poky/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch - openbmc/openbmc - Gitiles

 CVE: CVE-2022-1050
 Upstream-Status: Submitted [https://lore.kernel.org/qemu-devel/20220403095234.2210-1-yuval.shaia.ml@gmail.com/]
 Signed-off-by: Ross Burton <ross.burton@arm.com>

 From dbdef95c272e8f3ec037c3db4197c66002e30995 Mon Sep 17 00:00:00 2001
 From: Yuval Shaia <yuval.shaia.ml@gmail.com>
 Date: Sun, 3 Apr 2022 12:52:34 +0300
 Subject: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver

 Guest driver might execute HW commands when shared buffers are not yet
 allocated.
 This could happen on purpose (malicious guest) or because of some other
 guest/host address mapping error.
 We need to protect againts such case.

 Fixes: CVE-2022-1050

 Reported-by: Raven <wxhusst@gmail.com>
 Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
 ---
  hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
  1 file changed, 6 insertions(+)

 diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
 index da7ddfa548..89db963c46 100644
 --- a/hw/rdma/vmw/pvrdma_cmd.c
 +++ b/hw/rdma/vmw/pvrdma_cmd.c
 @@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)

      dsr_info = &dev->dsr_info;

 +    if (!dsr_info->dsr) {
 +            /* Buggy or malicious guest driver */
 +            rdma_error_report("Exec command without dsr, req or rsp buffers");
 +            goto out;
 +    }
 +
      if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
                        sizeof(struct cmd_handler)) {
          rdma_error_report("Unsupported command");
 --
 2.34.1
	CVE: CVE-2022-1050
	Upstream-Status: Submitted [https://lore.kernel.org/qemu-devel/20220403095234.2210-1-yuval.shaia.ml@gmail.com/]
	Signed-off-by: Ross Burton <ross.burton@arm.com>

	From dbdef95c272e8f3ec037c3db4197c66002e30995 Mon Sep 17 00:00:00 2001
	From: Yuval Shaia <yuval.shaia.ml@gmail.com>
	Date: Sun, 3 Apr 2022 12:52:34 +0300
	Subject: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver

	Guest driver might execute HW commands when shared buffers are not yet
	allocated.
	This could happen on purpose (malicious guest) or because of some other
	guest/host address mapping error.
	We need to protect againts such case.

	Fixes: CVE-2022-1050

	Reported-by: Raven <wxhusst@gmail.com>
	Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
	---
	hw/rdma/vmw/pvrdma_cmd.c \| 6 ++++++
	1 file changed, 6 insertions(+)

	diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
	index da7ddfa548..89db963c46 100644
	--- a/hw/rdma/vmw/pvrdma_cmd.c
	+++ b/hw/rdma/vmw/pvrdma_cmd.c
	@@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)

	dsr_info = &dev->dsr_info;

	+ if (!dsr_info->dsr) {
	+ /* Buggy or malicious guest driver */
	+ rdma_error_report("Exec command without dsr, req or rsp buffers");
	+ goto out;
	+ }
	+
	if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
	sizeof(struct cmd_handler)) {
	rdma_error_report("Unsupported command");
	--
	2.34.1