From 73ab1791c951e9163ae7803aebf0b4655ff79fb0 Mon Sep 17 00:00:00 2001
From: Chen Qun <kuhn.chenqun@huawei.com>
Date: Tue, 15 Jun 2021 10:14:06 +0800
Subject: [PATCH] vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset'
 (CVE-2021-3546)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fix CVE-2021-3544

If 'virgl_cmd_get_capset' set 'max_size' to 0,
the 'virgl_renderer_fill_caps' will write the data after the 'resp'.
This patch avoid this by checking the returned 'max_size'.

virtio-gpu fix: abd7f08b

 ("display: virtio-gpu-3d: check
virgl capabilities max_size")

Fixes: CVE-2021-3546
Reported-by: default avatarLi Qiang <liq3ea@163.com>
Reviewed-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: default avatarLi Qiang <liq3ea@163.com>
Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20210516030403.107723-8-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>

Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
---
 ...ix-OOB-write-in-virgl_cmd_get_capset.patch | 51 +++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch

diff --git a/vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch b/vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch
new file mode 100644
index 0000000..11f9ce8
--- /dev/null
+++ b/vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch
@@ -0,0 +1,51 @@
+From acb9f3aadde7222eacf95b2d70204dd6f8351ed7 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Tue, 15 Jun 2021 10:14:06 +0800
+Subject: [PATCH] vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset'
+ (CVE-2021-3546)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fix CVE-2021-3544
+
+If 'virgl_cmd_get_capset' set 'max_size' to 0,
+the 'virgl_renderer_fill_caps' will write the data after the 'resp'.
+This patch avoid this by checking the returned 'max_size'.
+
+virtio-gpu fix: abd7f08b
+
+ ("display: virtio-gpu-3d: check
+virgl capabilities max_size")
+
+Fixes: CVE-2021-3546
+Reported-by: default avatarLi Qiang <liq3ea@163.com>
+Reviewed-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: default avatarLi Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-8-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
+
+Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
+---
+ contrib/vhost-user-gpu/virgl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
+index 44e79ab82a..ad2834902b 100644
+--- a/contrib/vhost-user-gpu/virgl.c
++++ b/contrib/vhost-user-gpu/virgl.c
+@@ -173,6 +173,10 @@ virgl_cmd_get_capset(VuGpu *g,
+ 
+     virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
+                                &max_size);
++    if (!max_size) {
++        cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
++        return;
++    }
+     resp = g_malloc0(sizeof(*resp) + max_size);
+ 
+     resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
+-- 
+2.27.0
+