8 files changed, 345 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 0cbd66301e..aa7cf74dd3 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -29,6 +29,13 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://determinism.patch \
           file://0001-tests-meson.build-use-relative-path-to-refer-to-file.patch \
           file://0001-configure-fix-detection-of-gdbus-codegen.patch \
+           file://0001-vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch \
+           file://0002-vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch \
+           file://0003-vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch \
+           file://0004-vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch \
+           file://0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch \
+           file://0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch \
+           file://0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/0001-vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch b/meta/recipes-devtools/qemu/qemu/0001-vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch
new file mode 100644
index 0000000000..981c237292
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0001-vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch
@@ -0,0 +1,43 @@
+CVE: CVE-2021-3545
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+From 121841b25d72d13f8cad554363138c360f1250ea Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:03:56 -0700
+Subject: [PATCH 1/7] vhost-user-gpu: fix memory disclosure in
+ virgl_cmd_get_capset_info (CVE-2021-3545)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Otherwise some of the 'resp' will be leaked to guest.
+Fixes: CVE-2021-3545
+Reported-by: Li Qiang <liq3ea@163.com>
+virtio-gpu fix: 42a8dadc74 ("virtio-gpu: fix information leak
+in getting capset info dispatch")
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-2-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ contrib/vhost-user-gpu/virgl.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
+index 9e6660c7ab..6a332d601f 100644
+--- a/contrib/vhost-user-gpu/virgl.c
+++ b/contrib/vhost-user-gpu/virgl.c
+@@ -128,6 +128,7 @@ virgl_cmd_get_capset_info(VuGpu *g,
+ 
+     VUGPU_FILL_CMD(info);
+ 
+    memset(&resp, 0, sizeof(resp));
+     if (info.capset_index == 0) {
+         resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL;
+         virgl_renderer_get_cap_set(resp.capset_id,
+-- 
+2.25.1
diff --git a/meta/recipes-devtools/qemu/qemu/0002-vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch b/meta/recipes-devtools/qemu/qemu/0002-vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch
new file mode 100644
index 0000000000..a9aee47e39
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0002-vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch
@@ -0,0 +1,41 @@
+CVE: CVE-2021-3544
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+From 86dd8fac2acc366930a5dc08d3fb1b1e816f4e1e Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:03:57 -0700
+Subject: [PATCH 2/7] vhost-user-gpu: fix resource leak in
+ 'vg_resource_create_2d' (CVE-2021-3544)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Call 'vugbm_buffer_destroy' in error path to avoid resource leak.
+Fixes: CVE-2021-3544
+Reported-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-3-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ contrib/vhost-user-gpu/vhost-user-gpu.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c
+index f73f292c9f..b5e153d0d6 100644
+--- a/contrib/vhost-user-gpu/vhost-user-gpu.c
+++ b/contrib/vhost-user-gpu/vhost-user-gpu.c
+@@ -349,6 +349,7 @@ vg_resource_create_2d(VuGpu *g,
+         g_critical("%s: resource creation failed %d %d %d",
+                    __func__, c2d.resource_id, c2d.width, c2d.height);
+         g_free(res);
+        vugbm_buffer_destroy(&res->buffer);
+         cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY;
+         return;
+     }
+-- 
+2.25.1
diff --git a/meta/recipes-devtools/qemu/qemu/0003-vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch b/meta/recipes-devtools/qemu/qemu/0003-vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch
new file mode 100644
index 0000000000..1718486405
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0003-vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch
@@ -0,0 +1,48 @@
+CVE: CVE-2021-3544
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+From b9f79858a614d95f5de875d0ca31096eaab72c3b Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:03:58 -0700
+Subject: [PATCH 3/7] vhost-user-gpu: fix memory leak in
+ vg_resource_attach_backing (CVE-2021-3544)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Check whether the 'res' has already been attach_backing to avoid
+memory leak.
+Fixes: CVE-2021-3544
+Reported-by: Li Qiang <liq3ea@163.com>
+virtio-gpu fix: 204f01b309 ("virtio-gpu: fix memory leak
+in resource attach backing")
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-4-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ contrib/vhost-user-gpu/vhost-user-gpu.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c
+index b5e153d0d6..0437e52b64 100644
+--- a/contrib/vhost-user-gpu/vhost-user-gpu.c
+++ b/contrib/vhost-user-gpu/vhost-user-gpu.c
+@@ -489,6 +489,11 @@ vg_resource_attach_backing(VuGpu *g,
+         return;
+     }
+ 
+    if (res->iov) {
+        cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
+        return;
+    }
+
+     ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov);
+     if (ret != 0) {
+         cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
+-- 
+2.25.1
diff --git a/meta/recipes-devtools/qemu/qemu/0004-vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch b/meta/recipes-devtools/qemu/qemu/0004-vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch
new file mode 100644
index 0000000000..9fc2fafe1d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0004-vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch
@@ -0,0 +1,50 @@
+CVE: CVE-2021-3544
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+From b7afebcf9e6ecf3cf9b5a9b9b731ed04bca6aa3e Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:03:59 -0700
+Subject: [PATCH 4/7] vhost-user-gpu: fix memory leak while calling
+ 'vg_resource_unref' (CVE-2021-3544)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+If the guest trigger following sequences, the attach_backing will be leaked:
+        vg_resource_create_2d
+        vg_resource_attach_backing
+        vg_resource_unref
+This patch fix this by freeing 'res->iov' in vg_resource_destroy.
+Fixes: CVE-2021-3544
+Reported-by: Li Qiang <liq3ea@163.com>
+virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak
+in virgl_cmd_resource_unref")
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-5-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ contrib/vhost-user-gpu/vhost-user-gpu.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c
+index 0437e52b64..770dfad529 100644
+--- a/contrib/vhost-user-gpu/vhost-user-gpu.c
+++ b/contrib/vhost-user-gpu/vhost-user-gpu.c
+@@ -400,6 +400,7 @@ vg_resource_destroy(VuGpu *g,
+     }
+ 
+     vugbm_buffer_destroy(&res->buffer);
+    g_free(res->iov);
+     pixman_image_unref(res->image);
+     QTAILQ_REMOVE(&g->reslist, res, next);
+     g_free(res);
+-- 
+2.25.1
diff --git a/meta/recipes-devtools/qemu/qemu/0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch b/meta/recipes-devtools/qemu/qemu/0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch
new file mode 100644
index 0000000000..e70f3c02c2
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch
@@ -0,0 +1,58 @@
+CVE: CVE-2021-3544
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+From f6091d86ba9ea05f4e111b9b42ee0005c37a6779 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:04:00 -0700
+Subject: [PATCH 5/7] vhost-user-gpu: fix memory leak in
+ 'virgl_cmd_resource_unref' (CVE-2021-3544)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+The 'res->iov' will be leaked if the guest trigger following sequences:
+        virgl_cmd_create_resource_2d
+        virgl_resource_attach_backing
+        virgl_cmd_resource_unref
+This patch fixes this.
+Fixes: CVE-2021-3544
+Reported-by: Li Qiang <liq3ea@163.com>
+virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak
+in virgl_cmd_resource_unref"
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-6-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ contrib/vhost-user-gpu/virgl.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
+index 6a332d601f..c669d73a1d 100644
+--- a/contrib/vhost-user-gpu/virgl.c
+++ b/contrib/vhost-user-gpu/virgl.c
+@@ -108,9 +108,16 @@ virgl_cmd_resource_unref(VuGpu *g,
+                          struct virtio_gpu_ctrl_command *cmd)
+ {
+     struct virtio_gpu_resource_unref unref;
+    struct iovec *res_iovs = NULL;
+    int num_iovs = 0;
+ 
+     VUGPU_FILL_CMD(unref);
+ 
+    virgl_renderer_resource_detach_iov(unref.resource_id,
+                                       &res_iovs,
+                                       &num_iovs);
+    g_free(res_iovs);
+
+     virgl_renderer_resource_unref(unref.resource_id);
+ }
+ 
+-- 
+2.25.1
diff --git a/meta/recipes-devtools/qemu/qemu/0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch b/meta/recipes-devtools/qemu/qemu/0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch
new file mode 100644
index 0000000000..5efb87ca33
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch
@@ -0,0 +1,49 @@
+CVE: CVE-2021-3544
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+From 63736af5a6571d9def93769431e0d7e38c6677bf Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:04:01 -0700
+Subject: [PATCH 6/7] vhost-user-gpu: fix memory leak in
+ 'virgl_resource_attach_backing' (CVE-2021-3544)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will
+be leaked.
+Fixes: CVE-2021-3544
+Reported-by: Li Qiang <liq3ea@163.com>
+virtio-gpu fix: 33243031da ("virtio-gpu-3d: fix memory leak
+in resource attach backing")
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-7-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ contrib/vhost-user-gpu/virgl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
+index c669d73a1d..a16a311d80 100644
+--- a/contrib/vhost-user-gpu/virgl.c
+++ b/contrib/vhost-user-gpu/virgl.c
+@@ -287,8 +287,11 @@ virgl_resource_attach_backing(VuGpu *g,
+         return;
+     }
+ 
+-    virgl_renderer_resource_attach_iov(att_rb.resource_id,
+    ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
+                                        res_iovs, att_rb.nr_entries);
+    if (ret != 0) {
+        g_free(res_iovs);
+    }
+ }
+ 
+ static void
+-- 
+2.25.1
diff --git a/meta/recipes-devtools/qemu/qemu/0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch b/meta/recipes-devtools/qemu/qemu/0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch
new file mode 100644
index 0000000000..33e6a66193
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch
@@ -0,0 +1,49 @@
+CVE: CVE-2021-3546
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+From 9f22893adcb02580aee5968f32baa2cd109b3ec2 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:04:02 -0700
+Subject: [PATCH 7/7] vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset'
+ (CVE-2021-3546)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+If 'virgl_cmd_get_capset' set 'max_size' to 0,
+the 'virgl_renderer_fill_caps' will write the data after the 'resp'.
+This patch avoid this by checking the returned 'max_size'.
+virtio-gpu fix: abd7f08b23 ("display: virtio-gpu-3d: check
+virgl capabilities max_size")
+Fixes: CVE-2021-3546
+Reported-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-8-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ contrib/vhost-user-gpu/virgl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
+index a16a311d80..7172104b19 100644
+--- a/contrib/vhost-user-gpu/virgl.c
+++ b/contrib/vhost-user-gpu/virgl.c
+@@ -177,6 +177,10 @@ virgl_cmd_get_capset(VuGpu *g,
+ 
+     virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
+                                &max_size);
+    if (!max_size) {
+        cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
+        return;
+    }
+     resp = g_malloc0(sizeof(*resp) + max_size);
+ 
+     resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
+-- 
+2.25.1

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 0cbd66301e..aa7cf74dd3 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -29,6 +29,13 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
29	file://determinism.patch \	29	file://determinism.patch \
30	file://0001-tests-meson.build-use-relative-path-to-refer-to-file.patch \	30	file://0001-tests-meson.build-use-relative-path-to-refer-to-file.patch \
31	file://0001-configure-fix-detection-of-gdbus-codegen.patch \	31	file://0001-configure-fix-detection-of-gdbus-codegen.patch \
		32	file://0001-vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch \
		33	file://0002-vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch \
		34	file://0003-vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch \
		35	file://0004-vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch \
		36	file://0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch \
		37	file://0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch \
		38	file://0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch \
32	"	39	"
33	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	40	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
34		41


diff --git a/meta/recipes-devtools/qemu/qemu/0001-vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch b/meta/recipes-devtools/qemu/qemu/0001-vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch new file mode 100644 index 0000000000..981c237292 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0001-vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch
@@ -0,0 +1,43 @@
		1	CVE: CVE-2021-3545
		2	Upstream-Status: Backport
		3	Signed-off-by: Ross Burton <ross.burton@arm.com>
		4
		5	From 121841b25d72d13f8cad554363138c360f1250ea Mon Sep 17 00:00:00 2001
		6	From: Li Qiang <liq3ea@163.com>
		7	Date: Sat, 15 May 2021 20:03:56 -0700
		8	Subject: [PATCH 1/7] vhost-user-gpu: fix memory disclosure in
		9	virgl_cmd_get_capset_info (CVE-2021-3545)
		10	MIME-Version: 1.0
		11	Content-Type: text/plain; charset=UTF-8
		12	Content-Transfer-Encoding: 8bit
		13
		14	Otherwise some of the 'resp' will be leaked to guest.
		15
		16	Fixes: CVE-2021-3545
		17	Reported-by: Li Qiang <liq3ea@163.com>
		18	virtio-gpu fix: 42a8dadc74 ("virtio-gpu: fix information leak
		19	in getting capset info dispatch")
		20
		21	Signed-off-by: Li Qiang <liq3ea@163.com>
		22	Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
		23	Message-Id: <20210516030403.107723-2-liq3ea@163.com>
		24	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
		25	---
		26	contrib/vhost-user-gpu/virgl.c \| 1 +
		27	1 file changed, 1 insertion(+)
		28
		29	diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
		30	index 9e6660c7ab..6a332d601f 100644
		31	--- a/contrib/vhost-user-gpu/virgl.c
		32	+++ b/contrib/vhost-user-gpu/virgl.c
		33	@@ -128,6 +128,7 @@ virgl_cmd_get_capset_info(VuGpu *g,
		34
		35	VUGPU_FILL_CMD(info);
		36
		37	+ memset(&resp, 0, sizeof(resp));
		38	if (info.capset_index == 0) {
		39	resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL;
		40	virgl_renderer_get_cap_set(resp.capset_id,
		41	--
		42	2.25.1
		43


diff --git a/meta/recipes-devtools/qemu/qemu/0002-vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch b/meta/recipes-devtools/qemu/qemu/0002-vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch new file mode 100644 index 0000000000..a9aee47e39 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0002-vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch
@@ -0,0 +1,41 @@
		1	CVE: CVE-2021-3544
		2	Upstream-Status: Backport
		3	Signed-off-by: Ross Burton <ross.burton@arm.com>
		4
		5	From 86dd8fac2acc366930a5dc08d3fb1b1e816f4e1e Mon Sep 17 00:00:00 2001
		6	From: Li Qiang <liq3ea@163.com>
		7	Date: Sat, 15 May 2021 20:03:57 -0700
		8	Subject: [PATCH 2/7] vhost-user-gpu: fix resource leak in
		9	'vg_resource_create_2d' (CVE-2021-3544)
		10	MIME-Version: 1.0
		11	Content-Type: text/plain; charset=UTF-8
		12	Content-Transfer-Encoding: 8bit
		13
		14	Call 'vugbm_buffer_destroy' in error path to avoid resource leak.
		15
		16	Fixes: CVE-2021-3544
		17	Reported-by: Li Qiang <liq3ea@163.com>
		18	Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
		19	Signed-off-by: Li Qiang <liq3ea@163.com>
		20	Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
		21	Message-Id: <20210516030403.107723-3-liq3ea@163.com>
		22	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
		23	---
		24	contrib/vhost-user-gpu/vhost-user-gpu.c \| 1 +
		25	1 file changed, 1 insertion(+)
		26
		27	diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c
		28	index f73f292c9f..b5e153d0d6 100644
		29	--- a/contrib/vhost-user-gpu/vhost-user-gpu.c
		30	+++ b/contrib/vhost-user-gpu/vhost-user-gpu.c
		31	@@ -349,6 +349,7 @@ vg_resource_create_2d(VuGpu *g,
		32	g_critical("%s: resource creation failed %d %d %d",
		33	__func__, c2d.resource_id, c2d.width, c2d.height);
		34	g_free(res);
		35	+ vugbm_buffer_destroy(&res->buffer);
		36	cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY;
		37	return;
		38	}
		39	--
		40	2.25.1
		41


diff --git a/meta/recipes-devtools/qemu/qemu/0003-vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch b/meta/recipes-devtools/qemu/qemu/0003-vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch new file mode 100644 index 0000000000..1718486405 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0003-vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch
@@ -0,0 +1,48 @@
		1	CVE: CVE-2021-3544
		2	Upstream-Status: Backport
		3	Signed-off-by: Ross Burton <ross.burton@arm.com>
		4
		5	From b9f79858a614d95f5de875d0ca31096eaab72c3b Mon Sep 17 00:00:00 2001
		6	From: Li Qiang <liq3ea@163.com>
		7	Date: Sat, 15 May 2021 20:03:58 -0700
		8	Subject: [PATCH 3/7] vhost-user-gpu: fix memory leak in
		9	vg_resource_attach_backing (CVE-2021-3544)
		10	MIME-Version: 1.0
		11	Content-Type: text/plain; charset=UTF-8
		12	Content-Transfer-Encoding: 8bit
		13
		14	Check whether the 'res' has already been attach_backing to avoid
		15	memory leak.
		16
		17	Fixes: CVE-2021-3544
		18	Reported-by: Li Qiang <liq3ea@163.com>
		19	virtio-gpu fix: 204f01b309 ("virtio-gpu: fix memory leak
		20	in resource attach backing")
		21
		22	Signed-off-by: Li Qiang <liq3ea@163.com>
		23	Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
		24	Message-Id: <20210516030403.107723-4-liq3ea@163.com>
		25	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
		26	---
		27	contrib/vhost-user-gpu/vhost-user-gpu.c \| 5 +++++
		28	1 file changed, 5 insertions(+)
		29
		30	diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c
		31	index b5e153d0d6..0437e52b64 100644
		32	--- a/contrib/vhost-user-gpu/vhost-user-gpu.c
		33	+++ b/contrib/vhost-user-gpu/vhost-user-gpu.c
		34	@@ -489,6 +489,11 @@ vg_resource_attach_backing(VuGpu *g,
		35	return;
		36	}
		37
		38	+ if (res->iov) {
		39	+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
		40	+ return;
		41	+ }
		42	+
		43	ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov);
		44	if (ret != 0) {
		45	cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
		46	--
		47	2.25.1
		48


diff --git a/meta/recipes-devtools/qemu/qemu/0004-vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch b/meta/recipes-devtools/qemu/qemu/0004-vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch new file mode 100644 index 0000000000..9fc2fafe1d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0004-vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch
@@ -0,0 +1,50 @@
		1	CVE: CVE-2021-3544
		2	Upstream-Status: Backport
		3	Signed-off-by: Ross Burton <ross.burton@arm.com>
		4
		5	From b7afebcf9e6ecf3cf9b5a9b9b731ed04bca6aa3e Mon Sep 17 00:00:00 2001
		6	From: Li Qiang <liq3ea@163.com>
		7	Date: Sat, 15 May 2021 20:03:59 -0700
		8	Subject: [PATCH 4/7] vhost-user-gpu: fix memory leak while calling
		9	'vg_resource_unref' (CVE-2021-3544)
		10	MIME-Version: 1.0
		11	Content-Type: text/plain; charset=UTF-8
		12	Content-Transfer-Encoding: 8bit
		13
		14	If the guest trigger following sequences, the attach_backing will be leaked:
		15
		16	vg_resource_create_2d
		17	vg_resource_attach_backing
		18	vg_resource_unref
		19
		20	This patch fix this by freeing 'res->iov' in vg_resource_destroy.
		21
		22	Fixes: CVE-2021-3544
		23	Reported-by: Li Qiang <liq3ea@163.com>
		24	virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak
		25	in virgl_cmd_resource_unref")
		26
		27	Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
		28	Signed-off-by: Li Qiang <liq3ea@163.com>
		29	Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
		30	Message-Id: <20210516030403.107723-5-liq3ea@163.com>
		31	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
		32	---
		33	contrib/vhost-user-gpu/vhost-user-gpu.c \| 1 +
		34	1 file changed, 1 insertion(+)
		35
		36	diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c
		37	index 0437e52b64..770dfad529 100644
		38	--- a/contrib/vhost-user-gpu/vhost-user-gpu.c
		39	+++ b/contrib/vhost-user-gpu/vhost-user-gpu.c
		40	@@ -400,6 +400,7 @@ vg_resource_destroy(VuGpu *g,
		41	}
		42
		43	vugbm_buffer_destroy(&res->buffer);
		44	+ g_free(res->iov);
		45	pixman_image_unref(res->image);
		46	QTAILQ_REMOVE(&g->reslist, res, next);
		47	g_free(res);
		48	--
		49	2.25.1
		50


diff --git a/meta/recipes-devtools/qemu/qemu/0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch b/meta/recipes-devtools/qemu/qemu/0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch new file mode 100644 index 0000000000..e70f3c02c2 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch
@@ -0,0 +1,58 @@
		1	CVE: CVE-2021-3544
		2	Upstream-Status: Backport
		3	Signed-off-by: Ross Burton <ross.burton@arm.com>
		4
		5	From f6091d86ba9ea05f4e111b9b42ee0005c37a6779 Mon Sep 17 00:00:00 2001
		6	From: Li Qiang <liq3ea@163.com>
		7	Date: Sat, 15 May 2021 20:04:00 -0700
		8	Subject: [PATCH 5/7] vhost-user-gpu: fix memory leak in
		9	'virgl_cmd_resource_unref' (CVE-2021-3544)
		10	MIME-Version: 1.0
		11	Content-Type: text/plain; charset=UTF-8
		12	Content-Transfer-Encoding: 8bit
		13
		14	The 'res->iov' will be leaked if the guest trigger following sequences:
		15
		16	virgl_cmd_create_resource_2d
		17	virgl_resource_attach_backing
		18	virgl_cmd_resource_unref
		19
		20	This patch fixes this.
		21
		22	Fixes: CVE-2021-3544
		23	Reported-by: Li Qiang <liq3ea@163.com>
		24	virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak
		25	in virgl_cmd_resource_unref"
		26
		27	Signed-off-by: Li Qiang <liq3ea@163.com>
		28	Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
		29	Message-Id: <20210516030403.107723-6-liq3ea@163.com>
		30	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
		31	---
		32	contrib/vhost-user-gpu/virgl.c \| 7 +++++++
		33	1 file changed, 7 insertions(+)
		34
		35	diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
		36	index 6a332d601f..c669d73a1d 100644
		37	--- a/contrib/vhost-user-gpu/virgl.c
		38	+++ b/contrib/vhost-user-gpu/virgl.c
		39	@@ -108,9 +108,16 @@ virgl_cmd_resource_unref(VuGpu *g,
		40	struct virtio_gpu_ctrl_command *cmd)
		41	{
		42	struct virtio_gpu_resource_unref unref;
		43	+ struct iovec *res_iovs = NULL;
		44	+ int num_iovs = 0;
		45
		46	VUGPU_FILL_CMD(unref);
		47
		48	+ virgl_renderer_resource_detach_iov(unref.resource_id,
		49	+ &res_iovs,
		50	+ &num_iovs);
		51	+ g_free(res_iovs);
		52	+
		53	virgl_renderer_resource_unref(unref.resource_id);
		54	}
		55
		56	--
		57	2.25.1
		58


diff --git a/meta/recipes-devtools/qemu/qemu/0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch b/meta/recipes-devtools/qemu/qemu/0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch new file mode 100644 index 0000000000..5efb87ca33 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch
@@ -0,0 +1,49 @@
		1	CVE: CVE-2021-3544
		2	Upstream-Status: Backport
		3	Signed-off-by: Ross Burton <ross.burton@arm.com>
		4
		5	From 63736af5a6571d9def93769431e0d7e38c6677bf Mon Sep 17 00:00:00 2001
		6	From: Li Qiang <liq3ea@163.com>
		7	Date: Sat, 15 May 2021 20:04:01 -0700
		8	Subject: [PATCH 6/7] vhost-user-gpu: fix memory leak in
		9	'virgl_resource_attach_backing' (CVE-2021-3544)
		10	MIME-Version: 1.0
		11	Content-Type: text/plain; charset=UTF-8
		12	Content-Transfer-Encoding: 8bit
		13
		14	If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will
		15	be leaked.
		16
		17	Fixes: CVE-2021-3544
		18	Reported-by: Li Qiang <liq3ea@163.com>
		19	virtio-gpu fix: 33243031da ("virtio-gpu-3d: fix memory leak
		20	in resource attach backing")
		21
		22	Signed-off-by: Li Qiang <liq3ea@163.com>
		23	Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
		24	Message-Id: <20210516030403.107723-7-liq3ea@163.com>
		25	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
		26	---
		27	contrib/vhost-user-gpu/virgl.c \| 5 ++++-
		28	1 file changed, 4 insertions(+), 1 deletion(-)
		29
		30	diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
		31	index c669d73a1d..a16a311d80 100644
		32	--- a/contrib/vhost-user-gpu/virgl.c
		33	+++ b/contrib/vhost-user-gpu/virgl.c
		34	@@ -287,8 +287,11 @@ virgl_resource_attach_backing(VuGpu *g,
		35	return;
		36	}
		37
		38	- virgl_renderer_resource_attach_iov(att_rb.resource_id,
		39	+ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
		40	res_iovs, att_rb.nr_entries);
		41	+ if (ret != 0) {
		42	+ g_free(res_iovs);
		43	+ }
		44	}
		45
		46	static void
		47	--
		48	2.25.1
		49


diff --git a/meta/recipes-devtools/qemu/qemu/0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch b/meta/recipes-devtools/qemu/qemu/0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch new file mode 100644 index 0000000000..33e6a66193 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch
@@ -0,0 +1,49 @@
		1	CVE: CVE-2021-3546
		2	Upstream-Status: Backport
		3	Signed-off-by: Ross Burton <ross.burton@arm.com>
		4
		5	From 9f22893adcb02580aee5968f32baa2cd109b3ec2 Mon Sep 17 00:00:00 2001
		6	From: Li Qiang <liq3ea@163.com>
		7	Date: Sat, 15 May 2021 20:04:02 -0700
		8	Subject: [PATCH 7/7] vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset'
		9	(CVE-2021-3546)
		10	MIME-Version: 1.0
		11	Content-Type: text/plain; charset=UTF-8
		12	Content-Transfer-Encoding: 8bit
		13
		14	If 'virgl_cmd_get_capset' set 'max_size' to 0,
		15	the 'virgl_renderer_fill_caps' will write the data after the 'resp'.
		16	This patch avoid this by checking the returned 'max_size'.
		17
		18	virtio-gpu fix: abd7f08b23 ("display: virtio-gpu-3d: check
		19	virgl capabilities max_size")
		20
		21	Fixes: CVE-2021-3546
		22	Reported-by: Li Qiang <liq3ea@163.com>
		23	Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
		24	Signed-off-by: Li Qiang <liq3ea@163.com>
		25	Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
		26	Message-Id: <20210516030403.107723-8-liq3ea@163.com>
		27	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
		28	---
		29	contrib/vhost-user-gpu/virgl.c \| 4 ++++
		30	1 file changed, 4 insertions(+)
		31
		32	diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
		33	index a16a311d80..7172104b19 100644
		34	--- a/contrib/vhost-user-gpu/virgl.c
		35	+++ b/contrib/vhost-user-gpu/virgl.c
		36	@@ -177,6 +177,10 @@ virgl_cmd_get_capset(VuGpu *g,
		37
		38	virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
		39	&max_size);
		40	+ if (!max_size) {
		41	+ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
		42	+ return;
		43	+ }
		44	resp = g_malloc0(sizeof(*resp) + max_size);
		45
		46	resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
		47	--
		48	2.25.1
		49