From 52c38fa9f3a790a7c2805e7d8cce3ea9262d6ae2 Mon Sep 17 00:00:00 2001
From: Yuval Shaia <yuval.shaia.ml@gmail.com>
Date: Tue, 12 Apr 2022 11:01:51 +0100
Subject: [PATCH 10/12] hw/pvrdma: Protect against buggy or malicious guest
driver
Guest driver might execute HW commands when shared buffers are not yet
allocated.
This might happen on purpose (malicious guest) or because of some other
guest/host address mapping.
We need to protect against such a case.
Reported-by: Mauro Matteo Cascella <mcascell@redhat.com>
Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
CVE: CVE-2022-1050
Upstream-Status: Submitted [https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05197.html]
---
hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
hw/rdma/vmw/pvrdma_main.c | 3 ++-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index da7ddfa54..89db963c4 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
dsr_info = &dev->dsr_info;
+ if (!dsr_info->dsr) {
+ /* Buggy or malicious guest driver */
+ rdma_error_report("Exec command without dsr, req or rsp buffers");
+ goto out;
+ }
+
if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
sizeof(struct cmd_handler)) {
rdma_error_report("Unsupported command");
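Review bot: The new guard in pvrdma_exec_cmd tests only `dsr_info->dsr`, yet its message names the req and rsp buffers too, and the very next statement dereferences `dsr_info->req`. Whether req or rsp can be NULL while dsr is mapped depends on the mapping and teardown code, which is outside this hunk; if that invariant is not guaranteed, the check should cover all three pointers: `if (!dsr_info->dsr || !dsr_info->req || !dsr_info->rsp) {`. If the invariant is guaranteed, a comment such as `/* req and rsp are only mapped while dsr is mapped */` would record why one test is enough. The `out` label is also outside the hunk, so it is worth confirming that path touches none of the unmapped buffers.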
diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
index 91206dbb8..0b7d908e2 100644
--- a/hw/rdma/vmw/pvrdma_main.c
+++ b/hw/rdma/vmw/pvrdma_main.c
@@ -249,7 +249,8 @@ static void init_dsr_dev_caps(PVRDMADev *dev)
{
struct pvrdma_device_shared_region *dsr;
- if (dev->dsr_info.dsr == NULL) {
+ if (!dev->dsr_info.dsr) {
+ /* Buggy or malicious guest driver */
rdma_error_report("Can't initialized DSR");
return;
}
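Review bot: The error path in init_dsr_dev_caps and the new one in pvrdma_exec_cmd can both be reached by the guest at will, so each report is a host log line the guest controls the rate of. rdma_error_report's definition is not shown here; if it is not rate limited, consider reporting once per device or through a rate-limited helper so that a misbehaving guest cannot fill the host log. Since this line is already being touched, the message could also state the condition, e.g. `rdma_error_report("Can't initialize DSR caps, DSR is not mapped");`.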
--
2.30.2