github/acrn-hypervisor
1
0
Fork 0
mirror of https://github.com/projectacrn/acrn-hypervisor.git synced 2025-05-12 02:18:40 +00:00
Code Issues Projects Releases Wiki Activity

dm: fix uninitialized heap access risk in virtio GPU

Browse Source 
This patch fix potential uninitialized heap use in virtio_gpu.c file.

Tracked-On: #8439
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
Reviewed-by: Jian Jun Chen <jian.jun.chen@intel.com>
This commit is contained in:
Jiaqing Zhao 2023-07-05 02:41:59 +00:00 committed by acrnsi-robot
parent ac8690cd4d
commit b35b8ef677
1 changed files with 80 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
devicemodel/hw/pci/virtio/virtio_gpu.c
View File

@ -785,8 +785,23 @@ virtio_gpu_cmd_resource_attach_backing(struct virtio_gpu_command *cmd)
memcpy(&req, cmd->iov[0].iov_base, sizeof(req)); memcpy(&req, cmd->iov[0].iov_base, sizeof(req));
memset(&resp, 0, sizeof(resp)); memset(&resp, 0, sizeof(resp));
/*
* 1. Per VIRTIO GPU specification,
* 'cmd->iovcnt' = 'nr_entries' of 'struct virtio_gpu_resource_attach_backing' + 2,
* where 'nr_entries' is number of instance of 'struct virtio_gpu_mem_entry'.
* case 'cmd->iovcnt < 3' means above 'nr_entries' is zero, which is invalid
* and ignored.
* 2. Function 'virtio_gpu_ctrl_bh(void *data)' guarantees cmd->iovcnt >=1.
*/
if (cmd->iovcnt < 2) {
resp.type = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
memcpy(cmd->iov[cmd->iovcnt - 1].iov_base, &resp, sizeof(resp));
pr_err("%s : invalid memory entry.\n", __func__);
return;
}
r2d = virtio_gpu_find_resource_2d(cmd->gpu, req.resource_id); r2d = virtio_gpu_find_resource_2d(cmd->gpu, req.resource_id);
if (r2d) { if (r2d && req.nr_entries > 0) {
iov = malloc(req.nr_entries * sizeof(struct iovec)); iov = malloc(req.nr_entries * sizeof(struct iovec));
if (!iov) { if (!iov) {
resp.type = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY; resp.type = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY;
@ -1198,6 +1213,19 @@ virtio_gpu_cmd_create_blob(struct virtio_gpu_command *cmd)
return; return;
} }
/*
* 1. Per VIRTIO GPU specification,
* 'cmd->iovcnt' = 'nr_entries' of 'struct virtio_gpu_resource_create_blob' + 2,
* where 'nr_entries' is number of instance of 'struct virtio_gpu_mem_entry'.
* 2. Function 'virtio_gpu_ctrl_bh(void *data)' guarantees cmd->iovcnt >=1.
*/
if (cmd->iovcnt < 2) {
resp.type = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
memcpy(cmd->iov[cmd->iovcnt - 1].iov_base, &resp, sizeof(resp));
pr_err("%s : invalid memory entry.\n", __func__);
return;
}
if ((req.blob_mem != VIRTIO_GPU_BLOB_MEM_GUEST) || if ((req.blob_mem != VIRTIO_GPU_BLOB_MEM_GUEST) ||
(req.blob_flags != VIRTIO_GPU_BLOB_FLAG_USE_SHAREABLE)) { (req.blob_flags != VIRTIO_GPU_BLOB_FLAG_USE_SHAREABLE)) {
pr_dbg("%s : invalid create_blob parameter for %d.\n", pr_dbg("%s : invalid create_blob parameter for %d.\n",
@ -1227,6 +1255,7 @@ virtio_gpu_cmd_create_blob(struct virtio_gpu_command *cmd)
r2d->resource_id = req.resource_id; r2d->resource_id = req.resource_id;
if (req.nr_entries > 0) {
entries = malloc(req.nr_entries * sizeof(struct virtio_gpu_mem_entry)); entries = malloc(req.nr_entries * sizeof(struct virtio_gpu_mem_entry));
if (!entries) { if (!entries) {
pr_err("%s : memory allocation for entries failed.\n", __func__); pr_err("%s : memory allocation for entries failed.\n", __func__);
@ -1283,6 +1312,7 @@ virtio_gpu_cmd_create_blob(struct virtio_gpu_command *cmd)
} }
free(entries); free(entries);
}
resp.type = VIRTIO_GPU_RESP_OK_NODATA; resp.type = VIRTIO_GPU_RESP_OK_NODATA;
LIST_INSERT_HEAD(&cmd->gpu->r2d_list, r2d, link); LIST_INSERT_HEAD(&cmd->gpu->r2d_list, r2d, link);
memcpy(cmd->iov[cmd->iovcnt - 1].iov_base, &resp, sizeof(resp)); memcpy(cmd->iov[cmd->iovcnt - 1].iov_base, &resp, sizeof(resp));