| From 284f191b4abad213aed04cb0458e1600fd18d7c4 Mon Sep 17 00:00:00 2001 |
| From: Marcel Apfelbaum <marcel@redhat.com> |
| Date: Wed, 16 Jun 2021 14:06:00 +0300 |
| Subject: [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device |
| (CVE-2021-3582) |
| |
| Ensure mremap boundaries not trusting the guest kernel to |
| pass the correct buffer length. |
| |
| Fixes: CVE-2021-3582 |
| Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com> |
| Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com> |
| Signed-off-by: Marcel Apfelbaum <marcel@redhat.com> |
| Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com> |
| Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com> |
| Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com> |
| Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> |
| Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com> |
| |
| CVE: CVE-2021-3582 |
| Upstream-Status: Backport [284f191b4abad213aed04cb0458e1600fd18d7c4] |
| Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> |
| --- |
| hw/rdma/vmw/pvrdma_cmd.c | 7 +++++++ |
| 1 file changed, 7 insertions(+) |
| |
| diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c |
| index f59879e257..da7ddfa548 100644 |
| --- a/hw/rdma/vmw/pvrdma_cmd.c |
| +++ b/hw/rdma/vmw/pvrdma_cmd.c |
| @@ -38,6 +38,13 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma, |
| return NULL; |
| } |
| |
| + length = ROUND_UP(length, TARGET_PAGE_SIZE); |
| + if (nchunks * TARGET_PAGE_SIZE != length) { |
| + rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks, |
| + (unsigned long)length); |
| + return NULL; |
| + } |
| + |
| dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE); |
| if (!dir) { |
| rdma_error_report("Failed to map to page directory"); |
| -- |
| 2.25.1 |
| |