Merge remote-tracking branch 'remotes/kraxel/tags/vga-20210527-pull-request' into staging

virtio-gpu: add blob resource support.
vhost-user-gpu: security fixes.

# gpg: Signature made Thu 27 May 2021 15:23:25 BST
# gpg:                using RSA key A0328CFFB93A17A79901FE7D4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full]
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>" [full]
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full]
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/vga-20210527-pull-request: (23 commits)
  virtio-gpu: Update cursor data using blob
  virtio-gpu: Add virtio_gpu_set_scanout_blob
  virtio-gpu: Factor out update scanout
  virtio-gpu: Add helpers to create and destroy dmabuf objects
  ui/pixman: Add qemu_pixman_to_drm_format()
  virtio-gpu: Add virtio_gpu_resource_create_blob
  virtio-gpu: Add initial definitions for blob resources
  virtio-gpu: Refactor virtio_gpu_create_mapping_iov
  virtio-gpu: Refactor virtio_gpu_set_scanout
  virtio-gpu: Add virtio_gpu_find_check_resource
  stubs: Add stubs for udmabuf helpers
  virtio-gpu: Add udmabuf helpers
  headers: Add udmabuf.h
  ui: Get the fd associated with udmabuf driver
  hw/display/qxl: Set pci rom address aligned with page size
  vhost-user-gpu: abstract vg_cleanup_mapping_iov
  vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset' (CVE-2021-3546)
  vhost-user-gpu: fix memory leak in 'virgl_resource_attach_backing' (CVE-2021-3544)
  vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' (CVE-2021-3544)
  vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544)
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

1 files changed, 18 insertions, 2 deletions

diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
index 9e6660c7ab..3e45e1bd33 100644
--- a/contrib/vhost-user-gpu/virgl.c
+++ b/contrib/vhost-user-gpu/virgl.c
@@ -108,9 +108,17 @@ virgl_cmd_resource_unref(VuGpu *g,
                          struct virtio_gpu_ctrl_command *cmd)
 {
     struct virtio_gpu_resource_unref unref;
+    struct iovec *res_iovs = NULL;
+    int num_iovs = 0;
 
     VUGPU_FILL_CMD(unref);
 
+    virgl_renderer_resource_detach_iov(unref.resource_id,
+                                       &res_iovs,
+                                       &num_iovs);
+    if (res_iovs != NULL && num_iovs != 0) {
+        vg_cleanup_mapping_iov(g, res_iovs, num_iovs);
+    }
     virgl_renderer_resource_unref(unref.resource_id);
 }
 
@@ -128,6 +136,7 @@ virgl_cmd_get_capset_info(VuGpu *g,
 
     VUGPU_FILL_CMD(info);
 
+    memset(&resp, 0, sizeof(resp));
     if (info.capset_index == 0) {
         resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL;
         virgl_renderer_get_cap_set(resp.capset_id,
@@ -169,6 +178,10 @@ virgl_cmd_get_capset(VuGpu *g,
 
     virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
                                &max_size);
+    if (!max_size) {
+        cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
+        return;
+    }
     resp = g_malloc0(sizeof(*resp) + max_size);
 
     resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
@@ -279,8 +292,11 @@ virgl_resource_attach_backing(VuGpu *g,
         return;
     }
 
-    virgl_renderer_resource_attach_iov(att_rb.resource_id,
+    ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
                                        res_iovs, att_rb.nr_entries);
+    if (ret != 0) {
+        vg_cleanup_mapping_iov(g, res_iovs, att_rb.nr_entries);
+    }
 }
 
 static void
@@ -299,7 +315,7 @@ virgl_resource_detach_backing(VuGpu *g,
     if (res_iovs == NULL || num_iovs == 0) {
         return;
     }
-    g_free(res_iovs);
+    vg_cleanup_mapping_iov(g, res_iovs, num_iovs);
 }
 
 static void