| hw/pvrdma: Protect against buggy or malicious guest driver |
| |
| Guest driver might execute HW commands when shared buffers are not yet |
| allocated. |
| This might happen on purpose (malicious guest) or because some other |
| guest/host address mapping. |
| We need to protect againts such case. |
| |
| Reported-by: Mauro Matteo Cascella <mcascell@redhat.com> |
| Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com> |
| |
| CVE: CVE-2022-1050 |
| Upstream-Status: Submitted [https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05197.html] |
| |
| Index: qemu-6.2.0/hw/rdma/vmw/pvrdma_cmd.c |
| =================================================================== |
| --- qemu-6.2.0.orig/hw/rdma/vmw/pvrdma_cmd.c |
| +++ qemu-6.2.0/hw/rdma/vmw/pvrdma_cmd.c |
| @@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev) |
| |
| dsr_info = &dev->dsr_info; |
| |
| + if (!dsr_info->dsr) { |
| + /* Buggy or malicious guest driver */ |
| + rdma_error_report("Exec command without dsr, req or rsp buffers"); |
| + goto out; |
| + } |
| + |
| if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) / |
| sizeof(struct cmd_handler)) { |
| rdma_error_report("Unsupported command"); |
| Index: qemu-6.2.0/hw/rdma/vmw/pvrdma_main.c |
| =================================================================== |
| --- qemu-6.2.0.orig/hw/rdma/vmw/pvrdma_main.c |
| +++ qemu-6.2.0/hw/rdma/vmw/pvrdma_main.c |
| @@ -249,7 +249,8 @@ static void init_dsr_dev_caps(PVRDMADev |
| { |
| struct pvrdma_device_shared_region *dsr; |
| |
| - if (dev->dsr_info.dsr == NULL) { |
| + if (!dev->dsr_info.dsr) { |
| + /* Buggy or malicious guest driver */ |
| rdma_error_report("Can't initialized DSR"); |
| return; |
| } |