Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package qemu for openSUSE:Factory checked in at 2021-06-18 10:13:26 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/qemu (Old) and /work/SRC/openSUSE:Factory/.qemu.new.2625 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "qemu" Fri Jun 18 10:13:26 2021 rev:206 rq:900191 version:unknown Changes: -------- --- /work/SRC/openSUSE:Factory/qemu/qemu.changes 2021-06-09 21:54:55.334754955 +0200 +++ /work/SRC/openSUSE:Factory/.qemu.new.2625/qemu.changes 2021-06-18 10:13:35.805979215 +0200 
@@ -1,0 +2,30 @@ +Fri Jun 11 18:15:25 UTC 2021 - José Ricardo Ziviani <[email protected]> + +- Improve compatibility with gcc 11: + target-sh4-Return-error-if-CPUClass-get_.patch + tcg-arm-Fix-tcg_out_op-function-signatur.patch + +------------------------------------------------------------------- +Wed Jun 9 13:23:54 UTC 2021 - José Ricardo Ziviani <[email protected]> + +- Enable zstd compression option to qcow2 + +------------------------------------------------------------------- +Mon Jun 7 18:13:50 UTC 2021 - José Ricardo Ziviani <[email protected]> + +- Fix out-of-bounds write in virgl_cmd_get_capset + CVE-2021-3546 bsc#1185981 + vhost-user-gpu-abstract-vg_cleanup_mappi.patch +- Fix memory leaks found in the virtio vhost-user GPU device + CVE-2021-3544 bsc#1186010 + vhost-user-gpu-fix-leak-in-virgl_cmd_res.patch + vhost-user-gpu-fix-leak-in-virgl_resourc.patch + vhost-user-gpu-fix-memory-disclosure-in-.patch + vhost-user-gpu-fix-memory-leak-in-vg_res.patch + vhost-user-gpu-fix-memory-leak-while-cal.patch + vhost-user-gpu-fix-OOB-write-in-virgl_cm.patch +- Fix information disclosure due to uninitialized memory read + CVE-2021-3545 bsc#1185990 + vhost-user-gpu-fix-resource-leak-in-vg_r.patch + +------------------------------------------------------------------- New: ---- target-sh4-Return-error-if-CPUClass-get_.patch tcg-arm-Fix-tcg_out_op-function-signatur.patch vhost-user-gpu-abstract-vg_cleanup_mappi.patch vhost-user-gpu-fix-OOB-write-in-virgl_cm.patch vhost-user-gpu-fix-leak-in-virgl_cmd_res.patch vhost-user-gpu-fix-leak-in-virgl_resourc.patch vhost-user-gpu-fix-memory-disclosure-in-.patch vhost-user-gpu-fix-memory-leak-in-vg_res.patch vhost-user-gpu-fix-memory-leak-while-cal.patch vhost-user-gpu-fix-resource-leak-in-vg_r.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ qemu.spec ++++++ --- /var/tmp/diff_new_pack.kb2kXq/_old 2021-06-18 10:13:37.717981742 +0200 +++ 
/var/tmp/diff_new_pack.kb2kXq/_new 2021-06-18 10:13:37.721981748 +0200 @@ -192,6 +192,16 @@ Patch00057: virtio-Fail-if-iommu_platform-is-request.patch Patch00058: vhost-user-blk-Check-that-num-queues-is-.patch Patch00059: vfio-ccw-Permit-missing-IRQs.patch +Patch00060: vhost-user-gpu-fix-memory-disclosure-in-.patch +Patch00061: vhost-user-gpu-fix-resource-leak-in-vg_r.patch +Patch00062: vhost-user-gpu-fix-memory-leak-in-vg_res.patch +Patch00063: vhost-user-gpu-fix-memory-leak-while-cal.patch +Patch00064: vhost-user-gpu-fix-leak-in-virgl_cmd_res.patch +Patch00065: vhost-user-gpu-fix-leak-in-virgl_resourc.patch +Patch00066: vhost-user-gpu-fix-OOB-write-in-virgl_cm.patch +Patch00067: vhost-user-gpu-abstract-vg_cleanup_mappi.patch +Patch00068: target-sh4-Return-error-if-CPUClass-get_.patch +Patch00069: tcg-arm-Fix-tcg_out_op-function-signatur.patch # Patches applied in roms/seabios/: Patch01000: seabios-use-python2-explicitly-as-needed.patch Patch01001: seabios-switch-to-python3-as-needed.patch @@ -336,6 +346,7 @@ %if %{build_x86_firmware_from_source} BuildRequires: pkgconfig(liblzma) %endif +BuildRequires: pkgconfig(libzstd) BuildRequires: pkgconfig(zlib) %if "%{name}" == "qemu" Requires: group(kvm) @@ -1084,6 +1095,16 @@ %patch00057 -p1 %patch00058 -p1 %patch00059 -p1 +%patch00060 -p1 +%patch00061 -p1 +%patch00062 -p1 +%patch00063 -p1 +%patch00064 -p1 +%patch00065 -p1 +%patch00066 -p1 +%patch00067 -p1 +%patch00068 -p1 +%patch00069 -p1 %patch01000 -p1 %patch01001 -p1 %patch01002 -p1 
@@ -1350,6 +1371,7 @@ --enable-vvfat \ --enable-werror \ --disable-whpx \ + --enable-zstd \ %ifarch x86_64 --enable-xen \ --enable-xen-pci-passthrough \ ++++++ bundles.tar.xz ++++++ Binary files old/609d7596524ab204ccd71ef42c9eee4c7c338ea4.bundle and new/609d7596524ab204ccd71ef42c9eee4c7c338ea4.bundle differ Binary files old/roms/ipxe/4bd064de239dab2426b31c9789a1f4d78087dc63.bundle and new/roms/ipxe/4bd064de239dab2426b31c9789a1f4d78087dc63.bundle differ Binary files old/roms/qboot/a5300c4949b8d4de2d34bedfaed66793f48ec948.bundle and new/roms/qboot/a5300c4949b8d4de2d34bedfaed66793f48ec948.bundle differ Binary files old/roms/seabios/155821a1990b6de78dde5f98fa5ab90e802021e0.bundle and new/roms/seabios/155821a1990b6de78dde5f98fa5ab90e802021e0.bundle differ Binary files old/roms/sgabios/cbaee52287e5f32373181cff50a00b6c4ac9015a.bundle and new/roms/sgabios/cbaee52287e5f32373181cff50a00b6c4ac9015a.bundle differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/roms/skiboot/repo new/roms/skiboot/repo --- old/roms/skiboot/repo 1970-01-01 01:00:00.000000000 +0100 +++ new/roms/skiboot/repo 2021-06-14 21:18:37.000000000 +0200 @@ -0,0 +1 @@ +https://github.com/openSUSE/qemu-skiboot.git ++++++ qemu.spec.in ++++++ --- /var/tmp/diff_new_pack.kb2kXq/_old 2021-06-18 10:13:38.165982335 +0200 +++ /var/tmp/diff_new_pack.kb2kXq/_new 2021-06-18 10:13:38.169982340 +0200 @@ -257,6 +257,7 @@ BuildRequires: pkgconfig(liblzma) %endif BuildRequires: pkgconfig(zlib) +BuildRequires: pkgconfig(libzstd) %if "%{name}" == "qemu" Requires: group(kvm) Requires: group(qemu) @@ -1191,6 +1192,7 @@ --enable-vvfat \ --enable-werror \ --disable-whpx \ + --enable-zstd \ %ifarch x86_64 --enable-xen \ --enable-xen-pci-passthrough \ ++++++ target-sh4-Return-error-if-CPUClass-get_.patch ++++++ 
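Review bot: in the qemu.changes hunk the patch file names are attached to the wrong bullets. The CVE-2021-3546 bullet (out-of-bounds write in virgl_cmd_get_capset) lists vhost-user-gpu-abstract-vg_cleanup_mappi.patch, while vhost-user-gpu-fix-OOB-write-in-virgl_cm.patch sits under the CVE-2021-3544 memory-leak bullet together with vhost-user-gpu-fix-memory-disclosure-in-.patch, and the CVE-2021-3545 bullet lists vhost-user-gpu-fix-resource-leak-in-vg_r.patch, whose own header says CVE-2021-3544. Match each file to the CVE on its References: line: the OOB-write patch under 3546, the memory-disclosure patch under 3545, the five leak fixes under 3544, and the abstract-vg_cleanup_mapping_iov helper (which references all three) wherever the package prefers, but not as the sole entry for 3546.

Review bot: the libzstd BuildRequires lands at different positions in the two spec files: qemu.spec inserts `BuildRequires: pkgconfig(libzstd)` before pkgconfig(zlib), qemu.spec.in inserts it after. If qemu.spec is regenerated from qemu.spec.in, the next regeneration will move the line and produce a spurious diff; use the same order in both files, as was done for the `--enable-zstd \` configure line, which is added identically in both.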
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <[email protected]> Date: Wed, 5 May 2021 18:10:46 +0200 Subject: target/sh4: Return error if CPUClass::get_phys_page_debug() fails MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Git-commit: 52a1c621f9d56d18212273c64b4119513a2db1f1 If the get_physical_address() call fails, the SH4 get_phys_page_debug() handler returns an uninitialized address. Instead return -1, which corresponds to "no page found" (see cpu_get_phys_page_debug() doc string). This fixes a warning emitted when building with CFLAGS=-O3 (using GCC 10.2.1 20201125): target/sh4/helper.c: In function ‘superh_cpu_get_phys_page_debug’: target/sh4/helper.c:446:12: warning: ‘physical’ may be used uninitialized in this function [-Wmaybe-uninitialized] 446 | return physical; | ^~~~~~~~ Signed-off-by: Philippe Mathieu-Daudé <[email protected]> Reviewed-by: Richard Henderson <[email protected]> Reviewed-by: Yoshinori Sato <[email protected]> Message-Id: <[email protected]> Signed-off-by: Laurent Vivier <[email protected]> Signed-off-by: Jose R. Ziviani <[email protected]> --- target/sh4/helper.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/target/sh4/helper.c b/target/sh4/helper.c index bd8e034f174d530354913acb7fa1..2d622081e85afec6e40034c24508 100644 --- a/target/sh4/helper.c +++ b/target/sh4/helper.c @@ -441,9 +441,12 @@ hwaddr superh_cpu_get_phys_page_debug(CPUState *cs, vaddr addr) target_ulong physical; int prot; - get_physical_address(&cpu->env, &physical, &prot, addr, MMU_DATA_LOAD); + if (get_physical_address(&cpu->env, &physical, &prot, addr, MMU_DATA_LOAD) + == MMU_OK) { + return physical; + } - return physical; + return -1; } void cpu_load_tlb(CPUSH4State * env) ++++++ tcg-arm-Fix-tcg_out_op-function-signatur.patch ++++++ 
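Review bot: in the superh_cpu_get_phys_page_debug hunk, the fallback `return -1;` is silently converted to the unsigned `hwaddr` return type; that all-ones value is the documented "no page found" sentinel the message cites, but a reader of the function sees a negative constant replacing the old uninitialized return. Write it as `return (hwaddr)-1;` or add a one-line comment pointing at the cpu_get_phys_page_debug() contract so the intent survives the next refactor. `prot` is now only written by get_physical_address() and never read, which is fine since the out-parameter is mandatory, but worth a short comment too.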
From: "Jose R. Ziviani" <[email protected]> Date: Thu, 10 Jun 2021 19:44:50 -0300 Subject: tcg/arm: Fix tcg_out_op function signature Git-commit: c372565d08e278d6e65a54c8b5ab082bd63234ea Commit 5e8892db93 fixed several function signatures but tcg_out_op for arm is missing. This patch fixes it as well. Signed-off-by: Jose R. Ziviani <[email protected]> Message-Id: <[email protected]> Signed-off-by: Richard Henderson <[email protected]> Signed-off-by: Jose R. Ziviani <[email protected]> --- tcg/arm/tcg-target.c.inc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tcg/arm/tcg-target.c.inc b/tcg/arm/tcg-target.c.inc index 8457108a87a17c2628f5a5c83115..cd9ae20037f30c2075cd0bfa5ff5 100644 --- a/tcg/arm/tcg-target.c.inc +++ b/tcg/arm/tcg-target.c.inc @@ -1710,7 +1710,8 @@ static void tcg_out_qemu_st(TCGContext *s, const TCGArg *args, bool is64) static void tcg_out_epilogue(TCGContext *s); static inline void tcg_out_op(TCGContext *s, TCGOpcode opc, - const TCGArg *args, const int *const_args) + const TCGArg args[TCG_MAX_OP_ARGS], + const int const_args[TCG_MAX_OP_ARGS]) { TCGArg a0, a1, a2, a3, a4, a5; int c; ++++++ update_git.sh ++++++ --- /var/tmp/diff_new_pack.kb2kXq/_old 2021-06-18 10:13:38.289982498 +0200 +++ /var/tmp/diff_new_pack.kb2kXq/_new 2021-06-18 10:13:38.293982504 +0200 @@ -237,6 +237,12 @@ git -C $GIT_DIR/$SUBDIR bundle create $BUN_DIR/$SUBDIR$GITREPO_COMMIT_ISH.bundle $GITREPO_COMMIT_ISH..FETCH_HEAD #TODO: post-process repo info to avoid un-needed diffs (eg git vs https) git -C $(readlink -f ${LOCAL_REPO_MAP[$PATCH_RANGE_INDEX]}) remote get-url origin >$BUN_DIR/$SUBDIR/repo + else + local localbundle="$BUN_DIR/$SUBDIR$GITREPO_COMMIT_ISH.bundle" + if [[ -f "$localbundle" ]]; then + echo "Removing existing $localbundle" + rm "$localbundle" + fi fi fi fi ++++++ vhost-user-gpu-abstract-vg_cleanup_mappi.patch ++++++ 
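Review bot: in the tcg_out_op hunk, replacing `const TCGArg *args` with `const TCGArg args[TCG_MAX_OP_ARGS]` (and likewise for const_args) generates identical code, since an array parameter decays to a pointer; the change only makes this definition agree with the prototype adjusted in 5e8892db93, which is what GCC 11's -Warray-parameter complains about and what turns fatal under the `--enable-werror` the spec passes. The commit message should say that explicitly instead of only "tcg_out_op for arm is missing", and since the matching declaration is not in the visible context, confirm the bound TCG_MAX_OP_ARGS is the one used there, otherwise the warning persists.

Review bot: the new `else` branch in update_git.sh removes a stale `$localbundle` only when `[[ -f "$localbundle" ]]` holds, so a leftover directory or dangling symlink of the same name survives and will still shadow the bundle that would otherwise be created; consider `[[ -e ]]` with `rm -rf`, or at least `rm -f` so a write-protected bundle does not make `rm` prompt when the script is run from a terminal. The echo to stdout is fine for an interactive maintainer script.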
From: Li Qiang <[email protected]> Date: Sat, 15 May 2021 20:04:03 -0700 Subject: vhost-user-gpu: abstract vg_cleanup_mapping_iov MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Git-commit: 3ea32d1355d446057c17458238db2749c52ee8f0 References: CVE-2021-3546 bsc#1185981 CVE-2021-3545 bsc#1185990 CVE-2021-3544 bsc#1186010 Currently in vhost-user-gpu, we free resource directly in the cleanup case of resource. If we change the cleanup logic we need to change several places; also, abstracting a 'vg_create_mapping_iov' can be symmetric with the 'vg_create_mapping_iov'. This is like what virtio-gpu does, no function changed. Signed-off-by: Li Qiang <[email protected]> Reviewed-by: Marc-André Lureau <[email protected]> Message-Id: <[email protected]> Signed-off-by: Gerd Hoffmann <[email protected]> Signed-off-by: Jose R. Ziviani <[email protected]> --- contrib/vhost-user-gpu/vhost-user-gpu.c | 24 ++++++++++++++++++++---- contrib/vhost-user-gpu/virgl.c | 9 +++++---- contrib/vhost-user-gpu/vugpu.h | 2 +- 3 files changed, 26 insertions(+), 9 deletions(-) diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c index 770dfad52989b2651eea67fdbb1b..6dc6a44f4e263bfb31ba9ba6ff32 100644 --- a/contrib/vhost-user-gpu/vhost-user-gpu.c +++ b/contrib/vhost-user-gpu/vhost-user-gpu.c @@ -49,6 +49,8 @@ static char *opt_render_node; static gboolean opt_virgl; static void vg_handle_ctrl(VuDev *dev, int qidx); +static void vg_cleanup_mapping(VuGpu *g, + struct virtio_gpu_simple_resource *res); static const char * vg_cmd_to_string(int cmd) @@ -400,7 +402,7 @@ vg_resource_destroy(VuGpu *g, } vugbm_buffer_destroy(&res->buffer); - g_free(res->iov); + vg_cleanup_mapping(g, res); pixman_image_unref(res->image); QTAILQ_REMOVE(&g->reslist, res, next); g_free(res); 
@@ -504,6 +506,22 @@ vg_resource_attach_backing(VuGpu *g, res->iov_cnt = ab.nr_entries; } +/* Though currently only free iov, maybe later will do more work. */ +void vg_cleanup_mapping_iov(VuGpu *g, + struct iovec *iov, uint32_t count) +{ + g_free(iov); +} + +static void +vg_cleanup_mapping(VuGpu *g, + struct virtio_gpu_simple_resource *res) +{ + vg_cleanup_mapping_iov(g, res->iov, res->iov_cnt); + res->iov = NULL; + res->iov_cnt = 0; +} + static void vg_resource_detach_backing(VuGpu *g, struct virtio_gpu_ctrl_command *cmd) @@ -522,9 +540,7 @@ vg_resource_detach_backing(VuGpu *g, return; } - g_free(res->iov); - res->iov = NULL; - res->iov_cnt = 0; + vg_cleanup_mapping(g, res); } static void diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c index 7172104b19d7a79eb7cc3404e09f..3e45e1bd33600fe5d91c0eea3af8 100644 --- a/contrib/vhost-user-gpu/virgl.c +++ b/contrib/vhost-user-gpu/virgl.c @@ -116,8 +116,9 @@ virgl_cmd_resource_unref(VuGpu *g, virgl_renderer_resource_detach_iov(unref.resource_id, &res_iovs, &num_iovs); - g_free(res_iovs); - + if (res_iovs != NULL && num_iovs != 0) { + vg_cleanup_mapping_iov(g, res_iovs, num_iovs); + } virgl_renderer_resource_unref(unref.resource_id); } @@ -294,7 +295,7 @@ virgl_resource_attach_backing(VuGpu *g, ret = virgl_renderer_resource_attach_iov(att_rb.resource_id, res_iovs, att_rb.nr_entries); if (ret != 0) { - g_free(res_iovs); + vg_cleanup_mapping_iov(g, res_iovs, att_rb.nr_entries); } } @@ -314,7 +315,7 @@ virgl_resource_detach_backing(VuGpu *g, if (res_iovs == NULL || num_iovs == 0) { return; } - g_free(res_iovs); + vg_cleanup_mapping_iov(g, res_iovs, num_iovs); } static void diff --git a/contrib/vhost-user-gpu/vugpu.h b/contrib/vhost-user-gpu/vugpu.h index 04d56158123d3ee1c271302d8f8a..e2864bba68e0d9c1228eb7745c50 100644 --- a/contrib/vhost-user-gpu/vugpu.h +++ b/contrib/vhost-user-gpu/vugpu.h 
@@ -169,7 +169,7 @@ int vg_create_mapping_iov(VuGpu *g, struct virtio_gpu_resource_attach_backing *ab, struct virtio_gpu_ctrl_command *cmd, struct iovec **iov); - +void vg_cleanup_mapping_iov(VuGpu *g, struct iovec *iov, uint32_t count); void vg_get_display_info(VuGpu *vg, struct virtio_gpu_ctrl_command *cmd); void vg_wait_ok(VuGpu *g); ++++++ vhost-user-gpu-fix-OOB-write-in-virgl_cm.patch ++++++ From: Li Qiang <[email protected]> Date: Sat, 15 May 2021 20:04:02 -0700 Subject: vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset' (CVE-2021-3546) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Git-commit: 9f22893adcb02580aee5968f32baa2cd109b3ec2 References: CVE-2021-3546 bsc#1185981 If 'virgl_cmd_get_capset' set 'max_size' to 0, the 'virgl_renderer_fill_caps' will write the data after the 'resp'. This patch avoid this by checking the returned 'max_size'. virtio-gpu fix: abd7f08b23 ("display: virtio-gpu-3d: check virgl capabilities max_size") Fixes: CVE-2021-3546 Reported-by: Li Qiang <[email protected]> Reviewed-by: Prasad J Pandit <[email protected]> Signed-off-by: Li Qiang <[email protected]> Reviewed-by: Marc-André Lureau <[email protected]> Message-Id: <[email protected]> Signed-off-by: Gerd Hoffmann <[email protected]> Signed-off-by: Jose R. Ziviani <[email protected]> --- contrib/vhost-user-gpu/virgl.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c index a16a311d80df19294e4330f7d004..7172104b19d7a79eb7cc3404e09f 100644 --- a/contrib/vhost-user-gpu/virgl.c +++ b/contrib/vhost-user-gpu/virgl.c @@ -177,6 +177,10 @@ virgl_cmd_get_capset(VuGpu *g, virgl_renderer_get_cap_set(gc.capset_id, &max_ver, &max_size); + if (!max_size) { + cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; + return; + } resp = g_malloc0(sizeof(*resp) + max_size); resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET; ++++++ vhost-user-gpu-fix-leak-in-virgl_cmd_res.patch ++++++ 
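Review bot: in the vugpu.h hunk of the vg_cleanup_mapping_iov patch, the new prototype replaces the blank line that separated the vg_create_mapping_iov() declaration from vg_get_display_info(), so the two mapping helpers now run straight into the display declarations; keep a blank line after `void vg_cleanup_mapping_iov(VuGpu *g, struct iovec *iov, uint32_t count);`. In the definition itself `g` and `count` are unused and only `g_free(iov)` runs, which the comment acknowledges; that is acceptable for a seam that virtio-gpu also has, but the commit message should name the helper it introduces as vg_cleanup_mapping_iov, since as written it says vg_create_mapping_iov twice.

Review bot: in the virgl_cmd_resource_unref hunk of the same patch, the new `if (res_iovs != NULL && num_iovs != 0)` guard before vg_cleanup_mapping_iov() is not behaviour-preserving: the old code called g_free(res_iovs) unconditionally (a no-op on NULL), whereas the new code skips the free when res_iovs is non-NULL but num_iovs is 0. That is only a leak if the renderer can ever return such a pair, but the message claims "no function changed", so either drop the guard (vg_cleanup_mapping_iov tolerates NULL exactly like g_free) or say why the extra condition is wanted.

Review bot: the `if (!max_size)` check in the virgl_cmd_get_capset hunk is only sound if `max_size` is zero when virgl_renderer_get_cap_set() does not recognise `gc.capset_id`: either the renderer writes 0 to both out-parameters in that case, or `max_size` is initialised to 0 at its declaration, which is outside the visible context; confirm one of the two, otherwise a stale stack value would pass the check and the g_malloc0(sizeof(*resp) + max_size) sizing would be wrong again. The commit message also attributes setting max_size to 0 to 'virgl_cmd_get_capset'; it is the renderer's get_cap_set that reports the size, so reword that sentence.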
From: Li Qiang <[email protected]> Date: Sat, 15 May 2021 20:04:00 -0700 Subject: vhost-user-gpu: fix leak in 'virgl_cmd_resource_unref' (CVE-2021-3544) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Git-commit: f6091d86ba9ea05f4e111b9b42ee0005c37a6779 References: CVE-2021-3544 bsc#1186010 The 'res->iov' will be leaked if the guest triggers the following sequence: virgl_cmd_create_resource_2d virgl_resource_attach_backing virgl_cmd_resource_unref This patch fixes this. Fixes: CVE-2021-3544 Reported-by: Li Qiang <[email protected]> virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak in virgl_cmd_resource_unref") Signed-off-by: Li Qiang <[email protected]> Reviewed-by: Marc-André Lureau <[email protected]> Message-Id: <[email protected]> Signed-off-by: Gerd Hoffmann <[email protected]> Signed-off-by: Jose R. Ziviani <[email protected]> [jrz: tweaked title to not break spec file] --- contrib/vhost-user-gpu/virgl.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c index 6a332d601f8092c5017e903930e5..c669d73a1dbe93d8faa1474462a9 100644 --- a/contrib/vhost-user-gpu/virgl.c +++ b/contrib/vhost-user-gpu/virgl.c @@ -108,9 +108,16 @@ virgl_cmd_resource_unref(VuGpu *g, struct virtio_gpu_ctrl_command *cmd) { struct virtio_gpu_resource_unref unref; + struct iovec *res_iovs = NULL; + int num_iovs = 0; VUGPU_FILL_CMD(unref); + virgl_renderer_resource_detach_iov(unref.resource_id, + &res_iovs, + &num_iovs); + g_free(res_iovs); + virgl_renderer_resource_unref(unref.resource_id); } ++++++ vhost-user-gpu-fix-leak-in-virgl_resourc.patch ++++++ 
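Review bot: in the virgl_cmd_resource_unref hunk, `num_iovs` is filled by virgl_renderer_resource_detach_iov() and then never read, and `res_iovs` goes straight to g_free(); that is enough to close the leak, but the ordering is the load-bearing part: the detach must precede virgl_renderer_resource_unref(), because once the renderer drops the resource the iov array attached in virgl_resource_attach_backing is unreachable. A one-line comment above the detach call saying "detach before unref so we own the iov array" would stop a later reorder from reintroducing the leak; alternatively use num_iovs in the free path, as the follow-up vg_cleanup_mapping_iov patch in this series does.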
From: Li Qiang <[email protected]> Date: Sat, 15 May 2021 20:04:01 -0700 Subject: vhost-user-gpu: fix leak in 'virgl_resource_attach_backing' (CVE-2021-3544) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Git-commit: 63736af5a6571d9def93769431e0d7e38c6677bf References: CVE-2021-3544 bsc#1186010 If 'virgl_renderer_resource_attach_iov' fails, the 'res_iovs' will be leaked. Fixes: CVE-2021-3544 Reported-by: Li Qiang <[email protected]> virtio-gpu fix: 33243031da ("virtio-gpu-3d: fix memory leak in resource attach backing") Signed-off-by: Li Qiang <[email protected]> Reviewed-by: Marc-André Lureau <[email protected]> Message-Id: <[email protected]> Signed-off-by: Gerd Hoffmann <[email protected]> Signed-off-by: Jose R. Ziviani <[email protected]> [jrz: tweak title to not break spec file] --- contrib/vhost-user-gpu/virgl.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c index c669d73a1dbe93d8faa1474462a9..a16a311d80df19294e4330f7d004 100644 --- a/contrib/vhost-user-gpu/virgl.c +++ b/contrib/vhost-user-gpu/virgl.c @@ -287,8 +287,11 @@ virgl_resource_attach_backing(VuGpu *g, return; } - virgl_renderer_resource_attach_iov(att_rb.resource_id, + ret = virgl_renderer_resource_attach_iov(att_rb.resource_id, res_iovs, att_rb.nr_entries); + if (ret != 0) { + g_free(res_iovs); + } } static void ++++++ vhost-user-gpu-fix-memory-disclosure-in-.patch ++++++ 
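Review bot: the error path added to virgl_resource_attach_backing frees `res_iovs` but leaves `cmd->error` untouched, so the guest receives an OK response for an attach the renderer rejected and will go on to issue transfers against a resource with no backing; set `cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;` inside the `if (ret != 0)` block, matching what the preceding vg_create_mapping_iov failure path (the `return; }` context just above) does. `ret` is assigned here without a visible declaration; confirm it is the same `int ret` used by that earlier check rather than a new variable that still needs declaring.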
From: Li Qiang <[email protected]> Date: Sat, 15 May 2021 20:03:56 -0700 Subject: vhost-user-gpu: fix memory disclosure in virgl_cmd_get_capset_info (CVE-2021-3545) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Git-commit: 121841b25d72d13f8cad554363138c360f1250ea References: CVE-2021-3545 bsc#1185990 Otherwise some of the 'resp' will be leaked to guest. Fixes: CVE-2021-3545 Reported-by: Li Qiang <[email protected]> virtio-gpu fix: 42a8dadc74 ("virtio-gpu: fix information leak in getting capset info dispatch") Signed-off-by: Li Qiang <[email protected]> Reviewed-by: Marc-André Lureau <[email protected]> Message-Id: <[email protected]> Signed-off-by: Gerd Hoffmann <[email protected]> Signed-off-by: Jose R. Ziviani <[email protected]> --- contrib/vhost-user-gpu/virgl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c index 9e6660c7ab875fe83f366d040c97..6a332d601f8092c5017e903930e5 100644 --- a/contrib/vhost-user-gpu/virgl.c +++ b/contrib/vhost-user-gpu/virgl.c @@ -128,6 +128,7 @@ virgl_cmd_get_capset_info(VuGpu *g, VUGPU_FILL_CMD(info); + memset(&resp, 0, sizeof(resp)); if (info.capset_index == 0) { resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL; virgl_renderer_get_cap_set(resp.capset_id, ++++++ vhost-user-gpu-fix-memory-leak-in-vg_res.patch ++++++ From: Li Qiang <[email protected]> Date: Sat, 15 May 2021 20:03:58 -0700 Subject: vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Git-commit: b9f79858a614d95f5de875d0ca31096eaab72c3b References: CVE-2021-3544 bsc#1186010 Check whether the 'res' has already been attach_backing to avoid memory leak. Fixes: CVE-2021-3544 Reported-by: Li Qiang <[email protected]> virtio-gpu fix: 204f01b309 ("virtio-gpu: fix memory leak in resource attach backing") 
Signed-off-by: Li Qiang <[email protected]> Reviewed-by: Marc-André Lureau <[email protected]> Message-Id: <[email protected]> Signed-off-by: Gerd Hoffmann <[email protected]> Signed-off-by: Jose R. Ziviani <[email protected]> --- contrib/vhost-user-gpu/vhost-user-gpu.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c index b5e153d0d648def62d5700e686c0..0437e52b64604512607e548d01d8 100644 --- a/contrib/vhost-user-gpu/vhost-user-gpu.c +++ b/contrib/vhost-user-gpu/vhost-user-gpu.c @@ -489,6 +489,11 @@ vg_resource_attach_backing(VuGpu *g, return; } + if (res->iov) { + cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; + return; + } + ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov); if (ret != 0) { cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; ++++++ vhost-user-gpu-fix-memory-leak-while-cal.patch ++++++ From: Li Qiang <[email protected]> Date: Sat, 15 May 2021 20:03:59 -0700 Subject: vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Git-commit: b7afebcf9e6ecf3cf9b5a9b9b731ed04bca6aa3e References: CVE-2021-3544 bsc#1186010 If the guest triggers the following sequence, the attach_backing will be leaked: vg_resource_create_2d vg_resource_attach_backing vg_resource_unref This patch fixes this by freeing 'res->iov' in vg_resource_destroy. Fixes: CVE-2021-3544 Reported-by: Li Qiang <[email protected]> virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak in virgl_cmd_resource_unref") Reviewed-by: Prasad J Pandit <[email protected]> Signed-off-by: Li Qiang <[email protected]> Reviewed-by: Marc-André Lureau <[email protected]> Message-Id: <[email protected]> Signed-off-by: Gerd Hoffmann <[email protected]> Signed-off-by: Jose R. Ziviani <[email protected]> --- contrib/vhost-user-gpu/vhost-user-gpu.c | 1 + 1 file changed, 1 insertion(+) 
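Review bot: the `memset(&resp, 0, sizeof(resp));` added to virgl_cmd_get_capset_info is the right tool rather than a `= { 0 }` initialiser at the declaration, because `resp` is copied to the guest byte for byte and C does not promise that a partial initialiser clears structure padding; add a one-line comment saying the memset is there to avoid disclosing padding and unset fields, so a later cleanup does not "simplify" it back into an initialiser. The placement after VUGPU_FILL_CMD(info) is fine since nothing writes `resp` before the memset.

Review bot: the `if (res->iov)` guard in the vg_resource_attach_backing hunk correctly stops a second ATTACH_BACKING from overwriting (and leaking) the mapping created by the first, and returning before vg_create_mapping_iov() means no new allocation is made on the rejected path. VIRTIO_GPU_RESP_ERR_UNSPEC is consistent with the existing failure branch just below it; if the maintainers want the guest to be able to tell "already attached" from "mapping failed", VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER is the more specific code, but that is a choice, not a defect.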
diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c index 0437e52b64604512607e548d01d8..770dfad52989b2651eea67fdbb1b 100644 --- a/contrib/vhost-user-gpu/vhost-user-gpu.c +++ b/contrib/vhost-user-gpu/vhost-user-gpu.c @@ -400,6 +400,7 @@ vg_resource_destroy(VuGpu *g, } vugbm_buffer_destroy(&res->buffer); + g_free(res->iov); pixman_image_unref(res->image); QTAILQ_REMOVE(&g->reslist, res, next); g_free(res); ++++++ vhost-user-gpu-fix-resource-leak-in-vg_r.patch ++++++ From: Li Qiang <[email protected]> Date: Sat, 15 May 2021 20:03:57 -0700 Subject: vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Git-commit: 86dd8fac2acc366930a5dc08d3fb1b1e816f4e1e References: CVE-2021-3544 bsc#1186010 Call 'vugbm_buffer_destroy' in error path to avoid resource leak. Fixes: CVE-2021-3544 Reported-by: Li Qiang <[email protected]> Reviewed-by: Prasad J Pandit <[email protected]> Signed-off-by: Li Qiang <[email protected]> Reviewed-by: Marc-André Lureau <[email protected]> Message-Id: <[email protected]> Signed-off-by: Gerd Hoffmann <[email protected]> Signed-off-by: Jose R. Ziviani <[email protected]> --- contrib/vhost-user-gpu/vhost-user-gpu.c | 1 + 1 file changed, 1 insertion(+) diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c index f73f292c9f72395525c51c8bd9fb..b5e153d0d648def62d5700e686c0 100644 --- a/contrib/vhost-user-gpu/vhost-user-gpu.c +++ b/contrib/vhost-user-gpu/vhost-user-gpu.c @@ -349,6 +349,7 @@ vg_resource_create_2d(VuGpu *g, g_critical("%s: resource creation failed %d %d %d", __func__, c2d.resource_id, c2d.width, c2d.height); g_free(res); + vugbm_buffer_destroy(&res->buffer); cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY; return; }
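Review bot: the `g_free(res->iov);` added to vg_resource_destroy is safe as written only because `res` itself is freed two lines later, so the dangling res->iov and stale res->iov_cnt are never observed; vg_resource_detach_backing in the same file resets both fields after freeing, and the vg_cleanup_mapping_iov patch later in this series routes destroy and detach through one helper. If the series is applied in the order the spec lists (this patch before the abstraction), that is fine; if it is ever backported alone, prefer the three-line form (free, iov = NULL, iov_cnt = 0) so the two paths stay identical.

Review bot: in the vg_resource_create_2d hunk, the new `vugbm_buffer_destroy(&res->buffer);` is placed after `g_free(res);`, so it dereferences `res` to reach `res->buffer` after the struct has been freed: a use-after-free on exactly the error path this patch is meant to fix. Move the new line above `g_free(res);` so the order is destroy the GBM buffer, then free the resource struct, then set cmd->error and return.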
