| CVE: CVE-2022-1050 |
| Upstream-Status: Submitted [https://lore.kernel.org/qemu-devel/20220403095234.2210-1-yuval.shaia.ml@gmail.com/] |
| Signed-off-by: Ross Burton <ross.burton@arm.com> |
| |
| From dbdef95c272e8f3ec037c3db4197c66002e30995 Mon Sep 17 00:00:00 2001 |
| From: Yuval Shaia <yuval.shaia.ml@gmail.com> |
| Date: Sun, 3 Apr 2022 12:52:34 +0300 |
| Subject: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver |
| |
| Guest driver might execute HW commands when shared buffers are not yet |
| allocated. |
| This could happen on purpose (malicious guest) or because of some other |
| guest/host address mapping error. |
| We need to protect againts such case. |
| |
| Fixes: CVE-2022-1050 |
| |
| Reported-by: Raven <wxhusst@gmail.com> |
| Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com> |
| --- |
| hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++ |
| 1 file changed, 6 insertions(+) |
| |
| diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c |
| index da7ddfa548..89db963c46 100644 |
| --- a/hw/rdma/vmw/pvrdma_cmd.c |
| +++ b/hw/rdma/vmw/pvrdma_cmd.c |
| @@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev) |
| |
| dsr_info = &dev->dsr_info; |
| |
| + if (!dsr_info->dsr) { |
| + /* Buggy or malicious guest driver */ |
| + rdma_error_report("Exec command without dsr, req or rsp buffers"); |
| + goto out; |
| + } |
| + |
| if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) / |
| sizeof(struct cmd_handler)) { |
| rdma_error_report("Unsupported command"); |
| -- |
| 2.34.1 |
| |