diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch new file mode 100644 index 0000000000..c534f4c24f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch | |||
@@ -0,0 +1,39 @@ | |||
1 | vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544) | ||
2 | |||
3 | If the guest trigger following sequences, the attach_backing will be leaked: | ||
4 | |||
5 | vg_resource_create_2d | ||
6 | vg_resource_attach_backing | ||
7 | vg_resource_unref | ||
8 | |||
9 | This patch fix this by freeing 'res->iov' in vg_resource_destroy. | ||
10 | |||
11 | Fixes: CVE-2021-3544 | ||
12 | Reported-by: default avatarLi Qiang <liq3ea@163.com> | ||
13 | virtio-gpu fix: 5e8e3c4c | ||
14 | |||
15 | ("virtio-gpu: fix resource leak | ||
16 | in virgl_cmd_resource_unref") | ||
17 | Reviewed-by: default avatarPrasad J Pandit <pjp@fedoraproject.org> | ||
18 | Signed-off-by: default avatarLi Qiang <liq3ea@163.com> | ||
19 | Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com> | ||
20 | Message-Id: <20210516030403.107723-5-liq3ea@163.com> | ||
21 | Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com> | ||
22 | |||
23 | Upstream-Status: Backport | ||
24 | CVE: CVE-2021-3544 | ||
25 | [vhost-user-gpu does not exist in the 4.2.0] | ||
26 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
27 | |||
28 | Index: qemu-4.2.0/contrib/vhost-user-gpu/main.c | ||
29 | =================================================================== | ||
30 | --- qemu-4.2.0.orig/contrib/vhost-user-gpu/main.c | ||
31 | +++ qemu-4.2.0/contrib/vhost-user-gpu/main.c | ||
32 | @@ -379,6 +379,7 @@ vg_resource_destroy(VuGpu *g, | ||
33 | } | ||
34 | |||
35 | vugbm_buffer_destroy(&res->buffer); | ||
36 | + g_free(res->iov); | ||
37 | pixman_image_unref(res->image); | ||
38 | QTAILQ_REMOVE(&g->reslist, res, next); | ||
39 | g_free(res); | ||