From 364d9e830275ed103a6f3b48d78138fba5f824d3 Mon Sep 17 00:00:00 2001 From: Li Qiang Date: Tue, 15 Jun 2021 09:53:22 +0800 Subject: [PATCH 1/7] vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix CVE-2021-3544 Call 'vugbm_buffer_destroy' in error path to avoid resource leak. Fixes: CVE-2021-3544 Reported-by: default avatarLi Qiang Reviewed-by: default avatarPrasad J Pandit Signed-off-by: default avatarLi Qiang Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau Message-Id: <20210516030403.107723-3-liq3ea@163.com> Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann Signed-off-by: Jiajie Li --- contrib/vhost-user-gpu/main.c | 1 + 1 file changed, 1 insertion(+) diff --git a/contrib/vhost-user-gpu/main.c b/contrib/vhost-user-gpu/main.c index b45d2019b4..f69af7d17f 100644 --- a/contrib/vhost-user-gpu/main.c +++ b/contrib/vhost-user-gpu/main.c @@ -328,6 +328,7 @@ vg_resource_create_2d(VuGpu *g, g_critical("%s: resource creation failed %d %d %d", __func__, c2d.resource_id, c2d.width, c2d.height); g_free(res); + vugbm_buffer_destroy(&res->buffer); cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY; return; } -- Gitee From fe5a0f6e7d92fcc8cae75db4d68d18302e6afd1e Mon Sep 17 00:00:00 2001 From: Li Qiang Date: Tue, 15 Jun 2021 09:56:42 +0800 Subject: [PATCH 2/7] vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix CVE-2021-3544 Check whether the 'res' has already been attach_backing to avoid memory leak. Fixes: CVE-2021-3544 Reported-by: default avatarLi Qiang virtio-gpu fix: 204f01b3 ("virtio-gpu: fix memory leak in resource attach backing") Signed-off-by: default avatarLi Qiang Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau Message-Id: <20210516030403.107723-4-liq3ea@163.com> Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann Signed-off-by: Jiajie Li --- contrib/vhost-user-gpu/main.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/contrib/vhost-user-gpu/main.c b/contrib/vhost-user-gpu/main.c index f69af7d17f..4f087d6000 100644 --- a/contrib/vhost-user-gpu/main.c +++ b/contrib/vhost-user-gpu/main.c @@ -468,6 +468,11 @@ vg_resource_attach_backing(VuGpu *g, return; } + if (res->iov) { + cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; + return; + } + ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov); if (ret != 0) { cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; -- Gitee From 6dab7254252413652148b5ae8a2c9a728fe7f18e Mon Sep 17 00:00:00 2001 From: Li Qiang Date: Tue, 15 Jun 2021 10:02:08 +0800 Subject: [PATCH 3/7] vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix CVE-2021-3544 If the guest trigger following sequences, the attach_backing will be leaked: vg_resource_create_2d vg_resource_attach_backing vg_resource_unref This patch fix this by freeing 'res->iov' in vg_resource_destroy. Fixes: CVE-2021-3544 Reported-by: default avatarLi Qiang virtio-gpu fix: 5e8e3c4c ("virtio-gpu: fix resource leak in virgl_cmd_resource_unref") Reviewed-by: default avatarPrasad J Pandit Signed-off-by: default avatarLi Qiang Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau Message-Id: <20210516030403.107723-5-liq3ea@163.com> Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann Signed-off-by: Jiajie Li --- contrib/vhost-user-gpu/main.c | 1 + 1 file changed, 1 insertion(+) diff --git a/contrib/vhost-user-gpu/main.c b/contrib/vhost-user-gpu/main.c index 4f087d6000..43d9851800 100644 --- a/contrib/vhost-user-gpu/main.c +++ b/contrib/vhost-user-gpu/main.c @@ -379,6 +379,7 @@ vg_resource_destroy(VuGpu *g, } vugbm_buffer_destroy(&res->buffer); + g_free(res->iov); pixman_image_unref(res->image); QTAILQ_REMOVE(&g->reslist, res, next); g_free(res); -- Gitee From 65408d889ca5512b1c077bcc23558798884a5de4 Mon Sep 17 00:00:00 2001 From: Li Qiang Date: Tue, 15 Jun 2021 10:05:40 +0800 Subject: [PATCH 4/7] vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' (CVE-2021-3544) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix CVE-2021-3544 The 'res->iov' will be leaked if the guest trigger following sequences: virgl_cmd_create_resource_2d virgl_resource_attach_backing virgl_cmd_resource_unref This patch fixes this. Fixes: CVE-2021-3544 Reported-by: default avatarLi Qiang virtio-gpu fix: 5e8e3c4c ("virtio-gpu: fix resource leak in virgl_cmd_resource_unref" Signed-off-by: default avatarLi Qiang Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau Message-Id: <20210516030403.107723-6-liq3ea@163.com> Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann Signed-off-by: Jiajie Li --- contrib/vhost-user-gpu/virgl.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c index 43413e29df..4b8b536edf 100644 --- a/contrib/vhost-user-gpu/virgl.c +++ b/contrib/vhost-user-gpu/virgl.c @@ -105,8 +105,14 @@ virgl_cmd_resource_unref(VuGpu *g, struct virtio_gpu_ctrl_command *cmd) { struct virtio_gpu_resource_unref unref; + struct iovec *res_iovs = NULL; + int num_iovs = 0; VUGPU_FILL_CMD(unref); + virgl_renderer_resource_detach_iov(unref.resource_id, + &res_iovs, + &num_iovs); + g_free(res_iovs); virgl_renderer_resource_unref(unref.resource_id); } -- Gitee From 00d9f711d18b7a5b35223fa1e2fa7a7347cb9639 Mon Sep 17 00:00:00 2001 From: Li Qiang Date: Tue, 15 Jun 2021 10:09:13 +0800 Subject: [PATCH 5/7] vhost-user-gpu: fix memory leak in 'virgl_resource_attach_backing' (CVE-2021-3544) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix CVE-2021-3544 If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will be leaked. Fixes: CVE-2021-3544 Reported-by: default avatarLi Qiang virtio-gpu fix: 33243031 ("virtio-gpu-3d: fix memory leak in resource attach backing") Signed-off-by: default avatarLi Qiang Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau Message-Id: <20210516030403.107723-7-liq3ea@163.com> Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann Signed-off-by: Jiajie Li --- contrib/vhost-user-gpu/virgl.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c index 4b8b536edf..79556df094 100644 --- a/contrib/vhost-user-gpu/virgl.c +++ b/contrib/vhost-user-gpu/virgl.c @@ -282,8 +282,11 @@ virgl_resource_attach_backing(VuGpu *g, return; } - virgl_renderer_resource_attach_iov(att_rb.resource_id, + ret = virgl_renderer_resource_attach_iov(att_rb.resource_id, res_iovs, att_rb.nr_entries); + if (ret != 0) { + g_free(res_iovs); + } } static void -- Gitee From a1ccbbbcb8a87401e89d955ba5e665b6f379686e Mon Sep 17 00:00:00 2001 From: Li Qiang Date: Tue, 15 Jun 2021 10:11:17 +0800 Subject: [PATCH 6/7] vhost-user-gpu: fix memory disclosure in virgl_cmd_get_capset_info (CVE-2021-3545) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix CVE-2021-3544 Otherwise some of the 'resp' will be leaked to guest. Fixes: CVE-2021-3545 Reported-by: default avatarLi Qiang virtio-gpu fix: 42a8dadc ("virtio-gpu: fix information leak in getting capset info dispatch") Signed-off-by: default avatarLi Qiang Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau Message-Id: <20210516030403.107723-2-liq3ea@163.com> Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann Signed-off-by: Jiajie Li --- contrib/vhost-user-gpu/virgl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c index 79556df094..44e79ab82a 100644 --- a/contrib/vhost-user-gpu/virgl.c +++ b/contrib/vhost-user-gpu/virgl.c @@ -131,6 +131,7 @@ virgl_cmd_get_capset_info(VuGpu *g, VUGPU_FILL_CMD(info); + memset(&resp, 0, sizeof(resp)); if (info.capset_index == 0) { resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL; virgl_renderer_get_cap_set(resp.capset_id, -- Gitee From ea20075b55c9fe2f74a018d2d3465babb2bbbb55 Mon Sep 17 00:00:00 2001 From: Li Qiang Date: Tue, 15 Jun 2021 10:14:06 +0800 Subject: [PATCH 7/7] vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset' (CVE-2021-3546) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix CVE-2021-3544 If 'virgl_cmd_get_capset' set 'max_size' to 0, the 'virgl_renderer_fill_caps' will write the data after the 'resp'. This patch avoid this by checking the returned 'max_size'. virtio-gpu fix: abd7f08b ("display: virtio-gpu-3d: check virgl capabilities max_size") Fixes: CVE-2021-3546 Reported-by: default avatarLi Qiang Reviewed-by: default avatarPrasad J Pandit Signed-off-by: default avatarLi Qiang Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau Message-Id: <20210516030403.107723-8-liq3ea@163.com> Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann Signed-off-by: Jiajie Li --- contrib/vhost-user-gpu/virgl.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c index 44e79ab82a..ad2834902b 100644 --- a/contrib/vhost-user-gpu/virgl.c +++ b/contrib/vhost-user-gpu/virgl.c @@ -173,6 +173,10 @@ virgl_cmd_get_capset(VuGpu *g, virgl_renderer_get_cap_set(gc.capset_id, &max_ver, &max_size); + if (!max_size) { + cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; + return; + } resp = g_malloc0(sizeof(*resp) + max_size); resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET; -- Gitee