From: "Steve Sakoman" <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 17/36] qemu: Security fixes CVE-2021-3545/6
Date: Sat, 28 Aug 2021 08:11:05 -1000 [thread overview]
Message-ID: <e066967a306292cd0ce5ef2cd5aa0ee80fde1041.1630174149.git.steve@sakoman.com> (raw)
In-Reply-To: <cover.1630174149.git.steve@sakoman.com>
From: Armin Kuster <akuster@mvista.com>
Source: qemu.org
MR: 111845, 111839
Type: Security Fix
Disposition: Backport from https://gitlab.com/qemu-project/qemu/-/commit/9f22893a & 121841b2
ChangeID: 111b168e0fe4d2a722158c6bfdaceb06a8789e69
Description:
Fixes: CVE-2021-3545 and CVE-2021-3546
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/qemu/qemu.inc | 2 +
.../qemu/qemu/CVE-2021-3545.patch | 41 ++++++++++++++++
.../qemu/qemu/CVE-2021-3546.patch | 47 +++++++++++++++++++
3 files changed, 90 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3545.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3546.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 90549136e5..028b81ee34 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -77,6 +77,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3544_3.patch \
file://CVE-2021-3544_4.patch \
file://CVE-2021-3544_5.patch \
+ file://CVE-2021-3545.patch \
+ file://CVE-2021-3546.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3545.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3545.patch
new file mode 100644
index 0000000000..fcdda64437
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3545.patch
@@ -0,0 +1,41 @@
+From 121841b25d72d13f8cad554363138c360f1250ea Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:03:56 -0700
+Subject: [PATCH] vhost-user-gpu: fix memory disclosure in
+ virgl_cmd_get_capset_info (CVE-2021-3545)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Otherwise some of the 'resp' will be leaked to guest.
+
+Fixes: CVE-2021-3545
+Reported-by: Li Qiang <liq3ea@163.com>
+virtio-gpu fix: 42a8dadc74 ("virtio-gpu: fix information leak
+in getting capset info dispatch")
+
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-2-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3545
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ contrib/vhost-user-gpu/virgl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+===================================================================
+--- qemu-4.2.0.orig/contrib/vhost-user-gpu/virgl.c
++++ qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+@@ -132,6 +132,7 @@ virgl_cmd_get_capset_info(VuGpu *g,
+
+ VUGPU_FILL_CMD(info);
+
++ memset(&resp, 0, sizeof(resp));
+ if (info.capset_index == 0) {
+ resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL;
+ virgl_renderer_get_cap_set(resp.capset_id,
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3546.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3546.patch
new file mode 100644
index 0000000000..f8da428233
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3546.patch
@@ -0,0 +1,47 @@
+From 9f22893adcb02580aee5968f32baa2cd109b3ec2 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:04:02 -0700
+Subject: [PATCH] vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset'
+ (CVE-2021-3546)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If 'virgl_cmd_get_capset' set 'max_size' to 0,
+the 'virgl_renderer_fill_caps' will write the data after the 'resp'.
+This patch avoid this by checking the returned 'max_size'.
+
+virtio-gpu fix: abd7f08b23 ("display: virtio-gpu-3d: check
+virgl capabilities max_size")
+
+Fixes: CVE-2021-3546
+Reported-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-8-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3546
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ contrib/vhost-user-gpu/virgl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+Index: qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+===================================================================
+--- qemu-4.2.0.orig/contrib/vhost-user-gpu/virgl.c
++++ qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+@@ -174,6 +174,10 @@ virgl_cmd_get_capset(VuGpu *g,
+
+ virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
+ &max_size);
++ if (!max_size) {
++ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
++ return;
++ }
+ resp = g_malloc0(sizeof(*resp) + max_size);
+
+ resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
--
2.25.1
next prev parent reply other threads:[~2021-08-28 18:13 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 01/36] glibc: Security fix CVE-2021-33574 Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 02/36] glibc: Security fix for CVE-2021-38604 Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 03/36] gnupg: upgrade 2.2.20 -> 2.2.21 Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 04/36] gnupg: update 2.2.21 -> 2.2.22 Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 05/36] gnupg: uprev 2.2.22 -> 2.2.23 Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 06/36] gnupg: update 2.2.23 -> 2.2.26 Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 07/36] gnupg: upgrade 2.2.26 -> 2.2.27 Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 08/36] qemu: Security fix CVE-2020-25085 Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 09/36] qemu: Security fix CVE-2020-25624 Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 10/36] Qemu: Security fix for CVE-2020-25625/2021-3409/2020-17380 Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 11/36] qemu: Security fix for CVE-2020-29443 Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 12/36] qemu: Security fix CVE-2021-20221 Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 13/36] qemu: fix CVE-2021-20181 Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 14/36] qemu: fix CVE-2021-3416 Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 15/36] qemu: fix CVE-2021-20257 Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 16/36] qemu: Security fix CVE-2021-3544 Steve Sakoman
2021-08-28 18:11 ` Steve Sakoman [this message]
2021-08-28 18:11 ` [OE-core][dunfell 18/36] qemu: fix CVE-2021-3527 Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 19/36] qemu: fix CVE-2021-3582 Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 20/36] qemu: fix CVE-2021-3607 Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 21/36] qemu: fix CVE-2021-3608 Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 22/36] rpm: Add fix for CVE-2021-20266 Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 23/36] binutils: Security fix for CVE-2021-3549 Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 24/36] binutils: Security fix for CVE-2020-16593 Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 25/36] openssl: update from 1.1.1k to 1.1.1l Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 26/36] Use the label provided when formating a dos partition Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 27/36] lzo: add CVE_PRODUCT Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 28/36] utils: Reduce the number of calls to the "dirname" command Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 29/36] tcf-agent: fetching over git:// no longer works Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 30/36] mklibs-native: drop deprecated cpp17 exceptions Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 31/36] image_types: Restore pre-btrfs-tools 4.14.1 mkfs.btrfs shrink behavior Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 32/36] linux-yocto/5.4: update to v5.4.142 Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 33/36] qemurunner.py: print output from runqemu/qemu-system in stop() Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 34/36] qemurunner.py: handle getOutput() having nothing to read Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 35/36] parselogs.py: ignore intermittent CD/DVDROM identification failure Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 36/36] selftest: disable virgl headless test Steve Sakoman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e066967a306292cd0ce5ef2cd5aa0ee80fde1041.1630174149.git.steve@sakoman.com \
--to=steve@sakoman.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox