* [hardknott][PATCH 1/5] qemu: fix CVE-2021-3527
@ 2021-08-11 3:08 Sakib Sajal
2021-08-11 3:08 ` [hardknott][PATCH 2/5] qemu: fix CVE-2021-3544, CVE-2021-3545, CVE-2021-3546 Sakib Sajal
` (3 more replies)
0 siblings, 4 replies; 6+ messages in thread
From: Sakib Sajal @ 2021-08-11 3:08 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
meta/recipes-devtools/qemu/qemu.inc | 2 +
.../qemu/qemu/CVE-2021-3527_1.patch | 57 +++++++++++++++++++
.../qemu/qemu/CVE-2021-3527_2.patch | 40 +++++++++++++
3 files changed, 99 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3527_1.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3527_2.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 3921546df7..8b77da7ebf 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -57,6 +57,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2020-27821.patch \
file://CVE-2021-20263.patch \
file://CVE-2021-3392.patch \
+ file://CVE-2021-3527_1.patch \
+ file://CVE-2021-3527_2.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527_1.patch
new file mode 100644
index 0000000000..0e116b5e70
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527_1.patch
@@ -0,0 +1,57 @@
+From 7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 3 May 2021 15:29:12 +0200
+Subject: [PATCH] usb/redir: avoid dynamic stack allocation (CVE-2021-3527)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Use autofree heap allocation instead.
+
+Fixes: 4f4321c11ff ("usb: use iovecs in USBPacket")
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210503132915.2335822-3-kraxel@redhat.com>
+
+CVE: CVE-2021-3527
+Upstream-Status: Backport [7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/usb/redirect.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
+index 17f06f3417..6a75b0dc4a 100644
+--- a/hw/usb/redirect.c
++++ b/hw/usb/redirect.c
+@@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p,
+ .endpoint = ep,
+ .length = p->iov.size
+ };
+- uint8_t buf[p->iov.size];
++ g_autofree uint8_t *buf = g_malloc(p->iov.size);
+ /* No id, we look at the ep when receiving a status back */
+ usb_packet_copy(p, buf, p->iov.size);
+ usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet,
+@@ -818,7 +818,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p,
+ usbredirparser_send_bulk_packet(dev->parser, p->id,
+ &bulk_packet, NULL, 0);
+ } else {
+- uint8_t buf[size];
++ g_autofree uint8_t *buf = g_malloc(size);
+ usb_packet_copy(p, buf, size);
+ usbredir_log_data(dev, "bulk data out:", buf, size);
+ usbredirparser_send_bulk_packet(dev->parser, p->id,
+@@ -923,7 +923,7 @@ static void usbredir_handle_interrupt_out_data(USBRedirDevice *dev,
+ USBPacket *p, uint8_t ep)
+ {
+ struct usb_redir_interrupt_packet_header interrupt_packet;
+- uint8_t buf[p->iov.size];
++ g_autofree uint8_t *buf = g_malloc(p->iov.size);
+
+ DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep,
+ p->iov.size, p->id);
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527_2.patch
new file mode 100644
index 0000000000..d9ced3a8c7
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527_2.patch
@@ -0,0 +1,40 @@
+From 05a40b172e4d691371534828078be47e7fff524c Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 3 May 2021 15:29:15 +0200
+Subject: [PATCH] usb: limit combined packets to 1 MiB (CVE-2021-3527)
+
+usb-host and usb-redirect try to batch bulk transfers by combining many
+small usb packets into a single, large transfer request, to reduce the
+overhead and improve performance.
+
+This patch adds a size limit of 1 MiB for those combined packets to
+restrict the host resources the guest can bind that way.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-Id: <20210503132915.2335822-6-kraxel@redhat.com>
+
+CVE: CVE-2021-3527
+Upstream-Status: Backport [05a40b172e4d691371534828078be47e7fff524c]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/usb/combined-packet.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c
+index 5d57e883dc..e56802f89a 100644
+--- a/hw/usb/combined-packet.c
++++ b/hw/usb/combined-packet.c
+@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep)
+ if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok ||
+ next == NULL ||
+ /* Work around for Linux usbfs bulk splitting + migration */
+- (totalsize == (16 * KiB - 36) && p->int_req)) {
++ (totalsize == (16 * KiB - 36) && p->int_req) ||
++ /* Next package may grow combined package over 1MiB */
++ totalsize > 1 * MiB - ep->max_packet_size) {
+ usb_device_handle_data(ep->dev, first);
+ assert(first->status == USB_RET_ASYNC);
+ if (first->combined) {
+--
+2.25.1
+
--
2.32.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [hardknott][PATCH 2/5] qemu: fix CVE-2021-3544, CVE-2021-3545, CVE-2021-3546
2021-08-11 3:08 [hardknott][PATCH 1/5] qemu: fix CVE-2021-3527 Sakib Sajal
@ 2021-08-11 3:08 ` Sakib Sajal
2021-08-15 15:56 ` [OE-core] " Anuj Mittal
2021-08-11 3:08 ` [hardknott][PATCH 3/5] qemu: fix CVE-2021-3582 Sakib Sajal
` (2 subsequent siblings)
3 siblings, 1 reply; 6+ messages in thread
From: Sakib Sajal @ 2021-08-11 3:08 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
meta/recipes-devtools/qemu/qemu.inc | 7 +++
.../qemu/qemu/CVE-2021-3544_1.patch | 43 ++++++++++++++
.../qemu/qemu/CVE-2021-3544_2.patch | 41 +++++++++++++
.../qemu/qemu/CVE-2021-3544_3.patch | 48 +++++++++++++++
.../qemu/qemu/CVE-2021-3544_4.patch | 50 ++++++++++++++++
.../qemu/qemu/CVE-2021-3544_5.patch | 58 +++++++++++++++++++
.../qemu/qemu/CVE-2021-3544_6.patch | 49 ++++++++++++++++
.../qemu/qemu/CVE-2021-3544_7.patch | 49 ++++++++++++++++
8 files changed, 345 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3544_1.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3544_6.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3544_7.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 8b77da7ebf..0a0893d6ae 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -59,6 +59,13 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3392.patch \
file://CVE-2021-3527_1.patch \
file://CVE-2021-3527_2.patch \
+ file://CVE-2021-3544_1.patch \
+ file://CVE-2021-3544_2.patch \
+ file://CVE-2021-3544_3.patch \
+ file://CVE-2021-3544_4.patch \
+ file://CVE-2021-3544_5.patch \
+ file://CVE-2021-3544_6.patch \
+ file://CVE-2021-3544_7.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_1.patch
new file mode 100644
index 0000000000..e0702a4aa9
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_1.patch
@@ -0,0 +1,43 @@
+From 121841b25d72d13f8cad554363138c360f1250ea Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:03:56 -0700
+Subject: [PATCH 1/7] vhost-user-gpu: fix memory disclosure in
+ virgl_cmd_get_capset_info (CVE-2021-3545)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Otherwise some of the 'resp' will be leaked to guest.
+
+Fixes: CVE-2021-3545
+Reported-by: Li Qiang <liq3ea@163.com>
+virtio-gpu fix: 42a8dadc74 ("virtio-gpu: fix information leak
+in getting capset info dispatch")
+
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-2-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+CVE: CVE-2021-3545
+Upstream-Status: Backport [121841b25d72d13f8cad554363138c360f1250ea]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ contrib/vhost-user-gpu/virgl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
+index 9e6660c7ab..6a332d601f 100644
+--- a/contrib/vhost-user-gpu/virgl.c
++++ b/contrib/vhost-user-gpu/virgl.c
+@@ -128,6 +128,7 @@ virgl_cmd_get_capset_info(VuGpu *g,
+
+ VUGPU_FILL_CMD(info);
+
++ memset(&resp, 0, sizeof(resp));
+ if (info.capset_index == 0) {
+ resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL;
+ virgl_renderer_get_cap_set(resp.capset_id,
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch
new file mode 100644
index 0000000000..a4894441e1
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch
@@ -0,0 +1,41 @@
+From 86dd8fac2acc366930a5dc08d3fb1b1e816f4e1e Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:03:57 -0700
+Subject: [PATCH 2/7] vhost-user-gpu: fix resource leak in
+ 'vg_resource_create_2d' (CVE-2021-3544)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Call 'vugbm_buffer_destroy' in error path to avoid resource leak.
+
+Fixes: CVE-2021-3544
+Reported-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-3-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+CVE: CVE-2021-3544
+Upstream-Status: Backport [86dd8fac2acc366930a5dc08d3fb1b1e816f4e1e]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ contrib/vhost-user-gpu/vhost-user-gpu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c
+index f73f292c9f..b5e153d0d6 100644
+--- a/contrib/vhost-user-gpu/vhost-user-gpu.c
++++ b/contrib/vhost-user-gpu/vhost-user-gpu.c
+@@ -349,6 +349,7 @@ vg_resource_create_2d(VuGpu *g,
+ g_critical("%s: resource creation failed %d %d %d",
+ __func__, c2d.resource_id, c2d.width, c2d.height);
+ g_free(res);
++ vugbm_buffer_destroy(&res->buffer);
+ cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY;
+ return;
+ }
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch
new file mode 100644
index 0000000000..6300a90e5d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch
@@ -0,0 +1,48 @@
+From b9f79858a614d95f5de875d0ca31096eaab72c3b Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:03:58 -0700
+Subject: [PATCH 3/7] vhost-user-gpu: fix memory leak in
+ vg_resource_attach_backing (CVE-2021-3544)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Check whether the 'res' has already been attach_backing to avoid
+memory leak.
+
+Fixes: CVE-2021-3544
+Reported-by: Li Qiang <liq3ea@163.com>
+virtio-gpu fix: 204f01b309 ("virtio-gpu: fix memory leak
+in resource attach backing")
+
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-4-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+CVE: CVE-2021-3544
+Upstream-Status: Backport [b9f79858a614d95f5de875d0ca31096eaab72c3b]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ contrib/vhost-user-gpu/vhost-user-gpu.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c
+index b5e153d0d6..0437e52b64 100644
+--- a/contrib/vhost-user-gpu/vhost-user-gpu.c
++++ b/contrib/vhost-user-gpu/vhost-user-gpu.c
+@@ -489,6 +489,11 @@ vg_resource_attach_backing(VuGpu *g,
+ return;
+ }
+
++ if (res->iov) {
++ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
++ return;
++ }
++
+ ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov);
+ if (ret != 0) {
+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch
new file mode 100644
index 0000000000..bbc56d73e8
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch
@@ -0,0 +1,50 @@
+From b7afebcf9e6ecf3cf9b5a9b9b731ed04bca6aa3e Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:03:59 -0700
+Subject: [PATCH 4/7] vhost-user-gpu: fix memory leak while calling
+ 'vg_resource_unref' (CVE-2021-3544)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If the guest trigger following sequences, the attach_backing will be leaked:
+
+ vg_resource_create_2d
+ vg_resource_attach_backing
+ vg_resource_unref
+
+This patch fix this by freeing 'res->iov' in vg_resource_destroy.
+
+Fixes: CVE-2021-3544
+Reported-by: Li Qiang <liq3ea@163.com>
+virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak
+in virgl_cmd_resource_unref")
+
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-5-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+CVE: CVE-2021-3544
+Upstream-Status: Backport [b7afebcf9e6ecf3cf9b5a9b9b731ed04bca6aa3e]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ contrib/vhost-user-gpu/vhost-user-gpu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c
+index 0437e52b64..770dfad529 100644
+--- a/contrib/vhost-user-gpu/vhost-user-gpu.c
++++ b/contrib/vhost-user-gpu/vhost-user-gpu.c
+@@ -400,6 +400,7 @@ vg_resource_destroy(VuGpu *g,
+ }
+
+ vugbm_buffer_destroy(&res->buffer);
++ g_free(res->iov);
+ pixman_image_unref(res->image);
+ QTAILQ_REMOVE(&g->reslist, res, next);
+ g_free(res);
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch
new file mode 100644
index 0000000000..3adacc7a3d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch
@@ -0,0 +1,58 @@
+From f6091d86ba9ea05f4e111b9b42ee0005c37a6779 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:04:00 -0700
+Subject: [PATCH 5/7] vhost-user-gpu: fix memory leak in
+ 'virgl_cmd_resource_unref' (CVE-2021-3544)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The 'res->iov' will be leaked if the guest trigger following sequences:
+
+ virgl_cmd_create_resource_2d
+ virgl_resource_attach_backing
+ virgl_cmd_resource_unref
+
+This patch fixes this.
+
+Fixes: CVE-2021-3544
+Reported-by: Li Qiang <liq3ea@163.com>
+virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak
+in virgl_cmd_resource_unref"
+
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-6-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+CVE: CVE-2021-3544
+Upstream-Status: Backport [f6091d86ba9ea05f4e111b9b42ee0005c37a6779]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ contrib/vhost-user-gpu/virgl.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
+index 6a332d601f..c669d73a1d 100644
+--- a/contrib/vhost-user-gpu/virgl.c
++++ b/contrib/vhost-user-gpu/virgl.c
+@@ -108,9 +108,16 @@ virgl_cmd_resource_unref(VuGpu *g,
+ struct virtio_gpu_ctrl_command *cmd)
+ {
+ struct virtio_gpu_resource_unref unref;
++ struct iovec *res_iovs = NULL;
++ int num_iovs = 0;
+
+ VUGPU_FILL_CMD(unref);
+
++ virgl_renderer_resource_detach_iov(unref.resource_id,
++ &res_iovs,
++ &num_iovs);
++ g_free(res_iovs);
++
+ virgl_renderer_resource_unref(unref.resource_id);
+ }
+
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_6.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_6.patch
new file mode 100644
index 0000000000..3410d15fb0
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_6.patch
@@ -0,0 +1,49 @@
+From 63736af5a6571d9def93769431e0d7e38c6677bf Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:04:01 -0700
+Subject: [PATCH 6/7] vhost-user-gpu: fix memory leak in
+ 'virgl_resource_attach_backing' (CVE-2021-3544)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will
+be leaked.
+
+Fixes: CVE-2021-3544
+Reported-by: Li Qiang <liq3ea@163.com>
+virtio-gpu fix: 33243031da ("virtio-gpu-3d: fix memory leak
+in resource attach backing")
+
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-7-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+CVE: CVE-2021-3544
+Upstream-Status: Backport [63736af5a6571d9def93769431e0d7e38c6677bf]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ contrib/vhost-user-gpu/virgl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
+index c669d73a1d..a16a311d80 100644
+--- a/contrib/vhost-user-gpu/virgl.c
++++ b/contrib/vhost-user-gpu/virgl.c
+@@ -287,8 +287,11 @@ virgl_resource_attach_backing(VuGpu *g,
+ return;
+ }
+
+- virgl_renderer_resource_attach_iov(att_rb.resource_id,
++ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
+ res_iovs, att_rb.nr_entries);
++ if (ret != 0) {
++ g_free(res_iovs);
++ }
+ }
+
+ static void
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_7.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_7.patch
new file mode 100644
index 0000000000..fea0562f7b
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_7.patch
@@ -0,0 +1,49 @@
+From 9f22893adcb02580aee5968f32baa2cd109b3ec2 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:04:02 -0700
+Subject: [PATCH 7/7] vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset'
+ (CVE-2021-3546)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If 'virgl_cmd_get_capset' set 'max_size' to 0,
+the 'virgl_renderer_fill_caps' will write the data after the 'resp'.
+This patch avoid this by checking the returned 'max_size'.
+
+virtio-gpu fix: abd7f08b23 ("display: virtio-gpu-3d: check
+virgl capabilities max_size")
+
+Fixes: CVE-2021-3546
+Reported-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-8-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+CVE: CVE-2021-3546
+Upstream-Status: Backport [9f22893adcb02580aee5968f32baa2cd109b3ec2]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ contrib/vhost-user-gpu/virgl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
+index a16a311d80..7172104b19 100644
+--- a/contrib/vhost-user-gpu/virgl.c
++++ b/contrib/vhost-user-gpu/virgl.c
+@@ -177,6 +177,10 @@ virgl_cmd_get_capset(VuGpu *g,
+
+ virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
+ &max_size);
++ if (!max_size) {
++ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
++ return;
++ }
+ resp = g_malloc0(sizeof(*resp) + max_size);
+
+ resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
+--
+2.25.1
+
--
2.32.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [hardknott][PATCH 3/5] qemu: fix CVE-2021-3582
2021-08-11 3:08 [hardknott][PATCH 1/5] qemu: fix CVE-2021-3527 Sakib Sajal
2021-08-11 3:08 ` [hardknott][PATCH 2/5] qemu: fix CVE-2021-3544, CVE-2021-3545, CVE-2021-3546 Sakib Sajal
@ 2021-08-11 3:08 ` Sakib Sajal
2021-08-11 3:08 ` [hardknott][PATCH 4/5] qemu: fix CVE-2021-3607 Sakib Sajal
2021-08-11 3:08 ` [hardknott][PATCH 5/5] qemu: fix CVE-2021-3608 Sakib Sajal
3 siblings, 0 replies; 6+ messages in thread
From: Sakib Sajal @ 2021-08-11 3:08 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2021-3582.patch | 47 +++++++++++++++++++
2 files changed, 48 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3582.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 0a0893d6ae..c64bbe66f2 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -66,6 +66,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3544_5.patch \
file://CVE-2021-3544_6.patch \
file://CVE-2021-3544_7.patch \
+ file://CVE-2021-3582.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3582.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3582.patch
new file mode 100644
index 0000000000..7a88e29384
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3582.patch
@@ -0,0 +1,47 @@
+From 284f191b4abad213aed04cb0458e1600fd18d7c4 Mon Sep 17 00:00:00 2001
+From: Marcel Apfelbaum <marcel@redhat.com>
+Date: Wed, 16 Jun 2021 14:06:00 +0300
+Subject: [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device
+ (CVE-2021-3582)
+
+Ensure mremap boundaries not trusting the guest kernel to
+pass the correct buffer length.
+
+Fixes: CVE-2021-3582
+Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
+Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com>
+Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+
+CVE: CVE-2021-3582
+Upstream-Status: Backport [284f191b4abad213aed04cb0458e1600fd18d7c4]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/rdma/vmw/pvrdma_cmd.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
+index f59879e257..da7ddfa548 100644
+--- a/hw/rdma/vmw/pvrdma_cmd.c
++++ b/hw/rdma/vmw/pvrdma_cmd.c
+@@ -38,6 +38,13 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma,
+ return NULL;
+ }
+
++ length = ROUND_UP(length, TARGET_PAGE_SIZE);
++ if (nchunks * TARGET_PAGE_SIZE != length) {
++ rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks,
++ (unsigned long)length);
++ return NULL;
++ }
++
+ dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
+ if (!dir) {
+ rdma_error_report("Failed to map to page directory");
+--
+2.25.1
+
--
2.32.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [hardknott][PATCH 4/5] qemu: fix CVE-2021-3607
2021-08-11 3:08 [hardknott][PATCH 1/5] qemu: fix CVE-2021-3527 Sakib Sajal
2021-08-11 3:08 ` [hardknott][PATCH 2/5] qemu: fix CVE-2021-3544, CVE-2021-3545, CVE-2021-3546 Sakib Sajal
2021-08-11 3:08 ` [hardknott][PATCH 3/5] qemu: fix CVE-2021-3582 Sakib Sajal
@ 2021-08-11 3:08 ` Sakib Sajal
2021-08-11 3:08 ` [hardknott][PATCH 5/5] qemu: fix CVE-2021-3608 Sakib Sajal
3 siblings, 0 replies; 6+ messages in thread
From: Sakib Sajal @ 2021-08-11 3:08 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2021-3607.patch | 43 +++++++++++++++++++
2 files changed, 44 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index c64bbe66f2..69fba5dd79 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -67,6 +67,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3544_6.patch \
file://CVE-2021-3544_7.patch \
file://CVE-2021-3582.patch \
+ file://CVE-2021-3607.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch
new file mode 100644
index 0000000000..0547c74484
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch
@@ -0,0 +1,43 @@
+From 32e5703cfea07c91e6e84bcb0313f633bb146534 Mon Sep 17 00:00:00 2001
+From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+Date: Wed, 30 Jun 2021 14:46:34 +0300
+Subject: [PATCH] pvrdma: Ensure correct input on ring init (CVE-2021-3607)
+
+Check the guest passed a non zero page count
+for pvrdma device ring buffers.
+
+Fixes: CVE-2021-3607
+Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
+Message-Id: <20210630114634.2168872-1-marcel@redhat.com>
+Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+
+CVE: CVE-2021-3607
+Upstream-Status: Backport [32e5703cfea07c91e6e84bcb0313f633bb146534]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/rdma/vmw/pvrdma_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
+index 84ae8024fc..7c0c3551a8 100644
+--- a/hw/rdma/vmw/pvrdma_main.c
++++ b/hw/rdma/vmw/pvrdma_main.c
+@@ -92,6 +92,11 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state,
+ uint64_t *dir, *tbl;
+ int rc = 0;
+
++ if (!num_pages) {
++ rdma_error_report("Ring pages count must be strictly positive");
++ return -EINVAL;
++ }
++
+ dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE);
+ if (!dir) {
+ rdma_error_report("Failed to map to page directory (ring %s)", name);
+--
+2.25.1
+
--
2.32.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [hardknott][PATCH 5/5] qemu: fix CVE-2021-3608
2021-08-11 3:08 [hardknott][PATCH 1/5] qemu: fix CVE-2021-3527 Sakib Sajal
` (2 preceding siblings ...)
2021-08-11 3:08 ` [hardknott][PATCH 4/5] qemu: fix CVE-2021-3607 Sakib Sajal
@ 2021-08-11 3:08 ` Sakib Sajal
3 siblings, 0 replies; 6+ messages in thread
From: Sakib Sajal @ 2021-08-11 3:08 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2021-3608.patch | 43 +++++++++++++++++++
2 files changed, 44 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 69fba5dd79..b5f42ddfc3 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -68,6 +68,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3544_7.patch \
file://CVE-2021-3582.patch \
file://CVE-2021-3607.patch \
+ file://CVE-2021-3608.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch
new file mode 100644
index 0000000000..22d68b025d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch
@@ -0,0 +1,43 @@
+From 66ae37d8cc313f89272e711174a846a229bcdbd3 Mon Sep 17 00:00:00 2001
+From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+Date: Wed, 30 Jun 2021 14:52:46 +0300
+Subject: [PATCH] pvrdma: Fix the ring init error flow (CVE-2021-3608)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Do not unmap uninitialized dma addresses.
+
+Fixes: CVE-2021-3608
+Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
+Message-Id: <20210630115246.2178219-1-marcel@redhat.com>
+Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+
+CVE: CVE-2021-3608
+Upstream-Status: Backport [66ae37d8cc313f89272e711174a846a229bcdbd3]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/rdma/vmw/pvrdma_dev_ring.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/rdma/vmw/pvrdma_dev_ring.c b/hw/rdma/vmw/pvrdma_dev_ring.c
+index 074ac59b84..42130667a7 100644
+--- a/hw/rdma/vmw/pvrdma_dev_ring.c
++++ b/hw/rdma/vmw/pvrdma_dev_ring.c
+@@ -41,7 +41,7 @@ int pvrdma_ring_init(PvrdmaRing *ring, const char *name, PCIDevice *dev,
+ qatomic_set(&ring->ring_state->cons_head, 0);
+ */
+ ring->npages = npages;
+- ring->pages = g_malloc(npages * sizeof(void *));
++ ring->pages = g_malloc0(npages * sizeof(void *));
+
+ for (i = 0; i < npages; i++) {
+ if (!tbl[i]) {
+--
+2.25.1
+
--
2.32.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [OE-core] [hardknott][PATCH 2/5] qemu: fix CVE-2021-3544, CVE-2021-3545, CVE-2021-3546
2021-08-11 3:08 ` [hardknott][PATCH 2/5] qemu: fix CVE-2021-3544, CVE-2021-3545, CVE-2021-3546 Sakib Sajal
@ 2021-08-15 15:56 ` Anuj Mittal
0 siblings, 0 replies; 6+ messages in thread
From: Anuj Mittal @ 2021-08-15 15:56 UTC (permalink / raw)
To: openembedded-core, sakib.sajal
Hello,
On Tue, 2021-08-10 at 23:08 -0400, Sakib Sajal wrote:
> Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> ---
> meta/recipes-devtools/qemu/qemu.inc | 7 +++
> .../qemu/qemu/CVE-2021-3544_1.patch | 43 ++++++++++++++
> .../qemu/qemu/CVE-2021-3544_2.patch | 41 +++++++++++++
> .../qemu/qemu/CVE-2021-3544_3.patch | 48 +++++++++++++++
> .../qemu/qemu/CVE-2021-3544_4.patch | 50 ++++++++++++++++
> .../qemu/qemu/CVE-2021-3544_5.patch | 58 +++++++++++++++++++
> .../qemu/qemu/CVE-2021-3544_6.patch | 49 ++++++++++++++++
> .../qemu/qemu/CVE-2021-3544_7.patch | 49 ++++++++++++++++
These are already in hardknott and so is the fix for CVE-2021-3527. So,
I have just taken the rest three from this series.
Thanks,
Anuj
> 8 files changed, 345 insertions(+)
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-
> 3544_1.patch
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-
> 3544_2.patch
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-
> 3544_3.patch
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-
> 3544_4.patch
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-
> 3544_5.patch
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-
> 3544_6.patch
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-
> 3544_7.patch
>
> diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-
> devtools/qemu/qemu.inc
> index 8b77da7ebf..0a0893d6ae 100644
> --- a/meta/recipes-devtools/qemu/qemu.inc
> +++ b/meta/recipes-devtools/qemu/qemu.inc
> @@ -59,6 +59,13 @@ SRC_URI =
> "https://download.qemu.org/${BPN}-${PV}.tar.xz \
> file://CVE-2021-3392.patch \
> file://CVE-2021-3527_1.patch \
> file://CVE-2021-3527_2.patch \
> + file://CVE-2021-3544_1.patch \
> + file://CVE-2021-3544_2.patch \
> + file://CVE-2021-3544_3.patch \
> + file://CVE-2021-3544_4.patch \
> + file://CVE-2021-3544_5.patch \
> + file://CVE-2021-3544_6.patch \
> + file://CVE-2021-3544_7.patch \
> "
> UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
>
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_1.patch
> b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_1.patch
> new file mode 100644
> index 0000000000..e0702a4aa9
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_1.patch
> @@ -0,0 +1,43 @@
> +From 121841b25d72d13f8cad554363138c360f1250ea Mon Sep 17 00:00:00 2001
> +From: Li Qiang <liq3ea@163.com>
> +Date: Sat, 15 May 2021 20:03:56 -0700
> +Subject: [PATCH 1/7] vhost-user-gpu: fix memory disclosure in
> + virgl_cmd_get_capset_info (CVE-2021-3545)
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Otherwise some of the 'resp' will be leaked to guest.
> +
> +Fixes: CVE-2021-3545
> +Reported-by: Li Qiang <liq3ea@163.com>
> +virtio-gpu fix: 42a8dadc74 ("virtio-gpu: fix information leak
> +in getting capset info dispatch")
> +
> +Signed-off-by: Li Qiang <liq3ea@163.com>
> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> +Message-Id: <20210516030403.107723-2-liq3ea@163.com>
> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> +
> +CVE: CVE-2021-3545
> +Upstream-Status: Backport [121841b25d72d13f8cad554363138c360f1250ea]
> +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> +---
> + contrib/vhost-user-gpu/virgl.c | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-
> gpu/virgl.c
> +index 9e6660c7ab..6a332d601f 100644
> +--- a/contrib/vhost-user-gpu/virgl.c
> ++++ b/contrib/vhost-user-gpu/virgl.c
> +@@ -128,6 +128,7 @@ virgl_cmd_get_capset_info(VuGpu *g,
> +
> + VUGPU_FILL_CMD(info);
> +
> ++ memset(&resp, 0, sizeof(resp));
> + if (info.capset_index == 0) {
> + resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL;
> + virgl_renderer_get_cap_set(resp.capset_id,
> +--
> +2.25.1
> +
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch
> b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch
> new file mode 100644
> index 0000000000..a4894441e1
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch
> @@ -0,0 +1,41 @@
> +From 86dd8fac2acc366930a5dc08d3fb1b1e816f4e1e Mon Sep 17 00:00:00 2001
> +From: Li Qiang <liq3ea@163.com>
> +Date: Sat, 15 May 2021 20:03:57 -0700
> +Subject: [PATCH 2/7] vhost-user-gpu: fix resource leak in
> + 'vg_resource_create_2d' (CVE-2021-3544)
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Call 'vugbm_buffer_destroy' in error path to avoid resource leak.
> +
> +Fixes: CVE-2021-3544
> +Reported-by: Li Qiang <liq3ea@163.com>
> +Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
> +Signed-off-by: Li Qiang <liq3ea@163.com>
> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> +Message-Id: <20210516030403.107723-3-liq3ea@163.com>
> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> +
> +CVE: CVE-2021-3544
> +Upstream-Status: Backport [86dd8fac2acc366930a5dc08d3fb1b1e816f4e1e]
> +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> +---
> + contrib/vhost-user-gpu/vhost-user-gpu.c | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-
> user-gpu/vhost-user-gpu.c
> +index f73f292c9f..b5e153d0d6 100644
> +--- a/contrib/vhost-user-gpu/vhost-user-gpu.c
> ++++ b/contrib/vhost-user-gpu/vhost-user-gpu.c
> +@@ -349,6 +349,7 @@ vg_resource_create_2d(VuGpu *g,
> + g_critical("%s: resource creation failed %d %d %d",
> + __func__, c2d.resource_id, c2d.width, c2d.height);
> + g_free(res);
> ++ vugbm_buffer_destroy(&res->buffer);
> + cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY;
> + return;
> + }
> +--
> +2.25.1
> +
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch
> b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch
> new file mode 100644
> index 0000000000..6300a90e5d
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch
> @@ -0,0 +1,48 @@
> +From b9f79858a614d95f5de875d0ca31096eaab72c3b Mon Sep 17 00:00:00 2001
> +From: Li Qiang <liq3ea@163.com>
> +Date: Sat, 15 May 2021 20:03:58 -0700
> +Subject: [PATCH 3/7] vhost-user-gpu: fix memory leak in
> + vg_resource_attach_backing (CVE-2021-3544)
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Check whether the 'res' has already been attach_backing to avoid
> +memory leak.
> +
> +Fixes: CVE-2021-3544
> +Reported-by: Li Qiang <liq3ea@163.com>
> +virtio-gpu fix: 204f01b309 ("virtio-gpu: fix memory leak
> +in resource attach backing")
> +
> +Signed-off-by: Li Qiang <liq3ea@163.com>
> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> +Message-Id: <20210516030403.107723-4-liq3ea@163.com>
> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> +
> +CVE: CVE-2021-3544
> +Upstream-Status: Backport [b9f79858a614d95f5de875d0ca31096eaab72c3b]
> +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> +---
> + contrib/vhost-user-gpu/vhost-user-gpu.c | 5 +++++
> + 1 file changed, 5 insertions(+)
> +
> +diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-
> user-gpu/vhost-user-gpu.c
> +index b5e153d0d6..0437e52b64 100644
> +--- a/contrib/vhost-user-gpu/vhost-user-gpu.c
> ++++ b/contrib/vhost-user-gpu/vhost-user-gpu.c
> +@@ -489,6 +489,11 @@ vg_resource_attach_backing(VuGpu *g,
> + return;
> + }
> +
> ++ if (res->iov) {
> ++ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
> ++ return;
> ++ }
> ++
> + ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov);
> + if (ret != 0) {
> + cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
> +--
> +2.25.1
> +
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch
> b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch
> new file mode 100644
> index 0000000000..bbc56d73e8
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch
> @@ -0,0 +1,50 @@
> +From b7afebcf9e6ecf3cf9b5a9b9b731ed04bca6aa3e Mon Sep 17 00:00:00 2001
> +From: Li Qiang <liq3ea@163.com>
> +Date: Sat, 15 May 2021 20:03:59 -0700
> +Subject: [PATCH 4/7] vhost-user-gpu: fix memory leak while calling
> + 'vg_resource_unref' (CVE-2021-3544)
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +If the guest trigger following sequences, the attach_backing will be
> leaked:
> +
> + vg_resource_create_2d
> + vg_resource_attach_backing
> + vg_resource_unref
> +
> +This patch fix this by freeing 'res->iov' in vg_resource_destroy.
> +
> +Fixes: CVE-2021-3544
> +Reported-by: Li Qiang <liq3ea@163.com>
> +virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak
> +in virgl_cmd_resource_unref")
> +
> +Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
> +Signed-off-by: Li Qiang <liq3ea@163.com>
> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> +Message-Id: <20210516030403.107723-5-liq3ea@163.com>
> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> +
> +CVE: CVE-2021-3544
> +Upstream-Status: Backport [b7afebcf9e6ecf3cf9b5a9b9b731ed04bca6aa3e]
> +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> +---
> + contrib/vhost-user-gpu/vhost-user-gpu.c | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-
> user-gpu/vhost-user-gpu.c
> +index 0437e52b64..770dfad529 100644
> +--- a/contrib/vhost-user-gpu/vhost-user-gpu.c
> ++++ b/contrib/vhost-user-gpu/vhost-user-gpu.c
> +@@ -400,6 +400,7 @@ vg_resource_destroy(VuGpu *g,
> + }
> +
> + vugbm_buffer_destroy(&res->buffer);
> ++ g_free(res->iov);
> + pixman_image_unref(res->image);
> + QTAILQ_REMOVE(&g->reslist, res, next);
> + g_free(res);
> +--
> +2.25.1
> +
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch
> b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch
> new file mode 100644
> index 0000000000..3adacc7a3d
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch
> @@ -0,0 +1,58 @@
> +From f6091d86ba9ea05f4e111b9b42ee0005c37a6779 Mon Sep 17 00:00:00 2001
> +From: Li Qiang <liq3ea@163.com>
> +Date: Sat, 15 May 2021 20:04:00 -0700
> +Subject: [PATCH 5/7] vhost-user-gpu: fix memory leak in
> + 'virgl_cmd_resource_unref' (CVE-2021-3544)
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +The 'res->iov' will be leaked if the guest trigger following
> sequences:
> +
> + virgl_cmd_create_resource_2d
> + virgl_resource_attach_backing
> + virgl_cmd_resource_unref
> +
> +This patch fixes this.
> +
> +Fixes: CVE-2021-3544
> +Reported-by: Li Qiang <liq3ea@163.com>
> +virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak
> +in virgl_cmd_resource_unref"
> +
> +Signed-off-by: Li Qiang <liq3ea@163.com>
> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> +Message-Id: <20210516030403.107723-6-liq3ea@163.com>
> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> +
> +CVE: CVE-2021-3544
> +Upstream-Status: Backport [f6091d86ba9ea05f4e111b9b42ee0005c37a6779]
> +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> +---
> + contrib/vhost-user-gpu/virgl.c | 7 +++++++
> + 1 file changed, 7 insertions(+)
> +
> +diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-
> gpu/virgl.c
> +index 6a332d601f..c669d73a1d 100644
> +--- a/contrib/vhost-user-gpu/virgl.c
> ++++ b/contrib/vhost-user-gpu/virgl.c
> +@@ -108,9 +108,16 @@ virgl_cmd_resource_unref(VuGpu *g,
> + struct virtio_gpu_ctrl_command *cmd)
> + {
> + struct virtio_gpu_resource_unref unref;
> ++ struct iovec *res_iovs = NULL;
> ++ int num_iovs = 0;
> +
> + VUGPU_FILL_CMD(unref);
> +
> ++ virgl_renderer_resource_detach_iov(unref.resource_id,
> ++ &res_iovs,
> ++ &num_iovs);
> ++ g_free(res_iovs);
> ++
> + virgl_renderer_resource_unref(unref.resource_id);
> + }
> +
> +--
> +2.25.1
> +
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_6.patch
> b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_6.patch
> new file mode 100644
> index 0000000000..3410d15fb0
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_6.patch
> @@ -0,0 +1,49 @@
> +From 63736af5a6571d9def93769431e0d7e38c6677bf Mon Sep 17 00:00:00 2001
> +From: Li Qiang <liq3ea@163.com>
> +Date: Sat, 15 May 2021 20:04:01 -0700
> +Subject: [PATCH 6/7] vhost-user-gpu: fix memory leak in
> + 'virgl_resource_attach_backing' (CVE-2021-3544)
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will
> +be leaked.
> +
> +Fixes: CVE-2021-3544
> +Reported-by: Li Qiang <liq3ea@163.com>
> +virtio-gpu fix: 33243031da ("virtio-gpu-3d: fix memory leak
> +in resource attach backing")
> +
> +Signed-off-by: Li Qiang <liq3ea@163.com>
> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> +Message-Id: <20210516030403.107723-7-liq3ea@163.com>
> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> +
> +CVE: CVE-2021-3544
> +Upstream-Status: Backport [63736af5a6571d9def93769431e0d7e38c6677bf]
> +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> +---
> + contrib/vhost-user-gpu/virgl.c | 5 ++++-
> + 1 file changed, 4 insertions(+), 1 deletion(-)
> +
> +diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-
> gpu/virgl.c
> +index c669d73a1d..a16a311d80 100644
> +--- a/contrib/vhost-user-gpu/virgl.c
> ++++ b/contrib/vhost-user-gpu/virgl.c
> +@@ -287,8 +287,11 @@ virgl_resource_attach_backing(VuGpu *g,
> + return;
> + }
> +
> +- virgl_renderer_resource_attach_iov(att_rb.resource_id,
> ++ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
> + res_iovs, att_rb.nr_entries);
> ++ if (ret != 0) {
> ++ g_free(res_iovs);
> ++ }
> + }
> +
> + static void
> +--
> +2.25.1
> +
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_7.patch
> b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_7.patch
> new file mode 100644
> index 0000000000..fea0562f7b
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_7.patch
> @@ -0,0 +1,49 @@
> +From 9f22893adcb02580aee5968f32baa2cd109b3ec2 Mon Sep 17 00:00:00 2001
> +From: Li Qiang <liq3ea@163.com>
> +Date: Sat, 15 May 2021 20:04:02 -0700
> +Subject: [PATCH 7/7] vhost-user-gpu: fix OOB write in
> 'virgl_cmd_get_capset'
> + (CVE-2021-3546)
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +If 'virgl_cmd_get_capset' set 'max_size' to 0,
> +the 'virgl_renderer_fill_caps' will write the data after the 'resp'.
> +This patch avoid this by checking the returned 'max_size'.
> +
> +virtio-gpu fix: abd7f08b23 ("display: virtio-gpu-3d: check
> +virgl capabilities max_size")
> +
> +Fixes: CVE-2021-3546
> +Reported-by: Li Qiang <liq3ea@163.com>
> +Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
> +Signed-off-by: Li Qiang <liq3ea@163.com>
> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> +Message-Id: <20210516030403.107723-8-liq3ea@163.com>
> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> +
> +CVE: CVE-2021-3546
> +Upstream-Status: Backport [9f22893adcb02580aee5968f32baa2cd109b3ec2]
> +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> +---
> + contrib/vhost-user-gpu/virgl.c | 4 ++++
> + 1 file changed, 4 insertions(+)
> +
> +diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-
> gpu/virgl.c
> +index a16a311d80..7172104b19 100644
> +--- a/contrib/vhost-user-gpu/virgl.c
> ++++ b/contrib/vhost-user-gpu/virgl.c
> +@@ -177,6 +177,10 @@ virgl_cmd_get_capset(VuGpu *g,
> +
> + virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
> + &max_size);
> ++ if (!max_size) {
> ++ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
> ++ return;
> ++ }
> + resp = g_malloc0(sizeof(*resp) + max_size);
> +
> + resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
> +--
> +2.25.1
> +
>
>
>
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2021-08-15 15:56 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-11 3:08 [hardknott][PATCH 1/5] qemu: fix CVE-2021-3527 Sakib Sajal
2021-08-11 3:08 ` [hardknott][PATCH 2/5] qemu: fix CVE-2021-3544, CVE-2021-3545, CVE-2021-3546 Sakib Sajal
2021-08-15 15:56 ` [OE-core] " Anuj Mittal
2021-08-11 3:08 ` [hardknott][PATCH 3/5] qemu: fix CVE-2021-3582 Sakib Sajal
2021-08-11 3:08 ` [hardknott][PATCH 4/5] qemu: fix CVE-2021-3607 Sakib Sajal
2021-08-11 3:08 ` [hardknott][PATCH 5/5] qemu: fix CVE-2021-3608 Sakib Sajal
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.