qemu: Security fix CVE-2021-3544

Source: qemu.org MR: 111833 Type: Security Fix Disposition: Backport from https://gitlab.com/qemu-project/qemu/-/commit/86dd8fac..63736af5 ChangeID: 7f301e939cf9d1fdb826ac47d1fc96430086a68e Description: https://gitlab.com/qemu-project/qemu/-/commit/86dd8fac https://gitlab.com/qemu-project/qemu/-/commit/b9f79858 https://gitlab.com/qemu-project/qemu/-/commit/b7afebcf Tweeked the above patches as vhost-user-gpu.c does not exist. https://gitlab.com/qemu-project/qemu/-/commit/f6091d86 https://gitlab.com/qemu-project/qemu/-/commit/63736af5 (From OE-Core rev: eca0abf120709fab20da1a2c190d04191733f5ed) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2021-08-23 21:27:41 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-09-01 16:27:09 +0100
commit: 0d253da7204bbba3fbdf6fa479bbb723e122e2bd (patch)
tree: d8b551a66282cb4db64b05e9f29805ec70832e68
parent: 4ed9972582fc8cdfad5425e1952d7ce7590147cf (diff)
download: poky-0d253da7204bbba3fbdf6fa479bbb723e122e2bd.tar.gz
6 files changed, 205 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 1ddb373115..90549136e5 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -72,6 +72,11 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2021-3416_9.patch \
           file://CVE-2021-3416_10.patch \
           file://CVE-2021-20257.patch \
+           file://CVE-2021-3544.patch \
+           file://CVE-2021-3544_2.patch \
+           file://CVE-2021-3544_3.patch \
+           file://CVE-2021-3544_4.patch \
+           file://CVE-2021-3544_5.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544.patch
new file mode 100644
index 0000000000..1b4fcbfb60
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544.patch
@@ -0,0 +1,29 @@
+vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544)
+Call 'vugbm_buffer_destroy' in error path to avoid resource leak.
+Fixes: CVE-2021-3544
+Reported-by: default avatarLi Qiang <liq3ea@163.com>
+Reviewed-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: default avatarLi Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-3-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
+Upstream-Status: Backport
+[vhost-user-gpu does not exist in 4.2.0]
+CVE: CVE-2021-3544
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+Index: qemu-4.2.0/contrib/vhost-user-gpu/main.c
+===================================================================
+--- qemu-4.2.0.orig/contrib/vhost-user-gpu/main.c
+++ qemu-4.2.0/contrib/vhost-user-gpu/main.c
+@@ -328,6 +328,7 @@ vg_resource_create_2d(VuGpu *g,
+         g_critical("%s: resource creation failed %d %d %d",
+                    __func__, c2d.resource_id, c2d.width, c2d.height);
+         g_free(res);
+        vugbm_buffer_destroy(&res->buffer);
+         cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY;
+         return;
+     }
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch
new file mode 100644
index 0000000000..36cbb127f8
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch
@@ -0,0 +1,39 @@
+vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544)
+Check whether the 'res' has already been attach_backing to avoid
+memory leak.
+Fixes: CVE-2021-3544
+Reported-by: default avatarLi Qiang <liq3ea@163.com>
+virtio-gpu fix: 204f01b3
+ ("virtio-gpu: fix memory leak
+ in resource attach backing")
+ Signed-off-by: default avatarLi Qiang <liq3ea@163.com>
+ Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com>
+ Message-Id: <20210516030403.107723-4-liq3ea@163.com>
+ Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
+Upstream-Status: Backport
+[vhost-user-gpu does not exist in 4.2.0 context]
+CVE: CVE-2021-3544
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+Index: qemu-4.2.0/contrib/vhost-user-gpu/main.c
+===================================================================
+--- qemu-4.2.0.orig/contrib/vhost-user-gpu/main.c
+++ qemu-4.2.0/contrib/vhost-user-gpu/main.c
+@@ -468,6 +468,11 @@ vg_resource_attach_backing(VuGpu *g,
+         return;
+     }
+ 
+    if (res->iov) {
+        cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
+        return;
+    }
+
+     ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov);
+     if (ret != 0) {
+         cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch
new file mode 100644
index 0000000000..c534f4c24f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch
@@ -0,0 +1,39 @@
+vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544)
+If the guest trigger following sequences, the attach_backing will be leaked:
+vg_resource_create_2d
+vg_resource_attach_backing
+vg_resource_unref
+This patch fix this by freeing 'res->iov' in vg_resource_destroy.
+Fixes: CVE-2021-3544
+Reported-by: default avatarLi Qiang <liq3ea@163.com>
+virtio-gpu fix: 5e8e3c4c
+("virtio-gpu: fix resource leak
+in virgl_cmd_resource_unref")
+Reviewed-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: default avatarLi Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-5-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
+Upstream-Status: Backport
+CVE: CVE-2021-3544
+[vhost-user-gpu does not exist in the 4.2.0]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+Index: qemu-4.2.0/contrib/vhost-user-gpu/main.c
+===================================================================
+--- qemu-4.2.0.orig/contrib/vhost-user-gpu/main.c
+++ qemu-4.2.0/contrib/vhost-user-gpu/main.c
+@@ -379,6 +379,7 @@ vg_resource_destroy(VuGpu *g,
+     }
+ 
+     vugbm_buffer_destroy(&res->buffer);
+    g_free(res->iov);
+     pixman_image_unref(res->image);
+     QTAILQ_REMOVE(&g->reslist, res, next);
+     g_free(res);
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch
new file mode 100644
index 0000000000..96e36eb854
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch
@@ -0,0 +1,46 @@
+vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' (CVE-2021-3544)
+The 'res->iov' will be leaked if the guest trigger following sequences:
+virgl_cmd_create_resource_2d
+virgl_resource_attach_backing
+virgl_cmd_resource_unref
+This patch fixes this.
+Fixes: CVE-2021-3544
+Reported-by: default avatarLi Qiang <liq3ea@163.com>
+virtio-gpu fix: 5e8e3c4c
+("virtio-gpu: fix resource leak
+in virgl_cmd_resource_unref"
+Signed-off-by: default avatarLi Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-6-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
+Upstream-Status: Backport
+CVE: CVE-2021-3544
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+Index: qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+===================================================================
+--- qemu-4.2.0.orig/contrib/vhost-user-gpu/virgl.c
+++ qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+@@ -105,9 +105,16 @@ virgl_cmd_resource_unref(VuGpu *g,
+                          struct virtio_gpu_ctrl_command *cmd)
+ {
+     struct virtio_gpu_resource_unref unref;
+    struct iovec *res_iovs = NULL;
+    int num_iovs = 0;
+ 
+     VUGPU_FILL_CMD(unref);
+ 
+    virgl_renderer_resource_detach_iov(unref.resource_id,
+            &res_iovs,
+            &num_iovs);
+    g_free(res_iovs);
+
+     virgl_renderer_resource_unref(unref.resource_id);
+ }
+ 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch
new file mode 100644
index 0000000000..e592ce50e2
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch
@@ -0,0 +1,47 @@
+From 63736af5a6571d9def93769431e0d7e38c6677bf Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:04:01 -0700
+Subject: [PATCH] vhost-user-gpu: fix memory leak in
+ 'virgl_resource_attach_backing' (CVE-2021-3544)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will
+be leaked.
+Fixes: CVE-2021-3544
+Reported-by: Li Qiang <liq3ea@163.com>
+virtio-gpu fix: 33243031da ("virtio-gpu-3d: fix memory leak
+in resource attach backing")
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-7-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Upstream-Status: Backport
+CVE: CVE-2021-3544
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ contrib/vhost-user-gpu/virgl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+Index: qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+===================================================================
+--- qemu-4.2.0.orig/contrib/vhost-user-gpu/virgl.c
+++ qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+@@ -283,8 +283,11 @@ virgl_resource_attach_backing(VuGpu *g,
+         return;
+     }
+ 
+-    virgl_renderer_resource_attach_iov(att_rb.resource_id,
+    ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
+                                        res_iovs, att_rb.nr_entries);
+    if (ret != 0) {
+        g_free(res_iovs);
+    }
+ }
+ 
+ static void
author	Armin Kuster <akuster@mvista.com>	2021-08-23 21:27:41 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-09-01 16:27:09 +0100
commit	0d253da7204bbba3fbdf6fa479bbb723e122e2bd (patch)
tree	d8b551a66282cb4db64b05e9f29805ec70832e68
parent	4ed9972582fc8cdfad5425e1952d7ce7590147cf (diff)
download	poky-0d253da7204bbba3fbdf6fa479bbb723e122e2bd.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 1ddb373115..90549136e5 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -72,6 +72,11 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
72	file://CVE-2021-3416_9.patch \	72	file://CVE-2021-3416_9.patch \
73	file://CVE-2021-3416_10.patch \	73	file://CVE-2021-3416_10.patch \
74	file://CVE-2021-20257.patch \	74	file://CVE-2021-20257.patch \
		75	file://CVE-2021-3544.patch \
		76	file://CVE-2021-3544_2.patch \
		77	file://CVE-2021-3544_3.patch \
		78	file://CVE-2021-3544_4.patch \
		79	file://CVE-2021-3544_5.patch \
75	"	80	"
76	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	81	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
77		82


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544.patch new file mode 100644 index 0000000000..1b4fcbfb60 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544.patch
@@ -0,0 +1,29 @@
		1	vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544)
		2
		3	Call 'vugbm_buffer_destroy' in error path to avoid resource leak.
		4
		5	Fixes: CVE-2021-3544
		6	Reported-by: default avatarLi Qiang <liq3ea@163.com>
		7	Reviewed-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
		8	Signed-off-by: default avatarLi Qiang <liq3ea@163.com>
		9	Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com>
		10	Message-Id: <20210516030403.107723-3-liq3ea@163.com>
		11	Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
		12
		13	Upstream-Status: Backport
		14	[vhost-user-gpu does not exist in 4.2.0]
		15	CVE: CVE-2021-3544
		16	Signed-off-by: Armin Kuster <akuster@mvista.com>
		17
		18	Index: qemu-4.2.0/contrib/vhost-user-gpu/main.c
		19	===================================================================
		20	--- qemu-4.2.0.orig/contrib/vhost-user-gpu/main.c
		21	+++ qemu-4.2.0/contrib/vhost-user-gpu/main.c
		22	@@ -328,6 +328,7 @@ vg_resource_create_2d(VuGpu *g,
		23	g_critical("%s: resource creation failed %d %d %d",
		24	__func__, c2d.resource_id, c2d.width, c2d.height);
		25	g_free(res);
		26	+ vugbm_buffer_destroy(&res->buffer);
		27	cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY;
		28	return;
		29	}


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch new file mode 100644 index 0000000000..36cbb127f8 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch
@@ -0,0 +1,39 @@
		1	vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544)
		2
		3
		4	Check whether the 'res' has already been attach_backing to avoid
		5	memory leak.
		6
		7	Fixes: CVE-2021-3544
		8	Reported-by: default avatarLi Qiang <liq3ea@163.com>
		9	virtio-gpu fix: 204f01b3
		10
		11	("virtio-gpu: fix memory leak
		12	in resource attach backing")
		13	Signed-off-by: default avatarLi Qiang <liq3ea@163.com>
		14	Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com>
		15	Message-Id: <20210516030403.107723-4-liq3ea@163.com>
		16	Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
		17
		18	Upstream-Status: Backport
		19	[vhost-user-gpu does not exist in 4.2.0 context]
		20	CVE: CVE-2021-3544
		21	Signed-off-by: Armin Kuster <akuster@mvista.com>
		22
		23
		24	Index: qemu-4.2.0/contrib/vhost-user-gpu/main.c
		25	===================================================================
		26	--- qemu-4.2.0.orig/contrib/vhost-user-gpu/main.c
		27	+++ qemu-4.2.0/contrib/vhost-user-gpu/main.c
		28	@@ -468,6 +468,11 @@ vg_resource_attach_backing(VuGpu *g,
		29	return;
		30	}
		31
		32	+ if (res->iov) {
		33	+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
		34	+ return;
		35	+ }
		36	+
		37	ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov);
		38	if (ret != 0) {
		39	cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch new file mode 100644 index 0000000000..c534f4c24f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch
@@ -0,0 +1,39 @@
		1	vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544)
		2
		3	If the guest trigger following sequences, the attach_backing will be leaked:
		4
		5	vg_resource_create_2d
		6	vg_resource_attach_backing
		7	vg_resource_unref
		8
		9	This patch fix this by freeing 'res->iov' in vg_resource_destroy.
		10
		11	Fixes: CVE-2021-3544
		12	Reported-by: default avatarLi Qiang <liq3ea@163.com>
		13	virtio-gpu fix: 5e8e3c4c
		14
		15	("virtio-gpu: fix resource leak
		16	in virgl_cmd_resource_unref")
		17	Reviewed-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
		18	Signed-off-by: default avatarLi Qiang <liq3ea@163.com>
		19	Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com>
		20	Message-Id: <20210516030403.107723-5-liq3ea@163.com>
		21	Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
		22
		23	Upstream-Status: Backport
		24	CVE: CVE-2021-3544
		25	[vhost-user-gpu does not exist in the 4.2.0]
		26	Signed-off-by: Armin Kuster <akuster@mvista.com>
		27
		28	Index: qemu-4.2.0/contrib/vhost-user-gpu/main.c
		29	===================================================================
		30	--- qemu-4.2.0.orig/contrib/vhost-user-gpu/main.c
		31	+++ qemu-4.2.0/contrib/vhost-user-gpu/main.c
		32	@@ -379,6 +379,7 @@ vg_resource_destroy(VuGpu *g,
		33	}
		34
		35	vugbm_buffer_destroy(&res->buffer);
		36	+ g_free(res->iov);
		37	pixman_image_unref(res->image);
		38	QTAILQ_REMOVE(&g->reslist, res, next);
		39	g_free(res);


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch new file mode 100644 index 0000000000..96e36eb854 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch
@@ -0,0 +1,46 @@
		1	vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' (CVE-2021-3544)
		2
		3	The 'res->iov' will be leaked if the guest trigger following sequences:
		4
		5	virgl_cmd_create_resource_2d
		6	virgl_resource_attach_backing
		7	virgl_cmd_resource_unref
		8
		9	This patch fixes this.
		10
		11	Fixes: CVE-2021-3544
		12	Reported-by: default avatarLi Qiang <liq3ea@163.com>
		13	virtio-gpu fix: 5e8e3c4c
		14
		15	("virtio-gpu: fix resource leak
		16	in virgl_cmd_resource_unref"
		17	Signed-off-by: default avatarLi Qiang <liq3ea@163.com>
		18	Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com>
		19	Message-Id: <20210516030403.107723-6-liq3ea@163.com>
		20	Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
		21
		22	Upstream-Status: Backport
		23	CVE: CVE-2021-3544
		24	Signed-off-by: Armin Kuster <akuster@mvista.com>
		25
		26	Index: qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
		27	===================================================================
		28	--- qemu-4.2.0.orig/contrib/vhost-user-gpu/virgl.c
		29	+++ qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
		30	@@ -105,9 +105,16 @@ virgl_cmd_resource_unref(VuGpu *g,
		31	struct virtio_gpu_ctrl_command *cmd)
		32	{
		33	struct virtio_gpu_resource_unref unref;
		34	+ struct iovec *res_iovs = NULL;
		35	+ int num_iovs = 0;
		36
		37	VUGPU_FILL_CMD(unref);
		38
		39	+ virgl_renderer_resource_detach_iov(unref.resource_id,
		40	+ &res_iovs,
		41	+ &num_iovs);
		42	+ g_free(res_iovs);
		43	+
		44	virgl_renderer_resource_unref(unref.resource_id);
		45	}
		46


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch new file mode 100644 index 0000000000..e592ce50e2 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch
@@ -0,0 +1,47 @@
		1	From 63736af5a6571d9def93769431e0d7e38c6677bf Mon Sep 17 00:00:00 2001
		2	From: Li Qiang <liq3ea@163.com>
		3	Date: Sat, 15 May 2021 20:04:01 -0700
		4	Subject: [PATCH] vhost-user-gpu: fix memory leak in
		5	'virgl_resource_attach_backing' (CVE-2021-3544)
		6	MIME-Version: 1.0
		7	Content-Type: text/plain; charset=UTF-8
		8	Content-Transfer-Encoding: 8bit
		9
		10	If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will
		11	be leaked.
		12
		13	Fixes: CVE-2021-3544
		14	Reported-by: Li Qiang <liq3ea@163.com>
		15	virtio-gpu fix: 33243031da ("virtio-gpu-3d: fix memory leak
		16	in resource attach backing")
		17
		18	Signed-off-by: Li Qiang <liq3ea@163.com>
		19	Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
		20	Message-Id: <20210516030403.107723-7-liq3ea@163.com>
		21	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
		22
		23	Upstream-Status: Backport
		24	CVE: CVE-2021-3544
		25	Signed-off-by: Armin Kuster <akuster@mvista.com>
		26
		27	---
		28	contrib/vhost-user-gpu/virgl.c \| 5 ++++-
		29	1 file changed, 4 insertions(+), 1 deletion(-)
		30
		31	Index: qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
		32	===================================================================
		33	--- qemu-4.2.0.orig/contrib/vhost-user-gpu/virgl.c
		34	+++ qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
		35	@@ -283,8 +283,11 @@ virgl_resource_attach_backing(VuGpu *g,
		36	return;
		37	}
		38
		39	- virgl_renderer_resource_attach_iov(att_rb.resource_id,
		40	+ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
		41	res_iovs, att_rb.nr_entries);
		42	+ if (ret != 0) {
		43	+ g_free(res_iovs);
		44	+ }
		45	}
		46
		47	static void