diff options
| author | Li Qiang <liq3ea@163.com> | 2021-05-15 20:04:02 -0700 |
|---|---|---|
| committer | Gerd Hoffmann <kraxel@redhat.com> | 2021-05-27 11:55:59 +0200 |
| commit | 9f22893adcb02580aee5968f32baa2cd109b3ec2 (patch) | |
| tree | 0c7ed9e162d074886ac73269a15b677c023a6714 /contrib/vhost-user-gpu/virgl.c | |
| parent | 63736af5a6571d9def93769431e0d7e38c6677bf (diff) | |
| download | focaccia-qemu-9f22893adcb02580aee5968f32baa2cd109b3ec2.tar.gz focaccia-qemu-9f22893adcb02580aee5968f32baa2cd109b3ec2.zip | |
vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset' (CVE-2021-3546)
If 'virgl_cmd_get_capset' set 'max_size' to 0,
the 'virgl_renderer_fill_caps' will write the data after the 'resp'.
This patch avoid this by checking the returned 'max_size'.
virtio-gpu fix: abd7f08b23 ("display: virtio-gpu-3d: check
virgl capabilities max_size")
Fixes: CVE-2021-3546
Reported-by: Li Qiang <liq3ea@163.com>
Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Li Qiang <liq3ea@163.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20210516030403.107723-8-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Diffstat (limited to 'contrib/vhost-user-gpu/virgl.c')
| -rw-r--r-- | contrib/vhost-user-gpu/virgl.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c index a16a311d80..7172104b19 100644 --- a/contrib/vhost-user-gpu/virgl.c +++ b/contrib/vhost-user-gpu/virgl.c @@ -177,6 +177,10 @@ virgl_cmd_get_capset(VuGpu *g, virgl_renderer_get_cap_set(gc.capset_id, &max_ver, &max_size); + if (!max_size) { + cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; + return; + } resp = g_malloc0(sizeof(*resp) + max_size); resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET; |