poky/meta/recipes-devtools/qemu/qemu/0001-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch - openbmc/openbmc - Gitiles

 CVE: CVE-2022-26354
 Upstream-Status: Backport
 Signed-off-by: Ross Burton <ross.burton@arm.com>

 From 0190d651a73463dc2b8f170b29326d1f38140a04 Mon Sep 17 00:00:00 2001
 From: Stefano Garzarella <sgarzare@redhat.com>
 Date: Mon, 28 Feb 2022 10:50:58 +0100
 Subject: [PATCH 1/2] vhost-vsock: detach the virqueue element in case of error

 In vhost_vsock_common_send_transport_reset(), if an element popped from
 the virtqueue is invalid, we should call virtqueue_detach_element() to
 detach it from the virtqueue before freeing its memory.

 Fixes: fc0b9b0e1c ("vhost-vsock: add virtio sockets device")
 Fixes: CVE-2022-26354
 Cc: qemu-stable@nongnu.org
 Reported-by: VictorV <vv474172261@gmail.com>
 Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
 Message-Id: <20220228095058.27899-1-sgarzare@redhat.com>
 Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
 Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
 ---
  hw/virtio/vhost-vsock-common.c | 10 +++++++---
  1 file changed, 7 insertions(+), 3 deletions(-)

 diff --git a/hw/virtio/vhost-vsock-common.c b/hw/virtio/vhost-vsock-common.c
 index 3f3771274e..ed706681ac 100644
 --- a/hw/virtio/vhost-vsock-common.c
 +++ b/hw/virtio/vhost-vsock-common.c
 @@ -153,19 +153,23 @@ static void vhost_vsock_common_send_transport_reset(VHostVSockCommon *vvc)
      if (elem->out_num) {
          error_report("invalid vhost-vsock event virtqueue element with "
                       "out buffers");
 -        goto out;
 +        goto err;
      }

      if (iov_from_buf(elem->in_sg, elem->in_num, 0,
                       &event, sizeof(event)) != sizeof(event)) {
          error_report("vhost-vsock event virtqueue element is too short");
 -        goto out;
 +        goto err;
      }

      virtqueue_push(vq, elem, sizeof(event));
      virtio_notify(VIRTIO_DEVICE(vvc), vq);

 -out:
 +    g_free(elem);
 +    return;
 +
 +err:
 +    virtqueue_detach_element(vq, elem, 0);
      g_free(elem);
  }

 --
 2.25.1
	CVE: CVE-2022-26354
	Upstream-Status: Backport
	Signed-off-by: Ross Burton <ross.burton@arm.com>

	From 0190d651a73463dc2b8f170b29326d1f38140a04 Mon Sep 17 00:00:00 2001
	From: Stefano Garzarella <sgarzare@redhat.com>
	Date: Mon, 28 Feb 2022 10:50:58 +0100
	Subject: [PATCH 1/2] vhost-vsock: detach the virqueue element in case of error

	In vhost_vsock_common_send_transport_reset(), if an element popped from
	the virtqueue is invalid, we should call virtqueue_detach_element() to
	detach it from the virtqueue before freeing its memory.

	Fixes: fc0b9b0e1c ("vhost-vsock: add virtio sockets device")
	Fixes: CVE-2022-26354
	Cc: qemu-stable@nongnu.org
	Reported-by: VictorV <vv474172261@gmail.com>
	Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
	Message-Id: <20220228095058.27899-1-sgarzare@redhat.com>
	Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
	Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
	Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
	---
	hw/virtio/vhost-vsock-common.c \| 10 +++++++---
	1 file changed, 7 insertions(+), 3 deletions(-)

	diff --git a/hw/virtio/vhost-vsock-common.c b/hw/virtio/vhost-vsock-common.c
	index 3f3771274e..ed706681ac 100644
	--- a/hw/virtio/vhost-vsock-common.c
	+++ b/hw/virtio/vhost-vsock-common.c
	@@ -153,19 +153,23 @@ static void vhost_vsock_common_send_transport_reset(VHostVSockCommon *vvc)
	if (elem->out_num) {
	error_report("invalid vhost-vsock event virtqueue element with "
	"out buffers");
	- goto out;
	+ goto err;
	}

	if (iov_from_buf(elem->in_sg, elem->in_num, 0,
	&event, sizeof(event)) != sizeof(event)) {
	error_report("vhost-vsock event virtqueue element is too short");
	- goto out;
	+ goto err;
	}

	virtqueue_push(vq, elem, sizeof(event));
	virtio_notify(VIRTIO_DEVICE(vvc), vq);

	-out:
	+ g_free(elem);
	+ return;
	+
	+err:
	+ virtqueue_detach_element(vq, elem, 0);
	g_free(elem);
	}

	--
	2.25.1