1 files changed, 57 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-26354.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-26354.patch
new file mode 100644
index 0000000000..fc4d6cf3df
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-26354.patch
@@ -0,0 +1,57 @@
+Backport of:
+From 8d1b247f3748ac4078524130c6d7ae42b6140aaf Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Mon, 28 Feb 2022 10:50:58 +0100
+Subject: [PATCH] vhost-vsock: detach the virqueue element in case of error
+In vhost_vsock_common_send_transport_reset(), if an element popped from
+the virtqueue is invalid, we should call virtqueue_detach_element() to
+detach it from the virtqueue before freeing its memory.
+Fixes: fc0b9b0e1c ("vhost-vsock: add virtio sockets device")
+Fixes: CVE-2022-26354
+Cc: qemu-stable@nongnu.org
+Reported-by: VictorV <vv474172261@gmail.com>
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Message-Id: <20220228095058.27899-1-sgarzare@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+CVE: CVE-2022-26354
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2022-26354.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/8d1b247f3748ac4078524130c6d7ae42b6140aaf ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/virtio/vhost-vsock-common.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+--- a/hw/virtio/vhost-vsock.c
+++ b/hw/virtio/vhost-vsock.c
+@@ -221,19 +221,23 @@ static void vhost_vsock_send_transport_r
+     if (elem->out_num) {
+         error_report("invalid vhost-vsock event virtqueue element with "
+                      "out buffers");
+-        goto out;
+        goto err;
+     }
+ 
+     if (iov_from_buf(elem->in_sg, elem->in_num, 0,
+                      &event, sizeof(event)) != sizeof(event)) {
+         error_report("vhost-vsock event virtqueue element is too short");
+-        goto out;
+        goto err;
+     }
+ 
+     virtqueue_push(vq, elem, sizeof(event));
+     virtio_notify(VIRTIO_DEVICE(vsock), vq);
+ 
+-out:
+    g_free(elem);
+    return;
+
+err:
+    virtqueue_detach_element(vq, elem, 0);
+     g_free(elem);
+ }
+

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-26354.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-26354.patch new file mode 100644 index 0000000000..fc4d6cf3df --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-26354.patch
@@ -0,0 +1,57 @@
	1	Backport of:
	2
	3	From 8d1b247f3748ac4078524130c6d7ae42b6140aaf Mon Sep 17 00:00:00 2001
	4	From: Stefano Garzarella <sgarzare@redhat.com>
	5	Date: Mon, 28 Feb 2022 10:50:58 +0100
	6	Subject: [PATCH] vhost-vsock: detach the virqueue element in case of error
	7
	8	In vhost_vsock_common_send_transport_reset(), if an element popped from
	9	the virtqueue is invalid, we should call virtqueue_detach_element() to
	10	detach it from the virtqueue before freeing its memory.
	11
	12	Fixes: fc0b9b0e1c ("vhost-vsock: add virtio sockets device")
	13	Fixes: CVE-2022-26354
	14	Cc: qemu-stable@nongnu.org
	15	Reported-by: VictorV <vv474172261@gmail.com>
	16	Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
	17	Message-Id: <20220228095058.27899-1-sgarzare@redhat.com>
	18	Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
	19	Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
	20	Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
	21
	22	CVE: CVE-2022-26354
	23	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2022-26354.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/8d1b247f3748ac4078524130c6d7ae42b6140aaf ]
	24	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	25	---
	26	hw/virtio/vhost-vsock-common.c \| 10 +++++++---
	27	1 file changed, 7 insertions(+), 3 deletions(-)
	28
	29	--- a/hw/virtio/vhost-vsock.c
	30	+++ b/hw/virtio/vhost-vsock.c
	31	@@ -221,19 +221,23 @@ static void vhost_vsock_send_transport_r
	32	if (elem->out_num) {
	33	error_report("invalid vhost-vsock event virtqueue element with "
	34	"out buffers");
	35	- goto out;
	36	+ goto err;
	37	}
	38
	39	if (iov_from_buf(elem->in_sg, elem->in_num, 0,
	40	&event, sizeof(event)) != sizeof(event)) {
	41	error_report("vhost-vsock event virtqueue element is too short");
	42	- goto out;
	43	+ goto err;
	44	}
	45
	46	virtqueue_push(vq, elem, sizeof(event));
	47	virtio_notify(VIRTIO_DEVICE(vsock), vq);
	48
	49	-out:
	50	+ g_free(elem);
	51	+ return;
	52	+
	53	+err:
	54	+ virtqueue_detach_element(vq, elem, 0);
	55	g_free(elem);
	56	}
	57