[PATCH v2 3/3] dm: fix uninitialized heap access risk in virtio GPU


Yonghua Huang
 

From: Yonghua Huang <yonghua.huang@...>

This patch fixes a potential uninitialized heap use
in the virtio_gpu.c file.

Signed-off-by: Yonghua Huang <yonghua.huang@...>
---
devicemodel/hw/pci/virtio/virtio_gpu.c | 30 ++++++++++++++++++++++++++
1 file changed, 30 insertions(+)

diff --git a/devicemodel/hw/pci/virtio/virtio_gpu.c b/devicemodel/hw/pci/virtio/virtio_gpu.c
index 6e1ba248b..31c7ab1a3 100644
--- a/devicemodel/hw/pci/virtio/virtio_gpu.c
+++ b/devicemodel/hw/pci/virtio/virtio_gpu.c
@@ -784,6 +784,21 @@ virtio_gpu_cmd_resource_attach_backing(struct virtio_gpu_command *cmd)
memcpy(&req, cmd->iov[0].iov_base, sizeof(req));
memset(&resp, 0, sizeof(resp));

+ /*
+ * 1. Per VIRTIO GPU specification,
+ * 'cmd->iovcnt' = 'nr_entries' of 'struct virtio_gpu_resource_attach_backing' + 2,
+ * where 'nr_entries' is number of instance of 'struct virtio_gpu_mem_entry'.
+ * case 'cmd->iovcnt < 3' means above 'nr_entries' is zero, which is invalid
+ * and ignored.
+ * 2. Function 'virtio_gpu_ctrl_bh(void *data)' guarantees cmd->iovcnt >=1.
+ */
+ if (cmd->iovcnt < 3) {
+ resp.type = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
+ memcpy(cmd->iov[cmd->iovcnt - 1].iov_base, &resp, sizeof(resp));
+ pr_err("%s : invalid memory entry.\n", __func__);
+ return;
+ }
+
r2d = virtio_gpu_find_resource_2d(cmd->gpu, req.resource_id);
if (r2d) {
iov = malloc(req.nr_entries * sizeof(struct iovec));
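Review bot: The new guard `if (cmd->iovcnt < 3)` only rejects the zero-entry case; the guest-supplied `req.nr_entries` (copied from `cmd->iov[0]` on the first line of the hunk) that sizes the `malloc` on the last line is still never reconciled with `cmd->iovcnt`, so a request claiming more entries than the descriptor chain actually carries presumably still allocates `iov` slots that the fill loop further down (outside this hunk) cannot populate. Since the added comment itself states the invariant `cmd->iovcnt == nr_entries + 2`, the check should enforce it rather than just the lower bound: `if (cmd->iovcnt < 3 || req.nr_entries != cmd->iovcnt - 2) {` (with `iovcnt >= 3` the subtraction cannot go negative, so the mixed-sign comparison is safe if `iovcnt` is `int`). The same gap exists in the identical guard added to virtio_gpu_cmd_create_blob below. The error reply also writes `sizeof(resp)` bytes into `cmd->iov[cmd->iovcnt - 1]` without checking that iov's `iov_len`; if virtio_gpu_ctrl_bh does not already validate the response descriptor size, a one-line comment saying where that is guaranteed would help. virtio_gpu_cmd_resource_attach_backing continues past the end of this hunk.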
@@ -1200,6 +1215,21 @@ virtio_gpu_cmd_create_blob(struct virtio_gpu_command *cmd)

}

+ /*
+ * 1. Per VIRTIO GPU specification,
+ * 'cmd->iovcnt' = 'nr_entries' of 'struct virtio_gpu_resource_attach_backing' + 2,
+ * where 'nr_entries' is number of instance of 'struct virtio_gpu_mem_entry'.
+ * case 'cmd->iovcnt < 3' means above 'nr_entries' is zero, which is invalid
+ * and ignored.
+ * 2. Function 'virtio_gpu_ctrl_bh(void *data)' guarantees cmd->iovcnt >=1.
+ */
+ if (cmd->iovcnt < 3) {
+ resp.type = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
+ memcpy(cmd->iov[cmd->iovcnt - 1].iov_base, &resp, sizeof(resp));
+ pr_err("%s : invalid memory entry.\n", __func__);
+ return;
+ }
+
if ((req.blob_mem != VIRTIO_GPU_BLOB_MEM_GUEST) ||
(req.blob_flags != VIRTIO_GPU_BLOB_FLAG_USE_SHAREABLE)) {
pr_dbg("%s : invalid create_blob parameter for %d.\n",
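Review bot: The comment copied into virtio_gpu_cmd_create_blob still says the layout follows `'nr_entries' of 'struct virtio_gpu_resource_attach_backing'`, but this handler processes the create-blob request, not attach-backing, so the note points a reader at the wrong structure; it should name the request type this function actually reads into `req` (presumably `struct virtio_gpu_resource_create_blob`, whose `nr_entries` has the same meaning). The comment and the five-line guard are now byte-identical in two handlers, so a small `static` helper that checks `cmd->iovcnt` and emits the `VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER` reply would keep the two sites from drifting apart. The function body continues outside this hunk, including the `req.nr_entries` use that the guard is meant to protect.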
--
2.25.1