| CVE: CVE-2022-26354 |
| Upstream-Status: Backport |
| Signed-off-by: Ross Burton <ross.burton@arm.com> |
| |
| From 0190d651a73463dc2b8f170b29326d1f38140a04 Mon Sep 17 00:00:00 2001 |
| From: Stefano Garzarella <sgarzare@redhat.com> |
| Date: Mon, 28 Feb 2022 10:50:58 +0100 |
| Subject: [PATCH 1/2] vhost-vsock: detach the virqueue element in case of error |
| |
| In vhost_vsock_common_send_transport_reset(), if an element popped from |
| the virtqueue is invalid, we should call virtqueue_detach_element() to |
| detach it from the virtqueue before freeing its memory. |
| |
| Fixes: fc0b9b0e1c ("vhost-vsock: add virtio sockets device") |
| Fixes: CVE-2022-26354 |
| Cc: qemu-stable@nongnu.org |
| Reported-by: VictorV <vv474172261@gmail.com> |
| Signed-off-by: Stefano Garzarella <sgarzare@redhat.com> |
| Message-Id: <20220228095058.27899-1-sgarzare@redhat.com> |
| Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> |
| Reviewed-by: Michael S. Tsirkin <mst@redhat.com> |
| Signed-off-by: Michael S. Tsirkin <mst@redhat.com> |
| --- |
| hw/virtio/vhost-vsock-common.c | 10 +++++++--- |
| 1 file changed, 7 insertions(+), 3 deletions(-) |
| |
| diff --git a/hw/virtio/vhost-vsock-common.c b/hw/virtio/vhost-vsock-common.c |
| index 3f3771274e..ed706681ac 100644 |
| --- a/hw/virtio/vhost-vsock-common.c |
| +++ b/hw/virtio/vhost-vsock-common.c |
| @@ -153,19 +153,23 @@ static void vhost_vsock_common_send_transport_reset(VHostVSockCommon *vvc) |
| if (elem->out_num) { |
| error_report("invalid vhost-vsock event virtqueue element with " |
| "out buffers"); |
| - goto out; |
| + goto err; |
| } |
| |
| if (iov_from_buf(elem->in_sg, elem->in_num, 0, |
| &event, sizeof(event)) != sizeof(event)) { |
| error_report("vhost-vsock event virtqueue element is too short"); |
| - goto out; |
| + goto err; |
| } |
| |
| virtqueue_push(vq, elem, sizeof(event)); |
| virtio_notify(VIRTIO_DEVICE(vvc), vq); |
| |
| -out: |
| + g_free(elem); |
| + return; |
| + |
| +err: |
| + virtqueue_detach_element(vq, elem, 0); |
| g_free(elem); |
| } |
| |
| -- |
| 2.25.1 |
| |