poky/meta/recipes-devtools/qemu/qemu/pvrdma.patch - openbmc/openbmc - Gitiles

 hw/pvrdma: Protect against buggy or malicious guest driver

 Guest driver might execute HW commands when shared buffers are not yet
 allocated.
 This might happen on purpose (malicious guest) or because some other
 guest/host address mapping.
 We need to protect againts such case.

 Reported-by: Mauro Matteo Cascella <mcascell@redhat.com>
 Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>

 CVE: CVE-2022-1050
 Upstream-Status: Submitted [https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05197.html]

 Index: qemu-6.2.0/hw/rdma/vmw/pvrdma_cmd.c
 ===================================================================
 --- qemu-6.2.0.orig/hw/rdma/vmw/pvrdma_cmd.c
 +++ qemu-6.2.0/hw/rdma/vmw/pvrdma_cmd.c
 @@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)

      dsr_info = &dev->dsr_info;

 +    if (!dsr_info->dsr) {
 +            /* Buggy or malicious guest driver */
 +            rdma_error_report("Exec command without dsr, req or rsp buffers");
 +            goto out;
 +    }
 +
      if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
                        sizeof(struct cmd_handler)) {
          rdma_error_report("Unsupported command");
 Index: qemu-6.2.0/hw/rdma/vmw/pvrdma_main.c
 ===================================================================
 --- qemu-6.2.0.orig/hw/rdma/vmw/pvrdma_main.c
 +++ qemu-6.2.0/hw/rdma/vmw/pvrdma_main.c
 @@ -249,7 +249,8 @@ static void init_dsr_dev_caps(PVRDMADev
  {
      struct pvrdma_device_shared_region *dsr;

 -    if (dev->dsr_info.dsr == NULL) {
 +    if (!dev->dsr_info.dsr) {
 +        /* Buggy or malicious guest driver */
          rdma_error_report("Can't initialized DSR");
          return;
      }
	hw/pvrdma: Protect against buggy or malicious guest driver

	Guest driver might execute HW commands when shared buffers are not yet
	allocated.
	This might happen on purpose (malicious guest) or because some other
	guest/host address mapping.
	We need to protect againts such case.

	Reported-by: Mauro Matteo Cascella <mcascell@redhat.com>
	Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>

	CVE: CVE-2022-1050
	Upstream-Status: Submitted [https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05197.html]

	Index: qemu-6.2.0/hw/rdma/vmw/pvrdma_cmd.c
	===================================================================
	--- qemu-6.2.0.orig/hw/rdma/vmw/pvrdma_cmd.c
	+++ qemu-6.2.0/hw/rdma/vmw/pvrdma_cmd.c
	@@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)

	dsr_info = &dev->dsr_info;

	+ if (!dsr_info->dsr) {
	+ /* Buggy or malicious guest driver */
	+ rdma_error_report("Exec command without dsr, req or rsp buffers");
	+ goto out;
	+ }
	+
	if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
	sizeof(struct cmd_handler)) {
	rdma_error_report("Unsupported command");
	Index: qemu-6.2.0/hw/rdma/vmw/pvrdma_main.c
	===================================================================
	--- qemu-6.2.0.orig/hw/rdma/vmw/pvrdma_main.c
	+++ qemu-6.2.0/hw/rdma/vmw/pvrdma_main.c
	@@ -249,7 +249,8 @@ static void init_dsr_dev_caps(PVRDMADev
	{
	struct pvrdma_device_shared_region *dsr;

	- if (dev->dsr_info.dsr == NULL) {
	+ if (!dev->dsr_info.dsr) {
	+ /* Buggy or malicious guest driver */
	rdma_error_report("Can't initialized DSR");
	return;
	}