544_5.patch \ file://CVE-2021-3544_6.patch \ file://CVE-2021-3544_7.patch \ + file://CVE-2021-3582.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3582.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3582.patch new file mode 100644 index 0000000000..7a88e29384 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3582.patch 
@@ -0,0 +1,47 @@
+From 284f191b4abad213aed04cb0458e1600fd18d7c4 Mon Sep 17 00:00:00 2001
+From: Marcel Apfelbaum <marcel@redhat.com>
+Date: Wed, 16 Jun 2021 14:06:00 +0300
+Subject: [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device
+ (CVE-2021-3582)
+
+Ensure mremap boundaries not trusting the guest kernel to
+pass the correct buffer length.
+
+Fixes: CVE-2021-3582
+Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
+Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com>
+Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+
+CVE: CVE-2021-3582
+Upstream-Status: Backport [284f191b4abad213aed04cb0458e1600fd18d7c4]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/rdma/vmw/pvrdma_cmd.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
+index f59879e257..da7ddfa548 100644
+--- a/hw/rdma/vmw/pvrdma_cmd.c
++++ b/hw/rdma/vmw/pvrdma_cmd.c
+@@ -38,6 +38,13 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma,
+ return NULL;
+ }
+
++ length = ROUND_UP(length, TARGET_PAGE_SIZE);
++ if (nchunks * TARGET_PAGE_SIZE != length) {
++ rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks,
++ (unsigned long)length);
++ return NULL;
++ }
++
+ dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
+ if (!dir) {
+ rdma_error_report("Failed to map to page directory");
+--
+2.25.1
+
-- 2.32.0 ^ permalink raw reply related [flat|nested] 6+ messages in thread
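Review bot: The comparison `nchunks * TARGET_PAGE_SIZE != length` is evaluated in the type of `nchunks`, which the `%u` format suggests is a 32-bit unsigned, so unless TARGET_PAGE_SIZE is a 64-bit-typed constant the product can wrap and a large guest-supplied `nchunks` could still match a small `length` (both declarations are outside the hunk). Widening before multiplying closes that gap: `if ((uint64_t)nchunks * TARGET_PAGE_SIZE != length) {`. ROUND_UP can likewise wrap for a `length` within TARGET_PAGE_SIZE of its type's maximum, which an explicit upper bound on `length` before the rounding would rule out. pvrdma_map_to_pdir begins and ends outside the hunk.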
* [hardknott][PATCH 4/5] qemu: fix CVE-2021-3607 2021-08-11 3:08 [hardknott][PATCH 1/5] qemu: fix CVE-2021-3527 Sakib Sajal 2021-08-11 3:08 ` [hardknott][PATCH 2/5] qemu: fix CVE-2021-3544, CVE-2021-3545, CVE-2021-3546 Sakib Sajal 2021-08-11 3:08 ` [hardknott][PATCH 3/5] qemu: fix CVE-2021-3582 Sakib Sajal @ 2021-08-11 3:08 ` Sakib Sajal 2021-08-11 3:08 ` [hardknott][PATCH 5/5] qemu: fix CVE-2021-3608 Sakib Sajal 3 siblings, 0 replies; 6+ messages in thread From: Sakib Sajal @ 2021-08-11 3:08 UTC (permalink / raw) To: openembedded-core Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-3607.patch | 43 +++++++++++++++++++ 2 files changed, 44 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index c64bbe66f2..69fba5dd79 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -67,6 +67,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3544_6.patch \ file://CVE-2021-3544_7.patch \ file://CVE-2021-3582.patch \ + file://CVE-2021-3607.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch new file mode 100644 index 0000000000..0547c74484 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch 
@@ -0,0 +1,43 @@
+From 32e5703cfea07c91e6e84bcb0313f633bb146534 Mon Sep 17 00:00:00 2001
+From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+Date: Wed, 30 Jun 2021 14:46:34 +0300
+Subject: [PATCH] pvrdma: Ensure correct input on ring init (CVE-2021-3607)
+
+Check the guest passed a non zero page count
+for pvrdma device ring buffers.
+
+Fixes: CVE-2021-3607
+Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
+Message-Id: <20210630114634.2168872-1-marcel@redhat.com>
+Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+
+CVE: CVE-2021-3607
+Upstream-Status: Backport [32e5703cfea07c91e6e84bcb0313f633bb146534]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/rdma/vmw/pvrdma_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
+index 84ae8024fc..7c0c3551a8 100644
+--- a/hw/rdma/vmw/pvrdma_main.c
++++ b/hw/rdma/vmw/pvrdma_main.c
+@@ -92,6 +92,11 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state,
+ uint64_t *dir, *tbl;
+ int rc = 0;
+
++ if (!num_pages) {
++ rdma_error_report("Ring pages count must be strictly positive");
++ return -EINVAL;
++ }
++
+ dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE);
+ if (!dir) {
+ rdma_error_report("Failed to map to page directory (ring %s)", name);
+--
+2.25.1
+
-- 2.32.0 ^ permalink raw reply related [flat|nested] 6+ messages in thread
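Review bot: Only `num_pages == 0` is rejected, and `num_pages` is guest-supplied; if the page table `tbl` is mapped the same way as the directory here (a single TARGET_PAGE_SIZE mapping, the mapping itself is outside the hunk) and later indexed up to `num_pages` entries, an upper bound of `TARGET_PAGE_SIZE / sizeof(*tbl)` belongs next to this check as well. The new message also omits the `(ring %s)` suffix that the neighbouring `rdma_error_report` call carries, so the log cannot say which ring was rejected: `rdma_error_report("Ring pages count must be strictly positive (ring %s)", name);`. init_dev_ring begins and ends outside the hunk.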
* [hardknott][PATCH 5/5] qemu: fix CVE-2021-3608 2021-08-11 3:08 [hardknott][PATCH 1/5] qemu: fix CVE-2021-3527 Sakib Sajal ` (2 preceding siblings ...) 2021-08-11 3:08 ` [hardknott][PATCH 4/5] qemu: fix CVE-2021-3607 Sakib Sajal @ 2021-08-11 3:08 ` Sakib Sajal 3 siblings, 0 replies; 6+ messages in thread From: Sakib Sajal @ 2021-08-11 3:08 UTC (permalink / raw) To: openembedded-core Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-3608.patch | 43 +++++++++++++++++++ 2 files changed, 44 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 69fba5dd79..b5f42ddfc3 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -68,6 +68,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3544_7.patch \ file://CVE-2021-3582.patch \ file://CVE-2021-3607.patch \ + file://CVE-2021-3608.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch new file mode 100644 index 0000000000..22d68b025d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch 
@@ -0,0 +1,43 @@
+From 66ae37d8cc313f89272e711174a846a229bcdbd3 Mon Sep 17 00:00:00 2001
+From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+Date: Wed, 30 Jun 2021 14:52:46 +0300
+Subject: [PATCH] pvrdma: Fix the ring init error flow (CVE-2021-3608)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Do not unmap uninitialized dma addresses.
+
+Fixes: CVE-2021-3608
+Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
+Message-Id: <20210630115246.2178219-1-marcel@redhat.com>
+Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+
+CVE: CVE-2021-3608
+Upstream-Status: Backport [66ae37d8cc313f89272e711174a846a229bcdbd3]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/rdma/vmw/pvrdma_dev_ring.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/rdma/vmw/pvrdma_dev_ring.c b/hw/rdma/vmw/pvrdma_dev_ring.c
+index 074ac59b84..42130667a7 100644
+--- a/hw/rdma/vmw/pvrdma_dev_ring.c
++++ b/hw/rdma/vmw/pvrdma_dev_ring.c
+@@ -41,7 +41,7 @@ int pvrdma_ring_init(PvrdmaRing *ring, const char *name, PCIDevice *dev,
+ qatomic_set(&ring->ring_state->cons_head, 0);
+ */
+ ring->npages = npages;
+- ring->pages = g_malloc(npages * sizeof(void *));
++ ring->pages = g_malloc0(npages * sizeof(void *));
+
+ for (i = 0; i < npages; i++) {
+ if (!tbl[i]) {
+--
+2.25.1
+
-- 2.32.0 ^ permalink raw reply related [flat|nested] 6+ messages in thread
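Review bot: `g_malloc0(npages * sizeof(void *))` zeroes the array so the error path can presumably tell mapped from never-mapped entries, but the size product is still computed by hand; GLib's `g_new0(void *, npages)` performs the same zeroed allocation with an overflow-checked multiplication and names the element type, so `ring->pages = g_new0(void *, npages);` is the idiomatic form. A comment above the loop such as `/* entries stay NULL until mapped so cleanup only unmaps what was mapped */` would record why the zeroing matters, which the commit message states but the code does not. pvrdma_ring_init begins and ends outside the hunk.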