Commit Graph

2713 Commits

Author SHA1 Message Date
Yonghua Huang
3348723805 dm: fix fault injection into VirtIO console backend
CVE# CVE-2021-23905
Add a NULL pointer check in init vq ring and add a vq ring descriptor
check, in case they cause a NULL pointer exception.

Tracked-On: #5355
Signed-off-by: Liu Long <long.liu@intel.com>
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
Reviewed-by: Wang, Yu1 <yu1.wang@intel.com>
2021-07-02 14:39:04 +08:00
Yonghua Huang
e09ecb13eb virtio: add virtio callbacks check
CVE# CVE-2021-23904
We can only call these callbacks when they are not NULL.

Tracked-On: #5342

Signed-off-by: Jie Deng <jie.deng@intel.com>
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
Acked-by: Wang, Yu1 <yu1.wang@intel.com>
2021-07-02 14:39:04 +08:00
Jie Deng
d74f25fde4 dm: virtio_console: read only when the virtqueue is ready.
CVE# CVE-2021-23902
The read should not continue if the virtqueue is not ready.

Tracked-On: #5544
Signed-off-by: Jie Deng <jie.deng@intel.com>
2021-07-02 14:39:04 +08:00
Yonghua Huang
9d29f5ff69 dm: validate inputs in vq_endchains
Inputs shall be validated to avoid NULL pointer access.

Tracked-On: #6129
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
2021-07-02 10:33:37 +08:00
Yonghua Huang
ea76e59d77 DM: xHCI: Check trb pointer before using it
The trb pointer may be NULL when getting the address from user space; add
the pointer check before using the trb.

Tracked-On: #6172
Signed-off-by: Liu Long <long.liu@intel.com>
Reviewed-by: Shuo A Liu <shuo.a.liu@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
2021-07-02 10:33:37 +08:00
Yonghua Huang
2b91780b4e dm: Reset virtio device before release
With virtio polling mode enabled, a timer is running in the virtio
backend service, and the timer will also be triggered if its frontend
driver didn't do the device reset in shutdown. A freed virtio device
will be accessed in the polling timer handler.

Do the virtio reset() callback specifically to clear the polling timer
before the free.

Tracked-On: #6147
Signed-off-by: Shuo A Liu <shuo.a.liu@intel.com>
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
2021-07-02 10:33:37 +08:00
Yonghua Huang
65a957dff8 dm: rb: only free rb_entry when we remove this entry from the
Only free rb_entry when we remove this entry from the rb tree; otherwise, a
page fault would be triggered when the next rb iteration accesses the freed rb_entry.

Tracked-On: #6056
Signed-off-by: Li Fei1 <fei1.li@intel.com>
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
2021-07-02 10:33:37 +08:00
Jie Deng
2e08f32e7a dm: NULL check of vq->used in virtio_net_ping_rxq
Add a check at this place to avoid a NULL access issue.

Tracked-On: #6100
Signed-off-by: Jie Deng <jie.deng@intel.com>
2021-07-02 10:33:37 +08:00
Yonghua Huang
e5f0e2e4f8 hv: fix crash issue when handling HC_NOTIFY_REQUEST_FINISH
Input 'vcpu_id' shall be validated properly:
- 'vcpu_id' shall be less than 'vm->hw.created_vcpus'
instead of 'MAX_VCPUS_PER_VM'.

Tracked-On: #4670
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
2020-04-22 16:18:57 +08:00
Yonghua Huang
2e9028128f hv: bugfix in write protect page hypercall
This patch fixes a potential hypervisor crash when calling
hc_hcall_write_protect_page() with a crafted GPA in the
'struct wp_data' instance, e.g. an invalid GPA that is
out of the scope of the target VM's EPT address space.

Tracked-On: #4669
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
2020-04-22 16:18:57 +08:00
Yonghua Huang
66d824d677 hv: unmap AP trampoline region from service VM's EPT
AP trampoline code should be accessible to the hypervisor only.
Unmap this memory region from the service VM's EPT mapping
for security reasons.

Tracked-On: #4112
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
2019-11-18 10:39:23 +08:00
Yonghua Huang
52a968db2f hv: refine modify_or_del_pte/pde/pdpte() function
1. Print a warning message instead of panicking when
   the caller tries to modify the attribute of a
   memory region, or delete a memory region, that
   is not present.
2. To avoid the above warning message for the memory region
   below 1M, its attribute may be updated by the Service
   VM when updating the MTRR setting.

Tracked-On: #4112
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
Reviewed-by: Fei Li <fei1.li@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
2019-11-18 10:39:23 +08:00
fuyanX
62e9d9bf75 acrn-hv: code review fix lib/string.c
In lib/string.c, strncmp doesn't consider the condition "n_arg=0";
just add processing for "n_arg=0".

Tracked-On: #4115
Signed-off-by: fuyanx <yanx.fu@intel.com>
Reviewed-by: Yonghua Huang <yonghua.huang@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
2019-11-18 10:39:23 +08:00
xiaojin2
aca51c0fad tools: acrn-crashlog: refine crash complete code
This patch is to remove unused info in server.c.

Tracked-On: #4111
Signed-off-by: xiaojin2 <xiaojing.liu@intel.com>
Reviewed-by: Liu, Xinwu <xinwu.liu@intel.com>
Acked-by: CHEN Gang <gang.c.chen@intel.com>
2019-11-18 10:39:23 +08:00
Yonghua Huang
c1528fd1b2 vm-manager: fix improper return value check for "strtol()"
The return value of 'strtol()' is not checked properly
in _get_vmname_pid() @ acrn_vm_ops.c and parse_opt() @ acnrd.c:
the return type of 'strtol' is 'long int', but it is assigned
to a variable of type 'int' and compared to "LONG_MAX"
and "LONG_MIN", which is always false.

This patch is to fix the above error case.

Tracked-On: #4110
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
Reviewed-by: Yan, Like <like.yan@intel.com>
Acked-by: Yan, Like <like.yan@intel.com>
2019-11-18 10:39:23 +08:00
Gao Junhao
87a8cd50d7 dm: refine the check of return value of snprintf
int snprintf(char *str, size_t size, const char *format, ...)
The function snprintf() writes at most size bytes (including the
terminating null byte ('\0')) to str.
Only when the returned value of snprintf is non-negative and less than size
has the string been completely written.

Tracked-On: #4109
Signed-off-by: Gao Junhao <junhao.gao@intel.com>
Reviewed-by: Yonghua Huang <yonghua.huang@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
2019-11-18 10:39:23 +08:00
Yonghua Huang
e6e9f4da68 dm: fix mutex lock issue in tpm_rbc.c
In function crb_reg_write() in tpm_rbc.c,
'tpm_vdev->request_mutex' will potentially be kept
in the locked state after crb_reg_write() returns.

Tracked-On: #4108
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
Reviewed-by: Yadong Qi <yadong.qi@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
2019-11-18 10:39:23 +08:00
Yonghua Huang
114fbe33f3 dm: close file pointer before exiting acrn_load_elf()
In acrn_load_elf(), file pointer 'fp' is kept in the
open state before exiting if 'load_elf32()' is executed;
this patch is to fix this bug.

Tracked-On: #4107
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
2019-11-18 10:39:23 +08:00
Gao Junhao
48bcd98ec6 dm: modify DIR handler reference position
The DIR handler is referenced after release; this needs to be adjusted
so it is referenced before being released.

Tracked-On: #4106
Signed-off-by: Gao Junhao <junhao.gao@intel.com>
Reviewed-by: Yonghua Huang <yonghua.huang@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
2019-11-18 10:39:23 +08:00
Junhao Gao
cf31b41f8b dm: reduce potential crash caused by LIST_FOREACH
When removing a node from a list, list_foreach_safe is safer than
LIST_FOREACH.

Tracked-On: #4104
Signed-off-by: Junhao Gao <junhao.gao@intel.com>
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
Reviewed-by: Yonghua Huang <yonghua.huang@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
2019-11-18 10:39:23 +08:00
Yonghua Huang
ed51cfd741 hv: fix error debug message in hcall_set_callback_vector
This patch is to fix an erroneous debug message
for the invalid 'param' case: there is no string
variable for the '%s' output, which will potentially
trigger a hypervisor crash as it may access a random
memory address and trigger an SMAP violation.

Tracked-On: #4114
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
2019-11-18 10:39:23 +08:00
Yonghua Huang
cf6ba23fd9 dm: validate the input in 'pci_emul_mem_handler()'
Check the inputs explicitly instead of using Assert.

Tracked-On: #3991
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
Reviewed-by: Shuo Liu <shuo.a.liu@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
2019-11-06 16:33:11 +08:00
Qi Yadong
21af6c84a4 hv: save/restore TSC in host's suspend/resume path
The TSC would be reset to 0 when entering the suspend state on some platforms.
This will fail the secure timer check in the secure world, because the
secure world leverages the TSC as the source of the secure timer, which should
increase monotonically.

This patch saves/restores the TSC in the host suspend/resume path to guarantee
a monotonically increasing TSC.

Note: There should be no timer setup before the TSC is resumed.

Tracked-On: #3698
Signed-off-by: Qi Yadong <yadong.qi@intel.com>
Reviewed-by: Yin Fengwei <fengwei.yin@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
2019-09-24 13:45:49 +08:00
Binbin Wu
89ef00c689 dm: vsbl: update to v1.4
Update vFastboot to v1.4.
This version removes the use of openssl.

Tracked-On: #3588
Signed-off-by: Binbin Wu <binbin.wu@intel.com>
2019-08-20 14:40:11 +08:00
Tianhua Sun
b12b492d74 hv: fix symbols not stripped from release binaries
In release environment, binary files must be stripped in
order to remove debugging code sections and symbol information
that aid attackers in the process of disassembly and reverse
engineering.
Use the '-s' linking option to remove the symbol table and relocation
information from release binaries.

Tracked-On: #3433
Signed-off-by: Tianhua Sun <tianhuax.s.sun@intel.com>
Reviewed-by: Yonghua Huang <yonghua.huang@intel.com>
2019-07-19 09:45:09 +08:00
Tianhua Sun
877ce914a2 hv: fix some potential array overflow risk
'pcpu_id' should be less than CONFIG_MAX_PCPU_NUM,
else 'per_cpu_data' will overflow. This commit fixes
this potential overflow issue.

Tracked-On: #3407
Signed-off-by: Tianhua Sun <tianhuax.s.sun@intel.com>
Reviewed-by: Yonghua Huang <yonghua.huang@intel.com>
2019-07-18 15:18:29 +08:00
Tianhua Sun
de125e6c6f dm: fix variable argument list read without ending with va_end
va_end() was not getting called under certain condition
after the va_start() function call taking the va_list.

Tracked-On: #3406
Signed-off-by: Tianhua Sun <tianhuax.s.sun@intel.com>
Reviewed-by: Yonghua Huang <yonghua.huang@intel.com>
2019-07-18 15:18:29 +08:00
Tianhua Sun
c0cb9c509f tools: fix variable argument list read without ending with va_end
va_end() was not getting called under certain conditions
after the va_start() function call taking the va_list.

Tracked-On: #3406
Signed-off-by: Tianhua Sun <tianhuax.s.sun@intel.com>
Acked-by: Gang Chen <gang.c.chen@intel.com>
2019-07-18 15:18:29 +08:00
Tianhua Sun
21083ee09c dm: fix some possible memory leaks
Free memory allocated by strdup().

Tracked-On: #3405
Signed-off-by: Tianhua Sun <tianhuax.s.sun@intel.com>
Reviewed-by: Yonghua Huang <yonghua.huang@intel.com>
2019-07-18 15:18:29 +08:00
Tianhua Sun
835605855e dm: fix some potential memory leaks
This patch is to fix some potential memory leak issues:

1. Free mrp if the mmio_rb_lookup() function returns 0;
2. Free memory allocated by strdup in some error-case handling.

Tracked-On: #3333
Signed-off-by: Tianhua Sun <tianhuax.s.sun@intel.com>
Acked-by: Anthony Xu <anthony.xu@intel.com>
2019-07-05 15:15:35 +08:00
Tianhua Sun
e7cfd9c561 dm: fix strncpy null-terminated issues
Fix strncpy null-terminated issues.

Tracked-On: #3332
Signed-off-by: Tianhua Sun <tianhuax.s.sun@intel.com>
Acked-by: Anthony Xu <anthony.xu@intel.com>
2019-07-05 15:15:35 +08:00
Zhao Yakui
f4daf2d127 DM: Adjust the priority related with ioreq emulation for Android Guest
When an IO/MMIO access on the Android guest causes a trap to the hypervisor,
it will be blocked until the ioreq emulation is completed.
In order to get better performance, it is better that the ioreq
emulation is completed ASAP. As it is handled in the SOS kernel, the
corresponding thread priority will be raised.

Tracked-On: #3242
Signed-off-by: Liu, Shuo <shuo.liu@intel.com>
Signed-off-by: Zhao Yakui <yakui.zhao@intel.com>
2019-06-12 10:58:01 +08:00
Yin Fengwei
0a0213695e debug/release: Enable -g option for debug build
-g option should only be enabled for debug build and disabled
for release build.

Tracked-On: #3164
Signed-off-by: Yin Fengwei <fengwei.yin@intel.com>
2019-05-24 16:10:49 +08:00
Yin Fengwei
f2d654cc44 signal SIGINT: map SIGINT to watchdog reset
Map SIGINT(2) to watchdog reset.
NOTE:
We require the guest to do a full reset after detecting that the most recent
reset type is watchdog. This is used to resume the passthru devices
in the UOS.

Tracked-On: #3103
Signed-off-by: Yin Fengwei <fengwei.yin@intel.com>
2019-05-15 16:20:24 +08:00
Yin Fengwei
634e310f9b build: fix build issue with latest gcc
Fix build issues with gcc 9.1 version

Tracked-On: #3121
Signed-off-by: Yin Fengwei <fengwei.yin@intel.com>
2019-05-15 15:51:20 +08:00
Wei Liu
57ac00a61f acrn-dm: enable debug option for acrn-dm
Enable the acrn-dm debug option via RELEASE=0 (by default).

Tracked-On: #2939
Reviewed-by: Minggui Cao <minggui.cao@intel.com>
Signed-off-by: Wei Liu <weix.w.liu@intel.com>
2019-04-19 11:14:33 +08:00
Xiaoguang Wu
8f32193d99 DM USB: xHCI: refine the failure process logic of control transfer
The old logic to process control transfer failure is not complete; this
patch is used to fix this issue.

Tracked-On: #2824
Signed-off-by: Xiaoguang Wu <xiaoguang.wu@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
2019-03-20 11:57:51 +08:00
Xiaoguang Wu
7c79f50752 DM USB: xHCI: workaround for libusb timing issue
On some platforms, the VBus will drop after suspending is done, hence
a disconnect and re-connect for devices connected before suspending will
be triggered in the DM. But during the stress test, when free memory is
limited to a very low level and a huge workload is put on the SOS, with a
certain probability the DM will receive the re-connect event first and the
disconnect event later; this behavior results in failing to emulate the USB
device to the UOS.

The reason is a timing issue in libusb. Until we can upstream a
fix to libusb or find some other better solution, this workaround
patch will be used to avoid errors.

Tracked-On: #2823
Signed-off-by: Xiaoguang Wu <xiaoguang.wu@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
2019-03-20 11:57:51 +08:00
Xiaoguang Wu
66dabd1260 DM USB: xHCI: fix a synchronization issue during resuming process
When the disable slot cmd is received by the device model, the operation
should be: release the pci_xhci_dev_emu variable first, and signal
xhci_vbdp_thread to wake up later. The old implementation is not
right; this patch is used to fix it.

Tracked-On: #2823
Signed-off-by: Xiaoguang Wu <xiaoguang.wu@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
2019-03-20 11:57:51 +08:00
Yin Fengwei
d5b35aa785 acrn-dm: revert the change which applies realtime schedule to vcpu0
Applying the realtime scheduler to the vcpu0 thread could trigger
stability issues. So revert it here.

Tracked-On: #2717
Signed-off-by: Yin Fengwei <fengwei.yin@intel.com>
2019-03-19 10:36:25 +08:00
Xiaoguang Wu
3593135673 DM USB: xHCI: Fix CTS test failure
This patch fixes the failure of the CTS 'USB Device Test' item.

Tracked-On: #2800
Signed-off-by: Xiaoguang Wu <xiaoguang.wu@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
2019-03-18 13:30:36 +08:00
Xiaoguang Wu
c6efc67c20 DM USB: xHCI: fix issue of discarding zero sized BULK transfer
Should not discard zero-size bulk transfers.

Tracked-On: #2800
Signed-off-by: Xiaoguang Wu <xiaoguang.wu@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
2019-03-18 13:30:36 +08:00
Binbin Wu
2ada1d4dbf hv: vtd: fix compile warning on UEFI platform
Fix compile warning on UEFI platform when checking the bus number.

Tracked-On: #2743
Signed-off-by: Binbin Wu <binbin.wu@intel.com>
2019-03-13 13:53:13 +08:00
Binbin Wu
0a9aeaa10e hv: vtd: check bus limit when add/remove device
Check the bus limit when adding/removing a device in the iommu.

Tracked-On: #2743
Signed-off-by: Binbin Wu <binbin.wu@intel.com>
2019-03-13 11:34:03 +08:00
yuhong.tao@intel.com
3e5bccd755 tools: acrnctl fix potential buffer overflow
When running 'acrnctl add', acrnctl dry-runs the launch script to get the
vmname. Acrnctl assumes there are no more than 64 words in each
line of the script, and creates a buffer to hold 64 pointers to these
words. But we didn't check whether the number of words exceeds the 64 limit,
which can lead to a buffer overflow. This commit fixes this potential
overflow problem.
It also refines some confusing error messages in 'acrnctl add'.

Tracked-On: #2734
Acked-by: Yan Like <like.yan@intel.com>
Signed-off-by: Tao Yuhong <yuhong.tao@intel.com>
Reviewed-by: Yonghua Huang <yonghua.huang@intel.com>
2019-03-13 10:22:50 +08:00
Conghui Chen
2171b6d2b9 dm: usb: fix possible memory leak
Fix a possible memory leak for usb.

Tracked-On: #2705
Signed-off-by: Conghui Chen <conghui.chen@intel.com>
Reviewed-by: Yuan Liu <yuan1.liu@intel.com>
Reviewed-by: Yonghua Huang <yonghua.huang@intel.com>
2019-03-13 10:17:20 +08:00
Jie Deng
d585389554 dm: virtio-net: fix memory leak
Dynamic memory stored in 'net', allocated through the function 'calloc',
should be freed correspondingly when returning failure.

Tracked-On: #2704
Signed-off-by: Jie Deng <jie.deng@intel.com>
Reviewed-by: Yonghua Huang <yonghua.huang@intel.com>
2019-03-12 10:22:05 +08:00
Binbin Wu
d4f7a1e142 dm: fix typo of path for cgroup cpu tasks
typo fix:
/sys/fs/cgroup/cpu/task -> /sys/fs/cgroup/cpu/tasks

Tracked-On: #2717
Signed-off-by: Yin Fengwei <fengwei.yin@intel.com>
2019-03-11 20:02:52 +08:00
Yuan Liu
7a07dfb9c7 dm: usb: fix SWWDT_UNHANDLED issue
Add a delay for usb in launch_uos.sh.

Tracked-On: #2633
Signed-off-by: Xiaoguang Wu <xiaoguang.wu@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
2019-03-11 11:34:32 +08:00
Xiaoguang Wu
b8017080b3 DM USB: xHCI: fix a logic error during USB reset
Should not set hci_address to zero during USB reset.

Tracked-On: #2633
Signed-off-by: Xiaoguang Wu <xiaoguang.wu@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
2019-03-11 11:34:32 +08:00