Brad Bishop | 1932369 | 2019-04-05 15:28:33 -0400 | [diff] [blame^] | 1 | CVE: CVE-2018-20124 |
| 2 | Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=0e68373] |
| 3 | |
| 4 | Backport patch to fix CVE-2018-20124. Update context and stay with current |
| 5 | function comp_handler() which has been replaced with complete_work() in latest |
| 6 | git repo. |
| 7 | |
| 8 | Signed-off-by: Kai Kang <kai.kang@windriver.com> |
| 9 | |
| 10 | From 0e68373cc2b3a063ce067bc0cc3edaf370752890 Mon Sep 17 00:00:00 2001 |
| 11 | From: Prasad J Pandit <pjp@fedoraproject.org> |
| 12 | Date: Thu, 13 Dec 2018 01:00:34 +0530 |
| 13 | Subject: [PATCH] rdma: check num_sge does not exceed MAX_SGE |
| 14 | |
| 15 | rdma back-end has scatter/gather array ibv_sge[MAX_SGE=4] set |
| 16 | to have 4 elements. A guest could send a 'PvrdmaSqWqe' ring element |
| 17 | with 'num_sge' set to > MAX_SGE, which may lead to OOB access issue. |
| 18 | Add check to avoid it. |
| 19 | |
| 20 | Reported-by: Saar Amar <saaramar5@gmail.com> |
| 21 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> |
| 22 | Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com> |
| 23 | Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com> |
| 24 | --- |
| 25 | hw/rdma/rdma_backend.c | 12 ++++++------ |
| 26 | 1 file changed, 6 insertions(+), 6 deletions(-) |
| 27 | |
| 28 | diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c |
| 29 | index d7a4bbd9..7f8028f8 100644 |
| 30 | --- a/hw/rdma/rdma_backend.c |
| 31 | +++ b/hw/rdma/rdma_backend.c |
| 32 | @@ -311,9 +311,9 @@ void rdma_backend_post_send(RdmaBackendDev *backend_dev, |
| 33 | } |
| 34 | |
| 35 | pr_dbg("num_sge=%d\n", num_sge); |
| 36 | - if (!num_sge) { |
| 37 | - pr_dbg("num_sge=0\n"); |
| 38 | - comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx); |
| 39 | + if (!num_sge || num_sge > MAX_SGE) { |
| 40 | + pr_dbg("invalid num_sge=%d\n", num_sge); |
| 41 | + comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx); |
| 42 | return; |
| 43 | } |
| 44 | |
| 45 | @@ -390,9 +390,9 @@ void rdma_backend_post_recv(RdmaBackendDev *backend_dev, |
| 46 | } |
| 47 | |
| 48 | pr_dbg("num_sge=%d\n", num_sge); |
| 49 | - if (!num_sge) { |
| 50 | - pr_dbg("num_sge=0\n"); |
| 51 | - comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx); |
| 52 | + if (!num_sge || num_sge > MAX_SGE) { |
| 53 | + pr_dbg("invalid num_sge=%d\n", num_sge); |
| 54 | + comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx); |
| 55 | return; |
| 56 | } |
| 57 | |
| 58 | -- |
| 59 | 2.20.1 |
| 60 | |