-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 5 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-3544.patch | 29 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch | 39 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch | 39 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch | 46 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch | 47 |
6 files changed, 205 insertions, 0 deletions
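--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -72,6 +72,11 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://CVE-2021-3416_9.patch \
 file://CVE-2021-3416_10.patch \
 file://CVE-2021-20257.patch \
+file://CVE-2021-3544.patch \
+file://CVE-2021-3544_2.patch \
+file://CVE-2021-3544_3.patch \
+file://CVE-2021-3544_4.patch \
+file://CVE-2021-3544_5.patch \
 "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 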
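--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544.patch
@@ -0,0 +1,29 @@
+vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544)
+
+Call 'vugbm_buffer_destroy' in error path to avoid resource leak.
+
+Fixes: CVE-2021-3544
+Reported-by: default avatarLi Qiang <liq3ea@163.com>
+Reviewed-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: default avatarLi Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-3-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+[vhost-user-gpu does not exist in 4.2.0]
+CVE: CVE-2021-3544
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: qemu-4.2.0/contrib/vhost-user-gpu/main.c
+===================================================================
+--- qemu-4.2.0.orig/contrib/vhost-user-gpu/main.c
++++ qemu-4.2.0/contrib/vhost-user-gpu/main.c
+@@ -328,6 +328,7 @@ vg_resource_create_2d(VuGpu *g,
+g_critical("%s: resource creation failed %d %d %d",
+__func__, c2d.resource_id, c2d.width, c2d.height);
+g_free(res);
++ vugbm_buffer_destroy(&res->buffer);
+cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY;
+return;
+}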
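Review bot: The added `vugbm_buffer_destroy(&res->buffer);` on line 26 of the embedded hunk sits after `g_free(res);`, so it reads `res->buffer` from memory that has just been released; as backported, the leak fix introduces a use-after-free on the error path of vg_resource_create_2d. The two calls should be swapped: `vugbm_buffer_destroy(&res->buffer);` followed by `g_free(res);`. The function starts and ends outside the hunk, so the rest of the error path is not visible here. Compare the call order against the upstream commit before this backport is applied.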
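--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch
@@ -0,0 +1,39 @@
+vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544)
+
+
+Check whether the 'res' has already been attach_backing to avoid
+memory leak.
+
+Fixes: CVE-2021-3544
+Reported-by: default avatarLi Qiang <liq3ea@163.com>
+virtio-gpu fix: 204f01b3
+
+("virtio-gpu: fix memory leak
+in resource attach backing")
+Signed-off-by: default avatarLi Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-4-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+[vhost-user-gpu does not exist in 4.2.0 context]
+CVE: CVE-2021-3544
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+
+Index: qemu-4.2.0/contrib/vhost-user-gpu/main.c
+===================================================================
+--- qemu-4.2.0.orig/contrib/vhost-user-gpu/main.c
++++ qemu-4.2.0/contrib/vhost-user-gpu/main.c
+@@ -468,6 +468,11 @@ vg_resource_attach_backing(VuGpu *g,
+return;
+}
+
++ if (res->iov) {
++ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
++ return;
++ }
++
+ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov);
+if (ret != 0) {
+cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;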
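--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch
@@ -0,0 +1,39 @@
+vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544)
+
+If the guest trigger following sequences, the attach_backing will be leaked:
+
+vg_resource_create_2d
+vg_resource_attach_backing
+vg_resource_unref
+
+This patch fix this by freeing 'res->iov' in vg_resource_destroy.
+
+Fixes: CVE-2021-3544
+Reported-by: default avatarLi Qiang <liq3ea@163.com>
+virtio-gpu fix: 5e8e3c4c
+
+("virtio-gpu: fix resource leak
+in virgl_cmd_resource_unref")
+Reviewed-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: default avatarLi Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-5-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3544
+[vhost-user-gpu does not exist in the 4.2.0]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: qemu-4.2.0/contrib/vhost-user-gpu/main.c
+===================================================================
+--- qemu-4.2.0.orig/contrib/vhost-user-gpu/main.c
++++ qemu-4.2.0/contrib/vhost-user-gpu/main.c
+@@ -379,6 +379,7 @@ vg_resource_destroy(VuGpu *g,
+}
+
+vugbm_buffer_destroy(&res->buffer);
++ g_free(res->iov);
+pixman_image_unref(res->image);
+QTAILQ_REMOVE(&g->reslist, res, next);
+g_free(res);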
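Review bot: The added `g_free(res->iov);` in vg_resource_destroy is only safe if every other path that releases the backing also resets `res->iov` to NULL; otherwise a detach followed by an unref would free the same array twice. The detach path is outside this hunk, so confirm that it clears the pointer. The `if (res->iov)` guard added by CVE-2021-3544_2.patch relies on the same invariant, because a stale non-NULL pointer would make every later attach fail. A short comment above the call, such as `/* res->iov is NULL unless a backing is currently attached */`, would record the assumption for the next backport.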
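--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch
@@ -0,0 +1,46 @@
+vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' (CVE-2021-3544)
+
+The 'res->iov' will be leaked if the guest trigger following sequences:
+
+virgl_cmd_create_resource_2d
+virgl_resource_attach_backing
+virgl_cmd_resource_unref
+
+This patch fixes this.
+
+Fixes: CVE-2021-3544
+Reported-by: default avatarLi Qiang <liq3ea@163.com>
+virtio-gpu fix: 5e8e3c4c
+
+("virtio-gpu: fix resource leak
+in virgl_cmd_resource_unref"
+Signed-off-by: default avatarLi Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-6-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3544
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+===================================================================
+--- qemu-4.2.0.orig/contrib/vhost-user-gpu/virgl.c
++++ qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+@@ -105,9 +105,16 @@ virgl_cmd_resource_unref(VuGpu *g,
+struct virtio_gpu_ctrl_command *cmd)
+{
+struct virtio_gpu_resource_unref unref;
++ struct iovec *res_iovs = NULL;
++ int num_iovs = 0;
+
+VUGPU_FILL_CMD(unref);
+
++ virgl_renderer_resource_detach_iov(unref.resource_id,
++ &res_iovs,
++ &num_iovs);
++ g_free(res_iovs);
++
+virgl_renderer_resource_unref(unref.resource_id);
+}
+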
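--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch
@@ -0,0 +1,47 @@
+From 63736af5a6571d9def93769431e0d7e38c6677bf Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:04:01 -0700
+Subject: [PATCH] vhost-user-gpu: fix memory leak in
+'virgl_resource_attach_backing' (CVE-2021-3544)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will
+be leaked.
+
+Fixes: CVE-2021-3544
+Reported-by: Li Qiang <liq3ea@163.com>
+virtio-gpu fix: 33243031da ("virtio-gpu-3d: fix memory leak
+in resource attach backing")
+
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-7-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3544
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+contrib/vhost-user-gpu/virgl.c | 5 ++++-
+1 file changed, 4 insertions(+), 1 deletion(-)
+
+Index: qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+===================================================================
+--- qemu-4.2.0.orig/contrib/vhost-user-gpu/virgl.c
++++ qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+@@ -283,8 +283,11 @@ virgl_resource_attach_backing(VuGpu *g,
+return;
+}
+
+- virgl_renderer_resource_attach_iov(att_rb.resource_id,
++ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
+res_iovs, att_rb.nr_entries);
++ if (ret != 0) {
++ g_free(res_iovs);
++ }
+}
+
+static void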
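Review bot: When `virgl_renderer_resource_attach_iov` fails, the new branch frees `res_iovs` but does not set `cmd->error`, so the guest presumably receives a success response for a resource that has no backing attached. The failure branches visible elsewhere in this series set an error code before returning; consider adding `cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;` next to the `g_free(res_iovs);`. `ret` is assigned here but declared outside the hunk, and the function itself starts outside it, so confirm that its type matches the renderer's return value.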