From 86dd8fac2acc366930a5dc08d3fb1b1e816f4e1e Mon Sep 17 00:00:00 2001 From: Li Qiang Date: Sat, 15 May 2021 20:03:57 -0700 Subject: vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Call 'vugbm_buffer_destroy' in error path to avoid resource leak. Fixes: CVE-2021-3544 Reported-by: Li Qiang Reviewed-by: Prasad J Pandit Signed-off-by: Li Qiang Reviewed-by: Marc-André Lureau Message-Id: <20210516030403.107723-3-liq3ea@163.com> Signed-off-by: Gerd Hoffmann --- contrib/vhost-user-gpu/vhost-user-gpu.c | 1 + 1 file changed, 1 insertion(+) (limited to 'contrib/vhost-user-gpu/vhost-user-gpu.c') diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c index f73f292c9f..b5e153d0d6 100644 --- a/contrib/vhost-user-gpu/vhost-user-gpu.c +++ b/contrib/vhost-user-gpu/vhost-user-gpu.c @@ -349,6 +349,7 @@ vg_resource_create_2d(VuGpu *g, g_critical("%s: resource creation failed %d %d %d", __func__, c2d.resource_id, c2d.width, c2d.height); g_free(res); + vugbm_buffer_destroy(&res->buffer); cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY; return; } -- cgit 1.4.1 From b9f79858a614d95f5de875d0ca31096eaab72c3b Mon Sep 17 00:00:00 2001 From: Li Qiang Date: Sat, 15 May 2021 20:03:58 -0700 Subject: vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Check whether the 'res' has already been attach_backing to avoid memory leak. Fixes: CVE-2021-3544 Reported-by: Li Qiang virtio-gpu fix: 204f01b309 ("virtio-gpu: fix memory leak in resource attach backing") Signed-off-by: Li Qiang Reviewed-by: Marc-André Lureau Message-Id: <20210516030403.107723-4-liq3ea@163.com> Signed-off-by: Gerd Hoffmann --- contrib/vhost-user-gpu/vhost-user-gpu.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'contrib/vhost-user-gpu/vhost-user-gpu.c') diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c index b5e153d0d6..0437e52b64 100644 --- a/contrib/vhost-user-gpu/vhost-user-gpu.c +++ b/contrib/vhost-user-gpu/vhost-user-gpu.c @@ -489,6 +489,11 @@ vg_resource_attach_backing(VuGpu *g, return; } + if (res->iov) { + cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; + return; + } + ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov); if (ret != 0) { cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; -- cgit 1.4.1 From b7afebcf9e6ecf3cf9b5a9b9b731ed04bca6aa3e Mon Sep 17 00:00:00 2001 From: Li Qiang Date: Sat, 15 May 2021 20:03:59 -0700 Subject: vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If the guest trigger following sequences, the attach_backing will be leaked: vg_resource_create_2d vg_resource_attach_backing vg_resource_unref This patch fix this by freeing 'res->iov' in vg_resource_destroy. Fixes: CVE-2021-3544 Reported-by: Li Qiang virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak in virgl_cmd_resource_unref") Reviewed-by: Prasad J Pandit Signed-off-by: Li Qiang Reviewed-by: Marc-André Lureau Message-Id: <20210516030403.107723-5-liq3ea@163.com> Signed-off-by: Gerd Hoffmann --- contrib/vhost-user-gpu/vhost-user-gpu.c | 1 + 1 file changed, 1 insertion(+) (limited to 'contrib/vhost-user-gpu/vhost-user-gpu.c') diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c index 0437e52b64..770dfad529 100644 --- a/contrib/vhost-user-gpu/vhost-user-gpu.c +++ b/contrib/vhost-user-gpu/vhost-user-gpu.c @@ -400,6 +400,7 @@ vg_resource_destroy(VuGpu *g, } vugbm_buffer_destroy(&res->buffer); + g_free(res->iov); pixman_image_unref(res->image); QTAILQ_REMOVE(&g->reslist, res, next); g_free(res); -- cgit 1.4.1 From 3ea32d1355d446057c17458238db2749c52ee8f0 Mon Sep 17 00:00:00 2001 From: Li Qiang Date: Sat, 15 May 2021 20:04:03 -0700 Subject: vhost-user-gpu: abstract vg_cleanup_mapping_iov MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently in vhost-user-gpu, we free resource directly in the cleanup case of resource. If we change the cleanup logic we need to change several places, also abstruct a 'vg_create_mapping_iov' can be symmetry with the 'vg_create_mapping_iov'. This is like what virtio-gpu does, no function changed. Signed-off-by: Li Qiang Reviewed-by: Marc-André Lureau Message-Id: <20210516030403.107723-9-liq3ea@163.com> Signed-off-by: Gerd Hoffmann --- contrib/vhost-user-gpu/vhost-user-gpu.c | 24 ++++++++++++++++++++---- contrib/vhost-user-gpu/virgl.c | 9 +++++---- contrib/vhost-user-gpu/vugpu.h | 2 +- 3 files changed, 26 insertions(+), 9 deletions(-) (limited to 'contrib/vhost-user-gpu/vhost-user-gpu.c') diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c index 770dfad529..6dc6a44f4e 100644 --- a/contrib/vhost-user-gpu/vhost-user-gpu.c +++ b/contrib/vhost-user-gpu/vhost-user-gpu.c @@ -49,6 +49,8 @@ static char *opt_render_node; static gboolean opt_virgl; static void vg_handle_ctrl(VuDev *dev, int qidx); +static void vg_cleanup_mapping(VuGpu *g, + struct virtio_gpu_simple_resource *res); static const char * vg_cmd_to_string(int cmd) @@ -400,7 +402,7 @@ vg_resource_destroy(VuGpu *g, } vugbm_buffer_destroy(&res->buffer); - g_free(res->iov); + vg_cleanup_mapping(g, res); pixman_image_unref(res->image); QTAILQ_REMOVE(&g->reslist, res, next); g_free(res); @@ -504,6 +506,22 @@ vg_resource_attach_backing(VuGpu *g, res->iov_cnt = ab.nr_entries; } +/* Though currently only free iov, maybe later will do more work. */ +void vg_cleanup_mapping_iov(VuGpu *g, + struct iovec *iov, uint32_t count) +{ + g_free(iov); +} + +static void +vg_cleanup_mapping(VuGpu *g, + struct virtio_gpu_simple_resource *res) +{ + vg_cleanup_mapping_iov(g, res->iov, res->iov_cnt); + res->iov = NULL; + res->iov_cnt = 0; +} + static void vg_resource_detach_backing(VuGpu *g, struct virtio_gpu_ctrl_command *cmd) @@ -522,9 +540,7 @@ vg_resource_detach_backing(VuGpu *g, return; } - g_free(res->iov); - res->iov = NULL; - res->iov_cnt = 0; + vg_cleanup_mapping(g, res); } static void diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c index 7172104b19..3e45e1bd33 100644 --- a/contrib/vhost-user-gpu/virgl.c +++ b/contrib/vhost-user-gpu/virgl.c @@ -116,8 +116,9 @@ virgl_cmd_resource_unref(VuGpu *g, virgl_renderer_resource_detach_iov(unref.resource_id, &res_iovs, &num_iovs); - g_free(res_iovs); - + if (res_iovs != NULL && num_iovs != 0) { + vg_cleanup_mapping_iov(g, res_iovs, num_iovs); + } virgl_renderer_resource_unref(unref.resource_id); } @@ -294,7 +295,7 @@ virgl_resource_attach_backing(VuGpu *g, ret = virgl_renderer_resource_attach_iov(att_rb.resource_id, res_iovs, att_rb.nr_entries); if (ret != 0) { - g_free(res_iovs); + vg_cleanup_mapping_iov(g, res_iovs, att_rb.nr_entries); } } @@ -314,7 +315,7 @@ virgl_resource_detach_backing(VuGpu *g, if (res_iovs == NULL || num_iovs == 0) { return; } - g_free(res_iovs); + vg_cleanup_mapping_iov(g, res_iovs, num_iovs); } static void diff --git a/contrib/vhost-user-gpu/vugpu.h b/contrib/vhost-user-gpu/vugpu.h index 04d5615812..e2864bba68 100644 --- a/contrib/vhost-user-gpu/vugpu.h +++ b/contrib/vhost-user-gpu/vugpu.h @@ -169,7 +169,7 @@ int vg_create_mapping_iov(VuGpu *g, struct virtio_gpu_resource_attach_backing *ab, struct virtio_gpu_ctrl_command *cmd, struct iovec **iov); - +void vg_cleanup_mapping_iov(VuGpu *g, struct iovec *iov, uint32_t count); void vg_get_display_info(VuGpu *vg, struct virtio_gpu_ctrl_command *cmd); void vg_wait_ok(VuGpu *g); -- cgit 1.4.1