Andrew Geissler | 9aee500 | 2022-03-30 16:27:02 +0000 | 1 | CVE: CVE-2022-26354 |
| 2 | Upstream-Status: Backport |
| 3 | Signed-off-by: Ross Burton <ross.burton@arm.com> |
| 4 | |
| 5 | From 0190d651a73463dc2b8f170b29326d1f38140a04 Mon Sep 17 00:00:00 2001 |
| 6 | From: Stefano Garzarella <sgarzare@redhat.com> |
| 7 | Date: Mon, 28 Feb 2022 10:50:58 +0100 |
| 8 | Subject: [PATCH 1/2] vhost-vsock: detach the virtqueue element in case of error |
| 9 | |
| 10 | In vhost_vsock_common_send_transport_reset(), if an element popped from |
| 11 | the virtqueue is invalid, we should call virtqueue_detach_element() to |
| 12 | detach it from the virtqueue before freeing its memory. |
| 13 | |
| 14 | Fixes: fc0b9b0e1c ("vhost-vsock: add virtio sockets device") |
| 15 | Fixes: CVE-2022-26354 |
| 16 | Cc: qemu-stable@nongnu.org |
| 17 | Reported-by: VictorV <vv474172261@gmail.com> |
| 18 | Signed-off-by: Stefano Garzarella <sgarzare@redhat.com> |
| 19 | Message-Id: <20220228095058.27899-1-sgarzare@redhat.com> |
| 20 | Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> |
| 21 | Reviewed-by: Michael S. Tsirkin <mst@redhat.com> |
| 22 | Signed-off-by: Michael S. Tsirkin <mst@redhat.com> |
| 23 | --- |
| 24 | hw/virtio/vhost-vsock-common.c | 10 +++++++--- |
| 25 | 1 file changed, 7 insertions(+), 3 deletions(-) |
| 26 | |
| 27 | diff --git a/hw/virtio/vhost-vsock-common.c b/hw/virtio/vhost-vsock-common.c |
| 28 | index 3f3771274e..ed706681ac 100644 |
| 29 | --- a/hw/virtio/vhost-vsock-common.c |
| 30 | +++ b/hw/virtio/vhost-vsock-common.c |
| 31 | @@ -153,19 +153,23 @@ static void vhost_vsock_common_send_transport_reset(VHostVSockCommon *vvc) |
| 32 | if (elem->out_num) { |
| 33 | error_report("invalid vhost-vsock event virtqueue element with " |
| 34 | "out buffers"); |
| 35 | - goto out; |
| 36 | + goto err; |
| 37 | } |
| 38 | |
| 39 | if (iov_from_buf(elem->in_sg, elem->in_num, 0, |
| 40 | &event, sizeof(event)) != sizeof(event)) { |
| 41 | error_report("vhost-vsock event virtqueue element is too short"); |
| 42 | - goto out; |
| 43 | + goto err; |
| 44 | } |
| 45 | |
| 46 | virtqueue_push(vq, elem, sizeof(event)); |
| 47 | virtio_notify(VIRTIO_DEVICE(vvc), vq); |
| 48 | |
| 49 | -out: |
| 50 | + g_free(elem); |
| 51 | + return; |
| 52 | + |
| 53 | +err: |
| 54 | + virtqueue_detach_element(vq, elem, 0); |
| 55 | g_free(elem); |
| 56 | } |
| 57 | |
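Review bot: The err: label would benefit from a one-line comment above `virtqueue_detach_element(vq, elem, 0);` saying why a rejected element has to be handed back to the queue before g_free() instead of simply freed; the commit message states it, the code does not, and the success path reaches the same end state through `virtqueue_push(vq, elem, sizeof(event));`, so the reason the two exits now differ is not obvious from the hunk alone. The zero length argument is right for both rejected cases, since the element is being returned unused rather than completed with data. The new `g_free(elem); return;` after virtio_notify() is what keeps the success path from falling into the detach, so it must stay directly before the label; anyone later inserting code between the notify and the return should keep that in mind.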
| 58 | -- |
| 59 | 2.25.1 |
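To show why the missing detach is a denial-of-service bug rather than a cosmetic leak, here is an added example in C. It is a toy model written for this page, not QEMU's code or anything from the layer that carries this backport. It assumes a virtqueue that, like QEMU's virtqueue_pop(), refuses to hand out another element once as many elements are in flight as the ring can hold, and it assumes the transport-reset event is a 4-byte value; VQ_SIZE, EVENT_SIZE, ModelVirtqueue, ModelElement, model_pop, model_push, model_detach, send_event_leaky, send_event_fixed and survives_malformed are all names invented here. The two send functions mirror the pre- and post-patch control flow of the hunk above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical toy model, not QEMU's code: the queue only tracks how many
 * elements the device has popped and not yet returned.  As with QEMU's
 * virtqueue_pop(), pop refuses once VQ_SIZE elements are outstanding. */
#define VQ_SIZE 8
#define EVENT_SIZE sizeof(uint32_t)  /* assumed size of the reset event */

typedef struct {
    unsigned out_num;  /* guest-readable buffers; an event element must have none */
    unsigned in_num;   /* device-writable buffers */
    size_t in_len;     /* bytes available across the in buffers */
} ModelElement;

typedef struct {
    unsigned inuse;    /* popped, neither pushed nor detached yet */
    unsigned used;     /* completed via push */
} ModelVirtqueue;

static ModelElement *model_pop(ModelVirtqueue *vq, unsigned out_num,
                               unsigned in_num, size_t in_len)
{
    if (vq->inuse >= VQ_SIZE) {
        return NULL;  /* models "Virtqueue size exceeded" */
    }
    ModelElement *e = calloc(1, sizeof(*e));
    if (!e) {
        abort();
    }
    e->out_num = out_num;
    e->in_num = in_num;
    e->in_len = in_len;
    vq->inuse++;
    return e;
}

/* Completing an element returns it to the queue and reports it to the guest. */
static void model_push(ModelVirtqueue *vq, ModelElement *e, size_t len)
{
    (void)e; (void)len;
    vq->inuse--;
    vq->used++;
}

/* Detaching returns an element unused, without reporting it to the guest. */
static void model_detach(ModelVirtqueue *vq, ModelElement *e, size_t len)
{
    (void)e; (void)len;
    vq->inuse--;
}

/* Pre-patch flow: both error paths free the element without returning it,
 * so the outstanding count never drops for a rejected element. */
static bool send_event_leaky(ModelVirtqueue *vq, unsigned out_num,
                             unsigned in_num, size_t in_len)
{
    ModelElement *elem = model_pop(vq, out_num, in_num, in_len);
    bool ok = false;
    if (!elem) {
        return false;
    }
    if (elem->out_num) goto out;            /* "out buffers" check */
    if (elem->in_len < EVENT_SIZE) goto out; /* "too short" check */
    model_push(vq, elem, EVENT_SIZE);
    ok = true;
out:
    free(elem);
    return ok;
}

/* Patched flow: a rejected element is detached before it is freed. */
static bool send_event_fixed(ModelVirtqueue *vq, unsigned out_num,
                             unsigned in_num, size_t in_len)
{
    ModelElement *elem = model_pop(vq, out_num, in_num, in_len);
    if (!elem) {
        return false;
    }
    if (elem->out_num) goto err;
    if (elem->in_len < EVENT_SIZE) goto err;
    model_push(vq, elem, EVENT_SIZE);
    free(elem);
    return true;
err:
    model_detach(vq, elem, 0);
    free(elem);
    return false;
}

typedef bool (*send_fn)(ModelVirtqueue *, unsigned, unsigned, size_t);

/* Feed `malformed` elements that carry an out buffer (rejected by the first
 * check), then one well-formed element; report whether the good one is sent. */
static bool survives_malformed(send_fn send, unsigned malformed)
{
    ModelVirtqueue vq = {0};
    for (unsigned i = 0; i < malformed; i++) {
        send(&vq, 1, 1, EVENT_SIZE);
    }
    return send(&vq, 0, 1, EVENT_SIZE);
}

int main(void)
{
    printf("leaky after %d bad elements: %s\n", VQ_SIZE,
           survives_malformed(send_event_leaky, VQ_SIZE) ? "delivered" : "stuck");
    printf("fixed after %d bad elements: %s\n", VQ_SIZE,
           survives_malformed(send_event_fixed, VQ_SIZE) ? "delivered" : "stuck");
    return 0;
}
```

In the leaky variant a guest that queues VQ_SIZE malformed elements leaves the event queue unable to deliver any later transport-reset event, because every pop is refused; the fixed variant keeps delivering no matter how many malformed elements precede the good one, since each rejected element is returned through the detach.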
| 60 | |