From df0e46c7dbfd81a957d85e449ba41b52f6f7beb4 Mon Sep 17 00:00:00 2001
From: Frederic Dalleau
Date: Wed, 2 Jun 2021 11:58:27 +0200
Subject: [PATCH 1/4] Fix vi_pci_read null vc_cfgread function pointer dereference (GHSL-2021-054)

This is backport of what is done in bhyve
Signed-off-by: Frederic Dalleau
---
 src/lib/virtio.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/lib/virtio.c b/src/lib/virtio.c
index 9cd44ce8..8321ae3e 100644
--- a/src/lib/virtio.c
+++ b/src/lib/virtio.c
@@ -559,7 +559,10 @@ vi_pci_read(UNUSED int vcpu, struct pci_devinst *pi, int baridx,
 max = vc->vc_cfgsize ? vc->vc_cfgsize : 0x100000000;
 if ((newoff + ((unsigned) size)) > max)
 goto bad;
- error = (*vc->vc_cfgread)(DEV_SOFTC(vs), ((int) newoff), size, &value);
+ if (vc->vc_cfgread != NULL)
+ error = (*vc->vc_cfgread)(DEV_SOFTC(vs), ((int) newoff), size, &value);
+ else
+ error = 0;
 if (!error)
 goto done;
 }
From 451558fe8aaa8b24e02e34106e3bb9fe41d7ad13 Mon Sep 17 00:00:00 2001
From: Frederic Dalleau
Date: Thu, 24 Jun 2021 10:09:30 +0200
Subject: [PATCH 2/4] Fix vi_pci_write null vc_cfgwrite function pointer dereference (GHSL-2021-055)

This is a backport of what is done in bhyve.
Signed-off-by: Frederic Dalleau
---
 src/lib/virtio.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/lib/virtio.c b/src/lib/virtio.c
index 8321ae3e..73069414 100644
--- a/src/lib/virtio.c
+++ b/src/lib/virtio.c
@@ -681,8 +681,11 @@ vi_pci_write(UNUSED int vcpu, struct pci_devinst *pi, int baridx,
 max = vc->vc_cfgsize ? vc->vc_cfgsize : 0x100000000;
 if ((newoff + ((unsigned) size)) > max)
 goto bad;
- error = (*vc->vc_cfgwrite)(DEV_SOFTC(vs), ((int) newoff), size,
- ((uint32_t) value));
+ if (vc->vc_cfgwrite != NULL)
+ error = (*vc->vc_cfgwrite)(DEV_SOFTC(vs), ((int) newoff), size,
+ ((uint32_t) value));
+ else
+ error = 0;
 if (!error)
 goto done;
 }
From 41272a980197917df8e58ff90642d14dec8fe948 Mon Sep 17 00:00:00 2001
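Review bot: With vc_cfgread NULL the new else branch sets error to 0, so the following `if (!error) goto done;` reports the read as successful and hands back whatever `value` already holds; that is only correct if `value` was given a default fill earlier in vi_pci_read, which is outside the hunk, so please confirm and record it in a comment such as `/* no device-specific config space: succeed with the default value */` above the new `if`. The vi_pci_write hunk in patch 2 has the same shape, where a NULL vc_cfgwrite turns the guest's write into a silently accepted no-op; a matching comment there (`/* no device-specific config space: accept and ignore the write */`) would make that intended behaviour explicit rather than an accident of the fallback. vi_pci_read starts and ends outside this hunk.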
From: Frederic Dalleau
Date: Wed, 2 Jun 2021 12:02:47 +0200
Subject: [PATCH 3/4] Fix vtrnd pci_vtrnd_notify uninitialized memory use (GHSL-2021-056)

Signed-off-by: Frederic Dalleau
---
 src/lib/pci_virtio_rnd.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/lib/pci_virtio_rnd.c b/src/lib/pci_virtio_rnd.c
index 2b77dde7..24ba08ee 100644
--- a/src/lib/pci_virtio_rnd.c
+++ b/src/lib/pci_virtio_rnd.c
@@ -100,7 +100,7 @@ pci_vtrnd_notify(void *vsc, struct vqueue_info *vq)
 {
 struct iovec iov;
 struct pci_vtrnd_softc *sc;
- int len;
+ int len, n;
 uint16_t idx;
 
 sc = vsc;
@@ -111,7 +111,11 @@ pci_vtrnd_notify(void *vsc, struct vqueue_info *vq)
 }
 
 while (vq_has_descs(vq)) {
- vq_getchain(vq, &idx, &iov, 1, NULL);
+ n = vq_getchain(vq, &idx, &iov, 1, NULL);
+ if (n < 0) {
+ fprintf(stderr, "vtrnd: vtrnd_notify(): n %d\r\n", n);
+ return;
+ }
 
 len = (int) read(sc->vrsc_fd, iov.iov_base, iov.iov_len);
 
From af5eba2360a7351c08dfd9767d9be863a50ebaba Mon Sep 17 00:00:00 2001
From: Frederic Dalleau
Date: Wed, 2 Jun 2021 12:13:56 +0200
Subject: [PATCH 4/4] Fix virtio-sock pci_vtsock_proc_tx uninitialized memory use (GHSL-2021-057)

Signed-off-by: Frederic Dalleau
---
 src/lib/pci_virtio_sock.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/lib/pci_virtio_sock.c b/src/lib/pci_virtio_sock.c
index f66d2955..7a03c8d3 100644
--- a/src/lib/pci_virtio_sock.c
+++ b/src/lib/pci_virtio_sock.c
@@ -1121,6 +1121,11 @@ static void pci_vtsock_proc_tx(struct pci_vtsock_softc *sc,
 size_t pulled;
 
 iovec_len = vq_getchain(vq, &idx, iov, VTSOCK_MAXSEGS, flags);
+ if (iovec_len < 0) {
+ fprintf(stderr, "TX: failed to get chain at idx %"PRIx16"\n", idx);
+ return;
+ }
+
 assert(iovec_len <= VTSOCK_MAXSEGS);
 
 DPRINTF(("TX: chain with %d buffers at idx %"PRIx16"\n",
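Review bot: The added guard `if (n < 0)` still lets a zero return from vq_getchain fall through to `read()` with `iov` unfilled, which is the same uninitialized use this patch sets out to fix; unless vq_has_descs() rules that case out (vq_getchain is not in the hunk, so I cannot confirm), `if (n <= 0) {` — or `if (n != 1) {`, since exactly one segment is requested — closes the gap. The same `< 0`-only check is added to pci_vtsock_proc_tx in patch 4, where a zero iovec_len would pass the assert that follows it. pci_vtrnd_notify continues past the end of this hunk.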
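Review bot: The new fprintf formats `idx` on the failure path, but `idx` is only written by vq_getchain, so unless that function stores through its pidx argument before every negative return (not visible here) the message prints an uninitialized uint16_t; either confirm that contract or drop idx from the message, e.g. `fprintf(stderr, "TX: vq_getchain failed (%d)\n", iovec_len);`. Returning at this point also appears to leave the virtqueue un-advanced, so a one-line comment stating that the chain is deliberately left unacknowledged on a malformed descriptor would help the next reader. pci_vtsock_proc_tx starts and ends outside this hunk.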